Marco Casassa Mont

Sticky Policies: An Approach for Managing Privacy across Multiple Parties

Machine-readable policies can stick to data to define allowed usage and obligations as it travels across multiple parties, enabling users to improve control over their personal information. The EnCoRe project has developed such a technical solution for privacy management that is suitable for use in a broad range of domains.

Dealing with Privacy Obligations: Important Aspects and Technical Approaches

The management and enforcement of privacy obligations is a challenging task: it involves legal, organizational, behavioral and technical aspects. This area is relevant for enterprises and government agencies that deal with personal identity information. Privacy and data protection laws already regulate some of the related aspects. Technical work has been done for the management of obligations subordinated to authorization aspects and simple data retention obligations: however, dealing with ongoing and long-term aspects of obligations is still a green field and open to research. This paper explores and analyses the explicit management of privacy obligations for identity information. It focuses on technical aspects even if the problem cannot be solved only by deploying technological solutions. Mechanisms are required to represent, manage, monitor and enforce obligation policies in complex and heterogeneous environments. Our research is work in progress: we illustrate some of our technical work and investigations in this space.

A flexible role-based secure messaging service: exploiting IBE technology for privacy in health care

The management of private and confidential information is a major problem for dynamic organizations. Secure solutions are needed to exchange confidential documents, protect them against unauthorized accesses and cope with changes of peoples roles and permissions. Traditional cryptographic systems and PKI show their limitations, in terms of flexibility and manageability. This paper describes an innovative technical solution in the area of secure messaging that exploits identifier-based encryption (IBE) technology. It illustrates the advantages against a similar approach based on traditional cryptography and PKI. It discusses a few open issues. Our main contribution is a practical solutions based on IBE technology. A secure messaging system based on IBE has been fully implemented and it is currently used in a trial with a UK health service organization.

Privacy policy enforcement in enterprises with identity management solutions

People are usually asked by enterprises to disclose their personal information to access web services and engage in business interactions. Enterprises need this information to enable their business processes. This is unlikely to change, at least in the foreseeable future. When collecting personal data, enterprises must satisfy privacy laws and policies along with addressing peoples expectations on how their data should be handled. Currently much is done by means of manual processes, in particular in terms of privacy enforcement: these processes are prone to mistakes and hard to comply with. Automation can help enterprises to deal with these privacy management issues, in particular the enforcement of privacy policies on collected personal data. Enterprises have already been investing in identity management solutions: they require that approaches to automate privacy management should keep into account and leverage these solutions. This paper discusses our research and development work to automate the enforcement of privacy policies in enterprises. Our model of privacy policy enforcement is introduced along with the technical details of a related prototype, integrated (as a proof of concept) with HP Select Access, a state-of-the-art identity management solution. This technology is currently under productisation. We discuss our current results and next steps.

Persistent and dynamic trust: analysis and the related impact of trusted platforms

This paper reviews trust from both a social and technological perspective and proposes a distinction between persistent and dynamic trust. Furthermore, this analysis is applied within the context of trusted computing technology.

Towards accountable management of privacy and identity information

Digital identities and profiles are valuable assets: they are more and more relevant to allow people to access services and information on the Internet. They need to be secured and protected. Unfortunately people have little control over the destiny of this information once it has been disclosed to third parties. People rely on enterprises and organizations for its management. In most cases this is a matter of trust. This paper describes an approach to make organizations more accountable, provide strong but not impregnable privacy enforcement mechanisms and allow users to be more involved in the management of the privacy of their confidential information. As part of our ongoing research, we introduce a technical solution based on ”sticky” privacy policies and tracing services that leverages Identifier-based Encryption (IBE) along with trusted platform technologies such as TCPA (TCG) and Tagged Operating Systems. Work is in progress to prototype this solution.

End-to-End Policy-Based Encryption and Management of Data in the Cloud

This paper introduces and discusses a data management solution to provide accountability within the cloud as well as addressing privacy issues. The central idea is as follows: Customers allow cloud (service) providers to have access to specific data based on agreed policies and by forcing interactions with interchangeable independent third parties called Trust Authorities. The access to data can be as fine-grained as necessary, based on policy definitions, underlying encryption mechanisms (supporting the stickiness of policies to the data) and a related key management approach that allows (sets of) data attribute(s) to be encrypted specifically based on the policy. Access to data is mediated by a Trust Authority that checks for compliance to policies in order to release decryption keys. By these means users can be provided with fine-grained control over access and usage of their data within the cloud, even in public cloud models.

Dealing with Privacy Obligations in Enterprises

This paper focuses on the problem of dealing with privacy obligations in enterprises. Privacy obligations dictate expected behaviours, tasks and constraints that must be satisfied when handling personal and confidential data. This includes being compliant with data retention policies and satisfying constraints dictated by customers’ opt-in and opt-out choices.

A Conceptual Model for Privacy Policies with Consent and Revocation Requirements

This paper proposes a conceptual model for privacy policies that takes into account privacy requirements arising from different stakeholders, with legal, business and technical backgrounds. Current approaches to privacy management are either high-level, enforcing privacy of personal data using legal compliance, risk and impact assessments, or low-level, focusing on the technical implementation of access controls to personal data held by an enterprise. High-level approaches tend to address privacy as an afterthought in ordinary business practice, and involve ad hoc enforcement practices; low-level approaches often leave out important legal and business considerations focusing solely on technical management of privacy policies. Hence, neither is a panacea and the low level approaches are often not adopted in real environments. Our conceptual model provides a means to express privacy policy requirements as well as users’ privacy preferences. It enables structured reasoning regarding containment and implementation between various policies at the high level, and enables easy traceability into the low-level policy implementations. Thus it offers a means to reason about correctness that links low-level privacy management mechanisms to stakeholder requirements, thereby encouraging exploitation of the low-level methods. We also present the notion of a consent and revocation policy. A consent and revocation policy is different from a privacy policy in that it defines not enterprise practices with regards to personal data, but more specifically, for each item of personal data held by an enterprise, what consent preferences a user may express and to what degree, and in what ways he or she can revoke their personal data. This builds on earlier work on defining the different forms of revocation for personal data, and on formal models of consent and revocation processes. The work and approach discussed in this paper is currently carried out in the context of the UK collaborative project EnCoRe (Ensuring Consent and Revocation).

On identity assurance in the presence of federated identity management systems

In this paper we address the appropriate management of risk in federated identity management systems by presenting an identity assurance framework and supporting technologies. We start by discussing the risk mitigation framework that should be part of any identity assurance solution. We then demonstrate how our model based assurance technologies can be used to report success of an identity assurance programme. We discuss how this approach can be used to gain trust within a federated identity management solution both by communicating the nature of the assurance framework and that risks are successfully being mitigated. Finally, we show the importance of automation of controls in easing operational costs (and we describe related approaches developed at HP Labs and PRIME project); providing improved audit information and changing the risk mitigation landscape.