480 likes | 487 Views
This research paper explores the challenges in protecting information when access is granted for collaboration, highlighting the need for secure collaboration among colleagues. The paper discusses the dominant approaches for data protection and the gap in assuming that access rights equal retrievable data. It also proposes a security mediator system to address the issues.
E N D
T I H I / SAW / TID Protecting Information when Access is Granted for Collaboration A Point-of-failure in Protecting Information Gio Wiederhold Stanford University August 2000 TIHI IFIP WG Schoorl Gio Wiederhold
Research Support • NSF-HPCC / SRI -- sharing information in healthcare • DARPA / SRI -- sharing information in manufacturing • NSF-NIH -- protecting information concealed in images • Incyte / SST -- protecting genomic information Participants -- Staff and students Michel Billelo, PhD, MD Stanford Maggie Johnson, PhD, Stanford & SST Shelley Qian, PhD , Vitria ex SRI International, Latanya Sweeney, PhD, CMU Jahnavi Akella, MS Stanford Jerry Cain, Stanford BS & SST Andrea Chavez, JD, MS Stanford Chris Donahue. BS Stanford & SST Antoine Picard, MS Stanford &SST Vatsala Sarathy, MS Stanford James Wang, PhD, now Penn State TIHI IFIP WG Schoorl Gio Wiederhold
Security: protection and assurance : Crucial progress in protection is being made:Remote TransmissionAuthenticationFirewalls around domains protect against enemies.Much research based on Cryptography TIHI IFIP WG Schoorl Gio Wiederhold
Remaining Issue: Assuring Secure Collaboration Not versus enemies, but among colleagues, who need to share some, but not all information TIHI IFIP WG Schoorl Gio Wiederhold
Medical Records è Insurance Company Medical Records è Medical Researchers Collaboration Needs: Manufacturer’s Specs è Subcontractor Operational Data è Logistics Provider Intelligence Data è Front-line soldier Strategic Data è Allied Forces TIHI IFIP WG Schoorl Gio Wiederhold
Dominant approach for Data • Authenticate Customer in Firewall • Validate query against database schema • If both O.K., process query and ship results firewall result customer query sources authentication database access & authorization agent TIHI IFIP WG Schoorl Gio Wiederhold
The Gap: Assumption that Access right = Retrievable data • Access rights assume a certain partitioning of data • Domain data are partitioned accord to internal needs • They only match in simple cases / artificial examples firewall result customer query data sources are rarely perfectly matched to all access rights authentication database access & authorization agent TIHI IFIP WG Schoorl Gio Wiederhold
False Assumption Data in the files of an enterprise are organized according to external access rights Inefficient and risky for an enterprise which uses information mainly internally and then must serve external needs TIHI IFIP WG Schoorl Gio Wiederhold
Access Patterns versus Data: Accounting Accreditation Laboratory Laboratory staff Medical Research Clinics Insurance Carriers Ward staff Billing Pharmacy Inpatient Patient Physician Etc.. CDC Gio Wiederhold TIHI Oct96 9 TIHI IFIP WG Schoorl Gio Wiederhold
Problems Seen Healthcare Objects (N) cannot be organized according to all possible access classifications (a) = (Na) Nursing hierarchy by bed and ward Infectious disease hierarchy by risk Query do not specify object precisely Relevant history for low-weight births (helpful database gets extra stuff) Some objects cover multiple classes Patient with stroke and HIV Some objects are misfiled (happens easily to others), costly/impossible to guarantee avoidance Psychiatric data in patient with alcoholism TIHI IFIP WG Schoorl Gio Wiederhold
Check the content of the result before it leaves the firewall Security mediator : Human & software agent module Filling the Gap firewall result query TIHI IFIP WG Schoorl Gio Wiederhold
Result Checking is understoodand performed today in non-computerized settings: • Briefcases are inspected when leaving secure meetings • Computers, tapes,disks, etc. cannot be taken out of highly secure facilities • Trucks are inspected on exiting a factory Computer security system requirements have been modeled poorly wrt practice TIHI IFIP WG Schoorl Gio Wiederhold
External Customer Overall Schematic Security Officer's Mediator System Database Firewall Internal Customer Network TIHI IFIP WG Schoorl Gio Wiederhold
Security Mediator • Software module, intermediate between "customers" and databases within firewall • Resides on security's officer's machine (may have to be multi-level secure); accessed via firewall protection by customers • Under control of security officer, via simple security-specific rules • Performs bidirectional screening (queries and results ) TIHI IFIP WG Schoorl Gio Wiederhold
