SBIR-STTR Award

XpressRules-PM: Commercial Implementation of PM/NGAC
Award last edited on: 2/27/2018

Sponsored Program
SBIR
Awarding Agency
DOC : NIST
Total Award Amount
$400,000
Award Phase
2
Solicitation Topic Code
N/A
Principal Investigator
Ronald C Turner

Company Information

XpressRules LLC

9515 North Wieber Drive
Spokane, WA 99208
   (509) 467-0668
   N/A
   www.xpressrules.com
Location: Single
Congr. District: 05
County: Spokane

Phase I

Contract Number: 70NANB17H226
Start Date: 7/31/2017    Completed: 1/30/2018
Phase I year
2017
Phase I Amount
$100,000
This proposal represents a collaborative response by XpressRules and NIST to a two-fold demand from the information security marketplace. The business requirement (for true policy governance) is that asset owners and stewards themselves, and not IT, become directly accountable for the life cycles of their rules and policies. The technical requirement (for an adequate data model) is that the policies themselves embody sufficient semantic content so as to enable effective “pre-emptive analytics”—the ability for policy analysts to discover logical leaks and gaps before a policy is deployed. For attribute-based access control (ABAC) NIST center-staged the human manager by defining and demonstrating natural language policy (NLP) in its Guide to ABAC (SP 800-162). In addition the NIST standardization and current implementation of Policy Machine/New Generation Access Control (PM/NGAC) provides the semantics-rich graph-based data model required for robust policy analytics. The goal of this proposal is to exploit and commercialize both of these NIST initiatives with XpressRules-PM, a product with (1) an adaptive NL human-computer interface (HCI) that empowers business users—in their own words—to manage policies and the policy authoring environment and (2) a dynamic graph-based policy representation that allows for effective policy analytics.

Phase II

Contract Number: 70NANB18H180
Start Date: 7/19/2018    Completed: 8/31/2020
Phase II year
2018
Phase II Amount
$300,000
New Generation Access Control (NGAC)—because of its “neutrality by design”—represents the most effective and scalable approach for deploying “smart” access control and consent solutions in large dynamic scenarios. NGAC however presents with its own problems: (1) it has minuscule recognition and uptake in the workplace, (2) it is unusable by non-technical policy officers and (3) its documentation and wider “infosphere” are very early-stage. XpressRules-PM is a natural language-based NGAC toolkit for (1) equipping non-technical stakeholders—in their own words—to deploy privacy and consent policies, (2) enabling an organization to configure the product to fit their environment instantly, repeatedly and without IT assistance, (3) exposing its policy store to logic-checking and analytics, and (4) applying NGAC’s Decision Algorithm to perform real-time “dispute resolution” in an IoT information blockchain. For healthcare XpressRules-PM facilitates a “longitudinal patient consent™” to accompany a longitudinal patient health record through its migration. NGAC retains the rich semantics of relationships between entities. The NGAC “family of standards” expresses this semantics ly with a directed acyclic graph (DAG). Therefore the most appropriate implementation of NGAC is graph-based, running on a NoSQL platform. Phase II specifies Neo4j initially, but its design will support any NoSQL database product.