Privacy Policy Languages: XACML vs EPAL

Anne Anderson, Staff Engineer, Sun Microsystems Labs, Burlington, MA, USA [email protected]

5th Annual Privacy & Security Workshop, 29 October 2004 (cacr.uwaterloo.ca/conferences/2004/isw/slides/Anne...)

Copyright © 2004 Sun Microsystems, Inc. All rights reserved.


Outline

●Privacy policy language context
●XACML overview
●EPAL overview
●Language comparison
●Problem areas
●Conclusions
●Further information


Automated Privacy Policy Enforcement

[Figure, built up over three slides. Labels: Users; Applications; Data/Resources (Files, Equipment, Databases, Other applications...); Access Control; Policy Administrators; Policies; Permit; Deny; Obligations (Audit, Notify, ...)]


Automated Privacy Policy Enforcement

[Figure. Components: PEP (Policy Enforcement Point); PDP (Policy Decision Point); Application Business Logic; policies; data/resources. Message labels: access request; response; decision request; decision + obligations; attributes]

PEP:
- access interception
- decision enforcement
- obligation fulfillment


Privacy/Access Control Policies

●Who - user identities or roles
●What - resources or data
●How - actions
●Why - purpose/context
●Conditions - under which allowed or denied
●Obligations - if allowed or denied


Privacy/Access Control Policies

Two candidate languages

●XACML: OASIS eXtensible Access Control Markup Language Standard

●EPAL: IBM Enterprise Privacy Authorization Language


XACML Overview (1)

●eXtensible Access Control Markup Language

●OASIS Access Control Technical Committee (TC)

●OASIS Standard, February 2003

●Publicly available and open source implementations (Java*, C++, C#)

* Java (TM) programming language


XACML Overview (2)

●Works with OASIS Security Assertion Markup Language (SAML)

●Version 2.0 out for public review

● “Privacy profile of XACML”

● Part of XACML 2.0 package
● Works with XACML 1.0 and XACML 1.1 also


XACML Policy Structure

[Figure. Labels: PolicySet; Policy; Rule; PolicySet]


XACML policy example

EnterprisePolicySet
- PolicySet Target
- Combining Algorithm
- HR Policy
- Facilities Policy
- Legal Policy

HR Policy
- Policy Target
- Combining Algorithm
- Rule 1
- Rule 2
- Obligations

Rule 1: Effect="Permit"
- Rule Target
- SubjectRole = "HRSupervisor"
- SubjectId ≠ /Staff/SalaryAction/*#Employee-Id
- Resource = /Staff/SalaryAction/*
- Purpose = "Audit"
- Action = "Read"

Note: typos in printed version
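
A toy model of the HR Policy above, added here as an illustration; it is plain Python, not XACML syntax and not Sun's implementation. Rule 1 follows the slide. Assumptions: Rule 2's content, the mapping of obligations to decisions, the attribute key names, and the sample requests. XACML's Indeterminate result is left out.

```python
from fnmatch import fnmatchcase

SALARY = "/Staff/SalaryAction/*"

def rule1(req):
    # Rule 1 from the slide: Effect="Permit".
    applies = (req["role"] == "HRSupervisor"
               and fnmatchcase(req["resource"], SALARY)
               and req["action"] == "Read"
               and req["purpose"] == "Audit"
               # SubjectId must differ from the record's Employee-Id
               and req["subject_id"] != req["employee_id"])
    return "Permit" if applies else "NotApplicable"

def rule2(req):
    # Hypothetical Rule 2 (the slide gives no content for it):
    # Effect="Deny" for any salary record under legal hold.
    applies = fnmatchcase(req["resource"], SALARY) and req.get("legal_hold", False)
    return "Deny" if applies else "NotApplicable"

def deny_overrides(results):
    if "Deny" in results:
        return "Deny"
    return "Permit" if "Permit" in results else "NotApplicable"

def first_applicable(results):
    return next((r for r in results if r != "NotApplicable"), "NotApplicable")

# Policy-level obligations keyed by the decision they attach to (assumed mapping).
OBLIGATIONS = {"Permit": ["Audit"], "Deny": ["Notify"]}

def pdp(req, combine):
    # Decision point: evaluate every rule, then combine the results.
    decision = combine([rule(req) for rule in (rule1, rule2)])
    return decision, OBLIGATIONS.get(decision, [])

def pep(req, combine, can_fulfill=("Audit", "Notify")):
    # Enforcement point: grant only on Permit and only if every
    # obligation returned with the decision can be fulfilled.
    decision, obligations = pdp(req, combine)
    granted = decision == "Permit" and all(o in can_fulfill for o in obligations)
    return granted, decision, obligations

# Constructed sample requests.
AUDITOR = {"role": "HRSupervisor", "subject_id": "E100", "employee_id": "E200",
           "resource": "/Staff/SalaryAction/2004-10", "action": "Read",
           "purpose": "Audit"}
OWN_RECORD = dict(AUDITOR, employee_id="E100")
ON_HOLD = dict(AUDITOR, legal_hold=True)
```

With `ON_HOLD`, `deny_overrides` yields Deny while `first_applicable` yields Permit because Rule 1 is listed first, which is why rule order matters under a first-applicable algorithm.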


EPAL Overview

●Enterprise Privacy Authorization Language

●IBM specification

●Submitted to W3C 10 November 2003; no action

●EPAL 1.1 used XACML explicitly

●EPAL 1.2 uses a lot of XACML (attribute concepts, functions, datatypes, obligations)


EPAL Policy Structure

[Figure. Labels: Policy; Rule; Vocabulary; user-category; data-category; purpose; action; container; obligation]


Language comparison

Both have:

● Policies made up of Rules

● Rule = effect, target, conditions

● “Effect” of permit or deny

● Rules can be “Not applicable”

● Same basic “attribute” concept

● Almost identical constraints on attributes


Language comparison

Obligations

● EPAL: in Rules
● EPAL: by reference, thus need parameters
● EPAL: associated with the Rule Identifier

● XACML: in Policies (can have a 1-Rule Policy)
● XACML: direct; include any parameters
● XACML: associated with the accessed Resource


Language comparison

Vocabulary and Variables

● EPAL: one reference to one vocabulary
● EPAL: vocabulary defines all attributes and obligations

● XACML: optional “Variable Definitions”
● XACML: Variable Definition can be for an attribute or for an entire constraint
● XACML: supports optional “vocabulary” attributes


EPAL limitations

EPAL: Not designed for access control

“Unlike access control, the <purpose> is part of an EPAL authorization query. Without knowing the purpose of an access, authorization cannot be decided. As a consequence, any system using EPAL must be able to determine a purpose before asking the EPAL engine to evaluate a given policy.” [EPAL 1.2, Section 3.5]

XACML: designed for access control, including privacy. Two optional purpose attributes: purpose data collected, purpose data accessed.


Privacy and access control

●Privacy policy is one component of access control policy

●Must be integrated for security, manageability, consistency, effective enforcement and auditing


EPAL limitations

EPAL: Not designed for enterprise-level policies

●No nested policies
●No distributed policies
●Uses features not supporting digitally signed policies
●Only one subject allowed per access request
●Only first-applicable Rule is evaluated

XACML: deals with all of these.


EPAL limitations

EPAL: Inconsistent treatment of attributes

● user-category, data-category vs “container” attributes: handled differently
● Requester must know policy to specify an attribute as a “category” or as a “container” attribute

XACML

● All attributes same type of object
● Attributes handled consistently
● Requester does not have to know the policy


EPAL limitations

EPAL: Limited concept of “role”

“Must be a manager” AND “Must be a member of the Strategy Team”:

“Manager” and “Strategy Team member” must be specified differently

XACML: consistent specification of role attributes.


EPAL limitations

EPAL: Limited concept of “hierarchical role”

EPAL: Each policy writer has to know the role hierarchy.

XACML: independent management of role hierarchies.

Note: typos in printed version


EPAL limitations

EPAL: One “vocabulary” per policy:

Policies may cover data defined by multiple standards. Policy writer must re-write them into one vocabulary.

XACML: supports optional “vocabulary” attributes and Variable Definitions


EPAL limitations

EPAL: Not a standard

● Submitted to W3C Nov 2003
● W3C has taken no action
● Currently a proprietary IBM product

XACML: OASIS Standard since Feb 2003.


Conclusions

●EPAL: functional subset of XACML
●EPAL: proprietary; not a standard
●EPAL: design limitations

●XACML: access control + privacy
●XACML: open standard
●XACML: multiple implementations
●XACML: multiple vendors


Further information

● A Comparison of EPAL and XACML http://research.sun.com/projects/xacml/CompareEPALandXACML.html

● Privacy profile of XACML http://docs.oasis-open.org/xacml/access_control-xacml-2_0-privacy_profile-spec-cd-01.pdf

● A Brief Introduction to XACML http://www.oasis-open.org/committees/download.php/2713/Brief_Introduction_to_XACML.html

●OASIS Access Control (XACML) Technical Committee (all specifications and other documents) http://www.oasis-open.org/committees/xacml

●Sun's XACML Open Source Implementation http://sunxacml.sourceforge.net

Anne Anderson <[email protected]>


Sun, Sun Microsystems, the Sun logo, and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and in other countries.

Copyright 2004 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved.