390 likes | 467 Views
ISA 662 Information System Security. Hybrid Policies Chapter 6 from Bishop ’ s book. Overview. Chinese Wall Model RBAC ORCON Clinical Information Systems Security Policy. Chinese Wall Model. Chinese wall is a barrier between objects which result in conflicting interests The problem
E N D
ISA 662 Information System Security Hybrid Policies Chapter 6 from Bishop’s book
Overview • Chinese Wall Model • RBAC • ORCON • Clinical Information Systems Security Policy
Chinese Wall Model • Chinese wall is a barrier between objects which result in conflicting interests • The problem • An analyst is assigned to advise two competing banks • The objectivity of his opinion would be questionable • He can help one gain at the expense of the other • The solution • An analyst can only access non-conflicting objects inside his/her enclosure
Overview • Explicitly organize objects into conflict of interest (COI) classes • Control subject’s read accesses based on COI classes and prior access history • Control subject’s write accesses to avoid indirect conflict of interest • No control over reading sanitized data (data that cause no conflict of interest whatsoever)
Definitions and Notations Company dataset (CD): collection of objects about a single company • Conflict of interestclass (COI): a collection of company datasets of companies in competition Notation • Object: O • Company dataset: CD (O) • Conflict of interest class: COI (O) • Assumption: each object belongs to exactly one CD and each CD to one COI class
Texaco Shell Sunoco Mobil Bank of America Citibank object2 object1 …… Bank of the West Example Consider a COI class as an industry CD(object1)=? COI(object1)=? All Objects Bank Gasoline COI CD Object
History-based Access Control Rights depend on access history Initially, a subject can read any CD in any COI But once the subject has read any CD in the COI, he or she can never read another CD in that COI • Possible that information learned earlier may allow him to make decisions later
Sanitized Object Sanitized object is public information contained within a CD • As it is publicly available, no conflicts of interest arises from it • So, should not affect read • But it does affect write
CW-Simple Security Condition Let PR(s) be the set of objects that s has already read scan reado iff any of these conditions holds: • There is o satisfying oPR (s) and CD (o)=CD (o) • { s can read something else in the company dataset o } • For all objects o,oPR (s)COI (o)≠COI (o) • { s has not read any objects in COI (o) } • o is a sanitized object • Initially, PR(s) = , so initial read request is always granted
Texaco Shell Sunoco Mobil Alice Bob Bank of America Bank Gasoline Citibank Bank of the West What About Write? • Alice reads Citibank’s and Shell’ CD • Bob reads Bank of America’s and Shell’s CD • So Bob must not read Citibank’s CD If Alice writes what she read from Citibank’s to Shell’ CD; Bob can then read what Alice wrote
Texaco Shell Sunoco Mobil Neither Alice nor bob can write Alice Bob Bank of America Bank Gasoline Citibank Bank of the West CW-*-Property {Like Bell LaPadula} s can write to o iff both of the following hold: • The CW-simple condition permits s to read o • For all unsanitized objects o, if s can read o, then CD (o) = CD (o) • All s can read are either within the same CD, or sanitized
How Does Information Flow? • With the two conditions (CW simple security condition and CW *-property) in place, how can information flow around the system? • Main Results • Theorem 7-1: in each COI class (e.g. Bank), a subject can only read objects in a single CD (e.g. Citibank) • Theorem 7-2: at least n subjects are required to access all objects in a COI class with totally n CDs
Texaco Shell Sunoco Mobil Bank of America Citibank o2 o1 o3 o2 o1 o3 o3 Bank of the West sanitized unsanitized How Does Information Flow? (Cont’d) Information flows from o to o’ if s reads o and writes o’ Theorem 7-3: information in an unsanitized object can only flow inside that CD; information in sanitized objects can flow freely
Compare CW to Bell-LaPadula Fundamentally different • CW is based on access history, BLP is history-less • (This is important) BLP can capture CW state at any time, but cannot track changes over time • BLP security levels would need to be updated each time an access is allowed • (This does not make sense)
Overview • Chinese Wall Model • RBAC • ORCON • Clinical Information Systems Security Policy
Background A policy-neutral model • Can be used to express DAC (role as identity),MAC (role as clearance)… • A standard (http://csrc.nist.gov/rbac/) Why role? Because rights usually depend on role (job function) but not identity • Example: • Alice, a bookkeeper, has access to financial records. • If Bob replaces Alice as the new bookkeeper, Bob must have the same accesses • The role ‘Bookkeeper’ is as a bridge between subjects and rights to objects (permissions)
Background (Cont’d) • Why role? • As an intermediate layer, it simplifies the administration of access control • A transition from client-server model to 3+-tier model in transaction processing • n clients m servers n*m connections • With intermediate application servers, n+m connections Client subject, server permission, application server role
Definitions • Trans (r): authorized transactions; all transactions that role r can execute • Actr (s): active role that sis currently playing • Authr (s): authorized roles; all roles that scan play • Canexec (s, t): s can execute transaction t • Let S be the set of subjects and T the set of transactions.