Security Officer :-( • Profile • Human responsible for database security/privacy policies • Must balance data availability vs. data security/privacy • Tasks (current) • Advises staff on how to try to follow policy • Investigates violations to find & correct staff failures • Has currently no computer-aided tools • Tasks (with mediators) • Defines and enters policy rules in security mediator • Monitors exceptions, especially violations • Monitors operation, to obtain feedback for improvements TIHI IFIP WG Schoorl Gio Wiederhold
Assigning the Responsibility • Database Administrator • Can create views limiting access in RDMSs • Prime role is to assure convenient data access • Network Administrator • Can restrict incoming and outgoing IP addresses • Prime role is to keep network up and connected to the Internet • Specialist Security Officer • Prime responsibility is security & privacy protection • Implements security policy • Interacts with database & network administrators :-) :-| :-( TIHI IFIP WG Schoorl Gio Wiederhold
Roles :-( Security officer manages security policy, not a computer specialist or database administrator. Computer specialistprovidestools agent workstation program for security mediation Enterprise / institution defines policies its security officer (SO) uses the program as the tool Tool formalizes system practices rules, managed by the SO define the practice oo -) TIHI IFIP WG Schoorl Gio Wiederhold
Security requires attention :-( • Security officer’s focus is security • not for a computer system designer, • nor database or network administrator, • nor for management. • SO has hardware&software ownership • Having a tool enables the role • Security mediator provides logging for • focused audit trail • system improvements • accountability TIHI IFIP WG Schoorl Gio Wiederhold
Hardware • Computer workstation • UNIX and NT implementation • external access through firewall • firewall can provide authentication • internal access to database(s) that contain releasable information • multi (two)-level security provision • internal storage, inside firewall: • rules defining cliques - external roles • log of accepted and denied requests • mediator software TIHI IFIP WG Schoorl Gio Wiederhold
Software Components • Rule interpreter • Primitives to support rule execution • Rule maintenance tools • Log analysis tool • Firewall interface • Domain database interface • Logger service mainte- nance support TIHI IFIP WG Schoorl Gio Wiederhold
Rule system • Optional: without rules every interaction goes to the security officer (in & out) • Creates efficiency: routine requests will be covered by rules: 80%instances / 20%types • Gives control to Security officer: rules can be incrementally added/deleted/analyzed • Primitives simplify rule specification: source, transmit date/time, prior request, ... TIHI IFIP WG Schoorl Gio Wiederhold
Application of Rules authenticated ID Query Checking else Query Parse Query edits success ancillary requests failure SO Exter- nal Data Re- ques- tors error rule Firewall Execute Query in DBMS (s) customer advice results ancillary results authenticated ID Result checking cleared results else edits Results TIHI IFIP WG Schoorl Gio Wiederhold
Rule Processing Features: • Paranoia: Every applicable rule must be enforced for a query to be successful or a result to be releasable, else delegated to the security officer (SO) • Default: If no rule applies rules then delgate to SO • SO can pass, reject, or edit queries and results • SO may inform customer, mediator software will not • All queries and results, successful or not, are logged for audit • Rules are stored within the mediator, with exclusive security access by the SO Gio Wiederhold TIHI Oct96 23 TIHI IFIP WG Schoorl Gio Wiederhold
The Rule Language Goals: • Simple and easy to formulate by the SO • Easy to enter and observe into the system • Employs a collection of primitive functions to provide comprehensive and adequate security • Functions can exploit views in RDBMS • Some rule functions provide text validation • Some functions may need domain knowledge • Functions to process manufacturing designs • Functions to extract text from images TIHI IFIP WG Schoorl Gio Wiederhold
Rule Organization • Rules are categorized as: • SET-UP (Maintenance) • PRE-QUERY • POST-PROCESSING • External, authenticated users are grouped into Cliques to simplify rule management • Tables and their columns are grouped into segments to simplify access managment • Rules use primitives supplied by specialists TIHI IFIP WG Schoorl Gio Wiederhold
Primitives - open-ended Selected by rules for various clique roles • Allow / disallow values • Allow / disallow value ranges • Limit results to approved good-word lists • Disallow output containing bad words • Limit output to specified times, places • Limit number of queries per period • Can augment queries for better result filtering • Transform results (de-identification, randomize), • …. TIHI IFIP WG Schoorl Gio Wiederhold
Writing Primitives Primitives must be secure! • careful validation • enabled by small size and • narrow functionality • break the DBMS transaction model • use log to count prior access requests • check for inference potential • access requestor descriptions and history TIHI IFIP WG Schoorl Gio Wiederhold
