
Page 1:

Gio CS Forum Oct01

Gio Wiederhold
1. Stanford University CSD (mostly), www-db.stanford.edu/people/gio.html
2. Symmetric Security Technologies, www.2ST.com

TIHI: Protecting Information when Access is Granted for Collaboration

Page 2:

Information for Collaboration

Figure: information held by one party that another party needs
• Strategic Data → Allied Forces
• Intelligence Data → Front-line soldier
• Operational Data → Logistics Provider
• Business Vendor Content → Customer
• Medical Records → Medical Researchers
• Medical Records → Insurance Company
• Manufacturer's Specs → Subcontractor

Page 3:

Access Patterns versus Data

Figure (slide from Gio Wiederhold, TIHI, Oct 96): hospital data partitions (Laboratory, Billing, Accounting, Pharmacy, Clinics, Inpatient, etc.) overlaid by the access patterns of Patient, Physician, Insurance Carriers, Laboratory staff, Ward staff, Medical Research, Accreditation and CDC, which do not line up with the partitions.

Page 4:

Primitive and Safe: Isolation

• Airgaps
• Discretionary security
• Mandatory security

• No communication among disjoint systems
• All sharing of information by data re-entry

Page 5:

Automation of Sharing

• Multi-level secure (MLS) system
  – Involves OS and DBMS
  – Programmed (trusted) read up / write down permitted
  – Complex: hard and lengthy (1 year+) to validate

Page 6:

MLS problem: inconsistency

Figure: the Secret level, separated from the levels below it

• Information at each level is incomplete
  – Make up cover stories?
• OK for enemies
• Not acceptable for our own staff/soldiers

Page 7:

Multi-computer system approach

• Uses more computers – they are cheap now
• Secure communication
  – typically manually monitored
• Avoids complexity and lags of MLS systems
  – Validation in communication portals

Page 8:

Security and Cryptography

• Encryption is essential
  – Hides information from enemies
  – Isolates layers from each other
  – Allows shared use of communication paths
• Encryption is not the solution, only a tool
  – Isolated data do not provide information
  – Software processes clear data
  – Software is too large and dynamic to validate in a timely way
  – 95% of failures are people failures

No obvious solution: new thinking needed

Page 9:

False Assumption

Data in the files of an enterprise are organized according to external access rights.

Inefficient and risky for an enterprise which uses information mainly internally and then must serve external needs.

Page 10:

The Gap: Assumption that Access right = Retrievable data

• Access rights assume a certain partitioning of data
• Enterprise data are partitioned for internal needs
• Partitions only match in simple cases / artificial examples

Figure: customer → authentication (firewall) → query → database access & authorization agent → result; data sources are rarely perfectly matched to all access rights.

Page 11:

Technical Access Problems: Military

• More direct connectivity creates risks: `disintermediation'
• Query cannot specify the object precisely: `Causes for low unit readiness?' (helpful database gets extra stuff)
• Objects (N) are not organized according to all possible access classifications (a) = (N × a): `Problems with ship propulsion, but not propellers'
• Some objects cover multiple classes: `Units in Persian Gulf?'
• Some objects are misfiled (happens easily to others); costly/impossible to guarantee avoidance: Intel data in operational mission file

Page 12:

Technical Access Problems: Health Care

• Queries do not specify the object precisely: relevant history for low-weight births (helpful database gets extra stuff)
• Objects (N) are not organized according to all possible access classifications (a) = (N × a): nursing hierarchy by bed and ward; infectious disease hierarchy by risk
• Some objects cover multiple classes: patient with stroke and HIV
• Some objects are misfiled (happens easily to others); costly/impossible to guarantee avoidance: psychiatric data in patient with alcoholism

Page 13:

Access Rights/Needs Overlap

Figure: overlapping access needs of Logistics, Warfighters, Intel, PR, Allies, NCA, COTS, JC

Page 14:

Security Objective in Collaboration?

Prevent Inappropriate Disclosure of Information!

This differs from preventing access to computers and information, as is needed to protect from invaders and hackers.

ACCESS CONTROL is based on metadata: descriptions and labels, set a priori, are checked.

RELEASE CONTROL also sees contents: it works also when metadata cannot / does not adequately describe the content information.

Page 15:

Dominant approach for Data

• Authenticate customer in firewall
• Validate query against database schema
• If both O.K., process query and ship results

Figure: customer → authentication (firewall) → query → database access & authorization agent → sources → result

Page 16:

Today: Many Coalitions

Foreign: NATO, +, British, French, Kosovo IFOR, ...

• Each has its own, intersecting requirements
• Discretionary access at lower levels
  – Policies for dozens of countries controlling release of data and metadata
• Many duplicated systems
  – High rate of information transfer among them
  – Excessive load creates high error rates
  – Difficult to protect from hackers and enemies

Page 17:

Changing Security Protection

Yesterday | Today
Internal focus: access is granted to trusted employees only | External focus: payors, suppliers, customers and prospects all need some form of access
Centralized assets: applications and data are centralized in fortified IT bunkers | Distributed assets: applications and data are distributed across servers, locations, and business units
Prevent losses: the goal of security is to protect against confidentiality breaches | Generate revenue: the goal of security is to enable e-Commerce & collaboration
IT control: DB/network manager decides who gets access | Local control: functional units need the authority to grant access

Page 18:

Access right = Retrievable data

• Access rights assume a certain partitioning of data
• Domain data are partitioned according to internal needs
• They only match in simple cases / artificial examples

Figure: customer → authentication (firewall) → query → database access & authorization agent → result; data sources are rarely perfectly matched to all access rights.

Page 19:

Symmetric Solution

Symmetric checking of both access to data and the subsequent release of data:

• Access control with authentication and authorization of collaborators upon entry
• Content-based release filtering of data when exiting the secure perimeter

Page 20:

Filling the Gap

Figure: the query enters through the firewall; the result is checked before it leaves the firewall.

Check the content of the result before it leaves the firewall.

Security mediator: human & software agent module

Page 21:

Security Mediator

• Dedicated hardware plus software module, intermediate between "customers" and databases within the firewall
• A modern tool for the security officer, accessed via firewall protection by customers (or collaborators) with assigned roles
• Managed by the security officer, via simple security-specific rules that match filters to roles
• Performs symmetric screening (queries and results)

Page 22:

Result Checking

is understood and performed today in many non-computerized settings:

• Briefcases are inspected when leaving secure facilities
• Computers cannot be taken out of (nor into) SCIFs
• Vehicles are inspected also on exiting warehouses with valuable contents

Computer security system requirements have been modeled poorly with respect to such practice.

Page 23:

Overall Schematic

Figure: the External Customer reaches the Database only through the Firewall and the Security Officer's Mediator System; the Internal Customer reaches the Database over the internal Network.

Page 24:

Hardware

• Computer workstation
  – UNIX and NT implementation
  – External access through the firewall → the firewall can provide authentication
  – Internal access to database(s) that contain releasable information → multi (two)-level security provision
  – Internal storage, inside the firewall:
    • rules defining cliques – external roles
    • log of accepted and denied requests
    • mediator software

Page 25:

Software Components

Service:
• Rule interpreter
• Primitives to support rule execution

Maintenance:
• Rule maintenance tools
• Log analysis tool

Support:
• Firewall interface
• Domain database interface
• Logger

C++ and Java implementations

Page 26:

Rule Processing

Features:
• Paranoia: every applicable rule must be enforced for a query to be successful or a result to be releasable, else it is processed by the security officer (SO)
• Default: if no rule applies, then process by SO
• SO can pass, reject, or edit queries and results
• SO may inform the customer; the mediator software will not
• All queries and results, successful or not, are logged for audit
• Rules are stored within the mediator, with exclusive security access by the SO

Page 27:

The Rule Language

Goals:
• Simple and easy to formulate by the SO
• Easy to enter into and observe in the system
• Employs a collection of primitive functions to provide comprehensive and adequate security
• Functions can exploit views in an RDBMS
• Some rule functions provide text validation
• Some functions may need domain knowledge
  – Functions to process manufacturing designs
  – Functions to extract text from images

Page 28:

Rule Organization

• Rules are categorized as:
  – SET-UP (maintenance)
  – PRE-QUERY
  – POST-PROCESSING
• External, authenticated users are grouped into cliques to simplify rule management
• Tables and their columns are grouped into segments to simplify access management
• Rules use primitives supplied by specialists

Page 29:

Primitives

Selected by rule for various clique roles:
• Allow / disallow values
• Allow / disallow value ranges
• Limit results to approved good-word lists
• Disallow output containing bad words
• Limit output to specified times, places
• Limit number of queries per period
• Can augment queries for result filtering
• Etc.

Page 30:

Content primitives tested in TIHI*

• Check against a good-word dictionary
  – dictionary created by processing OK records
• Check against a bad-word dictionary
  – less paranoid, less secure; used by Net-nanny etc.
• Check for seeded entries in high-value files
  – password files
• Check for patterns in personal data
  – credit cards, email addresses
• Check cell count in statistical results
  – at query time, append a COUNT request
• Extraction of text from images
  – for further filtering

*NSF/NIH funded HPCC projects

Page 31:

Creating Wordlists

TIHI is paranoid:

• Result filtering is primarily based on good-word lists
  – created by processing examples of OK responses
  – augmented dynamically by terms found objectionable by the system but approved by the security officer
• Current work
  – image filtering, to omit and extract text from images
• Possible future work
  – use noun phrases to increase specificity

Page 32:

Filtering of text

Not perfect:
• Words out of context can pass the filter
  – ophthalmology: don't pass names: Iris Smith
  – risk reduces rapidly with multiple words
• Can never have all good words in the list
  – load for the security officer: seek a balance
• Cost: all of the contents must be processed
  – good technology from spell checkers
  – domain-specific word lists are modest in size
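The content primitives of pages 30 through 32, and the persistent approval of page 55, in one working filter. This is an added example and not TIHI's code: the approved responses, bad words and seeded entries are constructed here, the names ResultFilter, build_good_words and luhn_ok are my own, and the Luhn check is added so that arbitrary digit runs (dates, record ids) are not reported as card numbers. The approved texts are ophthalmology notes, so the word "iris" is a good word and the name Iris Smith shows the out-of-context weakness: "iris" passes, only "smith" is caught.

```python
import re
from dataclasses import dataclass, field

# Constructed sample data: records a security officer has already cleared. The good-word
# list is derived from them, as the slides describe ("created by processing OK records").
APPROVED_RESPONSES = [
    "Patient presents with glaucoma of the left eye; intraocular pressure elevated.",
    "Follow-up visit: iris normal, cornea clear, prescribed timolol drops.",
    "Cataract surgery scheduled; no complications noted.",
]
# Constructed bad-word list: the less paranoid, Net-nanny style check.
BAD_WORDS = {"hiv", "psychiatric", "alcoholism"}
# Constructed seeded entries: values planted in high-value tables; if one appears in a
# result, the result touched data that must never leave, whatever the rest looks like.
SEEDED_ENTRIES = {"zz-canary-7731", "seed.user@example.invalid"}

WORD_RE = re.compile(r"[A-Za-z][A-Za-z'-]*")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for plausible card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def build_good_words(approved_texts):
    """Every word of an approved response becomes a good word (lower-cased)."""
    words = set()
    for text in approved_texts:
        words.update(w.lower() for w in WORD_RE.findall(text))
    return words


@dataclass
class ResultFilter:
    good_words: set
    bad_words: set = field(default_factory=set)
    seeded: set = field(default_factory=set)

    def check(self, text: str) -> dict:
        """Return the findings; a result is releasable only when every list is empty."""
        tokens = [w.lower() for w in WORD_RE.findall(text)]
        lowered = text.lower()
        findings = {
            "unknown": sorted({t for t in tokens if t not in self.good_words}),
            "bad": sorted({t for t in tokens if t in self.bad_words}),
            "seeded": sorted(s for s in self.seeded if s in lowered),
            "patterns": [("email", m) for m in EMAIL_RE.findall(text)],
        }
        for m in CARD_RE.findall(text):
            if luhn_ok(re.sub(r"\D", "", m)):
                findings["patterns"].append(("card", m))
        return findings

    def releasable(self, text: str) -> bool:
        f = self.check(text)
        return not (f["unknown"] or f["bad"] or f["seeded"] or f["patterns"])

    def approve(self, words):
        """SO passes a result: its flagged words join the list, so the approval persists."""
        self.good_words.update(w.lower() for w in words)


if __name__ == "__main__":
    flt = ResultFilter(build_good_words(APPROVED_RESPONSES), BAD_WORDS, SEEDED_ENTRIES)
    print(flt.check("Iris Smith, HIV positive, card 4111 1111 1111 1111, zz-canary-7731"))
```

Anything the good-word list does not know goes to the security officer rather than to the customer, which is the paranoid default the slides insist on; the bad-word, seeded-entry and pattern checks are independent of the list and stay decisive even after the officer has approved a word.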

Page 33:

Rules implement policy

• Tight security policy
  – simple rules
  – many requests/responses referred to the security officer
  – much information output denied by the security officer
  – low risk
  – poor public and community-physician relations
• Liberal but careful security policy
  – complex rules
  – few requests/responses referred to the security officer
  – of the remainder, much information output denied by the security officer
  – low risk
  – good public and community-physician relations
• Sloppy security policy
  – simple rules
  – few requests/responses referred to the security officer
  – little information output denied by the security officer
  – high risk
  – unpredictable public and community-physician relations

Page 34:

Security requires attention

• The security officer's focus is security
  – not so for a computer system designer,
  – nor a database or network administrator,
  – nor for management.
• Having and owning the tool enables the role
• The security mediator provides logging for
  – a focused audit trail
  – system improvements
  – accountability
• Must be able to deal effectively with exceptions, else it encourages bypassing security without logging.

Page 35:

Responsibility Assignment

• Database administrator
  – Primary task: assure availability of data
  – Provides helpful services, e.g. broadening a search: risk
• Network administrator
  – Primary task: keep the network running: transparent
• System administrator
  – Buys a glossy product to escape responsibility
• Security officer
  – Not in the loop, no tools
  – Investigates violations, takes the blame for failures

Needs tools as well

Page 36:

Coverage of Access Paths

Figure: three layers of control over a request. Authentication-based control (the firewall) establishes a good guy; DB schema-based control (the database administrator, driven by performance and function requests) establishes a good, processable query whose result is likely OK; the Security Mediator (the security officer, driven by security needs, using the history of prior use and ancillary information) validates the result to be OK.

Page 37:

Rule system

• Optional: without rules every interaction goes to the security officer (in & out)
• Creates efficiency: routine requests will be covered by rules: 80% of instances / 20% of types
• Gives control to the security officer: rules can be incrementally added/deleted/analyzed
• Primitives simplify rule specification: source, transmit date/time, prior request, ...

Page 38:

Benign and ID areas in an X-ray

Benign is defined positively:
a. value range
b. good-word list
else it is potentially bad (paranoid default)

Integrated IDs are crucial for practice (40% of X-rays are lost)

Page 39:

Application of Rules

Figure: the external data requestor presents an authenticated ID through the firewall; the query is parsed, then checked against the rules; on success it is executed and the results are checked; cleared results go back through the firewall. Otherwise the query or result goes to the SO, who edits it, advises the customer, or records a rule failure/error. Ancillary information is available to the checks.

Page 40:

Security Officer

• Profile
  – Human responsible for database security/privacy policies
  – Must balance data availability vs. data security/privacy
• Tasks (current)
  – Advises staff on how to try to follow policy
  – Investigates violations to find & correct staff failures
  – Has currently no computer-aided tools
• Tasks (with mediators)
  – Defines and enters policy rules in the security mediator
  – Monitors exceptions, especially violations
  – Monitors operation, to obtain feedback for improvements

Page 41:

Roles

The security officer manages security policy, not a computer specialist or database administrator.

The computer specialist provides the tools: the agent workstation program for security mediation.

The enterprise / institution defines policies; its security officer (SO) uses the program as the tool.

The tool formalizes system practices; the rules, managed by the SO, define the practice.

Page 42:

Assigning the Responsibility

• Database administrator
  – Can create views limiting access in RDBMSs
  – Prime role is to assure convenient data access
• Network administrator
  – Can restrict incoming and outgoing IP addresses
  – Prime role is to keep the network up and connected to the Internet
• Specialist security officer
  – Prime responsibility is security & privacy protection
  – Implements security policy
  – Interacts with database & network administrators

Page 43:

Hypothetical benefits: Prevents

1. Secure data being inadvertently shipped to an insecure backup by a trusted user
2. HIV symptoms being shown to a cardiac researcher
3. US managers obtaining EU-restricted personnel data
4. Misclassified data being released at a low level
5. Credit card numbers being released when a false customer appears to get an MP3 song
6. Passwords being transmitted to a hacker when access control failed

Page 44:

Figure: External Requestors send the original request through the Firewall to the Security Mediator (with its Logs and the S.O.); the certified query goes to an Integrating Mediator over the Protected, Shared Databases; the unfiltered result returns to the Security Mediator, and the certified result goes back to the requestor. Internal Requestors reach the Integrating Mediator directly.

Multiple internal sources are covered.

Page 45:

Implementations

• UNIX prototype
• UNIX – Java at Incyte Corporation [SST]
  – protect medical & genomic information
• NT – Java development system
• Primitives for drawings, such as aircraft specs
• Trusted image dissemination
  – wavelet-based decomposition to locate text
  – extract for OCR
  – blank the text frequencies if the text is not found in the good-word rules

Page 46:

Effective Settings

• External access is a modest fraction of total use
  – collaboration, government oversight, safety monitoring
• Restructuring internal partitioning would induce significant inefficiencies
  – for example, a hospital: MD/patients vs. research/insurance
• Errors are seriously embarrassing
  – in practice 2-5% of data are misfiled; doing better is costly
• A locus of control is needed
  – the security officer cannot trust/control DB / network admins

Page 47:

Intrusion detection – two-level

Figure: a stream of information produces events; observations (initial, continuing) build a model of normal behavior; events are compared against the model, and the outcome is to monitor, assess, or stop.

Page 48:

TIHI Summary

Avoids the (often false) assumption that access rights match data organization.

Collaboration is an underemphasized issue, beyond encrypted transmission, firewalls, passwords, authentication.

There is a need for flexible, selective access to data without the risk of exposing related information in an enterprise.

In TIHI the service is provided by the Security Mediator: a rule-based gateway processor of queries and results under control of a security officer who implements enterprise policies.

Our solution has been applied to healthcare; it is also relevant to collaborating (virtual) enterprises and in many military situations.

Page 49:

Security Mediator Benefits

• Dedicated to the security task (may be multi-level secure)
• Uses only its rules and relevant functions, all directly; avoids interaction with DB views and procedures
• Maintained by the responsible authority: the security officer
• Policy setting independent of database(s) and DBA(s)
• Logs just those transactions that penetrate the firewall; records attempted violations independent of DB logs*
• Systems behind the firewall need not be multi-level secure
• Databases behind the firewall need not be perfect

* DB logs are also used for replication, recovery, warehousing

Page 50:

Backup

Page 51:

Security officer screen

Page 52:

Patient's own data screen

Page 53:

Part of patient result

Page 54:

Disallowed result

Page 55:

Security officer reaction

Choices:
1. Reject result
2. Edit result
3. Pass result (& update the list of good-words, making the approval persistent)

Page 56:

Security Table Definition (continued)

Security Function | Object Name | Object Value
Validate_text | table.column | invalid_words
Min_Rows_Retrieved | ALL/clique | integer
Num_Queries_Segment | ALL/segment | integer
Query_Intersection_Clique | ALL/clique | integer
Query_Intersection_Segment | ALL/segment | integer
Secure_Keyword_Clique | ALL/clique | keyword
Secure_Keyword_Segment | ALL/segment | keyword
Session_Time | ALL/clique | TIME
User_Hours_Start | ALL/clique | start_time
User_Hours_End | ALL/clique | end_time
Segment_Hours_Start | ALL/segment | start_time
Segment_Hours_End | ALL/segment | end_time
Limit_Function_Clique | ALL/clique | function_name

Page 57:

Rule application – Overview

• Does the customer belong to a clique? If yes, switch to it
• Does the customer clique satisfy all pre-query rules? (e.g., Session_Start, Stat_Only, Queries_Per_session)
• Do the columns and tables belong to a segment?
• Does the query satisfy all pre-query rules? (e.g., valid segments)
• Does the query need re-phrasing or augmentation? (e.g., Stat_Only to detailed Select)
• Send the query to the appropriate database (or mediator)
• Does the query result satisfy all post-query rules? (e.g., Min_Rows_Retrieved, Secure_Keyword_Clique)
• Apply any result transformation rules (e.g., random falsification of data, aggregation)
• Update log and internal statistics

Page 58:

Implementation

Set-up:
• Security officer enters rules into a file
• Rule file is parsed to generate an SQL script to insert rows into the security_rules table
• SQL script is executed against the database

Page 59:

Implementation (continued)

Customer session loop:
• Security Mediator Workstation accepts the customer query, logs it, and passes control to the Security Mediator Software (SMS)
• SMS reads the security_rules table and calls many different modules (sub-routines) to validate the query (pre-query checks)
• If okay, SMS executes the query (embedded SQL calls)
• Mediator Workstation gets results from the database and calls other SMS modules to perform the post-query checks
• If all checks are passed, the Mediator Workstation logs and returns the results; awaits another invocation
• Result is accepted by the customer and used or displayed

Page 60:

System Operations

• Customer connects remotely, via the firewall for authentication, to the security officer's machine
• Clique membership is assessed
• System prompts the customer for a query
• Query is parsed and validated against rules
• Validated query is sent to the database system
• Results are retrieved and validated against rules
• Validated results are made available to the customer
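The session loop of pages 57 through 60 with the rule-processing semantics of page 26, run end to end against a security_rules table shaped like the definition on page 56. This is an added example, not the TIHI mediator: the patient table, cliques, segments and rule rows are constructed; the query parser is a deliberately narrow regular expression standing in for the real parser; the per-period query counter is an in-memory dictionary; and only five of the table's functions (User_Hours_Start/End, Num_Queries_Segment, Min_Rows_Retrieved, Secure_Keyword_Clique) are implemented. Requests are either released or referred to the SO; the SO's own pass/edit/reject step is not modelled. The COUNT augmentation is run before any row is fetched, so the cell-count rule is applied to the same selection the customer asked for.

```python
import re
import sqlite3
from datetime import datetime


# Constructed toy data: a small hospital table, clique and segment maps, and a security_rules
# table whose function names follow the slide's table definition. Schema and rows are assumptions.
def setup_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
      CREATE TABLE patients(id INTEGER, ward TEXT, diagnosis TEXT, note TEXT);
      INSERT INTO patients VALUES
        (1,'W1','stroke','recovering'), (2,'W1','stroke','stable'), (3,'W1','stroke','stable'),
        (4,'W2','hiv','psychiatric review pending'), (5,'W2','stroke','stable');
      CREATE TABLE cliques(requester TEXT, clique TEXT);
      INSERT INTO cliques VALUES ('alice','researchers'), ('bob','insurers');
      CREATE TABLE segments(segment TEXT, tbl TEXT, col TEXT);
      INSERT INTO segments VALUES ('clinical','patients','ward'), ('clinical','patients','diagnosis');
      CREATE TABLE security_rules(func TEXT, obj TEXT, val TEXT);
      INSERT INTO security_rules VALUES
        ('User_Hours_Start',      'researchers', '08:00'),
        ('User_Hours_End',        'researchers', '18:00'),
        ('Num_Queries_Segment',   'clinical',    '3'),
        ('Min_Rows_Retrieved',    'researchers', '3'),
        ('Secure_Keyword_Clique', 'researchers', 'hiv'),
        ('Secure_Keyword_Clique', 'researchers', 'psychiatric');
      CREATE TABLE log(ts TEXT, requester TEXT, query TEXT, outcome TEXT, detail TEXT);
    """)
    return db


# Only this query shape is accepted: a column list, one table, optionally one equality test.
# Anything else is unparsed and goes to the SO. Every name that is interpolated back into SQL
# is first checked against the segments table, so no requester-controlled text reaches the DB.
SELECT_RE = re.compile(
    r"^\s*SELECT\s+([\w\s,]+?)\s+FROM\s+(\w+)(\s+WHERE\s+(\w+)\s*=\s*'[\w ]*')?\s*;?\s*$", re.I)
queries_used: dict = {}  # (requester, segment) -> queries issued in the current period


def mediate(db, requester, query, now="12:00"):
    """Return ('RELEASE', rows) or ('REFER', reason). Every applicable rule must pass and at
    least one rule must apply; otherwise the request is referred to the security officer."""
    def log_entry(outcome, detail):
        db.execute("INSERT INTO log VALUES(?,?,?,?,?)",
                   (datetime.now().isoformat(), requester, query, outcome, detail))

    def refer(reason):
        log_entry("REFER", reason)
        return ("REFER", reason)

    row = db.execute("SELECT clique FROM cliques WHERE requester=?", (requester,)).fetchone()
    if row is None:
        return refer("requester in no clique")
    clique = row[0]
    m = SELECT_RE.match(query)
    if not m:
        return refer("query not in accepted form")
    cols = [c.strip() for c in m.group(1).split(",")]
    table, where, where_col = m.group(2), m.group(3) or "", m.group(4)
    seg_of = {(t, c): s for s, t, c in db.execute("SELECT segment, tbl, col FROM segments")}
    if any((table, c) not in seg_of for c in cols + ([where_col] if where_col else [])):
        return refer("column outside every segment")
    segs = {seg_of[(table, c)] for c in cols}
    rules = db.execute("SELECT func, obj, val FROM security_rules").fetchall()

    def vals(fn, obj):
        return [v for f, o, v in rules if f == fn and o == obj]

    applied = 0
    # Pre-query rules on the clique
    start, end = vals("User_Hours_Start", clique), vals("User_Hours_End", clique)
    if start and end:
        applied += 1
        if not (start[0] <= now <= end[0]):
            return refer("outside permitted hours")
    # Pre-query rules on every segment the query touches; a query costs budget even if refused later
    for s in segs:
        for limit in vals("Num_Queries_Segment", s):
            applied += 1
            if queries_used.get((requester, s), 0) >= int(limit):
                return refer(f"query budget for segment {s} exhausted")
    for s in segs:
        queries_used[(requester, s)] = queries_used.get((requester, s), 0) + 1
    # Augmentation: a COUNT over the same selection drives the cell-count rule before rows are fetched
    n = db.execute(f"SELECT COUNT(*) FROM {table}{where}").fetchone()[0]
    for min_rows in vals("Min_Rows_Retrieved", clique):
        applied += 1
        if n < int(min_rows):
            return refer(f"only {n} rows; small cells identify individuals")
    rows = db.execute(f"SELECT {', '.join(cols)} FROM {table}{where}").fetchall()
    # Post-query rules: content this clique must never see, checked on the actual result
    for kw in vals("Secure_Keyword_Clique", clique):
        applied += 1
        if any(kw in str(cell).lower() for r in rows for cell in r):
            return refer(f"result contains secure keyword {kw!r}")
    if applied == 0:
        return refer("no rule applies")
    log_entry("RELEASE", f"{len(rows)} rows")
    return ("RELEASE", rows)


if __name__ == "__main__":
    db = setup_db()
    print(mediate(db, "alice", "SELECT ward, diagnosis FROM patients WHERE ward='W1'"))
    print(mediate(db, "alice", "SELECT diagnosis FROM patients"))
```

Every path through mediate writes exactly one log row, successful or not, so the SO's audit trail is independent of the database's own logs, as page 49 requires; and a query whose columns fall in no segment, or whose form the parser does not accept, is referred rather than executed, which is the page 26 default.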

Page 61:

Benign and ID areas in an X-ray (repeat of page 38)

Page 62:

Processing Flow

Page 63:

Source X-ray image (whitened to protect privacy for this presentation)

Page 64:

Wavelet decomposition

Page 65:

Candidate text areas

Page 66:

Extracted textual fields (blackened to protect privacy for this presentation)

Page 67:

OCR conversion & analysis

• Name: not in good-list, not approved
• Error in OCR: not in good-list, not approved

Page 68:

Reconstituted image: identification area blurred by removing high-frequency components

Page 69:

Removal of identifiers from an MRI image

Page 70:

Chest X-ray
