Grand Challenges for Enterprise Security Policies
+ Nondisclosure policies for distributed computations
Arnon Rosenthal, MITRE (visiting IBM Almaden)
Outline of Challenges Talk
• Four big challenges
  • Security model for multi-model DBMSs
  • Compilation to heterogeneous enforcers
  • Mapping from abstract to implementation policies
  • Mapping between organizations’ policies
• Brief comments on policy-related research in data privacy/security
1. How can one DBMS best support multiple security models?
[Diagram: one DBMS security layer fronted by separate security models (SQL security model, XML sec. model, RDF sec. model, OWL sec. model), each with its own policy (SQL policy, XML policy, RDF policy, OWL policy) over virtual tables, virtual docs, virtual RDF and virtual OWL views of the same DBMS; enforcement options shown include filters based on row labels, P3P and XACML; an AddTable and an AddTree graphic.]
How to support multiple security models?
[Diagram: DBMS security, with SQL, OWL, XML and RDF security models layered over a common abstract model.]
• Abstract Data Model: containment, derived data, m’data… (in enough detail to drive security)
• Abstract Security Model: attach a policy to objects
• General security, e.g.:
  - Ownership
  - Revoke or limit privilege
2. Compile to heterogeneous enforcers
[Diagram: one policy (in one language) compiled to heterogeneous enforcers; semantic heterogeneity is addressed later.]
Enforcement Mechanisms
Compile high level policy to heterogeneous enforcers, which include:
• User agents (P4P?)
• DBMSs, document and image servers (bottom tier)
• Middleware (on service/method calls)
  • Cannot act differently on each retrieved object
• Application code
• Boundary enforcement, e.g., air gaps, high assurance guards, low assurance filters on email
• GUI (user friendly but low assurance)
• Human decisions (expensive, slow, error-prone)
Each of these is separately administered, today!
• Imagine documents with a consistent schema (for subparts and m’data), but accessed thru content managers, DBMSs, services. Compile a policy to all of them.
• Next, assume m’data is in DBMS, text in content manager, versioning via service. Compile policies down.
Challenge 2: The Official Policy is not in terms of implementation artifacts
“Individually identified medical data shall be available only to professionals treating the patient (with confidence profile P3).”
[Diagram: the policy sentence, a “?”, and the implementation artifacts it must be mapped onto: a lab message (blood type), firewalls, physical DB schemas.]
2. Compile “business” policies to physical implementation
“Individually identified medical data shall be available only to professionals treating the patient (with confidence profile P3).”
• What data is “medical”, “individually identified”?
• Who are “professionals treating this patient”?
• Confidence needed in:
  • Technical measures
  • Metadata admin
  • Partners
[Diagram: metadata and ontologies (user m’data, system m’data) feed the step “install policies on tables, documents”, which needs a suitable data allocation and execution plan.]
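As an added example, not from the talk: the medical-data policy above attached to an abstract model (objects tagged with ontology terms) and compiled to two of the enforcers listed earlier, a DBMS view (bottom tier) and a per-document predicate for a content manager (middleware tier). The schemas, the tag vocabulary (“medical”, “identifying”), the role name, the `treats(user_id, role, patient_id)` relationship table and `CURRENT_USER` are all assumptions standing in for the metadata and ontologies the slide says must answer “what data is medical” and “who treats this patient”.

```python
# Added example (not from the talk): one abstract nondisclosure policy compiled
# to two enforcers, a DBMS view and a content-manager filter. The schemas,
# tags, role names and the `treats` relationship are all assumptions.
from collections import namedtuple

Column = namedtuple("Column", "name tags")      # tags: ontology terms from metadata
Table = namedtuple("Table", "name columns")
Policy = namedtuple("Policy", "requires_tags allowed_role relation subject_key")

# "Individually identified medical data shall be available only to
# professionals treating the patient", stated against the abstract model.
MEDICAL_POLICY = Policy(
    requires_tags=frozenset({"medical", "identifying"}),  # covers objects with ALL
    allowed_role="professional",
    relation="treats",         # requester must stand in this relation to subject
    subject_key="patient_id",  # field naming the protected subject (assumption)
)

# Hypothetical physical schemas; the metadata layer supplies the tags.
LAB_RESULTS = Table("lab_results", (
    Column("patient_id", frozenset({"identifying"})),
    Column("blood_type", frozenset({"medical"})),
    Column("collected_on", frozenset()),
))
BLOOD_TYPE_STATS = Table("blood_type_stats", (   # de-identified aggregate
    Column("blood_type", frozenset({"medical"})),
    Column("patient_count", frozenset()),
))


def applies_to(policy, tags_present):
    """True when an object carries every tag the policy protects."""
    return policy.requires_tags <= tags_present


def compile_to_sql(policy, table, rel_table="treats"):
    """DBMS-tier enforcer: a view hiding rows the caller may not see.
    Assumes a table `treats(user_id, role, patient_id)` and CURRENT_USER."""
    cols = ", ".join(c.name for c in table.columns)
    present = frozenset().union(*(c.tags for c in table.columns))
    if not applies_to(policy, present):        # not covered: pass-through view
        return f"CREATE VIEW {table.name}_v AS SELECT {cols} FROM {table.name};"
    key = policy.subject_key
    return (
        f"CREATE VIEW {table.name}_v AS SELECT {cols} FROM {table.name} t "
        f"WHERE EXISTS (SELECT 1 FROM {rel_table} r WHERE r.{key} = t.{key} "
        f"AND r.role = '{policy.allowed_role}' AND r.user_id = CURRENT_USER);"
    )


def compile_to_doc_filter(policy):
    """Content-manager/middleware enforcer: a per-document predicate.
    doc = {"fields": {...}, "tags": {field: [tags]}}; requester =
    {"user_id", "role", "treats": set of patient ids} (constructed shapes)."""
    def allow(doc, requester):
        present = frozenset().union(*doc["tags"].values())
        if not applies_to(policy, present):
            return True                        # not covered: release
        subject = doc["fields"].get(policy.subject_key)
        return (requester["role"] == policy.allowed_role
                and subject in requester.get(policy.relation, set()))
    return allow


# Constructed sample documents and requesters for a stand-alone run.
LAB_DOC = {"fields": {"patient_id": "p17", "blood_type": "O-"},
           "tags": {"patient_id": ["identifying"], "blood_type": ["medical"]}}
STATS_DOC = {"fields": {"blood_type": "O-", "patient_count": 42},
             "tags": {"blood_type": ["medical"], "patient_count": []}}
TREATING_DOCTOR = {"user_id": "u1", "role": "professional", "treats": {"p17"}}
OTHER_DOCTOR = {"user_id": "u2", "role": "professional", "treats": {"p99"}}
BILLING_CLERK = {"user_id": "u3", "role": "clerk", "treats": {"p17"}}


def demo():
    """Compile the one policy object for both tiers and return the results."""
    allow = compile_to_doc_filter(MEDICAL_POLICY)
    return {
        "sql_lab": compile_to_sql(MEDICAL_POLICY, LAB_RESULTS),
        "sql_stats": compile_to_sql(MEDICAL_POLICY, BLOOD_TYPE_STATS),
        "doc_decisions": [allow(LAB_DOC, TREATING_DOCTOR), allow(LAB_DOC, OTHER_DOCTOR),
                          allow(LAB_DOC, BILLING_CLERK), allow(STATS_DOC, OTHER_DOCTOR)],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running the file prints the two view definitions and the four document decisions. The point is that a single policy object plus metadata tags drives both enforcers, and that a de-identified table or document falls outside the policy without any per-enforcer rule having to be written; the confidence the slide asks for then rests on the tags being right, which is the metadata-admin part of the problem.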
Translate and transfer policy across organizations and systems
Aetna Travel Insurance
• Enforcement: application server
• Policy applied: US (NY)
• Roles: HIPAA spec (Aetna version)
Open questions in mapping between them (?):
• What data is: medical; individually identified
• Who are: professionals treating this patient; insurance approver (role only in US)
• Confidence in: technical measures; metadata admin; partners
Paris Hospital
• Enforcement: DBMS
• Policy applied: France
• Roles: Hospital (Emergency Care)
Employing a research idea: Inference control
• You have a full description of what the attacker knows
• No collusion between requests from different User IDs
• Administrators have identified all sensitive fields
  • Or it’s worthwhile to protect just a few
• Efficiency: extra factor of 5 is OK
• No updates
Black bullets limit applicability. Not to zero, but is it a good place to invest scarce talent? 1-2 probably can’t be removed by more research! Spend $$$$ for high certainty (locally), but partial solutions won’t give a large factor of protection.
What’s different about privacy?
• Millions of administrators, opting in and out
• Human (Corporate? Animal?) right
Privacy and Nondisclosure
• Equating privacy with nondisclosure makes both terms less useful
• Privacy involves
  • Rights
  • Notification, correctness, minimal collection and retention, …
• Nondisclosure also applies to
  • Military plans, investigative reports
  • Lion King video
An easily-applied categorization
• Ask what stakeholder a policy protects
  • Privacy: the person (or entity) described
  • Enterprise secrecy: the entity controlling the database
  • Intellectual property: the provider of the info
• Security usually adds integrity and availability (under attack)
  • Contrast with data quality and system availability, which try to protect against Murphy’s Law