Creating Wordlists TIHI is Paranoid • Result filtering primarily based on Good-word lists • Created by processing examples of O.K. responses • Augmented dynamically by terms found objectionable by system, but approved by security officer • Current work • Image filtering, to omit and extract text from images • Possible future work • use nounphrases to increase specificity TIHI IFIP WG Schoorl Gio Wiederhold
Filtering of text Not perfect: • Words out-of-context can pass the filter • ophtamology: don’t pass names: Iris Smith • Risk reduces rapidly with multiple words • Can never have all good-words in list • Load for security officer -- seek a balance • Cost: all of contents must be processed • Good technology from spell checkers • Domain-specific word-lists are modest in size TIHI IFIP WG Schoorl Gio Wiederhold
Rules implement policy • Tight security policy: • simple rules • many requests/responses referred to security officer • much information output denied by security officer • low risk • poor public and community physician relations • Liberal but careful security policy • complex rules • few requests/responses referred to security officer • of remainder, much information output denied by security officer • low risk • good public and community physician relations • Sloppy security policy • simple rules • few requests/responses referred to security officer • little information output denied by security officer • high risk • unpredictable public and community physician relations TIHI IFIP WG Schoorl Gio Wiederhold
Security Mediator oo -) Coverage of Access Paths Security officer Authentication based control :-( validated to be O.K. good/ bad prior use good guy history security needs good query DB schema- based control Database adminis- trator result is likely O.K. ancillary information O.K. processable query performance, function requests Database TIHI IFIP WG Schoorl Gio Wiederhold
Scalability A security mediator • can handle multiple roles • each role is defined by its set of rules • rules and primitives are selected from a common base • be replicated for distinct accessor types • provide multiple ports in one firewall • allows specialization in security officers • can handle major policy distinctions TIHI IFIP WG Schoorl Gio Wiederhold
Security Mediator Benefits • Dedicated to security task (may be multi-level secure) • Uses only its rules and relevant function, all directly, avoids interaction with DB views and procedures • Maintained by responsible authority: the security officer • Policy setting independent of database(s) and DBA(s) • Logs just those transactions that penetrate the firewall, records attempted violations independent of DB logs* • Systems behind firewall need not be multi-level secure • Databases behind firewall need not be perfect *also used for replication, recovery, warehousing Gio Wiederhold TIHI Oct96 33 TIHI IFIP WG Schoorl Gio Wiederhold
Implementations • UNIX prototype • UNIX - Java at Incyte Corporation [SST] • protect medical & genomic information • NT - Java development system • Primitives for Drawings, as Aircraft Specs • Trusted Image Dissemination • wavelet-based decomposition to locate texts, • extract for OCR • blank text frequency if not found in good rules TIHI IFIP WG Schoorl Gio Wiederhold
External Requestors IntegratingMediator Protected, Shared Databases Integration bypasses DBA protection certified result original request Firewall S.O. Security Mediator certified query partially filtered results NwA DBA Internal Requestors TIHI IFIP WG Schoorl Gio Wiederhold
Effective Settings for SecMed • External access is a modest fraction of total use collaboration, government oversight, safety monitoring • Restructuring internal partitioning would induce significant inefficiencies for example: Hospital: MD/patients vs. research/insurance • Errors are seriously embarrassing in practice 2-5% of data are misfiled, doing better is costly • Locus of control is needed Security officer cannot trust/control DB / network admin’s TIHI IFIP WG Schoorl Gio Wiederhold
TIHI Summary Collaboration is an underemphasized issuebeyond encrypted transmits, firewalls, passwords, authentication There is a need for flexible, selective access to data without the risk of exposing related information in an enterprise In TIHI service is provided by the Security Mediator: a rule-based gateway processor of queries and results under control of a security officer who implements enterprise policies Our solution has been applied to Healthcare also relevant toCollaborating (virtual) enterprises and in manyMilitary situations. Gio Wiederhold TIHI Oct96 37 TIHI IFIP WG Schoorl Gio Wiederhold
Backup slides TIHI processing Gio Wiederhold TIHI Oct96 38 TIHI IFIP WG Schoorl Gio Wiederhold
Idea Check for traps • Insert distinct password into password file, check for it being reported out. TIHI IFIP WG Schoorl Gio Wiederhold
