Added: September 19, 2007. License: All Rights Reserved.

Presentation Transcript

Privacy Topics for TAMI/PORTIA Conference
Calvin Powers, cspowers@us.ibm.com

Topics: Encryption At Rest

California Bill SB 1386
This bill, operative July 1, 2003, would require a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Similar laws are being considered at the Federal level.

Motivation for SB 1386
http://www.nwfusion.com/news/2005/0408stolelapto.html?nl

The Bottom Line
Unencrypted data in database files on a hard drive falls under the notification requirements of SB 1386.
The legal assumption is that data can be accessed directly from the files even when the DB software is not running.
Persisted personal information in database tables must be encrypted.
The Challenge: doing this while minimizing the disruption to existing infrastructure.
The Challenge: key management is always the biggest impediment to encryption use.

Topics: Sticky Policy Paradigm

Relating Policies To Database Schema

How Bad Things Happen To Data

The 'Sticky Policy Paradigm'
Challenge: How can we do this for all repositories and all types of data flow, and not be completely disruptive? We can assume non-malicious environments.

Topics: Purpose Based Access Control

'Purpose of Usage' is a new element in policy
In the past: 'Members of the marketing dept. are allowed to query the accounting database.'
Today: 'Members of the marketing dept. are permitted to see an individual's credit score for the purpose of developing a new loan product only if the individual provides explicit authorization.'

Break Down the Policy Into Key Concepts
From the human-readable policy, start identifying the Groups, Purposes and PII types.
Sharing of information with third parties
Partners: When you buy something from us we may share your name and mailing address with a few carefully selected marketing partners, except for our customers who reside in the states of Vermont and California. When you place your order you will be given a clearly labeled opportunity to opt out of sharing this information. We will never share any telephone numbers, e-mail addresses, or financial information you have given us with any marketing partners.
Credit card companies and Shippers: When you buy something from us we send your credit card information, name, billing address, and the amount of your purchase to your credit card company to verify and authorize your purchase. Your name, telephone number, and shipping information must be provided to third party shippers to deliver your purchase.
In this policy, the Groups are given in generalized terms, as 'us' and 'we'.

Creating Policy Rules From the Key Concepts
After identifying the basic pieces of the policy statements, we can start to form the policy statements. We can break the text down into 3-4 policy statements that have a structured form.
Widget's Billing Department will use credit card and address information to charge your credit card for the purchases you made.
Widget's Shipping Department will use your address information to ship your order.
If you opt in, Widget's Shipping Department will use your e-mail address to notify you of your order's shipment status.
Widget's Marketing Department will share your name and mailing address with selected marketing partners unless you opt out or if you live in Vermont or California.

Please Note
'Purposes' are not 'roles'! They are more transaction/unit-of-work oriented. The issue is not 'what label(s) are attached to your credential' but 'what unit of work are you doing with my data.'
Challenge: How can we determine 'at run time' what the purpose of a data access or usage is (in an efficient way)?

Topics: Expression of Policies

The Privacy Place Research on Semantic Analysis of Privacy Policies
'Mining Rule Semantics to Understand Legislative Compliance', T. D. Breaux and A. I. Antón. Accepted to: ACM Workshop on Privacy in Electronic Society (WPES'05), NCSU CSC Technical Report #TR-2005-31, Alexandria, Virginia, USA, 2005. http://www.theprivacyplace.org/papers/TR_2005-31.pdf
'Analyzing Goals for Rights, Permissions and Obligations', T. D. Breaux and A. I. Antón. In Proceedings of the 13th IEEE International Conference on Requirements Engineering (RE'05), NCSU CSC Technical Report #TR-2005-08, Paris, France, 2005. http://www.theprivacyplace.org/papers/TR_2004-36.pdf
'Deriving Semantic Models from Privacy Policy Goals', T. D. Breaux and A. I.
Antón. In Proceedings of the 6th IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'05), NCSU CSC Technical Report #TR-2004-36, Stockholm, Sweden, 2005. http://www.theprivacyplace.org/papers/TR_2004-36.pdf
http://www.theprivacyplace.org

Semantics of Business Vocabulary and Business Rules (SBVR)
This specification defines the vocabulary and rules for documenting the semantics of business vocabulary, business facts, and business rules, as well as an XMI schema for the interchange of business vocabularies and business rules among organizations and between software tools.

Why SBVR?
Natural language text representation: precise, yet reads like natural language text. Important for review by policy makers and subject matter experts for domains. Uses the same vocabulary to express domain models and policies on domains. Incorporates the notion of community vocabularies and domains of knowledge.
Machine interpretable expression: XML/XMI representation of statements, for further transformation into IT domain artifacts. Establishes linkage between the 'policy' world and the 'IT world'.
Challenge: Can SBVR be used to express all the concepts we need for privacy policies?

Topics: Discovering Risks With Process Modeling

Data Flow and Data Protection in the JetBlue Case
Lesson: How do we make sure that data protection requirements flow with the data as it is disclosed across organizational boundaries?
See 'The Complexity Underlying JetBlue's Privacy Policy Violations' <http://www.theprivacyplace.org/papers/tr_2003_21.pdf>

Composite Apps Increase the Risk of Data Theft
Time Warner lost tapes containing Social Security numbers for over 600,000 employees while in transit to off-site archival facilities.
See 'After Data Losses Like Time Warner's, Companies Need To Rethink Tape-Storage Security' <http://www.informationweek.com/shared/printableArticle.jhtml?articleID=162101437>
City National Bank of Los Angeles, California also lost two tapes containing sensitive data, including Social Security numbers and other customer account information. See 'Iron Mountain Loses More Tapes' <http://www.informationweek.com/shared/printableArticle.jhtml?articleID=165701015>
In April 2005, a laptop computer containing the names and Social Security numbers of about 16,500 current and former employees of MCI was stolen. See 'MCI: Employee Data Was On Stolen Laptop' <http://www.nytimes.com/reuters/business/business-telecoms-mci-theft.html>
A medical group in San Jose, California acknowledged that two computers were stolen from the organization's offices from behind locked doors. These computers contained information about 185,000 people, including Social Security numbers and confidential medical information. See 'Stolen laptops contain medical info on 185,000 patients' <http://www.networkworld.com/news/2005/0408stolelapto.html?nl>
Types of data being stolen:
Identity information (information used in identity theft activities, especially SSNs, individual financial account information, etc.)
Bill of materials data for sensitive technology products that can't be shared with rogue countries.
Trade secret information (formulary information, source code, etc.)
Lesson: Hindsight is 20/20. Why didn't anyone detect these security exposures before they happened? How do you evaluate the potential risk of customer information on a tape in transit through a courier service? More important: how do you even make sure you think about evaluating the risk?

Problem: How Can I Ensure Customer Information Is Protected?
Objectives: Customer data must always be encrypted with 56 bit keys or stronger when persisted.
The following text must be in all agreements with business partners if they receive customer information: 'Lorem ipso foer tyr wuz de ramas cora dola tym ipso hor. Lorem ipso foer tyr wuz de ramas cora dola tym ipso hor tyr wuz de ramas cora dola tymon ipso foer tyr wuz de ramas cora dola tymo. Lorem ipso hoccer foer tyr wuz de ras cora dola tymon ipso hoc cer fuz de ramas cora dola tymon ipso hoccer. Lorem ipso foer tyr wuz de ramas cora dola tym ipso hor. . .'

Create a Policy Artifact in the Modeling Tool
-- persisted customer info encrypted with 56 bit keys or stronger?
-- customer info protection clause in agreements with business partners?
This policy has two policy artifacts in it which must be implemented in all business processes which handle customer information.

Attach the Policy To The Customer Information
The policy would be attached to the customer information at the point it enters the company. This association of policy to business object is a type of classification.

Policy Flows with Data Automatically
The tool could understand how fields from the order request are propagated to other business items in the flow.

Policy Attachment Flows to Sub-processes
The policy-attached business item from the overall process would get propagated to the flows in the sub-process. The tool knows that OrderInfo objects stored in the shared database have this policy associated with them.

Policy Attachment Flows Out Of Database
The tool knows that OrderInfo objects flowing out of the database have the policy attached to them.
What's Next
Policy-attached data is now mapped through the process. Each process and activity can be evaluated against the policy artifacts.

Documentation About Policy Compliance Is Collected (1)

Documentation About Policy Compliance Is Collected (2)
The owner of each activity would be prompted to document how policy artifacts are implemented (or at least state that they are not applicable).
-- persisted customer info encrypted with 56 bit keys or stronger?
A: DB2 table level encryption configuration has been set to x, y, and z to provide the necessary level of encryption. See XXX in Tivoli Configuration Manager for more details.
-- customer info protection clause in agreements with business partners?
A: Business Partners do not have access to this database.
-- Signed, Alice Jones, Database Administrator

Documentation About Policy Compliance Is Collected (3)

Process Summary Report To Create Big Picture View
Process Summary as of September 19, 2005
Order Fulfillment Process
  Update Order Information Activity (Customer Info Protection Policy)
    Q: persisted customer info encrypted with 56 bit keys or stronger?
    A: No customer information is persisted in this Activity.
    Q: Customer info protection clause in agreements with business partners?
    A: No customer information is disclosed to business partners in this step.
    Reported and signed by Bob Smith, Order Fulfillment Manager
  Place Supplier Order Activity: No Information Available
  Place Carrier Order Activity: No Information Available
  Order Information Database
    Q: persisted customer info encrypted with 56 bit keys or stronger?
    A: DB2 table level encryption configuration has been set to x, y, and z to provide the necessary level of encryption. See XXX in Tivoli Configuration Manager for more details.
    Q: Customer info protection clause in agreements with business partners?
    A: Business Partners do not have access to this database.
    Reported and signed by Alice Jones, Database Administrator
Order Archival Process
  Extract Orders Older Than 2 Years Activity: No Information Available
  Create Archival Tape Activity: No Information Available
  Tape Storage Service (Customer Info Protection Policy)
    Q: persisted customer info encrypted with 56 bit keys or stronger?
    A: Customer information is NOT encrypted when written to tape!
    Q: Customer info protection clause in agreements with business partners?
    A: Yes. See business partner agreement with Iron Mountain, Document 12-3456-B, last revision January 1, 2005.
    Reported and signed by Charlie Davis, Archival Administrator

Summary
Process model tools can understand data flow.
Policy should be attached to data, not systems.
Tools should track the policy-attached data through all processes, activities, and services. It is difficult for people to understand the flow and track the data.
Each activity owner should be responsible for documenting the policy artifact implementation for the processes, activities, and services he/she owns.
Policy artifacts which aren't implemented should be flagged as risk items for analysis, prioritization, and remediation.
'Roll up' reports should summarize the current state of policy implementation for the processes.
Challenge: How can this be done in an automated way or with minimal work effort? If automated, how are the policy requirements expressed?
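The propagation and roll-up that the process-modeling slides and the Summary describe, as an added example that is not the presentation's or any IBM tool's code: a process model whose flows carry business items, a policy attached to customer information where it enters the company, propagation along derived items into the shared database, the archival sub-process and the tape service, and a roll-up that flags unimplemented and unreported artifacts as risk items. Activity, database and attestation names follow the slides' summary report; 'Receive Order', 'Inventory Check', the item names and the status vocabulary are this example's assumptions.

```python
from collections import deque
from dataclasses import dataclass, field

# The two policy artifacts from the "Create a Policy Artifact" slide.
ARTIFACTS = ("encrypt_at_rest", "partner_clause")
# Business items derived from a tagged item inherit its policy (the tool "understands
# how fields from the order request are propagated"). Item names are constructed.
DERIVED_FROM = {"OrderInfo": "OrderRequest", "ArchiveBatch": "OrderInfo"}

def carries_policy(item, tagged_item):
    """True if item is tagged_item or was derived from it, transitively."""
    while item is not None:
        if item == tagged_item:
            return True
        item = DERIVED_FROM.get(item)
    return False

@dataclass
class Node:
    process: str
    owner: str = "unknown"
    # artifact -> (status, note) as reported by the activity owner; status is
    # "implemented", "not_applicable" or "not_implemented". No entry: nobody reported.
    attestation: dict = field(default_factory=dict)

@dataclass
class ProcessModel:
    nodes: dict   # name -> Node
    flows: list   # (source, target, data item) edges, sub-process flows included

    def reach(self, entry, tagged_item):
        """Every node the tagged data, or anything derived from it, flows through."""
        seen, queue = {entry}, deque([entry])
        while queue:
            cur = queue.popleft()
            for src, dst, item in self.flows:
                if src == cur and dst not in seen and carries_policy(item, tagged_item):
                    seen.add(dst)
                    queue.append(dst)
        return seen

def roll_up(model, entry, tagged_item):
    """Artifact status for each in-scope node, plus risk items: artifacts reported
    as not implemented or never reported at all ('No Information Available')."""
    report, risks = {}, []
    for name in sorted(model.reach(entry, tagged_item)):
        node = model.nodes[name]
        rows = {}
        for art in ARTIFACTS:
            status, note = node.attestation.get(art, ("no_information", "No Information Available"))
            rows[art] = (status, note)
            if status in ("not_implemented", "no_information"):
                risks.append((node.process, name, art, status))
        report[name] = {"process": node.process, "owner": node.owner, "artifacts": rows}
    return report, risks

def sample_model():
    # The processes and attestations of the slides' summary report; "Receive Order"
    # (where customer information enters) and "Inventory Check" are constructed.
    na = lambda note: ("not_applicable", note)
    nodes = {
        "Receive Order": Node("Order Fulfillment", "Bob Smith",
            {"encrypt_at_rest": na("not persisted"), "partner_clause": na("not disclosed")}),
        "Update Order Information": Node("Order Fulfillment", "Bob Smith",
            {"encrypt_at_rest": na("No customer information is persisted in this Activity"),
             "partner_clause": na("No customer information is disclosed to business partners")}),
        "Place Supplier Order": Node("Order Fulfillment"),
        "Place Carrier Order": Node("Order Fulfillment"),
        "Order Information Database": Node("Order Fulfillment", "Alice Jones",
            {"encrypt_at_rest": ("implemented", "DB2 table level encryption configured"),
             "partner_clause": na("Business Partners do not have access to this database")}),
        "Inventory Check": Node("Order Fulfillment", "Bob Smith"),  # never sees customer data
        "Extract Orders Older Than 2 Years": Node("Order Archival"),
        "Create Archival Tape": Node("Order Archival"),
        "Tape Storage Service": Node("Order Archival", "Charlie Davis",
            {"encrypt_at_rest": ("not_implemented", "NOT encrypted when written to tape"),
             "partner_clause": ("implemented", "Business partner agreement with Iron Mountain")}),
    }
    flows = [
        ("Receive Order", "Update Order Information", "OrderRequest"),
        ("Receive Order", "Inventory Check", "SkuList"),
        ("Update Order Information", "Order Information Database", "OrderInfo"),
        ("Update Order Information", "Place Supplier Order", "OrderInfo"),
        ("Update Order Information", "Place Carrier Order", "OrderInfo"),
        ("Order Information Database", "Extract Orders Older Than 2 Years", "OrderInfo"),
        ("Extract Orders Older Than 2 Years", "Create Archival Tape", "ArchiveBatch"),
        ("Create Archival Tape", "Tape Storage Service", "ArchiveBatch"),
    ]
    return ProcessModel(nodes, flows)

if __name__ == "__main__":
    report, risks = roll_up(sample_model(), "Receive Order", "OrderRequest")
    for name, entry in report.items():
        print(f"{entry['process']} / {name} ({entry['owner']})")
        for art, (status, note) in entry["artifacts"].items():
            print(f"    {art}: {status} - {note}")
    print(f"\n{len(risks)} risk items for analysis, prioritization and remediation:")
    for process, name, art, status in risks:
        print(f"    {process} / {name}: {art} is {status}")
```

On the sample model the roll-up lists eight activities in scope (Inventory Check never receives customer data) and nine risk items: the four undocumented activities and the unencrypted tape.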
Topics: Hippocratic Database Technology

Slide 35: HDB Active Enforcement
Database Powered by HDB. 'Give me the names, incomes & addresses of your clients.' 'I can only disclose incomes & addresses of clients who have given consent.'

Slide 36 (architecture diagram): Installation (Policy Parser); Negotiation (User Preferences and Policy Matching); Enforcement (Database Query Interface); Policy Metadata; User Data; Database Powered by HDB; HDB Active Enforcement.

Enforcement: Value Proposition
Ease of integration: the implementation intercepts and rewrites incoming queries to factor in policy, user choices, and context (e.g. purpose).
Fine-grained: database-enforced disclosure control at cell level of an organization's data policy and user preferences.
Easier enforcement after policy modification: centralized and seamless policy creation and update.
System impact: applications do not require any modification.

Enforcement: Value Proposition (cont'd)
Database agnostic: does not require any change in the database engine.
Reuses current features: rewritten queries benefit from all the optimizations and performance enhancements provided by the underlying engine (e.g. parallelism).
Performance (10 million records):
Worst case: choice selectivity = 1, everyone discloses everything, and query processing yields no value. The penalty is 5-15% of the execution time of the original query.
Standard cases: choice selectivity varies. In the best case, HDB Active Enforcement gives an order of magnitude improvement.

HDB Active Enforcement Core: Cell-Level Policy Enforcement
Example scenario: for a certain user (data accessor) and purpose, name is allowed under the privacy policy; phone and salary are allowed on an opt-in basis.
Slide 40: HDB Active Enforcement Core: Cell-Level Policy Enforcement (cont'd)
Forbidden values are covered by null values in the resulting tables. Results of query: SELECT Name, Phone, Salary FROM Customer

Questions?
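The purpose-based rules from the Widget policy (opt-out, Vermont/California exclusion) and the HDB cell-level scenario on this slide, as one added example that is not HDB's or the presentation's code: a query rewriter in the style the slides describe, which turns SELECT Name, Phone, Salary FROM Customer into CASE expressions joined to a preferences table so that forbidden cells come back as NULL, run against a constructed SQLite dataset. The purpose names, the Preferences table, the rule encoding and the restriction to simple single-table queries are this example's assumptions.

```python
import re
import sqlite3

# Columns of the constructed Customer table; a query naming anything else is rejected.
CUSTOMER_COLUMNS = {"CustomerId", "Name", "Phone", "Salary", "MailingAddress", "State"}

# Disclosure policy per purpose: column -> rule (this example's own encoding):
#   ("allow",)                     always disclosed for this purpose
#   ("opt_in", pref_col)           disclosed only if the customer opted in
#   ("opt_out", pref_col, states)  disclosed unless opted out, or resident of a listed state
#   ("deny",)                      never disclosed; also the default for unlisted columns
POLICY = {
    # The HDB scenario from the slides: name allowed, phone and salary opt-in.
    "customer_service": {
        "CustomerId": ("allow",), "Name": ("allow",), "MailingAddress": ("allow",),
        "State": ("allow",), "Phone": ("opt_in", "PhoneOptIn"), "Salary": ("opt_in", "SalaryOptIn"),
    },
    # Widget's marketing rule: name and mailing address go to partners unless the
    # customer opts out or lives in Vermont or California; phone and financial data never.
    "partner_sharing": {
        "CustomerId": ("allow",), "State": ("allow",),
        "Name": ("opt_out", "MarketingOptOut", ("VT", "CA")),
        "MailingAddress": ("opt_out", "MarketingOptOut", ("VT", "CA")),
        "Phone": ("deny",), "Salary": ("deny",),
    },
}

_QUERY = re.compile(r"^\s*SELECT\s+(.+?)\s+FROM\s+Customer\b(.*)$", re.IGNORECASE | re.DOTALL)
_COLUMN_REF = re.compile(r"\b(" + "|".join(sorted(CUSTOMER_COLUMNS)) + r")\b")

def cell_expr(purpose, column):
    """SQL expression yielding the cell value when policy and the customer's own
    choices permit it for this purpose, and NULL otherwise (CASE without ELSE)."""
    rule = POLICY[purpose].get(column, ("deny",))
    if rule[0] == "allow":
        return f"c.{column}"
    if rule[0] == "opt_in":
        return f"CASE WHEN p.{rule[1]} = 1 THEN c.{column} END"
    if rule[0] == "opt_out":
        states = ", ".join(f"'{s}'" for s in rule[2])
        return f"CASE WHEN p.{rule[1]} = 0 AND c.State NOT IN ({states}) THEN c.{column} END"
    return "NULL"

def rewrite_query(sql, purpose):
    """Rewrite 'SELECT <cols> FROM Customer [WHERE/ORDER BY ...]' so every cell passes
    through cell_expr. Unknown purposes and other query shapes are refused (fail closed)."""
    if purpose not in POLICY:
        raise ValueError(f"unknown purpose {purpose!r}: refusing to run the query")
    m = _QUERY.match(sql)
    if not m:
        raise ValueError("only 'SELECT <columns> FROM Customer ...' is supported")
    columns = [col.strip() for col in m.group(1).split(",")]
    if not all(col in CUSTOMER_COLUMNS for col in columns):
        raise ValueError("select list may only name Customer columns")
    select_list = ", ".join(f"{cell_expr(purpose, col)} AS {col}" for col in columns)
    # The WHERE/ORDER BY tail gets the same substitution: otherwise a predicate such as
    # "WHERE Phone = '555-0101'" would confirm a value the caller may not see.
    tail = _COLUMN_REF.sub(lambda w: "(" + cell_expr(purpose, w.group(1)) + ")", m.group(2))
    return (f"SELECT {select_list} FROM Customer c "
            f"JOIN Preferences p ON p.CustomerId = c.CustomerId{tail}")

def build_database():
    """Constructed sample data: three customers and their opt-in/opt-out choices."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Customer (CustomerId INTEGER PRIMARY KEY, Name TEXT, Phone TEXT,
                               Salary INTEGER, MailingAddress TEXT, State TEXT);
        CREATE TABLE Preferences (CustomerId INTEGER PRIMARY KEY, PhoneOptIn INTEGER,
                                  SalaryOptIn INTEGER, MarketingOptOut INTEGER);
    """)
    db.executemany("INSERT INTO Customer VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "Ann Lee", "555-0100", 70000, "1 Main St", "NY"),
        (2, "Raj Patel", "555-0101", 85000, "2 Oak Ave", "CA"),
        (3, "Mia Chen", "555-0102", 62000, "3 Elm Rd", "VT"),
    ])
    db.executemany("INSERT INTO Preferences VALUES (?, ?, ?, ?)",
                   [(1, 1, 0, 0), (2, 0, 1, 0), (3, 1, 1, 1)])
    return db

def run_query(sql, purpose, db=None):
    """Execute the application's unmodified query under the policy for the given purpose."""
    db = db or build_database()
    return db.execute(rewrite_query(sql, purpose)).fetchall()

if __name__ == "__main__":
    query = "SELECT Name, Phone, Salary FROM Customer ORDER BY Name"
    print(rewrite_query(query, "customer_service"))
    for row in run_query(query, "customer_service"):
        print(row)
```

Ann (phone opt-in only), Raj (salary opt-in only) and Mia (both) get back exactly the cells they consented to, and a WHERE clause on a non-consented phone number matches nothing.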