IDS Policy Enforcement
Last updated
IDS-G
Last updated
At runtime, the usage control enforcement prevents IDS connectors from treating data in an undesired way, for example by forwarding personal data to public endpoints.
For enforcing usage restrictions, data flows need to be monitored and potentially intercepted by control points (i.e., PEPs). These intercepted data flows are given to the decision engine (i.e., the PDP) for requesting permission or denial of the data flow. In addition to just allowing or denying the data flow, the decision can also require a modification of data.
Enforcement Layers
Connector/Container Layer
Route/Interceptor Layer
Application Layer
Use case: The Data App is allowed to use (process, display, etc.) the data
Usage Control tasks:
Check the conditions (Time interval, Data App, Events, etc.)
Condition:
Data App inside a connector
UC app inside a Connector
Use case: The Data App is allowed to use (process, display, etc.) and store the data
Usage Control tasks:
Check the conditions (Time interval, Data App, Events, etc.)
Log usage information
Inform a Party about the usage
Setting up a Delete Data PXP
Condition:
Data App inside a connector
Data sink inside a Connector
UC app inside a Connector
Use case: The Data App is allowed to use (process, display, etc.) the data and distribute it outside the connector
Usage Control tasks:
Check the conditions (Time interval, Data App, Events, etc.)
Log usage information
Inform a Party about the usage
Condition:
Data App inside a connector
System Adapter inside a Connector
UC app inside a Connector
Characteristics:
Data format must be json compatible
Hooking points must be known and implemented
Advantages:
One UC service can be used by many Data Apps (reusable)
Easier Policy Management
Use case: The Data App is restricted to use (process, print, display and store) the data
Usage Control tasks:
Check the conditions (Time interval, Data App, Events, etc.)
Log usage information
Inform a Party about the usage
Hook into the data flow (for fine-grained actions)
Modify in transit
Count usage
Condition:
Data App inside a connector
UC app inside a Connector
JSON data exchange
Use case: The Data App shall read and store the data via System Adapter App
System Adapter App encrypts and decrypts data that is stored/retrieved from a database outside a connector.
Usage Control tasks:
Check the conditions (Time interval, Data App, Events, etc.)
Log usage information
Inform a Party about the usage
Hook into the data flow in the System Adapter App
Modify in transit
Setting up a Delete Data PXP
Condition:
Data App inside a connector
System Adapter inside a Connector
UC app inside a Connector
Data Storage outside a Connector
Characteristics:
It can be MYDATA or any other implementation.
Data format depends on the implementation of the Usage Control technology
Hooking points must be known and implemented
Advantages:
More independent solution (wrt. Programming language, data format, etc.)
Disadvantages:
Higher implementation effort
Higher effort for Policy Management
Use case: The Data App is allowed to use (print and display) the data
Usage Control tasks:
Check the conditions (Time interval, Data App, Events, etc.)
Log usage information
Inform a Party about the usage
Hook into the data flow (for fine-grained actions)
Modify in transit
Count Usage
Condition:
Data App inside a connector
UC app inside a Data App
More information:
