EIC 2014 Oasis Workshop: Using XACML to implement Privacy by Design

David Brossard
David BrossardChief Technology Officer at Axiomatics
1
Implementing Privacy
Using the OASIS XACML Standard to
implement privacy using attribute-
based access control
Externalizing Authorization Introduction to XACML XACML & Privacy
© 2014 Axiomatics AB
Customer use cases
2
Externalizing Authorization
Next Generation Authorization
Attribute Based Access Control
© 2014 Axiomatics AB
Authentication & Authorization
© 2014 Axiomatics AB 3
Authentication:
Determine who the user is
Authorization:
Determine what the user can do
© 2014 Axiomatics AB 4
AuthZ
Business-
driven
Operation-
driven
Compliance
-driven
Examples
 Business-driven
 Finance: A junior teller can approve transactions up to 1,000 USD.
 Healthcare: A senior nurse can edit the notes of a medical record.
 Operations-driven
 Finance: No one can approve transactions between 5pm and 9am.
 Healthcare: No one can print a medical record from home.
 Compliance-driven
 Finance: a trader cannot approve a trade order he created (segregation of duty)
 Healthcare: mask the social security number on the X-ray print-out
© 2014 Axiomatics AB 5
This is where privacy fits in.
Privacy-enabling authorization: requirements
 A bank customer wants their account information to be available to bank staff.
 So long as their access is motivated by services they provide the customer
 The customer doesn’t want bank staff to access the data for other reasons
 E.g. gossip
 For privacy, CONTEXT IS KEY.
 A staff member viewing a record may be aligned with privacy requirements on Monday…
 But violating them on Tuesday.
 How do existing authorization frameworks cater for context?
 They don’t
 We need to look for a new framework or model?
© 2014 Axiomatics AB 6
Challenges with existing authorization solutions
 User-centric only
 Software-specific
 Static
 Lack of visibility  difficult to audit the system
 Cannot cater for context
 Cannot evolve to meet new business needs
 Expensive
 Developers don’t like it
© 2014 Axiomatics AB 7
The need for next-generation authorization
© 2014 Axiomatics AB 8
External from
applications
•Decouple
business logic
implementation
from
authorization
logic
Standards-based
•OASIS XACML:
eXtensible
Access Control
Markup
Language
Fine-grained
•It’s not just
about who the
user is, it’s
about who,
what, when,
where, why, and
how
Context-aware
•Context
matters: time of
day, device,
purpose of use…
Attribute-based Access Control (ABAC)
Implement privacy with Attribute-based access control
© 2014 Axiomatics AB 9
Doctors should be able to view the
records of patients assigned to their
unit and edit the records of those
patients with whom they have a care
relationship
Privacy by design: ONLY authorized persons can access/update the record
ABAC takes multiple factors into account
 Not just users and roles…
… but also attributes reflecting the business process and context
 Policies define precise access rules….
… which are dynamically enforced in real-time
© 2014 Axiomatics AB 10
WHO WHAT WHERE WHEN WHY HOW
It’s not
just about
but also and
Attribute-Based Access Control
© 2014 Axiomatics AB
User
Attributes
Policies
Example: Doctors can open &
edit a patient’s health record
in the hospital emergency
room between 5PM and 8 AM.
Action Resource Context
Read more here:
csrc.nist.gov/projects/abac/
Externalized Authorization Management Benefits
 User-, Resource-, Relationship-centric: *-based access control
 Standards-based, generic: implemented on top of OASIS XACML
 Dynamic: adapt to change and context
 Centrally managed authorization: all authorization policies are in one place
 Context is one of the parameters: take time, location and device into account
 Adapts to new requirements: authorization policies can grow independently
 Reusable, cost-effective: write once, enforce everywhere
 Easy on developers: developers no longer need to worry about authorization.
© 2014 Axiomatics AB 12
13
An introduction to XACML
OASIS XACML:
eXtensible Access Control Markup Language
© 2014 Axiomatics AB
What is XACML?
 Pronunciation
 eXtensible Access Control Markup Language
 OASIS standard
 V 3.0 approved in January 2013
 V 1.0 approved in 2003 (11 years ago!)
 XACML is expressed as
 A specification document and
 An XML schema
 http://www.oasis-open.org/committees/xacml/
© 2014 Axiomatics AB 14
What does XACML contain?
© 2014 Axiomatics AB 15
XACML
Reference
Architecture
Policy
Language
Request /
Response
Protocol
The XACML Architecture & Flow
© 2014 Axiomatics AB
Decide
Policy Decision Point
Manage
PolicyAdministration Point
Support
Policy Information Point
Policy Retrieval Point
Enforce
Policy Enforcement Point
Access Doc.
#123
Can Alice access
Document
#123?
Yes, Permit
Load XACML
policies
Retrieve user
role, clearance
and document
classification
Access Doc.
#123
Where do I protect?
 Choose a broad protection
 At the API level
 At the database level
© 2014 Axiomatics AB 17
Database Tier
DB
API & Business Tier
(Web Services,
REST…)
Presentation tier
(Portals)
Sample XACML Policy
© 2014 Axiomatics AB 18
Root Policy Set
PolicySet
Policy
Rule
Effect=Permit
Rule
Effect = Deny
PolicySet
Policy
Rule
Effect =
Permit
19
XACML & Privacy
Using XACML to implement various privacy regulations
© 2014 Axiomatics AB
XACML profiles on privacy
 Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of XACML for
Healthcare (link)
 This profile provides a cross-enterprise security and privacy profile that describes how to use
XACML to provide privacy policies and consent directives in an interoperable manner.
 Cross-Enterprise Security and Privacy Authorization (XSPA) profile of XACML v2.0 for
Healthcare, Implementation Examples (link)
 This profile takes HL7 examples and converts to XACML
 Privacy policy profile of XACML v2.0
 Based on the Organization of Economic Cooperation and Development (1980) privacy
guidelines
 Other regulations on data protection (not specific to privacy)
 XACML Intellectual Property Control (IPC) Profile
 XACML 3.0 Export Compliance-US (EC-US) Profile
© 2014 Axiomatics AB 20
HL7 Security and Privacy Ontology Use Cases
© 2014 Axiomatics AB 21
/*
* Access Control Based on Category of Action
* Access to progress notes
*/
policy progressNotes{
target clause objectType=="progress note"
apply firstApplicable
/*
* A primary physician can create a patient's progress note
*/
rule createNote{
target clause role=="physician" and action=="create"
condition primaryPhysician==requestorId
permit
}
}
link
(the above is ALFA – a XACML pseudo-code. Download ALFA here.)
XACML & the 7 Foundational Principles (1/2)
© 2014 Axiomatics AB 22
Proactive not
Reactive; Preventative not
