TIHI / SAW / TID
A Point-of-failure in Protecting Information
Gio Wiederhold
Stanford University
August 2000
TIHI IFIP WG Schoorl Gio Wiederhold 4/12/2020 1
• NSF-HPCC / SRI -sharing information in healthcare
• DARPA / SRI -sharing information in manufacturing
• NSF-NIH -protecting information concealed in images
• Incyte / SST -protecting genomic information
Participants: staff and students
• Michel Billelo, PhD, MD, Stanford
• Maggie Johnson, PhD, Stanford & SST
• Shelley Qian, PhD, Vitria, ex SRI International
• Latanya Sweeney, PhD, CMU
• Jahnavi Akella, MS, Stanford
• Jerry Cain, BS, Stanford & SST
• Andrea Chavez, JD, MS, Stanford
• Chris Donahue, BS, Stanford & SST
• Antoine Picard, MS, Stanford & SST
• Vatsala Sarathy, MS, Stanford
• James Wang, PhD, now Penn State
Security: protection and assurance
Crucial progress in protection is being made:
• Remote transmission
• Authentication
• Firewalls around domains protect against enemies.
• Much research based on cryptography
Remaining Issue: Assuring Secure Collaboration
Not versus enemies, but among colleagues, who need to share some, but not all, information.
Examples of information to be shared selectively (data held, and the party that needs part of it):
• Medical Records: Insurance Company
• Medical Records: Medical Researchers
• Manufacturer's Specs: Subcontractor
• Operational Data: Logistics Provider
• Intelligence Data: Front-line soldier
• Strategic Data: Allied Forces
• Authenticate customer in firewall
• Validate query against database schema
• If both O.K., process query and ship results
[Diagram: customer query passes through the firewall (authentication) and an access & authorization agent to the database sources; the result is returned to the customer]
The Gap: Assumption that Access right = Retrievable data
• Access rights assume a certain partitioning of data
• Domain data are partitioned according to internal needs
• They only match in simple cases / artificial examples
[Diagram: customer query via firewall, authentication, access & authorization agent, database; caption: data sources are rarely perfectly matched to all access rights]
Data in the files of an enterprise are organized according to external access rights
Inefficient and risky for an enterprise which uses information mainly internally and then must serve external needs
Healthcare
[Diagram: the parties around a healthcare record, each with different access needs: Accounting, Laboratory staff, Insurance Carriers, Patient, Physician, Ward staff, CDC, etc.]
Objects (N) cannot be organized according to all possible access classifications (a) = $\binom{N}{a}$
• Classifications differ by user: nursing hierarchy by bed and ward; infectious disease hierarchy by risk
• Queries do not specify objects precisely
– Relevant history for low-weight births (a helpful database returns extra material)
• Some objects cover multiple classes
– Patient with stroke and HIV
• Some objects are misfiled (happens easily to others); costly or impossible to guarantee avoidance
– Psychiatric data in a patient with alcoholism
Check the content of the result before it leaves the firewall
Security mediator: human & software agent module
[Diagram: query enters through the firewall to the mediator; the result is checked by the mediator before it passes back out]
Checking content on exit is understood and performed today in non-computerized settings:
• Briefcases are inspected when leaving secure meetings
• Computers, tapes, disks, etc. cannot be taken out of highly secure facilities
• Trucks are inspected on exiting a factory
Computer security system requirements have been modeled poorly with respect to this practice.
[Diagram: External Customer, via the Network and the Firewall, reaches the Security Officer's Mediator System, which accesses the Database; Internal Customer is inside the firewall]
• Software module, intermediate between "customers" and databases within the firewall
• Resides on the security officer's machine (may have to be multi-level secure); accessed by customers via firewall protection
• Under control of the security officer, via simple security-specific rules
• Performs bidirectional screening (queries and results)
• Profile
– Human responsible for database security/privacy policies
– Must balance data availability vs. data security/privacy
• Tasks (current)
– Advises staff on how to try to follow policy
– Investigates violations to find & correct staff failures
– Has currently no computer-aided tools
• Tasks (with mediators)
– Defines and enters policy rules in security mediator
– Monitors exceptions, especially violations
– Monitors operation, to obtain feedback for improvements
Database Administrator
– Can create views limiting access in RDBMSs
– Prime role is to assure convenient data access
Network Administrator
– Can restrict incoming and outgoing IP addresses
– Prime role is to keep network up and connected to the Internet
Specialist Security Officer
– Prime responsibility is security & privacy protection
– Implements security policy
– Interacts with database & network administrators
Division of responsibilities:
• The enterprise / institution defines policies
• The security officer (SO) manages security policy; this is not the job of a computer specialist or database administrator. The SO uses the program as the tool
• A computer specialist provides the tool: an agent / workstation program for security mediation
• The tool formalizes system practices; the rules, managed by the SO, define the practice
• Security officer’s focus is security
– not for a computer system designer,
– nor database or network administrator,
– nor for management .
• SO has hardware & software ownership
• Having a tool enables the role
• Security mediator provides logging for
– focused audit trail
– system improvements
– accountability
• Computer workstation
– UNIX and NT implementation
– external access through firewall
   • firewall can provide authentication
– internal access to database(s) that contain releasable information
   • multi (two)-level security provision
– internal storage, inside firewall:
   • rules defining cliques (external roles)
   • log of accepted and denied requests
   • mediator software
Mediator software components
Service:
• Rule interpreter
• Primitives to support rule execution
Maintenance support:
• Rule maintenance tools
• Log analysis tool
• Firewall interface
• Domain database interface
• Logger
• Optional: without rules, every interaction (in & out) goes to the security officer
• Creates efficiency: routine requests will be covered by rules (80% of instances / 20% of types)
• Gives control to the security officer: rules can be incrementally added, deleted and analyzed
• Primitives simplify rule specification: source, transmit date/time, prior request, ...
[Diagram: TIHI processing flow. External data requestors submit a query with an authenticated ID. Parse Query: on failure, an error goes back to the customer. Query checking: on success the query (with any edits and ancillary requests) goes on to Execute Query in DBMS(s); otherwise the applicable rule and customer advice go to the SO. Result checking: results (with ancillary results, possibly edited) are cleared, either by rule or by the SO under the SO's authenticated ID, before being returned as results.]
Features:
• Paranoia: Every applicable rule must be enforced for a query to be successful or a result to be releasable, else delegated to the security officer (SO)
• Default: if no rule applies, then delegate to the SO
• SO can pass, reject, or edit queries and results
• SO may inform customer, mediator software will not
• All queries and results, successful or not, are logged for audit
• Rules are stored within the mediator, with exclusive security access by the SO
Goals:
• Simple and easy to formulate by the SO
• Easy to enter into the system and to observe
• Employs a collection of primitive functions to provide comprehensive and adequate security
• Functions can exploit views in RDBMS
• Some rule functions provide text validation
• Some functions may need domain knowledge
– Functions to process manufacturing designs
– Functions to extract text from images
• Rules are categorized as:
– SET-UP (Maintenance)
– PRE-QUERY
– POST-PROCESSING
• External, authenticated users are grouped into Cliques to simplify rule management
• Tables and their columns are grouped into segments to simplify access management
• Rules use primitives supplied by specialists
Selected by rules for various clique roles
• Allow / disallow values
• Allow / disallow value ranges
• Limit results to approved good-word lists
• Disallow output containing bad words
• Limit output to specified times, places
• Limit number of queries per period
• Can augment queries for better result filtering
• Transform results (de-identification, randomize)
• ...
Primitives must be secure!
• careful validation
– enabled by small size and
– narrow functionality
• break the DBMS transaction model
– use log to count prior access requests
– check for inference potential
– access requestor descriptions and history
TIHI is Paranoid
• Result filtering primarily based on Good-word lists
– Created by processing examples of O.K. responses
– Augmented dynamically by terms found objectionable by system, but approved by security officer
• Current work
– Image filtering, to omit and extract text from images
• Possible future work
– use nounphrases to increase specificity
Not perfect:
• Words out of context can pass the filter
– ophthalmology: names can slip through, e.g. "Iris Smith"
– Risk reduces rapidly when multiple words are checked together
• Can never have all good-words in list
– Load for security officer -- seek a balance
• Cost: all of contents must be processed
– Good technology from spell checkers
– Domain-specific word-lists are modest in size
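An added example, not TIHI code, of the good-word filtering just described: the list is built from approved sample responses (constructed here), a referred response approved by the security officer augments the list, and checking adjacent word pairs rather than single words catches the "Iris Smith" case, where each word is individually on the list.

```python
import re

# Added example, not TIHI code: result filtering with a good-word list built
# from approved responses, plus an adjacent-word-pair check that reflects the
# slides' "multiple words" remark. All responses here are constructed samples.
APPROVED_RESPONSES = [
    "Patient seen in ophthalmology clinic for iris inflammation.",
    "Referred by Dr. Smith for iris inflammation, follow up in six weeks.",
    "Intraocular pressure normal, no treatment required.",
]

def words(text):
    return re.findall(r"[a-z0-9/]+", text.lower())

def build_good_words(responses):
    # Good-word list: every token that occurs in an approved example response.
    return {w for r in responses for w in words(r)}

def build_good_pairs(responses):
    # Adjacent word pairs seen in approved responses; a pair check catches
    # words that are individually harmless but never approved together.
    pairs = set()
    for r in responses:
        ws = words(r)
        pairs.update(zip(ws, ws[1:]))
    return pairs

def filter_result(text, good_words, good_pairs=None):
    """Return ('release', []) if every token (and, when good_pairs is given,
    every adjacent pair) is approved, else ('refer_to_SO', offending items);
    the offending items are what the security officer reviews."""
    ws = words(text)
    bad = [w for w in ws if w not in good_words]
    if good_pairs is not None:
        bad += [" ".join(p) for p in zip(ws, ws[1:]) if p not in good_pairs]
    return ("release", []) if not bad else ("refer_to_SO", bad)

def approve(text, good_words, good_pairs):
    # SO approval of a referred response augments both lists dynamically,
    # so the same wording is released automatically next time.
    ws = words(text)
    good_words.update(ws)
    good_pairs.update(zip(ws, ws[1:]))
```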
• Tight security policy:
– simple rules
– many requests/responses referred to security officer
– much information output denied by security officer
– low risk
– poor public and community physician relations
• Liberal but careful security policy
– complex rules
– few requests/responses referred to security officer
– of remainder, much information output denied by security officer
– low risk
– good public and community physician relations
• Sloppy security policy
– simple rules
– few requests/responses referred to security officer
– little information output denied by security officer
– high risk
– unpredictable public and community physician relations
[Diagram: controls around the Security Mediator. Security officer: authentication-based good / bad guy control; prior use validated to be O.K.; history; security needs. Database administrator: DB schema-based good query control; processable query; ancillary information; performance; function requests. Outcome: result is likely O.K.]
A security mediator
• can handle multiple roles
– each role is defined by its set of rules
– rules and primitives are selected from a common base
• can be replicated for distinct accessor types
– provide multiple ports in one firewall
– allows specialization in security officers
– can handle major policy distinctions
• Dedicated to security task (may be multi-level secure)
• Uses only its rules and the relevant functions, all directly; avoids interaction with DB views and procedures
• Maintained by responsible authority: the security officer
• Policy setting independent of database(s) and DBA(s)
• Logs just those transactions that penetrate the firewall, records attempted violations independent of DB logs*
• Systems behind firewall need not be multi-level secure
• Databases behind firewall need not be perfect
* also used for replication, recovery, warehousing
• UNIX prototype
• UNIX - Java at Incyte Corporation [SST]
– protect medical & genomic information
• NT - Java development system
• Primitives for Drawings, as Aircraft Specs
• Trusted Image Dissemination
– wavelet-based decomposition to locate texts
– extract for OCR
– blank text frequency if not found in good rules
Integration bypasses DBA protection
[Diagram: External Requestors send the original request through the Firewall to the Security Mediator (under the S.O.); a certified query goes to the Integrating Mediator, which accesses the Protected, Shared Databases (DBA; network under the NwA); partially filtered results return to the Security Mediator, which releases a certified result. Internal Requestors are served from the Integrating Mediator.]
For SecMed:
• External access is a modest fraction of total use (collaboration, government oversight, safety monitoring)
• Restructuring internal partitioning would induce significant inefficiencies (for example, hospital: MD/patients vs. research/insurance)
• Errors are seriously embarrassing in practice (2-5% of data are misfiled; doing better is costly)
• Locus of control is needed: the security officer cannot trust/control DB / network admins
Collaboration is an underemphasized issue, beyond encrypted transmission, firewalls, passwords and authentication.
There is a need for flexible, selective access to data without the risk of exposing related information in an enterprise.
In TIHI the service is provided by the Security Mediator: a rule-based gateway processor of queries and results under the control of a security officer who implements enterprise policies.
Our solution has been applied to healthcare; it is also relevant to collaborating (virtual) enterprises and to many military situations.
Backup slides
TIHI processing
Check for traps
• Insert distinct password into password file, check for it being reported out.
General mediation approach: isolate value-added processing
[Diagram: layers, top to bottom: human-computer interaction (application-specific code); user interface; service interface; MEDIATION (domain-specific code), owned and maintained by the mediator owner; resource access interface; source-specific code; real-world interface]
• add_user user_name clique_name (Set-up)
• del_user user_name clique_name (Set-up)
• add_segment table.column segment_name (Set-up)
• del_segment table.column segment_name (Set-up)
• set_stat_only clique_name true/false (Pre)
• limit_queries_per_session x clique_name (Pre)
• limit_clique_to_segment clique_name segment_name (Pre)
• limit_min_rows_retrieved x clique_name (Post)
• limit_num_queries x segment_name (Post)
• validate_text table.column x good_words (Post)
• set_randomize_clique clique_name true/false (Post)
• set_randomize_segment segment_name true/false (Post)
• limit_query_intersection_clique x clique_name (Post)
• limit_query_intersection_segment x segment_name (Post)
• secure_keyword_clique keyword clique_name (Post)
• secure_keyword_segment keyword segment_name (Post)
• limit_session_time x clique_name (Pre/Post)
• limit_user_hours_end x clique_name (Post)
• limit_segment_hours_start x segment_name (Pre)
• limit_user_hours_start x clique_name (Pre)
• limit_segment_hours_end x segment_name (Post)
• limit_function function_name clique_name (Pre/Post)
CREATE TABLE security_rules (
    security_function char(32) NOT NULL,
    object_name       char(32) NOT NULL,
    object_value      char(32) NOT NULL);

Security Function          Object Name     Object Value
Limit_User                 clique_name     user_name
Limit_Segment              segment_name    table.column
Stat_Only                  ALL/clique      true/false
Queries_Per_Session        ALL/clique      integer
Limit_Clique_To_Segment    ALL/clique      segment_name
Randomize_clique           ALL/clique      true/false
Randomize_Segment          ALL/segment     true/false
(continued)
Security Function          Object Name     Object Value
Validate_text              table.column    invalid_words
Min_Rows_Retrieved         ALL/clique      integer
Num_Queries_Segment        ALL/segment     integer
Query_Intersection_Clique  ALL/clique      integer
Query_Intersection_Segment ALL/segment     integer
Secure_Keyword_Clique      ALL/clique      keyword
Secure_Keyword_Segment     ALL/segment     keyword
Session_Time               ALL/clique      TIME
User_Hours_Start           ALL/clique      start_time
User_Hours_End             ALL/clique      end_time
Segment_Hours_Start        ALL/segment     start_time
Segment_Hours_End          ALL/segment     end_time
Limit_Function_Clique      ALL/clique      function_name
• Does customer belong to a clique? If yes, switch to it
• Does the customer clique satisfy all pre-query rules?
(e.g., Session_Start, Stat_Only, Queries_Per_session)
• Do the columns and tables belong to a segment?
• Does the query satisfy all pre-query rules?
(e.g., valid segments)
• Does query need re-phrasing or augmentation?
(e.g., Stat_Only to detailed Select)
• Send Query to appropriate Database (or mediator)
• Does query result satisfy all post-query rules?
(e.g. Min_Rows_Retrieved, Secure_Keyword_Clique)
• Apply any result transformation rules
(e.g. random falsification of data, aggregation)
• Update log and internal statistics
Set-up
• Security Officer enters rules into a file
• Rule file is parsed to generate an SQL script that inserts rows into the security_rules table
• SQL script is executed against the database
Customer Session Loop
• Security Mediator Workstation accepts the customer query, logs it, and passes control to the Security Mediator Software (SMS)
• SMS reads the security_rules table and calls many different modules (sub-routines) to validate the query (pre-query checks)
• If okay, SMS executes the query (Embedded SQL calls)
• Mediator Workstation gets results from the database and calls other SMS modules to perform the post-query checks
• If all checks are passed, the Mediator Workstation logs and returns results; awaits another invocation
• Result is accepted by customer and used or displayed
• Customer connects remotely, via firewall for authentication, to security officer's machine
• Clique membership is assessed
• System prompts customer for query
• Query is parsed and validated against rules
• Validated query is sent to database system
• Results are retrieved and validated against rules
• Validated results are made available to customer
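An added example, not TIHI code, that walks the session loop and the processing steps above in working form: rules live in the security_rules table (the CREATE TABLE from the slides, loaded into an in-memory SQLite database), a customer is mapped to a clique, pre-query rules (Queries_Per_Session, Limit_Clique_To_Segment) are checked before any SQL is composed, post-query rules (Min_Rows_Retrieved, Secure_Keyword_Clique) are checked on the result, anything no rule clears is referred to the SO, and every request is logged. The rule rows, the "visits" table and the user names are constructed sample data.

```python
import sqlite3

# Added example, not TIHI code: a miniature security mediator driven by the
# security_rules table from the slides; rule rows, "visits" data and users are constructed.
SCHEMA = """CREATE TABLE security_rules (security_function char(32) NOT NULL,
            object_name char(32) NOT NULL, object_value char(32) NOT NULL)"""
RULES = [  # (security_function, object_name, object_value)
    ("Limit_User", "insurers", "alice"),                 # set-up: clique membership
    ("Limit_Segment", "billing", "visits.diagnosis"),    # set-up: segment = releasable columns
    ("Limit_Segment", "billing", "visits.cost"),
    ("Queries_Per_Session", "insurers", "3"),            # pre-query rule
    ("Limit_Clique_To_Segment", "insurers", "billing"),  # pre-query rule
    ("Min_Rows_Retrieved", "insurers", "2"),             # post rule: tiny results invite inference
    ("Secure_Keyword_Clique", "insurers", "HIV"),        # post rule: keyword must not leave
]
VISITS = [(1, "stroke", 900.0, "111"), (2, "HIV", 450.0, "222"), (3, "fracture", 300.0, "333")]

class Mediator:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(SCHEMA)
        self.db.executemany("INSERT INTO security_rules VALUES (?,?,?)", RULES)
        self.db.execute("CREATE TABLE visits (patient_id, diagnosis, cost, ssn)")
        self.db.executemany("INSERT INTO visits VALUES (?,?,?,?)", VISITS)
        self.log, self.session_count = [], {}

    def rule(self, function, name):  # object_values of every matching rule row
        return [r[0] for r in self.db.execute("SELECT object_value FROM security_rules "
                "WHERE security_function=? AND object_name=?", (function, name))]

    def clique_of(self, user):
        return [r[0] for r in self.db.execute("SELECT object_name FROM security_rules "
                "WHERE security_function='Limit_User' AND object_value=?", (user,))]

    def handle(self, user, table, columns, condition=None):  # condition: (column, value)
        outcome = self._mediate(user, table, columns, condition)
        self.log.append((user, table, tuple(columns), outcome[0]))  # audit every request
        return outcome

    def _mediate(self, user, table, columns, condition):
        clique = next(iter(self.clique_of(user)), None)
        if clique is None:                   # default: no rule applies -> refer to SO
            return ("refer_to_SO", "user is in no clique")
        n = self.session_count[clique] = self.session_count.get(clique, 0) + 1
        if any(n > int(v) for v in self.rule("Queries_Per_Session", clique)):
            return ("denied", "queries per session exceeded")
        allowed = {c for seg in self.rule("Limit_Clique_To_Segment", clique)
                   for c in self.rule("Limit_Segment", seg)}
        asked = {f"{table}.{c}" for c in columns + ([condition[0]] if condition else [])}
        if not asked <= allowed:             # identifiers vetted against segments before SQL is built
            return ("refer_to_SO", "column outside the clique's segments")
        where, params = (f" WHERE {condition[0]} = ?", (condition[1],)) if condition else ("", ())
        rows = self.db.execute(f"SELECT {', '.join(columns)} FROM {table}{where}", params).fetchall()
        if any(len(rows) < int(v) for v in self.rule("Min_Rows_Retrieved", clique)):
            return ("refer_to_SO", "too few rows: inference risk")
        hits = [k for k in self.rule("Secure_Keyword_Clique", clique)
                if any(k in str(cell) for row in rows for cell in row)]
        return ("refer_to_SO", f"secure keyword in result: {hits}") if hits else ("released", rows)
```

Calling handle() repeatedly for one clique exercises the session counter; a fresh Mediator starts a new session.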