
Translating Natural Language to XACML

Digital Policy Management Technical Exchange Meeting

11 March 2014

Ron Turner (nMed LLC)

Goal: NLP as ABAC Expression of Choice

Execute with NLP as the center-ring star (not a side-show curiosity) of ABAC policy governance

Assume NLP as the preferred medium of expression of (access) policies:

• Most widely visible

• Most readily auditable

• Most straightforwardly interoperable

• Most economically sustainable

Copyright (c) by nMed LLC. All Rights Reserved.

4/23/2014

Road Map

1. Bronze Bullet: Valid XACML 3.0 in 3-5 seconds

2. First Mile: NL→NNL

3. Getting Real: Cultural “Policy Elephants” in the Room

Confessions and Disclaimers

Decade of a geek’s peddling “neat stuff” that’s been stuck in the Gartner trough

It’s about language (beyond “programming languages are like NLs”): formal vocabulary and grammar

XpressRules is at TRL 6: “Module and/or subsystem validation in a relevant end-to-end environment”

nMed’s approach has been highly pragmatic (pragma vs. logia)

XpressRules™ End-to-End

1. HL7 Patient Consent Directive

2. XACML 3.0 Policy

3. JSON Policy

4. XACML Request/Response

5. JSON Request/Response

Identity & Access Management (IAM): Policy-Based Access Control (PBAC) for Mobile/Cloud

Drop-downs from live attribute data

Create Rule with attributes-defined options

Make selections

Submit to Server—View Metadata

Auto-Generated Valid XACML 3.0

Auto-Generated Valid JSON Rendition of Policy

Audit of Creation Event: Reverse-Compiled Policy

Request Session

XACML Request

XACML Response

JSON Request Per OASIS Non-normative Examples (§8)

JSON Response Per OASIS Non-normative examples
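The request/response slides above are screenshots, so here is the exchange worked through in code as an added example (not XpressRules code and not the OASIS non-normative examples): a minimal policy decision routine that accepts a request in the shape of the OASIS JSON Profile of XACML 3.0 and returns a JSON-profile response, with the deck’s SBVR rule (“It is permitted that a Contractor or a Doctor or a Volunteer view a Problems Report that belongs to a Behavioral Health Patient”) hand-encoded as the policy. The dict form of the policy, the `urn:example:resource:patient-category` attribute id, and the choice of role/action-id/resource-id attributes are assumptions of this example.

```python
"""Evaluate an OASIS JSON Profile of XACML 3.0 request against a small policy.

Added example, not XpressRules code. The policy is the deck's SBVR rule
hand-encoded as a dict; that dict form and the attribute ids below are
assumptions made for this demonstration.
"""
import json

ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
PATIENT_CATEGORY = "urn:example:resource:patient-category"   # hypothetical id

# "It is permitted that a Contractor or a Doctor or a Volunteer view a Problems
# Report that belongs to a Behavioral Health Patient." Each category maps an
# attribute id to the set of acceptable values: values under one id are a
# disjunction (AnyOf), the ids together are a conjunction (AllOf).
POLICY = {
    "id": "sbvr-demo",
    "rules": [{
        "id": "sbvr-rule-1",
        "effect": "Permit",
        "target": {
            "AccessSubject": {ROLE: {"Contractor", "Doctor", "Volunteer"}},
            "Action": {ACTION_ID: {"view"}},
            "Resource": {RESOURCE_ID: {"Problems Report"},
                         PATIENT_CATEGORY: {"Behavioral Health Patient"}},
        },
    }],
}


def category_attributes(request, category):
    """Collect {AttributeId: set(values)} for one category of a JSON-profile request.
    The profile lets a category be one object or an array of objects, and lets
    Value be a scalar or an array, so both shapes are normalised here."""
    entries = request["Request"].get(category, [])
    if isinstance(entries, dict):
        entries = [entries]
    found = {}
    for entry in entries:
        for attr in entry.get("Attribute", []):
            values = attr["Value"] if isinstance(attr["Value"], list) else [attr["Value"]]
            found.setdefault(attr["AttributeId"], set()).update(str(v) for v in values)
    return found


def target_matches(target, request):
    """A target applies when every listed attribute has at least one request
    value equal to one of the target's values (string-equal semantics)."""
    for category, wanted in target.items():
        present = category_attributes(request, category)
        if any(not (present.get(attr_id, set()) & allowed) for attr_id, allowed in wanted.items()):
            return False
    return True


def evaluate(policy, request_json):
    """PDP entry point: JSON-profile request string in, JSON-profile response string out.
    Rule combining is deny-unless-permit: Permit if any applicable rule permits,
    otherwise Deny (a request that matches nothing is denied, never NotApplicable)."""
    request = json.loads(request_json)
    decision = "Deny"
    for rule in policy["rules"]:
        if rule["effect"] == "Permit" and target_matches(rule["target"], request):
            decision = "Permit"
            break
    response = {"Response": [{
        "Decision": decision,
        "Status": {"StatusCode": {"Value": "urn:oasis:names:tc:xacml:1.0:status:ok"}},
    }]}
    return json.dumps(response)


def make_request(role, action, resource, patient_category):
    """Build a constructed JSON-profile request (DataType omitted, so string)."""
    request = {"Request": {
        "AccessSubject": {"Attribute": [{"AttributeId": ROLE, "Value": role}]},
        "Action": {"Attribute": [{"AttributeId": ACTION_ID, "Value": action}]},
        "Resource": {"Attribute": [
            {"AttributeId": RESOURCE_ID, "Value": resource},
            {"AttributeId": PATIENT_CATEGORY, "Value": patient_category},
        ]},
    }}
    return json.dumps(request)


def decide(role, action, resource, patient_category):
    """The Decision string for one request evaluated against POLICY."""
    response = json.loads(evaluate(POLICY, make_request(role, action, resource, patient_category)))
    return response["Response"][0]["Decision"]


if __name__ == "__main__":
    print(decide("Doctor", "view", "Problems Report", "Behavioral Health Patient"))            # Permit
    print(decide(["Nurse", "Doctor"], "view", "Problems Report", "Behavioral Health Patient"))  # Permit
    print(decide("Volunteer", "view", "Lab Report", "Behavioral Health Patient"))              # Deny
```

The multi-valued role case matters in practice: a subject holding several roles is permitted as soon as one of them is in the rule’s subject set, which is exactly the AnyOf reading of “a Contractor or a Doctor or a Volunteer”. Everything the rule does not expressly permit (a different action, a different report type, a different patient category) falls to Deny under deny-unless-permit.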

FHIR Audit: Security Event

Decoded FHIR Security Event

Other Console Options

1. Select highly granular information attributes from a tree view of items to disallow.

2. Business unit must govern (1) levels of access (2) to specific information (3) from designated locations and furthermore define (4) device types and (5) times of day.

3. Nancy Smith, Nurse Practitioner in NIST Special Publication 800-162, seeks access to patients' information. Demonstrates declarative expressions.

4. Assemble pre-authored rules into policies that fit the organization

NL→NNL as Systematic Constraint

1. Prescription for Constraint Process (“Recreational Prozac”)

2. Domain-specific (constrained) NLs

3. Constraining a statute

Pill1: Legal Language

Most informative stylistic guidance: legal language.

Reason: legal utterances—like XACML’s data model, data flow model and language model—“perform acts, creating facts, rights[, obligations] and institutions.”

Pill2: ABAC as Info System

Most productive governance metaphor. Rationale: for a policy, each descent level implies decreased abstraction and increased specificity:

1. Executive

2. Management

3. Operations

ABAC As Information System

Strongest Affirmation: FICAM

[Source: FICAM Roadmap and Implementation Guidance, Version 2.0, §11 “Initiative 8: Modernize LACS Infrastructure,” pp.331-363]


Most Unambiguous Guidance: SP 800-162

“Natural Language Policy (NLP): Statements governing management and access of enterprise objects. NLPs are human expressions that can be translated to machine-enforceable access control policies.”

NLP appears 27 times in the document!

Pill3: Complex Stakeholder Spectra

1. GRC (exec, mgt., operations, each with right-fitting “visibility artifacts”)

2. Audit (artifacts: ops→mgt→exec for forensic, exec→mgt→ops for proactive)

3. Stakes (“skin”) for each stakeholder: TCO, ROI, risks, exposure, sustainment

SBVR* for NL → NNL

* Semantics of Business Vocabulary and Business Rules (Object Management Group framework)

ABAC Policy as SBVR: It is permitted that a Contractor or a Doctor or a Volunteer view a Problems Report that belongs to a Behavioral Health Patient.

Create a language that fits your domain

Use your language to create declarative business rules

GRC view of rule’s semantics

NL→NNL Constraint Process

Receive

• THE Authority: manage as a document

• Exploit robust document management

Transliterate

• Original NL Declarative sentences

• “Flatten” outline indentation

Normalize

• Reorder segments to parallel order

• Unravel syntactic embedding

Regularize

• Restructure to form that can be described by a context-free grammar

• Recast to allow XpressRules’ parsing


Step #0: Receive

State as received or required (by jurisdiction) (canonical, most authoritative, on file for audit), www.dsd.state.md.us/comar/comarhtml/12/12.15.01.11.htm (excerpt):

(2) The Central Repository, through agreement with a criminal justice agency, may: (a) Designate a criminal justice agency as a location where a noncriminal justice agency or individual may initiate a request for the Central Repository to provide CHRI for a noncriminal justice purpose. (b) Authorize a criminal justice agency to disseminate to a noncriminal justice agency or individual CHRI maintained by the criminal justice agency.

12.15.01.11 Dissemination of CHRI — General.

A. The Central Repository and a criminal justice agency shall collect, report, maintain, and disseminate CHRI in accordance with federal and State laws and regulations pursuant to Criminal Procedure Article, §10-221, Annotated Code of Maryland.

B. Noncriminal Justice Agency. (1) Except under §A(2) of this regulation, only the Central Repository may disseminate CHRI to a noncriminal justice agency or individual. (2) The Central Repository, through agreement with a criminal justice agency, may: (a) Designate a criminal justice agency as a location where a noncriminal justice agency or individual may initiate a request for the Central Repository to provide CHRI for a noncriminal justice purpose. (b) Authorize a criminal justice agency to disseminate to a noncriminal justice agency or individual CHRI maintained by the criminal justice agency. (3) If a criminal justice agency is authorized to disseminate CHRI under §B(1) of this regulation, the criminal justice agency shall maintain a log of each recording in the log the: (a) Date the request was made; (b) Purpose of the request; (c) CHRI disseminated; (d) Person receiving the information; and (e) Date the CHRI was disseminated. (4) The Central Repository shall maintain a log recording: (a) A criminal justice agency authorized to disseminate CHRI for noncriminal justice purposes; and (b) The name of the agency or individual receiving the CHRI for noncriminal justice purposes from the authorized criminal justice agency.

C. The Central Repository or a criminal justice agency or individual authorized to access CHRI may not confirm the existence or nonexistence of CHRI to a person that is not eligible to receive the CHRI.

D. A log required to be kept under this chapter shall be maintained for at least 3 years.

E. The use of CHRI by an authorized agency or individual: (1) Is limited to the specific purpose stated in this chapter; and (2) May not be disseminated further without specific authorization by the Central Repository.

F. In addition to another remedy or penalty authorized by law, the Secretary, or a designee, may: (1) Determine that an individual or agency is in violation of the provisions of this chapter; and (2) Initiate the necessary action to enforce compliance with this chapter, including: (a) Terminating authorization to access CHRI; (b) Revoking an agreement between the agency and the Central Repository; and (c) Criminal or civil proceedings.

G. Dissemination of CHRI. (1) The Secretary, or a designee, shall review agreements to determine if continued dissemination of CHRI based on the agreements is consistent with current law, regulation, and policy. (2) If the Secretary, or a designee, determines that continued dissemination under an agreement is not consistent with current law, regulation, or policy, the Secretary, or a designee, shall: (a) Revoke the agreement; (b) Terminate access to CHRI; and (c) Send written notice of the revocation to the individual, agency, private employer, or organization stating the reasons for the revocation. (3) An individual, agency, private employer, or organization whose access is terminated by the Secretary, or a designee, may appeal the action in accordance with the State Government Article, Title 10, Subtitle 2, Annotated Code of Maryland.

Step #1: Transliterate

Transliterate (Original NL Declarative sentences): [“Flatten” the semantic indents.]

The Central Repository, through agreement with a criminal justice agency, may designate a criminal justice agency as a location where a noncriminal justice agency or individual may initiate a request for the Central Repository to provide CHRI for a noncriminal justice purpose.

The Central Repository, through agreement with a criminal justice agency, may authorize a criminal justice agency to disseminate to a noncriminal justice agency or individual CHRI maintained by the criminal justice agency.


Step #2: Normalize

Normalize (Reorder segments to parallel order): [“Unravel the syntactic embedding in ‘a’.”]

The Central Repository must create an agreement with a criminal justice agency for the purpose of processing CHRI requests and of dissemination.

The agreement may designate a criminal justice agency as a location for a request.

A noncriminal justice agency or an individual may initiate the request.

The individual may initiate a request for the Central Repository to provide CHRI.

The request must be for a noncriminal justice purpose.

The agreement may authorize a criminal justice agency to disseminate to a noncriminal justice agency or to disseminate individual CHRI that is maintained by the criminal justice agency.

Step #3: Regularize* to NNL

[Source: nMed company-proprietary Tech Briefing, “Reduction of MD Statute (Dissemination of CHRI),” date last revised 7 March 2014]

It is obligatory that the Central Repository create an agreement with a criminal justice agency.

It is obligatory that the purpose of the agreement is the processing of CHRI requests and dissemination.

It is permissible that the agreement designate that a criminal justice agency serve as a location for a request.

It is permissible that a noncriminal justice agency or an individual initiate a request.

It is permissible that the individual initiate a request for the Central Repository to provide CHRI.

It is obligatory that the purpose of the request be for noncriminal justice.

It is permissible that the agreement authorize a criminal justice agency to disseminate individual CHRI to a noncriminal justice agency or to disseminate individual CHRI that is maintained by the criminal justice agency.

* Constrain/recast to allow parsing by current or reconfigured XpressRules RuleBuilder screens and grammar-parser.
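Both the SBVR rule on the earlier slide (“It is permitted that a Contractor or a Doctor or a Volunteer view a Problems Report …”) and the regularized sentences of Step #3 share one constrained shape: a deontic modal, one or more subjects joined by “or”, a verb, and an object. As an added example (not XpressRules code), here is a parser for that shape and an emitter that turns each permission into a valid XACML 3.0 Rule. The grammar itself, the closed verb vocabulary, the mapping of subject/verb/object onto the access-subject role, action-id and resource-id attributes, and the decision to hand “obligatory” sentences back as governance obligations rather than access rules are all assumptions of this example; the XACML namespace, attribute identifiers and combining algorithm are the standard ones.

```python
"""Compile constrained natural-language (NNL) access rules into XACML 3.0.

Added example, not nMed's XpressRules code. The sentence grammar, the closed
verb vocabulary, the mapping of subject/action/object onto XACML attribute ids
and the handling of "obligatory" sentences are assumptions for this demo.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_UNLESS_PERMIT = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"

# The constrained grammar: "It is <modal> that <subject(s)> <verb> <object>."
# Subjects are joined by "or"; the verb must come from a closed domain vocabulary.
SENTENCE = re.compile(r"^It is (permitted|permissible|obligatory) that (.+?)\.?$")
VERBS = ("view", "initiate", "disseminate", "designate", "authorize", "create")
MODAL_EFFECT = {"permitted": "Permit", "permissible": "Permit"}  # "obligatory" is not an access rule

# Where each slot is looked up in the request context (assumed mapping):
# subject -> access-subject role, verb -> action-id, object -> resource-id.
SLOT_ATTRS = {
    "subject": ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
                "urn:oasis:names:tc:xacml:2.0:subject:role"),
    "action": ("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
               "urn:oasis:names:tc:xacml:1.0:action:action-id"),
    "resource": ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
                 "urn:oasis:names:tc:xacml:1.0:resource:resource-id"),
}


@dataclass
class NnlRule:
    modality: str       # "permitted", "permissible" or "obligatory"
    subjects: list      # article-stripped noun phrases, e.g. ["Contractor", "Doctor"]
    verb: str
    obj: str            # remainder of the sentence after the verb


def strip_article(phrase):
    return re.sub(r"^(a|an|the)\s+", "", phrase.strip(), flags=re.I)


def parse_nnl(sentence):
    """Parse one regularized sentence; reject anything outside the grammar."""
    m = SENTENCE.match(sentence.strip())
    if not m:
        raise ValueError(f"not in NNL form: {sentence!r}")
    modality, words = m.group(1), m.group(2).split()
    verb_at = next((i for i, w in enumerate(words) if w.lower() in VERBS), None)
    if verb_at is None:
        raise ValueError(f"no vocabulary verb in: {sentence!r}")
    subjects = [strip_article(s) for s in " ".join(words[:verb_at]).split(" or ")]
    return NnlRule(modality, subjects, words[verb_at].lower(), " ".join(words[verb_at + 1:]))


def q(tag):
    return f"{{{XACML_NS}}}{tag}"


def _match(parent, slot, value):
    """<Match> comparing a literal to the designated request attribute."""
    category, attr_id = SLOT_ATTRS[slot]
    match = ET.SubElement(parent, q("Match"), MatchId=STRING_EQUAL)
    ET.SubElement(match, q("AttributeValue"), DataType=XS_STRING).text = value
    ET.SubElement(match, q("AttributeDesignator"), Category=category,
                  AttributeId=attr_id, DataType=XS_STRING, MustBePresent="false")


def rule_to_xacml(rule, rule_id):
    """One permission -> one <Rule Effect="Permit"> whose Target reads
    (subject1 OR subject2 ...) AND action AND resource."""
    elem = ET.Element(q("Rule"), RuleId=rule_id, Effect=MODAL_EFFECT[rule.modality])
    target = ET.SubElement(elem, q("Target"))
    subjects = ET.SubElement(target, q("AnyOf"))          # disjunction of subjects
    for subject in rule.subjects:
        _match(ET.SubElement(subjects, q("AllOf")), "subject", subject)
    for slot, value in (("action", rule.verb), ("resource", strip_article(rule.obj))):
        _match(ET.SubElement(ET.SubElement(target, q("AnyOf")), q("AllOf")), slot, value)
    return elem


def compile_policy(sentences, policy_id="nnl-demo-policy"):
    """Return (XACML 3.0 policy as a string, list of obligatory sentences).

    Permissions become Permit rules combined deny-unless-permit, so anything
    not expressly permitted is denied. Obligatory sentences describe duties of
    the organisation, not access decisions, and are handed back for the
    governance layer rather than silently dropped."""
    ET.register_namespace("", XACML_NS)
    policy = ET.Element(q("Policy"), PolicyId=policy_id, Version="1.0",
                        RuleCombiningAlgId=DENY_UNLESS_PERMIT)
    ET.SubElement(policy, q("Target"))                    # policy applies to all requests
    obligations = []
    for n, sentence in enumerate(sentences, 1):
        rule = parse_nnl(sentence)
        if rule.modality == "obligatory":
            obligations.append(rule)
        else:
            policy.append(rule_to_xacml(rule, f"{policy_id}:rule-{n}"))
    return ET.tostring(policy, encoding="unicode"), obligations


# Constructed input: the deck's SBVR rule plus two regularized statute sentences.
SAMPLE = [
    "It is permitted that a Contractor or a Doctor or a Volunteer view a Problems Report that belongs to a Behavioral Health Patient.",
    "It is permissible that the individual initiate a request for the Central Repository to provide CHRI.",
    "It is obligatory that the Central Repository create an agreement with a criminal justice agency.",
]

if __name__ == "__main__":
    xml, obligations = compile_policy(SAMPLE)
    print(xml)
    print("governance obligations:", [f"{o.subjects[0]} {o.verb} {o.obj}" for o in obligations])
```

The constraint is enforced at the gate: a sentence whose verb is not in the domain vocabulary (for instance the Step #3 sentence about the purpose of the agreement) is refused with a `ValueError` rather than guessed at, which is what makes the generated policy auditable back to its sentence. Before deployment the emitted document should still be validated against the XACML 3.0 core schema, since this emitter only covers Target matches and not Conditions.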

SBVR Editor


Visualization: Semantic Map


Elephants

1. Constraint. Is a NL→NNL for NLP constraint scalable or even tenable? Requires deliberate strategy to avoid an O’Reilly NLP animal book

2. Programmers don’t like NL (or code generators or xGLs). Get Axiomatics’ free ALFA: screen in the DSA PPT (above)

3. Toward a constrained XACML: Pragmatic domain-specific(?) scoping definition

a. XACML Min. What is the necessary set of XACML 3.0 policies that the NLPs must generate (for the COI)?

b. XACML Max. What are the sufficient sets of XACML 3.0 policies that NLPs may generate (for the COI)?

4. Procedural. What about IF-ELSE (procedural)? / What is the necessary and sufficient procedural syntax for governance (execs and mgrs.), keeping in mind that XACML’s language model is declarative?

5. Conditions. How essential (or even prominent) are XACML 3.0 conditions? How might carefully crafted authoring tools bias rules toward targets (per the 3.0 core standard)?

6. Audit. What is the capability of the governance tool for enhancing the level of ABAC preparedness among auditors (in-house, external agency)?

PBAC Identity & Access Management


Govern

• Author natural language policies (NLPs) *

• Manage policies’ system development life cycle (SDLC) *

Deploy

• Implement data-flow model, policy language model, circles of trust

• Normalize enterprise-wide attributes

Enforce

• Receive access requests

• Render access decisions

• Generate compliant audits

* Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance (Dec 2011)

Acknowledgement: Mike Mayhew (Rome AFRL)

• Perceived in 2004 the value of NLP for XACML policy management

• Directed the SBIR I/II project resulting in XpressRules

Title: Cross-Domain Innovation and Sciences Group PM

Full info: Michael J. Mayhew, CISSP, C|EH, CDIS Group Program Manager

AFRL/RIEBA, 525 Brooks Road, Rome, NY 13441-4505. Group Tel: (315) 330-7380; Tel: (315) 330-2898, DSN: 587-2898; Fax: (315) 330-7267, DSN: 587-7267. E-Mail: [email protected]; [email protected]

Contact

Ron Turner

Chief Technical Officer

nMed LLC

[email protected]

(O): 509.467.0668

(C): 509.869.1189

Thank you!