XACML Privacy Policy Editor for Critical Infrastructures Nils Ulltveit-Moe1 , Henrik Nergaard1 , Terje Gjøsæter1 , and Jennifer Betts 2 1 Universitetet i Agder, Jon Lilletuns Vei 9, 4879 Grimstad, Norway {nils.ulltveit-moe, henrin10, terje.gjosater}@uia.no 2 School of EEECS Queens University Belfast, Belfast, Northern Ireland [email protected] Abstract. This paper describes a Scratch-based eXtensible Access Control Markup Language (XACML) editor ViSPE that can be used for designing authorisation and anonymisation policies, and how these policies can be enforced by using the Reversible anonymiser. Private and confidential information can be protected based on identified security requirements, as described in two case studies. The first case covers privacy-enhanced IDS-alarm handling in a traffic control centre, and in the second case, we mitigate insider threats with a secure configuration deployment policy. Keywords: XACML· Privacy · Security · Anonymisation · Critical Infrastructure 1 Introduction This paper demonstrates modelling of privacy and trust policies using a novel highlevel graphical policy editor. The privacy requirements are based on the results of two case studies, done as part of two EU-projects. The results of these analyses are then used to propose how policies can be implemented using the eXtensible Access Control Markup Language (XACML) [1], enhanced with the reversible anonymisation protocol in [2], [3]. The policies are modelled using our visual policy editor ViSPE [4], which is implemented in Smalltalk based on the children’s programming language Scratch [5], [6]. ViSPE focuses on providing an easy to use interface for defining XACML policies for access control, anonymisation and encryption of information in XML documents or messages. The paper demonstrates how the policy editor can be used for mitigating insider threats as well as protecting private or confidential information. The rest of this article is organised as follows: Section 2 covers issues of privacy in Critical Information Infrastructures (CII), and present the tools and technologies used to mitigate the issues in the two case studies. Section 3 presents the two cases, including the policies created to support them. Section 4 provides a brief discussion of ViSPE and its applicability to the cases, and in Section 5 we make our conclusions. Finally, Section 6 presents some ideas for future work. adfa, p. 1, 2011. © Springer-Verlag Berlin Heidelberg 2011 2 Privacy in Critical Infrastructure There are several important objectives for privacy regulation. Personal data and similar information must only be collected using legitimate means and for legitimate purposes to comply with data protection legislation. Access to personally identifiable information (PII) and/or confidential information must only be granted to those with appropriate authorisation. Identities must not be compromised by any action of the system. No change in ownership, responsibility, content or collection of personal data must take place without the knowledge and consent of the data subject. An audit trail of all actions having an impact on personal data and confidential information must be maintained within the system to allow for forensic analysis in the event of a data breach. Our long-term goal is to build and extend the ViSPE policy editor combined with our reversible anonymisation scheme to model such privacy requirements. We can already model a range of scenarios, however other remain as future work, for example adding policy controlled secure logging obligations. The privacy enforcement tool is based on the reversible anonymisation scheme [3]. It has been integrated with the Prelude-IDS Security Incident Event Management (SIEM) system1 in order to demonstrate privacy-enhanced intrusion detection services, as shown in Fig. 7. 2.1 Privacy Enforcement Mechanism Fig. 1 gives a high-level overview over the XACML based anonymisation scheme for anonymising XML documents or messages [2]. The scheme consists of an initial authorisation policy with a set of XACML Obligations, which amongst others define multiple XPath resource definitions identifying XML elements or attributes that need to be authorised. The XACML Policy Enforcement Point (PEP) of the anonymiser will subsequently loop through all resource definitions and extract and authorise each match of the XPath resource against the XACML Policy Decision Point (PDP). The PEP sends the resource identifier with each resource to be authorised, so that the respective XML element authorisation policy is evaluated to decide whether the given XML element should be authorised or not. If the XML element is authorised, then an XACML Obligation describes how the element should be anonymised, for example whether the data should be replaced with a fixed string (e.g. “confidential”) or whether it should be padded using a character (e.g. pad-with X). The anonymisation scheme supports a decision caching protocol in order to improve efficiency [2], and can also describe cache timeout values and similar parameters from the XACML Obligations. The anonymisation scheme has been extended to support XACML controlled reversible anonymisation of XML documents or messages based on storing the anonymised information encrypted in different security levels, so that only authorised users or roles can access this information [3]. 