Gio CS Forum Oct01-1
Gio Wiederhold
1. Stanford University CSD (mostly) www-db.stanford.edu/people/gio.html
2. Symmetric Security Technologies www.2ST.com
TIHI: Protecting Information when Access is Granted for Collaboration
Gio CS Forum Oct01-2
Information for Collaboration
Strategic Data -> Allied Forces
Intelligence Data -> Front-line soldier
Operational Data -> Logistics Provider
Business Vendor Content -> Customer
Medical Records -> Medical Researchers
Medical Records -> Insurance Company
Manufacturer's Specs -> Subcontractor
Gio CS Forum Oct01-3
Access Patterns versus Data:
Gio Wiederhold TIHI Oct96 3
Diagram labels: Laboratory, Billing, Patient, Accounting, Physician, Insurance Carriers, Clinics, Laboratory staff, Ward staff, Medical Research, Pharmacy, Inpatient, Etc., Accreditation, CDC
Gio CS Forum Oct01-4
Primitive and Safe: Isolation
airgaps
Discretionary security
Mandatory security
• No communication among disjoint systems
• All sharing of information by data re-entry
Gio CS Forum Oct01-5
Automation of Sharing
• Multi-level secure (MLS) system
– Involves OS and DBMS
– Programmed read up – write down permitted
– Complex – hard and lengthy (1y+) to validate
Gio CS Forum Oct01-6
MLS problem: inconsistency
(Diagram: Secret | Secret)
• Information at each level is incomplete – Make up cover stories?
• OK for enemies
• Not acceptable for our own staff/soldiers
Gio CS Forum Oct01-7
Multi-computer system approach
• Uses more computers – are cheap now
• Secure communication – typically manually monitored
• Avoids complexity, lags of MLS systems – Validation in communication portals
Gio CS Forum Oct01-8
Security and Cryptography
• Encryption is essential
– Hides information from enemies
– Isolates layers from each other
– Allows shared use of communication paths
• Encryption is not the solution, only a tool
– Isolated data do not provide information
– Software processes clear data
– Software is too large, dynamic to validate timely
– 95% of failures are people failures
No obvious solution: new thinking needed
Gio CS Forum Oct01-9
False Assumption
Data in the files of an enterprise are organized according to external access rights.
Inefficient and risky for an enterprise which uses information mainly internally and then must serve external needs.
Gio CS Forum Oct01-10
The Gap: Assumption that Access right = Retrievable data
• Access rights assume a certain partitioning of data
• Enterprise data are partitioned for internal needs
• Partitions only match in simple cases/artificial examples
Diagram: customer -> query -> authentication -> firewall -> database access & authorization agent -> result; data sources are rarely perfectly matched to all access rights
Gio CS Forum Oct01-11
Technical Access Problems: Military
More direct connectivity creates risks: 'disintermediation'
Query cannot specify object precisely: 'Causes for low unit readiness?' (helpful database gets extra stuff)
Objects (N) are not organized according to all possible access classifications (a) = (N a): 'Problems with ship propulsion, but not propellers'
Some objects cover multiple classes: 'Units in Persian Gulf?'
Some objects are misfiled (happens easily to others), costly/impossible to guarantee avoidance: Intel data in operational mission file
Gio CS Forum Oct01-12
Technical Access Problems: Health Care
Queries do not specify object precisely: Relevant history for low-weight births (helpful database gets extra stuff)
Objects (N) are not organized according to all possible access classifications (a) = (N a): Nursing hierarchy by bed and ward; Infectious disease hierarchy by risk
Some objects cover multiple classes: Patient with stroke and HIV
Some objects are misfiled (happens easily to others), costly/impossible to guarantee avoidance: Psychiatric data in patient with alcoholism
Gio CS Forum Oct01-13
Access Rights/Needs Overlap
Diagram of overlapping access needs: Logistics, Warfighters, Intel, PR, Allies, NCA, COTS, JC
Gio CS Forum Oct01-14
Security Objective in Collaboration?
Prevent Inappropriate Disclosure of Information!
This differs from preventing access to computers and information, as is needed to protect from invaders and hackers.
ACCESS CONTROL is based on metadata: descriptions and labels, set a priori, are checked.
RELEASE CONTROL also sees contents: it works also when metadata cannot / does not adequately describe content information.
Gio CS Forum Oct01-15
Dominant approach for Data
• Authenticate Customer in Firewall
• Validate query against database schema
• If both O.K., process query and ship results
Diagram: customer -> query -> authentication -> firewall -> database access & authorization agent -> sources -> result
Gio CS Forum Oct01-16
Today: Many Coalitions
Foreign: NATO, +, British, French, Kosovo IFOR, ...
• Each has its own, intersecting requirement
• Discretionary access at lower levels
– Policies for dozens of countries controlling release of Data and Metadata
• Many duplicated systems
– High rate of information transfer among them
– Excessive load creates high error rates
– Difficult to protect from hackers and enemies
Gio CS Forum Oct01-17
Changing Security Protection
Yesterday: Internal Focus. Access is granted to trusted employees only.
Today: External Focus. Payors, suppliers, customers and prospects all need some form of access.
Yesterday: Centralized assets. Applications and data are centralized in fortified IT bunkers.
Today: Distributed assets. Applications and data are distributed across servers, locations, and business units.
Yesterday: Prevent losses. The goal of security is to protect against confidentiality breaches.
Today: Generate revenue. The goal of security is to enable e-Commerce & collaboration.
Yesterday: IT control. DB/Network manager decides who gets access.
Today: Local control. Functional units need the authority to grant access.
Gio CS Forum Oct01-18
Access right = Retrievable data
• Access rights assume a certain partitioning of data
• Domain data are partitioned according to internal needs
• They only match in simple cases / artificial examples
Diagram: customer -> query -> authentication -> firewall -> database access & authorization agent -> result; data sources are rarely perfectly matched to all access rights
Gio CS Forum Oct01-19
Symmetric Solution
Symmetric checking of both access to data and the subsequent release of data
• Access Control with authentication and authorization of collaborators upon entry
• Content-based release filtering of data when exiting the secure perimeter
Gio CS Forum Oct01-20
Filling the Gap
Diagram: query -> firewall -> result; check the content of the result before it leaves the firewall
Security mediator: Human & software agent module
Gio CS Forum Oct01-21
Security Mediator
• Dedicated hardware plus software module, intermediate between "customers" and databases within firewall
• A modern tool for the security officer, accessed via firewall protection by customers (or collaborators) with assigned roles
• Managed by the security officer, via simple security-specific rules that match filters to roles
• Performs symmetric screening (queries and results)
Gio CS Forum Oct01-22
Result Checking
is understood and performed today in many non-computerized settings:
• Briefcases are inspected when leaving secure facilities
• Computers can not be taken (in nor) out of SCIFs
• Vehicles are inspected also on exiting warehouses with valuable contents
Computer security system requirements have been modeled poorly with respect to such practice
Gio CS Forum Oct01-23
Overall Schematic
Diagram: External Customer -> Network -> Firewall -> Security Officer's Mediator System -> Database; Internal Customer accesses the Database directly
Gio CS Forum Oct01-24
Hardware
• Computer workstation
– UNIX and NT implementation
– external access through firewall: firewall can provide authentication
– internal access to database(s) that contain releasable information: multi (two)-level security provision
– internal storage, inside firewall:
• rules defining cliques - external roles
• log of accepted and denied requests
• mediator software
Gio CS Forum Oct01-25
Software Components
• Rule interpreter
• Primitives to support rule execution
• Rule maintenance tools
• Log analysis tool
• Firewall interface
• Domain database interface
• Logger
(grouped on the slide as support, service and maintenance components)
C++ and Java implementations
Gio CS Forum Oct01-26
Rule Processing
Features:
• Paranoia: Every applicable rule must be enforced for a query to be successful or a result to be releasable, else process by the security officer (SO)
• Default: If no rule applies then process by SO
• SO can pass, reject, or edit queries and results
• SO may inform customer, mediator software will not
• All queries and results, successful or not, are logged for audit
• Rules are stored within the mediator, with exclusive security access by the SO
Gio CS Forum Oct01-27
The Rule Language
Goals:
• Simple and easy to formulate by the SO
• Easy to enter and observe in the system
• Employs a collection of primitive functions to provide comprehensive and adequate security
• Functions can exploit views in RDBMS
• Some rule functions provide text validation
• Some functions may need domain knowledge
– Functions to process manufacturing designs
– Functions to extract text from images
Gio CS Forum Oct01-28
Rule Organization
• Rules are categorized as:
– SET-UP (Maintenance)
– PRE-QUERY
– POST-PROCESSING
• External, authenticated users are grouped into Cliques to simplify rule management
• Tables and their columns are grouped into segments to simplify access mgmnt
• Rules use primitives supplied by specialists
Gio CS Forum Oct01-29
Primitives - selected by rule for various clique roles
• Allow / disallow values
• Allow / disallow value ranges
• Limit results to approved good-word lists
• Disallow output containing bad words
• Limit output to specified times, places
• Limit number of queries per period
• Can augment queries for result filtering
• Etc.
Gio CS Forum Oct01-30
Content primitives tested in TIHI*
• Check against good-word dictionary– dictionary created by processing ok records
• Check against a bad word dictionary– less paranoid, less secure, used by Net-nanny etc.
• Check for seeded entries in high value files– password files,
• Check for patterns in personal data– credit cards, email addresses
• Check cell count in statistical results– at query time append COUNT request
• Extraction of text from images– for further filtering
*NSF/NIH funded HPCC projects
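The good-word and pattern primitives listed above (and the filtering caveats and security officer choices on later slides), as an added example in Python; this is not code from the TIHI project. The good-word list is built from records the security officer has already approved; an unknown word, a Luhn-valid card number, or an email address refers the result to the SO, and the SO's "pass" choice makes the approval persistent by adding the result's words to the list. The approved records and the checked texts are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of responses the security officer has already approved.
APPROVED_RECORDS = [
    "Patient admitted with pneumonia, treated with antibiotics, discharged day 5.",
    "Follow-up visit: blood pressure normal, continue medication.",
]

WORD_RE = re.compile(r"[A-Za-z][A-Za-z'-]*")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def words_of(text: str) -> set:
    return {w.lower() for w in WORD_RE.findall(text)}


@dataclass
class GoodWordFilter:
    good_words: set = field(default_factory=set)

    @classmethod
    def from_records(cls, records):
        """Build the good-word list by processing examples of OK responses."""
        f = cls()
        for r in records:
            f.good_words |= words_of(r)
        return f

    def check(self, text: str):
        """Returns ("pass", []) or ("refer", reasons) for the security officer."""
        reasons = []
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                reasons.append("possible card number: " + m.group().strip())
        for m in EMAIL_RE.finditer(text):
            reasons.append("email address: " + m.group())
        # Paranoid: anything not positively known as benign is potentially bad.
        unknown = sorted(words_of(text) - self.good_words)
        if unknown:
            reasons.append("not in good-word list: " + ", ".join(unknown))
        return ("pass", []) if not reasons else ("refer", reasons)

    def approve(self, text: str):
        """SO choice 3: pass the result and make the approval persistent."""
        self.good_words |= words_of(text)
```

The out-of-context risk the slides mention is visible here: "Iris" alone would pass in an ophthalmology list, so names are caught only when another unknown word accompanies them or a pattern check fires.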
Gio CS Forum Oct01-31
Creating Wordlists
TIHI is Paranoid
• Result filtering primarily based on Good-word lists
– Created by processing examples of O.K. responses
– Augmented dynamically by terms found objectionable by system, but approved by security officer
• Current work
– Image filtering, to omit and extract text from images
• Possible future work
– use nounphrases to increase specificity
Gio CS Forum Oct01-32
Filtering of text
Not perfect:
• Words out-of-context can pass the filter
• ophthalmology: don't pass names: Iris Smith
– Risk reduces rapidly with multiple words
• Can never have all good-words in list
– Load for security officer -- seek a balance
• Cost: all of contents must be processed
– Good technology from spell checkers
– Domain-specific word-lists are modest in size
Gio CS Forum Oct01-33
Rules implement policy
• Tight security policy:
– simple rules
– many requests/responses referred to security officer
– much information output denied by security officer
– low risk
– poor public and community physician relations
• Liberal but careful security policy:
– complex rules
– few requests/responses referred to security officer
– of remainder, much information output denied by security officer
– low risk
– good public and community physician relations
• Sloppy security policy:
– simple rules
– few requests/responses referred to security officer
– little information output denied by security officer
– high risk
– unpredictable public and community physician relations
Gio CS Forum Oct01-34
Security requires attention
• Security officer's focus is security
– not for a computer system designer,
– nor database or network administrator,
– nor for management.
• Having and owning the tool enables the role
• Security mediator provides logging for
– focused audit trail
– system improvements
– accountability
• Must be able to deal effectively with exceptions, else encourages bypassing security without logging :-(
Gio CS Forum Oct01-35
Responsibility Assignment
• Database administrator
– Primary task: assure availability of data
– Provides helpful services – broaden search: risk
• Network administrator
– Primary task: keep network running: transparent
• System administrator
– Buys glossy product to escape responsibility
• Security officer
– Not in loop, no tools
– Investigates violations, takes blame for failures
– Needs tools as well
Gio CS Forum Oct01-36
Coverage of Access Paths
Diagram: the Security Mediator sits between authentication-based control (good guy / bad guy, prior use, history) and DB schema-based control on the Database (maintained by the Database administrator for performance and function requests); the Security officer supplies the security needs. Path labels: good guy, good query, processable query, result is likely ok, validated to be ok, ancillary information.
Gio CS Forum Oct01-37
Rule system
• Optional: without rules every interaction goes to the security officer (in & out)
• Creates efficiency: routine requests will be covered by rules: 80% of instances / 20% of types
• Gives control to Security officer: rules can be incrementally added/deleted/analyzed
• Primitives simplify rule specification: source, transmit date/time, prior request, ...
Gio CS Forum Oct01-38
Benign and ID areas in an X-ray
Benign is defined positively:
a. value range
b. good-word list
else it is potentially bad (paranoid)
Integrated IDs are crucial for practice (40% of X-rays are lost)
Gio CS Forum Oct01-39
Application of Rules
Diagram: the external data requestor's query enters through the Firewall with an authenticated ID, then Parse Query -> Query Checking -> Execute Query -> Result checking; on success the cleared results leave through the Firewall, else the query or result goes to the SO, whose edits, error or rule-failure findings, and customer advice are returned; ancillary information is kept by the mediator.
Gio CS Forum Oct01-40
Security Officer
• Profile
– Human responsible for database security/privacy policies
– Must balance data availability vs. data security/privacy
• Tasks (current)
– Advises staff on how to try to follow policy
– Investigates violations to find & correct staff failures
– Has currently no computer-aided tools :-(
• Tasks (with mediators)
– Defines and enters policy rules in security mediator
– Monitors exceptions, especially violations
– Monitors operation, to obtain feedback for improvements
Gio CS Forum Oct01-41
Roles
Security officer manages security policy, not a computer specialist or database administrator.
Computer specialist provides tools: agent workstation program for security mediation.
Enterprise / institution defines policies; its security officer (SO) uses the program as the tool.
Tool formalizes system practices; rules, managed by the SO, define the practice.
Gio CS Forum Oct01-42
Assigning the Responsibility
Database Administrator
– Can create views limiting access in RDBMSs
– Prime role is to assure convenient data access
Network Administrator
– Can restrict incoming and outgoing IP addresses
– Prime role is to keep network up and connected to the Internet
Specialist Security Officer
– Prime responsibility is security & privacy protection
– Implements security policy
– Interacts with database & network administrators
Gio CS Forum Oct01-43
Hypothetical benefits: Prevents
1. Secure data are inadvertently shipped to insecure backup by trusted user
2. HIV symptoms shown to cardiac researcher
3. US managers obtain EU-restricted personnel data
4. Misclassified data are released at low level
5. Credit card numbers are released when a false customer appears to get an MP3 song
6. Passwords transmitted to hacker when access control failed
Diagram: External Requestors send an original request through the Firewall to the Security Mediator (with the S.O. and Logs); the certified query goes to the Integrating Mediator over the Protected, Shared Databases, the unfiltered result comes back, and a certified result is returned; Internal Requestors access the databases directly.
Multiple Internal sources are covered
Gio CS Forum Oct01-45
Implementations
• UNIX prototype
• UNIX - Java at Incyte Corporation [SST]
– protect medical & genomic information
• NT - Java development system
• Primitives for Drawings, as Aircraft Specs
• Trusted Image Dissemination
– wavelet-based decomposition to locate texts
– extract for OCR
– blank text frequency if not found in good rules
Gio CS Forum Oct01-46
Effective Settings
• External access is a modest fraction of total use: collaboration, government oversight, safety monitoring
• Restructuring internal partitioning would induce significant inefficiencies; for example, Hospital: MD/patients vs. research/insurance
• Errors are seriously embarrassing: in practice 2-5% of data are misfiled, doing better is costly
• Locus of control is needed: Security officer cannot trust/control DB / network admins
Gio CS Forum Oct01-47
Stream of information
Intrusion detection – two-level
Diagram: a model of normal behavior is compared against observations (initial, continuing) of events; outcomes are Stop, Monitor, or Assess.
Gio CS Forum Oct01-48
TIHI Summary
Avoids the -- often false -- assumption that access rights match data organization.
Collaboration is an underemphasized issue beyond encrypted transmits, firewalls, passwords, authentication.
There is a need for flexible, selective access to data without the risk of exposing related information in an enterprise.
In TIHI service is provided by the Security Mediator: a rule-based gateway processor of queries and results under control of a security officer who implements enterprise policies.
Our solution has been applied to Healthcare; also relevant to Collaborating (virtual) enterprises and in many Military situations.
Gio CS Forum Oct01-49
Security Mediator Benefits
• Dedicated to security task (may be multi-level secure)
• Uses only its rules and relevant function, all directly, avoids interaction with DB views and procedures
• Maintained by responsible authority: the security officer
• Policy setting independent of database(s) and DBA(s)
• Logs just those transactions that penetrate the firewall, records attempted violations independent of DB logs*
• Systems behind firewall need not be multi-level secure
• Databases behind firewall need not be perfect * also used for replication, recovery, warehousing
Gio CS Forum Oct01-50
Backup
Gio CS Forum Oct01-51
Security officer screen
Gio CS Forum Oct01-52
Patient's own data screen
Gio CS Forum Oct01-53
part of Patient result
Gio CS Forum Oct01-54
Disallowed result
Gio CS Forum Oct01-55
Security officer reaction
Choices:
1. Reject result
2. Edit result
3. Pass result (& update the list of good-words, making approval persistent)
Gio CS Forum Oct01-56
Security Table Definition... (continued)

Security Function           Object Name    Object Value
Validate_text               table.column   invalid_words
Min_Rows_Retrieved          ALL/clique     integer
Num_Queries_Segment         ALL/segment    integer
Query_Intersection_Clique   ALL/clique     integer
Query_Intersection_Segment  ALL/segment    integer
Secure_Keyword_Clique       ALL/clique     keyword
Secure_Keyword_Segment      ALL/segment    keyword
Session_Time                ALL/clique     TIME
User_Hours_Start            ALL/clique     start_time
User_Hours_End              ALL/clique     end_time
Segment_Hours_Start         ALL/segment    start_time
Segment_Hours_End           ALL/segment    end_time
Limit_Function_Clique       ALL/clique     function_name
Gio CS Forum Oct01-57
Rule application - Overview
• Does customer belong to a clique? If yes, switch to it
• Does the customer clique satisfy all pre-query rules? (e.g., Session_Start, Stat_Only, Queries_Per_session)
• Do the columns and tables belong to a segment?
• Does the query satisfy all pre-query rules? (e.g., valid segments)
• Does query need re-phrasing or augmentation? (e.g., Stat_Only to detailed Select)
• Send Query to appropriate Database (or mediator)
• Does query result satisfy all post-query rules? (e.g. Min_Rows_Retrieved, Secure_Keyword_Clique)
• Apply any result transformation rules (e.g. random falsification of data, aggregation)
• Update log and internal statistics
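The rule application sequence above, together with the Rule Processing features (paranoia, SO default, audit log) and the security table rows, as an added example in Python; it is not the TIHI Security Mediator Software. The rule file, the clique and segment assignments, the sqlite domain database and the queries are constructed; the cell-count check is done by appending a COUNT request to the customer's query, as the content-primitives slide describes.

```python
import sqlite3
from datetime import time

# Constructed rule file in the slide's "Security Function  Object Name  Object Value" form.
RULES_TEXT = """
Min_Rows_Retrieved     researchers  2
User_Hours_Start       researchers  08:00
User_Hours_End         researchers  18:00
Secure_Keyword_Clique  researchers  HIV
Num_Queries_Segment    clinical     2
"""
CLIQUES = {"alice": "researchers"}     # authenticated ID -> clique (constructed)
SEGMENTS = {"patients": "clinical"}    # table -> segment (constructed)


def parse_rules(text):
    """Each non-empty line is one row of the security_rules table."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]


def hhmm(value):
    h, m = value.split(":")
    return time(int(h), int(m))


def make_db():
    """Constructed domain database behind the firewall."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients(name, ward, diagnosis)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", [
        ("Iris Smith", "A", "stroke"), ("Bob Lee", "A", "pneumonia"),
        ("Ann Roe", "B", "HIV"), ("Cy Doe", "B", "fracture")])
    return conn


class Mediator:
    def __init__(self, rules, conn):
        self.rules, self.conn, self.log, self.queries = rules, conn, [], {}

    def rules_for(self, func, obj):
        """Object Values of rows whose Object Name is ALL or the clique/segment at hand."""
        return [v for f, o, v in self.rules if f == func and o in ("ALL", obj)]

    def handle(self, user, table, query, now):
        """Returns ("pass", rows) or ("SO", reason); every outcome is logged for audit."""
        outcome = self._screen(user, table, query, now)
        self.log.append((user, query, outcome[0]))
        return outcome

    def _screen(self, user, table, query, now):
        clique, segment = CLIQUES.get(user), SEGMENTS.get(table)
        if clique is None or segment is None:
            return "SO", "unknown clique or segment"
        applied = 0                      # paranoia: every applicable rule must pass
        for start in self.rules_for("User_Hours_Start", clique):
            applied += 1
            if now < hhmm(start):
                return "SO", "before User_Hours_Start"
        for end in self.rules_for("User_Hours_End", clique):
            applied += 1
            if now > hhmm(end):
                return "SO", "after User_Hours_End"
        for limit in self.rules_for("Num_Queries_Segment", segment):
            applied += 1
            n = self.queries[user, segment] = self.queries.get((user, segment), 0) + 1
            if n > int(limit):
                return "SO", "Num_Queries_Segment exceeded"
        # Post-query rules; the cell-count check appends a COUNT request to the query.
        for minimum in self.rules_for("Min_Rows_Retrieved", clique):
            applied += 1
            count = self.conn.execute(f"SELECT COUNT(*) FROM ({query})").fetchone()[0]
            if count < int(minimum):
                return "SO", f"only {count} rows, Min_Rows_Retrieved is {minimum}"
        rows = self.conn.execute(query).fetchall()
        for kw in self.rules_for("Secure_Keyword_Clique", clique):
            applied += 1
            if any(kw.lower() in str(cell).lower() for row in rows for cell in row):
                return "SO", f"Secure_Keyword_Clique {kw} appears in result"
        if applied == 0:                 # default: no rule applies, so the SO decides
            return "SO", "no applicable rule"
        return "pass", rows
```

The query is executed as the customer wrote it, as on the slides; the query-parsing and segment validation steps are left to the parse step that precedes this screening.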
Gio CS Forum Oct01-58
Implementation
Set-up
• Security Officer enters rules into a file
• Rule file is parsed to generate an SQL script to insert rows into the security_rules table
• SQL script is executed against the database
Gio CS Forum Oct01-59
Implementation... (continued)
Customer Session Loop
• Security Mediator Workstation accepts the customer query, logs it, and passes control to the Security Mediator Software (SMS)
• SMS reads the security_rules table and calls many different modules (sub-routines) to validate the query (pre-query checks)
• If okay, SMS executes the query (Embedded SQL calls)
• Mediator Workstation gets results from the database and calls other SMS modules to perform the post-query checks
• If all checks are passed, the Mediator Workstation logs and returns results; awaits another invocation
• Result is accepted by customer and used or displayed
Gio CS Forum Oct01-60
System Operations
• Customer connects remotely, via firewall for authentication, to security officer's machine
• Clique membership is assessed
• System prompts customer for query
• Query is parsed and validated against rules
• Validated query is sent to database system
• Results are retrieved and validated against rules
• Validated results are made available to customer
Gio CS Forum Oct01-61
Benign and ID areas in an X-ray
Benign is defined positively:
a. value range
b. good-word list
else it is potentially bad (paranoid)
Integrated IDs are crucial for practice (40% of X-rays are lost)
Gio CS Forum Oct01-62
Processing Flow
Gio CS Forum Oct01-63
Source X-ray image
Whitened to protect privacy for this presentation
Gio CS Forum Oct01-64
Wavelet decomposition
Gio CS Forum Oct01-65
Candidate Text areas
Gio CS Forum Oct01-66
Extracted textual fields
Blackened to protect privacy for this presentation
Gio CS Forum Oct01-67
OCR conversion & analysis
Name: not in good-list: not approved
Error in OCR: not in good-list: not approved
Gio CS Forum Oct01-68
Reconstituted image
Identification area blurred by removing high frequency components
Gio CS Forum Oct01-69
Removal of Ident’s from an MRI Image
Gio CS Forum Oct01-70
Chest X-ray
Gio CS Forum Oct01-71