Remedial
•XACML defines an
architecture enacted at
runtime
Privacy as the Default
Setting
•XACML policies enable
exact privilege settings
Privacy Embedded into
Design
•IT projects can focus on
authorization requirements
on the one hand and
business requirements on
the other
•Clear separation of
concerns
XACML & the 7 Foundational Principles (2/2)
© 2014 Axiomatics AB 23
Full Functionality — Positive-
Sum, not Zero-Sum
•XACML is a business enabler
•It allows for data to be securely
shared
•XACML helps deliver new services
End-to-End Security — Full
Lifecycle Protection
•XACML policies evolve with the
data they protect
•XACML policies can adapt to
regulatory change
Visibility and Transparency —
Keep it Open
•XACML policies are centrally
managed and can be easily
audited
•XACML policies mirror business
requirements closely
Respect for User Privacy — Keep
it User-Centric
•XACML policies focus on the
entire picture: from who is
accessing the data to the
relationships to the purpose of
use…
Privacy by Design:Trilogy of Applications & XACML
© 2014 Axiomatics AB 24
Information
Technology
Accountable
Business
Practices
Physical
Design
Watch Ann Cavoukian
on the Trilogy of Applications.
XACML promotes a
well-defined
architecture
XACML policies map
closely to business
requirements
XACML enables the positive-sum
 Example: medical records
 Medical records used to be stored in a physical location at the doctor’s office.
 Security was there by default: it is hard to access information stored in a file cabinet
 Today: new consumer & medical patterns emerge
 Let patients browse their medical data online
 Share data with other medical actors (hospitals, specialists, pharmacies…) and non-
medical actors (insurance companies…)
 The promise: deliver better care
 XACML, as an IT security artefact, can help go from high-level privacy designs
to technical implementations
© 2014 Axiomatics AB 25
Key take-aways
 Privacy is more about controlled information sharing than the prevention
thereof  XACML enables secure information sharing
 The privacy headache will explode once the new EU regulation becomes reality
 industries will need a means to quickly and efficiently implement privacy.
XACML is the way to go on a technical level
 Privacy is not just about compliance, it’s also about
 Brand
 Reputation, and
 Trust.
 A key challenge is that privacy is a human concept. XACML bridges the gap
between human & business requirements and technical implementations
© 2014 Axiomatics AB 26
27
Customer Implementations
Examples from the world of finance, healthcare, and
pharmaceutical
© 2014 Axiomatics AB
Norwegian bank (1/2)
 Lov om behandling av personopplysninger (personopplysningsloven | link)
 Datatilsynet (Norwegian Data Protection Authority) requires:
 that bank clients should be able to demand exact records of which staff member
accessed their account details or other privacy sensitive data and when this happened
 that the bank must ensure that only staff members with a purpose of use motivated by
tasks performed in the course of their professional duties access sensitive data. The
bank must be able to investigate any suspicions that this rule is being violated by staff
members.
 that the bank duly considers the risk assessment mandates of the legislation must be
recognized (for instance with regard to VIP accounts or accounts of citizens with a
protected identity due to witness protection etc.)
 The project used XACML to implement fine-grained access control in
conformance with privacy regulations
© 2014 Axiomatics AB 28
Norwegian bank (2/2) Details
 A whitelist is defined: customers have the right to define who can access their
data
 A blacklist is defined: customer have the right to define who cannot access
their data
 E.g. relatives…
 Common rules are implemented
 Only employees in a given branch can view customer data from that branch
 Exception handling and flags are implemented
 All access to data is logged for future accountability
© 2014 Axiomatics AB 29
Swedish National Healthcare
 Project driven by the Swedish Medical Care Advice Service
 Goal: comprehensive IT-solution for electronic patient record management
 Uniform technical choices for future security services
 Excerpt from the general goals for BIF services
 Provide access to authorized personnel
 Protect sensitive patient data against unauthorized access
 Functional requirements
 Strong emphasis on standard based approaches
 E.g. XACML shall be used for access control
 World’s largest deployment of XACML yet
© 2014 Axiomatics AB 30
Swedish National Healthcare: access control rules
 At the medical center level
 Only doctors that belong to the given medical center can see records of patients from
that medical center
 At the district level
 Only doctors that belong to the given district can see records of patients from that
district
 Patients can define their own policies: patient-defined disclosure policies (pddp)
 At the top level – the organization
 Patients need to provide an additional consent form for their data to be disclosed
 An emergency plan provides for exceptional policies to override patient-defined rules
Northern Spain Hospitals CancerTreatment (1/2)
 BEinGRID: EU-funded development of Business Models for the Grid Industry.
 Healthcare business use case
 Provide new compute intensive radiotherapy tools to hospitals remotely
 Challenge: A new treatment needs several hours or days.
 Goal: drive down the time it takes to design radiotherapy treatments
 Privacy?
 Radiotherapy records contain Personal Health Information (PHI) that must be stripped
before the records can be sent to the super computers
 Read more
 Link
© 2014 Axiomatics AB 32
Northern Spain Hospitals CancerTreatment (2/2)
© 2014 Axiomatics AB 33
Security GWHOSPITAL
Policy
Server
TREATMENT
SERVICES
Policies
DB
PDP
Web Service
getRole
verify
optimize
commissioning
verify
1
2
3
4
5
6
PDP
PEP
US Pharmaceutical
 Goal: share medical information (clinical trials, molecule…) with partners,
contractors, universities, and authorities
 Privacy?
 Clinical trials contain highly sensitive PHI.
 For the customer the alternative is not sharing the data at all to avoid breaches & fines.
© 2014 Axiomatics AB 34
More examples here at EIC 2014
 Drivers and Lessons learned from a Recent ABAC Implementation at Generali
 Manuel Schneider, Generali
 14.05.2014 14:30-15:30
 ABAC - Visions and Reality
 Finn Frisch, Axiomatics
 14.05.2014 14:30-15:30
 Dynamic Authorization Management: The Market and its Future
 Graham Williamson
 14.05.2014 12:00-13:00
 RBAC, ABAC, or Both?
 Panel
 14.05.2014 12:00-13:00
© 2014 Axiomatics AB 35
© 2014 Axiomatics AB 36
Thank you.
1 of 36

