Access & Usage Policies and Enforcement: Challenges and Solutions

Transcript

1. 10/31/24

2. 2 Consulting, Workshops and Reviews What we do? Software Modernization

   We develop cloud software solutions: We increase the efficiency of your IT-department: Cloud-native Software Development Data insights Platform Engineering Cloud Infrastructure

3. 3 POSEDIO’S TOOLSTACK

4. 4 Product Carbon Footprint Estimation for Plastic Injection Molding Project

   with four use cases from the production domain • Component matching • Validation platform • Mobile processing machines • Carbon footprint in production engineering and manufacturing

5. 5 MAIN CHALLENGES • Give participants control over and understanding

   of what can happen to their data. • Maturity and specialization of tools. • Main Requirements • Protect data and the know-how/value it includes. • Maintainable system that can be adapted to the changing needs of participants. • Understandable and maintainable by non-programmers! • Reusable across multiple data ecosystems. • Non-Functional: • Authorization checks needs to be fast.

6. 6 POTENTIAL SOLUTIONS We looked at • Own know-how (Rego/OPA)

   • Gaia-X (participation, blog, academy) • GXFS-DE (XFSC) implementation • EDC Connector implementation • FIWARE implementation (XACML) • Rego and Open Policy Agent • Mature but no Gaia-X (or JsonLD, VC/VP) support • Trust Server API (GXFS-DE) is based on OPA • ODRL: Open Digital Rights Language (later chosen by Gaia-X as standard) • Specification without a reference implementation • Supports customization through profiles like Gaia-X’s OVC • Multiple implementations • Gaia-X “Policy Reasoning Engine” • Uses Graph Database – not fast enough for our needs • EDC Connector implementation • Complex to use: See Access Policies Tutorial – therefore hard to get right. • FIWARE: Keyrock, Wilma PEP Proxy, and Authzforce • XACML (eXtensible Access Control Markup Language) • IMHO: Unpleasant to create and maintain as text. See Example from Docs. It makes it hard to get policies right.

7. 7 OUR APPROACH: REGO BASED SOLUTION • It started before

   Gaia-X settled on ODRL • Added extensions to OPA: vc.verify() • Provide building blocks to work with Gaia-X and Data Spaces • Presented at Gaia-X Tech-X 2024

8. 8 OUR APPROACH: REGO BASED SOLUTION • Integrate ODRL as

   OPA Extension: gxi.odrl_evaluate() function • Work in progress

9. 9 EMBEDDABLE ODRL ENGINE 1. Look at existing ODRL engines

   • EDC-Connector: Java – needs a runtime. • Gaia-X Policy Reasoning engine – needs a database for reasoning. • Announced Gaia-X ODRL Library: Risk it comes too late for our project • Other ODRL implementations we found are either outdated or private 2. Started our own embeddable ODRL engine with support for Gaia-X OVC profile • https://gitlab.euprogigant.kube.a1.digital/ paul.weissenbach/ohdrl/-/tree/main • To use ODRL within our framework, we need it to be embeddable.

10. 10 OUR ODRL ENGINE / LIBRARY • More info about

    our solution and why it‘s good • Developed in Rust • Early days • Doesn’t implement the full ODRL spec • Follows ODRL’s formal semantics draft relatively closely • Support for Gaia-X OVC Profile • Code architecture and the ability to extend it is similar to the EDC’s implementation

11. 11 NEXT STEPS People with domain and contractional knowledge are

    rarely also software developers. • Improvements • Templates and building blocks for policy development • Tooling (for ODRL): • linter, • debugger, • audit trail (replay), • UIs, • etc. • Work on simplifying policy languages. • We are looking for cooperation opportunities! • Continue developing our ODRL engine/library. • Research how policies, their creation, and maintenance can be made simpler.

12. THANK YOU! Paul Weißenbach [email protected] POSEDIO GMBH Weyringergasse 1-3, 1040

    Wien, Austria Millenium Park 4, 6980 Lustenau, Austria www.posedio.com THANK YOU!