Privacy Management with HP OpenView Identity Management

Privacy Management with HP OpenView Identity Management
Archie Reed, Director of Strategy, Identity Management, HP UK
Marco Casassa Mont, Senior Researcher, TSL, HP Labs, Bristol
Tutorial Id: TH-1400/4
© 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Outline
• Privacy for Identity Management: Setting the Context
• Important Privacy Aspects to be Addressed:
  • Privacy Policy Enforcement
  • Privacy Obligation Management
• HP Identity Management Portfolio:
  • HP Select Access, HP Select Identity, HP Select Federation
  • Current Support for Privacy
• HP Labs Privacy Management work:
  • Privacy Policy Enforcement for HP Select Access
  • Obligation Management System and Integration with HP Select Identity
• Conclusions
9/17/2020 2

Privacy: An Important Aspect of Regulatory Compliance
[Figure labels: Regulations (incomplete list …); Regulatory Compliance (Example of Process); PRIVACY]

Impact on Enterprises and Opportunities
[Diagram labels: Privacy Legislation (EU Laws, HIPAA, COPPA, SOX, GLB, Safe Harbour, …); Customers’ Expectations; Internal Guidelines; Applications & Services; Personal Data; PEOPLE; ENTERPRISE; Customers’ Satisfaction; Regulatory Compliance; Positive Impact on Reputation, Brand, Customer Retention]

Data Governance and Policy Management (Including Privacy Policies): Gaps
[Diagram labels: Policy Development and Modelling; Monitoring, Audit, Reporting and Policy Management; Data Inventory; People/Roles; Systems/Applications/Services; Confidential/Personal Data; Policy Enforcement; Gap and Risk Analysis; Policy Deployment]

Privacy For Personal Data: Core Principles
[Diagram labels: Purpose Specification; Consent; Privacy Permissions; Limited Collection; Privacy Rights; Limited Use; Limited Disclosure; Privacy Obligations; Limited Retention; Privacy Policies]

Terminology: Consent, Intent, Data Purpose, Privacy Policy
• CONSENT is given by data subjects for the usage of their Personal Data (PII) for predefined PURPOSES
• Privacy Office & Privacy Admins: definition of the PURPOSES data are collected for
• PRIVACY POLICIES: how data must be managed. What can be accessed by requestors, given their INTENT, the PURPOSE of collecting the data and the CONSENT given by data subjects
• Data Requestors: to access personal data they need to express their INTENT, i.e. how they intend to use these data
P.S.: INTENT could be hard-coded in applications or part of role definitions
[Diagram labels: Data Subject; Personal Data (PII) + Consent; Request for DATA + INTENT; Applications & Services; ENTERPRISE]

Privacy Enforcement for Personal Data: Principles and Implications
[Diagram labels: Purpose Specification; Consent; Limited Collection; Limited Use; Limited Disclosure; Limited Retention; Privacy Policies; Privacy Enforcement: Access Control Implications]

Privacy Enforcement on Data: Access Control + “Intent, Purpose, Consent, …”
It is not just a matter of traditional access control: need to include data purpose, intent and user’s consent.
Moving Towards a “Privacy-Aware” Access Control …
[Diagram labels, Traditional Access Control: Personal Data; Requestor; Actions; Rights; Access Control]
[Diagram labels, Privacy-Aware Access Control: Personal Data; Requestor; Requestor’s Intent; Owner’s Consent; Purpose; Actions; Rights; Constraints; Other…; Access Control; Privacy Extension]

2nd Example: Privacy-aware Access Control
Consent, Purpose and Intent Mgmt

Table T1 with PII Data and Customers’ Consent

T1
uid  Name   Condition           Diagnosis
1    Alice  Alcoholic           Cirrhosis
2    Rob    Drug Addicted       HIV
3    Julie  Contagious Illness  Hepatitis

T2: columns Consent (1, 2, 3), Marketing, Research; consent marks: x x x

Enterprise Privacy Policies & Customers’ Consent:
  If role == "empl." and intent == "Marketing"
    Then Allow Access (T1.Condition, T1.Diagnosis) & Enforce (Consent)
  Else If intent == "Research"
    Then Allow Access (T1.Diagnosis) & Enforce (Consent)
  Else Deny Access

Request: Table T1 (SELECT * FROM T1), Intent = “Marketing”

Privacy Policy Enforcement: Filter data
  SELECT '-', Condition, Diagnosis
  FROM T1, T2
  WHERE T1.uid = T2.Consent AND T2.Marketing = 'YES'

Filtered data
uid  Name  Condition           Diagnosis
1    -     Alcoholism          Cirrhosis
2    -
3    -     Contagious Illness  Hepatitis

Implicit Approach to Enforce Privacy Policies: No Flexibility
Implicit:
• Embed privacy policies within applications, queries, services/ad-hoc solutions
• Simple Approach
• It does not scale in terms of policy management
• It is not flexible and adaptive to changes
[Diagram labels: Privacy Policy Definition and Enforcement; Applications & Services; Business logic; Privacy policies; Personal Data]

Explicit Approach to Enforce Privacy Policies: Vertical and Invasive
Explicit:
• Fully deployed Privacy Management Frameworks
• Explicit Management of Privacy Policies
• Might require major changes to IT and data infrastructure
• Usage of Vertical Solutions
[Diagram labels: Privacy Policy Definition and Enforcement; Current Approaches; IBM Privacy Manager; Privacy-aware Hippocratic Databases]

HP Approach: Adaptive, Integrated and Flexible Enforcement of Privacy Policies
HP Approach:
• Single solution for explicit management of Privacy Policies
• Privacy Enforcement by Leveraging and Extending HP Select Access Control Framework and easy to use management UI
• Does not require major changes to Applications/Services or Data Repositories
[Diagram labels: Privacy Policy Definition and Enforcement; Implicit; Explicit; HP Approach]

Privacy Obligation Refinement: Abstract vs. Refined
Obligations can be very abstract:
“Every financial institution has an affirmative and continuing obligation to respect customer privacy and protect the security and confidentiality of customer information” (Gramm-Leach-Bliley Act)
More refined Privacy Obligations dictate Duties and Responsibilities with respect to Personal Information:
• Notice Requirements
• Enforcement of opt-in/opt-out options
• Limits on reuse of Information and Information Sharing
• Data Retention limitations
…

Privacy Obligations: A Complex Topic …
[Diagram labels: Obligations; Duration; Enforcement; Long-term; Ongoing; Short-term; One-time; Types; Context; Independent from Access Control; Dependent on Access Control; Transactional; Data Retention & Handling; Event-driven; Other; Setting; Data Subject; Enterprise]
Examples: “Notify User via e-mail1 If his Data is Accessed”; “Delete Data XYZ after 7 years”
“How to Represent Privacy Obligations? How to Stick them to Personal Data? How to Manage, Enforce and Monitor them? How to Integrate them into current IDM solutions?”

Privacy Obligations: Common Aspects
• Timeframe (period of validity) of obligations
• Events/Contexts that trigger the need to fulfil obligations
• Target of an obligation (PII data)
• Actions/Tasks/Workflows to be Enforced
• Responsible for enforcing obligations
• Exceptions and special cases

Technical Work in this Space [1/2]
Current Approaches to Deal with Privacy Obligations:
- P3P (W3C):
  - Definition of User’s Privacy Expectations
  - Explicit Declaration of Enterprise Promises
  - No Definition of Mechanisms for their Enforcement
- Data Retention Solutions and Document Management Systems:
  - Limited in terms of expressiveness and functionalities
  - Focusing more on documents/files, not personal data
- Ad-hoc Solutions for Vertical Markets

Technical Work in this Space [2/2]
Recent relevant Work done in this Space:
- IBM Enterprise Privacy Architecture, including a policy management system, a privacy enforcement system and audit
- Initial work on privacy obligations in the context of Enterprise Privacy Authorization Language (EPAL), led by IBM
- XACML (OASIS): similar standard proposal
- No Refined Model of Privacy Obligations
- Privacy Obligations Subordinated to AC. Incorrect …

Privacy Obligations: Suggested Approach
• Deal with Privacy Obligations as “first-class citizens” in the context of Enterprises and Organisations – recognise their importance for Regulatory Compliance
• Recognise the Importance of Separation of Concerns: explore how to explicitly represent, manage and enforce privacy obligations without imposing any dominant view (for example, the authorization perspective)
• Research and Work on Longer-term Issues, such as accountability, stronger associations of obligations to data, obligation versioning and tracking

HP OpenView Identity Management
[Diagram labels: Registration/Creation; Propagation; Maintenance/Management; Termination; Authentication; Authorization; Single Sign-On; Personalization; Federation; Accounts & Policies; Compliance; Privacy]
HP Select Identity
• Cross-enterprise user lifecycle management
• Provisioning
• Workflow
• Password management
• Self Service
• Delegated administration
HP Select Access
• Authentication
• Policy-based Access control
• Single sign-on
• Web Services Security & Access Mgmt
• Personalization
HP Select Federation
• Open protocol federation
• Automated inter-organizational user activation & provisioning
• Privacy management
• Federation auditing & governance

[1] HP Select Access Control product
• Policy Authoring
• Policy Decisions
• Policy Enforcement
• Auditing

[1] HP Select Access Control System: Definition, Enforcement and Auditing of Access Control Policies

[1] Policy Builder: Authoring Access Control Constraints
High-level matrix-based UI to set up access control constraints on resources given users/groups

[1] Rule Editor: Fine-grained Access Control Rules
Rule editor: fine-grained definition of access control policies

[1] HP Select Access: Summary
• Access Control System
• Fine-grained Policy Authoring, Deployment and Enforcement
• Intuitive and Simple to use GUIs
• Enforcement for Web Resources
• Auditing

[2] HP Select Identity
• Management of Identities in Organisations
• Support for Self Registration and User Provisioning
• Account Management across Platforms, Applications and Corporate Boundaries

[2] HP Select Identity
[Diagram labels: Connector Bus; Security & Access Controls; Policy & Security; Identity Management Functions; Workflow; Policies; Notifications; IdM Services; Business Relationships; Groups; Identity Store (users); Mainframe; Business Apps; Directories; Windows; Web SSO; H.R.; Databases]

[2] HP Select Identity: Summary
• Centralised Management of Users and Entitlements
• User Provisioning: create, update and delete
• Administrative Delegation
• User Self Service
• Approval Workflow
• Password & Profile Management
• Audit and Reporting

[3] HP Select Federation
• Enables web SSO and Cross Domain Federated Identity Management
• No need for Centralised Data Repository
• Support for Liberty Alliance, SAML, WS Federation

[3] HP Select Federation
OpenView Select Federation enables secure, cross-enterprise single sign-on and identity data sharing
• Supports multiple federation protocols, including Liberty and SAML
• Supports heterogeneous identity management environments
• Includes a comprehensive management console
• Provides extensive audit capabilities
• Enables policy-based privacy management
• Enables 1-click smart user activation/provisioning

HP IDM Solutions: HPL Privacy Extensions
[Matrix. Columns: HP Select Access; HP Select Identity; HP Select Federation. Rows: Data Modelling & Management; Privacy-aware Policy Authoring; Privacy-aware Policy Deployment; Privacy-aware Policy Enforcement (Access Control); Obligation Management & Enforcement; Audit & Reporting. The label “Federated Environments” appears beside the Privacy-aware Policy Authoring, Deployment and Enforcement rows. Legend: Supported; Can Be Extended; Not Relevant]

HP IDM Solutions: HPL Privacy Extensions
[Matrix. Columns: HP Select Access; HP Select Identity; HP Select Federation. Rows: Data Modelling & Management; Privacy-aware Policy Authoring; Privacy-aware Policy Deployment; Privacy-aware Policy Enforcement (Access Control); Obligation Management & Enforcement; Audit & Reporting. The label “Federated Environments” appears beside the Privacy-aware Policy Authoring, Deployment and Enforcement rows. Legend: Supported; Can Be Extended; Not Relevant; HPL Work]

Privacy Policy Enforcement: Requirements for HP Select Access
Core requirements:
1. Explicit Modelling of Confidential Data
2. Describe Privacy Policy based on the Content of Data, Consent, Intent and Data Purpose
3. Make Decisions based on these Privacy Policies
4. Enforce these Privacy Decisions
→ Extend Select Access mainly via its Standard APIs to implement the above requirements

Privacy Enforcement in HP Select Access
[Diagram labels: Applications, Services, …; Web Services; Access Request; Enforcer; Plug-in; Validator (Policy Decision); Grant/Deny; Requestor’s Intent + Request to Access Data; Privacy-aware Access Request; HPL Data Enforcer; Privacy-aware Access to Data; Privacy Policy Enforcement On Personal Data + Owners’ Consent; Privacy Policy Deployment & Decisions; Privacy-aware Decision; Policy Repository; Access Control Policies + Privacy Policies (intent, purpose, consent, constraints…); Audit; Policy Builder; Data Modelling & Privacy Policy Authoring; HPL Plug-ins]

Select Access: Privacy Extension [1/4]
1 Modelling Data Resources in SA Policy Builder: Data Resources Added to Policy Builder

Select Access: Privacy Extension [2/4]
2 Author Privacy Policies in SA Policy Builder via SA Plug-ins:
• Add Privacy Constraints on “Data Resources”: checking Intent vs. Purpose, Consent, etc.
• Describe Policies the evaluation of which is: “Allow Access to Data + Privacy Constraints to be Enforced”
[Screenshot labels: Rule Editor; Purpose-based Decision plug-in; Data Filtering plug-in; Consent Management plug-in; Data Expiration plug-in]
Privacy Constraints:
- Filtering data
- Enforce Consent
- Obfuscating data
- Transformation of Data
…

Select Access: Privacy Extension [3/4]
3 Privacy Decisions by SA Validator (PDP):
• Validator Plug-in makes decisions based on Privacy Policies (1-1 correspondence with Policy Builder plug-in)
• Decisions must support Privacy-oriented Constraints (to be enforced): “Allow Access to Data + Constraints to be Enforced” (e.g. allow access to table “Patients Details”, but strip out the columns “Name, Surname, Address”)
• The SA Validator is general purpose. It does not examine Confidential Data for performance/logistic reasons.
[Diagram labels: Request: Data Resource + Intent + (Parameters); SA Validator Plug-in; Decisions: • NO • YES + Constraints]

Select Access: Privacy Extension [4/4]
4 Privacy Constraints enforced by a Data Enforcer …
The SA Web Enforcer focuses on Web Resources. It does not explicitly deal with Data Resources…
Add a SA “Data Enforcer” that:
• is located near the Data Repository (performance …)
• knows how to access/handle Data and “Queries”
• knows how to enforce Privacy Constraints
• can support “Query rewriting” (i.e. filtering, etc.)
The new SA “Data Enforcer” is designed to have:
• A General Purpose Engine (to interact with SA Validator)
• Ad-hoc plug-ins for different Data Sources to interpret and enforce privacy decisions (e.g. RDBMS, LDAP servers, virtual directories, meta-directories, …)
[Diagram labels: Data Access Request + Intent; allowed to access; Enforcer; SA API; Logic; Data Enforcer (Data Proxy); Plug-in; Constraint Enforcement Engine: RDBMS, LDAP Server, Meta Directory; Validator]

Data Enforcer SQL Query Transformation

Original SQL Query:

  SELECT * FROM PatientRecords;

SQL Query Transformed by Data Enforcer (Pre-Processing):

  SELECT PatientRecords.NAME, PatientRecords.DoB, PatientRecords.GENDER,
         '-' AS SSN,
         PatientRecords.ADDRESS, PatientRecords.LOCATION, PatientRecords.EMAIL,
         PatientRecords.COMM, PatientRecords.LIFESTYLE,
         '-' AS GP, '-' AS HEALTH, '-' AS CONSULTATIONS,
         '-' AS HOSPITALISATIONS, '-' AS FAMILY, '-' AS Username
  FROM PatientRecords, PrivacyPreferences
  WHERE PatientRecords.Name = PrivacyPreferences.Name
    AND PrivacyPreferences.Marketing = 'Yes';
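
Added example (not from the original slides and not HP Select Access code): a small Python sketch of the validator decision ("NO" or "YES + constraints") from the 2nd Example slide and the Data Enforcer's query rewriting shown above, run against an in-memory SQLite copy of tables T1/T2. The function names, the consent values in T2, and showing uid in clear are assumptions made for the illustration.

```python
import re
import sqlite3
from dataclasses import dataclass
from typing import Optional

# Data resources known to the enforcer (assumption: modelled on table T1 of the slides).
DATA_RESOURCES = {"T1": ("uid", "Name", "Condition", "Diagnosis")}
CONSENT_TABLE, CONSENT_KEY = "T2", "Consent"  # T2.Consent holds the data subject's uid


@dataclass(frozen=True)
class Decision:
    """Validator output: NO, or YES plus constraints for the enforcer."""
    allow: bool
    visible: frozenset = frozenset()      # columns returned in clear
    consent_column: Optional[str] = None  # T2 column that must be 'YES'


def validate(role: str, intent: str) -> Decision:
    """Policy decision; mirrors the If / Else If / Else policy on the slide.
    Returning uid in clear is an assumption taken from the slide's filtered table."""
    if role == "empl." and intent == "Marketing":
        return Decision(True, frozenset({"uid", "Condition", "Diagnosis"}), "Marketing")
    if intent == "Research":
        return Decision(True, frozenset({"uid", "Diagnosis"}), "Research")
    return Decision(False)


SELECT_ALL = re.compile(r"^\s*SELECT\s+\*\s+FROM\s+(\w+)\s*;?\s*$", re.IGNORECASE)


def rewrite(query: str, decision: Decision) -> str:
    """Pre-process a 'SELECT * FROM <resource>' request into its privacy-filtered form.
    A denied intent, an unknown table or an unrecognised query shape fails closed."""
    match = SELECT_ALL.match(query)
    if not decision.allow or match is None or match.group(1) not in DATA_RESOURCES:
        raise PermissionError("request denied by privacy policy")
    table = match.group(1)
    # Identifiers come from the enforcer's own data model, never from the requestor.
    columns = ", ".join(
        f"{table}.{col}" if col in decision.visible else f"'-' AS {col}"
        for col in DATA_RESOURCES[table]
    )
    return (
        f"SELECT {columns} FROM {table} "
        f"JOIN {CONSENT_TABLE} ON {table}.uid = {CONSENT_TABLE}.{CONSENT_KEY} "
        f"WHERE {CONSENT_TABLE}.{decision.consent_column} = 'YES' "
        f"ORDER BY {table}.uid"
    )


def enforce(conn, role: str, intent: str, query: str):
    """Data proxy entry point: decide, rewrite, then run only the rewritten query."""
    return conn.execute(rewrite(query, validate(role, intent))).fetchall()


def demo_connection():
    """Constructed sample data; the consent values are made up for the example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE T1 (uid INTEGER PRIMARY KEY, Name TEXT, Condition TEXT, Diagnosis TEXT);
        CREATE TABLE T2 (Consent INTEGER PRIMARY KEY, Marketing TEXT, Research TEXT);
        INSERT INTO T1 VALUES (1, 'Alice', 'Alcoholic', 'Cirrhosis'),
                              (2, 'Rob', 'Drug Addicted', 'HIV'),
                              (3, 'Julie', 'Contagious Illness', 'Hepatitis');
        INSERT INTO T2 VALUES (1, 'YES', 'NO'), (2, 'NO', 'YES'), (3, 'YES', 'NO');
    """)
    return conn


if __name__ == "__main__":
    db = demo_connection()
    print(rewrite("SELECT * FROM T1", validate("empl.", "Marketing")))
    print(enforce(db, "empl.", "Marketing", "SELECT * FROM T1"))
```

Rows without consent are dropped by the join rather than returned blank, and the requestor's own SQL text is never executed.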

Data Enforcer: Performance Based on Type of Queries

Demo: HealthCare Scenario
[Diagram labels: User’s Web Browser; Web Portal; SA Web Enforcer; Web Services Accessing PII Data (SQL); JDBC Proxy; SA Data Enforcer; Privacy Plug-ins; Personal Database; SA Validator + Privacy plug-ins; LDAP Directories; SA Policy Builder; Privacy Plug-ins]

Demo Snapshot

Demo Snapshot
• Effect of applying the privacy policy (data filtering)
• Effect of enforcing customers’ consent

Benefits
Integration of:
- Resource Management: data, IT resources, web resources, …
- Management of Access Control and Privacy Policies
- Policy Authoring and Administration GUI
- Policy Deployment and Enforcement Framework
Rationalization and Simplification of policy management and enforcement solutions

Next Steps
• HP Software Business Considering the Productisation of Privacy Enforcement for HP Select Access in 2006
• HP interested in “lighthouse” customers for collaborations and joint technological trials

Obligation Management System (OMS): Model
[Diagram labels: Obligation Management Framework; Obligations Scheduling; Obligations Enforcement; Obligations Monitoring; Privacy Obligations; Personal Data (PII); Data Subjects; Administrators; ENTERPRISE]

[1] Privacy Obligations: Modelling and Representation
• Privacy Obligation Identifier
• Targeted Personal Data: references to stored PII data, e.g. Database query, LDAP reference, etc.
• Triggering Events
• Actions
  One or more Events that trigger different Actions, potentially involving changes to PII data, e.g. Event: Time-based events; Actions: Delete PII, Notify
• Additional Metadata (Future Extensions)

[1] Privacy Obligations: Format Example

  <obligation id="gfrbg7645gt45">
    <target>
      <database>
        <dbname>Customers</dbname>
        <tname>Customers</tname>
        <locator>
          <key name="UserID">oid_a83b8a:fdfc44df3b:-7f9c</key>
        </locator>
        <data attr="part">
          <item>creditcard</item>
          <item>firstname</item>
        </data>
      </database>
    </target>
    <obligationitem sid="1">
      <metadata>
        <type>LONGTERM</type>
        <description>Delete [firstname, surname] at Sat Aug 15 17:26:21 BST 2004.]</description>
      </metadata>
      <events>
        <event>
          <type>TIMEOUT</type>
          <date now="no">
            <year>2004</year> <month>08</month> <day>14</day>
            <hour>17</hour> <minute>26</minute>
          </date>
        </event>
      </events>
      <actions>
        <action>
          <type>DELETE</type>
          <data attr="part">
            <item>creditcard</item>
            <item>firstname</item>
          </data>
        </action>
      </actions>
    </obligationitem>
  </obligation>
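
Added example (not from the original slides and not OMS code): a Python sketch that parses an obligation in the format above, checks whether its TIMEOUT event is due, and enforces the DELETE action on a SQLite table. The obligation id, key value, table contents, function names and the mapping of outcomes to "OK"/"VIOLATED" are assumptions made for the illustration.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed obligation in the slide's format (well-formed; id and key value are made up).
OBLIGATION_XML = """<obligation id="example-obligation-1">
  <target><database>
    <dbname>Customers</dbname><tname>Customers</tname>
    <locator><key name="UserID">user-0001</key></locator>
    <data attr="part"><item>creditcard</item><item>firstname</item></data>
  </database></target>
  <obligationitem sid="1">
    <metadata><type>LONGTERM</type></metadata>
    <events><event>
      <type>TIMEOUT</type>
      <date now="no"><year>2004</year><month>08</month><day>14</day>
        <hour>17</hour><minute>26</minute></date>
    </event></events>
    <actions><action>
      <type>DELETE</type>
      <data attr="part"><item>creditcard</item><item>firstname</item></data>
    </action></actions>
  </obligationitem>
</obligation>"""

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def ident(name):
    """Table and column names from an obligation end up in SQL text, so only
    plain identifiers are accepted; anything else is rejected at parse time."""
    if not name or not IDENT.fullmatch(name):
        raise ValueError(f"unsafe identifier in obligation: {name!r}")
    return name


def parse_obligation(xml_text):
    root = ET.fromstring(xml_text)
    db = root.find("target/database")
    key = db.find("locator/key")
    items = []
    for item in root.findall("obligationitem"):
        date = item.find("events/event/date")
        fields = ("year", "month", "day", "hour", "minute")
        action = item.find("actions/action")
        items.append({
            "sid": item.get("sid"),
            "event": item.findtext("events/event/type"),
            "due": datetime(*(int(date.findtext(f)) for f in fields)),
            "action": action.findtext("type"),
            "columns": [ident(i.text) for i in action.findall("data/item")],
        })
    return {"id": root.get("id"), "table": ident(db.findtext("tname")),
            "key_column": ident(key.get("name")), "key_value": key.text,
            "items": items}


def enforce_due(conn, obligation, now, enforced):
    """Enforce every TIMEOUT item that is due and not yet handled.
    Returns (sid, status) pairs; `enforced` remembers handled items so a
    one-time obligation is not applied twice."""
    results = []
    for item in obligation["items"]:
        tag = (obligation["id"], item["sid"])
        if tag in enforced or item["event"] != "TIMEOUT" or now < item["due"]:
            continue
        status = "VIOLATED"  # unsupported action or missing target row
        if item["action"] == "DELETE" and item["columns"]:
            assignments = ", ".join(f"{col} = NULL" for col in item["columns"])
            cur = conn.execute(
                f"UPDATE {obligation['table']} SET {assignments} "
                f"WHERE {obligation['key_column']} = ?",
                (obligation["key_value"],),  # the locator value is always bound
            )
            if cur.rowcount == 1:
                status = "OK"
        enforced.add(tag)
        results.append((item["sid"], status))
    return results


def demo_db():
    """Constructed customer record matching the obligation's locator."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (UserID TEXT PRIMARY KEY, "
                 "firstname TEXT, surname TEXT, creditcard TEXT)")
    conn.execute("INSERT INTO Customers VALUES "
                 "('user-0001', 'Alice', 'Example', '0000-constructed')")
    return conn
```

A partial delete (attr="part") is modelled here as setting the listed columns to NULL while the rest of the record stays in place.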

[2] OMS: High Level System Architecture
[Diagram labels: ENTERPRISE; Data Subjects; Admins; Privacy-enabled Portal; Applications and Services; Setting Privacy Obligations On Personal Data; Enforcing Privacy Obligations; Monitoring Privacy Obligations; Obligation Server; Events Handler; Obligation Scheduler; Obligation Enforcer; Workflows; Action Adaptors; Obligation Monitoring Service; Monitoring Task Handler; Information Tracker; Audit Server; Obligation Store & Versioning; Data Ref.; Confidential Data]

Privacy Obligation Management System: Use Case
Explicit Management, Enforcement and Monitoring of Privacy Preferences and Constraints associated to Personal Data and Digital Identities
[Diagram labels: Data Subject; Personal Data + Privacy Preferences; Self Registration and User Account Management; HP Select Identity; User Provisioning; Connectors; Enterprise Data Repositories; Turning privacy preferences into Privacy Obligations; Web Service API; Obligation Management System; Privacy Obligation Enforcement & Monitoring; Audit Logs]

Demo Screenshots …

Demo: Environment
[Screenshot labels: HP Select Identity; Obligation Management System - GUI]

OMS UI – Managed Obligations [1/2]
View: List of Managed Obligations (to be enforced and enforced obligations)
Note: in this example all obligations are enforced (status OK or Violated)

OMS UI – Managed Obligations [2/2]
Details of Selected Obligation

OMS UI – Monitored Obligations
View: Monitored Obligations (enforced obligations)
Note: In this example, the last two obligations in the list are in the “Violated” status (RED colour). This status and the details can be logged/audited and reported to the administrator for follow-up actions.

OMS UI – System Status
View: Status of OMS Internal Components
Note: More than one instance of each OMS component could be running, on different systems, for fault tolerance and workload balancing

HP SI – Provisioning a New User [1/2]
Privacy Preferences (deletion times of selected attributes and of the entire account)

HP SI – Provisioning a New User [2/2]
Privacy Preferences (notification of deletions via e-mail)

HP SI – Provisioning Request OK
The new user provisioning request has been successful – User information will also be provisioned via the OMS connector, which will cause the creation of new privacy obligations based on the user’s previous privacy preferences

OMS – New Privacy Obligations Generated
New Privacy Obligations generated as an effect of provisioning a new User and handling Privacy preferences (Deletion and Notification)

Benefits
- Explicit Control, Enforcement and Monitoring of Privacy Obligations
- Explicitly Address Data Subjects’ Preferences and Laws/Enterprise Obligations
- Integration of User Provisioning and Data Subject’s Preference
Rationalization and Simplification of Obligation Management and Enforcement

Next Steps
• Addressing open issues such as obligation life-cycle management, overall efficiency, stickiness of privacy obligations to PII data
• Further research to be done in the context of the EU PRIME project
• HPL interest in “lighthouse” customers for collaborations and joint technological trials

Conclusions
• Privacy Management is a Key Aspect of IT Governance and Regulatory Compliance
• Important Privacy Issues that Must be Addressed:
  - Privacy Policy Enforcement
  - Privacy Obligation Management
• Current HP IDM Solutions already Address Part of these Issues: Privacy Management as a Key Differentiator for HP IDM Solutions
• HP Labs’ Contributions:
  - Vision and R&D in the Privacy Management Space
  - Privacy Extensions of HP Select Access and HP Select Identity
• Privacy Enforcement for HP Select Access to be Productised in 2006
• HP Keen on Collaborations with Customers for Trials and Requirements

Contacts
Archie Reed (archie.reed@hp.com)
Marco Casassa Mont (marco.casassa-mont@hp.com)

Please Visit the HP Identity Management Booth for Additional Details on HP IDM Solutions

Backup Slides

Building SA Policy Builder Plug-ins …

Java-based plug-in (Decision Point Plug-in, Filter Point Plug-in): plug-in code and GUIs

• extends RuleComponentPanel (com.hp.ov.selectaccess.rulebuilder)
  - initialise()
  - okClicked()
  - helpClicked()
  - cancelClicked()
  - extends JPanel
  - comm. to Policy Store
• imports the SA XML API
  - com.hp.ov.selectaccess.util.property.Element
  - com.hp.ov.selectaccess.util.property.ListEleme
• reads component.xml
  - default configuration values for plug-in
  - link to the corresponding Validator plug-in

Building SA Validator Plug-ins …

C/C++-based plug-in (Decision Point Plug-in, Filter Point Plug-in): plug-in code

• #include Validator.h, #include Decider.h
• extends Decider
  - init()
  - factory()
  - decide()
  - comm. to Enforcer
  - comm. to Policy Store
• imports the SA XML API
  - PropertyElement.h
  - PropertyListElement.h

Plug-in entry points:
• init(): register plug-in
• factory(): retrieve portion of privacy policy from LDAP. Create plug-in instance
• decide():
  - decision point plug-in: decide path to follow based on Enforcer’s request
  - filter point plug-in: add constraints to Validator’s reply

Data Enforcer - Technical Details

[Diagram labels: Application/Service; JDBC Requests; JDBC Proxy Client; Enforcer API; RMI; SSL; JDBC Proxy Server; Enforcer API; Database; SA Validator; SSL; Java; C++; COM]

Enforcer API (com.hp.ov.selectaccess.enforcer):
• Enforcer()
• XMLQueryInit()
• XMLQuerySend()

- Work in Progress
- Exploring similar approaches for LDAP and Virtual Directories

OMS and HP Select Identity Integration: Current Prototype

[Diagram labels, with flow steps numbered 1 to 5: Data Subject; Personal Data + Privacy Preferences (deletion, notification); HP Select Identity; Web Services; User Provisioning; Personal Data; MS SQL Server; OMS Connector; Privacy Obligation Generation; Personal Data + Obligations; Data Storage; Obligation Management System (OMS); Privacy Obligations; Obligation Monitoring; Obligation Enforcement (attributes & user account deletion); Obligation Enforcement (e-mail notifications); MySQL; HP Labs Contribution]