Recommended

OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is... by
OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...
OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...David Brossard
1.5K views28 slides
Fine grained access control for cloud-based services using ABAC and XACML by
Fine grained access control for cloud-based services using ABAC and XACMLFine grained access control for cloud-based services using ABAC and XACML
Fine grained access control for cloud-based services using ABAC and XACMLDavid Brossard
2.8K views27 slides
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)? by
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?David Brossard
2.6K views58 slides
Authorization - it's not just about who you are by
Authorization - it's not just about who you areAuthorization - it's not just about who you are
Authorization - it's not just about who you areDavid Brossard
7.2K views41 slides
To the cloud and beyond: delivering policy-driven authorization for cloud app... by
To the cloud and beyond: delivering policy-driven authorization for cloud app...To the cloud and beyond: delivering policy-driven authorization for cloud app...
To the cloud and beyond: delivering policy-driven authorization for cloud app...David Brossard
265 views15 slides
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve... by
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...David Brossard
9.4K views40 slides

More Related Content

What's hot

Cloud design patterns - Federated Identity & Gatekeeper by
Cloud design patterns - Federated Identity & GatekeeperCloud design patterns - Federated Identity & Gatekeeper
Cloud design patterns - Federated Identity & GatekeeperRoger Chien
2K views10 slides
Identity as a Service by
Identity as a ServiceIdentity as a Service
Identity as a ServicePrabath Siriwardena
5.2K views78 slides
Entertainment case study - Scalable and secure cloud delivery framework speed... by
Entertainment case study - Scalable and secure cloud delivery framework speed...Entertainment case study - Scalable and secure cloud delivery framework speed...
Entertainment case study - Scalable and secure cloud delivery framework speed...Sendachi
110 views4 slides
Federated Identity Architectures Integrating With The Cloud by
Federated Identity Architectures   Integrating With The CloudFederated Identity Architectures   Integrating With The Cloud
Federated Identity Architectures Integrating With The Cloudrsnarayanan
1.3K views25 slides
Identiverse 2021 enterprise identity: What foundations by
Identiverse 2021 enterprise identity: What foundationsIdentiverse 2021 enterprise identity: What foundations
Identiverse 2021 enterprise identity: What foundationsBertrand Carlier
94 views26 slides
Getting Cloud Architecture Right the First Time Ver 2 by
Getting Cloud Architecture Right the First Time Ver 2Getting Cloud Architecture Right the First Time Ver 2
Getting Cloud Architecture Right the First Time Ver 2David Linthicum
1.7K views44 slides

What's hot(20)

