Protecting Data in a Collaborative Environment Willa Pickering, Ph.D.
CDM Responsibilities for Data Protection
• Identify what data must be protected
  • Shared data in collaborative environments
  • Intellectual property
  • Personal and private
  • National security
• Identify why the data must be protected
  • Threats
  • Federal and state regulations
• Identify who can access the data
  • Communities of interest
• Identify how the data can be protected
  • Security plan
  • Data risk management
Collaborative Data Warehouse Environment (What Data Needs Protection)
• Integration of data from multiple sources
  • Health data, banking data, knowledge discovery in business intelligence systems
  • Users may reach, through the warehouse, data they have no permission to access in the source system
• Data mining
  • On-the-fly queries
  • Aggregation of data
  • Inference issues: users construct new groupings and extract information based on derived patterns
[Diagram labels: Data Collection/Provider Controls; Warehouse Server Controls; Data Access/Mining Server Controls; Inference Controls; Query/Union Checks; Raw Data Protection; Data Sanitization]
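The inference and query/union checks named on this slide, as an added example that is not part of the presentation: an aggregate-only query front end over constructed sample records that refuses query sets that are too small (or too close to the whole table) and refuses a query whose result set overlaps an already answered set by more than a limit, which is what defeats the classic tracker attack (SUM over a group minus SUM over the group less one person). The records, thresholds and the StatisticalDB API are hypothetical.

```python
"""Inference controls for an aggregate-only warehouse query interface.

Added example; not code from the presentation. It implements two of the
controls the slide names, query-set size limits and a query/union
(overlap) check, on constructed sample data. The records, thresholds and
the StatisticalDB API are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List


@dataclass(frozen=True)
class Record:
    emp_id: int
    dept: str
    title: str
    salary: int


# Constructed sample data (hypothetical employees).
RECORDS: List[Record] = [
    Record(1, "eng", "lead", 180_000),
    Record(2, "eng", "engineer", 120_000),
    Record(3, "eng", "engineer", 115_000),
    Record(4, "eng", "engineer", 110_000),
    Record(5, "ops", "lead", 150_000),
    Record(6, "ops", "engineer", 95_000),
]


class InferenceDenied(Exception):
    """Raised when answering a query would let the caller infer an individual value."""


@dataclass
class StatisticalDB:
    records: List[Record]
    min_set_size: int = 2   # k: refuse query sets with fewer than k records ...
    max_overlap: int = 2    # r: ... or sharing more than r records with an answered query
    answered: List[FrozenSet[int]] = field(default_factory=list)

    def _query_set(self, predicate: Callable[[Record], bool]) -> FrozenSet[int]:
        return frozenset(r.emp_id for r in self.records if predicate(r))

    def aggregate(self, predicate, column: str, func=sum):
        """Answer an aggregate over the rows matching predicate, or refuse."""
        qs = self._query_set(predicate)
        n = len(self.records)
        # Size check. Sets that are too small expose individuals directly;
        # sets close to the whole table expose them through the complement
        # (SUM(all) - SUM(all but one) = one person's value).
        if len(qs) < self.min_set_size or len(qs) > n - self.min_set_size:
            raise InferenceDenied(
                f"query set size {len(qs)} outside [{self.min_set_size}, {n - self.min_set_size}]")
        # Overlap (union) check against every set already released. A tracker
        # subtracts two aggregates whose sets differ by one record; capping the
        # overlap between any two answered sets blocks that subtraction.
        if qs not in self.answered:   # an identical repeat releases nothing new
            for prev in self.answered:
                shared = len(qs & prev)
                if shared > self.max_overlap:
                    raise InferenceDenied(
                        f"query set shares {shared} records with an answered query (limit {self.max_overlap})")
            self.answered.append(qs)
        return func(getattr(r, column) for r in self.records if r.emp_id in qs)


def tracker_attack_demo():
    """Legitimate department total, then the tracker query that would isolate the lead's salary."""
    db = StatisticalDB(RECORDS)
    total = db.aggregate(lambda r: r.dept == "eng", "salary")   # 4 records, allowed
    try:
        # 3 records, all inside the first set: SUM(eng) - SUM(this) = the lead's salary.
        db.aggregate(lambda r: r.dept == "eng" and r.title != "lead", "salary")
        outcome = "leaked"
    except InferenceDenied:
        outcome = "denied"
    return total, outcome


if __name__ == "__main__":
    print(tracker_attack_demo())
```

The size and overlap limits trade utility for protection: a small overlap limit refuses many legitimate drill-down queries, and these set-based controls alone do not stop an analyst who can pose many carefully chosen non-overlapping queries, which is why production systems add result perturbation or differential-privacy noise on top. The two checks shown are nonetheless the ones the diagram's "Inference Controls" and "Query/Union Checks" boxes refer to.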
Collaborative Net-Centric Environment (What Data Needs Protection)
• Visible to the right people or systems
• Need-to-know vs. need-to-share challenge
[Diagram layers: Global Connectivity (Cloud Computing, SOA, Post/Pull); Enterprise Services (Collaboration, Content Delivery & Discovery, Metadata Discovery); Authoritative Data (Relevant, Sufficient); Common Platform (Portal, Integration, Interoperability); Consolidated Infrastructure (Architectures, Standards)]
Data Protection Threats (Why Data Needs Protection)
• Threats to data
  • All forms of data, electronic and printed (printouts, photocopies, data in documents, spreadsheets, email, graphics, databases)
  • Theft or misuse by unauthorized users
• Threats to physical assets
  • Loss of the physical assets that hold data (mainframes, servers, workstations, laptops, networks)
  • Intentional or accidental destruction
  • Natural forces (electrical or magnetic disturbances)
  • Control taken by inside or outside forces
• Threats to the business
  • Denial-of-service attack
  • Unauthorized access to sensitive data
• Threats to networks (threat actors)
  • Terrorists
  • Disgruntled employees
  • Hackers
  • Competitors
  • Criminals
  • Information brokers
Increasing Regulations (Why Data Needs Protection)
• Non-US regulations
  • UK Data Protection Act 1998
  • European Union Data Protection Directive
  • Canada Personal Information Protection and Electronic Documents Act
  • Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Council of Europe Convention 108, signed by Russia)
• Federal
  • Gramm-Leach-Bliley Financial Services Modernization Act
  • Health Insurance Portability and Accountability Act
  • Health Information Technology for Economic and Clinical Health Act
• States
  • California Data Security Breach Notification Act
  • Minnesota Consumer Card Data Protection
  • Nevada Data Encryption Policy
Communities (Who Can Access the Data)
Identify the appropriate groups of people to share data with
• Establish charters and governance structure
• Identify data assets to share
• Understand data sharing constraints
• Promote trust by identifying authoritative sources and associating trust discovery metadata
• Manage feedback mechanisms by identifying and establishing processes to evaluate and refine the quality of the data
IT Security Mechanisms (How Can Data Be Protected)
• Authentication (something the user knows, has, or is)
  • User ID and password
  • Physical security device: ATM card, computer chip (smart card)
  • Biometric identification: voice, eye, thumbprint
• Authorization
  • Level of access
  • Controls
    • Database: attribute/column, row/object, table/class
    • Application
    • Host/geographic
• Security strategies
  • Checkpoints to validate users
  • Error handling when viewers attempt to view data without permission
  • Roles: a limited view of only what the viewer has permission to see
  • Secure access layer/firewall protection
  • Session content logging
  • Single access point, no back doors
  • Cross-domain guards
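The authorization controls and security strategies listed on this slide, as an added example that is not code from the presentation: a single access point that validates the session (the checkpoint), applies a role policy at table, column and row level, logs the session content, and handles a request for data the viewer may not see by refusing the whole request rather than returning a partial result. The role names, policy table and HR rows are hypothetical.

```python
"""A single access point enforcing table-, column- and row-level authorization.

Added example; not code from the presentation. Role names, the policy
table and the HR rows are hypothetical. Every read passes through read(),
which checks the session, applies the caller's role policy, logs the
session content and either returns only the permitted columns and rows
or raises AccessDenied (no partial results on a denied request).
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List


class AccessDenied(PermissionError):
    """Error path for viewers who request data they have no permission to see."""


@dataclass
class Session:
    user: str
    role: str
    authenticated: bool
    dept: str


@dataclass(frozen=True)
class Policy:
    table: str                                   # table/class control
    columns: FrozenSet[str]                      # attribute/column control
    row_filter: Callable[[Session, dict], bool]  # row/object control


# Constructed sample table (hypothetical HR data).
TABLES: Dict[str, List[dict]] = {
    "employees": [
        {"emp_id": 1, "name": "Ada", "dept": "eng", "salary": 180000, "ssn": "000-00-0001"},
        {"emp_id": 2, "name": "Bob", "dept": "eng", "salary": 120000, "ssn": "000-00-0002"},
        {"emp_id": 3, "name": "Cy", "dept": "ops", "salary": 95000, "ssn": "000-00-0003"},
    ],
}

# Role -> policies. A role with no policy for a table has no access to it;
# no role is ever granted the "ssn" column.
POLICIES: Dict[str, List[Policy]] = {
    "hr": [Policy("employees", frozenset({"emp_id", "name", "dept", "salary"}),
                  lambda s, row: True)],
    "manager": [Policy("employees", frozenset({"emp_id", "name", "dept"}),
                       lambda s, row: row["dept"] == s.dept)],   # own department only
    "auditor": [],
}

AUDIT_LOG: List[dict] = []   # session content logging


def read(session: Session, table: str, columns: List[str]) -> List[dict]:
    """The single access point: validate, authorize, log, then return data."""
    requested = set(columns)
    entry = {"user": session.user, "role": session.role, "table": table,
             "columns": sorted(requested)}
    try:
        if not session.authenticated:                       # checkpoint: validate the user
            raise AccessDenied("unauthenticated session")
        policy = next((p for p in POLICIES.get(session.role, []) if p.table == table), None)
        if policy is None:                                  # table/class check
            raise AccessDenied(f"role {session.role!r} has no access to table {table!r}")
        forbidden = requested - policy.columns              # column check
        if forbidden:
            raise AccessDenied(f"columns not permitted for {session.role!r}: {sorted(forbidden)}")
        rows = [{c: row[c] for c in columns}                # row check
                for row in TABLES[table] if policy.row_filter(session, row)]
        AUDIT_LOG.append({**entry, "result": "allowed", "rows": len(rows)})
        return rows
    except AccessDenied as exc:
        AUDIT_LOG.append({**entry, "result": "denied", "reason": str(exc)})
        raise


if __name__ == "__main__":
    print(read(Session("mia", "manager", True, "eng"), "employees", ["name", "dept"]))
```

Two design points worth noting: the deny path is an exception, not an empty list, so a caller cannot mistake "not allowed" for "no matching rows", and both outcomes are logged before control returns, which is what makes the later exception monitoring possible. Keeping every read behind one function is the "single access point, no back doors" strategy; a second code path that queries TABLES directly would silently bypass all three checks.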
Data Risk Management (How Can Data Be Protected)
• Audits
  • Liability exposures
  • Compliance risks
  • Unmet data security requirements
  • End-to-end security checks
• Risk mitigation
  • Data replication/versions
  • Altered data
  • Logs
  • Exception monitoring
  • Event alerts
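The mitigation items on this slide (replication/versions, altered data, exception monitoring, event alerts), as an added example that is not code from the presentation: each stored record version carries an HMAC over its canonical content and version number, an audit compares a replica against the primary, and verification failures or rolled-back versions become event alerts. The key, records and alert format are hypothetical.

```python
"""Detecting altered data across replicas/versions and raising event alerts.

Added example; not code from the presentation. Each stored record version
carries an HMAC over its canonical content and version number under a key
the data store itself does not hold, so a row changed outside the
controlled write path, or quietly rolled back to an older version, fails
the audit. The key, records and alert format are hypothetical.
"""
import copy
import hashlib
import hmac
import json
from typing import Dict, List

KEY = b"hypothetical-integrity-key"   # in practice fetched from a KMS/HSM, never stored beside the data


def canonical(record: dict) -> bytes:
    """Stable byte encoding so the same content always produces the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(record: dict, version: int, key: bytes) -> str:
    return hmac.new(key, canonical(record) + b"|v" + str(version).encode(), hashlib.sha256).hexdigest()


def seal(record: dict, version: int, key: bytes = KEY) -> dict:
    """Write path: store the record with its version and integrity tag."""
    return {"data": record, "version": version, "tag": _tag(record, version, key)}


def verify(sealed: dict, key: bytes = KEY) -> bool:
    """Constant-time check that data and version still match the tag."""
    return hmac.compare_digest(_tag(sealed["data"], sealed["version"], key), sealed["tag"])


def audit_replica(primary: Dict[str, dict], replica: Dict[str, dict], key: bytes = KEY) -> List[dict]:
    """Exception monitor: compare a replica with the primary and return event alerts."""
    alerts = []
    for rid, p in primary.items():
        r = replica.get(rid)
        if r is None:
            alerts.append({"id": rid, "event": "missing_in_replica"})
        elif not verify(r, key):
            alerts.append({"id": rid, "event": "altered_data"})       # content or version edited in place
        elif r["version"] < p["version"]:
            alerts.append({"id": rid, "event": "stale_version",       # a validly sealed but old copy
                           "replica": r["version"], "primary": p["version"]})
    for rid in replica.keys() - primary.keys():
        alerts.append({"id": rid, "event": "unexpected_record"})
    return alerts


def demo() -> List[dict]:
    """Constructed scenario: one row edited in place, one rolled back to an old version."""
    primary = {
        "e1": seal({"name": "Ada", "salary": 180000}, 2),
        "e2": seal({"name": "Bob", "salary": 120000}, 1),
        "e3": seal({"name": "Cy", "salary": 95000}, 1),
    }
    replica = copy.deepcopy(primary)
    replica["e2"]["data"]["salary"] = 999999                     # altered without the write path
    replica["e1"] = seal({"name": "Ada", "salary": 150000}, 1)   # replay of a genuine older version
    return audit_replica(primary, replica)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Binding the version number into the tag is the part that matters for the "replication/versions" item: a plain content hash would accept an attacker who restores a genuine older copy of a row, whereas here that shows up as a stale_version alert. The audit only proves what it can see, so the key must live somewhere the replica cannot read, and the alerts should feed the same monitoring pipeline as the access-denied events from the audit log.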
References
• Data warehouse
  • Inmon, W., "Security in the data warehouse: data privatization," Enterprise Systems Journal, 11(3), p. 76, March 1996
  • Mack, D. & Cain, M., The Essential Guide to Security and The Data Warehouse, 2010
  • Zhang, N. & Zhao, W., "Privacy-preserving data mining systems," IEEE Computer Society, 2007
  • Zhang, N. & Zhao, W., "Privacy-preserving OLAM: An information-theoretic approach," IEEE Computer Society, 2009
• Net-centric environments/communities
  • DoD Net-Centric Data Strategy, 2003
  • DoD Metadata Discovery Specification, 2003
• Security access controls
  • Ambler, S., Agile Database Techniques, 2003
• Security plan
  • Kimball, R., "Hackers, Crackers, and Spooks," DBMS, 10(4), p. 14, April 1997
• Data risk management
  • Winn, J. & Wrathall, J., "Who Owns the Customer? The Emerging Law of Commercial Transactions in Electronic Customer Data," http://www.law.washington.edu/Profile.aspx?ID=103&vw=pubs