The security framework IND²UCE makes data usage control usable for you as a practical application
You can control the desired data usage in a precise and fine-grained manner by using security policies. This enables you to handle your data in a sovereign way. You can set which of your data may be read, changed, copied, or passed on, under which conditions, and how often.
These are the options:
Anonymize special (personal) data in an automated manner
Permit usage only on particular devices or device classes (e.g., business devices of the data owner)
Limit the locality of the data usage (e.g., only inside a particular building or within the country’s borders)
In addition, you can have selected data deleted or made unusable after a specifically defined number of days. Our distributed data usage control allows you to control the dissemination and usage of your data beyond the first access, thereby providing added value in the area of privacy and security.
At the center of the framework is a generic decision-making component (Policy Decision Point, PDP), which determines the legitimacy of security-relevant events (such as data operations) on the basis of security policies. These security policies are based on the Event-Condition-Action paradigm and additionally allow using the Obligation Specification Language (OSL). With the help of OSL, future obligations can be specified (e.g., “Personal data must be deleted within 14 days” or “Only 10 files may be opened per hour without the approval of the supervisor”).
Enforcement components, so-called Policy Enforcement Points (PEPs), are control points that are integrated into existing systems to control information flows in accordance with the specified security policies. PEPs intercept relevant events on different system levels and allow them, modify them, or reject them, depending on the respective security requirement. Modifications, such as anonymization or aggregation of data, can be controlled in a very fine-grained manner and dependent on the situation. The minimal configuration of the IND²UCE Framework for the enforcement of security policies requires one PDP for making decisions and one PEP for enforcing decisions.
In addition to the PEP, a Policy Execution Point (PXP) can perform compensatory actions such as deleting data, recording operations, or sending notifications.
Structure and function
The IND²UCE (Integrated Distributed Data Usage Control Enforcement) Framework consists of three layers:
Enforcement of security policies (“Enforce”),
Decision-making (“Decide”) and
Management of the framework as well as of the security policies (“Manage”).
The job of the Policy Management Point (PMP) is to manage (store, distribute, etc.) the specified security policies. Management of the security policies also includes the deployment and revocation of security policies in the PDP. The Policy Retrieval Point (PRP) provides secure storage for the security policies. It must be protected against malicious or unintentional modification. The only component that has access to this storage is the associated PMP.
The Policy Administration Point (PAP) is the framework’s human-machine interface, which serves to specify and manage the security policies in a user-friendly way. In addition, the administration of the framework is done via the PAP. One instance of our framework can provide various PAPs for different user groups. For this purpose, we adapt the PAPs to the authorizations and skill levels of the end users; moreover, we adjust their specification possibilities for security policies to the security needs of the application domain.
The final component is the Policy Information Point (PIP). This component provides information that is needed for making decisions in the PDP but which is not available in the intercepted system event itself. Additional information may include data about information flows or context-dependent data, such as the current location or the Wi-Fi connectivity of a device. Context sensitivity permits activating security mechanisms only if they are appropriate in the situation at hand. Using context-sensitive policies, a company may loosen general prohibitions that it would otherwise have to impose across the board. The general prohibition “Smartphones are prohibited in the company since pictures could be taken of secret documents” can thus be turned into a context-sensitive security policy such as “Pictures taken with a smartphone on the company premises may only be looked at in that location”.
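The following Python sketch is an added example, not code from the IND²UCE framework, showing how the components described above fit together: a PIP supplies context the event lacks, a PDP evaluates Event-Condition-Action policies (including an OSL-style "at most N per hour" obligation and the "pictures taken on the premises" rule), a PEP allows, modifies or rejects the event, and future obligations are handed on for a PXP. The event fields, the policy layout and the two context lookups are assumptions made for this example.

```python
# Added illustration of the PDP/PEP/PIP/PXP flow; not IND2UCE code. The event
# fields, policy structure and context sources are assumptions for this example.

# PIP: context that the intercepted event itself does not carry (constructed lookups)
PIP = {
    "device_class": lambda ev: "business" if ev["subject"].endswith("@corp") else "private",
    "location": lambda ev: "premises" if ev.get("ip", "").startswith("10.") else "off-site",
}

# Event-Condition-Action policies: (event, condition over event and context, action, parameter)
POLICIES = [
    ("open", lambda ev, c: c["device_class"] != "business", "deny", None),
    ("view", lambda ev, c: ev.get("taken_on") == "premises" and c["location"] != "premises",
     "deny", None),
    ("open", lambda ev, c: ev.get("personal", False), "anonymize", None),
    ("open", lambda ev, c: ev.get("personal", False), "obligate", "delete within 14 days"),
    ("open", lambda ev, c: not ev.get("supervisor_ok", False), "limit", 10),  # per hour
]

class PDP:
    """Decides on intercepted events; keeps state for the OSL-style counting obligation."""
    def __init__(self, policies):
        self.policies = policies
        self.history = {}   # subject -> timestamps of permitted "open" events

    def decide(self, ev):
        """Returns (allow, attributes the PEP must enforce, obligations for a PXP)."""
        ctx = {k: f(ev) for k, f in PIP.items()}
        attrs, obligations = dict(ev), []
        for event, cond, action, param in self.policies:
            if event != ev["action"] or not cond(ev, ctx):
                continue
            if action == "deny":
                return False, {}, []
            if action == "anonymize":       # PEP passes on the modified event instead
                attrs["owner"] = "<anonymized>"
            if action == "obligate":        # future obligation executed by a PXP
                obligations.append(param)
            if action == "limit":           # "at most N per hour without approval"
                recent = [t for t in self.history.get(ev["subject"], []) if ev["ts"] - t < 3600]
                if len(recent) >= param:
                    return False, {}, []
                self.history[ev["subject"]] = recent + [ev["ts"]]
        return True, attrs, obligations

def pep(pdp, ev):
    """PEP: intercept an event and allow it (possibly modified) or reject it."""
    allow, attrs, obligations = pdp.decide(ev)
    return ("allow", attrs, obligations) if allow else ("reject", {}, [])
```

The history kept in the PDP is what makes the counting obligation stateful; in a deployment that state would have to be protected like the policies themselves.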