IND²UCE Framework

The IND²UCE (Integrated Distributed Data Usage Control Enforcement) Framework consists of three layers:

  • Enforcement of security policies (“Enforce”),
  • Decision-making (“Decide”) and
  • Management of the framework as well as of the security policies (“Manage”).

At the center of the framework is a generic decision-making component (Policy Decision Point, PDP), which determines the legitimacy of security-relevant events (such as data operations) on the basis of security policies. These security policies are based on the Event-Condition-Action paradigm and additionally allow using the Obligation Specification Language (OSL). With the help of OSL, future obligations can be specified (e.g., “Personal data must be deleted within 14 days” or “Only 10 files may be opened per hour without the approval of the supervisor”).

Enforcement components, so-called Policy Enforcement Points (PEPs), are control points that are integrated into existing systems to control information flows in accordance with the specified security policies. PEPs intercept relevant events on different system levels and allow them, modify them, or reject them, depending on the respective security requirement. Modifications, such as anonymization or aggregation of data, can be controlled in a very fine-grained manner and dependent on the situation. The minimal configuration of the IND²UCE Framework for the enforcement of security policies requires one PDP for making decisions and one PEP for enforcing decisions.

In addition to the PEP, a Policy Execution Point (PXP) can perform compensatory actions such as deleting data, recording operations, or sending notifications.

The job of the Policy Management Point (PMP) is to manage (store, distribute, etc.) the specified security policies. Management of the security policies also includes the deployment and revocation of security policies in the PDP. The Policy Retrieval Point (PRP) offers a secure memory for security policies. It must be protected against malicious or unintentional modification. The only component that has access to this memory is the associated PMP.

The Policy Administration Point (PAP) is the framework’s human-machine interface, which serves to specify and manage the security policies in a user-friendly way. In addition, the administration of the framework is done via the PAP. One instance of our framework can provide various PAPs for different user groups. For this purpose, we adapt the PAPs to the authorizations and skill levels of the end users; moreover, we adjust their specification possibilities for security policies to the security needs of the application domain.

The final component is the Policy Information Point (PIP). This component provides information that is needed for making decisions in the PDP but which is not available in the intercepted system event itself. Additional information may include data about information flows or context-dependent data, such as the current location or the Wi-Fi connectivity of a device. Context sensitivity permits activating security mechanisms only if they are appropriate in the situation at hand. Using context-sensitive policies, a company may loosen general prohibitions that it would otherwise be forced to impose incessantly. The general prohibition “Smartphones are prohibited in the company since pictures could be taken of secret documents” can thus be turned into a context-sensitive security policy such as “Pictures taken with a smartphone on the company premises may only be looked at in that location”.
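The component interplay described above (a PEP intercepting an event, the PDP evaluating event-condition-action policies with context from a PIP, and a PXP carrying out compensating actions) as an added, simplified model. This is not the framework's own code: class and attribute names, the context keys and the policies are constructed from the examples in the text.

```python
# Added illustration of the IND2UCE decision flow (PEP -> PDP -> PIP/PXP); not the
# framework's own code. Component names follow the text, all data is constructed.

class PIP:
    """Supplies context missing from the intercepted event (constructed values)."""
    def __init__(self, on_premises, opened_last_hour, supervisor_ok=False):
        self.ctx = {"on_premises": on_premises,
                    "files_opened_last_hour": opened_last_hour,
                    "supervisor_approval": supervisor_ok}

class PXP:  # executes compensating actions (delete, log, notify); here only recorded
    def __init__(self):
        self.log = []
    def execute(self, action, event):
        self.log.append((action, event["name"]))

class Policy:  # event-condition-action rule: fires when name matches and condition holds
    def __init__(self, event, condition, decision, modify=None, actions=()):
        self.event, self.condition, self.decision = event, condition, decision
        self.modify, self.actions = modify or {}, list(actions)

class PDP:
    """Evaluates policies in order; the first matching policy decides."""
    def __init__(self, policies, pip, pxp):
        self.policies, self.pip, self.pxp = policies, pip, pxp
    def decide(self, event):
        for p in self.policies:
            if p.event == event["name"] and p.condition(event, self.pip.ctx):
                for a in p.actions:           # hand compensating actions to the PXP
                    self.pxp.execute(a, event)
                return p.decision, p.modify
        return "allow", {}                    # no policy applies: event passes unchanged

def pep_intercept(pdp, event):  # PEP: block the event, rewrite its attributes, or pass it
    decision, changes = pdp.decide(event)
    if decision == "inhibit":
        return None
    return {**event, **changes}

POLICIES = [
    # "Pictures taken on the company premises may only be looked at in that location"
    Policy("view_picture", lambda e, c: e["taken_on_premises"] and not c["on_premises"],
           "inhibit", actions=["notify_owner"]),
    # "Only 10 files may be opened per hour without the approval of the supervisor"
    Policy("open_file", lambda e, c: c["files_opened_last_hour"] >= 10
           and not c["supervisor_approval"], "inhibit", actions=["log_denied_open"]),
    # Off premises, a record's personal attribute is anonymized instead of blocked
    Policy("read_record", lambda e, c: not c["on_premises"],
           "modify", modify={"patient_name": "<anonymized>"}),
]
```

The same event therefore yields different decisions depending only on what the PIP reports, which is what lets a blanket prohibition be replaced by a context-sensitive policy.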

IND²UCE Usage Examples

The IND²UCE Framework has already been tested in various use cases. Here you will find further descriptions and videos.

IND²UCE for an Enterprise Service Bus

When it comes to cooperation with international cloud providers, the protection of sensitive data poses new challenges for software service providers with regard to compliance with legal obligations or domain-specific regulations, such as the Federal Data Protection Act.

In this video, the enforcement of security policies for controlling sensitive data in a distributed system is demonstrated using an ordering process. In this example, the customers can order a personalized product (in this case, an identity document) from an intermediate vendor, who contracts a suitable production site depending on the product requirements. Control over the exchanged data is the duty of the customers, who can specify their security requirements using appropriate security policies. They can, for example, anonymize their names or email addresses for the production site in order to prevent undesired dissemination of contact data. In addition, they can regulate the production of their order so that the vendor may send the order to a production site only once, in order to prevent plagiarism. Depending on which security policy has been selected, the order data are deleted at the production site directly after production or at the latest after a defined maximum period.

To enforce the selected security policies, a Policy Enforcement Point monitors all messages on the Enterprise Service Bus and can allow, modify, or reject these depending on the decision made by the Policy Decision Point. One central idea is the integration of IND²UCE components with the smallest possible modifications to the software system.
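A message-level PEP for the ordering process above, as an added example that is not the project's own code. It assumes the customer's choices arrive as a small policy dictionary, that the bus message is a dictionary of order fields, and that deletion at the production site is scheduled by handing a job to a PXP; all field names and order data are constructed.

```python
# Added illustration of a PEP on the Enterprise Service Bus for the ordering scenario;
# not IND2UCE's code. Field names, policy options and order data are constructed.
from datetime import datetime, timedelta

class EsbPep:
    """Intercepts vendor -> production-site order messages and enforces the customer's policy."""
    def __init__(self, pxp_schedule):
        self.sent_orders = set()          # state for the "send to a production site only once" rule
        self.pxp_schedule = pxp_schedule  # PXP jobs: (order_id, delete_by) deletion deadlines

    def intercept(self, message, policy, now):
        """Return the message to forward on the bus, or None if it must be rejected."""
        order_id = message["order_id"]
        # Anti-plagiarism rule: a second dispatch of the same order is rejected outright
        if order_id in self.sent_orders:
            return None
        forwarded = dict(message)         # never mutate the original vendor message
        # Anonymization selected by the customer, applied before the data leaves the vendor
        for field_name in policy.get("anonymize", []):
            if field_name in forwarded:
                forwarded[field_name] = "<anonymized>"
        # Retention rule: the PXP deletes the order data at the latest after this many days
        # (immediate deletion after production is the default and needs no job)
        if "max_retention_days" in policy:
            delete_by = now + timedelta(days=policy["max_retention_days"])
            self.pxp_schedule.append((order_id, delete_by))
        self.sent_orders.add(order_id)
        return forwarded
```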

IND²UCE for Android

The increasing popularity of mobile devices such as smartphones or tablets, initiatives such as “Bring your own device”, and the increasing overlap between private and business usage pose new challenges in the area of data security and protection of business-critical data.

This video shows the enforcement of data usage control on an Android smartphone and illustrates how data stored on the device can be protected from undesired use and dissemination. Data usage can be restricted, for instance, so that data cannot be opened ad infinitum or can only be opened within a certain period of time. After that, access is denied or confidential attributes of the data are anonymized. Since the entire information flow on the smartphone is tracked, these security policies also apply to copies of the data. In addition, apps can be blocked depending on the current location (e.g., inside the company premises or outside) and various functions of the smartphone can be limited.

IND²UCE in an Ambient Assisted Living Scenario

Ambient Assisted Living (AAL) systems support elderly people in their home environment by monitoring behavior, health status, and environmental information without actively interfering with their customary way of life. The data elicited during such monitoring are stored and aggregated into higher-value, medically relevant results that allow medical staff to recognize deterioration of the patient’s health status.

It is immediately apparent that many personal data are stored, aggregated, and used by various stakeholders, such as doctors, nursing staff, or relatives, in this context. To date, only a few security mechanisms have been implemented in such systems. Fraunhofer IESE integrates data usage control into real-life AAL systems in order to prevent misuse of personal information.

In the scenario demonstrated in the video, nursing staff can access health monitoring data inside the home with the help of an Android smartphone. Once they leave the patient’s home, only critical health information can be processed. All other data are anonymized.

IND²UCE with Context-Sensitive Policy Evaluation on Android-based Devices

A company’s staff often work in a variety of different work situations, such as in meetings, on business trips via public transportation, in their own office, at a customer’s site, or in similar environments. When smartphones are used in a company, it is therefore beneficial to always adapt security policies to the current situation. The use of the camera might be prohibited in sensitive areas of the company premises, for example. And audio files recorded in meeting rooms may only be played back on the company premises, but may not be disseminated.

In this regard, IND²UCE for Android supports automated aggregation of sensor values into a superordinate usage context, such as “The employee is in a meeting”. This context evaluation allows flexible policy adjustment to the current situation and considerably simplifies the specification of security policies.
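How raw sensor values can be aggregated into a superordinate usage context that the camera and audio-playback policies above then refer to, as an added example that is not the project's own code. The sensor names, the area identifiers, the majority-vote window and the sample readings are constructed assumptions.

```python
# Added illustration of aggregating sensor values into a usage context such as
# "in a meeting" for context-sensitive policies; not IND2UCE's code.
# Sensor names, area identifiers, the vote window and all readings are constructed.
from collections import Counter

MEETING_ROOMS = {"room_a", "room_b"}   # constructed indoor-location identifiers
SENSITIVE_AREAS = {"lab_1"}            # constructed: camera use prohibited here

def stable_location(readings):
    """Majority vote over the last readings so one noisy fix does not flip the context."""
    return Counter(readings[-5:]).most_common(1)[0][0]

def aggregate_context(sensors):
    """Reduce raw sensor values to the single context name the policies use."""
    location = stable_location(sensors["indoor_location"])
    if location in SENSITIVE_AREAS:
        return "sensitive_area"
    if location in MEETING_ROOMS and sensors["calendar_status"] == "busy":
        return "in_meeting"
    if location != "outside":
        return "on_premises"
    return "off_premises"

# Policies are written against the context, not against each raw sensor value:
# the camera is blocked in sensitive areas and meetings; audio recorded in
# meeting rooms may be played back on the premises only.
CONTEXT_POLICY = {
    "sensitive_area": {"use_camera": "inhibit", "play_meeting_audio": "allow"},
    "in_meeting":     {"use_camera": "inhibit", "play_meeting_audio": "allow"},
    "on_premises":    {"use_camera": "allow",   "play_meeting_audio": "allow"},
    "off_premises":   {"use_camera": "allow",   "play_meeting_audio": "inhibit"},
}

def decide(action, sensors):
    """PDP-style decision driven by the aggregated context."""
    return CONTEXT_POLICY[aggregate_context(sensors)][action]
```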