1 https://www.prelude-ids.org Fig. 1. Overview over XACML anonymisation scheme The reversible anonymisation protocol is based on a hybrid encryption scheme where a user can unlock an encryption key using her secret key, and this encryption key is furthermore used to unlock an authorisation mapping which contains the encryption keys for the security levels the user has access to. The reversible anonymiser supports advanced functionality, such as default PERMIT, or default DENY anonymisation policies, multiple security levels and policy defined key sharing, so that several users or roles must collaborate to reverse the anonymisation. This paper shows how we have created a high-level abstraction for creating XACML-based anonymisation policies using the Scratch-based policy editor ViSPE [4]. 2.2 ViSPE’s Graphic Primitives for XACML Policy Elements XACML is an XML-based policy-definition language. The syntax is human/machinereadable, but not trivial to write without comprehensive editor support. While there are editors that support writing of XACML policies, like UMU-XACML2 or the WSO2 Identity Server3, the novel editor ViSPE takes a new approach by presenting XACML elements as graphical blocks [4]. ViSPE allows non-programmers like policymakers to implement privacy, anonymisation and authorisation policies using a high-level graphic XACML-like policy language, which is generated into XACML XML policies. The blocks follow the same structure as the underlying XACML syntax. This makes it easy to visualise the containing element of a tag. The colour differentiation between blocks is also a helpful tool for quickly orienting the start and end of a tag element. The editor also includes specialised blocks tailored to present the obligations and their assignments. This means that the user does not need to have knowledge of the underlying XACML syntax, e.g. for the different obligations supported by the anonymiser. 2 3 UMU-XACML editor: http://umu-xacmleditor.sourceforge.net WSO2 Identity Server: https://docs.wso2.com/display/IS450/Creating+an+XACML+Policy Fig. 2. The ViSPE editor with resource definition examples Fig. 3. XACML obligation corresponding to the Declassify resource block The editor is shown by Fig. 2, and includes two example XACML Obligation blocks in ViSPE, while Fig. 3 shows the more verbose XACML implementation of the first block. The Declassify block implements an obligation to declassify the content of an entire XML element or attribute from a security level secret, so that this attribute is shown in the anonymised document when a default DENY anonymisation policy is being used. The Anonymise block on the other hand explicitly anonymises data in the document and stores this in a security level secret for default PERMIT protocols. The ViSPE block is far easier to read and understand than the underlying XACML Obligation. The editor furthermore uses a consistent colour scheme for Obligation blocks, so that it is easy to recognise which blocks that will be mapped to Obligations. XACML is very verbose and not easy to read or write. While the graphical block representation is much more compact, the readability is also better, since it highlights the important parts of each block while hiding the verbose syntax. 3 Case Studies Here, we will present two use cases that highlight the issues at hand. The first is a critical infrastructure network related to a traffic control centre, and the second is a multinational smart grid demand/response operator. Fig. 4. The two scenarios 3.1 Case 1: Privacy in Critical Cyber-Infrastructure This case describes how to define a default DENY privacy policy for an outsourced managed security service provider, so that a first-line security analyst can only see information defined as non-sensitive in the privacy policy, while an authorised Computer Emergency Response Team (CERT) doing attack investigations is authorised to deanonymise the information in the Intrusion Detection System (IDS) alarms. An advantage with such a policy, is that only information that is explicitly allowed will be presented to the first line security analyst, effectively implementing privacy by default [7]. In this scenario, the operators on the critical infrastructure network of the traffic control centre may trigger IDS alarms that may in turn leak PII if they are not anonymised. IDS Alarm Anonymisation Policy for a Traffic Control Centre Fig. 5. ViSPE anonymisation policy for the privacy-enhanced IDS case In the traffic control centre, security monitoring using IDS is outsourced to a managed security service company. It is assumed that possible exposure to PII sampled in IP packets from the traffic control center must be avoided, so that this information does not leave the network perimeter of the traffic control center. This means that IDS alarms normally will be anonymised, however it will be possible for a trusted Computer Emergency Response Team (CERT) to investigate suspected attacks on the traffic control network when necessary. This case assumes that the security operator escalates suspected attacks to the Computer Emergency Response Team (CERT), which is trusted to de-anonymise the secret information in order to perform a more in-depth forensic analysis. This is implemented using the encryption key schema in Fig. 4a, where the CERT Team first needs to decrypt the ephemeral key 𝐸𝐾1 using its secret key 𝑆𝐾1 . 