220 likes | 329 Views
A Formal Security Model for Collaboration in Multi-agency Networks. Salem Aljareh Newcastle University, UK Nick Rossiter & Michael Heather Northumbria University, UK nick.rossiter@unn.ac.uk. Outline. Motivation. Security Requirements. UK Security Regulations. Task-based Perspective
E N D
A Formal Security Model for Collaboration in Multi-agency Networks Salem Aljareh Newcastle University, UK Nick Rossiter & Michael Heather Northumbria University, UK nick.rossiter@unn.ac.uk
Outline • Motivation. • Security Requirements. • UK Security Regulations. • Task-based Perspective • The CTCP/CTRP model. • Categorical Representation. • Discussion. • Current work. • References. 2nd WSIS, Porto
Motivation Vulnerabilities Model Polices Mechanisms Threats 2nd WSIS, Porto
Security Requirements • The origin of security requirements. • Rhetoric. • Concept. • Regulations. • Security Policy. 2nd WSIS, Porto
UK Security Regulations • Personal Data in General: • Data Protection Act. • Patient Record: • Caldicott Principles and Recommendations 2nd WSIS, Porto
The CTCP/CTRP model Requirements Policy Material Collaboration Task Creation Protocol CTCP Collaboration task Collaboration Task Runtime Protocol CTRP 2nd WSIS, Porto
General Principles of our Model • Relationship. • Ownership. • Authorization. • Responsibilities 2nd WSIS, Porto
Task-based Perspective as: • There is no collaboration without a task. • Can address the need-to-know problem. • The collaboration task forms the common object between the collaborators. • Shared information ownership can be granted to the collaboration task. • Tasks are scalable, flexible and dynamic. • Explicit responsibility is recognized in the task-based approach. 2nd WSIS, Porto
Collaboration Task Creation Protocol Introduction Dismiss Rethinking Negotiation Decision CTCP Discard Agreement Create Task 2nd WSIS, Porto
Collaboration Task Runtime Protocol Preparation Init Process Task Process CTRP Log Assessment Abort Update End CTCP 2nd WSIS, Porto
Exceptions -- Three Main Types • 1. The task can still continue to its normal end. • Exceptions of this type are handled within CTRP protocol by task update component. • 2. The task must be terminated and another task is required to complete the function. • The task in such cases is aborted in CTRP • The task history is used by the CTCP protocol to create another task to redo the function. • 3. The task must be terminated and there is no need for any further actions. • Handled within the CTRP protocol through ABORT 2nd WSIS, Porto
Coverage of Data Protection Act. • Principle 1: Personal data shall be processed fairly and lawfully. • Principle 2: Personal data shall be obtained only for one or more specified and lawful purposes. • Principle 3: Personal data shall be adequate. • Principle 4: Personal data shall be accurate and, where necessary, kept up to date. • Principle 5: Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. • Principle 6: Personal data shall be processed in accordance with the rights of data subjects under this Act. • Principle 7: Appropriate measures shall be taken against unauthorised processing of personal data. • Principle 8: Personal data shall not be transferred to a country or territory outside the European Economic Area. 2nd WSIS, Porto
Correspondence of DPA Principles and CTCP/CTRP Components 2nd WSIS, Porto
Coverage of Caldicott Principles • Principle 1:Justify the purpose(s) • Principle 2: Don't use person-identifiable information unless it is absolutely necessary • Principle 3:Use the minimum necessary person-identifiable information • Principle 4:Access to person-identifiable information should be on a strict need-to-know basis • Principle 5:Everyone with access to person-identifiable information should be aware of their responsibilities. • Principle 6:Understand and comply with the law. 2nd WSIS, Porto
Correspondence of Caldicott Principles and CTCP/CTRP Components 2nd WSIS, Porto
Categorical Model of Security System 2nd WSIS, Porto
Correspondence -- categorical: CTCP/CTRP model • corresponds to the protocol CTCP whereby a limit C XB A is selected for a particular purpose C/B through negotiation. • Existential functor is a type constraint: there must exist for all policy rules in C XB A an entry in the system C/B. • Universal quantifier functor corresponds to the protocol CTRP: all the rules held in the negotiated policy are applied. 2nd WSIS, Porto
Use of Petri Net Notation • Increasingly used in security area • Suitable for situations with: • concurrency, • asynchronicity, • distribution, • parallelism • non-determinism. • Model states and transitions 2nd WSIS, Porto
Types of Petri Nets • Simple ones may not be adequate • More complex examples: • Timed Petri-Nets • Stochastic Petri-Nets • Coloured Petri Nets 2nd WSIS, Porto
Discussion • Sources of the security requirements sources. • Coverage of general security regulation and medical security regulation. • Software engineering principles are met (Maximal cohesion, low coupling and efficient execution). • Balance between Category Theory and Petri Nets 2nd WSIS, Porto
Case Studies • Case study multi-agency security requirements in the Electronic Health Record. • Testing our model against the EHR security requirements. 2nd WSIS, Porto
References • Aljareh, S., J. Dobson and Rossiter N. Satisfaction of Health Record Security Principles through Collaborative Protocols, 8th International Congress in Nursing Informatics. Brazil 20-25 June 2003. • Aljareh, S., & Rossiter N., 2001, Toward security in multi-agency clinical information services, Proceedings Workshop on Dependability in Healthcare Informatics, Edinburgh, 22nd-23rd March 2001, 33-41. • Aljareh S., Rossiter N. A Task-based Security Model to facilitate Collaboration in Trusted Multi-agency Networks.In proceedings of ACM-SAC2002, Symposium on Applied Computing, 10–14 March 2002, Madrid pp 744-749. 2nd WSIS, Porto