Cloud design patterns - Federated Identity & Gatekeeper by Roger Chien
Cloud design patterns - Federated Identity & GatekeeperCloud design patterns - Federated Identity & Gatekeeper
Cloud design patterns - Federated Identity & Gatekeeper
Roger Chien2K views
Entertainment case study - Scalable and secure cloud delivery framework speed... by Sendachi
Entertainment case study - Scalable and secure cloud delivery framework speed...Entertainment case study - Scalable and secure cloud delivery framework speed...
Entertainment case study - Scalable and secure cloud delivery framework speed...
Sendachi110 views
Federated Identity Architectures Integrating With The Cloud by rsnarayanan
Federated Identity Architectures   Integrating With The CloudFederated Identity Architectures   Integrating With The Cloud
Federated Identity Architectures Integrating With The Cloud
rsnarayanan1.3K views
Identiverse 2021 enterprise identity: What foundations by Bertrand Carlier
Identiverse 2021 enterprise identity: What foundationsIdentiverse 2021 enterprise identity: What foundations
Identiverse 2021 enterprise identity: What foundations
Bertrand Carlier94 views
Getting Cloud Architecture Right the First Time Ver 2 by David Linthicum
Getting Cloud Architecture Right the First Time Ver 2Getting Cloud Architecture Right the First Time Ver 2
Getting Cloud Architecture Right the First Time Ver 2
David Linthicum1.7K views
Identity and Access Management by Prashanth BS
Identity and Access ManagementIdentity and Access Management
Identity and Access Management
Prashanth BS722 views
Salesforce Backup, Restore & Archiving- Adam Best, Senior Program Architect by gemziebeth
Salesforce Backup, Restore & Archiving- Adam Best, Senior Program ArchitectSalesforce Backup, Restore & Archiving- Adam Best, Senior Program Architect
Salesforce Backup, Restore & Archiving- Adam Best, Senior Program Architect
gemziebeth272 views
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id... by Profesia Srl, Lynx Group
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa... by Eve Maler
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
Eve Maler2.1K views
Agility, Business Continuity & Security in a Digital World: Can we have it all? by Ocean9, Inc.
Agility, Business Continuity & Security in a Digital World: Can we have it all?Agility, Business Continuity & Security in a Digital World: Can we have it all?
Agility, Business Continuity & Security in a Digital World: Can we have it all?
Ocean9, Inc.405 views
SAP Identity Management Overview by SAP Technology
SAP Identity Management OverviewSAP Identity Management Overview
SAP Identity Management Overview
SAP Technology27.9K views
The New Venn of Access Control in the API-Mobile-IOT Era by ForgeRock
The New Venn of Access Control in the API-Mobile-IOT EraThe New Venn of Access Control in the API-Mobile-IOT Era
The New Venn of Access Control in the API-Mobile-IOT Era
ForgeRock1.9K views
Microsoft Insurance Solutions Keynote Presentation at the Financial Services ... by Mike Walker
Microsoft Insurance Solutions Keynote Presentation at the Financial Services ...Microsoft Insurance Solutions Keynote Presentation at the Financial Services ...
Microsoft Insurance Solutions Keynote Presentation at the Financial Services ...
Mike Walker1.5K views
Salesforce Shield: How to Deliver a New Level of Trust and Security in the Cloud by Dreamforce
Salesforce Shield: How to Deliver a New Level of Trust and Security in the CloudSalesforce Shield: How to Deliver a New Level of Trust and Security in the Cloud
Salesforce Shield: How to Deliver a New Level of Trust and Security in the Cloud
Dreamforce1.3K views
IdM Reference Architecture by Hannu Kasanen
IdM Reference ArchitectureIdM Reference Architecture
IdM Reference Architecture
Hannu Kasanen2.8K views
CIS14: User-Managed Access by CloudIDSummit
CIS14: User-Managed AccessCIS14: User-Managed Access
CIS14: User-Managed Access
CloudIDSummit1.2K views

Viewers also liked

Get data without the creepiness factor, the privacy by design concept by
Get data without the creepiness factor, the privacy by design conceptGet data without the creepiness factor, the privacy by design concept
Get data without the creepiness factor, the privacy by design conceptAurélie Pols
1.1K views33 slides
RBAC & ABAC: гибридное решение для управления правами доступа by
RBAC & ABAC: гибридное решение для управления правами доступаRBAC & ABAC: гибридное решение для управления правами доступа
RBAC & ABAC: гибридное решение для управления правами доступаCUSTIS
1.6K views17 slides
XACML - Fight For Your Love by
XACML - Fight For Your LoveXACML - Fight For Your Love
XACML - Fight For Your LoveDavid Brossard
1.7K views21 slides
Towards Privacy by Design. Key issues to unlock science. by
Towards Privacy by Design. Key issues to unlock science.Towards Privacy by Design. Key issues to unlock science.
Towards Privacy by Design. Key issues to unlock science.Marlon Domingus
428 views18 slides
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ... by
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...David Brossard
3.1K views20 slides
Case Study: Healthcare Outsourcing - Operational Efficiencies and Cost Saving... by
Case Study: Healthcare Outsourcing - Operational Efficiencies and Cost Saving...Case Study: Healthcare Outsourcing - Operational Efficiencies and Cost Saving...
Case Study: Healthcare Outsourcing - Operational Efficiencies and Cost Saving...Infinit-O Global, Limited
1.7K views8 slides

Viewers also liked(9)

Get data without the creepiness factor, the privacy by design concept by Aurélie Pols
Get data without the creepiness factor, the privacy by design conceptGet data without the creepiness factor, the privacy by design concept
Get data without the creepiness factor, the privacy by design concept
Aurélie Pols1.1K views
RBAC & ABAC: гибридное решение для управления правами доступа by CUSTIS
RBAC & ABAC: гибридное решение для управления правами доступаRBAC & ABAC: гибридное решение для управления правами доступа
RBAC & ABAC: гибридное решение для управления правами доступа
CUSTIS1.6K views
XACML - Fight For Your Love by David Brossard
XACML - Fight For Your LoveXACML - Fight For Your Love
XACML - Fight For Your Love
David Brossard1.7K views
Towards Privacy by Design. Key issues to unlock science. by Marlon Domingus
Towards Privacy by Design. Key issues to unlock science.Towards Privacy by Design. Key issues to unlock science.
Towards Privacy by Design. Key issues to unlock science.
Marlon Domingus428 views
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ... by David Brossard
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...
David Brossard3.1K views
Case Study: Healthcare Outsourcing - Operational Efficiencies and Cost Saving... by Infinit-O Global, Limited
Case Study: Healthcare Outsourcing - Operational Efficiencies and Cost Saving...Case Study: Healthcare Outsourcing - Operational Efficiencies and Cost Saving...
Case Study: Healthcare Outsourcing - Operational Efficiencies and Cost Saving...
Oasis Home healthcare slide show by Anab Ali
Oasis Home healthcare  slide showOasis Home healthcare  slide show
Oasis Home healthcare slide show
Anab Ali404 views
WSO2Con USA 2017: Enhancing Customer Experience with WSO2 Identity Server by WSO2
WSO2Con USA 2017: Enhancing Customer Experience with WSO2 Identity ServerWSO2Con USA 2017: Enhancing Customer Experience with WSO2 Identity Server
WSO2Con USA 2017: Enhancing Customer Experience with WSO2 Identity Server
WSO21.3K views
Oasis Canada Presentation by Orm India
Oasis Canada PresentationOasis Canada Presentation
Oasis Canada Presentation
Orm India887 views

