Have Your Cake and Eat It Too: Cascading Disclosure Control Language


DESCRIPTION

Have Your Cake and Eat It Too: Cascading Disclosure Control Language. GJXDM Users' Conference, September 6-8, 2006, San Diego, California. Agenda: Background; CDCL Overview; Rules Authoring; Disclosure Concern Abstraction; Use With GJXDM & NIEM; Questions. PowerPoint PPT presentation.

Text of Have Your Cake and Eat It Too: Cascading Disclosure Control Language

  • Have Your Cake and Eat It Too: Cascading Disclosure Control Language

    GJXDM Users' Conference

    September 6-8, 2006

    San Diego, California

  • Agenda

    Background

    CDCL Overview

    Rules Authoring

    Disclosure Concern Abstraction

    Use With GJXDM & NIEM

    Questions

  • Data From A Disclosure Point of View

    Regardless of the actual IEPD, XML document, etc., most document instances can be represented hierarchically.

    This simplifies thinking about the application of disclosure control.

    [Class diagram: DataNode, specialised into AtomicDataNode (-value; equivalent to a simple XML data type) and DataNodeGroup (equivalent to a complex XML data type), with a 1-to-* containment between group and node. Paper Report, Message and XML Document are shown as node groups (a root XML document). DisclosureControlInformation is attached with multiplicity 1 to 0..1.]

  • Data To XML From A Disclosure Point of View

    [The same class diagram as the previous slide, annotated with an example instance: Adam Brooks, 1960-10-07.]

  • Traditional Approaches

    Don't share sensitive data: safe, but anyone who still isn't convinced that we really should share data is probably at the wrong conference.

    Write restrictions into each database, application & exchange: works fine at first. The costs start mounting when the rules change. The risks to production systems increase whenever code must be modified.

  • The CDCL Approach

    Process each data node individually.

    Define rules that match data nodes to recipient users, and specify what kind of disclosure will be permitted.

    Separate the rules from the application code.

    Define a predictable processing model.

    Make the rules easy to sight-read and author.

    Accommodate distributed authorship based on "Custodial" roles.

  • Hasn't this been done before?

    No.

    True, effective permissions & rights management languages have emerged: XACML, XRML, etc.

    CDCL is complementary, not competing, technology. It addresses a different problem space.

  • The Basis of CDCL: Data Custodianship

    A Custodian is anybody who writes CDCL Rules that someone will pay attention to.

    There are two kinds of Custodian:

    Primary Custodians can write rules that authorize disclosure of data or restrict disclosure of data.

    Stakeholder Custodians can only restrict data disclosure, never authorize it.

    Primary Custodians are usually identified with the entity that owns the data.

  • Distributed Authoring: Multiple Custodians

  • The CDCL Project

    Ad hoc: make it happen. Cocktail napkins instead of white papers.

    Public specifications, open standards, cross-platform.

    Open source reference implementations: parsers, editors and transformers.

    All content to be licensed under vendor-friendly open source licenses.

    Open to contributions from all interested parties.

    W3C Semantic Web development/compatibility path.

    Agile techniques.

    Community forum/publications at http://wijiscommons.org/cdcl/

  • Using The Gatepoint

    The Gatepoint can be deployed in two ways:

    As a service component in your enterprise architecture.

    Or, because it's a platform-independent specification of behavior, you can build it into your applications, using any language and platform you choose. Roll your own or use an existing implementation.

  • The CDCL Gatepoint

    The primary CDCL processing component is called a Gatepoint.

    The Gatepoint provides a single operational service. The service accepts:

    A document (i.e., a structure of information nodes), and

    Information about the intended recipient.

    The service returns either:

    The document, unaltered;

    The document with some content redacted; or

    A distinguished value (such as an empty document) signifying that nothing in the document may be released to that particular recipient.

  • How Does CDCL Work?

    The Gatepoint consults CDCL Rules assembled, from various sources, into the Rulesheet Deck.

  • How Does CDCL Work?

    At runtime, the Gatepoint is aware of:

    The present document, which is a structured, well-understood collection of individual information items, or data nodes;

    The recipient user context, i.e. information about the authenticated user to whom the present document is to be disclosed.

  • How Does CDCL Work?

    The Gatepoint creates an output document which is to be provided to the recipient user.

    One by one, the nodes in the present document are evaluated to see whether they can be released to this recipient user.

  • How Does CDCL Work?

    In this manner, the output document is assembled on the fly; it may include all, some, or none of the present document's content. It is guaranteed to be compliant with all of the rules in the Rulesheet Deck, and can be safely released to the recipient user.

  • How Does the Gatepoint Evaluate a Node?

    It deals itself a hand from the deck:

    For the present item (i.e., the node being evaluated), it selects only those rules which are applicable:

    Checks whether the present item matches the rule's nodeset specification.

    Checks whether the recipient user's user context matches the rule's userset specification.

    If the answer to both of those is yes, the rule is added to the Hand.

  • How Does the Gatepoint Evaluate a Node?

    Resolves any conflicts between rules.

    Probably, the rules in the hand will specify some different outcomes. Those outcomes are then resolved by the Cascade.

    Cascade: not a sequence of waterfalls, and not a popular brand of dish soap. "Cascade" is cribbed from the W3C's Cascading Style Sheets activity. It means:

  • The Structure of a CDCL Rule

    A CDCL Rule consists of three parts:

    A Userset specification

    A Nodeset specification

    An Outcome

    In general, you can think of it as a simple imperative statement: "If these users want to see these data items, I want this outcome to happen."

    Outcomes are things like:

    Disclose the info

    Withhold/Redact

    Deny knowledge of the info
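The processing model of the preceding slides (deal a hand of applicable rules per node, resolve the hand by the cascade, assemble the output document, or return the distinguished "nothing releasable" value) as a runnable sketch. This is an added example, not code from the presentation or from the CDCL project. Usersets and nodesets are plain Python predicates rather than Booliette, the document is a nested dict (groups) with scalar leaves (atomic nodes), and the cascade lets the most restrictive outcome in the hand win; that resolution order, the redact-by-default treatment of leaves no rule speaks to, the `Rule` shape and the sample deck and document are all assumptions of this example.

```python
"""Gatepoint sketch: deal a hand of applicable rules per node, then cascade.

Added example, not code from the presentation or the CDCL project. The
cascade order (most restrictive wins), the default for unaddressed leaves,
and the Rule/user shapes are assumptions made here.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Callable, Optional

DISCLOSE, REDACT, DENY = "disclose", "redact", "deny"
SEVERITY = {DISCLOSE: 0, REDACT: 1, DENY: 2}   # higher wins in the cascade
REDACTED = "[redacted]"
User = dict[str, Any]                          # e.g. {"id": "demo", "roles": {"courts"}}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    custodian: str                      # "primary" or "stakeholder"
    userset: Callable[[User], bool]     # which recipients the rule speaks about
    nodeset: Callable[[str], bool]      # which node paths it covers
    outcome: str

    def __post_init__(self) -> None:
        if self.outcome not in SEVERITY:
            raise ValueError(f"{self.rule_id}: unknown outcome {self.outcome!r}")
        # Stakeholder custodians may restrict disclosure but never authorize it.
        if self.custodian == "stakeholder" and self.outcome == DISCLOSE:
            raise ValueError(f"{self.rule_id}: stakeholders cannot authorize disclosure")


# Predicate builders for usersets and nodesets.
def has_role(*roles: str) -> Callable[[User], bool]:
    return lambda user: bool(set(roles) & set(user.get("roles", ())))


def lacks_role(role: str) -> Callable[[User], bool]:
    return lambda user: role not in user.get("roles", ())


def anyone(user: User) -> bool:
    return True


def under(prefix: str) -> Callable[[str], bool]:
    return lambda path: path == prefix or path.startswith(prefix + "/")


def deal_hand(path: str, user: User, deck: list[Rule]) -> list[Rule]:
    """Keep only rules whose nodeset covers this node and whose userset covers this recipient."""
    return [r for r in deck if r.nodeset(path) and r.userset(user)]


def cascade(hand: list[Rule], is_leaf: bool) -> str:
    """Resolve the hand: most restrictive outcome wins. A leaf no rule speaks for is
    withheld; a group with an empty hand is simply walked so its children get judged."""
    if not hand:
        return REDACT if is_leaf else DISCLOSE
    return max((r.outcome for r in hand), key=SEVERITY.__getitem__)


class Gatepoint:
    def __init__(self, deck: list[Rule]) -> None:
        self.deck = deck

    def process(self, document: dict, user: User) -> Optional[dict]:
        """Return the document, a copy with content redacted, or None when nothing may be released."""
        released = 0

        def visit(node: Any, path: str) -> tuple[Any, bool]:
            nonlocal released
            is_leaf = not isinstance(node, dict)
            outcome = cascade(deal_hand(path, user, self.deck), is_leaf)
            if outcome == DENY:
                return None, False        # omit the node entirely: deny knowledge of it
            if outcome == REDACT:
                return REDACTED, True     # keep the slot, withhold the value
            if is_leaf:
                released += 1
                return node, True
            out = {}
            for key, child in node.items():
                value, keep = visit(child, f"{path}/{key}" if path else key)
                if keep:
                    out[key] = value
            return out, True

        output, _ = visit(document, "")
        return output if released else None


# Constructed rulesheet deck: several custodians' rules assembled together.
DECK = [
    Rule("D1", "primary", has_role("corrections", "courts"), under("Prisoner/Sentence"), DISCLOSE),
    Rule("N1", "primary", anyone, under("Prisoner/Name"), DISCLOSE),
    Rule("N2", "primary", anyone, under("Prisoner/BirthDate"), DISCLOSE),
    Rule("M1", "primary", has_role("medical", "corrections"), under("Prisoner/MedicalNotes"), DISCLOSE),
    # A health agency as stakeholder custodian: it can only restrict, and its
    # restriction outranks the owner's disclosure for non-medical recipients.
    Rule("M2", "stakeholder", lacks_role("medical"), under("Prisoner/MedicalNotes"), DENY),
]

DOCUMENT = {  # constructed sample document
    "Prisoner": {
        "Name": "Adam Brooks",
        "BirthDate": "1960-10-07",
        "Sentence": {"Offense": "burglary", "Years": 4},
        "MedicalNotes": "insulin dependent",
    }
}


def release_to(roles: set[str]) -> Optional[dict]:
    """Run the constructed document through the Gatepoint for a recipient with these roles."""
    return Gatepoint(DECK).process(DOCUMENT, {"id": "demo", "roles": roles})
```

`release_to({"corrections"})` yields the name, birth date and sentence but omits the medical notes: the owner's `M1` would disclose them, the health agency's `M2` denies them, and the cascade lets the restriction win. A recipient with no roles gets the sentence leaves as `[redacted]` because no rule in the deck speaks for them, and a document none of whose leaves any rule discloses comes back as `None`, the distinguished value.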

  • Avoiding the "Lost In Translation" Effect

    Policymakers should be able to read & write the rules.

    Should minimize programmer time spent understanding and implementing rules.

    Want to be able to react to rule changes quickly.

    Third parties (the average Joe) should be able to review and understand the rules.

    One of the hardest problems for non-programmers is Boolean logic.

  • Booliette Notation

    Userset and Nodeset specifications are written in a special notation called Booliette.

    Booliette expresses Boolean logic as nested bullet-point lists.

    What's a bullet-point list? Ha ha, just kidding.

    Example:

    * exactly-one-true:
      * my job is awesome
      * all-must-be-true:
        * my job is adequate
        * my job sends me to San Diego!
        * my job pays the big bucks
      * I am buffing The Resume. Ya hey!

    "Ya hey!" is here for humor. Higher-order ANSI characters are not part of the permitted Booliette character set.
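A small parser and evaluator for the notation just described, added here as an example; it is not code from the presentation or the CDCL project. It assumes the three operator keywords that appear on the slides (`exactly-one-true`, `all-must-be-true`, `at-least-one-of-these-true`), nests bullets by indentation width, treats any other bullet as a leaf assertion looked up in a dict of facts, and enforces the ASCII-only character set as a parse-time check. The `Node` type, the implicit top-level conjunction and the sample sheet are constructed for this example.

```python
"""Booliette: Boolean logic written as nested bullet-point lists.

Added example, not code from the presentation or the CDCL project. Operator
keywords, indentation-based nesting and the ASCII check are assumptions
drawn from the slides.
"""
from __future__ import annotations

from dataclasses import dataclass, field

OPERATORS = {
    "exactly-one-true": lambda values: sum(values) == 1,
    "all-must-be-true": all,
    "at-least-one-of-these-true": any,
}


@dataclass
class Node:
    text: str                       # operator keyword or leaf assertion
    is_operator: bool
    children: list[Node] = field(default_factory=list)


def parse_booliette(source: str) -> Node:
    """Parse '* ' bullet lines into a tree; the whole sheet is an implicit all-must-be-true."""
    if not source.isascii():
        raise ValueError("Booliette permits ASCII characters only")
    root = Node("all-must-be-true", True)
    stack: list[tuple[int, Node]] = [(-1, root)]   # (indent, node), outermost first
    for lineno, raw in enumerate(source.splitlines(), 1):
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        body = raw.strip()
        if not body.startswith("* "):
            raise ValueError(f"line {lineno}: every Booliette line is a '* ' bullet")
        text = body[2:].strip()
        is_operator = text.endswith(":") and text[:-1] in OPERATORS
        node = Node(text[:-1] if is_operator else text, is_operator)
        while stack[-1][0] >= indent:              # climb out to the enclosing bullet
            stack.pop()
        parent = stack[-1][1]
        if not parent.is_operator:
            raise ValueError(f"line {lineno}: '{parent.text}' is an assertion and cannot nest bullets")
        parent.children.append(node)
        stack.append((indent, node))
    return root


def evaluate(node: Node, facts: dict[str, bool]) -> bool:
    """Evaluate the tree; an assertion absent from facts counts as false."""
    if not node.is_operator:
        return bool(facts.get(node.text, False))
    if not node.children:
        raise ValueError(f"'{node.text}:' has no bullets beneath it")
    return OPERATORS[node.text]([evaluate(child, facts) for child in node.children])


def matches(source: str, facts: dict[str, bool]) -> bool:
    return evaluate(parse_booliette(source), facts)


# Constructed sheet in the shape of the slide's example.
EXAMPLE = """\
* exactly-one-true:
  * my job is awesome
  * all-must-be-true:
    * my job is adequate
    * my job sends me to San Diego!
    * my job pays the big bucks
  * I am buffing The Resume
"""

ADEQUATE_JOB = {
    "my job is adequate": True,
    "my job sends me to San Diego!": True,
    "my job pays the big bucks": True,
}
```

Two design choices matter for a disclosure language: an assertion nobody has established evaluates to false rather than raising, so a userset never matches by accident, and an operator with nothing beneath it is rejected at evaluation time rather than silently becoming vacuously true (`all([])`) or false.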

  • End to End CDCL

    [Use case diagram. Actors: Authorized Policymaker, Business Analyst, Developer, User, Member of Public. Components: CDCL Parser, CDCL Gatepoint, Data Access Point. Use cases: Write Policies (Authorized Policymaker); Rephrase Policies into CDCL (Business Analyst); Parses CDCL into XML/Code (CDCL Parser); Generate maps; Associate maps to Data; Audit Rules; Request Data (User); Applies CDCL (CDCL Gatepoint); several "extends" relations between them. Notes on the diagram: "The rules are written using CDCL notation, which explicitly codifies the abstract notion of a policy into a semantically unique rule"; "Takes unique semantic rules and enumerates specific associations to a specific data element within an IEPD or other data source"; "Requests for data associate element-to-rule maps with the elements of a data instance".]

  • Authoring a CDCL Rulesheet

    Step 0: Determine policy and write it down. (Authorized Policymaker)

    Step 1: Rephrase policy statements as empty CDCL Rules. (Business Analyst)

    Step 2: Fill Rules with an outcome specification, & logically exact implementation assertions. (Business Analyst)

    Step 3: Write technical statements that test assertions at runtime. (Business Analyst/Developer)

    The following examples of this are from a lengthier demonstration at wijiscommons.org/

  • Step 0: Write Policy

    rule D

    Disclose all sentence information either to members of all Wisconsin Corrections roles or to members of all Wisconsin Courts roles or, as long as the prisoner's entry date is more than 30 days ago, to anyone.

  • Step 1: Rewrite as Empty CDCL Rule

    # Disclose all sentence information either to members of
    # all Wisconsin Corrections roles or to members of
    # all Wisconsin Courts roles
    rule id = {D1}

  • Step 2: Fill in outcome and assertions

    # Disclose all sentence information either to members of
    # all Wisconsin Corrections roles or to members of
    # all Wisconsin Courts roles
    rule id = {D1}
    apply-outcome: {disclose}
    for-items:
    * plain [sentence info]
    for-any-user-like-this:
    * at-least-one-of-these-true:
      * plain [Wisconsin Corrections user]
      * plain [Wisconsin Courts user]

  • Step 3: Apply Technical Content

    # Disclose all sentence information either to members of
    # all Wisconsin Corrections roles or to members of
    # all Wisconsin Courts roles
    rule id = {D1}
    apply-outcome: {disclose}
    for-items:
    * plain [sentence info]
      * presentitem-or-parent described-by xpath [//Prisoner/Sentence]
    for-any-user-like-this:
    * at-least-one-of-these-true:
      * plain [Wisconsin Corrections user]
        * recipientuser in ldap [dir.wi-doc.com/o=doc.wi.us?memberOf(ou=correctionalroles)]
      * plain [Wisconsin Courts user]
        * recipientuser in ldap [dir.wicourts.gov/o=wicourts.gov]
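Rule D1 with its step 3 technical statements, carried through against an XML instance. This is an added example, not code from the presentation or the CDCL project. The nodeset `presentitem-or-parent described-by xpath [//Prisoner/Sentence]` is evaluated with ElementTree (whose XPath subset wants `.//` where the rule writes `//`), and the userset `recipientuser in ldap [...]` is checked against an in-memory stand-in for the two directories the rule names; the directory contents, user ids, the `<Document>` wrapper and the sample instance are constructed for this example, and nothing connects to a real LDAP server. Any node the rule does not disclose is redacted, which is the outcome assumed here for nodes no rule authorizes.

```python
"""Rule D1 with its technical bindings, applied to an XML document.

Added example, not code from the presentation or the CDCL project. The
directory stand-in, user ids and sample document are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed stand-in for the two directories: base -> user id -> group memberships.
DIRECTORY = {
    "dir.wi-doc.com/o=doc.wi.us": {"jsmith": {"ou=correctionalroles"}, "tlee": {"ou=staff"}},
    "dir.wicourts.gov/o=wicourts.gov": {"rjones": set()},
}


def in_ldap(spec: str):
    """'base?memberOf(group)' requires membership in group; a bare 'base' only requires an entry."""
    base, _, query = spec.partition("?")
    group = None
    if query.startswith("memberOf(") and query.endswith(")"):
        group = query[len("memberOf("):-1]
    elif query:
        raise ValueError(f"unsupported directory query: {query!r}")

    def check(user_id: str) -> bool:
        entry = DIRECTORY.get(base, {}).get(user_id)
        return entry is not None and (group is None or group in entry)
    return check


def at_least_one_of_these_true(*checks):
    return lambda user_id: any(check(user_id) for check in checks)


RULE_D1 = {
    "id": "D1",
    "outcome": "disclose",
    "items_xpath": "//Prisoner/Sentence",
    "userset": at_least_one_of_these_true(
        in_ldap("dir.wi-doc.com/o=doc.wi.us?memberOf(ou=correctionalroles)"),
        in_ldap("dir.wicourts.gov/o=wicourts.gov"),
    ),
}


def described_by(root: ET.Element, xpath: str) -> set:
    """Elements the xpath selects plus everything beneath them (the present item or a parent matches)."""
    covered = set()
    for hit in root.findall("." + xpath):      # './/Prisoner/Sentence' in ElementTree's dialect
        covered.update(hit.iter())             # iter() yields the element itself and its descendants
    return covered


def apply_rule(xml_text: str, user_id: str, rule: dict = RULE_D1) -> str:
    """Return the document with every node the rule does not disclose to this user redacted."""
    root = ET.fromstring(xml_text)
    disclosed = described_by(root, rule["items_xpath"]) if rule["userset"](user_id) else set()
    for element in root.iter():
        if element not in disclosed:
            element.text = None                # withhold the value, keep the structure
            element.attrib.clear()
    return ET.tostring(root, encoding="unicode")


def released_values(xml_text: str, user_id: str) -> dict:
    """Leaf tag -> text after redaction, for inspection."""
    root = ET.fromstring(apply_rule(xml_text, user_id))
    return {element.tag: element.text for element in root.iter() if len(element) == 0}


SAMPLE = (  # constructed document instance
    '<Document><Prisoner id="123"><Name>Adam Brooks</Name><EntryDate>2006-08-01</EntryDate>'
    "<Sentence><Offense>burglary</Offense><Years>4</Years></Sentence></Prisoner></Document>"
)
```

`released_values(SAMPLE, "jsmith")` (a member of `ou=correctionalroles`) and `released_values(SAMPLE, "rjones")` (an entry in the courts directory) both keep the `Sentence` subtree and nothing else; `tlee`, who is in the corrections directory but not in that group, and an unknown user get every value redacted, including the `id` attribute on `Prisoner`, which the rule never mentions.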

  • Bareknuckle Rules

    When you