Details how to use policy rule templates to manage content access rules, avoiding the pitfalls of the ABAC approach and providing a method for policy analysts to quickly mark up content without requiring deep programming knowledge.
2. EXECUTIVE OVERVIEW
Managing information privacy and access policies has become a critical need and technical challenge. The desired solution should be ubiquitous and syntax neutral, yet a simple and lightweight approach that meets the legal policy requirements through the application of clear, consistent and obvious assertions.
Today we have low-level tools that developers know how to implement with, and we have legal documents created by lawyers, but there is a chasm between these two worlds.
3. LEGAL AND RULES TECHNOLOGIES
The RuleML community has long understood this and has developed, and continues to develop, new and improved methods and solutions. The challenge is in taking these approaches and applying them to NIEM XML based information sources in a high-level conceptual way that is accessible to information analysts and general NIEM practitioners, rather than the province of specialized XML programmers only.
These techniques also need to be broadly applicable, using existing open public software standards and tools, so we can enable the widest possible adoption within the NIEM community.
4. APPROACH
The solution we are introducing will:
- Provide a clear, declarative, assertions-based method, founded on policy approaches developed by the rules community
- Leverage open software standards and tools
- Enable business information analysts to apply and manage the policy profiles
Show illustrative design time and run time examples by:
- Visually assigning exchange components and rule assertions
- Applying this to retrieval of documents stored with registry and repository services
5. APPLICATION SCENARIO OVERVIEW
[Figure: application scenario diagram. Labels: Policy Rules; Portal User Dashboard; Information Requests; Case Management Registry Services; Case Documents (XML); Apply Policy Rules to Requested Case Content; Output Templates; XML Response; Requested Information; User Profiles. Caption: Users see only information permitted by their role and policy profile.]
6. PRESENTATION AGENDA
Part 1 - Problem introduction and policy methods overview
Part 2 - Design time technical walkthrough of rule assertions example
Part 3 - Run time deployment with registry services
7. PART 1 PROBLEM INTRODUCTION
Policy Methods Overview
8. USE CASE SAR CASE MANAGEMENT
Three levels of information access:
- Citizen level reporting - SAR statistics
- Local law enforcement officials - case review
- State and Federal - case management and coordination
This means three profiles:
- Profile 1 - Registry query - statistics results
- Profile 2 - Local staff
- Profile 3 - Regional staff
SAR = Suspicious Activity Report
9. POLICY GRANULARITY
Coarse-Grained
- Role-based authorization of subjects.
- Access granted to coarse-grained data objects.
- E.g., Permit law enforcement to access the NCIC Wanted Persons Database.
Fine-Grained
- Attribute-based authorization of subjects.
- Access limited to specific data objects based on attributes.
- E.g., Permit law enforcement to access criminal history records if the records were created by the requester's agency.
10. RULE AND CONTEXT METADATA
Properties of the access rules and environment:
- Actions
- Conditions
- Subject
- Resource
- Policy
- Obligations
11. PRIVACY AND SECURITY ARCHITECTURES
- Express policies in a structured language (e.g., XML)
- Identify requesters
- Compare data collection and release purposes
- Enforce retention rules
- Notify data owners and subscribers
- Verify compliance
12. MAPPING TO DATA STANDARDS
[Figure: mapping of Electronic Policy Statements to data standards. Labels: GFIPM User Metadata; NIEM; GFIPM; Content Metadata; XACML Actions.]
13. POLICY AUTHORING LANGUAGE
- A mechanism to specify policy rules in unambiguous terms
- XML Access Control Markup Language (XACML)
- Machine-readable
- Supports federated and dynamic policies
14. XACML ARCHITECTURE
Term  Description
PAP   Policy Administration Point - Point which manages policies.
PDP   Policy Decision Point - Point which evaluates and issues authorization decisions.
PEP   Policy Enforcement Point - Point which intercepts a user's access request to a resource and enforces the PDP's decision.
PIP   Policy Information Point - Point which can provide external information to a PDP, such as LDAP attribute information.
Source: http://en.wikipedia.org/wiki/XACML
16. ENCODING RULES INTO XACML
Policy Matrix Rule | XACML Statement
Party Subject to Rule
  Subject Condition(s) | Conditions.
  Subject(s) | Subject(s).
  Subject Information Context | Subject(s) attributes.
  Rule Action | Action(s). Action(s) attributes.
Data Resource Subject to Rule
  Target Resource(s) | Resource(s).
  Other Resource Context | Resource(s) attributes.
  Other Resource Conditions | Conditions.
Circumstances in Which the Rule Applies
  General or Action Policy Conditions | Purpose(s).
  Obligations and Environments | If [zero or more [Subject(s) Action(s) and/or Resource(s), and/or Environment(s) attributes) [Condition(s)] are met] with [zero or more Obligation(s) to be performed].
Rule Activity
  Deny/Permit by Statute/Policy | Effect = PERMIT or DENY.
Administrative Information
  Precedence | PolicyCombiningAlgorithm(s), RuleCombiningAlgorithm(s).
  References | PolicyID, RuleID.
  Linkages | PolicyID, RuleID.
  Policy Matrix Editors | Does not translate to XACML.
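An added example, not from the presentation and not XACML syntax or the SunXACML API: a small Python model of how the matrix fields (subject, action, resource, condition, effect, obligations, rule combining) produce a decision, using the coarse- and fine-grained examples from the policy granularity slide. The attribute names, rule IDs, the `sealed-record` Deny rule and the function names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Rule:
    rule_id: str
    effect: str                       # "Permit" or "Deny"
    subject: dict                     # subject attributes that must match
    action: str
    resource: dict                    # resource attributes that must match
    condition: Callable[[dict, dict], bool] = lambda s, r: True
    obligations: list = field(default_factory=list)


def _matches(required, actual):
    return all(actual.get(k) == v for k, v in required.items())


def evaluate(rules, subject, action, resource):
    """Deny-overrides: an applicable Deny wins, then Permit, else NotApplicable."""
    decision, obligations = "NotApplicable", []
    for rule in rules:
        applies = (_matches(rule.subject, subject) and rule.action == action
                   and _matches(rule.resource, resource)
                   and rule.condition(subject, resource))
        if not applies:
            continue
        if rule.effect == "Deny":
            return "Deny", list(rule.obligations)
        decision = "Permit"
        obligations.extend(rule.obligations)
    return decision, obligations


# Constructed rules: the coarse- and fine-grained examples, plus a Deny rule.
RULES = [
    Rule("coarse-ncic", "Permit", {"role": "law-enforcement"}, "read",
         {"type": "ncic-wanted-persons"}),
    Rule("fine-chr", "Permit", {"role": "law-enforcement"}, "read",
         {"type": "criminal-history"},
         condition=lambda s, r: s.get("agency") is not None
         and s.get("agency") == r.get("created_by"),
         obligations=["log-access"]),
    Rule("sealed-record", "Deny", {}, "read", {"sealed": True}),
]


def pep_allows(decision):
    """Deny-biased enforcement: only an explicit Permit discloses anything."""
    return decision == "Permit"
```

The fine-grained condition rejects a request where both the requester's agency and the record's creator are missing, a case a plain equality test would permit.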
17. PART 2 DESIGN TIME WALKTHROUGH
Design Time Rule Assertions Concepts
18. USING POLICY TEMPLATES
- Traditional NIEM approach focuses on the information exchange data handling
- Uses XSD schema to define content structure and metadata
- Need is for a bridge between the NIEM schema, the XML information instances and the XACML rule assertion language
- Approach is based on visual content structure templates with declarative rule assertions
19. APPROACH IN A NUTSHELL
[Figure: approach diagram. Labels: Schema (NIEM IEPD); Exchange Structures; Policy Assertion Template; Output Templates; Policies (Rule Assertions); XACML Generation Tool; XACML XML Script; Deployed XACML Engine. Caption: Rules Asserted to Nodes in the Exchange Structure via simple XPath associations.]
20. SAR VISUAL TEMPLATE + RULE ASSERTIONS
- Rules Assertions associate and control access privacy to specific content areas in the SAR details structure
- Visual metaphor allows policy analysts to verify directly
21. NIEM / GRA OPERATIONAL SCENARIO
[Figure: operational scenario diagram. Labels: Schema (NIEM IEPD); CAM Editor Visual Designer; Exchange Templates; Output Templates; Policies (Rule Assertions); Generated XACML Rules; XACML Engine; Information Exchange Interfaces; NIEM XML; NIEM data flows.]
22. CAM TOOLKIT + CAMV ENGINE
- Open source solutions designed to support XML and industry vocabularies and components for information exchanges
- Implementing the OASIS Content Assembly Mechanism (CAM) public standard
- CAMV validation framework and test suite tools
- Development sponsored by Oracle
CAM Editor resources site: http://www.cameditor.org
23. NEXT STEPS
- Enhance CAM Editor UI to provide wizards for policy rule assertion entry
- Provide XSLT to generate XACML from CAM template
- Enhance reporting tools to show policy details in plain English
- Test with sample JPS NIEM exchange schema
24. PART 3 DEPLOYMENT WITH REGISTRY
Illustrative deployment with XACML services and application
25. APPLICATION SCENARIO DETAILS
[Figure: application scenario diagram with XACML roles. Labels: Policy Rules; Portal User Dashboard; Information Requests; Case Management + PAP Registry Services; Case Documents (XML); Apply Policy Rules to Requested Case Content (PDP Engine); Output Templates; XML Response (PEP); Requested Information; User Profiles; XACML. Caption: Users see only information permitted by their role and policy profile.]
26. REGISTRY POLICY ENFORCEMENT
PAP
- Defines policies.
- Monitors compliance.
PDP
- Receives requests from the PEP.
- Identifies policies that match each request.
- Evaluates request and environment attributes.
- Directs the PEP.
PEP
- Discloses or redacts the information or denies the request.
- Logs the request and action.
- Notifies of the request and action.
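An added example, not from the presentation or from the CAM or XACML tools: a Python enforcement point that applies rule assertions attached to nodes by XPath, as the approach slide describes, and discloses, redacts or denies for the three SAR profiles. The element names, profile names, `ASSERTIONS` mapping and `enforce` function are constructed; a real deployment would use the NIEM exchange structure.

```python
import xml.etree.ElementTree as ET

# Constructed SAR instance; element names are illustrative, not the NIEM schema.
SAR_XML = """<SAR>
  <Activity><Category>Photography</Category><Date>2012-05-01</Date></Activity>
  <Location><City>Springfield</City><Street>12 Main St</Street></Location>
  <Subject><Name>Jane Doe</Name></Subject>
  <Reporter><Name>John Roe</Name></Reporter>
</SAR>"""

# Rule assertions (constructed): XPath of a node -> profiles permitted to see it.
ASSERTIONS = {
    "./Activity/Category": {"statistics", "local", "regional"},
    "./Activity/Date": {"local", "regional"},
    "./Location/City": {"statistics", "local", "regional"},
    "./Location/Street": {"local", "regional"},
    "./Subject": {"local", "regional"},
    "./Reporter": {"regional"},
}
AUDIT_LOG = []  # the PEP logs every request and the action taken


def _prune(elem, allowed):
    """Drop each child that is neither permitted nor an ancestor of a permitted node."""
    for child in list(elem):
        if child in allowed:
            continue
        _prune(child, allowed)
        if len(child) == 0:
            elem.remove(child)
        else:  # kept only as a container: strip its own text and attributes
            child.text = None
            child.attrib.clear()


def enforce(xml_text, profile):
    """Return the redacted document for a profile, or None when the request is denied."""
    root = ET.fromstring(xml_text)
    allowed = set()
    for xpath, profiles in ASSERTIONS.items():
        if profile in profiles:
            for node in root.findall(xpath):
                allowed.update(node.iter())  # the node and its whole subtree
    if not allowed:  # no assertion permits anything: deny by default
        AUDIT_LOG.append((profile, "deny"))
        return None
    _prune(root, allowed)
    AUDIT_LOG.append((profile, "redact"))
    return ET.tostring(root, encoding="unicode")
```

Nodes with no assertion are removed for every profile, so content added to the exchange later stays hidden until a rule permits it. For untrusted documents, parse with a hardened XML parser such as defusedxml rather than the standard library parser.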
28. PUBLISHING CONTENT (BULK IMPORT TOOL)
Bulk loader will trawl server and folder location for content, e.g. original SAR XML documents
[Figure: Bulk Publish of SAR documents]
29. SAR DISCOVERY AND RETRIEVAL
- SAR Discovery Query (easily extended / tailored without code changes) allows rapid prototyping and verification of content and operations
- Results returned digest and content retrieval options
31. KEY MESSAGES
- Dramatically simpler policy adoption
- Can be rapidly developed with existing tools
- Can be visually inspected and verified by policy analysts
- Enables use of dynamic contextual policies
- Supports international standards work
32. CONTRIBUTORS
- James E. Cabral Jr. - IJIS/OASIS and MTGM LLC
- David Webber - Oracle Public Sector NIEM team
- Farrukh Najmi - OASIS ebXML RegRep, SunXACML project and Wellfleet Software
33. RESOURCES
OASIS CAM and tools project site
- https://www.oasis-open.org/committees/cam
- http://cameditor.org (sourceforge.net)
OASIS XACML and tools project site
- https://www.oasis-open.org/committees/xacml
- http://sunxacml.sourceforge.net/
OASIS ebXML RegRep and Implementing Registry
- https://wiki.oasis-open.org/regrep/
- http://goo.gl/cEpnC