Similar to EIC 2014 Oasis Workshop: Using XACML to implement Privacy by Design

Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s... by
Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...
Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...ggebel
283 views36 slides
Top Ten Reasons Why Developers Don't Adopt ABAC by
Top Ten Reasons Why Developers Don't Adopt ABACTop Ten Reasons Why Developers Don't Adopt ABAC
Top Ten Reasons Why Developers Don't Adopt ABACForgeRock
2.9K views38 slides
Authorization The Missing Piece of the Puzzle by
Authorization The Missing Piece of the PuzzleAuthorization The Missing Piece of the Puzzle
Authorization The Missing Piece of the PuzzleNordic APIs
1.8K views35 slides
Do you have a business case for Attribute Based Access Control (ABAC)? by
Do you have a business case for Attribute Based Access Control (ABAC)?Do you have a business case for Attribute Based Access Control (ABAC)?
Do you have a business case for Attribute Based Access Control (ABAC)?Finn Frisch
349 views34 slides
Do you have a business case for Attribute Based Access Control (ABAC)? by
Do you have a business case for Attribute Based Access Control (ABAC)?Do you have a business case for Attribute Based Access Control (ABAC)?
Do you have a business case for Attribute Based Access Control (ABAC)?Finn Frisch
366 views34 slides
Cut Through Cloud Clutter: Insights from Visible Ops Private Cloud by
Cut Through Cloud Clutter: Insights from Visible Ops Private CloudCut Through Cloud Clutter: Insights from Visible Ops Private Cloud
Cut Through Cloud Clutter: Insights from Visible Ops Private CloudFlexera
523 views23 slides

Similar to EIC 2014 Oasis Workshop: Using XACML to implement Privacy by Design(20)

Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s... by ggebel
Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...
Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...
ggebel283 views
Top Ten Reasons Why Developers Don't Adopt ABAC by ForgeRock
Top Ten Reasons Why Developers Don't Adopt ABACTop Ten Reasons Why Developers Don't Adopt ABAC
Top Ten Reasons Why Developers Don't Adopt ABAC
ForgeRock2.9K views
Authorization The Missing Piece of the Puzzle by Nordic APIs
Authorization The Missing Piece of the PuzzleAuthorization The Missing Piece of the Puzzle
Authorization The Missing Piece of the Puzzle
Nordic APIs1.8K views
Do you have a business case for Attribute Based Access Control (ABAC)? by Finn Frisch
Do you have a business case for Attribute Based Access Control (ABAC)?Do you have a business case for Attribute Based Access Control (ABAC)?
Do you have a business case for Attribute Based Access Control (ABAC)?
Finn Frisch349 views
Do you have a business case for Attribute Based Access Control (ABAC)? by Finn Frisch
Do you have a business case for Attribute Based Access Control (ABAC)?Do you have a business case for Attribute Based Access Control (ABAC)?
Do you have a business case for Attribute Based Access Control (ABAC)?
Finn Frisch366 views
Cut Through Cloud Clutter: Insights from Visible Ops Private Cloud by Flexera
Cut Through Cloud Clutter: Insights from Visible Ops Private CloudCut Through Cloud Clutter: Insights from Visible Ops Private Cloud
Cut Through Cloud Clutter: Insights from Visible Ops Private Cloud
Flexera523 views
Oracle Revenue Management and Billing; ORMB para Actividades Bancarias by claudiablest
Oracle Revenue Management and Billing; ORMB para Actividades BancariasOracle Revenue Management and Billing; ORMB para Actividades Bancarias
Oracle Revenue Management and Billing; ORMB para Actividades Bancarias
claudiablest3K views
EXL - Global Risk Privacy Framework by Ashish Kumar
EXL -  Global Risk Privacy FrameworkEXL -  Global Risk Privacy Framework
EXL - Global Risk Privacy Framework
Ashish Kumar17 views
Jelecos: Achieving Compliance with Axcient by Erin Olson
Jelecos: Achieving Compliance with AxcientJelecos: Achieving Compliance with Axcient
Jelecos: Achieving Compliance with Axcient
Erin Olson391 views
CIS14: The Very Latest in Authorization Standards by CloudIDSummit
CIS14: The Very Latest in Authorization StandardsCIS14: The Very Latest in Authorization Standards
CIS14: The Very Latest in Authorization Standards
CloudIDSummit1.9K views
Accenture: ACIC Rome & Commvault by Accenture Italia
Accenture: ACIC Rome & Commvault Accenture: ACIC Rome & Commvault
Accenture: ACIC Rome & Commvault
Accenture Italia4.6K views
CIS 2015- Rethinking Your Authorization Strategy- Gerry Gebel by CloudIDSummit
CIS 2015- Rethinking Your Authorization Strategy- Gerry GebelCIS 2015- Rethinking Your Authorization Strategy- Gerry Gebel
CIS 2015- Rethinking Your Authorization Strategy- Gerry Gebel
CloudIDSummit897 views
Safe Cloud Principles for the FSI Industry 2014, endorsed by the Asia Cloud C... by accacloud
Safe Cloud Principles for the FSI Industry 2014, endorsed by the Asia Cloud C...Safe Cloud Principles for the FSI Industry 2014, endorsed by the Asia Cloud C...
Safe Cloud Principles for the FSI Industry 2014, endorsed by the Asia Cloud C...
accacloud121 views
Oracle Insurance: A Clear Vision for the Industry by muratc2a
Oracle Insurance: A Clear Vision for the IndustryOracle Insurance: A Clear Vision for the Industry
Oracle Insurance: A Clear Vision for the Industry
muratc2a5.1K views
Key Considerations for Cloud Procurement - AWS Innovate Ottawa: by Amazon Web Services
 Key Considerations for Cloud Procurement - AWS Innovate Ottawa: Key Considerations for Cloud Procurement - AWS Innovate Ottawa:
Key Considerations for Cloud Procurement - AWS Innovate Ottawa:
End User Computing at CloudHesive.pptx by CloudHesive
End User Computing at CloudHesive.pptxEnd User Computing at CloudHesive.pptx
End User Computing at CloudHesive.pptx
CloudHesive16 views
1.Innova Zurich by Ermando
1.Innova Zurich1.Innova Zurich
1.Innova Zurich
Ermando877 views
Get Started Today with Cloud-Ready Contracts | AWS Public Sector Summit 2016 by Amazon Web Services
Get Started Today with Cloud-Ready Contracts | AWS Public Sector Summit 2016Get Started Today with Cloud-Ready Contracts | AWS Public Sector Summit 2016
Get Started Today with Cloud-Ready Contracts | AWS Public Sector Summit 2016
Amazon Web Services1.4K views

