Catalyst Concordia Policy Workshop 2008

From Project Concordia


July 15, 2008

Presentation by Manny Rivera on several US Army Use-Cases:

US Army Use-Case

Relevant discussion taken from the minutes:

- Explanation of common authentication system
- Explanation of system-wide authorization model
    + depends upon thirteen identity attributes available for all personnel
- Deeper dive into the call-for-fire use-case
- Overview of commander scenario

+ Discussion of document meta-data and how it's created and maintained?

 ans: it's part of the SharePoint interface for documents; supports admins
      adding meta-data to docs

+ How is the document meta-data communicated to the PDP?

 ans: the JaZP call to the PDP captures and communicates the document
      meta-data required for the Az call

+ Discussion of data ownership

 ans: For example, HR controls a person's identification and attributes.
      The challenge is how to get access to this information to "other"
      departments.

+ Why should departments agree to provide these data services?

 ans: DoD will mandate that these services be made available 





A day-long workshop was held at the Burton Catalyst conference on 23 Jun 2008 on the topic of policy and entitlements (for example, examining interoperability needs around XACML and WS-Policy). You can find a list of Policy & Entitlements Management workshop participants here.

The day began with a marketplace overview by Gerry Gebel, Burton Group, and a technical deep dive on the related standards landscape by Hal Lockhart, Oracle. Use case presentations were then given by:

Following all of the use case presentations, with Q&A scattered throughout, the group developed a list of commonalities/needs that had emerged from the presentations. This list follows:

Policy & Entitlements Management Requirements Discussion

• Regulations as drivers

• Data – i.e. format, acquisition, management, movement of meta-data with data, classification/categorization (whose job is it?), integrity (modify)

    o Data lineage – i.e. properties associated with data elements

• There is also a concern/interest in DRM/ERM(IRM) i.e. data protection must move with the data

• Reusable consistent policy mechanisms separate from app logic

• Not only web apps, but also unstructured data – non-web apps, Databases & LDAP

• How to map from tech app to business policy?

• Confusion with regard to entitlements vs. role management – better description of use-cases

• Relevance/applicability of automated data classification systems?

    o Most are highly specialized vs. generalized
    o Subsequent use of data is problematic
    o Massive systems that fail spectacularly
    o Similarities with semantic web efforts

• Support for export laws & IP

• Heterogeneous environment support

• Need container-specific PEP bindings

• What low-bandwidth policy work is being done by vendors?

    o There is some DoD activity
    o Mobile device vendors are active

• Access rule complexity esp in custom applications – how to generalize (export/transform) the rule set?

    o Ref. “XACML-user” list in OASIS
    o E.g. privacy laws by locality
    o Union of privacy requirements vs. access rules
    o Policies need to reflect business relationships that may, in turn, depend on specific actions

• Vocabulary exists for defining policies using WS-Policy – would like to see discussion around non-XACML approaches

• How to request access to entitlements in the first place?

    o “Authorized tag requests”

• Need to tie model-driven approach to XACML implementation – top-down abstract to granular

    o Point solutions exist but no unified approaches
    o How to harmonize data discovery, user discovery, etc. into an easily deployable solution

• Resource metadata must be highly available

• PEP/PDP performance

    o How to make calls
    o Caching 
    o Coupling of PEP/PDP

• Scale of data management in an application-independent method – don’t want to touch the apps every time the metadata changes

• Need for standard interfaces

    o Would be useful to have large application deployers discuss deployment scenarios/models and interoperability
    o Not only big vendors but also point solutions

• User experience

    o Administrator
    o End users

• Role of workflow/lifecycle in policy management and IDM

• Governance importance

• Fine-grained control of IP with partners/competitors

• (Logically) centralized (unified) policy management

• Capture justification for policy management

• Error/exception processing – Fail Open or Fail Closed – analysis of effectiveness of underlying policy

• Importance of executive support

• Incorporating decision analysis modeling into policy development

• Mechanism for publishing vocabulary of attributes – NB #2 will be done in XACML Rev 3.0

    o 1. All attribute labels
    o 2. All attribute labels named in policies
    o 3. Attributes used in this decision (must make the decision to determine)

• How to model policies
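Several of the points above (the document meta-data being captured into the Az call to the PDP, PEP/PDP caching and coupling, fail open vs. fail closed, and the three levels of attribute vocabulary publication) fit together in one small model. The following is an added illustration written for this page; it is not workshop material and not Project Concordia or US Army code. The PEP/PDP classes, the rule set, the document names, departments and classification levels are all hypothetical, constructed sample values, and the model is a toy, not XACML.

```python
"""Toy attribute-based PEP/PDP model: an added illustration, not workshop
material. Document metadata, rules and attribute labels are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple


class MissingAttribute(Exception):
    """A policy condition referenced an attribute absent from the request."""


class AttributeView:
    """Read-only view of request attributes that records every label looked up.
    The record is vocabulary level 3: the attributes this decision actually used."""

    def __init__(self, attrs: Dict[str, object], used: Set[str]) -> None:
        self._attrs = attrs
        self._used = used

    def __getitem__(self, label: str) -> object:
        self._used.add(label)
        if label not in self._attrs:
            raise MissingAttribute(label)
        return self._attrs[label]


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                                # "Permit" or "Deny"
    labels: FrozenSet[str]                     # labels the condition names (level 2)
    condition: Callable[[AttributeView], bool]


class PDP:
    """Policy decision point using deny-overrides combining."""

    def __init__(self, rules: List[Rule], all_labels: Set[str]) -> None:
        self.rules = list(rules)
        self.all_labels = frozenset(all_labels)  # level 1: every label the deployment knows
        self.calls = 0                           # real evaluations, to show PEP caching

    def vocabulary(self, level: int) -> FrozenSet[str]:
        """Publish the attribute vocabulary at level 1 or 2; level 3 is per decision."""
        if level == 1:
            return self.all_labels
        if level == 2:
            return frozenset().union(*(r.labels for r in self.rules))
        raise ValueError("level 3 is returned by decide() for a specific request")

    def decide(self, attrs: Dict[str, object]) -> Tuple[str, FrozenSet[str]]:
        """Return (decision, attributes used). Decision is Permit, Deny,
        NotApplicable, or Indeterminate when a referenced attribute is missing."""
        self.calls += 1
        used: Set[str] = set()
        view = AttributeView(attrs, used)
        decision = "NotApplicable"
        try:
            for rule in self.rules:
                if rule.condition(view):
                    if rule.effect == "Deny":
                        return "Deny", frozenset(used)   # deny-overrides: stop here
                    decision = "Permit"
        except MissingAttribute:
            return "Indeterminate", frozenset(used)
        return decision, frozenset(used)


class PEP:
    """Enforcement point in front of a document store. It copies the document's
    stored metadata into the authorization request, caches decisions, and
    fails closed: only an explicit Permit grants access."""

    def __init__(self, pdp: PDP, metadata: Dict[str, Dict[str, object]]) -> None:
        self.pdp = pdp
        self.metadata = metadata
        self.cache: Dict[Tuple, str] = {}

    def authorize(self, subject: Dict[str, object], doc_id: str, action: str) -> bool:
        attrs: Dict[str, object] = {f"subject:{k}": v for k, v in subject.items()}
        attrs.update({f"resource:{k}": v for k, v in self.metadata.get(doc_id, {}).items()})
        attrs["action:id"] = action
        key = tuple(sorted(attrs.items(), key=lambda kv: kv[0]))  # full request is the key
        if key not in self.cache:
            try:
                self.cache[key], _ = self.pdp.decide(attrs)
            except Exception:                    # PDP unreachable or crashed
                self.cache[key] = "Indeterminate"
        return self.cache[key] == "Permit"       # fail closed


# Constructed sample data (hypothetical document ids, departments and levels).
DOCUMENT_METADATA: Dict[str, Dict[str, object]] = {
    "fire-mission-42": {"classification": 2, "owner": "ops"},
    "briefing-7": {"classification": 1, "owner": "hr"},
    "orphan-doc": {"owner": "ops"},             # metadata record lacks a classification
}

RULES = [
    Rule("clearance-meets-classification", "Permit",
         frozenset({"subject:clearance", "resource:classification"}),
         lambda a: a["subject:clearance"] >= a["resource:classification"]),
    Rule("only-owning-department-modifies", "Deny",
         frozenset({"action:id", "subject:department", "resource:owner"}),
         lambda a: a["action:id"] == "modify" and a["subject:department"] != a["resource:owner"]),
]

ALL_LABELS = {"subject:clearance", "subject:department", "subject:unit",
              "resource:classification", "resource:owner", "resource:caveats", "action:id"}

if __name__ == "__main__":
    pdp, pep = PDP(RULES, ALL_LABELS), PEP(PDP(RULES, ALL_LABELS), DOCUMENT_METADATA)
    analyst = {"clearance": 3, "department": "ops"}
    print(pep.authorize(analyst, "fire-mission-42", "read"))   # True
    print(pep.authorize(analyst, "orphan-doc", "read"))        # False: Indeterminate, fail closed
    print(sorted(pep.pdp.vocabulary(2)))
```

Two design choices are worth noting. The cache key is the complete attribute set the PEP sends, so when an administrator changes a document's meta-data the next request forms a different key and the stale decision is never reused; a cache keyed only on user and document id would not have that property. The PEP never sees the rules, only the decision, which is the loose PEP/PDP coupling the list asks for, and it treats Indeterminate, NotApplicable and a PDP outage identically as a deny, which is the fail-closed choice from the error/exception point above.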