{"id":239,"date":"2007-09-21T14:06:36","date_gmt":"2007-09-21T21:06:36","guid":{"rendered":"http:\/\/www.laurenwood.org\/anyway\/archives\/2007\/09\/21\/suns-openid-idp-data-governance\/"},"modified":"2007-09-30T11:33:48","modified_gmt":"2007-09-30T18:33:48","slug":"suns-openid-idp-data-governance","status":"publish","type":"post","link":"https:\/\/www.laurenwood.org\/anyway\/2007\/09\/suns-openid-idp-data-governance\/","title":{"rendered":"Sun\u2019s OpenID IdP: Data Governance"},"content":{"rendered":"<p>Part of a series on Sun\u00ad\u2019s OpenID@Work ini\u00adti\u00adat\u00adive; see the <a href=\"http:\/\/www.laurenwood.org\/anyway\/2007\/09\/suns-openid-idp-introduction\/\">intro\u00adduc\u00adtion<\/a> for more context.<\/p>\n<p>Data gov\u00adernance is the term used for know\u00ading what hap\u00adpens to the data that is stored, par\u00adtic\u00adu\u00adlarly when that data has any <abbr title=\"Personally Identifiable Information\"><span class=\"caps\">PII<\/span><\/abbr> (per\u00adson\u00adally iden\u00adti\u00adfi\u00adable inform\u00ada\u00adtion), which the Open\u00adID IdP does. Using Open\u00adID isn\u2019t the reas\u00adon we  keep this inform\u00ada\u00adtion; any regis\u00adtra\u00adtion sys\u00adtem keeps at least some inform\u00ada\u00adtion about the people who have accounts on it, even if it\u2019s only a name, email, and pass\u00adword (or open\u00adid iden\u00adti\u00adfi\u00ader). I thought it might be use\u00adful to oth\u00aders to see some of the basic steps that we went through when dis\u00adcuss\u00ading how to pro\u00adtect that <span class=\"caps\">PII<\/span>, and some of the decisions we made on what data to keep and what not. 
If you\u2019re setting up a registration system yourself, you may make completely different decisions, depending on what information you\u2019re keeping and what your registration system is being used&nbsp;for.<\/p>\n<p>Obviously, step 1 is to make someone responsible for figuring it out. In our case, that person was me, with the grand title of \u201cData Steward\u201d in Sun\u2019s process. Yes, there\u2019s a process to be followed and checklists to be filled out, and people whose job it is to help us figure it all out (the Chief Privacy Office with <a href=\"http:\/\/blogs.sun.com\/suncpo\/\">Michelle Dennedy<\/a> and her team). What you need to do&nbsp;is:<\/p>\n<ol>\n<li>figure out what data you need to have, whether for technical or policy reasons<\/li>\n<li>figure out who will need access to the&nbsp;data<\/li>\n<li>figure out how to prevent people who don\u2019t need access from getting it<\/li>\n<li>figure out when you can destroy the&nbsp;data<\/li>\n<li>write the decisions up and make the information available<\/li>\n<\/ol>\n<dl>\n<dt>What data needs to be&nbsp;kept?<\/dt>\n<dd>\n<p>In this service, people can use fake names, but often choose to use their real ones. For compliance reasons, in case there needs to be an investigation into an allegation of wrong-doing by a user, we need to keep the employee <span class=\"caps\">ID<\/span> that was used to sign up for the openid identifier. Even after the openid account is closed, the information is kept for a set period of time to allow any problems to surface. 
Yes, the users are warned about this during the registration process.<\/p>\n<p>The web server logs are in the Common Log Format, so they include a record of each <span class=\"caps\">HTTP<\/span> <span class=\"caps\">GET<\/span> request that a consuming site (relying party) sends to the IdP, by redirecting the user\u2019s browser, asking for authentication of the openid identifier. The query string of that request includes the openid identifier and the site\u2019s return <span class=\"caps\">URL<\/span> (the openid.identity and openid.return_to parameters), thus allowing correlation of who went where (though not what they did after logging in). This happens with every OpenID Identity Provider that has web server logs, which I would guess is basically all of them, so it\u2019s certainly not a problem that is specific to Sun\u2019s service. Every OpenID IdP could perform such correlations about its users. This is not necessarily a problem, and some people would say that allowing people to see that this openid identifier was used in different places allows reputations to be built, but it also has privacy implications. I might not want my employer (or anyone else, for that matter) knowing what sites I visit, how often, and when. 
So on principle we mask the data for everyday use, so that we can see how often a site is visited, but not who\u2019s doing the visiting.<\/p>\n<\/dd>\n<dt>Who needs access to the&nbsp;data?<\/dt>\n<dd>\n<p>If there is an allegation of wrongdoing on the part of a user, then Corporate Compliance may need access to the information about whose openid identifier it is, and to the web server logs showing whether the user actually did log in to the web site in question. This data is only passed on after review of the allegations by Sun\u2019s legal&nbsp;team.<\/p>\n<p>Apart from that, support personnel need access to the openid accounts to help people with things like forgotten passwords (if they forgot to set a secret question), or deleting the account on a voluntary basis. The user has to file a support request using Sun\u2019s internal support system, and the employee <span class=\"caps\">ID<\/span> of the person filing the request has to match that of the owner of the account.<\/p>\n<p>Engineering may need access to some of the files for debugging. There is also a script that runs over the web server logs and extracts records of which sites were visited and when, discarding all information about who the user was who visited that&nbsp;site.<\/p>\n<\/dd>\n<dt>Restrict access<\/dt>\n<dd>\n<p>Only a few people have access to the accounts: support, engineering, and me as data governance steward. That access is controlled through operating-system access control. 
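<\/p>
<p>Restricting who can read the raw files is one half of the approach; the other half is the masked extract that can be handed to people who need statistics but not identities. Here is an added illustration of that extraction in Python. It is example code written for this page, not Sun\u2019s script; the log records, host names, identifiers and the <code>\/openid\/server<\/code> endpoint path are all constructed for the example, and it assumes the OpenID 1.1 parameter names (openid.identity, openid.return_to). It parses Common Log Format records, shows the who-went-where correlation that the raw lines allow, reduces them to per-site, per-day counts with the identifier and client address discarded, and finally checks that none of those values survive in the masked view.<\/p>
```python
import shlex
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qs, quote, urlsplit

# Sample Common Log Format records, constructed for this example (not Sun's logs).
# Each OpenID record is the browser redirect a relying party sends to the IdP with
# the OpenID 1.1 checkid_setup parameters, so one line ties an identifier to a site.
DQ = chr(34)  # the double-quote character that CLF puts around the request field

def clf_line(ip, when, request, status='302'):
    '''Assemble one CLF record: host ident authuser [date] request status bytes.'''
    return ip + ' - - [' + when + ' -0700] ' + DQ + request + DQ + ' ' + status + ' 0'

def checkid(identity, return_to):
    '''The request line a relying party redirects the browser to (assumed endpoint path).'''
    return ('GET /openid/server?openid.mode=checkid_setup&openid.identity='
            + quote(identity, safe='') + '&openid.return_to='
            + quote(return_to, safe='') + ' HTTP/1.1')

SAMPLE_LOG = [
    clf_line('203.0.113.7', '21/Sep/2007:14:06:36',
             checkid('http://openid.example.com/alice', 'https://wiki.example.org/login?nonce=1')),
    clf_line('203.0.113.7', '21/Sep/2007:18:42:10',
             checkid('http://openid.example.com/alice', 'https://forum.example.net/return')),
    clf_line('198.51.100.9', '21/Sep/2007:19:03:55',
             checkid('http://openid.example.com/bob', 'https://wiki.example.org/login?nonce=2')),
    clf_line('198.51.100.9', '22/Sep/2007:08:15:01',
             checkid('http://openid.example.com/bob', 'https://wiki.example.org/login?nonce=3')),
    # Non-OpenID traffic and a truncated record: both must be skipped, not crash the job.
    clf_line('203.0.113.7', '22/Sep/2007:08:15:02', 'GET /favicon.ico HTTP/1.1', '200'),
    '198.51.100.9 - - [22/Sep/2007',
]

def parse_clf(line):
    '''Return (client_ip, timestamp, request) for a CLF record, or None if it is malformed.
    shlex keeps the quoted request field together; the bracketed date splits into two tokens.'''
    try:
        fields = shlex.split(line)
        if len(fields) < 8:
            return None
        when = datetime.strptime(fields[3].lstrip('['), '%d/%b/%Y:%H:%M:%S')
    except ValueError:  # unbalanced quote or unparseable date
        return None
    return fields[0], when, fields[5]

def openid_request(request):
    '''Return (identifier, relying-party host) for an authentication request, else None.'''
    parts = request.split(' ')
    if len(parts) != 3 or parts[0] != 'GET':
        return None
    params = parse_qs(urlsplit(parts[1]).query)
    if params.get('openid.mode', [''])[0] not in ('checkid_setup', 'checkid_immediate'):
        return None
    identity = params.get('openid.identity', [''])[0]
    site = urlsplit(params.get('openid.return_to', [''])[0]).hostname
    if not identity or not site:
        return None
    return identity, site

def raw_visits(lines):
    '''What the unmasked logs reveal: which identifier, from which address, went where and when.'''
    visits = []
    for line in lines:
        rec = parse_clf(line)
        req = openid_request(rec[2]) if rec else None
        if req:
            visits.append((req[0], rec[0], req[1], rec[1].isoformat()))
    return visits

def masked_visits(lines):
    '''The extract handed out for debugging and statistics: visits per site per day.
    The identifier and client address are read only to be dropped; nothing user-linked is kept.'''
    counts = Counter()
    for _identity, _ip, site, when in raw_visits(lines):
        counts[(site, when[:10])] += 1
    return dict(counts)

def leaks(masked, lines):
    '''Check before publishing a masked view: no identifier or address from the raw lines
    may appear anywhere in it. Returns the offending values, so an empty list is a pass.'''
    secrets = set()
    for identity, ip, _site, _when in raw_visits(lines):
        secrets.update((identity, ip))
    blob = repr(masked)
    return sorted(s for s in secrets if s in blob)

if __name__ == '__main__':
    for visit in raw_visits(SAMPLE_LOG):
        print('raw   ', visit)
    for key, n in sorted(masked_visits(SAMPLE_LOG).items()):
        print('masked', key, n)
    print('leaks ', leaks(masked_visits(SAMPLE_LOG), SAMPLE_LOG))
```
<p>Bucketing by day instead of keeping the exact timestamp is a choice made here: an exact time combined with a rarely used site can still single out one user, so the granularity should match the size of the user population. The leak check is cheap and worth keeping in the job, since a later change that adds a field to the extract is exactly how the identifier creeps back in.<\/p>
<p>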
Access to the logs is controlled the same way, and everyone who has access has gone through training to ensure they know the privacy conditions that apply to the use of the information (i.e., used only for debugging or support, once the user\u2019s identity has been verified as&nbsp;above).<\/p>\n<p>As a side note, to log in to my account on the machines, I have to log in to Sun\u2019s internal network, ssh from there to the machine I want to access, and then log in with my standard Sun credentials followed by a one-time password that uses a challenge-response mechanism with a secret passphrase. Then I need to su to the appropriate user account, using yet another password (of course).<\/p>\n<\/dd>\n<dt>Destroying&nbsp;Data<\/dt>\n<dd>\n<p>Once an account has been deactivated, either because the employee left Sun or because they asked for it to be deleted, it remains inactive for 6 months. Once that time has passed, the account is deleted. The web server logs are deleted automatically after 6 months. This period was chosen because it seemed to meet both the privacy principles (delete as soon as possible) and the corporate compliance principles (keep the data around for a reasonable length of time, just in case it\u2019s needed).<\/p>\n<\/dd>\n<dt>Documenting<\/dt>\n<dd>\n<p>Once it was all figured out and reviewed by the privacy specialists in Sun, documenting it was the easy part (just like writing standards, really: coming to the consensus is the difficult bit). 
So the information is in the disclaimer that people need to agree to when they sign up for an account, in the user policy and the <span class=\"caps\">FAQ<\/span>, and the more formal checklists etc. are available from the Sun-internal project site. And people can always ask me, or email one of the mailing lists we have, if they have any questions.<\/p>\n<\/dd>\n<\/dl>\n","protected":false},"excerpt":{"rendered":"<p>Part of a series on Sun\u2019s OpenID@Work initiative; see the introduction for more context. Data governance is the term used for knowing what happens to the data that is stored, particularly when that data has any <span class=\"caps\">PII<\/span> (personally identifiable information), which the OpenID IdP does. Using OpenID isn\u2019t the reason we keep this information; any \u2026 <a href=\"https:\/\/www.laurenwood.org\/anyway\/2007\/09\/suns-openid-idp-data-governance\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> \u201cSun\u2019s OpenID IdP: Data 
Governance\u201d<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":3,"activitypub_interaction_policy_quote":"","activitypub_status":"","footnotes":""},"categories":[13],"tags":[25,24],"class_list":["post-239","post","type-post","status-publish","format-standard","hentry","category-identity","tag-openid","tag-sunopenid"],"_links":{"self":[{"href":"https:\/\/www.laurenwood.org\/anyway\/wp-json\/wp\/v2\/posts\/239","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.laurenwood.org\/anyway\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.laurenwood.org\/anyway\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.laurenwood.org\/anyway\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.laurenwood.org\/anyway\/wp-json\/wp\/v2\/comments?post=239"}],"version-history":[{"count":1,"href":"https:\/\/www.laurenwood.org\/anyway\/wp-json\/wp\/v2\/posts\/239\/revisions"}],"predecessor-version":[{"id":800,"href":"https:\/\/www.laurenwood.org\/anyway\/wp-json\/wp\/v2\/posts\/239\/revisions\/800"}],"wp:attachment":[{"href":"https:\/\/www.laurenwood.org\/anyway\/wp-json\/wp\/v2\/media?parent=239"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.laurenwood.org\/anyway\/wp-json\/wp\/v2\/categories?post=239"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.laurenwood.org\/anyway\/wp-json\/wp\/v2\/tags?post=239"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}