Policies as Code within Gaia-X

Posedio

June 09, 2023

Transcript

  1. What I will talk about Today

    • Basics: Policies in General, Policy as Code, Gaia-X and Policies
    • Our Policies: What policies do we want and can have in our ecosystem?
    • Implementation: A look into how policies can be implemented in GXFS.
  2. Policy

    “A set of ideas or a plan of what to do in particular situation that has been agreed to officially by a group of people, a business organization, a government, or a political party” – Cambridge Dictionary
  3. Context of Policies

    • Who?
      • Example: 16 partners of the EuProGigant project that run a data and service ecosystem!
    • Goals: What are the general ideas behind the policy?
      • Smart and sovereign use of data
    • Objectives: What is the policy going to address?
      • Transparency, controllability, portability and interoperability across data and services
    • Setting: What are the environmental nuances where the policy is going to be applied?
      • Manufacturing
      • Europe
  4. Instrument Logic of Policies

    • Coercive
      • Enforcement
      • Authorization
    • Suasion
      • Nudging
      • Incentives
    • Statistical
      • Data presented in digestible form
    • Financial
      • Bonus
      • Subsidies
  5. Policy Taxonomy

    Goal:
    • Policy level, policy goals: What are the ideas governing policy development? (Smart and sovereign use of data in manufacturing)
    • Program level, program objectives: What does the policy address? (Data transfer observable, interoperable, control stays with data producer, …)
    • Measurement level, operational settings: What are the specifications? (Manufacturing companies know and can deploy smart solutions based on sovereign data usage)

    Tools:
    • Policy level, instrument logic: What are the preferred instruments? (Suasion, authorization, subsidies)
    • Program level, program mechanisms: What specific instruments are going to be used? (encryption, PKI, authorization mechanisms, monitoring services, …)
    • Measurement level, tool calibration: Are there any specifics for the instruments? (Standards, regulations, certifications, provided software, …)

    Adapted from Ricardo Ferreira: Policy Design in the Age of Digital Adoption, 2022
  6. Good Policies

    • 3C
      • Coherent (goals/objectives of policies are aligned)
      • Consistent (instruments are aligned)
      • Congruent (instruments are aligned with goals)
    • Practical/Operational:
      • Monitoring/Auditing: What plan has actually been executed in which situation?
      • Development: See how a new policy would work before implementing it.
      • Testing to ensure changes in one policy don’t alter another.
      • …
  7. Policy as Code

    “Policy-as-code is an approach to policy management in which policies are defined, updated, shared, and enforced using code.” – paloaltonetworks.com/cyberpedia
  8. Open Policy Agent (OPA)

    Open policy agent decouples policy decision-making from policy enforcement. When your software needs to make policy decisions it queries OPA and supplies structured data (e.g., JSON) as input. - OPA docs
  9. Policy as Code vs Policy in Code

    • Both are code
    • Decoupling allows for quicker and easier policy changes.
    • Independently deployable
    • One language for policies, even if microservices use different programming languages
    • Policies become reusable blocks.
    • Useful in microservice architectures (looking at GXFS)

    https://gitlab.com/gaia-x/lab/compliance/gx-compliance/-/blob/development/src/service-offering/services/content-validation.service.ts#L94
  10. ODRL (IDS)

    • Open Digital Rights Language
    • More a data model/schema than a programming language

    https://www.w3.org/TR/odrl-model/
  11. gaia-x

    Gaia-X is an initiative that develops, based on European values, a digital governance that can be applied to any existing cloud/edge technology stack to obtain transparency, controllability, portability and interoperability across data and services. - gaia-x.eu
  12. Policies in gaia-x

    • 97. Policy: Statement of objectives, rules, practices, or regulations governing the activities of Participants within Gaia-X. From a technical perspective Policies are statements, rules or assertions that specify the correct or expected behaviour of an entity.
    • 129. Usage Policy: Usage Policies constrains the Consumer‘s use of a Resource.
    • 11. Consumer Policy: Consumer Policy describes a Consumer‘s restrictions of a requested Resource.

    Trust Framework Architecture Document gaia-x.gitlab.io/glossary/
  13. Aside: Trust Framework can be seen as “Policy as Code”

    gitlab.com/gaia-x/lab/compliance/gx-registry/-/blob/main/src/static/shapes/latest/trustframework.ttl#L109
  14. Where to Store Policies?

    • Service Offering
      • a list of policies expressed using a DSL (e.g., Rego or ODRL)
    • For
      • Access control
      • Throttling
      • Usage
      • Retention

    gaia-x.gitlab.io/policy-rules-committee/trust-framework/service_and_subclasses/
  15. Open Questions

    • Where to put Consumer Policies?
    • Where, when, and how are these policies evaluated?
    • What functionalities are available for writing policies?
    • How can policies access data, other services?
  16. Our Policies

    What policies do we want and can have for our ecosystem? Just to give you an idea.
  17. Our (simplified) Ecosystem

    Diagram labels: Federator, Identity & Authentication, Service Catalog, Shapes & Trust Anchors, Participants & Services & Resources, Consumer C, Service Offering SO, Producer P, Resource A, Resource B
  18. Onboarding / Offboarding?

    • Who can participate?
      • Participant (legal, natural person)
    • Attributes
      • leiCode, vatID, …
    • Operational Limitations
      • Not too many new participants in a timeframe?
      • Blacklisting of some registrationNumbers?

    Diagram labels: Federator, Identity & Authentication, Participants, Producer P
  19. Manage Service Offering

    • What attributes need to be set?
    • Data protection regime
    • Allowed licenses
    • At least one resource
    • When?
    • Create
    • Update
    • Regular checks by federator
    • Delete
    • Publish / Unpublish
    • Search / Visibility
    • Who do you want to see your service offering / resources?

    Diagram labels: Federator, Service Catalog, Participants & Services & Resources, Consumer C, Service Offering SO, Producer P, Resource A, Resource B
  20. Service Usage: File storage

    • Access (Authorization)
    • Read files (with sensitive information)
    • Store files (with sensitive information)
    • Logging and Auditing
    • Access to logs
    • Retention (life cycle)
    • Quotas

    Diagram labels: Resource A, Instantiated Resource A, Service Offering SO, Producer P, data.json, Consumer C
  21. Service Usage: API

    • Similar to file storage, plus
    • What if the service calls other services with input data from consumer?

    Diagram labels: Resource B, Instantiated Resource A, Service Offering SO, Producer P, API, Consumer C, Other service API
  22. Other services

    • Row level security in SQL databases?
    • Who can read/write to which topic?

    Diagram labels: Resource C, Instantiated Resource A, Service Offering SO, Producer P, DB, Consumer C, Resource D, Instantiated Resource A, Service Offering SO, Producer P, Message Queue
  23. Trust Anchors and Shapes

    • What additional Shapes are needed for our ecosystem?
    • Who attests information in them? Add Trust Anchors.

    Diagram labels: Trust Framework, Federator, Shapes & Trust Anchors
  24. What makes sense for our use cases?

    • What instruments fit?
      • Authorization
      • Filter for catalog
    • When and at what points should those policies be enforced?
    • What information is needed to make policy decisions?
    • Who do you trust to provide/attest that information?
    • Maybe we need some additional data sources?
  25. Microservice in Trust Service API (TSA)

    • Not like OPA agent (does more than providing policy decisions)
    • aas: Authentication and Authorization Service

    Diagram labels: tsa/policy, db, tsa/policy-sync (Reads Policy from git repo and stores them in db), tsa/cache, tsa/signer, tsa/did-resolver, ocm/proof-manager, portal/did-management, tsa/infohub, tsa/task, aas/aas, OPA based with extended functionality
  26. User Login with SSI

    • GetLoginInvitation
    • GetLoginProof
    • At the end you get access, with an id_token and access_token.

    https://docs.gaia-x.eu/technical-committee/identity-credential-access-management/22.10/system_features/
  27. Client registration

    • GetIatInvitation
    • GetIatProof
    • At the end you get an access token.

    https://docs.gaia-x.eu/technical-committee/identity-credential-access-management/22.10/system_features/
  28. Microservices in Development

    • Policy-rule-provider
      • Open Policy Agent with a set of rules
    • Rules-checker-service
      • Basic API to send VCs to and have them checked against rules
    • Used by compliance, see documentation:
      • data-infrastructure-federation-services/deployment-scenario/scenario-22.11/components.md
  29. Next steps

    I’d like to talk to you and see what policies make sense for our use cases. Based on that, develop a concept for policies for our project (one of the goals of AP14/6 EuPG). See how far we get with implementing it.
  30. Paul Weißenbach

    +43 660 5779433
    [email protected]
    Posedio GmbH
    Seilerstätte 17, 1010 Wien
    Millenium Park 4, 6980 Lustenau
    www.posedio.com
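
Added example, not from the deck or from GXFS: the onboarding questions on slide 18 written as a Rego policy that an enforcement point could query in the way slide 8 describes, with `opa test` cases in the spirit of the testing point on slide 6. The package name, the input and data layout, the rule that one of leiCode or vatID must be set, and all sample values are assumptions made for illustration.

```rego
package ecosystem.onboarding

import rego.v1

# Assumed input: {"participant": {...}, "recent_onboardings": <count in the current timeframe>}
# Assumed data:  data.limits = {"blocked": [...], "max_new": <number>}

default allow := false

# The enforcement point onboards a participant only when no deny reason was produced.
allow if count(deny) == 0

deny contains "participant type must be legal or natural" if {
	not input.participant.type in {"legal", "natural"}
}

deny contains "leiCode or vatID is required" if not has_identifier

has_identifier if input.participant.leiCode != ""

has_identifier if input.participant.vatID != ""

deny contains msg if {
	some blocked in data.limits.blocked
	input.participant.registrationNumber == blocked
	msg := sprintf("registrationNumber %s is blocked", [blocked])
}

deny contains "too many new participants in this timeframe" if {
	input.recent_onboardings >= data.limits.max_new
}

# Without this rule, missing limit data would make the check above silently never fire.
deny contains "limit data missing" if not data.limits.max_new

# Constructed sample values, used only by the tests below.
sample_limits := {"blocked": ["REG-0000"], "max_new": 5}

sample_participant := {"type": "legal", "leiCode": "", "vatID": "ATU00000000", "registrationNumber": "REG-1234"}

test_allow if {
	allow with input as {"participant": sample_participant, "recent_onboardings": 1} with data.limits as sample_limits
}

test_blocked if {
	p := object.union(sample_participant, {"registrationNumber": "REG-0000"})
	not allow with input as {"participant": p, "recent_onboardings": 1} with data.limits as sample_limits
}
```

The `deny` set gives the caller the reasons for a refusal, which supports the monitoring and auditing point on slide 6.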