This wiki has undergone a migration to Confluence found Here
<meta name="googlebot" content="noindex">

May 11th, 2010 Security Conference Call

From HL7Wiki
Jump to navigation Jump to search

Security Working Group Meeting

Back to Security Main Page

Attendees

Agenda

  1. (05 min) Roll Call, Approve minutes 4 May 2010, Call for additional agenda items & Accept Agenda
  2. (55 min) Security and Privacy Ontology Project
  • New Use Case Review and Acceptance

Minutes

1. Action Items

  • Team: please review the use cases posted on the Security & Privacy Ontology wiki site. Come prepared to provide your input as to which use cases in scope and out of scope so that we can take a vote on this during an up coming meeting.

2. Resolutions - none

3. Updates/Discussion

Rio Working Group Meeting Announcement

  • Ballot reconciliation will commence at the Rio WGM – Tues Q3, starting at 12:45 PM EDT.
    • A GoToMeeting Link has been established for those who wish to dial in:
  1. Please join my meeting.
  2. Join the conference call:
    • Meeting ID: 803-352-145

Security and Privacy Ontology Project

The focus of today's discussion was on the purpose of use cases in the process of defining an ontology for Security & Privacy

Steve reviewed two additional use cases posted to the S&P Ontology project wiki. These use cases are based on ISO 10181-3 - Security frameworks for open systems: Access control framework

  • Use Case #1: Enable Design of Access Control System
  • Use Case #2: Facilitate an Automated Decision Function
  • ISO 10181 refers to a process that states a Security Policy is written in natural language and it uses broad terminology to express. It goes through a process in which a Security Domain Administrator (SDA) takes the policy and interprets that policy into rules that are then entered into an access control system.
  • Use case #1 is a manual process – an SDA takes the security policy and converts it into rules that can be entered into the access control decision function.
    • The use case is designed to illustrate how an ontology would be used by that security administrator to assist in that activity.
    • There is an assumption that the SDA is not a clinical documents subject matter expert so the purpose is to provide a categorization scheme that is aligned with the security policy so the administrator can
  1. easily find the object(s) they are interested in so they can
  2. (manually) apply the appropriate security rules to that to be entered into the access control system.
    • The purpose of this use case is to enable the manual process of finding the objects. It is not meant to imply that the categorization scheme is entered into the Access Control Decision function.
    • The Basic Scenario – the objects are divided into two categories: clinical documents and administrative objects. The security policy is very simple. It distinguishes between clinical and administrative objects.
    • The alternative scenario: the only an alphabetical categorization is used. That provides a base level, minimum requirement. We assume that the list of objects (say, 1000 objects), browsing through that list is difficult by categorizing them alphabetically; yet it fulfills the requirements by decreasing the size of the list (alphabetically), and aids the administrator to find the object, but it does not provide any information that are the security requirements for the object. This is applied by the security administrator.
      • The alternative scenario is probably the least disruptive because everyone can agree on an alphabetical scheme, but it does not provide information regarding the security value of those objects.
      • The value of use case #1 is to decrease the size of the list of objects to aide the SDA to discover the objects.

Buid-time versus Run-time use cases

  • Last week, Tony described two different kinds of use cases: build-time versus run-time. Enable Design of Access Control System is an example of a build-time use case; the second, Facilitate an Automated Decision Function is an example of a run-time use case (operational mode).
  • Use case #2 does not use the terminology specified in ISO 10181, but for all intents and purposes, it is the access control decision function (ADF) which is referred to in ISO 10181.
  • After the targets and information requestors have been categorized and the rules applied to the ADF, this use case describes how the ADF responds when an information request is received by the system.
    • Basic Scenario: An MD makes a request to see a patient’s clinical data, and the ADF evaluates that against the rules already populated in the system. Does the request conform to a rule or not? If yes, access is permitted,
    • Alternative Scenario, request does not conform to the rules and access is denied.
  • Although these use cases are simplistic, the point is that the use cases are supposed to describe what the ontology is expected to provide.
  • The two use cases describe functions and how the use cases are going to be used by the system.
  1. Use Case #1 – the minimum requirement – simply used by the SDA to set up the access control system.
  2. Use case #2 – the ontology becomes part of the ADF. The rules in the ADF rely on the ontology to make a decision.
  • Pat: Is the expectation that the ADF goes out to an ontology service or a terminology service to evaluate the rules? I have a hard time understanding real-time reliance on an ontology other than in a very abstract way.
  • Mike: Reiterated the work that OASIS is currently undertaking – where they are investigating the use of an ontology to extend XACML. There is a proposal to create an ontology decision point as part of the XAML specification. Turns out various produces in this space already implement ontologies as their internal structure. But these are proprietary, not standard-based. These are used to more efficiently process rules and are offered as a competitive advantage. Providing a health care ontology facilitates the industry’s efforts to do this.