𝐸𝐾1 is then used to decrypt the encryption key 𝐾1 , which can be used to decrypt the secret information in security level ‘secret’. The de-anonymiser then replaces the anonymised content in the IDS alarm with the decrypted information. 𝐸𝐾1 is regenerated after a given time interval (one day), which allows for reusing it for subsequent de-anonymisation operations for the given user, as long as the key is valid. Fig. 5, shows the full anonymisation policy, created in ViSPE. The policy allows for using symbolic names (for example security level secret), which is easier to understand than the numeric IDs used in the mathematical notation in [3]. Some parts of the obligation attributes are optional for the user to define. These are presented as an oval placeholder which generates the default values if left alone. The anonymisation specification/decision cache declaration consists of two visual blocks Default policy and Authorized-elements that are mapped to XACML Obligations. The first block specifies the default policy, which is set to default DENY in order to ensure that all information by default is being anonymised (privacy by default). The second block is an XACML Obligation with id authorize-elements, which is performed on successful initial authorisation. This obligation consists of a set of one or more Resource declarations defining XPath expressions of XML resources to be authorised, and Assertion scope declarations which are XPath expressions that can be used for conditional policy evaluation based on document content. These are mapped to XACML AttributeAssignments (simplified to Assignments in ViSPE). The XPath expressions identify XML resources and attributes in the input document which need to be authorised. The next block is the security level declaration, which defines the name of the security level ‘secret’, and the encryption key used to encrypt the security level. The security level ‘secret’ corresponds to level ‘1’ in the mathematical notation in Fig. 4. The encryption key block also contains the time duration until the key needs to be regenerated, in order to reduce the effect of compromised security level keys. The Authorisation map defines the connection between an authorised user or role, the public key associated with this user or role, and the security levels that this user or role has access to. We use an intermediate encryption key (ephemeral key) which acts as an alias for the user4. The authorisation map can be defined for a set of one or more users/roles, security levels or key shares. 3.2 Case 2: Reducing Insider Threats. Insider threat is a common problem, particularly for critical infrastructures, where they can have severe consequences. It is important to emphasise that insider threats are not necessarily malicious, but may be the result of responding to a phishing email, or from a simple error. This case study investigates how a critical infrastructure, for example a Smart grid Demand/Response system, can reduce the risk of accidental or malicious deployment of faulty system configurations by implementing a security policy using the graphical XACML editor. Staff may not always have background checks performed before hiring, even in critical infrastructures, and may not receive training in security and privacy. In a pilot study conducted among critical infrastructure providers for the PIA developed for the PRECYSE project, it was found that less than half of respondents carried out employee background checks, and half conducted staff training in security and privacy, at least annually. 4 Note that this only is a truly ephemeral key if the renegotiation time is set to zero. One way to mitigate both types of insider threat is to implement a multi-party authorisation (MPA) policy; that is to require more than one authorised employee to cosign for deployment of security-critical configuration changes. If there is a mistake made by an inexperienced employee, or an intentionally malicious change in the new configuration, it should be detected by one of the co-signing parties. This will discourage malicious attacks, as well as encourage employees to do a careful examination of a policy. In the secure policy deployment scenario of this case, a changed policy needs to be examined and co-signed by 2 authorised persons before deployment. Policy for Secure Deployment of Configurations in a Smart Grid D/R system Fig. 6. Encryption scheme for secure deployment of security configurations The anonymisation specification consists of a default DENY policy, without declassifying any information, which means that a resource authorisation policy will not be necessary. The security level declaration defines one security level, and the security level encryption key is split into two parts as shown in part b) of Fig. 4, and Fig. 6. The authorisation map defines the two users/roles: a field engineer