Friday, January 28, 2011

Privacy Day» Developer Tools» IGF

It's privacy day, and it seems like a good time to re-introduce folks on the long-running Identity Governance Framework project.

For a few years now, Oracle has been working hard on laying some privacy groundwork for developers. This project initially started with the development of a standard specification called the Identity Governance Framework. The objective of IGF was simple: define some declarations that define:
  • What personal information applications are using
  • What operations are performed against that data
  • What are the constraints on its use?
Additionally we fed important data into the XACML standards process to ensure that XACML access control systems could be used to fine-grained access control to data and resources (especially personal attributes).

Oracle also initiated two open source projects called ArisID and OpenAz to implement these standards. Check them out. It seems simple, and it is. But what these tools do is enable a powerful attribute service platform that stands to improve the privacy capabilities that developers can include in new applications.

Oracle has begun to incorporate this technology into its Fusion products (see Oracle Reference Security Architecture here)bringing further validation to the technology. The good news? It is available to any developer to use under Apache 2.0 License. Check these projects out.

I'll also point you over to Ian Glazer's recent article in his continuing series on privacy called "I 'like' you, but I hate your apps".

WHAT ISN’T OUT THERE

Unfortunately, your needs and the needs of the app developers aren’t addressed by both UMA and personal data stores. In order to meet these needs, device and platform makers must build “concern for the other” into their products. This is a big “D” design problem that requires not just user-experience intelligence but also classically trained design expertise. Baking “concern for the other” into products can be used to gain a competitive advantage in a market. By acknowledging that referencing information and pulling it from the source when needed, is superior to copying it, app developers have an opportunity to both mitigate their risks as well as provide better controls.

Ian makes an important point here about "concern for the other". Whenever personal information needs to be shared or used, it is important that underlying data systems know the what, where, when, and why it will be used. ArisID and OpenAz help to do just that.

Work on IGF is still ongoing. At present we are looking at improved Java language support for developers including annotations, security integration, etc. Stay tuned for more info!

No comments:

Post a Comment