IETF Logo Mail Archive

Re: [Pearg] Comments on draft-rao-pitfol-01

Sandeep Rao <sandeeprao.ietf@gmail.com> Thu, 18 June 2020 18:11 UTC

Return-Path: <sandeeprao.ietf@gmail.com>
X-Original-To: pearg@ietfa.amsl.com
Delivered-To: pearg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F8163A0DD3 for <pearg@ietfa.amsl.com>; Thu, 18 Jun 2020 11:11:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BdUX6Hr326N7 for <pearg@ietfa.amsl.com>; Thu, 18 Jun 2020 11:11:04 -0700 (PDT)
Received: from mail-io1-xd32.google.com (mail-io1-xd32.google.com [IPv6:2607:f8b0:4864:20::d32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 093163A0DD7 for <pearg@irtf.org>; Thu, 18 Jun 2020 11:11:04 -0700 (PDT)
Received: by mail-io1-xd32.google.com with SMTP id y5so8064127iob.12 for <pearg@irtf.org>; Thu, 18 Jun 2020 11:11:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bOsp58RWLzDNARwMacijYwACs/1rApZ151lFSe2jnHc=; b=ZD5scNRCKnV0dwTyTLG5GBj82vC7n0a1TVHMnPBnTCCoQgkFkxSAWp5hVRfjvnCyie oCVK/gDEfiqf9uqq5xNMlb7SM6zxli9Y6FYK0Vai+KHk5j+b+VFmGlRLlMaCVxgJEsSN O1oWyJgyX25k1/t646gUMmKDQNgSLwHwJ47YpFQYOPFVahglaq81VA3x8rH35K+FxOmw SE4qcWCvuLiQ8ATy3K9ZHxaDDZbhDNdavsefRdxSTAq7vHBPWBstL7kIuCMhqk/8bVIv fUv4h/PmvO+mSDFVnvwQvgKi7EtQIP09Zhx08fCK8IqgBMsLEQXHUDcgnhVOcCHqI0l9 eRDw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bOsp58RWLzDNARwMacijYwACs/1rApZ151lFSe2jnHc=; b=DBEOptbu26jeGZbgIAX7AFHhAjJyYN4Bq1HsHMK7WGfs5hmRPPnzExqwdcEf1WVLt0 WCy+vCovya2rtxwDPUMghOeXKqsGrRDRo/sIcakP7lC3PAz67SIagJCaS1f23kv7LNXK uIKdyg/TEakTOgRj/lOI2TzIXEwlMrsDhoCJqpcd5zYomblIddcOLYqZU8Z+n1djJdGk B8NbgSUjykYGTnxnDlicFDlg0tI0yCN7sXe7PIvgqn9o7fh9DjZexLpjtt4yX1n962XI tWh8BD84Kkp8sHuE04IB0sVYpvgp4nHSK6vDeKZ0zWr2qenCs7kSLXvVUSgl4BgPoYdC Thdw==
X-Gm-Message-State: AOAM531el76IK6DOBLJ0Rirlc0krNHu0jn+8BhIVL5yeFjTAVmNoeNs6 0F3n5OBOHropF63dxt64xt+GZMQFpUig8zOb99w=
X-Google-Smtp-Source: ABdhPJzZwSxWf9JE8CWyUfX/avR7Vltk6grRTOEl2/V9aUh2fircrkxWBOw7Ni97AhW4hofFFHL56LNf5EHPUkqO7ZQ=
X-Received: by 2002:a5d:9dd2:: with SMTP id 18mr6341427ioo.196.1592503863354; Thu, 18 Jun 2020 11:11:03 -0700 (PDT)
MIME-Version: 1.0
References: <CAOgPGoB8KzQFs3x8wnaE4_Qa_wvmsCJz7=2j5vfstYDBw4vXbA@mail.gmail.com>
In-Reply-To: <CAOgPGoB8KzQFs3x8wnaE4_Qa_wvmsCJz7=2j5vfstYDBw4vXbA@mail.gmail.com>
From: Sandeep Rao <sandeeprao.ietf@gmail.com>
Date: Thu, 18 Jun 2020 23:40:51 +0530
Message-ID: <CAAeK7PuNOB1JTbQvZxkGNtJxRZGC8oBF51nz2gAN=e+4CLMfhQ@mail.gmail.com>
To: Joseph Salowey <joe@salowey.net>
Cc: pearg@irtf.org
Content-Type: multipart/alternative; boundary="00000000000014284305a85fb3c0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/pearg/MPjCrR167W-ty2PmQZPfB7-42dw>
Subject: Re: [Pearg] Comments on draft-rao-pitfol-01
X-BeenThere: pearg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Privacy Enhancements and Assessment Proposed RG <pearg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/pearg>, <mailto:pearg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pearg/>
List-Post: <mailto:pearg@irtf.org>
List-Help: <mailto:pearg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/pearg>, <mailto:pearg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jun 2020 18:11:07 -0000

Hi Joe,

Apologies for the delayed response.

