Anne Anderson, Staff Engineer, Sun Microsystems Labs, Burlington, MA, USA, [email protected]
Privacy Policy Languages: XACML vs EPAL
5th Annual Privacy & Security Workshop
29 October 2004
Copyright © 2004 Sun Microsystems, Inc. All rights reserved.
Outline
● Privacy policy language context
● XACML overview
● EPAL overview
● Language comparison
● Problem areas
● Conclusions
● Further information
Automated Privacy Policy Enforcement (diagram, built up over four slides)
Users → Applications → Data/Resources (files, equipment, databases, other applications ...), with Access Control mediating every access.
Access Control evaluates Policies written by Policy Administrators and returns Permit or Deny together with Obligations (audit, notify, ...).
PEP (Policy Enforcement Point): intercepts the access request, sends a decision request to the PDP, enforces the returned decision and fulfils the obligations.
PDP (Policy Decision Point): evaluates the policies against the request attributes and returns the decision plus obligations.
The application business logic then carries out the permitted access to the data/resources.
Privacy/Access Control Policies
● Who - user identities or roles
● What - resources or data
● How - actions
● Why - purpose/context
● Conditions - under which allowed or denied
● Obligations - if allowed or denied
Privacy/Access Control Policies
Two candidate languages
●XACML: OASIS eXtensible Access Control Markup Language Standard
●EPAL: IBM Enterprise Privacy Authorization Language
XACML Overview (1)
● eXtensible Access Control Markup Language
●OASIS Access Control Technical Committee (TC)
●OASIS Standard, February 2003
●Publicly available and open source implementations (Java*, C++, C#)
* Java (TM) programming language
XACML Overview (2)
● Works with OASIS Security Assertion Markup Language (SAML)
● Version 2.0 out for public review
● “Privacy profile of XACML”
● Part of XACML 2.0 package
● Works with XACML 1.0 and XACML 1.1 also
XACML Policy Structure (diagram): a PolicySet contains Policies and may also contain further PolicySets; a Policy contains Rules.
XACML policy example (diagram)
EnterprisePolicySet: PolicySet Target; Combining Algorithm; contains HR Policy, Facilities Policy and Legal Policy
HR Policy: Policy Target; Combining Algorithm; Rule 1; Rule 2; Obligations
Rule 1: Effect = ”Permit”
Rule Target: Resource = /Staff/SalaryAction/*; Action = “Read”; Purpose = “Audit”
Rule 1 constraints: SubjectRole = “HRSupervisor”; SubjectId ≠ /Staff/SalaryAction/*#Employee-Id
Note: typos in printed version
EPAL Overview
● Enterprise Privacy Authorization Language
●IBM specification
●Submitted to W3C 10 November 2003; no action
●EPAL 1.1 used XACML explicitly
●EPAL 1.2 uses a lot of XACML (attribute concepts, functions, datatypes, obligations)
EPAL Policy Structure (diagram): a Policy contains Rules and references one Vocabulary; the Vocabulary defines the user-category, data-category, purpose, action, container and obligation elements the Rules refer to.
Language comparison
Both have:
● Policies made up of Rules
● Rule = effect, target, conditions
● “Effect” of permit or deny
● Rules can be “Not applicable”
● Same basic “attribute” concept
● Almost identical constraints on attributes
Language comparison
Obligations
● EPAL: in Rules
● EPAL: by reference, thus need parameters
● EPAL: associated with the Rule Identifier
● XACML: in Policies (can have a 1-Rule Policy)
● XACML: direct; include any parameters
● XACML: associated with the accessed Resource
Language comparison
Vocabulary and Variables
● EPAL: one reference to one vocabulary
● EPAL: vocabulary defines all attributes and obligations
● XACML: optional “Variable Definitions”
● XACML: Variable Definition can be for an attribute or for an entire constraint
● XACML: supports optional “vocabulary” attributes
EPAL limitations
EPAL: Not designed for access control
“Unlike access control, the <purpose> is part of an EPAL authorization query. Without knowing the purpose of an access, authorization cannot be decided. As a consequence, any system using EPAL must be able to determine a purpose before asking the EPAL engine to evaluate a given policy.” [EPAL 1.2, Section 3.5]
XACML: designed for access control, including privacy. Two optional purpose attributes: purpose data collected, purpose data accessed.
Privacy and access control
●Privacy policy is one component of access control policy
●Must be integrated for security, manageability, consistency, effective enforcement and auditing
EPAL limitations
EPAL: Not designed for enterprise-level policies
● No nested policies
● No distributed policies
● Uses features not supporting digitally signed policies
● Only one subject allowed per access request
● Only first-applicable Rule is evaluated
XACML: deals with all of these.
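As an added example (not code from the slides), the following toy PDP in Python models the HR Policy from the XACML policy example slide and evaluates it under a deny-overrides and under a first-applicable rule-combining algorithm, the latter being the only evaluation behaviour the slide above credits EPAL with. Rule 1 is the slide's rule; Rule 2, the attribute names, the obligation string and the sample requests are constructed for the example, and a request that omits the purpose attribute is shown falling to NotApplicable rather than to an error.

```python
# Added example (not the deck's code): toy XACML-style PDP modelling the HR Policy.
import fnmatch
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

@dataclass
class Rule:
    effect: str                       # "Permit" or "Deny"
    target: Dict[str, str]            # attribute -> pattern; every entry must match
    condition: Callable[[Dict[str, str]], bool] = lambda r: True

    def evaluate(self, req: Dict[str, str]) -> str:
        for attr, pattern in self.target.items():
            if attr not in req or not fnmatch.fnmatchcase(req[attr], pattern):
                return "NotApplicable"    # target unmet, e.g. purpose attribute absent
        return self.effect if self.condition(req) else "NotApplicable"  # false != Deny

@dataclass
class Policy:
    rules: List[Rule]
    combining: str                    # "deny-overrides" or "first-applicable"
    obligations: List[str] = field(default_factory=list)  # policy-level, as in XACML

    def evaluate(self, req: Dict[str, str]) -> Tuple[str, List[str]]:
        applicable = [d for d in (r.evaluate(req) for r in self.rules)
                      if d != "NotApplicable"]
        if not applicable:
            return "NotApplicable", []  # obligations only accompany a decision
        if self.combining == "first-applicable":  # the only behaviour EPAL offers
            decision = applicable[0]
        else:                                     # deny-overrides
            decision = "Deny" if "Deny" in applicable else "Permit"
        return decision, list(self.obligations)

# Rule 1 is the slide's rule (HR supervisors read others' salaries, for audit);
# Rule 2 (sealed records may not be read) is constructed for this example.
RULE1 = Rule("Permit", {"resource-id": "/Staff/SalaryAction/*", "action-id": "Read",
                        "purpose": "Audit", "role": "HRSupervisor"},
             lambda r: r["subject-id"] != r.get("employee-id"))
RULE2 = Rule("Deny", {"resource-id": "/Staff/SalaryAction/*", "action-id": "Read",
                      "sealed": "true"})

def hr_policy(combining: str) -> Policy:
    return Policy([RULE1, RULE2], combining, obligations=["write-audit-record"])

def salary_read(subject, employee, sealed="false", purpose="Audit"):
    # Constructed decision request; purpose=None leaves that attribute out.
    req = {"subject-id": subject, "role": "HRSupervisor", "action-id": "Read", "sealed": sealed,
           "resource-id": f"/Staff/SalaryAction/{employee}", "employee-id": employee}
    if purpose is not None:
        req["purpose"] = purpose
    return req
```

With both rules applicable to a sealed record, deny-overrides returns Deny while first-applicable returns Rule 1's Permit, which is the difference the slide's last bullet points at.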
EPAL limitations
EPAL: Inconsistent treatment of attributes
● user-category, data-category vs “container” attributes: handled differently
● Requester must know policy to specify an attribute as a “category” or as a “container” attribute
XACML:
● All attributes same type of object
● Attributes handled consistently
● Requester does not have to know the policy
EPAL limitations
EPAL: Limited concept of “role”
“Must be a manager” AND “Must be a member of the Strategy Team”:
“Manager” and “Strategy Team member” must be specified differently
XACML: consistent specification of role attributes.
EPAL limitations
EPAL: Limited concept of “hierarchical role”
EPAL: Each policy writer has to know the role hierarchy.
XACML: independent management of role hierarchies.
Note: typos in printed version
EPAL limitations
EPAL: One “vocabulary” per policy:
Policies may cover data defined by multiple standards. Policy writer must re-write them into one vocabulary.
XACML: supports optional “vocabulary” attributes and Variable Definitions
EPAL limitations
EPAL: Not a standard
● Submitted to W3C Nov 2003
● W3C has taken no action
● Currently a proprietary IBM product
XACML: OASIS Standard since Feb 2003.
Conclusions
● EPAL: functional subset of XACML
● EPAL: proprietary; not a standard
● EPAL: design limitations
● XACML: access control + privacy
● XACML: open standard
● XACML: multiple implementations
● XACML: multiple vendors
Further information
● A Comparison of EPAL and XACML http://research.sun.com/projects/xacml/CompareEPALandXACML.html
● Privacy profile of XACML http://docs.oasis-open.org/xacml/access_control-xacml-2_0-privacy_profile-spec-cd-01.pdf
● A Brief Introduction to XACML http://www.oasis-open.org/committees/download.php/2713/Brief_Introduction_to_XACML.html
● OASIS Access Control (XACML) Technical Committee (all specifications and other documents) http://www.oasis-open.org/committees/xacml
● Sun's XACML Open Source Implementation http://sunxacml.sourceforge.net
Anne Anderson <[email protected]>
Sun, Sun Microsystems, the Sun logo, and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and in other countries.
Copyright 2004 Sun Microsystems, Inc., 4150 Network Circle,
Santa Clara, California 95054, U.S.A. All rights reserved.