Slide 1 (of 22): Why provenance needs its own security model
Uri Braun, PASS Team, Harvard University
Workshop on Principles of Provenance, November 19-20, '07
(slide footer date: January 8, '07)

Slide 2 (of 22): Provenance needs security
Many provenance applications involve sensitive data:
- Regulatory compliance
- Electronic medical records
- National security intelligence

Slide 3 (of 22): National Intelligence Estimate, Data v. Provenance Sensitivity
Three contributors each add a file to a shared directory; the estimate is assembled from them.
- Vice Chair: cp vice.txt /shared/ (Public: cannot read)
- Chair: cp chair.txt /shared/ (Public: cannot read)
- Special Advisor: cp advisor.txt /shared/ (Public: cannot read)
- National Intelligence Estimate: cat /shared/*.txt | uniq (Public: cannot read)

Slide 4 (of 22): Outline
- Motivation
- Provenance needs its own security model
- Related work
- Recap

Slide 5 (of 22): Provenance needs its own security model
Sensitivity(Provenance) ≠ Sensitivity(Data). There are cases where the sensitivity of:
- Data > Provenance
- Provenance > Data

Slide 6 (of 22): Performance Review, Data v. Provenance Sensitivity
- Manager's email: mail -s "Joe's Review" peer1, peer2 (Employee: cannot read)
- Email to Peer1 (Employee: cannot read); Email to Peer2 (Employee: cannot read)
- Email from Peer1: mail -s "RE: Joe's Review" manager (Employee: cannot read)
- Email from Peer2: mail -s "RE: Joe's Review" manager (Employee: cannot read)
- Manager copies peer1's and peer2's emails and edits them into the review (Employee: can read)

Slide 7 (of 22): National Intelligence Estimate, Data v. Provenance Sensitivity (revisited)
Same diagram as slide 3:
- Vice Chair: cp vice.txt /shared/ (Public: cannot read)
- Chair: cp chair.txt /shared/ (Public: cannot read)
- Special Advisor: cp advisor.txt /shared/ (Public: cannot read)
- National Intelligence Estimate: cat /shared/*.txt | uniq (Public: cannot read)

Slide 8 (of 22): Different from traditional security models
- Requires attributes different from those of existing security models
- Relationships are fundamentally different
- Leaks information differently

Slide 9 (of 22): Performance Review, Relationship Leak
Same diagram as slide 6:
- Manager's email: mail -s "Joe's Review" peer1, peer2 (Employee: cannot read)
- Email to Peer1 (Employee: cannot read); Email to Peer2 (Employee: cannot read)
- Email from Peer1: mail -s "RE: Joe's Review" manager (Employee: cannot read)
- Email from Peer2: mail -s "RE: Joe's Review" manager (Employee: cannot read)
- Manager copies peer1's and peer2's emails and edits them into the review (Employee: can read)

Slide 10 (of 22): Relationships leak information in combination with
- Seemingly unrelated other relationships
- World knowledge
- The mere existence of a relationship

Slide 11 (of 22): Outline
- Motivation
- Provenance needs its own security model
- Related work: provenance projects, aggregation, applications
- Recap

Slide 12 (of 22): PASOA
Does:
- Ensure non-repudiation
- Federate identity
- Obscure portions of records
Does not:
- Consider relationships
- Provide fine-grained access control
[Groth et al.: D3.1.1: An Architecture for Provenance Systems]

Slide 13 (of 22): myGrid
Does:
- Authentication
- Access control per repository
Does not:
- Consider relationships
- Provide fine-grained access control
[Miles: myGrid Security Issues]
[Egglestone: Security in the myGrid project]

Slide 14 (of 22): Aggregate queries
- May help understand interaction among relationships
- Has no model for relationships
- No answers for: existence providing data; combining with world knowledge

Slide 15 (of 22): Information flow
- Similar to aggregate queries in applicability
- How do we model: relationships, world knowledge, existence?

Slide 16 (of 22): Audit logs
- Audit logs are useful for security
- Security is also useful for audit logs
- Current security is still binary: total access or no access
[Radack: NIST SP 800-92: Guide to Computer Log Management]

Slide 17 (of 22): Metadata security
- Metadata is embedded in documents
- Word change history has led to many unintentional, well-publicized leaks
- Current solution is to remove metadata before publishing externally

Slide 18 (of 22): Compliance
- Increasing interest in tightening financial oversight
- Growing focus on tracking the history of decisions
[Johnson: Intersections of Law and Technology in Balancing Privacy Rights with Free Information Flow]

Slide 19 (of 22): Electronic Medical Records
- Medical records include provenance
- HIPAA law mandates access controls
[Agrawal: Hippocratic Databases]

Slide 20 (of 22): Outline
- Motivation
- Provenance needs its own security model
- Related work
- Recap

Slide 21 (of 22): Recap
- Provenance needs security
- Security needs are different
- No known directly applicable model

Slide 22 (of 22): Questions?
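The relationship leak of slides 6, 9 and 10 can be made concrete with a toy provenance graph. This is an added example, not code from the talk or from PASS; the node names, the "data" and "provenance" policy labels and the principal names are constructed. Under the "data" policy an edge is visible whenever the derived node's data is readable, so the employee, who may read only the finished review, still learns that peer1 and peer2 replied; under the "provenance" policy each relationship carries its own reader set.

```python
from collections import deque

class ProvenanceGraph:
    """Data nodes and derivation edges, each with its own reader set."""

    def __init__(self):
        self.node_readers = {}  # node -> principals allowed to read its data
        self.parents = {}       # node -> [(ancestor, principals who may see the edge)]

    def add_node(self, name, readers):
        self.node_readers[name] = set(readers)
        self.parents.setdefault(name, [])

    def derive(self, ancestor, derived, edge_readers):
        # Record the relationship "derived was produced from ancestor".
        self.parents.setdefault(derived, []).append((ancestor, set(edge_readers)))

    def ancestors(self, start, principal, policy):
        """Ancestors of `start` that `principal` learns about under `policy`.
        "data": edge shown whenever the derived node's data is readable, i.e.
        provenance inherits the data's sensitivity (the leak the deck describes).
        "provenance": edge shown only to that relationship's own readers."""
        seen, queue = set(), deque([start])
        while queue:
            node = queue.popleft()
            for anc, edge_readers in self.parents.get(node, []):
                if policy == "data" and principal not in self.node_readers[node]:
                    continue
                if policy == "provenance" and principal not in edge_readers:
                    continue
                if anc not in seen:
                    seen.add(anc)
                    queue.append(anc)
        return seen

def performance_review():
    """Constructed graph for the deck's performance-review scenario."""
    g = ProvenanceGraph()
    staff = {"manager", "peer1", "peer2"}
    for mail in ("manager_email", "peer1_reply", "peer2_reply"):
        g.add_node(mail, staff)                 # Employee: cannot read
    g.add_node("review", staff | {"employee"})  # Employee: can read
    g.derive("manager_email", "peer1_reply", staff)
    g.derive("manager_email", "peer2_reply", staff)
    g.derive("peer1_reply", "review", staff)    # "cp peer1 & 2's emails and edit"
    g.derive("peer2_reply", "review", staff)
    return g
```

Querying `performance_review().ancestors("review", "employee", "data")` returns the two peer replies even though the employee can read neither, which is the existence leak; the same query under `"provenance"` returns nothing.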