Intelligent Information Systems
9. Security Mediation
Gio Wiederhold
EPFL,
April-June 2000, at 14:15 - 15:15, room INJ 218
Schedule
Presentations in English -- but I'll try to manage discussions in French and/or German.
1. 13/4 Historical background, enabling technology: ARPA, Internet, DB, OO, AI, IR
2. 27/4 Search engines and methods (recall, precision, overload, semantic problems).
3. 4/5 Digital libraries, information resources. Value of services, copyright.
4. 11/5 E-commerce. Client-servers. Portals. Payment mechanisms, dynamic pricing.
5. 19/5 Mediated systems. Functions, interfaces, and standards. Intelligence in processing. Role of humans and automation, maintenance.
6. 26/5 Software composition. Distribution of functions. Parallelism. [ww D.Beringer]
7. 31/5 Application to Bioinformatics.
8. 15/6 Semantic Interoperation
9. 22/6 Privacy protection and security. Security mediation.
10. 29/6 Educational challenges. Expected changes in teaching and learning. Summary and projection for the future.
• Feedback and comments are appreciated.
7/26/2016
EPFL9security - Gio spring 2000
2
Components
• Reliability
– crucial base, but never perfect
• Security (focus here)
– definition of owners, objects, rights, boundaries
• Privacy protection
– prevention from public view of personal data*
– assurance of availability of public data*
* as deemed by the owner
Assurance of availability
An essential aspect of an open society
• permits false information to be distributed
– readers must be wary
– not everything on a computer screen is truth
– libel is hard, perhaps impossible to prevent legally
• Good stuff should be known to others
– defense against libel
• make your information at least as accessible as
libelous information -- perhaps use same terms
We should all live equally good/bad lives
FTC financial privacy [www.ftc.gov]
• Ontology: a common security language
– ISO 15408 June 1999
• international
– 13 countries – common, helpful for vendors
• Components
– functional reqs
– assurance reqs (7 levels SSC like)
– protection profiles (user need), security targets
Security: protection and assurance
Crucial progress in protection is being made:
• Remote Transmission
• Authentication
• Firewalls around domains
These protect against enemies. Much research is based on Cryptography.
Dominant approach for Data
• Authenticate Customer
• Validate query against database schema
• If both O.K., process query and ship results
[Figure: the customer's query passes through the firewall, with authentication, to a database access & authorization agent; the result is returned from the sources back through the firewall]
Remaining Issue:
Assuring Secure Collaboration
Not versus enemies,
but among colleagues and payers
who need to share some,
but not all information
Collaboration Needs:
Medical Records -- Insurance Company
Medical Records -- Medical Researchers
Manufacturer’s Specs -- Subcontractor
Intelligence Data -- Front-line soldier
The Gap: Assumption that
Access right = Retrievable data
• Access rights assume a certain partitioning of data
• Domain data are partitioned according to internal needs
• They only match in simple cases / artificial examples
[Figure: the same customer / firewall / authentication / database access & authorization agent diagram, annotated: data sources are rarely perfectly matched to all access rights]
False Assumption
Data in the files of an enterprise are organized according to external access rights.
This is inefficient and risky for an enterprise which uses information mainly internally and then must serve external needs.
Access Patterns versus Data:
[Figure: access patterns of Patient, Physician, Pharmacy, Inpatient, Ward staff, Laboratory staff, Laboratory, Clinics, Accounting, Accreditation, Billing, Insurance Carriers, CDC, etc. laid against the data]
Healthcare
Expected Problems
• Query cannot specify object precisely
– Relevant history for low-weight births (helpful database gets extra stuff)
• Objects (N) are not organized according to all possible access classifications (a) = (Na)
– Patients with heart problems, but not HIV
• Some objects cover multiple classes
– Patient with stroke and HIV
• Some objects are misfiled (happens easily to others); costly/impossible to guarantee avoidance
– Psychiatric data in patient with alcoholism
Securing Collaboration
[Figure: the Collaborator sends a source query to the Security Filter; the filter forwards a certified query to the Private Patient Data, receives the unfiltered result, writes Logs, and returns a certified result to the Collaborator]
Filling the Gap
Check the content of the result before it leaves the firewall.
[Figure: query and result pass through a security mediator (human & software agent module) at the firewall]
Security Mediator
• Software module, intermediate between "customers" and databases within firewall
• Resides on the security officer's machine (may have to be multi-level secure); accessed via firewall protection by customers
• Under control of security officer, via simple security-specific rules
• Performs bidirectional screening (queries and results)
Agents and Privacy
Agents help customers obtain information, but their help can create leaks.
We also need agents to protect information: results returned must still satisfy rules.
[Figure: the customer's query passes a protective agent at the firewall before reaching the helpful access agent at the source; the result returns the same way]
Security Officer
• Profile
– Human responsible for database security/privacy policies
– Must balance data availability vs. data security/privacy
• Tasks (current)
– Advises staff on how to try to follow policy
– Investigates violations to find & correct staff failures
– Currently has no tools
• Tasks (with mediators)
– Defines and enters policy rules in security mediator
– Monitors exceptions, especially violations
– Monitors operation, to obtain feedback for improvements
Assigning the Responsibility
• Database Administrator
– Can create views limiting access in RDBMSs
– Prime role is to assure convenient data access
• Network Administrator
– Can restrict incoming and outgoing IP addresses
– Prime role is to keep network up and connected to the Internet
• Specialist Security Officer
– Prime responsibility is security & privacy protection
– Implements security policy
– Interacts with database & network administrators
Example: Mediation for Privacy
Public Health Application
• CDC
– Needs valid statistical data
– No access to private data
• Security Mediator
– Owned by hospital security officer
– Screens query and result
– Default is manual operation
– Evolves by adding rules
• Physicians’ Databases (Private Patient Data)
– Valuable resources
– Need to be aggregated for significance
[Figure: CDC source query → Security Mediator (with Security Logs) → certified query → Physicians’ Databases; unfiltered result → Security Mediator → certified result → CDC]
Roles must be distinct
• Security officer manages security policy, not a computer specialist or database administrator.
• Computer specialist provides tools: agent workstation program for security mediation
• Healthcare institution defines policies; its security officer uses the program as the tool
• Tool provides logging for
– system improvements
– audit trail
– accountability
• Formalizes ad-hoc practices
Overall Schematic
[Figure: External Customer, Firewall, Security Officer's Mediator System, Database, Internal Customer, Network]
Security Officer Functions
Security Officer
• defines rules for pass-through of requests
• any request not covered by a rule is shown
• shown requests can be edited and passed (passed requests are moved to the base for execution)
• defines rules for pass-through of results
• any result not covered by a rule is shown
• shown results can be edited and passed (passed results are moved to the top and made available)
All actions are logged for periodic review
Gio Wiederhold TIHI Oct96 23
Rules implement policy
• Tight security policy:
– simple rules
– many requests/responses referred to security officer
– much information output denied by security officer
– low risk
– poor public and community physician relations
• Liberal but careful security policy:
– complex rules
– few requests/responses referred to security officer
– of remainder, much information output denied by security officer
– low risk
– good public and community physician relations
• Sloppy security policy:
– simple rules
– few requests/responses referred to security officer
– little information output denied by security officer
– high risk
– unpredictable public and community physician relations
Coverage of Access Paths
[Figure: Security officer, Security Mediator and Database administrator as successive controls on the access path to the Database, labelled: authentication-based good/bad control, prior use (good guy), security needs, DB schema-based control, good query O.K., ancillary information validated to be O.K., history, result is likely O.K., processable query, performance, function requests]
Hardware
• Computer workstation
– UNIX and NT implementation
– external access through firewall
• firewall can provide authentication
– internal access to database(s) that contain releasable information
• multi (two)-level security provision
– internal storage, inside firewall:
• rules defining cliques - external roles
• log of accepted and denied requests
• mediator software
Software Components
• Rule interpreter
• Primitives to support rule execution
• Rule maintenance tools
• Log analysis tool
• Firewall interface
• Domain database interface
• Logger
[Figure groups the components under service, maintenance and support]
Rule system
• Optional: without rules every interaction goes to the security officer (in & out)
• Creates efficiency: routine requests will be covered by rules: 80% of instances / 20% of types
• Assures security officer of control: rules can be incrementally added/deleted/analyzed
• Primitives simplify rule specification: source, transmit date/time, prior request, ...
Primitives
Selected by rule for various clique roles
• Allow / disallow values
• Allow / disallow value ranges
• Limit results to approved vocabulary
• Disallow output containing bad words
• Limit output to times, places
• Limit number of queries per period
• Extract words from images
• Etc.
• not yet: Noun phrase extraction and matching
Creating Wordlists
TIHI is Paranoid
• Text filtering primarily based on Good-word lists
– Created by processing examples of O.K.
responses
– augmented by terms found objectionable by
system but approved by security officer
• Future work
– use nounphrases to increase specificity
– image filtering
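As an added illustration of the good-word filtering described above (example code written for this page, not TIHI's own implementation): the list is built by processing approved responses, a validate_text check refers any result containing terms outside the list to the security officer, and terms the officer approves are added so the list evolves. The names GoodWordList and validate_text and the sample responses are constructed for this example.

```python
import re

WORD = re.compile(r"[a-z][a-z'-]*")   # letters only: numbers in statistical output are not vocabulary

def tokenize(text):
    return WORD.findall(text.lower())

class GoodWordList:
    """Approved vocabulary; any term outside it sends a result to the security officer."""

    def __init__(self, words=()):
        self.words = set(words)

    @classmethod
    def from_examples(cls, approved_responses):
        """Build the list by processing examples of O.K. responses."""
        wl = cls()
        for text in approved_responses:
            wl.words.update(tokenize(text))
        return wl

    def unknown_terms(self, text):
        return sorted(set(tokenize(text)) - self.words)

    def approve(self, terms):
        """Terms the system flagged but the security officer approved join the list."""
        self.words.update(t.lower() for t in terms)

def validate_text(text, wordlist):
    """Post-query primitive: ('release', []) or ('refer_to_SO', [unknown terms])."""
    unknown = wordlist.unknown_terms(text)
    return ("release", []) if not unknown else ("refer_to_SO", unknown)

# Constructed examples of responses the security officer has already cleared.
APPROVED_EXAMPLES = [
    "Patient count by ward: cardiology 12, oncology 8.",
    "Average length of stay in days for the cardiology ward is 4.2.",
    "Low birth weight admissions per month: 3, 5, 4.",
]

def demo():
    """One review cycle: a new term is referred, approved by the SO, then passes."""
    wl = GoodWordList.from_examples(APPROVED_EXAMPLES)
    first = validate_text("Low birth weight admissions stayed 5 days.", wl)   # 'stayed' is unknown
    wl.approve(["stayed"])                                                      # SO decides it is harmless
    second = validate_text("Low birth weight admissions stayed 5 days.", wl)
    return first, second

if __name__ == "__main__":
    print(demo())
```

The filter is deliberately paranoid: there is no stemming, so "stayed" is unknown even though "stay" is approved, and the security officer rather than the software decides whether to widen the vocabulary.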
Application of Rules
[Flowchart: the External Data Requestor's query arrives through the Firewall with an authenticated ID; Query Checking parses the query and applies the query rules (rule failure → error or customer advice; the SO may edit); Execute Query runs it against the data, using ancillary information; Result Checking applies the result rules (success → cleared results returned to the requestor with the authenticated ID; else → the SO, who may edit)]
Rule Type Examples
• add_user user_name clique_name (Set-up)
• del_user user_name clique_name (Set-up)
• add_segment table.column segment_name (Set-up)
• del_segment table.column segment_name (Set-up)
• set_stat_only clique_name true/false (Pre)
• limit_queries_per_session x clique_name (Pre)
• limit_clique_to_segment clique_name segment_name (Pre)
• limit_min_rows_retrieved x clique_name (Post)
• limit_num_queries x segment_name (Post)
• validate_text table.column x good_words (Post)
• set_randomize_clique clique_name true/false (Post)
• set_randomize_segment segment_name true/false (Post)
Agent System Differences DBA/SO
Helpful access agent (DBA side) versus protective agent (SO side):
• Be helpful to customer -- Be helpful to security officer
• Tell customer re problems, query may be fixed -- Tell security officer re problems, security officer may contact customer
• Exploit customer information
• Exploit DB meta-data
• Use history of usage
• Isolate transactions
• Ship result to customer with result description (source, cardinality) -- Ship result to security officer
Finding: the differences are greater than we imagined initially
A mediator is not just static software
[Figure: the mediator (Software & People: models, programs, rules, caches, ...) sits between an Application Interface, driven by changes of user needs, and Resource Interfaces (Owner/Creator, Maintainer, Lessor - Seller, Advertiser), driven by domain changes and resource changes]
Scalability
A security mediator
• Can handle multiple roles
– each role is defined by its set of rules
– rules and primitives are selected from a common base
• Can be replicated for distinct access types (specialization of S.O.s), in the same firewall
– provides multiple ports in one firewall
– allows specialization in security officers
– can handle major policy distinctions
Security Mediator Benefits
• Dedicated to security task (may be multi-level secure)
• Uses only its rules and relevant function, all directly, avoids interaction with DB views and procedures
• Maintained by responsible authority: the security officer
• Policy setting independent of database(s) and DBA(s)
• Logs just those transactions that penetrate the firewall, records attempted violations independent of DB logs*
• Systems behind firewall need not be multi-level secure
• Databases behind firewall need not be perfect
* also used for replication, recovery, warehousing
Implementations
• UNIX prototype
• UNIX - Java at Incyte Corporation [SST]
– protect medical & genomic information
• NT - Java development system
• partially completed; in process
– Work on Drawings, as Aircraft Specs
– Trusted Image Dissemination
• wavelet-based decomposition to locate texts,
then blank text frequency or
extract for OCR
Effective Settings
• External access is a modest fraction of total use
• Restructuring internal partitioning would induce significant inefficiencies
– collaboration, government oversight, safety monitoring
– for example: Hospital: MD/patients vs. research/insurance
• Errors are seriously embarrassing
– in practice 2-5% of data are misfiled, doing better is costly
• Locus of control is needed
– Security officer cannot trust/control DB / network admin’s
Paying for Security?
Nobody wants to pay much for something they
don’t expect to need and don’t understand !
– Security software is bought by system administrators to protect their position
– They do not try to understand security in depth
– They hence buy whatever is promised and cheap
– If there is a violation they can blame the vendor
• Effect: quality is not valued in the market
– poor environment for profiting from research
TIHI Summary
Collaboration is an underemphasized issue
beyond encrypted transmits, firewalls, passwords, authentication
There is a need for flexible, selective access to data
without the risk of exposing related information in an enterprise
In TIHI service is provided by the Security Mediator:
a rule-based gateway processor of queries and results
under control of a security officer who implements enterprise policies
Our solution applies not only to Healthcare
but equally to Collaborating (virtual) enterprises
and in many Military situations.
Backup slides
TIHI processing
Rules for Security Mediators
• Stored in a database within the mediating processor
• Simple but comprehensive
• Default is paranoid
• Every query is checked against every query rule (pre-processing)
• Every result is checked against every result rule (post-processing)
• Rules can be modified at all times by security officer (by experience, looking at patterns: importance of logs)
Rule Processing
Features:
• Paranoia: Every applicable rule must be enforced for a query to be successful or a result to be releasable, else process by the security officer (SO)
• Default: If no rule applies, then process by SO
• SO can pass, reject, or edit queries and results
• SO may inform customer, mediator will not
• All queries and results, successful or not, will be logged for audit
• Rules are stored in the mediator, with exclusive security access by the SO
The Rule Language
Goals:
• Simple and easy to formulate by the SO
• Easy to enter into the system and to inspect there
• Employs a collection of functions to provide comprehensive and adequate security
• Functions can exploit views
• Some functions provide text validation
• Some functions may need domain knowledge
The Rule Language - Features...
• Rules are categorized as:
– SET-UP (Maintenance)
– PRE-QUERY
– POST-QUERY
• Users are grouped into Cliques to simplify rule
management
• Tables and their columns are grouped into segments to
simplify access mgmnt
Rules... (continued)
• limit_query_intersection_clique x clique_name (Post)
• limit_query_intersection_segment x segment_name (Post)
• secure_keyword_clique keyword clique_name (Post)
• secure_keyword_segment keyword segment_name (Post)
• limit_session_time x clique_name (Pre/Post)
• limit_user_hours_end x clique_name (Post)
• limit_segment_hours_start x segment_name (Pre)
• limit_user_hours_start x clique_name (Pre)
• limit_segment_hours_end x segment_name (Post)
• limit_function function_name clique_name (Pre/Post)
Security Table Definition

CREATE TABLE security_rules (
    security_function char(32) NOT NULL,
    object_name       char(32) NOT NULL,
    object_value      char(32) NOT NULL);

Security Function          Object Name    Object Value
Limit_User                 clique_name    user_name
Limit_Segment              segment_name   table.column
Stat_Only                  ALL/clique     true/false
Queries_Per_Session        ALL/clique     integer
Limit_Clique_To_Segment    ALL/clique     segment_name
Randomize_clique           ALL/clique     true/false
Randomize_Segment          ALL/segment    true/false
Security Table Definition... (continued)

Security Function          Object Name    Object Value
Validate_text              table.column   invalid_words
Min_Rows_Retrieved         ALL/clique     integer
Num_Queries_Segment        ALL/segment    integer
Query_Intersection_Clique  ALL/clique     integer
Query_Intersection_Segment ALL/segment    integer
Secure_Keyword_Clique      ALL/clique     keyword
Secure_Keyword_Segment     ALL/segment    keyword
Session_Time               ALL/clique     TIME
User_Hours_Start           ALL/clique     start_time
User_Hours_End             ALL/clique     end_time
Segment_Hours_Start        ALL/segment    start_time
Segment_Hours_End          ALL/segment    end_time
Limit_Function_Clique      ALL/clique     function_name
Rule application - Overview
• Does customer belong to a clique? If yes, switch to it
• Does the customer clique satisfy all pre-query rules? (e.g., Session_Start, Stat_Only, Queries_Per_session)
• Do the columns and tables belong to a segment?
• Does the query satisfy all pre-query rules? (e.g., valid segments)
• Does query need re-phrasing or augmentation? (e.g., Stat_Only to detailed Select)
• Send Query to appropriate Database (or mediator)
• Does query result satisfy all post-query rules? (e.g. Min_Rows_Retrieved, Secure_Keyword_Clique)
• Apply any result transformation rules (e.g. random falsification of data, aggregation)
• Update log and internal statistics
Implementation
Set-up
• Security Officer enters rules into a file
• Rule file is parsed to generate a SQL script that inserts rows into the security_rules table
• SQL script is executed against the database
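A rule-file parser of the kind the Set-up steps describe, added here as an example (this is not the TIHI code). It accepts the two-argument rule syntax from the Rule Type Examples slides, maps each rule onto the security_rules row layout from the Security Table Definition slides, emits the SQL script, and also applies the same rows with bound parameters. The RULE_SPECS table (which argument becomes object_name and which object_value), the '#' comment convention, and the sample rule file are this example's assumptions.

```python
import sqlite3

# Rule keyword -> (security_function, index of the argument stored as object_name,
# index of the argument stored as object_value, value check). Assumed mapping for this example.
RULE_SPECS = {
    "add_user": ("Limit_User", 1, 0, None),           "del_user": ("Limit_User", 1, 0, None),
    "add_segment": ("Limit_Segment", 1, 0, None),     "del_segment": ("Limit_Segment", 1, 0, None),
    "set_stat_only": ("Stat_Only", 0, 1, {"true", "false"}),
    "limit_queries_per_session": ("Queries_Per_Session", 1, 0, int),
    "limit_clique_to_segment": ("Limit_Clique_To_Segment", 0, 1, None),
    "limit_min_rows_retrieved": ("Min_Rows_Retrieved", 1, 0, int),
    "limit_num_queries": ("Num_Queries_Segment", 1, 0, int),
    "secure_keyword_clique": ("Secure_Keyword_Clique", 1, 0, None),
    "secure_keyword_segment": ("Secure_Keyword_Segment", 1, 0, None),
    "limit_user_hours_start": ("User_Hours_Start", 1, 0, None),
    "limit_user_hours_end": ("User_Hours_End", 1, 0, None),
    "limit_function": ("Limit_Function_Clique", 1, 0, None),
}

RULES_DDL = """CREATE TABLE security_rules (
    security_function char(32) NOT NULL,
    object_name       char(32) NOT NULL,
    object_value      char(32) NOT NULL)"""

def parse_rule_file(text):
    """Rule file -> list of (action, security_function, object_name, object_value)."""
    ops = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # '#' starts a comment (example convention)
        if not line:
            continue
        keyword, *args = line.split()
        if keyword not in RULE_SPECS:
            raise ValueError(f"line {lineno}: unknown rule {keyword!r}")
        function, name_pos, value_pos, check = RULE_SPECS[keyword]
        if len(args) != 2:
            raise ValueError(f"line {lineno}: {keyword} takes 2 arguments, got {len(args)}")
        value = args[value_pos]
        if check is int and not value.isdigit():
            raise ValueError(f"line {lineno}: {keyword} needs an integer, got {value!r}")
        if isinstance(check, set) and value not in check:
            raise ValueError(f"line {lineno}: {keyword} needs one of {sorted(check)}, got {value!r}")
        action = "DELETE" if keyword.startswith("del_") else "INSERT"
        ops.append((action, function, args[name_pos], value))
    return ops

def check_rule_file(text):
    """Lint a rule file before the SO loads it; returns 'ok' or the first error message."""
    try:
        parse_rule_file(text)
        return "ok"
    except ValueError as e:
        return str(e)

def sql_literal(s):
    """Quote a string for the generated script; embedded single quotes are doubled."""
    return "'" + s.replace("'", "''") + "'"

def to_sql_script(ops):
    """The SQL script the slides describe, one statement per rule."""
    lines = []
    for action, fn, name, value in ops:
        if action == "INSERT":
            lines.append("INSERT INTO security_rules (security_function, object_name, object_value) "
                         f"VALUES ({sql_literal(fn)}, {sql_literal(name)}, {sql_literal(value)});")
        else:
            lines.append(f"DELETE FROM security_rules WHERE security_function = {sql_literal(fn)} "
                         f"AND object_name = {sql_literal(name)} AND object_value = {sql_literal(value)};")
    return "\n".join(lines)

def apply_ops(conn, ops):
    """Apply the same operations with bound parameters; returns the resulting row count."""
    for action, fn, name, value in ops:
        if action == "INSERT":
            conn.execute("INSERT INTO security_rules VALUES (?, ?, ?)", (fn, name, value))
        else:
            conn.execute("DELETE FROM security_rules WHERE security_function = ? "
                         "AND object_name = ? AND object_value = ?", (fn, name, value))
    return conn.execute("SELECT COUNT(*) FROM security_rules").fetchone()[0]

# Constructed rule file for a 'cdc' clique restricted to a 'stats' segment.
SAMPLE_RULE_FILE = """\
# statistical access for the CDC clique
add_user alice cdc
add_segment patients.ward stats
add_segment patients.diagnosis stats
limit_clique_to_segment cdc stats
set_stat_only cdc true
limit_queries_per_session 3 cdc
limit_min_rows_retrieved 5 cdc
secure_keyword_clique HIV cdc
"""

def load_sample():
    """Fresh in-memory security_rules table plus the parsed sample operations."""
    conn = sqlite3.connect(":memory:")
    conn.execute(RULES_DDL)
    return conn, parse_rule_file(SAMPLE_RULE_FILE)

if __name__ == "__main__":
    conn, ops = load_sample()
    print(to_sql_script(ops))
    print("rows:", apply_ops(conn, ops))
```

Generating a script is what the slides describe; apply_ops shows the equivalent with bound parameters, which is the form to prefer when the loader runs unattended, since a rule value containing a quote then cannot alter the statement.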
Implementation... (continued)
Customer Session Loop
• Security Mediator Workstation accepts the customer query, logs it, and passes control to the Security Mediator Software (SMS)
• SMS reads the security_rules table and calls many different modules (sub-routines) to validate the query (pre-query checks)
• If okay, SMS executes the query (Embedded SQL calls)
• Mediator Workstation gets results from the database and calls other SMS modules to perform the post-query checks
• If all checks are passed, the Mediator Workstation logs and returns results; awaits another invocation
• Result is accepted by customer and used or displayed
System Operations
• Customer connects remotely, via firewall for authentication, to security officer's machine
• Clique membership is assessed
• System prompts customer for query
• Query is parsed and validated against rules
• Validated query is sent to database system
• Results are retrieved and validated against rules
• Validated results are made available to customer