Recently uploaded

The Forbidden VPN Secrets.pdf by
The Forbidden VPN Secrets.pdfThe Forbidden VPN Secrets.pdf
The Forbidden VPN Secrets.pdfMariam Shaba
20 views72 slides
Piloting & Scaling Successfully With Microsoft Viva by
Piloting & Scaling Successfully With Microsoft VivaPiloting & Scaling Successfully With Microsoft Viva
Piloting & Scaling Successfully With Microsoft VivaRichard Harbridge
13 views160 slides
Five Things You SHOULD Know About Postman by
Five Things You SHOULD Know About PostmanFive Things You SHOULD Know About Postman
Five Things You SHOULD Know About PostmanPostman
38 views43 slides
Future of Indian ConsumerTech by
Future of Indian ConsumerTechFuture of Indian ConsumerTech
Future of Indian ConsumerTechKapil Khandelwal (KK)
24 views68 slides
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院 by
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院IttrainingIttraining
69 views8 slides
Kyo - Functional Scala 2023.pdf by
Kyo - Functional Scala 2023.pdfKyo - Functional Scala 2023.pdf
Kyo - Functional Scala 2023.pdfFlavio W. Brasil
418 views92 slides

Recently uploaded(20)

The Forbidden VPN Secrets.pdf by Mariam Shaba
The Forbidden VPN Secrets.pdfThe Forbidden VPN Secrets.pdf
The Forbidden VPN Secrets.pdf
Mariam Shaba20 views
Piloting & Scaling Successfully With Microsoft Viva by Richard Harbridge
Piloting & Scaling Successfully With Microsoft VivaPiloting & Scaling Successfully With Microsoft Viva
Piloting & Scaling Successfully With Microsoft Viva
Five Things You SHOULD Know About Postman by Postman
Five Things You SHOULD Know About PostmanFive Things You SHOULD Know About Postman
Five Things You SHOULD Know About Postman
Postman38 views
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院 by IttrainingIttraining
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ... by Jasper Oosterveld
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N... by James Anderson
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
James Anderson126 views
"Running students' code in isolation. The hard way", Yurii Holiuk by Fwdays
"Running students' code in isolation. The hard way", Yurii Holiuk "Running students' code in isolation. The hard way", Yurii Holiuk
"Running students' code in isolation. The hard way", Yurii Holiuk
Fwdays24 views
STKI Israeli Market Study 2023 corrected forecast 2023_24 v3.pdf by Dr. Jimmy Schwarzkopf
STKI Israeli Market Study 2023   corrected forecast 2023_24 v3.pdfSTKI Israeli Market Study 2023   corrected forecast 2023_24 v3.pdf
STKI Israeli Market Study 2023 corrected forecast 2023_24 v3.pdf
Igniting Next Level Productivity with AI-Infused Data Integration Workflows by Safe Software
Igniting Next Level Productivity with AI-Infused Data Integration Workflows Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Safe Software317 views
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f... by TrustArc
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc72 views
STPI OctaNE CoE Brochure.pdf by madhurjyapb
STPI OctaNE CoE Brochure.pdfSTPI OctaNE CoE Brochure.pdf
STPI OctaNE CoE Brochure.pdf
madhurjyapb14 views
"Surviving highload with Node.js", Andrii Shumada by Fwdays
"Surviving highload with Node.js", Andrii Shumada "Surviving highload with Node.js", Andrii Shumada
"Surviving highload with Node.js", Andrii Shumada
Fwdays33 views
Future of AR - Facebook Presentation by Rob McCarty
Future of AR - Facebook PresentationFuture of AR - Facebook Presentation
Future of AR - Facebook Presentation
Rob McCarty22 views
Special_edition_innovator_2023.pdf by WillDavies22
Special_edition_innovator_2023.pdfSpecial_edition_innovator_2023.pdf
Special_edition_innovator_2023.pdf
WillDavies2218 views

