The IND²UCE (Integrated Distributed Data Usage Control Enforcement) Framework consists of three layers:
- Enforcement of security policies (“Enforce”),
- Decision-making (“Decide”) and
- Management of the framework as well as of the security policies (“Manage”).
At the center of the framework is a generic decision-making component (Policy Decision Point, PDP), which determines the legitimacy of security-relevant events (such as data operations) on the basis of security policies. These security policies follow the Event-Condition-Action paradigm and additionally allow the use of the Obligation Specification Language (OSL). With the help of OSL, future obligations can be specified (e.g., “Personal data must be deleted within 14 days” or “Only 10 files may be opened per hour without the approval of the supervisor”).
Enforcement components, so-called Policy Enforcement Points (PEPs), are control points that are integrated into existing systems to control information flows in accordance with the specified security policies. PEPs intercept relevant events on different system levels and allow them, modify them, or reject them, depending on the respective security requirement. Modifications, such as anonymization or aggregation of data, can be controlled in a very fine-grained manner and dependent on the situation. The minimal configuration of the IND²UCE Framework for the enforcement of security policies requires one PDP for making decisions and one PEP for enforcing decisions.
In addition to the PEP, a Policy Execution Point (PXP) can perform compensatory actions such as deleting data, recording operations, or sending notifications.
The job of the Policy Management Point (PMP) is to manage (store, distribute, etc.) the specified security policies. Management of the security policies also includes the deployment and revocation of security policies in the PDP. The Policy Retrieval Point (PRP) offers secure storage for security policies. It must be protected against malicious or unintentional modification. The only component that has access to this storage is the associated PMP.
The Policy Administration Point (PAP) is the framework’s human-machine interface, which serves to specify and manage the security policies in a user-friendly way. In addition, the administration of the framework is done via the PAP. One instance of our framework can provide various PAPs for different user groups. For this purpose, we adapt the PAPs to the authorizations and skill levels of the end users; moreover, we adjust their specification possibilities for security policies to the security needs of the application domain.
The final component is the Policy Information Point (PIP). This component provides information that is needed for making decisions in the PDP but which is not available in the intercepted system event itself. Additional information may include data about information flows or context-dependent data, such as the current location or the Wi-Fi connectivity of a device. Context sensitivity permits activating security mechanisms only if they are appropriate in the situation at hand. Using context-sensitive policies, a company may loosen general prohibitions that it would otherwise be forced to impose permanently. The general prohibition “Smartphones are prohibited in the company since pictures could be taken of secret documents” can thus be turned into a context-sensitive security policy such as “Pictures taken with a smartphone on the company premises may only be looked at in that location”.
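The following Python example, added here and not taken from the IND²UCE framework or its authors, models the interplay of PEP, PDP and PIP described in the paragraphs on enforcement and on context-sensitive decisions above. It encodes three of the page's own policies as Event-Condition-Action rules: the count-based obligation "only 10 files may be opened per hour", a modifying policy that anonymizes personal data on export, and the context-sensitive rule that pictures taken on the premises may only be viewed on the premises. All class and function names (Event, Policy, Pip, Pdp, Pep, build_pep, run_demo), the sample device-to-location map and the event data are constructed assumptions for illustration, not the framework's API.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

# Hypothetical, simplified model of the IND2UCE roles; names are assumptions.


@dataclass(frozen=True)
class Event:
    action: str                                   # e.g. "open_file"
    subject: str                                  # who triggers the event
    resource: str                                 # what the event acts on
    attributes: Dict[str, object] = field(default_factory=dict)
    time: datetime = datetime(2024, 1, 1, 9, 0)   # constructed timestamp


@dataclass
class Decision:
    authorization: str                            # "allow", "modify" or "inhibit"
    event: Optional[Event] = None                 # event to execute, possibly modified
    execute: List[str] = field(default_factory=list)  # compensating actions for a PXP


@dataclass
class Policy:
    name: str
    matches: Callable[[Event], bool]              # E: which events the policy covers
    permitted: Callable[[Event, "Pip"], bool]     # C: True when the event is legitimate
    reaction: str = "inhibit"                     # A on violation: "inhibit" or "modify"
    modifier: Optional[Callable[[Event], Event]] = None
    execute: List[str] = field(default_factory=list)


class Pip:
    """Supplies context absent from the event: device location and the history of
    executed events, which count-based obligations need."""

    def __init__(self, device_location: Dict[str, str]):
        self.device_location = device_location    # constructed device -> location map
        self.history: List[Event] = []

    def location_of(self, device: str) -> str:
        return self.device_location.get(device, "unknown")

    def count_since(self, subject: str, action: str, since: datetime) -> int:
        return sum(1 for e in self.history
                   if e.subject == subject and e.action == action and e.time >= since)


class Pdp:
    """Evaluates every matching policy; a modifying policy rewrites the event,
    an inhibiting policy rejects it outright."""

    def __init__(self, policies: List[Policy], pip: Pip):
        self.policies, self.pip = policies, pip

    def decide(self, event: Event) -> Decision:
        current, execute = event, []
        for policy in self.policies:
            if not policy.matches(current) or policy.permitted(current, self.pip):
                continue
            if policy.reaction == "modify" and policy.modifier is not None:
                current = policy.modifier(current)
                execute.extend(policy.execute)
            else:
                return Decision("inhibit", None, list(policy.execute))
        return Decision("allow" if current is event else "modify", current, execute)


class Pep:
    """Intercepts an event, asks the PDP, and reports executed events to the PIP."""

    def __init__(self, pdp: Pdp, pip: Pip):
        self.pdp, self.pip = pdp, pip

    def intercept(self, event: Event) -> Decision:
        decision = self.pdp.decide(event)
        if decision.authorization != "inhibit":
            self.pip.history.append(decision.event)   # executed events become context
        return decision


def build_pep(pip: Pip) -> Pep:
    policies = [
        Policy("max-10-file-opens-per-hour",
               matches=lambda e: e.action == "open_file",
               permitted=lambda e, p: p.count_since(
                   e.subject, "open_file", e.time - timedelta(hours=1)) < 10,
               reaction="inhibit", execute=["notify_supervisor"]),
        Policy("anonymize-exported-personal-data",
               matches=lambda e: e.action == "export",
               permitted=lambda e, p: not e.attributes.get("contains_personal_data", False),
               reaction="modify",
               modifier=lambda e: replace(e, attributes={
                   **e.attributes, "contains_personal_data": False, "anonymized": True}),
               execute=["log_anonymization"]),
        Policy("premises-pictures-viewable-only-on-premises",
               matches=lambda e: e.action == "view_picture"
               and e.attributes.get("taken_at") == "premises",
               permitted=lambda e, p: p.location_of(e.attributes.get("device", "")) == "premises",
               reaction="inhibit"),
    ]
    return Pep(Pdp(policies, pip), pip)


def run_demo() -> dict:
    pip = Pip({"phone-1": "premises", "phone-2": "home"})   # constructed context
    pep = build_pep(pip)
    t0 = datetime(2024, 1, 1, 9, 0)
    opens = [pep.intercept(Event("open_file", "alice", f"doc{i}",
                                 time=t0 + timedelta(minutes=i))) for i in range(11)]
    export = pep.intercept(Event("export", "alice", "customers.csv",
                                 {"contains_personal_data": True}))
    on_site = pep.intercept(Event("view_picture", "bob", "img1.jpg",
                                  {"taken_at": "premises", "device": "phone-1"}))
    off_site = pep.intercept(Event("view_picture", "bob", "img1.jpg",
                                   {"taken_at": "premises", "device": "phone-2"}))
    return {"opens": opens, "export": export,
            "on_site": on_site.authorization, "off_site": off_site.authorization}


if __name__ == "__main__":
    result = run_demo()
    print([d.authorization for d in result["opens"]], result["on_site"], result["off_site"])
```

The PIP's history is fed by the PEP rather than by the PDP, so that the count-based obligation only counts operations that were actually executed; the compensating actions in Decision.execute are the hook where a PXP would send the supervisor notification or write the log entry.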