who has access to the first key share 𝐾1,1 , and a test manager who has access to the other key share 𝐾1,2 . This means that the field engineer and test manager must collaborate on deploying a given system configuration, which reduces the risk of accidentally or maliciously deploying the wrong system configuration. It is necessary that the system configuration file is signed, so that the application installing it can verify and enforce that only trusted system configurations are installed. The signing can either be done explicitly, or one can use the inner signature created by the Anonymiser PEP, which contains a signature of the original document before anonymisation (not shown in the figures). This adds another layer of security in case the field engineer attempts to install the wrong system configuration, or even worse, that a malicious field engineer attempts to install a fake system configuration using a forged digital signature. This is not only a theoretical assumption, since RSA signature forgery attacks based on implementation weaknesses have been demonstrated [8]. Fig. 4b, and Fig. 6 shows how the encryption scheme works. The field engineer first needs to decrypt his ephemeral key 𝐸𝐾1 using his secret key 𝑆𝐾1 . 𝐸𝐾1 is then used to decrypt the first key share 𝐾1,1 . The test manager unlocks her key share in a similar way by decrypting 𝐾1,2 using 𝐸𝐾2 decrypted with 𝑆𝐾2 . The deanonymiser will now add the two keys modulo the key size using the Karnin, Greene and Hellman scheme [9], in order to retrieve the encryption key for security level 𝑙1 which stores the encrypted parts of the system configuration file. The deanonymiser then decrypts security level 1, and replaces the anonymised text with the decrypted text. It then verifies that the inner signature of the system configuration is OK and deploys the system configuration. This allows for policy controlled secure deployment of system configurations, in order to reduce the risk of insider threats. This shows one of the simplest key sharing schemes. More elaborate schemes are possible, involving more stakeholders, more key shares, several security levels and more complex policies. 3.3 Experiments Fig. 7. Anonymiser test scenario We have implemented and tested the privacy-enhanced IDS scenario using the policy in Fig. 5. ViSPE can generate policies for both use cases, but the reversible anonymiser needs some extensions to handle deployment of configuration files. This will be implemented as future work in the SEMIAH project. Fig. 7 shows an alarm triggered by the policy from the IDS case, running in the Reversible anonymiser and presented by the PreludeIDS/Prewikka SIEM console. ViSPE is implemented in the Pharo Smalltalk environment. We have previously shown that it has sufficient performance for advanced policy scenarios [4]. The performance of the reversible anonymiser is satisfactory for small to medium-size IDS deployments, as discussed in [3]. 4 Discussion This article illustrates how privacy requirements identified during a privacy impact assessment can be implemented as XACML policies using the Visual Policy Editor (ViSPE). Our graphical editor provides a high-level user interface for designing authorisation and anonymisation policies. This approach works better than existing general purpose XML editors or specialised XACML editors by providing an overview picture of the policy which includes all necessary information required to understand the policy, while hiding much of the syntactic verbosity and complexity of XACML. Another reason why this approach works better can be drawn from analogies in Design Science Research, where users have been shown to be notoriously bad at following deep information, for example hyperlinks, even though they have been explicitly instructed to do so [10]. Providing an overview picture of the entire policy, while hiding unnecessary details therefore provides users with a better understanding of how the underlying policy works. This is also consistent with cognitive load theory, which predicts better learning from leaner presentations [11]. It also avoids defining a high-level policy language which is substantially different from XACML, like several other projects have done, for example the Axiomatics Language for Authorisation (ALFA) [12]–[14] or Ponder2 XACML integration [15]. We believe our approach achieves much of the same goal in terms of usability by providing a simplified graphical representation of XACML, with support for higher level abstractions. It also supports active user feedback on which blocks that fit together in order to reduce the risk for ill formed policies. Definition of obligations is an optional part of XACML, since the content of the obligation depends on the implementation of the PEP. This makes it difficult to support obligations in general, since these typical are vendor specific extensions. We have however added support for the obligation format of the Reversible anonymiser to ViSPE. This is a clearly defined obligation protocol for anonymising XML documents. As shown in Fig. 5, the use of a graphical editor for building policies simplifies the policy creation process and clarifies the purpose of the policy significantly for the reader. 