Grand Challenges for Enterprise Security Policies + Nondisclosure policies for distributed computations
Arnon Rosenthal
MITRE (visiting IBM Almaden)
Outline of Challenges Talk
• Four big challenges
  – Security model for multi-model DBMSs
  – Compilation to heterogeneous enforcers
  – Mapping from abstract to implementation policies
  – Mapping between organizations’ policies
• Brief comments on policy-related research in data privacy/security
1. How can one DBMS best support multiple security models?
[Figure: one DBMS security layer underneath several security models: the SQL security model (filter based on row labels), an XML security model, an RDF security model and an OWL security model, with P3P and XACML also shown]
[Figure: a single DBMS hosting virtual docs, virtual tables, virtual RDF and virtual OWL, each with its own attached policy: an XML policy on the tree-structured docs, an SQL policy on the tables, an RDF policy on the RDF view and an OWL policy on the OWL view]
How to support multiple security models?
[Figure: the SQL, XML, RDF and OWL security models sit over one DBMS security layer, linked through an abstract data model and an abstract security model]
Abstract data model: containment, derived data, m’data… (in enough detail to drive security)
Abstract security model: attach a policy to objects; general security, e.g.,
  - Ownership
  - Revoke or limit privilege
2. Compile to heterogeneous enforcers
[Figure: a policy (in one language) compiled down to heterogeneous enforcers; semantic heterogeneity addressed later]
Enforcement Mechanisms
Compile high level policy to heterogeneous enforcers, which include:
• User agents (P4P?)
• DBMSs, document and image servers (bottom tier)
• Middleware (on service/method calls)
  – Cannot act differently on each retrieved object
• Application code
• Boundary enforcement, e.g., air gaps, high assurance guards, low assurance filters on email.
• GUI (user friendly but low assurance)
• Human decisions (expensive, slow, error-prone)
Each of these is separately administered, today!
• Imagine documents with a consistent schema (for subparts and m’data), but accessed thru content managers, DBMSs, services. Compile a policy to all of them.
• Next, assume m’data is in DBMS, text in content manager, versioning via service. Compile policies down.
Challenge 2: The Official Policy is not in terms of implementation artifacts
“Individually identified medical data shall be available only to professionals treating the patient” (with confidence profile P3)
[Figure: a “?” between that policy statement and the implementation artifacts it must govern: a lab message carrying a blood type, firewalls, physical DB schemas]
2. Compile “business” policies to physical implementation
“Individually identified medical data shall be available only to professionals treating the patient” (with confidence profile P3)
[Figure: each term of the policy mapped to the metadata that resolves it]
• What data is “medical”, “individually identified”? (resolved by metadata, ontologies)
• Who are “professionals treating this patient”? (resolved by user m’data)
• Install policies on tables, documents
• Confidence needed in:
  • Technical measures
  • Metadata admin
  • Partners
• Suitable (resolved by system m’data):
  • Data allocation
  • Execution plan
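To make the two compilation slides concrete, here is an added illustration (not from the talk, and not MITRE or IBM code): the slides’ own policy compiled, through one set of metadata, to a DBMS enforcer (a SQL view) and a document-server enforcer (a per-document filter). The field tags, the “treating” relation, the table and column names and the lab message are all constructed sample data.

```python
# Added illustration (not from the talk): one abstract policy, compiled through the
# same metadata to two heterogeneous enforcers, a DBMS (SQL) and a document server.

# The policy from the slides, stated only in abstract terms.
POLICY = {"protects": {"medical", "individually_identified"},
          "allowed_relation": "treating"}

# Constructed metadata/ontology: which physical fields carry which abstract terms.
FIELD_TAGS = {
    "name":       {"individually_identified"},
    "blood_type": {"medical"},
    "diagnosis":  {"medical"},
    "zip":        set(),   # neither medical nor identifying under this ontology
}

# Constructed user m'data: (professional, patient_id) pairs in the "treating" relation.
TREATING = {("dr_lee", 7), ("dr_lee", 9), ("nurse_ng", 7)}


def protected_fields(policy, field_tags):
    """Fields the policy covers: any field tagged with at least one protected term."""
    return sorted(f for f, tags in field_tags.items() if tags & policy["protects"])


def compile_sql(policy, field_tags, table="patients"):
    """DBMS enforcer: a view that exposes the protected columns only on rows the
    calling user treats. The relation is joined, not hard-coded per user."""
    cols = ", ".join(f"{table}.{f}" for f in protected_fields(policy, field_tags))
    return (f"CREATE VIEW {table}_for_caller AS SELECT {table}.id, {cols} FROM {table} "
            f"JOIN {policy['allowed_relation']} r ON r.patient_id = {table}.id "
            f"WHERE r.user_id = CURRENT_USER")


def filter_document(policy, field_tags, relation, doc, user):
    """Document-server enforcer: the same policy applied per retrieved document,
    redacting protected fields unless the user treats this patient."""
    if (user, doc["patient_id"]) in relation:
        return dict(doc)
    hidden = set(protected_fields(policy, field_tags))
    return {k: ("[redacted]" if k in hidden else v) for k, v in doc.items()}


if __name__ == "__main__":
    # Constructed lab message, the slides' "Lab message: blood type".
    lab_msg = {"patient_id": 9, "name": "A. Patient", "blood_type": "O-", "zip": "94120"}
    print(compile_sql(POLICY, FIELD_TAGS))
    print(filter_document(POLICY, FIELD_TAGS, TREATING, lab_msg, "dr_lee"))    # unchanged
    print(filter_document(POLICY, FIELD_TAGS, TREATING, lab_msg, "nurse_ng"))  # name, blood_type redacted
```

Changing FIELD_TAGS (the ontology) or TREATING (the user m’data) changes both enforcers at once, which is the point of compiling from the abstract policy rather than administering each enforcer separately.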
Translate and transfer policy across organizations and systems
Aetna Travel Insurance
  Enforcement: Application server
  Policy applied: US (NY)
  Roles: HIPAA spec (Aetna version)
Paris Hospital
  Enforcement: DBMS
  Policy applied: France
  Roles: Hospital (Emergency Care)
Open questions between the two:
• What data is
  • Medical
  • Indiv identified
• Who are
  • Professionals
  • Treating this patient
  (Insurance approver role only in US)
• Confidence in
  • Technical measures
  • Metadata admin
  • Partners
Employing a research idea: Inference control
• You have a full description of what the attacker knows
• No collusion between requests from different User IDs
• Administrators have identified all sensitive fields
  – Or it’s worthwhile to protect just a few
• Efficiency – extra factor of 5 is OK
• No updates
Black bullets limit applicability. Not to zero, but is it a good place to invest scarce talent?
1-2 probably can’t be removed by more research!
Spend $$$$ for high certainty (locally), but partial solutions won’t give a large factor of protection
What’s different about privacy?
• Millions of administrators, opting in and out
• Human (Corporate? Animal? ) right
Privacy and Nondisclosure
• Equating privacy with nondisclosure makes both terms less useful
• Privacy involves
  – Rights
  – Notification, correctness, minimal collection and retention, …
• Nondisclosure also applies to
  – Military plans, investigative reports
  – Lion King Video
An easily-applied categorization
• Ask what stakeholder a policy protects
  – Privacy: The person (or entity) described
  – Enterprise secrecy: The entity controlling the database
  – Intellectual property: The provider of the info
• Security usually adds integrity and availability (under attack)
  – Contrast with data quality, system availability which try to protect against Murphy’s Law