EIC 2014 Oasis Workshop: Using XACML to implement Privacy by Design

  • 1. 1 Implementing Privacy Using the OASIS XACML Standard to implement privacy using attribute- based access control Externalizing Authorization Introduction to XACML XACML & Privacy © 2014 Axiomatics AB Customer use cases
  • 2. 2 Externalizing Authorization Next Generation Authorization Attribute Based Access Control © 2014 Axiomatics AB
  • 3. Authentication & Authorization © 2014 Axiomatics AB 3 Authentication: Determine who the user is Authorization: Determine what the user can do
  • 4. © 2014 Axiomatics AB 4 AuthZ Business- driven Operation- driven Compliance -driven
  • 5. Examples  Business-driven  Finance: A junior teller can approve transactions up to 1,000 USD.  Healthcare: A senior nurse can edit the notes of a medical record.  Operations-driven  Finance: No one can approve transactions between 5pm and 9am.  Healthcare: No one can print a medical record from home.  Compliance-driven  Finance: a trader cannot approve a trade order he created (segregation of duty)  Healthcare: mask the social security number on the X-ray print-out © 2014 Axiomatics AB 5 This is where privacy fits in.
  • 6. Privacy-enabling authorization: requirements  A bank customer wants their account information to be available to bank staff.  So long as their access is motivated by services they provide the customer  The customer doesn’t want bank staff to access the data for other reasons  E.g. gossip  For privacy, CONTEXT IS KEY.  A staff member viewing a record may be aligned with privacy requirements on Monday…  But violating them on Tuesday.  How do existing authorization frameworks cater for context?  They don’t  We need to look for a new framework or model? © 2014 Axiomatics AB 6
  • 7. Challenges with existing authorization solutions  User-centric only  Software-specific  Static  Lack of visibility  difficult to audit the system  Cannot cater for context  Cannot evolve to meet new business needs  Expensive  Developers don’t like it © 2014 Axiomatics AB 7
  • 8. The need for next-generation authorization © 2014 Axiomatics AB 8 External from applications •Decouple business logic implementation from authorization logic Standards-based •OASIS XACML: eXtensible Access Control Markup Language Fine-grained •It’s not just about who the user is, it’s about who, what, when, where, why, and how Context-aware •Context matters: time of day, device, purpose of use… Attribute-based Access Control (ABAC)
  • 9. Implement privacy with Attribute-based access control © 2014 Axiomatics AB 9 Doctors should be able to view the records of patients assigned to their unit and edit the records of those patients with whom they have a care relationship Privacy by design: ONLY authorized persons can access/update the record
  • 10. ABAC takes multiple factors into account  Not just users and roles… … but also attributes reflecting the business process and context  Policies define precise access rules…. … which are dynamically enforced in real-time © 2014 Axiomatics AB 10 WHO WHAT WHERE WHEN WHY HOW It’s not just about but also and
  • 11. Attribute-Based Access Control © 2014 Axiomatics AB User Attributes Policies Example: Doctors can open & edit a patient’s health record in the hospital emergency room between 5PM and 8 AM. Action Resource Context Read more here: csrc.nist.gov/projects/abac/
  • 12. Externalized Authorization Management Benefits  User-, Resource-, Relationship-centric: *-based access control  Standards-based, generic: implemented on top of OASIS XACML  Dynamic: adapt to change and context  Centrally managed authorization: all authorization policies are in one place  Context is one of the parameters: take time, location and device into account  Adapts to new requirements: authorization policies can grow independently  Reusable, cost-effective: write once, enforce everywhere  Easy on developers: developers no longer need to worry about authorization. © 2014 Axiomatics AB 12
  • 13. 13 An introduction to XACML OASIS XACML: eXtensible Access Control Markup Language © 2014 Axiomatics AB
  • 14. What is XACML?  Pronunciation  eXtensible Access Control Markup Language  OASIS standard  V 3.0 approved in January 2013  V 1.0 approved in 2003 (11 years ago!)  XACML is expressed as  A specification document and  An XML schema  http://www.oasis-open.org/committees/xacml/ © 2014 Axiomatics AB 14
  • 15. What does XACML contain? © 2014 Axiomatics AB 15 XACML Reference Architecture Policy Language Request / Response Protocol
  • 16. The XACML Architecture & Flow © 2014 Axiomatics AB Decide Policy Decision Point Manage PolicyAdministration Point Support Policy Information Point Policy Retrieval Point Enforce Policy Enforcement Point Access Doc. #123 Can Alice access Document #123? Yes, Permit Load XACML policies Retrieve user role, clearance and document classification Access Doc. #123
  • 17. Where do I protect?  Choose a broad protection  At the API level  At the database level © 2014 Axiomatics AB 17 Database Tier DB API & Business Tier (Web Services, REST…) Presentation tier (Portals)
  • 18. Sample XACML Policy © 2014 Axiomatics AB 18 Root Policy Set PolicySet Policy Rule Effect=Permit Rule Effect = Deny PolicySet Policy Rule Effect = Permit
  • 19. 19 XACML & Privacy Using XACML to implement various privacy regulations © 2014 Axiomatics AB
  • 20. XACML profiles on privacy  Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of XACML for Healthcare (link)  This profile provides a cross-enterprise security and privacy profile that describes how to use XACML to provide privacy policies and consent directives in an interoperable manner.  Cross-Enterprise Security and Privacy Authorization (XSPA) profile of XACML v2.0 for Healthcare, Implementation Examples (link)  This profile takes HL7 examples and converts to XACML  Privacy policy profile of XACML v2.0  Based on the Organization of Economic Cooperation and Development (1980) privacy guidelines  Other regulations on data protection (not specific to privacy)  XACML Intellectual Property Control (IPC) Profile  XACML 3.0 Export Compliance-US (EC-US) Profile © 2014 Axiomatics AB 20
  • 21. HL7 Security and Privacy Ontology Use Cases © 2014 Axiomatics AB 21 /* * Access Control Based on Category of Action * Access to progress notes */ policy progressNotes{ target clause objectType=="progress note" apply firstApplicable /* * A primary physician can create a patient's progress note */ rule createNote{ target clause role=="physician" and action=="create" condition primaryPhysician==requestorId permit } } link (the above is ALFA – a XACML pseudo-code. Download ALFA here.)