5 Conclusion The paper illustrates designing policy-maker-friendly XACML authorisation and anonymisation policies for XML documents or messages using the ViSPE policy editor. The editor implements a novel blocks-based anonymisation language implemented in Smalltalk, and is based on the visual programming language Scratch. The policy editor has been adapted to support the PEP interface of the reversible anonymiser, amongst others by adding specific blocks for anonymising and deanonymising information. The policies can subsequently be enforced using the Reversible anonymiser [3]. This allows for complying with identified security and privacy requirements in order to control access to private or confidential information. 6 Future Work Future work includes adapting the reversible anonymiser and ViSPE to XACML 3.0 which offers better support for target matching, and obligations. We also plan to extend the reversible anonymiser with logging functionality so that policy makers can give polices different logging obligations, accessible only having correct authorisation. Furthermore, we plan to enhance ViSPE to support GeoXACML, in order to enable location based policies [16], as well as location-aware role-based access control [17], [18]. ViSPE is still an early prototype. We have therefore left usability testing as future work. Acknowledgements The project has been sponsored by the FP7 EU projects: SEMIAH - Scalable Energy Management Infrastructure for Aggregation of Households, ICT-2013.6.1-619560 (http://semiah.eu). PRECYSE - Protection, prevention and reaction to cyberattacks to critical infrastructures, FP7-SEC-2012-1-285181 (http://www.precyse.eu); References [1] [2] [3] [4] T. (ed) Moses, OASIS eXtensible Access Control Markup Language (XACML) Version 2.0. 2005. N. Ulltveit-Moe and V. Oleshchuk, ‘Decision-cache based XACML authorisation and anonymisation for XML documents’, Comput Stand Interfaces, vol. 34, no. 6, pp. 527–534, Nov. 2012. N. Ulltveit-Moe and V. Oleshchuk, ‘A novel policy-driven reversible anonymisation scheme for XML-based services’, Inf. Syst., 2014. H. Nergaard, N. Ulltveit-Moe, and T. Gjøsæter, ‘A Scratch-based Graphical Policy Editor for XACML’, in ICISSP 2015 Proceedings of the 1st International [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] Conference on Information Systems Security and Privacy ESEO, Angers, Loire Valley, France, 2015, pp. 182–191. D. J. Malan and H. H. Leitner, ‘Scratch for Budding Computer Scientists’, in Proceedings of the 38th SIGCSE Technical Symposium on Computer Science Education, New York, NY, USA, 2007, pp. 223–227. M. Resnick, J. Maloney, A. Monroy-Hernández, N. Rusk, E. Eastmond, K. Brennan, A. Millner, E. Rosenbaum, J. Silver, B. Silverman, and Y. Kafai, ‘Scratch: Programming for All’, Commun ACM, vol. 52, no. 11, pp. 60–67, Nov. 2009. A. Cavoukian, S. Taylor, and M. E. Abrams, ‘Privacy by Design - Essential for Organizational Accountability and Strong Business Practices’, Identity Inf. Soc., vol. 3, no. 2, pp. 405–413, 2010. Intel Security, ‘BERserk Vulnerability Part 1: RSA signature forgery attack due to incorrect parsing of ASN.1 encoded DigestInfo in PKCS#1 v1.5’. Intel, 2014. J. G. E. Karnin and M. Hellman, ‘On Secret Sharing System’, IEEE Trans Info Theory, vol. IT-29, pp. 35–41, Jan. 1983. B. Kuechler and V. Vaishnavi, ‘On theory development in design science research: anatomy of a research project’, Eur. J. Inf. Syst., vol. 17, no. 5, pp. 489– 504, 2008. R. E. Mayer and J. Jackson, ‘The Case for Coherence in Scientific Explanations: Quantitative Details Can Hurt Qualitative Understanding’, J. Exp. Psychol. Appl., vol. 11, no. 1, pp. 13–18, 2005. B. Stepien, S. Matwin, and A. Felty, ‘Advantages of a non-technical XACML notation in role-based models’, in 2011 Ninth Annual International Conference on Privacy, Security and Trust (PST), 2011, pp. 193–200. B. Stepien, A. Felty, and S. Matwin, ‘A Non-technical User-Oriented Display Notation for XACML Conditions’, in E-Technologies: Innovation in an Open World, vol. 26, Springer Berlin Heidelberg, 2009, pp. 53–64. B. Stepien, A. Felty, and S. Matwin, ‘A Non-Technical XACML Target Editor for Dynamic Access Control Systems’, IEEE, pp. 150–157, 2014. H. Zhao, J. Lobo, and S. M. Bellovin, ‘An Algebra for Integration and Analysis of Ponder2 Policies’, in IEEE Workshop on Policies for Distributed Systems and Networks, 2008. POLICY 2008, 2008, pp. 74–77. A. M. (ed), OGC 07-026r2 Geospatial eXtensible Access Control Markup Language (GeoXACML) version 1.0. Open Geospatial Consortium, Inc., 2007. N. Ulltveit-Moe and V. Oleshchuk, ‘Enforcing mobile security with locationaware role-based access control’, Secur. Commun. Netw., p. n/a–n/a, 2013. N. Ulltveit-Moe and V. Oleshchuk, ‘Mobile Security with Location-Aware RoleBased Access Control’, in Security and Privacy in Mobile Information and Communication Systems, vol. 94, R. Prasad, K. Farkas, A. U. Schmidt, A. Lioy, G. Russello, F. L. Luccio, O. Akan, P. Bellavista, J. Cao, F. Dressler, D. Ferrari, M. Gerla, H. Kobayashi, S. Palazzo, S. Sahni, X. (Sherman) Shen, M. Stan, J. Xiaohua, A. Zomaya, and G. Coulson, Eds. Springer Berlin Heidelberg, 2012, pp. 172–183.
© Copyright 2024