Axioms Rule of role assignment: (s S)(t T) [canexec (s, t) actr (s) ≠ ]. • To execute a transaction, s must be playing some role Rule of role authorization: (s S) [actr (s) authr (s)]. • s can only play an authorized role Rule of transaction authorization: (s S)(t T) [canexec (s, t) t trans (actr (s))]. • A subject can only execute a transaction if the transaction is authorized for the active role
Containment of Roles (Role Hierarchy) Instructor can do all transactions that TA can do (and maybe more). Thus an instructor role contains a TA role where (instructor > TA). (sS)[ r authr (s) r > rrauthr (s) ] (tT)[ ttrans (r) r > rttrans (r’) ] All roles form a partial order
Separation of Duties Let predicate meauth (r) be the set of roles a subject scannot play if scan playr, because of a separation of duty requirement. • r is cashier, meauth (r) may include sales assistant Add a constraint: (r1, r2 R) [ r2meauth (r1) [ (sS) [ r1authr (s) r2authr (s) ] ] ] • If anyone works as a cashier, he/she must not work as a sales assistant.
Overview • Chinese Wall Model • RBAC • ORCON • Clinical Information Systems Security Policy
ORiginator CONtrol Problem: organization creating document wants to control its dissemination • Example: Secretary of Agriculture writes a memo for distribution to her immediate subordinates, and she must give permission for it to be disseminated to anyone else.
Requirements Subject sS marks object oO as ORCON (in organization X). X allows o to be disclosed to subjects acting on behalf of another organization Y with the restrictions: • o cannot be released to a subject in another organization without X ’s permission; and • Any copy of o must have the same restrictions placed on it.
Different between DAC and MAC DAC allows owner to set any permission MAC depends on centralized control ORCON is inherently decentralized (important)
Combine MAC and DAC • Owner does not control access after the object is copied ; access control restrictions are copied with the object • This is not DAC (owner can’t control them) • Is it MAC? • Creator (Originator) can alter access control restrictions on a per-subject and per-object basis. • This is DAC (owner can control it)
Key Points • Chinese wall policy focuses on conflict of interest • Information flows inside each CD • RBAC is a policy-neutral model • Uses role to simplify administration of access control • ORCON is different from DAC and MAC • Enforcement is a much bigger issue
Overview • Chinese Wall Model • RBAC • ORCON • Clinical Information Systems Security Policy
Clinical Information Systems Security Prototypical HIPAA Intended for medical records • Conflict of interest not critical problem • Patient confidentiality, authentication of records and annotators, and data integrity are critical Subjects and objects: • Patient: subject of medical records • Clinician: health-care professional with access to personal health information ONLY while doing job • Personal health information: data about patient’s health or treatment having identification of patient
Principles Originated in medical ethics (e.g.Hippocratic Oath) Principles • Access • Creation • Deletion • Confinement • Aggregation • Enforcement
Access 1 • Principle 1: Each medical record has an access control list naming the individuals or groups who may read and append information to the record. The system must restrict access to those identified on the access control list. • Clinicians need access, but no-one else does. • Auditors have access to copies, but they cannot alter records
Access 2 and 3 • Principle 2: One of the clinicians on the ACL must have the right to add other clinicians to it. • The responsible clinician • Principle 3: This clinician must notify the patient of the names on the ACL whenever the patient’s medical record is opened. Except for situations given in statutes, or a state of emergency, the clinician must obtain the patient’s consent. • Patient must consent to all treatment, and must be informed of any violation of security
Access 4 • Principle 4: The name of the clinician, the date, and the time of the access of a medical record must be recorded. Similar information must be kept for deletions. This is for auditing. • Don’t delete information; update it • (deletion of records only after death or when required by law). • Record information about all accesses.
Creation A clinician may open a record, if the clinician and the patient are on the ACL. If a record is opened as a result of a referral, the referring clinician may also be placed on the ACL. • Creating clinician needs access, and patient should have access. • If created from a referral, referring clinician needs access to get results.
Deletion Clinical information must not be deleted from a medical record until the appropriate time has passed. • During patient lifetime • May vary with circumstances (8 years or longer)
Confinement Information from one medical record may be appended to a different medical record iff the ACL of the second record is a subset of the ACL of the first. • This keeps information from leaking to unauthorized users. All users have to be on the access control list.
Aggregation Measures for preventing aggregation of patient data must be effective. In particular, a patient must be notified if anyone is to be added to the ACL of his or her record and if that person has access to a large number of medical records. • Fear that a corrupt investigator may obtain access to a large number of records, correlate them, and discover private information about individuals which can then be used for nefarious purposes (such as blackmail)
Enforcement Any computer system that handles medical records must have a subsystem that enforces the rules. The effectiveness of enforcement must be evaluated by independent auditors. • This policy has to be enforced, and the enforcement mechanisms must be auditable (and audited)
Comparison • BLP: imposes lattice structure on subjects/objects • Clark-Wilson provides a framework • CDIs are medical records • TPs are functions updating records, access control lists • IVPs certify: • A person identified as a clinician is one; • A clinician validates, or has validated, information in the medical record; • When someone is to be notified of an event, the notification occurs; and • When someone must give consent, the operation cannot proceed until the it is obtained • Auditing (CR4) requirement: make all records append-only, notify patient when access control list changed