General mediation approach: isolate value-added processing Human-computer Interaction User interface Application- specific code Service interface Domain- specific code Mediator owner and maintainer MEDIATION Resource access interface Source- specific code Real-world interface Gio Wiederhold TIHI Oct96 40 TIHI IFIP WG Schoorl Gio Wiederhold
Rule Type Examples • add_user user_name clique_name (Set-up) • del_user user_name clique_name (Set-up) • add_segment table.column segment_name (Set-up) • del_segment table.column segment_name (Set-up) • set_stat_only clique_name true/false (Pre) • limit_queries_per_session x clique_name (Pre) • limit_clique_to_segment clique_name segment_name (Pre) • limit_min_rows_retrieved x clique_name (Post) • limit_num_queries x segment_name (Post) • validate_text table.column x good_words (Post) • set_randomize_clique clique_name true/false (Post) • set_randomize_segment segment_name true/false (Post) Gio Wiederhold TIHI Oct96 41 TIHI IFIP WG Schoorl Gio Wiederhold
Rules... (continued) • limit_query_intersection_clique x clique_name (Post) • limit_query_intersection_segment x segment_name (Post) • secure_keyword_clique keyword clique_name (Post) • secure_keyword_segment keyword segment_name (Post) • limit_session_time x clique_name (Pre/Post) • limit_user_hours_end x clique_name (Post) • limit_segment_hours_start x segment_name (Pre) • limit_user_hours_start x clique_name (Pre) • limit_segment_hours_end x segment_name (Post) • limit_function function_name clique_name (Pre/Post) Gio Wiederhold TIHI Oct96 42 TIHI IFIP WG Schoorl Gio Wiederhold
Security Table Definition CREATE TABLE security_rules ( security_function char(32) NOT NULL, object_name char(32) NOT NULL, object_value char(32) NOT NULL); Security Function Object Name Object Value Limit_User clique_name user_name Limit_Segment segment_name table.column Stat_Only ALL/clique true/false Queries_Per_Session ALL/clique integer Limit_Clique_To_Segment ALL/clique segment_name Randomize_clique ALL/clique true/false Randomize_Segment ALL/segment true/false Gio Wiederhold TIHI Oct96 43 TIHI IFIP WG Schoorl Gio Wiederhold
Security Table Definition... (continued) Security Function Object Name Object Value Validate_text table.column invalid_words Min_Rows_Retrieved ALL/clique integer Num_Queries_Segment ALL/segment integer Query_Intersection_Clique ALL/clique integer Query_Intersection_Segment ALL/segment integer Secure_Keyword_Clique ALL/clique keyword Secure_Keyword_Segment ALL/segment keyword Session_Time ALL/clique TIME User_Hours_Start ALL/clique start_time User_Hours_End ALL/clique end_time Segment_Hours_Start ALL/segment start_time Segment_Hours_End ALL/segment end_time Limit_Function_Clique ALL/clique function_name Gio Wiederhold TIHI Oct96 44 TIHI IFIP WG Schoorl Gio Wiederhold
Rule application - Overview • Does customer belong to a clique? If yes, switch to it • Does the customer clique satisfy all pre-query rules? (e.g., Session_Start, Stat_Only, Queries_Per_session) • Do the columns and tables belong to a segment? • Does the query satisfy all pre-query rules? (e.g., valid segments) • Does query need re-phrasing or augmentation? (e.g., Stat_Only to detailed Select) • Send Query to appropriate Database (or mediator) • Does query result satisfy all post-query rules? (e.g. Min_Rows_Retrieved, Secure_Keyword_Clique) • Apply any result transformation rules (e.g. random falsification of data, aggregation) • Update log and internal statistics Gio Wiederhold TIHI Oct96 45 TIHI IFIP WG Schoorl Gio Wiederhold
Implementation Set-up • Security Officer enters rules into a file • Rule file is parsed to generated SQL script to insert rows into the security_rules table • SQL script is executed against the database Gio Wiederhold TIHI Oct96 46 TIHI IFIP WG Schoorl Gio Wiederhold
Implementation... (continued) Customer Session Loop • Security Mediator Workstation accepts the customer query, logs it, and passes control to the Security Mediator Software (SMS) • SMS reads the security_rules table and calls many different modules (sub-routines) to validate the query (pre-query checks) • If okay, SMS executes the query (Embedded SQL calls) • Mediator Workstation gets results from the database and calls other SMS modules to perform the post-query checks • If all checks are passed, the Mediator Workstation logs and returns results; awaits another invocation • Result is accepted by customer and used or displayed Gio Wiederhold TIHI Oct96 47 TIHI IFIP WG Schoorl Gio Wiederhold
System Operations • Customer connects remotely, via firewall for authentication, to security officer's machine • Clique membership is assessed • System prompts customer for query • Query is parsed and validated against rules • Validated query is sent to database system • Results are retrieved and validated against rules • Validated results are made available to customer Gio Wiederhold TIHI Oct96 48 TIHI IFIP WG Schoorl Gio Wiederhold