Privacy Policy Languages:

Transcription

1 Privacy Policy Languages: XACML vs EPAL 5 th Annual Privacy & Security Workshop 29 October 2004 Anne Anderson Staff Engineer Sun Microsystems Labs Burlington, MA, USA Anne.Anderson@sun.com Copyright 2004 Sun Microsystems, Inc. All rights reserved.

2 Outline Privacy policy language context XACML overview EPAL overview Language comparison Problem areas Conclusions Further information

3 Outline Privacy policy language context XACML overview EPAL overview Language comparison Problem areas Conclusions Further information

4 Automated Privacy Policy Enforcement Users Applications Data/Resources - Files - Equipment - Databases - Other applications...

5 Automated Privacy Policy Enforcement Users Applications Access Control Data/Resources - Files - Equipment - Databases - Other applications...

6 Automated Privacy Policy Enforcement Applications Permit AccessControl Deny Data/Resources - Files - Equipment - Databases - Other applications... Policy Administrators Policies Obligations... Audit Notify

7 Automated Privacy Policy Enforcement Application Business Logic access request response Policy Enforcement Point PEP decision request decision + obligations Policy Decision Point PDP PEP: -access interception -decision enforcement -obligation fulfillment data/ resources attributes policies

8 Privacy/Access Control Policies Who - user identities or roles What - resources or data How - actions Why - purpose/context Conditions - under which allowed or denied Obligations - if allowed or denied

9 Privacy/Access Control Policies Two candidate languages XACML: OASIS extensible Access Control Markup Language Standard EPAL: IBM Enterprise Privacy Authorization Language

10 Outline Privacy policy language context XACML overview EPAL overview Language comparison Problem areas Conclusions Further information

11 XACML Overview (1) extensible Access Control Markup Language OASIS Access Control Technical Committee (TC) OASIS Standard, February 2003 Publicly available and open source implementations (Java *, C++, C#) * Java (TM) programming language

12 XACML Overview (2) Works with OASIS Security Assertion Markup Language (SAML) Version 2.0 out for public review Privacy profile of XACML Part of XACML 2.0 package Works with XACML 1.0 and XACML 1.1 also

13 XACML Policy Structure PolicySet PolicySet Rule Policy

14 XACML policy example EnterprisePolicySet Combining Algorithm PolicySet Target HR Policy Facilities Policy Legal Policy HR Policy Combining Algorithm Policy Target Rule 1 Rule 2 Obligations Rule 1: Effect= Permit Rule Target Resource = /Staff/SalaryAction/* SubjectRole = HRSupervisor SubjectId /Staff/SalaryAction/*#Employee-Id Action = Read Purpose = Audit Note: typos in printed version

15 Outline Privacy policy language context XACML overview EPAL overview Language comparison Problem areas Conclusions Further information

16 EPAL Overview Enterprise Privacy Authorization Language IBM specification Submitted to W3C 10 November 2003; no action EPAL 1.1 used XACML explicitly EPAL 1.2 uses a lot of XACML (attribute concepts, functions, datatypes, obligations)

17 EPAL Policy Structure Policy Vocabulary user-category data-category container Rule purpose action obligation

18 Outline Privacy policy language context XACML overview EPAL overview Language comparison Problem areas Conclusions Further information

19 Language comparison Both have: Policies made up of Rules Rule = effect, target, conditions Effect of permit or deny Rules can be Not applicable Same basic attribute concept Almost identical constraints on attributes

20 Language comparison Obligations EPAL: in Rules EPAL: by reference, thus need parameters EPAL: associated with the Rule Identifier XACML: in Policies (can have a 1-Rule Policy) XACML: direct; include any parameters XACML: associated with the accessed Resource

21 Language comparison Vocabulary and Variables EPAL: one reference to one vocabulary EPAL: vocabulary defines all attributes and obligations XACML: optional Variable Definitions XACML: Variable Definition can be for an attribute or for an entire constraint XACML: supports optional vocabulary attributes

22 Outline Privacy policy language context XACML overview EPAL overview Language comparison Problem areas Conclusions Further information

23 EPAL limitations EPAL: Not designed for access control Unlike access control, the <purpose> is part of an EPAL authorization query. Without knowing the purpose of an access, authorization cannot be decided. As a consequence, any system using EPAL must be able to determine a purpose before asking the EPAL engine to evaluate a given policy. [EPAL 1.2, Section 3.5] XACML: designed for access control, including privacy. Two optional purpose attributes: purpose data collected, purpose data accessed.

24 Privacy and access control Privacy policy is one component of access control policy Must be integrated for security, manageability, consistency, effective enforcement and auditing

25 EPAL limitations EPAL: Not designed for enterprise-level policies No nested policies No distributed policies Uses features not supporting digitally signed policies Only one subject allowed per access request Only first-applicable Rule is evaluated XACML: deals with all of these.

26 EPAL limitations EPAL:Inconsistent treatment of attributes user-category, data-category vs container attributes: handled differently Requester must know policy to specify an attribute as a category or as a container attribute XACML All attributes same type of object Attributes handled consistently Requester does not have to know the policy

27 EPAL limitations EPAL: Limited concept of role Must be a manager AND Must be a member of the Strategy Team : Manager and Strategy Team member must be specified differently XACML: consistent specification of role attributes.

28 EPAL limitations EPAL: Limited concept of hierarchical role EPAL: Each policy writer has to know the role hierarchy. XACML: independent management of role hierarchies. Note: typos in printed version

29 EPAL limitations EPAL: One vocabulary per policy: Policies may cover data defined by multiple standards. Policy writer must re-write them into one vocabulary. XACML: supports optional vocabulary attributes and Variable Definitions

30 EPAL limitations EPAL: Not a standard Submitted to W3C Nov 2003 W3C has taken no action Currently a proprietary IBM product XACML: OASIS Standard since Feb 2003.

31 Outline Privacy policy language context XACML overview EPAL overview Language comparison Problem areas Conclusions Further information

32 Conclusions EPAL: functional subset of XACML EPAL: proprietary; not a standard EPAL: design limitations XACML: access control + privacy XACML: open standard XACML: multiple implementations XACML: multiple vendors

33 Outline Privacy policy language context XACML overview EPAL overview Language comparison Problem areas Conclusions Further information

34 Further information A Comparison of EPAL and XACML Privacy profile of XACML A Brief Introduction to XACML OASIS Access Control (XACML) Technical Committee (all specifications and other documents) xx Sun's XACML Open Source Implementation Anne Anderson <Anne.Anderson@sun.com>

35 Sun, Sun Microsystems, the Sun logo, and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and in other countries. Copyright 2004 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved.