Welcome to the third part of a story started in two other posts about using business resources in mobility, here's the first and the second post. Here, we talk about compliance. More precisely, about solutions that can help us to be compliant in our daily operations

The story, in short:

>>> "...ok here you are, but pay attention to the confidentiality policy, that's very confidential stuff and I am responsible for this... OK???"

<<< "Yeah sure, ... wait, what exactly? well nevermind, need to go! Bye!"

>>> "..."

The problem

The problem in essence is that specific information classification policies exist and define well how to protect a piece of information. However, in many cases the adequate implementation of such terms depends solely on information consumers. Not only deliberate policy violations or theft, but also human factors like stress, fatigue or sometimes even little oversights may lead to breaching the confidentiality of a data asset.

For instance, if we receive a critical and urgent request to perform a task while on a connection in an airport, are we compliant with our confidentiality policy when accessing a customer's private data on our tablet and discussing them in a confcall?

What if we could have a simple tool to store data securely but that supports a compliant information consumption, assisting users especially when in mobility?

To do so, we would need:

• Requirement #1: to describe confidentiality policy terms in a machine-understandable manner in a computer artefact
• Requirement #2: to enforce policy terms considering contextual information captured by mobile sensors
• Requirement #3: to harmonise such enforcement mechanism with the mobile user experience

At SAP ASCOT Product Security Research group, we are working on this problem and we will show you the earliest findings (for a bit of background, here is the first and the second post).

Important: Please note that the following work stems from research activities and has prototypical character. It does not correspond to functionality offered by official SAP products

Let's start with Requirement #1.

Obtaining a machine-understandable policy for achieving compliance

This task can easily become very hard, for instance: regulations and standards use high-level terms, expressions and indirect references; require ordered temporal action sequences that can span on long periods; does not always define explicitly forbidden actions or operations, and so on.

Let's consider a simple example: what are the requirements for a mobile application that consumes Personal Identifiable Information of EU citizens? Look at this this table:

This table is currently proposed as part of the new EU Data Privacy Regulation, in one of the drafts discussed by the European Parliament. If the proposal will get accepted, every software will present this table to its users in order to explain in a nutshell its privacy policy terms. Application developers have to declare whether their software complies or not with the terms proposed, it is only mandatory to say "yes" to rows 1-3.  We chose this example as it allows to synthesize few relevant privacy requirements that could be of general interest for many application developers.

So, as application developers, we may want to define a policy to comply with these privacy requirements. A simple approach can be to elaborate on each of the rows in the previous table, thus defining some lower-level requirements like in the following example:

Ok this seems useful but... Which conceptual foundation could we use for implementing the finer-grained requirements and conditions? Well, for instance, Access Control and one of its refinements, Usage Control, may be of use: for instance, to describe whether personal data are disseminated to commercial third parties (point #6 of the table on the right in the previous picture). Let's see how do they work.

In a nutshell, Access and Usage Control permit to control and monitor how protected resources are accessed and processed. In  particular, it is possible to use conditions and obligations for access and usage control, so that, for example, a notification email must be sent if a piece of data is consumed  outside of a secured building. We use XACML and PPL as policy languages to transform compliance directives in machine-readable policies, and we enforce them using a specific engine (see here and here for more details). In fact, now we are starting to address also Requirement #2.

Enforce policy terms

Using XACML and PPL, it is possible to define a machine-readable policy that describes all the finer-level requirements. Let's see how:

OK, but what does it mean in practice??? where's the code??? Here you are!

Therefore, it is possible to define machine-readable policies following EC Data Privacy Draft Regulation (or the existing Directive). Of course, many other policies, like corporate confidentiality policies, may be implemented in the same way.

Lastly, considering Requirement #3, we tried to develop some proof-of-concepts that are smoothly integrated in everyone's mobile UX.

Integrate enforcement in UX

Let's see some results:

Conclusion

In this post, we saw how it is possible to progress towards achieving compliance in information distribution and consumption by means of machine-understandable policies and specific policy enforcement solutions.

We defined XACML+PPL implementations with enforcement mechanisms for cloud and mobile, defining context-specific triggers, conditions and obligations. All the previous screenshots come from our mobile enforcement engine.

We are involved in the EU-funded Coco Cloud collaborative research project that investigates on compliance and confidentiality issues connected to information exchanges on cloud and mobile, for inquiries, suggestions or just for more details feel free to get in touch with us:

francesco.dicerbo slim.trabelsi or laurent.gomez from SAP ASCOT Product Security Research group.

Special Thanks to stuart.short for the precious help.