Discussion about the purpose for the use cases as well as the purpose for the Security & Privacy Ontology Project

  • Pat: But how do these use cases help us to build an ontology and to know when we’re done, or that we’ve met a particular business requirement?
    • I would think that how we use the ontology downstream (the OASIS work for instance) is out of scope for our project.
    • How do these use cases drive the content of the ontology? If that isn't the intent of these use cases, I don't understand.
  • Steve: The intent for the use cases is to build the ontolog(ies). What is sufficient for the ontology? Is an alphabetical categorization sufficient? Or on the other end of the spectrum, what is sufficient for an ontology that would be used in an ADF so we can establish rules that would be part of the ADF?
  • Rob Horn: My understanding is that the ontology would not be part of the ADF. I thought the use of the use cases would be to be sure that with the ontology we can say the statement that need to be said.
    • In the use case, you need to make statements such as Dr. Bob makes a request to read Sam’s encounter data. Can I say that using the terms and relationships of the ontology?
  • Mike: Take the OASIS example, the XACML committee produces an architecture and a way of expressing security policy.
    • XACML architecture has mechanical components like a Policy Information Point (PIP) that stores policy attributes. Different business domains provide the vocabulary that are the attributes that go into a PIP.
    • This ontology will provide a hierarchy of health care specific information that an engine would use – it is the gas for the engine.
    • This use case is describing how an ontology would benefit the Policy Decision Point (PDP), the components of a 10183-3 ISO solution, and provides an instance of that.
    • But in terms of what we’ve done so far, we've not specified anything about conformance.
    • We've started with flat terms, now we're attempting put an ontology in place to describe relationships between the terms.
  • Rob Horn: How do you know the ontology work is finished? I thought that when we’re able to express the things that are happening in the use case using the ontology, then we’re finished.
  • Pat: I understand that we want to use an ontology to make access control decisions. I just didn’t think that was the work of this project. That’s the OASIS work.
    • How do we make sure our ontology is correct, that those concepts and terms and relationships are correct? I assumed that we would create use cases to collect the concepts, terms and relationships and from those use cases, make sure there is an equivalent in the ontology.
    • I didn't think that we were identifying use cases that say, this is how we’re going to use the ontology.
  • Mike: It sounds like we’re re-inventing the wheel from your description. I think Steve’s use case is raising things up a level. It is providing a framework. Bu I don’t think we need to go back to raw use case development to define the terms. We have an information model. In terms of an access control system we know all the components.

Security & Privacy Ontology Scope Statement

  • Pat disagreed. The initial concept for the ontology was based on the fact that when we started to harmonize the Privacy DAM with the Security DAM we thought we would end up with impedance mismatch. Disclosure, for instance, is a Privacy term. What does it mean from a Security perspective?
    • We don’t have a mapping for that. I thought the ontology was supposed to correct the impedance mismatch between the domain analysis models as opposed to how the ontology would be used once it’s finished.
  • Steve: The project scope statement specified that we would focus on access control in the near term.
  • Mike: I don’t think the scope statement specified that the purpose was to reconcile Privacy and Security. That may be something that happens, but the scope statement says that we will create an ontology useful for systems making access control decisions. We have a vocabulary through the HL7 Permission Catalog supporting RBAC. We discussed using the Permission Catalog to get started as we create this ontology.
  • Pat: The impression I has was that we were going to start there, but that is not where we were going to end.
    • From this discussion, it sounds like it is access control based on RBAC and the Permission Catalog and that's the end of the story. I could be getting the wrong impression...
  • Mike: The use cases Steve presents are use cases for access control - an investigation into the vocabularies and the creation of an ontology for those use cases?
    • That high-level use case is a way of bounding a problem view. This helps us to determine when we’re done.
    • By working through real-world use cases, we can go back to our Information Model (IM) and apply the IM to one of these use cases.
    • The use cases are the things that we’re interested in doing and the scope is whatever is in the use cases. Hopefully these will be informative and we use the Information Model as the source for the vocabularies, if they exist.
  • Pat: That explanation clarifies it.
  • We don’t have a specific goal at this point, for example to cover every concept in the information model. But the definition of the use cases should establish when we’re done (relatively speaking).
  • Steve: The first five use cases on the wiki were written with the idea that they would be used by an ADF.
    • We create an ontology of actions, an ontology of objects, an ontology of roles that would be used by the access control system to make access control decisions. **After having written those first five use cases, I realize I may have been jumping the gun by assuming these ontologies would be used inside the access control system. There are obviously other places where ontologies could be used as well.
    • That’s why I went back to write these final two use cases so as to set the operating framework. I realize this may be confusing.
    • I think there is another situation that Mike referred to last week, where the ontologies are used to write policy. I haven't yet incorporated a use case for that purpose here, but this is one that could be valuable.
  • Richard: This seems to me to be the most important use case - covering the kinds of choices people want to make.
  • Don: The project scope statement indicates that is the first item to be covered by the ontology.
  • Mike: I agree, we need create use cases to express the policy in addition to fleshing out the use cases to enforce the policy.
  • John: In what way is this ontology similar or different than the Harmonized Security DAM, and why are we not starting with the same use cases?
  • Mike: That’s a good point. We should be using use cases that are derived from the RBAC work and the Security DAM work.
    • I’m viewing the use cases that Steve is presenting here more from setting the work areas that we’re interested in.
    • We have one to cover the notion of an ontology as the means for performing the access control decision function.
    • We also need one that provides an ontology that would be useful for describing privacy policy.
    • We want to take things from the Information Model that would be useful for policy purposes and put those concepts into an ontological framework.
    • For example, a use case describing the creation of a consent directive.
  • Steve: I assumed that the use cases for the Harmonized Security & Privacy DAM are included in this analysis. The intent of these addition use cases is to extend those use cases.
    • Last week when I discussed the multiple role value use case, it was brought up that this functionality is already expressed in the harmonized DAM. I haven't validated this, but if it is true, I agree, that use case would be superfluous.
    • There is no intent to duplicate use cases that are already included in the DAM.

The Ontology project discussion continued in the following CBCC WG hour. A number of issues discussed in this hour were elaborated upon and provide additional commentary on the scope of the project.

Meeting was adjourned at 2:00 PM EDT



Back to Security Main Page

Retrieved from "https://wiki.hl7.org/w/index.php?title=May_11th,_2010_Security_Conference_Call&oldid=36643"