Intelligent Information Systems
9. Security Mediation
Gio Wiederhold
EPFL, April-June 2000, at 14:15 - 15:15, room INJ 211
Schedule
Presentations in English -- but I'll try to manage discussions in French and/or German.
• I plan to cover the material in an integrating fashion, drawing from concepts in databases, artificial intelligence, software engineering, and business principles.
1. 13/4 Historical background, enabling technology: ARPA, Internet, DB, OO, AI, IR
2. 27/4 Search engines and methods (recall, precision, overload, semantic problems).
3. 4/5 Digital libraries, information resources. Value of services, copyright.
4. 11/5 E-commerce. Client-servers. Portals. Payment mechanisms, dynamic pricing.
5. 19/5 Mediated systems. Functions, interfaces, and standards. Intelligence in processing. Role of humans and automation, maintenance.
6. 26/5 Software composition. Distribution of functions. Parallelism. [ww D.Beringer]
7. 31/5 Application to Bioinformatics.
8. 15/6 Educational challenges. Expected changes in teaching and learning.
9. 22/6 Privacy protection and security. Security mediation.
10. 29/6 Summary and projection for the future.
• Feedback and comments are appreciated.
7/26/2016
EPFL10F - Gio spring 2000
2
Security: protection and assurance
Crucial progress in protection is being made:
• Remote transmission
• Authentication
• Firewalls around domains
These protect against enemies.
Much research is based on cryptography.
Gio Wiederhold TIHI Oct96 3
Dominant approach for Data
• Authenticate customer
• Validate query against database schema
• If both O.K., process query and ship results
[Figure: customer sends query through the firewall (authentication; database access & authorization agent) to the sources; the result returns the same way]
Remaining Issue: Assuring Secure Collaboration
Not versus enemies, but among colleagues and payers who need to share some, but not all, information.
Collaboration Needs:
Information            Shared with
Medical Records        Insurance Company
Medical Records        Medical Researchers
Manufacturer's Specs   Subcontractor
Intelligence Data      Front-line soldier
The Gap: Assumption that Access right = Retrievable data
• Access rights assume a certain partitioning of data
• Domain data are partitioned according to internal needs
• They only match in simple cases / artificial examples
[Figure: the customer / firewall / authentication / database access & authorization agent diagram again; caption: data sources are rarely perfectly matched to all access rights]
False Assumption
Data in the files of an enterprise is organized according to external access rights.
Inefficient and risky for an enterprise which uses information mainly internally.
[Figure: Access Patterns versus Data: Healthcare. Internal users (Clinics, Ward staff, Laboratory, Laboratory staff, Accounting, Inpatient, Billing, Physician, Pharmacy) and external parties (Patient, Insurance Carriers, Accreditation, CDC, etc.) access overlapping portions of the same data]
Expected Problems
• Query cannot specify object precisely
  e.g., relevant history for low-weight births (helpful database gets extra stuff)
• Objects (N) are not organized according to all possible access classifications (a) = (Na)
  e.g., patients with heart problems, but not HIV
• Some objects cover multiple classes
  e.g., patient with stroke and HIV
• Some objects are misfiled (happens easily to others); costly/impossible to guarantee avoidance
  e.g., psychiatric data in patient with alcoholism
Filling the Gap
Check the content of the result before it leaves the firewall.
[Figure: query passes through the firewall to the security mediator (human & software agent module); the result is checked before it leaves]
Security Mediator
• Software module, intermediate between "customers" and databases within the firewall
• Resides on the security officer's machine (may have to be multi-level secure); accessed via firewall protection by customers
• Under control of the security officer, via simple security-specific rules
• Performs bidirectional screening (queries and results)
Agents and Privacy
Agents help customers obtain information.
We also need agents to protect information:
• customers must be authenticated
• customers must be authorized to receive specific information
• information returned must satisfy rules
[Figure: customer → firewall → security officer's access agent → source; query and result flow through the agent]
Security Officer
• Profile
– Human responsible for database security/privacy policies
– Must balance data availability vs. data security/privacy
• Tasks (current)
– Advises staff on how to try to follow policy
– Investigates violations to find & correct staff failures
– Has currently no tools
• Tasks (with mediators)
– Defines and enters policy rules in security mediator
– Monitors exceptions, especially violations
– Monitors operation, to obtain feedback for improvements
Assigning the Responsibility
• Database Administrator
– Can create views limiting access in RDBMSs
– Prime role is to assure convenient data access
• Network Administrator
– Can restrict incoming and outgoing IP addresses
– Prime role is to keep the network up and connected to the Internet
• Specialist Security Officer
– Prime responsibility is security & privacy protection
– Implements security policy
– Interacts with database & network administrators
Example: Mediation for Privacy
Public Health Application (CDC)
• Needs valid statistical data
• No access to private data
Security Mediator
• Owned by hospital security officer
• Screens query and result
• Default is manual operation
• Evolves by adding rules
Physicians' Databases
• Valuable resources
• Need to be aggregated (significance)
[Figure: CDC sends a query to the Security Mediator; the query is certified for the source; the unfiltered result comes back from private patient data; the certified result goes to the CDC; all of it is logged]
Roles
• Security officer manages security policy; not a computer specialist or database administrator.
• Computer specialist provides tools: agent workstation program for security mediation
• Healthcare institution defines policies; its security officer uses the program as the tool
• Tool provides logging for
– system improvements
– audit trail
– accountability
• Formalizes ad-hoc practices
Overall Schematic
[Figure: Customer on the Internet → Firewall → Security Officer's Mediator → Database]
Security Officer Functions
Security Officer
• defines rules for pass-through of requests
• any request not covered by a rule is shown
• shown requests can be edited and passed (passed requests are moved to the base for execution)
• defines rules for pass-through of results
• any result not covered by a rule is shown
• shown results can be edited and passed (passed results are moved to the top and made available)
All actions are logged for periodic review.
Rules implement policy
• Tight security policy:
– simple rules
– many requests/responses referred to security officer
– much information output denied by security officer
– low risk
– poor public and community physician relations
• Liberal but careful security policy:
– complex rules
– few requests/responses referred to security officer
– of remainder, much information output denied by security officer
– low risk
– good public and community physician relations
• Sloppy security policy:
– simple rules
– few requests/responses referred to security officer
– little information output denied by security officer
– high risk
– unpredictable public and community physician relations
Creating Wordlists
TIHI is paranoid
• Text filtering primarily based on good-word lists
– created by processing examples of O.K. responses
– augmented by terms found objectionable by the system but approved by the security officer
• Future work
– use noun phrases to increase specificity
– image filtering
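The good-word list workflow above, as an added example that is not TIHI's own code: the list is built from approved responses, every word of a new result must be on it or the result is referred, and terms the security officer approves are added so they pass next time. The simple word tokenizer and the sample responses are constructed here; the slides give no details of TIHI's actual filter.

```python
import re

WORD = re.compile(r"[a-z][a-z\-]+")   # numeric values are left to range primitives, not the wordlist

def tokens(text):
    return WORD.findall(text.lower())

class GoodWordFilter:
    """Result text passes only if every word is on the good-word list; otherwise refer to the SO."""

    def __init__(self, approved_responses):
        self.good = set()
        for response in approved_responses:            # list is created from O.K. responses
            self.good.update(tokens(response))

    def screen(self, result_text):
        """Return ('pass', []) or ('refer', [unknown terms]) for the security officer."""
        unknown = sorted(set(tokens(result_text)) - self.good)
        return ("pass", unknown) if not unknown else ("refer", unknown)

    def approve(self, terms):
        """SO judged these referred terms acceptable: augment the list so they pass next time."""
        self.good.update(t.lower() for t in terms)
        return len(self.good)

# Constructed examples of responses the security officer has already released.
APPROVED_RESPONSES = [
    "low birth weight infant, gestational age 34 weeks, neonatal intensive care",
    "premature delivery, birth weight 1850 g, discharged after 21 days",
]

if __name__ == "__main__":
    f = GoodWordFilter(APPROVED_RESPONSES)
    print(f.screen("premature delivery, birth weight 2100 g, hiv positive mother"))
```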
Coverage of Access Paths
[Figure: three layers of control over the access path. Security officer: authentication-based good/bad control (prior use, "good guy"), security needs. Security Mediator: ancillary information validated to be O.K.; history: result is likely O.K. Database administrator: DB schema-based O.K. control (good query), processable query; performance and function requests go to the Database]
A mediator is not just static software
[Figure: Software & People (models, programs, rules, caches, . . .) sit between the Application Interface, driven by changes of user needs and domain changes, and the Resource Interfaces, driven by resource changes; resource roles: Owner/Creator, Maintainer, Lessor - Seller, Advertiser]
Software Components
(grouped on the slide as service, maintenance, and support)
• Rule interpreter
• Primitives to support rule execution
• Rule maintenance tools
• Log analysis tool
• Firewall interface
• Domain database interface
• Logger
Primitives
Selected by rule for various clique roles
• Allow / disallow values
• Allow / disallow value ranges
• Limit results to approved vocabulary
• Disallow output containing bad words
• Limit output to times, places
• Limit number of queries per period
• Etc.
Rule system
• Optional: without rules every interaction goes to the security officer (in & out)
• Creates efficiency: routine requests will be covered by rules: 80% of instances / 20% of types
• Assures security officer of control: rules can be incrementally added/deleted/analyzed
• Primitives simplify rule specification: source, transmit date/time, prior request, ...
Application of Rules
[Figure: flow. Requestor passes the Firewall with an authenticated ID → Query Checking (parse query; apply rules using ancillary information and external data): on failure → error / customer advice, or the SO edits the query; else → Execute Query → Results → Result Checking: on success → cleared results returned with the authenticated ID; else → SO edits]
Rule Type Examples
• add_user user_name clique_name (Set-up)
• del_user user_name clique_name (Set-up)
• add_segment table.column segment_name (Set-up)
• del_segment table.column segment_name (Set-up)
• set_stat_only clique_name true/false (Pre)
• limit_queries_per_session x clique_name (Pre)
• limit_clique_to_segment clique_name segment_name (Pre)
• limit_min_rows_retrieved x clique_name (Post)
• limit_num_queries x segment_name (Post)
• validate_text table.column x good_words (Post)
• set_randomize_clique clique_name true/false (Post)
• set_randomize_segment segment_name true/false (Post)
Agent System Differences DBA/SO
Database administrator's agent:
• Be helpful to customer
• Tell customer about problems; query may be fixed
• Exploit DB meta-data
• Isolate transactions
• Ship result to customer
Security officer's agent:
• Be helpful to security officer
• Tell security officer about problems; security officer may contact customer
• Exploit customer information
• Use history of usage
• Ship result to security officer with result description (source, cardinality)
Finding: the differences are greater than we imagined initially.
Scalability
A security mediator
• Can handle multiple roles
– each role is defined by its set of rules
– rules and primitives are selected from a common base
• Can be replicated for distinct access types
– provides multiple ports in one firewall
– allows specialization among security officers
– can handle major policy distinctions
Security Mediator Benefits
• Dedicated to security task (may be multi-level secure)
• Uses only its rules and relevant functions, all directly; interaction with DB views and procedures
• Maintained by responsible authority: the security officer
• Policy setting independent of database(s) and DBA(s)
• Logs just those transactions that penetrate the firewall; records attempted violations independent of DB logs*
• Systems behind firewall need not be multi-level secure
• Databases behind firewall need not be perfect
* avoids DB logs that are also used for replication, recovery, warehousing
Implementations
• UNIX prototype
• UNIX - Java at Incyte Corporation [SST]
– protect medical & genomic information
• NT - Java development system
• In process
– Work on drawings, as aircraft specs
– Trusted image dissemination: wavelet-based decomposition to locate texts, then blank text frequency or extract for OCR
Effective Settings
• External access is a modest fraction of total use
(collaboration, government oversight, safety monitoring)
• Restructuring internal partitioning would induce significant inefficiencies
(for example, hospital: MD/patients vs. research/insurance)
• Errors are seriously embarrassing
(in practice 2-5% of data are misfiled; doing better is costly)
• Locus of control is needed
(security officer cannot trust/control DB / network admins)
TIHI Summary
Collaboration is an underemphasized issue, beyond encrypted transmits, firewalls, passwords, authentication.
There is a need for flexible, selective access to data without the risk of exposing related information in an enterprise.
In TIHI service is provided by the Security Mediator: a rule-based gateway processor of queries and results under control of a security officer who implements enterprise policies.
Our solution applies not only to Healthcare but equally to Collaborating (virtual) enterprises and in many Military situations.
Backup slides
TIHI processing
Rules for Security Mediators
• Stored in a database within the mediating processor
• Simple but comprehensive
• Default is paranoid
• Every query is checked against every query rule (pre-processing)
• Every result is checked against every result rule (post-processing)
• Rules can be modified at all times by the security officer (by experience, looking at patterns: importance of logs)
Rule Processing
Features:
• Paranoia: every applicable rule must be enforced for a query to be successful or a result to be releasable; else it is processed by the security officer (SO)
• Default: if no rule applies, then process by SO
• SO can pass, reject, or edit queries and results
• SO may inform customer; mediator will not
• All queries and results, successful or not, will be logged for audit
• Rules are stored in the mediator, with exclusive security access by the SO
The Rule Language
Goals:
• Simple and easy to formulate by the SO
• Easy to enter into the system and to observe
• Employs a collection of functions to provide comprehensive and adequate security
• Functions can exploit views
• Some functions provide text validation
• Some functions may need domain knowledge
The Rule Language - Features...
• Rules are categorized as:
– SET-UP (Maintenance)
– PRE-QUERY
– POST-QUERY
• Users are grouped into cliques to simplify rule management
• Tables and their columns are grouped into segments to simplify access management
Rules... (continued)
• limit_query_intersection_clique x clique_name (Post)
• limit_query_intersection_segment x segment_name (Post)
• secure_keyword_clique keyword clique_name (Post)
• secure_keyword_segment keyword segment_name (Post)
• limit_session_time x clique_name (Pre/Post)
• limit_user_hours_end x clique_name (Post)
• limit_segment_hours_start x segment_name (Pre)
• limit_user_hours_start x clique_name (Pre)
• limit_segment_hours_end x segment_name (Post)
• limit_function function_name clique_name (Pre/Post)
Security Table Definition
    CREATE TABLE security_rules (
        security_function char(32) NOT NULL,
        object_name       char(32) NOT NULL,
        object_value      char(32) NOT NULL);

Security Function         Object Name    Object Value
Limit_User                clique_name    user_name
Limit_Segment             segment_name   table.column
Stat_Only                 ALL/clique     true/false
Queries_Per_Session       ALL/clique     integer
Limit_Clique_To_Segment   ALL/clique     segment_name
Randomize_clique          ALL/clique     true/false
Randomize_Segment         ALL/segment    true/false
Security Table Definition... (continued)
Security Function           Object Name    Object Value
Validate_text               table.column   invalid_words
Min_Rows_Retrieved          ALL/clique     integer
Num_Queries_Segment         ALL/segment    integer
Query_Intersection_Clique   ALL/clique     integer
Query_Intersection_Segment  ALL/segment    integer
Secure_Keyword_Clique       ALL/clique     keyword
Secure_Keyword_Segment      ALL/segment    keyword
Session_Time                ALL/clique     TIME
User_Hours_Start            ALL/clique     start_time
User_Hours_End              ALL/clique     end_time
Segment_Hours_Start         ALL/segment    start_time
Segment_Hours_End           ALL/segment    end_time
Limit_Function_Clique       ALL/clique     function_name
Rule application - Overview
• Does customer belong to a clique? If yes, switch to it
• Does the customer clique satisfy all pre-query rules? (e.g., Session_Start, Stat_Only, Queries_Per_session)
• Do the columns and tables belong to a segment?
• Does the query satisfy all pre-query rules? (e.g., valid segments)
• Does query need re-phrasing or augmentation? (e.g., Stat_Only to detailed Select)
• Send query to appropriate database (or mediator)
• Does query result satisfy all post-query rules? (e.g., Min_Rows_Retrieved, Secure_Keyword_Clique)
• Apply any result transformation rules (e.g., random falsification of data, aggregation)
• Update log and internal statistics
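The rule application sequence above, as an added example that is not TIHI's own code: a small mediator runs the clique lookup, the per-session query limit, the segment check, the Stat_Only rephrasing and a Min_Rows_Retrieved post-check over constructed security_rules rows, referring anything not covered to the security officer and logging every decision. Representing a query as a dict of requested columns, rephrasing Stat_Only queries to count(*), and reading the row count of an aggregate result from its count cell are assumptions made here.

```python
from collections import defaultdict

# Constructed security_rules rows (security_function, object_name, object_value),
# in the layout of the Security Table Definition. Not TIHI's own rule set.
RULES = [
    ("Limit_User", "cdc_stats", "alice"),                   # alice belongs to clique cdc_stats
    ("Limit_Segment", "clinical", "patients.diagnosis"),     # segment clinical holds two columns
    ("Limit_Segment", "clinical", "patients.birth_weight"),
    ("Limit_Clique_To_Segment", "cdc_stats", "clinical"),
    ("Stat_Only", "cdc_stats", "true"),                      # clique may only see statistics
    ("Queries_Per_Session", "cdc_stats", "3"),
    ("Min_Rows_Retrieved", "ALL", "5"),                      # ALL: applies to every clique
]

def rules_for(function, name):
    """Values of all rows for this function that name this clique/segment or ALL."""
    return [v for f, n, v in RULES if f == function and n in (name, "ALL")]

class Mediator:
    def __init__(self):
        self.queries_this_session = defaultdict(int)
        self.log = []                                        # every decision is logged for audit

    def clique_of(self, user):
        return next((n for f, n, v in RULES if f == "Limit_User" and v == user), None)

    def pre_query(self, user, query):
        """Return ('pass', possibly rephrased query) or ('refer', query) for the SO."""
        clique = self.clique_of(user)
        if clique is None:                                   # no rule covers the user: paranoid default
            return self._decide(user, "refer", query, "no clique")
        self.queries_this_session[user] += 1
        if any(self.queries_this_session[user] > int(x) for x in rules_for("Queries_Per_Session", clique)):
            return self._decide(user, "refer", query, "query limit")
        allowed = {col for seg in rules_for("Limit_Clique_To_Segment", clique)
                   for col in rules_for("Limit_Segment", seg)}
        if not allowed or not set(query["columns"]) <= allowed:
            return self._decide(user, "refer", query, "column outside permitted segments")
        if "true" in rules_for("Stat_Only", clique):         # rephrase a detailed select to a count
            query = dict(query, columns=["count(*)"], aggregate=True)
        return self._decide(user, "pass", query, "pre-query rules satisfied")

    def post_query(self, user, query, rows):
        """Post-query check on database rows; an aggregate result carries its row count in the count cell."""
        clique = self.clique_of(user)
        n = rows[0][0] if query.get("aggregate") else len(rows)
        if any(n < int(m) for m in rules_for("Min_Rows_Retrieved", clique)):
            return self._decide(user, "refer", query, f"only {n} rows")[0]
        return self._decide(user, "pass", query, "post-query rules satisfied")[0]

    def _decide(self, user, status, query, reason):
        self.log.append((user, status, reason))
        return status, query
```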
Implementation
Set-up
• Security officer enters rules into a file
• Rule file is parsed to generate an SQL script that inserts rows into the security_rules table
• SQL script is executed against the database
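The set-up step above, as an added example that is not TIHI's own code: a parser for rule lines in the form of the Rule Type Examples that turns them into security_rules rows using the Security Table Definition mapping, rejects malformed rules, and emits the INSERT script. The positional argument order, '#' comments and the sample rule file are assumptions made here.

```python
# rule keyword -> (Security Function, position of object_name arg, position of object_value arg)
RULE_MAP = {
    "add_user": ("Limit_User", 1, 0),                            # add_user user_name clique_name
    "add_segment": ("Limit_Segment", 1, 0),                      # add_segment table.column segment_name
    "set_stat_only": ("Stat_Only", 0, 1),                        # set_stat_only clique_name true/false
    "limit_queries_per_session": ("Queries_Per_Session", 1, 0),  # limit_queries_per_session x clique_name
    "limit_clique_to_segment": ("Limit_Clique_To_Segment", 0, 1),
    "limit_min_rows_retrieved": ("Min_Rows_Retrieved", 1, 0),
    "secure_keyword_clique": ("Secure_Keyword_Clique", 1, 0),    # secure_keyword_clique keyword clique_name
    "limit_session_time": ("Session_Time", 1, 0),
}
INT_VALUED = {"Queries_Per_Session", "Min_Rows_Retrieved", "Session_Time"}
BOOL_VALUED = {"Stat_Only"}
FIELD_WIDTH = 32                                                 # char(32) NOT NULL in the table definition

def parse_rule_file(text):
    """Return [(security_function, object_name, object_value), ...]; reject malformed rules."""
    rows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()                      # assumption: '#' starts a comment
        if not line:
            continue
        keyword, *args = line.split()
        if keyword not in RULE_MAP or len(args) != 2:
            raise ValueError(f"line {lineno}: unknown rule or wrong number of arguments: {raw!r}")
        function, name_pos, value_pos = RULE_MAP[keyword]
        name, value = args[name_pos], args[value_pos]
        if function in INT_VALUED and not value.isdigit():
            raise ValueError(f"line {lineno}: {function} needs an integer, got {value!r}")
        if function in BOOL_VALUED and value not in ("true", "false"):
            raise ValueError(f"line {lineno}: {function} needs true/false, got {value!r}")
        if any(not 0 < len(f) <= FIELD_WIDTH for f in (function, name, value)):
            raise ValueError(f"line {lineno}: field longer than char({FIELD_WIDTH})")
        rows.append((function, name, value))
    return rows

def to_sql(rows):
    """Emit one INSERT per row; single quotes are doubled so a value cannot break the statement."""
    def q(s):
        return "'" + s.replace("'", "''") + "'"
    return "\n".join(
        f"INSERT INTO security_rules (security_function, object_name, object_value) "
        f"VALUES ({q(f)}, {q(n)}, {q(v)});" for f, n, v in rows)

SAMPLE_RULE_FILE = """\
# constructed sample rule file for a public-health statistics clique
add_user alice cdc_stats
add_segment patients.diagnosis clinical
limit_clique_to_segment cdc_stats clinical
set_stat_only cdc_stats true
limit_queries_per_session 20 cdc_stats
limit_min_rows_retrieved 5 cdc_stats
secure_keyword_clique HIV cdc_stats
"""

if __name__ == "__main__":
    print(to_sql(parse_rule_file(SAMPLE_RULE_FILE)))
```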
Implementation... (continued)
Customer Session Loop
• Security Mediator Workstation accepts the customer query, logs it, and passes control to the Security Mediator Software (SMS)
• SMS reads the security_rules table and calls many different modules (sub-routines) to validate the query (pre-query checks)
• If okay, SMS executes the query (embedded SQL calls)
• Mediator Workstation gets results from the database and calls other SMS modules to perform the post-query checks
• If all checks are passed, the Mediator Workstation logs and returns results; awaits another invocation
• Result is accepted by customer and used or displayed
System Operations
• Customer connects remotely, via firewall for authentication, to the security officer's machine
• Clique membership is assessed
• System prompts customer for query
• Query is parsed and validated against rules
• Validated query is sent to database system
• Results are retrieved and validated against rules
• Validated results are made available to customer