  • 22. XACML & the 7 Foundational Principles (1/2) © 2014 Axiomatics AB 22 Proactive not Reactive; Preventative not Remedial •XACML defines an architecture enacted at runtime Privacy as the Default Setting •XACML policies enable exact privilege settings Privacy Embedded into Design •IT projects can focus on authorization requirements on the one hand and business requirements on the other •Clear separation of concerns
  • 23. XACML & the 7 Foundational Principles (2/2) © 2014 Axiomatics AB 23 Full Functionality — Positive- Sum, not Zero-Sum •XACML is a business enabler •It allows for data to be securely shared •XACML helps deliver new services End-to-End Security — Full Lifecycle Protection •XACML policies evolve with the data they protect •XACML policies can adapt to regulatory change Visibility and Transparency — Keep it Open •XACML policies are centrally managed and can be easily audited •XACML policies mirror business requirements closely Respect for User Privacy — Keep it User-Centric •XACML policies focus on the entire picture: from who is accessing the data to the relationships to the purpose of use…
  • 24. Privacy by Design:Trilogy of Applications & XACML © 2014 Axiomatics AB 24 Information Technology Accountable Business Practices Physical Design Watch Ann Cavoukian on the Trilogy of Applications. XACML promotes a well-defined architecture XACML policies map closely to business requirements
  • 25. XACML enables the positive-sum  Example: medical records  Medical records used to be stored in a physical location at the doctor’s office.  Security was there by default: it is hard to access information stored in a file cabinet  Today: new consumer & medical patterns emerge  Let patients browse their medical data online  Share data with other medical actors (hospitals, specialists, pharmacies…) and non- medical actors (insurance companies…)  The promise: deliver better care  XACML, as an IT security artefact, can help go from high-level privacy designs to technical implementations © 2014 Axiomatics AB 25
  • 26. Key take-aways  Privacy is more about controlled information sharing than the prevention thereof  XACML enables secure information sharing  The privacy headache will explode once the new EU regulation becomes reality  industries will need a means to quickly and efficiently implement privacy. XACML is the way to go on a technical level  Privacy is not just about compliance, it’s also about  Brand  Reputation, and  Trust.  A key challenge is that privacy is a human concept. XACML bridges the gap between human & business requirements and technical implementations © 2014 Axiomatics AB 26
  • 27. 27 Customer Implementations Examples from the world of finance, healthcare, and pharmaceutical © 2014 Axiomatics AB
  • 28. Norwegian bank (1/2)  Lov om behandling av personopplysninger (personopplysningsloven | link)  Datatilsynet (Norwegian Data Protection Authority) requires:  that bank clients should be able to demand exact records of which staff member accessed their account details or other privacy sensitive data and when this happened  that the bank must ensure that only staff members with a purpose of use motivated by tasks performed in the course of their professional duties access sensitive data. The bank must be able to investigate any suspicions that this rule is being violated by staff members.  that the bank duly considers the risk assessment mandates of the legislation must be recognized (for instance with regard to VIP accounts or accounts of citizens with a protected identity due to witness protection etc.)  The project used XACML to implement fine-grained access control in conformance with privacy regulations © 2014 Axiomatics AB 28
  • 29. Norwegian bank (2/2) Details  A whitelist is defined: customers have the right to define who can access their data  A blacklist is defined: customer have the right to define who cannot access their data  E.g. relatives…  Common rules are implemented  Only employees in a given branch can view customer data from that branch  Exception handling and flags are implemented  All access to data is logged for future accountability © 2014 Axiomatics AB 29
  • 30. Swedish National Healthcare  Project driven by the Swedish Medical Care Advice Service  Goal: comprehensive IT-solution for electronic patient record management  Uniform technical choices for future security services  Excerpt from the general goals for BIF services  Provide access to authorized personnel  Protect sensitive patient data against unauthorized access  Functional requirements  Strong emphasis on standard based approaches  E.g. XACML shall be used for access control  World’s largest deployment of XACML yet © 2014 Axiomatics AB 30
  • 31. Swedish National Healthcare: access control rules  At the medical center level  Only doctors that belong to the given medical center can see records of patients from that medical center  At the district level  Only doctors that belong to the given district can see records of patients from that district  Patients can define their own policies: patient-defined disclosure policies (pddp)  At the top level – the organization  Patients need to provide an additional consent form for their data to be disclosed  An emergency plan provides for exceptional policies to override patient-defined rules
  • 32. Northern Spain Hospitals CancerTreatment (1/2)  BEinGRID: EU-funded development of Business Models for the Grid Industry.  Healthcare business use case  Provide new compute intensive radiotherapy tools to hospitals remotely  Challenge: A new treatment needs several hours or days.  Goal: drive down the time it takes to design radiotherapy treatments  Privacy?  Radiotherapy records contain Personal Health Information (PHI) that must be stripped before the records can be sent to the super computers  Read more  Link © 2014 Axiomatics AB 32
  • 33. Northern Spain Hospitals CancerTreatment (2/2) © 2014 Axiomatics AB 33 Security GWHOSPITAL Policy Server TREATMENT SERVICES Policies DB PDP Web Service getRole verify optimize commissioning verify 1 2 3 4 5 6 PDP PEP
  • 34. US Pharmaceutical  Goal: share medical information (clinical trials, molecule…) with partners, contractors, universities, and authorities  Privacy?  Clinical trials contain highly sensitive PHI.  For the customer the alternative is not sharing the data at all to avoid breaches & fines. © 2014 Axiomatics AB 34
  • 35. More examples here at EIC 2014  Drivers and Lessons learned from a Recent ABAC Implementation at Generali  Manuel Schneider, Generali  14.05.2014 14:30-15:30  ABAC - Visions and Reality  Finn Frisch, Axiomatics  14.05.2014 14:30-15:30  Dynamic Authorization Management: The Market and its Future  Graham Williamson  14.05.2014 12:00-13:00  RBAC, ABAC, or Both?  Panel  14.05.2014 12:00-13:00 © 2014 Axiomatics AB 35
  • 36. © 2014 Axiomatics AB 36 Thank you.