Compliance & Mobile: “Yes I can share this, but handle with care!”
Welcome to the third part of a story started in two other posts about using business resources in mobility; here are the first and the second post. Here, we talk about compliance, more precisely about solutions that can help us to be compliant in our daily operations.
The story, in short:
>>> “…ok here you are, but pay attention to the confidentiality policy, that’s very confidential stuff and I am responsible for this… OK???“
<<< “Yeah sure, … wait, what exactly? well nevermind, need to go! Bye!”
The problem in essence is that specific information classification policies exist and define well how to protect a piece of information. However, in many cases the adequate implementation of such terms depends solely on information consumers. Not only deliberate policy violations or theft, but also human factors like stress, fatigue or sometimes even little oversights may lead to breaching the confidentiality of a data asset.
For instance, if we receive a critical and urgent request to perform a task while on a connection in an airport, are we compliant with our confidentiality policy when accessing a customer’s private data on our tablet and discussing them in a confcall?
What if we had a simple tool that stores data securely but also supports compliant information consumption, assisting users especially when in mobility?
To do so, we would need:
- Requirement #1: to describe confidentiality policy terms in a machine-understandable manner in a computer artefact
- Requirement #2: to enforce policy terms considering contextual information captured by mobile sensors
- Requirement #3: to harmonise such enforcement mechanism with the mobile user experience
Important: Please note that the following work stems from research activities and has prototypical character. It does not correspond to functionality offered by official SAP products.
Let’s start with Requirement #1.
Obtaining a machine-understandable policy for achieving compliance
This task can easily become very hard: for instance, regulations and standards use high-level terms, expressions and indirect references; they require ordered temporal action sequences that can span long periods; they do not always define forbidden actions or operations explicitly, and so on.
Let’s consider a simple example: what are the requirements for a mobile application that consumes Personally Identifiable Information of EU citizens? Look at this table:
So, as application developers, we may want to define a policy to comply with these privacy requirements. A simple approach can be to elaborate on each of the rows in the previous table, thus defining some lower-level requirements like in the following example:
OK, this seems useful, but which conceptual foundation could we use for implementing the finer-grained requirements and conditions? Access Control and one of its refinements, Usage Control, may be of use: for instance, to describe whether personal data are disseminated to commercial third parties (point #6 of the table on the right in the previous picture). Let’s see how they work.
In a nutshell, Access and Usage Control make it possible to control and monitor how protected resources are accessed and processed. In particular, conditions and obligations can be attached to access and usage decisions, so that, for example, a notification email must be sent if a piece of data is consumed outside of a secured building. We use XACML and PPL as policy languages to transform compliance directives into machine-readable policies, and we enforce them using a specific engine (see here and here for more details). In fact, this already starts to address Requirement #2 as well.
Enforce policy terms
Using XACML and PPL, it is possible to define a machine-readable policy that describes all the finer-level requirements. Let’s see how:
OK, but what does this mean in practice??? Where’s the code??? Here you are!
Therefore, it is possible to define machine-readable policies following EC Data Privacy Draft Regulation (or the existing Directive). Of course, many other policies, like corporate confidentiality policies, may be implemented in the same way.
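To make the mechanism described above concrete, here is an added example that is not the post’s own XACML/PPL listing or enforcement engine: a minimal Python evaluator modelling the same concepts (a Rule with a Target, a Condition over context attributes captured on the device, Obligations, and deny-overrides combining). The attribute names, the policy and the notification address are constructed placeholders.

```python
# Added example (not the post's XACML/PPL listing or enforcement engine):
# a minimal XACML-style evaluator modelling Rules with a Target, a Condition
# over mobile context attributes, Obligations, and deny-overrides combining.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Context = Dict[str, str]  # attributes captured at request time (e.g. from sensors)


@dataclass
class Rule:
    rule_id: str
    effect: str                                   # "Permit" or "Deny"
    target: Callable[[Context], bool]             # does the rule apply at all?
    condition: Callable[[Context], bool] = lambda ctx: True
    obligations: List[str] = field(default_factory=list)  # returned when rule matches


def evaluate(policy: List[Rule], ctx: Context) -> Tuple[str, List[str]]:
    """Deny-overrides: the first applicable Deny wins; otherwise Permit carrying the
    obligations of every matching Permit rule; NotApplicable if nothing matches."""
    decision, obligations = "NotApplicable", []
    for rule in policy:
        if not (rule.target(ctx) and rule.condition(ctx)):
            continue
        if rule.effect == "Deny":
            return "Deny", list(rule.obligations)
        decision = "Permit"
        obligations.extend(rule.obligations)
    return decision, obligations


def is_pii(ctx: Context) -> bool:
    return ctx.get("resource") == "customer-pii"


# Constructed policy mirroring the post's examples: no dissemination to commercial
# third parties (point #6), and a notification obligation when PII is consumed
# outside a secured building. The e-mail address is a placeholder.
PII_POLICY = [
    Rule("deny-third-party-dissemination", "Deny", target=is_pii,
         condition=lambda c: c.get("purpose") == "commercial-third-party"),
    Rule("permit-inside-secured-building", "Permit", target=is_pii,
         condition=lambda c: c.get("location") == "secured-building"),
    Rule("permit-outside-with-notification", "Permit", target=is_pii,
         condition=lambda c: c.get("location") != "secured-building",
         obligations=["send-notification-email:dpo@example.invalid",
                      "log-access-location"]),
]

if __name__ == "__main__":
    # Constructed request: urgent task handled on an airport connection.
    ctx = {"resource": "customer-pii", "purpose": "support", "location": "airport-wifi"}
    print(evaluate(PII_POLICY, ctx))
```

A real engine would also have to discharge the returned obligations (send the e-mail, write the audit record) before or after releasing the data; the evaluator above only computes the decision and the obligation list.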
Lastly, considering Requirement #3, we developed some proofs of concept that integrate smoothly into everyone’s mobile UX.
Integrate enforcement in UX
Let’s see some results:
It is possible to render where and when a piece of data was consumed.
It is possible to render a policy to end-users in a simple and clear manner.
It is possible to enforce the policy terms automatically.
In this post, we saw how it is possible to progress towards achieving compliance in information distribution and consumption by means of machine-understandable policies and specific policy enforcement solutions.
We defined XACML+PPL implementations with enforcement mechanisms for cloud and mobile, defining context-specific triggers, conditions and obligations. All the previous screenshots come from our mobile enforcement engine.
We are involved in the EU-funded Coco Cloud collaborative research project, which investigates compliance and confidentiality issues connected to information exchanges on cloud and mobile. For inquiries, suggestions or just for more details, feel free to get in touch with us:
Special Thanks to Stuart SHORT for the precious help.