“…but please remember, it’s confidential! Please avoid reading this in places with potentially curious people… and in countries mentioned in the document, you know how sensitive it is and the consequences a disclosure can cause to our business… OK?”
“Yeah sure, I am just about to take off but I have a couple of hours to wait in the connecting airport… you don’t mind, right?”
How much do you trust people when you share with them information that you are responsible for? What care and attention do you expect? Or, on the other hand, how much do terms, requirements and constraints on confidential documents stand in the way, or prove too complicated to remember, while working under pressure, while travelling, or both?
At SAP ACES Product Security Research group, we thought about a component that can simplify the consumption of content on the move, supporting users in consuming confidential pieces of information with a pleasant user experience and in a compliant way. We developed a mobile research prototype that is able to download confidential information and allows its usage according to data-specific usage policies. The prototype relies on a cloud application (deployable on SAP HANA Cloud) for data and policy storage.
Our research prototype relies on a library, ProtectMe, that takes care of downloading pieces of information together with their specific policies; the library is then able to recognize and enforce such policies while the data are being used. Moreover, the library takes care of implementing any obligation prescribed by the policy and/or by regulatory terms like the EU Directive 95/46/EC on data protection (e.g. delete data after a certain time, send notifications to the information owner and so on). So, ProtectMe is also an effective tool for apps that need to comply with requirements on safeguarding the privacy of personal information.
Integrating ProtectMe into a third-party app minimizes the impact on user experience, which facilitates user acceptance of the new functionality in existing apps; on the other hand, the simple ProtectMe API allows very easy integration with any app’s business logic, without requiring significant knowledge or training for app developers.
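To make the idea of a policy that travels with the data concrete, here is a minimal sketch added for illustration; it is not ProtectMe code, and it uses neither the ProtectMe API nor PPL syntax. All class, field and function names are hypothetical, the sample record is constructed, and denying access when no location is available is an assumption of this sketch.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class StickyPolicy:
    """Hypothetical policy record; not the PPL schema or the ProtectMe API."""
    allowed_actions: frozenset
    blocked_countries: frozenset   # usage is denied while the device is in one of these
    retention: timedelta           # obligation: delete the local copy after this long
    notify_owner: bool = True      # obligation: report every decision to the data owner

@dataclass
class ProtectedItem:
    payload: Optional[bytes]
    policy: StickyPolicy
    downloaded_at: datetime
    owner_log: list = field(default_factory=list)  # stands in for owner notifications

    def _notify(self, event, action, country, now):
        if self.policy.notify_owner:
            self.owner_log.append((now.isoformat(), event, action, country))

    def use(self, action, country, now):
        """Return the payload if the policy permits this use, otherwise None."""
        p = self.policy
        # Obligations run before the access decision, so expired data is never served.
        if self.payload is not None and now - self.downloaded_at >= p.retention:
            self.payload = None
            self._notify("deleted", action, country, now)
        if self.payload is None:
            decision = "deny:expired"
        elif action not in p.allowed_actions:
            decision = "deny:action"
        elif country is None or country in p.blocked_countries:
            decision = "deny:location"  # fail closed when the sensor gives no location
        else:
            decision = "permit"
        self._notify(decision, action, country, now)
        return self.payload if decision == "permit" else None

# Constructed sample: an appointment record with a view-only, 24-hour policy.
# "XX" is a placeholder country code.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)

def sample_item():
    policy = StickyPolicy(frozenset({"view"}), frozenset({"XX"}), timedelta(hours=24))
    return ProtectedItem(b"appointment: 10:30, cardiology", policy, T0)
```

The app only ever calls `use()`, so the access decision and the obligations (deletion, owner notification) stay in one place instead of being spread across business logic.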
Let’s see a concrete example scenario, to see how all this works… and a bit of action!
Important: Please note that the following work stems from research activities and has prototypical character. It does not correspond to functionality offered by official SAP products.
Let’s suppose that a hospital provides its patients with a mobile application for booking visits with specialists.
A hospital clerk receives visit requests and confirms them, assigning a time slot and a doctor.
Then, the hospital’s doctors are provided with an app for their tablets, which automatically keeps track of scheduled appointments.
But wait, where’s the novelty here?
Let’s see it live:
The use case diagram of this scenario is here:
And here is a simplified block diagram, showing the different scenario elements, and not detailing their connections for the sake of simplicity:
Much more could be said, for instance, about the definition, management and enforcement of declarative policies on mobile devices, taking into account conditions gathered by sensors on mobile devices. These are perhaps good topics for upcoming posts…
More details on ProtectMe, on PPL and on the concept of “sticky policy” (usage control directives) can be found at the following links:
Special thanks to Stuart SHORT for the precious help.