Thanks for your review and comments. Appreciate your time on this.  Please
find replies inline ...

I had a chance to review draft-rao-pitfol-01.  Sensitive information in
> logs is a constant problem for many security and privacy organizations so I
> am very happy to see this draft.  Below are some thoughts on the draft.
>
> 1.  While PII information is super important, the problem extends to all
> types of sensitive information in logs.  One common example is service
> credentials written to logs or data that is confidential to an organization
> and not an individual.  I don't see anything that would limit this approach
> to just PII, but it may extend the use cases a bit.
>

[sandeep]:  Agree that the mechanism can be generalized to annotate
anything that is deemed sensitive in logs. While the draft specifically
discusses and illustrates tagging of PII data, we will
think about extending this to mark other sensitive data.


> 2.  Log data is incredibly useful for troubleshooting,  analytics and
> other purposes.   To meet these use cases the log data may be propagated,
> extracted, transformed and stored in multiple places.  This creates some
> challenges:
>
> A. The data may be transformed into other data models and formats may not
> preserve any privacy marking
> B.  If the privacy marking changes on a field it's unclear what should be
> done to historical data.
>
>
[sandeep]:

Great points!

(A) Privacy marking preservation across log/data transformations is
critical as it flows through the log pipeline into various systems.  While
privacy marking and privacy preservation are discrete, we can
emphasize that it is necessary to carry forward any privacy markings across
format transformations without being prescriptive about it.

(B) Agreed, I think retrospective change can be challenging.  We will think
through this and provide some guidance on this in the draft.



> 3.  Often when a sensitive value is written to a log it has gone
> undetected for a period of time.  The values have now propagated to
> multiple systems and the task of the team responding to the incident is to:
>
>    - stop the logging or mis-identification of the data
>    - determine where the sensitive data has propagated to
>    - purge (or other action) the sensitive date from where it now lives
>    - perform remedial actions and notifications (for example to rotate
>    credentials)
>
> I would like a system that helps to automate this.  I think the draft
> provides part of the solution, but it seems there should be more to the
> solution:
>
>    1. Information and data models for sensitivity/privacy tagging of data
>    2. Ways of attaching that sensitivity/privacy tagging to the data
>    itself (similar to current draft)
>    3. Interface to systems to control
>       - actions based on tagging
>       - changes to tagging/classification
>       - communication of tagging/classification "out-of-band"
>
> I'm not really up on the state of the art here.  I know there exists
> proprietary protocols that do similar, but I'm not aware of any standards
> work in this area.
>

[sandeep]: Carrying privacy annotations as you illustrated below can
potentially help in automation of certain incident remediation actions.
This can be a good requirement / use case to think through on the lines of
'Course of Action" for Sensitive data detection incident response, will
think of addressing this as an addendum or in another write up. we can
discuss further on this.


> As an illustration a JSON message could contain a field descriptor to
> match on a field and an action to take when you match on the field.
>
> {
>    "dataFieldDescriptor": {
>          "LogStream": "AuthenticationService",
>          "eventType": "Login",
>          "jsonField": "sessionID",
>         "startDate": "None",
>         "endDate": "Now"
>     },
>     "action": {
>              "SensitivityLevelTag": "4",
>              "NotificationType": "SummaryReport",
>              "Action": "FullAnonymization",
>     }
> }
>
> This message would be sent to one or more systems.  It may result in the
> inline tagging described in the draft, but the message could be propagated
> in other ways.   ETL systems that transform the data could transform the
> request for the systems that consume their data.  The actions can be
> optional and derived from the default for the sensitivity level.
>  Notification and reporting is an essential piece of the puzzle.  The
> interface could be provided by log aggregators, endpoints, and ETL
> systems.
>
> This provides a standard interface to different places that store data
> derived from logs to remediate problems in their existing data.  It could
> potentially be used to service deletion requests and maybe information
> requests.  This obviously needs refinement.  A higher level abstraction
> could decouple the request from the logging format and allow the request go
> through stages.  For example the request says "delete user x@y.com" and
> then intermediate systems fill out how to fulfil the request.
>

[sandeep]:  We are experimenting various annotation formats, the above is a
good illustration, we will more update on this soon.

Thanks so much, great inputs, will follow up on this soon.

Regards,
-Sandeep


> Cheers,
>
> Joe
>
>
>
> --
> Pearg mailing list
> Pearg@irtf.org
> https://www.irtf.org/mailman/listinfo/pearg
>

v2.23.0 | Report a Bug | By Email