Confidential 1
ISTPA Framework Project: Combining Security and Privacy Throughout the Life Cycle of Personal Information
Michael Willett, Wave Systems; Chair, ISTPA Framework Project
Michael Willett:
(Assume the listener is familiar with the overall ISTPA mission, projects, and objectives)
The objective of the Framework Project is to develop an analytic framework for privacy services that “implement” the privacy fair information practices and privacy principles.
The Framework can serve as both an operational model for evolving implementations and as a tool for assessing the completeness of solutions.
Confidential 2
PRIVACY in context:
- EU Data Protection Directive
- Safe Harbor/FTC
- HIPAA
- GLB
- COPPA
- Web Services
- Identity/Authentication/SSO
- Liberty Alliance
- Microsoft Passport
- Trust @ the Edge
- e-Business
Confidential 3
PRIVACY?
Privacy = Isolation
Privacy = Anonymity
Privacy = Confidentiality
Privacy = Access Control
Confidential 4
Definitions
Security: locks, guards, passwords, cryptography, digital signatures, ... establishment and maintenance of measures to protect a system.
Privacy: proper handling and use of personal information (PI) throughout its life cycle, consistent with the preferences of the subject.
Confidence/trust: freedom from worry; a feeling.
Security + Privacy (+ Value) -> Confidence/Trust
Michael Willett:
Security deals with PROTECTION of a system, whereas privacy deals with the USE of personal information (PI). Security is an essential element of privacy, but even in a secure environment, PI can be misused (i.e., used inconsistently with the preferences of the PI subject).
Trust is not a technology or even a process; rather, trust is a feeling. By implementing security and privacy and adding customer value, we strive to engender trust in the customer/consumer.
Confidential 5
PRIVACY MANAGEMENT (diagram): the proper handling and use of personal information, kept consistent with the subject's preferences, across the personal information life cycle.
Confidential 6
Fair Information Practices
- Notice and Awareness
- Choice and Consent
- Individual Access
- Information Quality and Integrity
- Update and Correction
- Enforcement and Recourse
Michael Willett:
These fair information practices are more “operational” than the principles, but are still missing the procedural and functional “glue” to tie them together into a system.
The names of the practices are self-explanatory as to the desired behavior. For example, Choice and Consent means that the subject of the requested PI can exercise choice over the types of PI collected and can consent to that collection (either opt-out or opt-in) and the subsequent use of the PI by the requestor.
Confidential 7
Life Cycle Management of PI
Touch Points: Source/Subject -> Intermediary -> Repository/Custodian -> Requestor/Receiver
Michael Willett:
If PI never left the immediate control of the subject, then privacy would not be a problem. Issues arise when PI leaves the immediate control of the subject and moves through/to various touch points, where others may be able to “touch” and see the PI. Privacy is a PI life cycle issue.
Confidential 8
"Operational" Requirements
- Interfacing
- Control
- Life Cycle Issues
- Exception Processing
- Security
- Integrity
Michael Willett:
To create an operational framework, various system capabilities must be identified that are not explicit at the privacy requirements level (requirements = privacy practices and principles). For example, a Control function is essential to honoring the PI usage desires of the subject, but is not explicit in the privacy principles. Interfacing to the Framework is not explicit in the privacy principles either, but is another essential operational service.
Confidential 9
Privacy Services/Capabilities (© marks a capability)
- Interaction
- Agent ©
- Validation
- Negotiation
- Enforcement
- Control
- Audit (Log)
- Certification
- Usage ©
- Access ©
Michael Willett:
After several iterative rounds, the Framework Project team has evolved the following operational Services (SERVICE: DESCRIPTION):
Agent: A software process acting on behalf of a data subject or a requestor to engage with one or more of the other Services defined in this Framework. Agent also refers to the human data subject in the case of a manual process.
Interaction: Handles presentation of proposed agreements from a data collection entity to a data subject; input of the subject's personal information, preferences, and actions; and confirmation of actions. To the extent the data subject is represented by an Agent, this service comprises the interface to the Agent.
Control: Handles the role of "repository gatekeeper" to ensure that access to personal information stored by a data collection entity complies with the terms and policies of an agreement and any applicable regulations.
Validation: Handles checking for correctness of personal information at any point in its life cycle.
Negotiation: Handles arbitration of a proposal between a data collection entity and a data subject. Successful negotiation results in an agreement. Negotiation can be handled by humans, by agents, or any combination.
Usage: Handles the role of "processing monitor" to ensure that active use of personal information outside of the Control Service complies with the terms and policies of an agreement and any applicable regulations. Such uses include derivation, aggregation, anonymization, linking, and inference of data.
Audit: Handles the recording and maintenance of events in any Service to capture the data necessary to ensure compliance with the terms and policies of an agreement and any applicable regulations.
Certification: Handles validation of the credentials of any party involved in processing of a personal information transaction.
Enforcement: Handles redress when a data collection entity is not in conformance with the terms and policies of an agreement and any applicable regulations.
Confidential 10
Subject "Permission" Bound to PI (diagram): a BINDING ties the subject's PERMISSION to the PERSONAL INFORMATION inside a CONTAINER that travels through the PI LIFE CYCLE.
Michael Willett:
In order for the PI subject to exercise vicarious control over the PI as it travels beyond the immediate control of the subject, the ‘permissions’ (allowable uses) granted by the PI subject must be bound in some way to the PI. Further, the binding mechanism must be robust enough and respected by subsequent touch points in the PI life cycle so as to faithfully support the usage desires of the subject.
Depending on local or jurisdictional requirements, the binding mechanism could range from simple pointers to robust cryptography. The Framework does not mandate a particular binding, but rather treats the binding selection as a configuration parameter to the Framework.
Confidential 11
PI Container (PIC)
- PI
- PI Contract: Intended Use, Credentials, Policies, Conditions, Permissions
- Identity Credentials
- Signature (BINDING)
Michael Willett:
In order to transport the PI bound to the permissions throughout its life cycle, a “PI Container” is used. The binding mechanism is a configuration parameter, from simple pointers to full cryptographic binding.
Included in the container are the Contract (including the negotiated Permissions) and the Credentials for the subject.
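The notes on slides 9, 10 and 11 describe three things that fit together: a PI Container carrying the PI, the Contract with its negotiated Permissions and the subject's Credentials; a binding mechanism that is a configuration parameter ranging from a simple pointer to cryptographic binding; and a Control service acting as repository gatekeeper, with Audit recording each event. The following Python is an added illustration written for this page, not ISTPA code and not part of the Framework document: it models a toy PIC whose binding strength is selected by a `binding` parameter ("pointer" or "hmac"), a Control service that releases PI only for a use the Contract permits, and an Audit log. The class and function names, the demo key and the sample subject, requestor and uses are all constructed for the example; the HMAC is one concrete choice of cryptographic binding, not the one the Framework prescribes. It also shows the practical difference the binding choice makes: when a downstream touch point widens its own permissions, the HMAC binding detects the change and Control denies the request, whereas the pointer binding cannot tell.

```python
"""Toy ISTPA-style PI Container with configurable binding, plus Control and
Audit services. Constructed example for illustration, not ISTPA's own code."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed demo key. A real deployment would keep this in the Security
# Foundation (key store or HSM), never in source.
DEMO_BINDING_KEY = b"demo-key-not-for-production"


def _canonical(obj) -> bytes:
    """Deterministic JSON so the MAC covers exactly what Control later reads."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class PIContainer:
    pi: dict                  # the personal information itself
    contract: dict            # negotiated terms, including "permissions"
    credentials: dict         # identity credentials of the subject
    binding: str = "pointer"  # configuration parameter: "pointer" or "hmac"
    signature: str = ""       # set only for cryptographic binding

    def _body(self) -> bytes:
        return _canonical({"pi": self.pi, "contract": self.contract,
                           "credentials": self.credentials})

    def bind(self, key: bytes = DEMO_BINDING_KEY) -> "PIContainer":
        """Bind contract and credentials to the PI using the configured mechanism."""
        if self.binding == "hmac":
            self.signature = hmac.new(key, self._body(), hashlib.sha256).hexdigest()
        elif self.binding != "pointer":
            raise ValueError(f"unknown binding mechanism: {self.binding}")
        return self

    def binding_intact(self, key: bytes = DEMO_BINDING_KEY) -> bool:
        """A pointer binding cannot detect tampering; an HMAC binding can."""
        if self.binding == "pointer":
            return True
        expected = hmac.new(key, self._body(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, self.signature)


@dataclass
class AuditService:
    """Records events from any Service so compliance can be checked later."""
    events: list = field(default_factory=list)

    def record(self, service: str, **detail):
        self.events.append({"service": service, **detail})


class ControlService:
    """Repository gatekeeper: releases PI only for uses the Contract permits."""

    def __init__(self, audit: AuditService):
        self.audit = audit

    def request(self, pic: PIContainer, requestor: str, intended_use: str):
        if not pic.binding_intact():
            self.audit.record("Control", requestor=requestor, use=intended_use,
                              decision="deny", reason="binding check failed")
            return None
        allowed = pic.contract.get("permissions", {}).get(requestor, [])
        decision = "allow" if intended_use in allowed else "deny"
        self.audit.record("Control", requestor=requestor, use=intended_use,
                          decision=decision)
        return dict(pic.pi) if decision == "allow" else None


def demo(binding: str = "hmac") -> dict:
    """Walk a constructed PIC through a permitted use, a forbidden use, and
    a permission change made downstream without renegotiation."""
    audit = AuditService()
    control = ControlService(audit)
    pic = PIContainer(
        pi={"name": "A. Subject", "email": "subject@example.com"},      # constructed
        contract={"permissions": {"shop.example": ["order-fulfilment"]}},
        credentials={"subject-id": "demo-0001"},
        binding=binding,
    ).bind()
    results = {
        "permitted": control.request(pic, "shop.example", "order-fulfilment") is not None,
        "forbidden": control.request(pic, "shop.example", "marketing") is not None,
    }
    # A later touch point edits the Contract to grant itself a new use.
    pic.contract["permissions"]["shop.example"].append("marketing")
    results["after_change"] = control.request(pic, "shop.example", "marketing") is not None
    results["audit_events"] = len(audit.events)
    return results


if __name__ == "__main__":
    print(demo("hmac"))     # after_change is False: the binding caught the edit
    print(demo("pointer"))  # after_change is True: a pointer binding cannot
```

Run the file directly to see both configurations. The only difference between the two runs is the `binding` parameter, which is the point of slide 10's note: the Framework leaves the binding choice to configuration, and the choice decides whether Control can still trust the Permissions it reads at a later touch point.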
Confidential 12
PI Touch Point Structure (layers, top to bottom):
- Requestor/Receiver (pull/push PI)
- Legal, Technical, Administrative
- Security/Privacy (technologies/practices)
- Personal Information
Michael Willett:
At each touch point, a layered structure can be provided, with the requestor/receiver of PI at the top and the PI itself at the bottom (or innermost). The intervening layers consist of the security and privacy functions (i.e., the Framework), with a legal, technical, and administrative upper layer serving as the configuration or 'parameterization' layer for the Framework. Specific technology and policy choices are not hard-wired into the Framework, but rather are configured into the Framework at run time.
It is better to have ample, selectable parameters in the overall design, so that an installed implementation can simply be configured, instead of being replaced or upgraded.
Confidential 13
Privacy SERVICES/CAPABILITIES (diagram)
- Legal, Regulatory, and Policy Context (top layer)
- Data Subject node: Agent, Control, Interaction, Negotiation; PI, Preferences & PIC Repository
- Data Requestor node: Agent, Control, Interaction, Negotiation, Usage; PIC Repository
- PI Container (PIC) passed between the two nodes; Access
- Assurance Services: Enforcement, Audit, Certification, Validation
- Security Foundation (bottom layer)
Michael Willett:
Shown is a typical configuration of the privacy Services, with an Agent Service representing both the Subject and the Data Requestor. Interaction, Negotiation, and the all-important Control function provide a front-end to the secure data repository. The Assurance Services of Validation, Certification, Audit, and Enforcement support both nodes, whereas Usage supports the Data Requestor.
The security services (e.g., the OpenGroup taxonomy) are available to all the privacy services. The Legal, Regulatory, and Policy Context provides the necessary configuration and parameterization layer.
Confidential 14
Privacy Practices overlaid on the Services diagram (same layout as slide 13: Legal, Regulatory, and Policy Context; Data Subject and Data Requestor nodes with Agent, Control, Interaction, Negotiation; Usage; PI, Preferences & PIC Repository; PIC Repository; PI Container (PIC); Assurance Services of Enforcement, Audit, Certification, Validation; Security Foundation)
Practices shown: Notice, Awareness, Choice, Consent, Quality/Integrity, Access, Update, Correction, Enforcement, Recourse
Michael Willett:
The original fair information practices are overlaid on the Privacy Framework, showing the operational “implementation” of the practices. Note that Individual Access is a “use case” application of the Framework, exploiting Negotiation.
Confidential 15
Summary
- Privacy: consumer prejudice, legal time bomb
- ISTPA: "... admin/technical/legal framework..."
- Privacy = proper handling...consistent...preferences
- Operational privacy principles/practices: SERVICES
- Combine with Security Services (e.g., OpenGroup)
- Usability studies (w/Johns Hopkins Univ)
- Privacy Framework version 1 document (30 May)
- CMU + ISTPA Technical Partnership
Michael Willett:
The Privacy Framework structure is still evolving; your input and suggestions are welcome. The Framework Project is actively validating the Framework with Use Cases.
Confidential 16
ISTPA: www.istpa.org
To receive a copy of the ISTPA Privacy Framework v1.0 doc,
Write to: