ppl presentation 2010

SYSTEMATIC THOUGHT LEADERSHIP FOR INNOVATIVE BUSINESS PrimeLife Policy Language PPL Dr Slim Trabelsi [email protected] 27/04/2010

Upload: slimtrabelsi

Post on 23-Jan-2018



© SAP 2010/ Page 2

Agenda

• Scenario
• Authorizations and Obligations
• Authorizations and Obligations Matching
• PPL Policy Language Model
• Example
• Architecture

Scenario (diagram)

Actors: Data Subject (Client), Issuer, Data Controller (Server), Downstream Data Controller.
The Data Subject holds Personal Data (PII), either non-certified or certified as cards.
The Data Controller holds Resources (non-personal content, services, …) and collected personal data.

Message flow:
• Data Subject → Issuer: request credential; Issuer → Data Subject: card
• Data Subject → Data Controller: request resource; Data Controller → Data Subject: request personal data; Data Subject → Data Controller: personal data; Data Controller → Data Subject: resource
• Data Controller ↔ Downstream Data Controller: request personal data / personal data

Types of policies

Data Controller side

Specific Policy: over a specific resource (e.g. BuyService)
• Access control policy (ACP): who can access
  • cards to possess (e.g. ID card)
  • personal data to reveal (e.g. nationality)
  • conditions to satisfy (e.g. age>18)
• Data handling policy (DHP): how revealed personal data will be treated
  • Authorizations (e.g. marketing purposes)
  • Obligations (e.g. delete after 1y)

Generic Policy: DHP over implicitly revealed personal data (e.g. IP address, cookies, …)
• Authorizations (e.g. admin purposes)
• Obligations (e.g. delete after 1y)

Data Subject side

(Diagram: the Data Subject holds Personal Data (PD), non-certified or certified as cards; the Data Controller holds Resources (non-personal content, services, …) and collected personal data.)

Specific Policy: over specific personal data (e.g. birth date)
• Access control policy (ACP): who can access (e.g. PrivacySeal silver)
• Data handling preferences (DHPrefs): how the data is to be treated when revealed
  • Authorizations (e.g. marketing purposes, forwarded to PrivacySeal gold)
  • Obligations (e.g. delete after ≤2y)

Generic Preferences: DHPrefs over implicitly revealed personal data (e.g. IP address, cookies, …)
• Authorizations (e.g. admin purposes)
• Obligations (e.g. delete after ≤2y)

(Diagram: each side runs a Policy Engine; the exchange request resource / request personal data / personal data / resource is carried over XACML and SAML.)

Authorizations and obligations in PPL

General principle: provide a wrapper for user-extensible vocabularies; a basic pre-defined vocabulary is available.

Authorizations
• “use for purpose”: user-extensible ontology of purposes, basic pre-defined ontology available
• “forward under policy” = downstream access control

Obligations
• general structure: do action when trigger (from start to end)
• pre-defined actions: delete data, anonymize data, notify data subject, write to (secure) log
• pre-defined triggers: at time, periodic, data access, data deletion, data loss, obligation violation, aliens landing on earth

Obligation & authorization matching

Automated matching of any two data handling preferences/policies via a “less permissive than” relation (≤) defined on:
• authorizations, e.g. use for {delivery} ≤ use for {delivery, marketing}
• triggers, e.g. trigger at 2010/01/01 ≤ trigger at 2010/12/31
• actions, e.g. delete firstname, lastname ≤ delete firstname
• obligations (action a, trigger t, validity v): o1 = (a1, t1, v1) ≤ o2 = (a2, t2, v2) ⇔ (a1 ≤ a2) ∧ (t1 ≤ t2) ∧ (v1 ≤ v2)
• sets of authorizations and obligations: O1 ≤ O2 ⇔ ∀ o1 ∈ O1 ∃ o2 ∈ O2 : o1 ≤ o2
• data handling policies: P1 = (A1, O1) ≤ P2 = (A2, O2) ⇔ A1 ≤ A2 ∧ O1 ≤ O2
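The “less permissive than” relation from the matching slide, written out as an added Python example (not PrimeLife's code): each case of ≤ becomes a function and the obligation, set and policy cases compose exactly as the slide states. The ordering on an obligation's validity, which the slide leaves undefined, is an assumption here: a (start, end) enforcement window that covers the other's window counts as less permissive.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Tuple

def auth_le(a1: FrozenSet[str], a2: FrozenSet[str]) -> bool:
    # "use for" A1 <= "use for" A2: allowing fewer purposes is less permissive
    return a1 <= a2

def trigger_le(t1: date, t2: date) -> bool:
    # "trigger at" t1 <= "trigger at" t2: firing earlier is less permissive
    return t1 <= t2

def action_le(d1: FrozenSet[str], d2: FrozenSet[str]) -> bool:
    # "delete" D1 <= "delete" D2: deleting a superset of attributes is less permissive
    return d2 <= d1

def validity_le(v1: Tuple[date, date], v2: Tuple[date, date]) -> bool:
    # Assumption (not defined on the slide): a (start, end) window covering the other is less permissive
    return v1[0] <= v2[0] and v1[1] >= v2[1]

@dataclass(frozen=True)
class Obligation:
    action: FrozenSet[str]        # attributes to delete
    trigger: date                 # when the deletion fires
    validity: Tuple[date, date]   # period during which the obligation is enforced

def obligation_le(o1: Obligation, o2: Obligation) -> bool:
    # o1 = (a1,t1,v1) <= o2 = (a2,t2,v2)  <=>  a1<=a2 and t1<=t2 and v1<=v2
    return (action_le(o1.action, o2.action) and trigger_le(o1.trigger, o2.trigger)
            and validity_le(o1.validity, o2.validity))

def obligations_le(os1: FrozenSet[Obligation], os2: FrozenSet[Obligation]) -> bool:
    # O1 <= O2  <=>  every o1 in O1 is dominated by some o2 in O2
    return all(any(obligation_le(o1, o2) for o2 in os2) for o1 in os1)

Policy = Tuple[FrozenSet[str], FrozenSet[Obligation]]  # (authorizations A, obligations O)

def policy_le(p1: Policy, p2: Policy) -> bool:
    # P1 = (A1,O1) <= P2 = (A2,O2)  <=>  A1 <= A2 and O1 <= O2
    return auth_le(p1[0], p2[0]) and obligations_le(p1[1], p2[1])

def check_example() -> Tuple[bool, bool]:
    # Constructed data: o_strict deletes more, earlier and for longer than o_loose, so strict <= loose but not the reverse
    o_strict = Obligation(frozenset({"firstname", "lastname"}), date(2010, 1, 1),
                          (date(2010, 1, 1), date(2010, 12, 31)))
    o_loose = Obligation(frozenset({"firstname"}), date(2010, 12, 31),
                         (date(2010, 3, 1), date(2010, 6, 30)))
    strict: Policy = (frozenset({"delivery"}), frozenset({o_strict}))
    loose: Policy = (frozenset({"delivery", "marketing"}), frozenset({o_loose}))
    return policy_le(strict, loose), policy_le(loose, strict)
```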

PPL Policy Language Model


Example: Alice Creating an Account

Privacy Policy proposed by the Server:

DHPolicy:
• Purpose: Statistics, Administration, Marketing
• DownStreamUsage:
  – XACML_Policy (www.travel.com, read, [e-mail | personal address | Age | Credit card])
  – Purpose: Marketing
  – Obligation: Delete (*, 3 months)
• Obligation: Delete (*, 1 year)

CredentialRequirements:
• Age > 18 (condition)
• Valid Credit Card

ProvisionalAction: RevealUnderDHP ([e-mail | personal address | Age | Credit card], DHPolicy)


Example: Alice Creating an Account

Privacy Preferences imposed by Alice:

ACP: XACML_Policy (www.store.com, ANY, ANY)

DHPref:
• Purpose: Statistics, Administration, Marketing
• DownStreamUsage:
  – XACML_Policy (www.travel.com, ANY, ANY)
  – Purpose: Marketing, Administration
  – Obligation: Delete (*, 3 months)
• Obligation: Delete (*, 3 months)


Example: Alice Creating an Account

Sticky Policy generated as the result of the policy matching:

StickyPolicy:
• Purpose: Statistics, Administration, Marketing
• DownStreamUsage:
  – XACML_Policy (www.travel.com, ANY, ANY)
  – Purpose: Marketing
  – Obligation: Delete (*, 3 months)
• Obligation: Delete (*, 1 year)


Architecture (diagram)

Components: Application/Communication Facade; Context Handler; PEP; PDP; Policy Store; Credential Store; Ontology engine; Obligation Enforcement; Cred Handler (Cred Selection, UI, Idemix, X.509); Rule Verification; Resources/PII Store; Policy UI; Auth/Obl Matching Engine.

Card abstraction

• Card contains a list of attribute-value pairs
• pre-evidence: technology-specific meta-data to
  • protect attribute integrity
  • prove card ownership
• Card issuer vouches for attributes wrt owner (identity/authority)
• Hierarchy of card types: define attributes contained
• Policy: requirements on owned cards
    own p::Passport issued-by admin.ch; c::Creditcard issued-by visa.com
    reveal c.number
    where p.name = c.name ^ p.bdate < today-18Y
• Authentication = claim over owned cards + evidence, e.g.,
• Instantiating technologies include X.509, SAML, CardSpace, OpenID, Kerberos, trusted LDAP, Identity Mixer, U-Prove, …

Features

Access control requirements language supporting
• Privacy preservation
  • for user: minimal claim to be disclosed; (selectively) reveal attribute ↔ predicate satisfied
  • for server: “sanitize” sensitive policies; Bloom Filter based matching
• Multi-card claims, but prevent “card mixing” through reference pointer to individual cards
• Technology independence, but supporting advanced features, esp. anonymous credentials


Thank you!


Copyright 2010 SAP AG. All Rights Reserved.
