1 / 21

Lecture 4 – Other Policies, continued

Lecture 4 – Other Policies, continued. Security Computer Science Tripos part 2 Ross Anderson. Secondary Uses. CMO Sir Kenneth Calman set up the Caldicott Committee to study secondary uses

creola
Download Presentation

Lecture 4 – Other Policies, continued

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture 4 – Other Policies, continued Security Computer Science Tripos part 2 Ross Anderson

  2. Secondary Uses • CMO Sir Kenneth Calman set up the Caldicott Committee to study secondary uses • Caldicott documented many illegal information flows; e.g. it’s illegal to share info on VD without consent, yet public health folks did on AIDS • HSCA s60 allowed SS to ‘legalize’ most of these • There remains a serious conflict with European law – ‘sensitive’ data need consent or narrowly-drawn legislation • I v Finland makes this acute! • DoH hopes that ‘anonymisation’ will save the databases…

  3. Secondary Uses (2) • Cost control, clinical audit, research… • Differing approaches: • USA: well-scrubbed incident data for open uses, lightly-scrubbed for controlled uses • Denmark, NZ: lightly scrubbed data kept centrally with strict usage control • Germany: no central collection • UK: Secondary Uses Services has summary data with postcode, date of birth • UK approach appears contrary to law

  4. Inference Control • Also known as “statistical security” or “statistical disclosure control” • Previously only totals and samples were published, e.g. population and income per electoral ward, plus one record out of 1000 with identifiers removed manually • Move to online database system changed the game • Dorothy Denning bet her boss at the US census that she could work out his salary – and won! • US census rule: ‘n-respondent, k%-dominance’

  5. Inference Control (2) • Query set size controls are very common. E.g. New Zealand medical records query must be answered from at least six records • Problem: tracker attacks. Find a set of queries that reveal the target. E.g for Prof Bacon’s salary • “Average salary professors” • “Average salary male professors” • Or even these figures for all “non-professors”! • On reasonable assumptions, trackers exist for almost all sensitive statistics

  6. Inference Control (3) • Cell suppression: e.g. suppose we can’t reveal exam results for two or fewer students

  7. Inference Control (4) • With n-dinemsional data, complementary cell suppression costs 2n cells for each primary suppression

  8. Inference Control (5) • Contextual knowledge is really hard to deal with! For example in the Source Informatics system (sanitised prescribing data)

  9. Inference Control (5) • Perturbation – add random noise (e.g. to mask small values) • Trimming – to remove outliers (else ‘average earnings Swaffham Bulbeck’ might leak Michael Marshall’s income) • Random sampling – answer each query with respect to a subset of records, maybe chosen by hashing the query with a secret key

  10. Inference Control (6) • Big problem in medical databases: context • ‘Show me all 34-yo women with 9-yo daughters where both have psoriasis’ • If you link episodes into longitudonal records, most patients can be reidentified • Add demographic, family data: worse still • Active attacks: worse still • Social-network stuff such as friends, or disease contacts: worse still • Only way to stay legal: consent (offer an opt-out)

  11. NPfIT • NHS National Programme for IT – Blair, 2002 • National services include SUS, SCR, PACS • Local service (5 LSPs in England): DCR • Inquiries by PAC (twice), HC. £20bn failure? May replace LAS as teaching example in part 1b … • Conservative policy: revert to local systems • Documentation: www.nhs-it.info • See also our report ‘Database State’

  12. Bookkeeping, c. 3300 BC

  13. Bookkeeping c. 1100 AD • How do you manage a business that’s become too large to staff with your own family members? • Double-entry bookkeeping – each entry in one ledger is matched by opposite entries in another • E.g. firm sells £100 of goods on credit – credit the sales account, debit the receivables account • Customer pays – credit the receivables account, debit the cash account • So bookkeepers have to collude to commit fraud

  14. From the Genizah Collection

  15. Bank of England, 1870

  16. Banking Security Policy • Threat model: • 1% of staff go bad each year (e.g. Moshoeshoe, Moon) • Mistakes happen – 1 in 500 paper transactions • There are clever fraudsters too • Loss of confidence means ruin • Protection goals: • Deter/prevent the obvious frauds • Detect the rest as soon as possible • Be able to defend the bank’s actions in court

  17. The Clark-Wilson Policy Model • Work by David Clark (MIT) and David Wilson (Ernst & Whinney) in 1986 to model this • In addition to the normal objects in your system, which we call unconstrained data items (UDIs), you add constrained data items (CDIs) • CDIs are acted on by special programs called transformation procedures (TPs) • Mental model: a TP in a bank must increase the balance in one CDI (account) by the same amount that it decrements another

  18. There’s an IVP to validate CDI integrity Applying a TP to a CDI maintains integrity A CDI can only be changed by a TP Subjects can use only certain TPs on certain CDIs Triples (subject, TP, CDI) enforce separation of duty Certain TPs act on UDIs to produce CDI output Each application of a TP writes enough information to an audit-trail CDI to reconstruct its action The system authenticates subjects initiating a TP Only special subjects (security officers) can set up and alter triples Clark-Wilson Framework

  19. Actual Bookkeeping Systems • How do you do separation of duties? • Serial: • Lecturer gets money from EPSRC, charity, … • Lecturer gets Old Schools to register supplier • Gets stores to sign order form and send to supplier • Stores receives goods; Accounts gets invoice • Accounts checks delivery and tell Old Schools to pay • Lecturer gets statement of money left on grant • Audit by grant giver, university, … • Parallel: two signatures (e.g. where transaction large, irreversible, as in bank guarantee)

  20. Internal Control Theory • Employees optimise their own utility, not their employers’ (the ‘agency problem’) • Internal controls should mitigate not just fraud but nepotism, empire-building, … • Corporate governance rules like Sarbanes-Oxley (USA), Cadbury (UK) set the tone • The big accountants drive ‘good practice’ • People talk of ‘risk management’ but the process is basically evolutionary

  21. Internal Control Practice • Mustn’t just audit the finances – McKesson and Robbins collapse, 1938, had fictitious trading partners and a bogus Montreal bank • Enforcement often cyclical; firms centralise then decentralise, ease up then crack down • Systematic analysis: as in software engineering 1b, can trace worst outcomes back along workflow, or look for greatest opportunities for individual staff (ask them!) • Strategy: deter – detect – alarm – delay – response

More Related