Jeremy Hilton & Pete Burnap, {Jeremy.hilton, p.burnap}@cs.cardiff.ac.uk
Self Protecting Information for De-perimeterised Electronic Relationships (SPIDER)
The way people work is changing: Web 2.0 technology and cloud computing are supporting and driving a collaborative, on-demand culture.
Virtual Organisations (VOs) are frequently used to support collaborative, distributed working:
Government services (Transformational Government)
Medical (patient records)
Research (e-Research)
Inter-disciplinary organisations contribute content; others have access to that content.
With the change to UK Data Protection law meaning Government data controllers face civil action as well as financial penalties following a data breach, what is the impact of current information security limitations?
Information needs to be shared to support collaborative working, but the risk of sharing information appears very high considering the latest data losses (UK HMRC, 25 million records).
As a result, HMRC has completely locked down its systems when it comes to taking data outside the perimeter.
“In relation to rights, the Government believes piracy of intellectual property for profit is theft and will be pursued as such through the criminal law. The civil infringement of taking someone else’s intellectual property or passing it on to others through file-sharing without any compensating payment is, in plain English, wrong. However, the Government also believes, and the evidence suggests, that most people, given a reasonable choice would much prefer not to do wrong or break the law…”
“Personal data is the new currency of the digital world. Privacy and security of that data is an increasingly critical issue. The Information Commissioner is developing a new Code of Practice “Personal Information Online” for publication later this year. The Prime Minister has appointed Sir Tim Berners-Lee to form a panel of experts to deliver better use of public data. Effective self-regulation is also vital…”
#2 Define the information architecture
Zone model developed to control information sharing between G8 countries; Business Impact Levels added.
Secured: The most secured area within the architecture. Access should be limited to highly trusted principals. Information access limited to named principals only.
External Secured: Similar to the Secured zone but owned and operated by a business partner. The trust relationship between Org X and the business partner is stronger than in the Restricted zones. Information assets distributed to named individuals only.
Restricted: The next higher level of security above Controlled. Access is restricted to authenticated users or processes. Most data processing and storage occurs here. Information access limited to pre-defined groups made up of authenticated principals.
External Restricted: Similar to the Restricted zone but owned and operated by a business partner. The trust relationship is stronger than that in the External Controlled zone. Information access limited to groups of authenticated principals.
Controlled: Where the lowest levels of control are applied to manage information assets, with the prime goals of managing availability and compliance.
External Controlled: Similar to the Controlled zone but owned and operated by an external organisation.
Uncontrolled (Public): The uncontrolled environment outside the control of Org X.
Managed: Belongs to IT and is used to administer servers, network devices and other managed devices. May be implemented with secure sessions (SSH), separate out-of-band networks, or greater controls on admin devices.
Attribution: The Open Group
Traditional access control is applied:
• at or within a network perimeter;
• to the entire resource.
Information is often required to be shared outside the perimeter (in VOs) for collaboration.
Information resources are often made up of content with varying access control requirements.
What are the issues?
• Persistent control of information
• Changes/differences in access control requirements: intellectual property (research data); data in the cloud
• Changes/differences in data protection requirements: confidentiality (medical record); commercial data (financial report)
Encryption can be used, but once keys are shared the data controller loses persistent control of the shared information under the traditional model.
Entire-resource protection means all information in the resource is controlled in accordance with the highest-level requirement, under a single label.
Both reduce the potential for information sharing and collaboration.
SPIDER is concerned with the accurate, distributed, auditable and persistent control of information in collaborative working environments (VOs).
It considers the following issues:
• How can you protect shared information to the required level of granularity, and in such a way that you can modify access privileges at any time, even after the information has left the perimeter?
• How can you provide information on the access controls granted, and on the people in possession of the information, at any point in time following a data breach?
• How can you make a case for prosecution against a malicious individual who has misused your information?
SPIDER aims to break down the information content within a single resource, classify the content based on its protection requirements, and communicate the control requirements:
• Icon-based labelling
• Human- and machine-readable controls
• Security labels based on the classification added to the content as metadata
• Labels bound to a centralised access control policy for the resource
• Content encrypted and distributed
• Information accessed using an on-demand secure access client
• Access privileges and current information holders auditable
Adapting the Creative Commons approach for information classification and control
Creative Commons:
• A set of licences that are flexible enough to let you place as many or as few restrictions on your work as you like
• Expressed in 3 different formats:
• Lawyer-readable
• Human-readable
• Machine-readable
• www.creativecommons.org
SPIDER:
• A set of classifications that are flexible enough to enable you to define and communicate the controls to be applied to your information
• May be combined with Creative Commons licences
• Expressed in 3 different formats: Security Officer-readable, Human-readable, Machine-readable
Classification dimensions: Confidentiality, Authentication, Use, Integrity
Labels:
CA – Community Access
RA – Restricted Access
PI – Personal Information
OO – Organisation Only
ND – Non-Disclosure
CG – Corporate Governance
SD – Safe Disposal
CU – Controlled Until
AB – Authorised By
ND – Non-Derivatives (Creative Commons)
BY – Attribution (Creative Commons)
AD – Approved for Disclosure
OA – Open Access
Restricted Access (RA)
The information is restricted to the nominated recipients.
The owner of the information will nominate the authorised recipients.
The owner may delegate responsibility for nominating authorised recipients.
Personal Information (PI)
The information contains personal information and consideration must be made before sharing the information.
This classification is likely to be used in conjunction with other labels such as
Binding Policy to data and technical implementation
<Document Identifier>
<serverLocation> Web address of the Access Request Web Service </serverLocation>
<content label="Classification-X"> ... </content>
<content label="Classification-Y"> ... </content>
<content label="Classification-Z"> ... </content>
Each section of classified content is wrapped in its own XML element (the <content> element). Each such element has a "label" attribute whose value is the classification label assigned to that section.
The access control tables in the access control database, located on the server side (the information controller), hold user identity details alongside the list of classification labels the user is permitted to access.
Because of the structured nature of the document, the content held between <content>…</content> elements can be accessed by a user only if their document-specific access privileges contain the label representing that content's classification.
Encrypted Content (the document identifier and server location are left unencrypted; the classified content is encrypted):
<Classification Level X> Identity Details </Classification Level X>
<Classification Level Y> Medical History </Classification Level Y>
<Classification Level Z> Current Medication </Classification Level Z>
.....
Architecture (diagram): the Information Controller hosts the Access Request Web Service, the Access Control DB (Document Access Control Tables: one document-specific table per Document Identifier, holding User ID Details and Doc-Specific Access Privileges), the Cryptography Key DB (Document Identifier to Doc-Specific Crypto Key) and the PKI. The Client runs the SPIDER Application, holding the Shared Content (encrypted) and the User Certificate.
Access flow:
• The SPIDER Application sends the Document Identifier and User ID Details (User Certificate) to the Access Request Web Service.
• The web service verifies the user against the PKI and looks up the document-specific table for that Document Identifier.
• If User Verification = TRUE, it returns the user's Doc-Specific Access Privileges together with the Doc-Specific Crypto Key from the Cryptography Key DB.
• The SPIDER Application then:
• applies the Doc-Specific crypto key (decrypt);
• parses the information for content tagged with labels contained in the Access Privileges;
• displays the unrestricted content to the user.
Collaborator example: the encrypted content holds <Classification Level X> Identity Details, <Classification Level Y> Medical History and <Classification Level Z> Current Medication. A collaborator who receives the decrypt key and access privileges for Classification X & Z sees Identity Details and Current Medication displayed; Medical History (Classification Y) is not displayed.
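The binding and access flow above, as an added Python illustration (not the SPIDER project's own code): a constructed document in the labelled-section layout is encrypted under one document-specific key held by an information controller, the controller keeps a per-document table of user to permitted labels plus an audit log, and a client requests key and privileges, decrypts, and shows only the sections whose labels it was granted. Assumptions: an HMAC-SHA256 keystream with an HMAC tag stands in for AES-GCM so the block runs on the standard library alone; a user id string plus a boolean stands in for the PKI certificate check; single-letter labels and the element name documentIdentifier are chosen here, not taken from the page.

```python
"""Illustration of the SPIDER binding model (added example, not project code).
Stand-ins: HMAC-SHA256 keystream + HMAC tag instead of AES-GCM; a verified flag
instead of a real PKI certificate check; constructed sample document below."""
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """PRF-based keystream: HMAC(key, nonce || counter) blocks (AES-CTR stand-in)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(key, nonce || ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag before using the ciphertext; any modification is rejected."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("document authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# Constructed sample document in the labelled-section layout (assumed element names).
SAMPLE_XML = """<document>
<documentIdentifier>doc-001</documentIdentifier>
<serverLocation>https://controller.example/access</serverLocation>
<content label="X">Identity Details: J. Smith</content>
<content label="Y">Medical History: asthma</content>
<content label="Z">Current Medication: salbutamol</content>
</document>"""


class InformationController:
    """Server side: crypto key DB, document access control tables, audit log."""

    def __init__(self):
        self.keys = {}      # document id -> document-specific key
        self.tables = {}    # document id -> {user id -> set of permitted labels}
        self.audit = []     # (event, document id, user id, labels)

    def publish(self, doc_id: str, xml_text: str, privileges: dict) -> bytes:
        """Generate the doc-specific key, record the policy, return the encrypted document."""
        self.keys[doc_id] = os.urandom(32)
        self.tables[doc_id] = {u: set(labels) for u, labels in privileges.items()}
        return encrypt(self.keys[doc_id], xml_text.encode())

    def set_privileges(self, doc_id: str, user: str, labels) -> None:
        """Modify the central policy after distribution (grant, reduce or revoke)."""
        self.tables[doc_id][user] = set(labels)
        self.audit.append(("policy-change", doc_id, user, tuple(sorted(labels))))

    def access_request(self, doc_id: str, user: str, verified: bool):
        """Access Request Web Service: key + privileges only if the user verifies."""
        labels = self.tables.get(doc_id, {}).get(user, set())
        if not verified or not labels:
            self.audit.append(("denied", doc_id, user, ()))
            return None
        self.audit.append(("granted", doc_id, user, tuple(sorted(labels))))
        return self.keys[doc_id], set(labels)

    def holders(self, doc_id: str):
        """Who has been granted access to this document, and to which labels."""
        return [(u, l) for e, d, u, l in self.audit if e == "granted" and d == doc_id]


def client_view(ctrl: InformationController, doc_id: str, user: str,
                blob: bytes, verified: bool = True):
    """SPIDER client: request key + privileges, decrypt, show only permitted labels."""
    grant = ctrl.access_request(doc_id, user, verified)
    if grant is None:
        return None
    key, labels = grant
    root = ET.fromstring(decrypt(key, blob).decode())
    return [(c.get("label"), c.text) for c in root.findall("content")
            if c.get("label") in labels]


if __name__ == "__main__":
    ctrl = InformationController()
    blob = ctrl.publish("doc-001", SAMPLE_XML, {"alice": "XZ", "bob": "Y"})
    print(client_view(ctrl, "doc-001", "alice", blob))   # X and Z sections
    ctrl.set_privileges("doc-001", "alice", "X")           # revoke Z after release
    print(client_view(ctrl, "doc-001", "alice", blob))   # X only
    print(ctrl.holders("doc-001"))                         # audit: who held what
```

Two points the example makes concrete. First, the same encrypted file shows a collaborator less after a policy change at the controller, which is the "modify access privileges after it has left the perimeter" property, and the audit log answers "who held which labels" at any later time. Second, with a single document-specific key the label filter is enforced by the SPIDER client, not by the cryptography: anyone who obtains the key and the ciphertext can read every section. Encrypting each classification's sections under its own key, and releasing only the keys matching the granted labels, would make the per-label restriction hold even against a hostile client.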
Very similar to the DRM model, except that content can be controlled at different levels of restriction, and the policy is bound to a central point of control and can be modified at a later date.
DRM is quite often seen as a "disabler". This approach is positioned very much as an "enabler", but a transparent one: a model that supports secure information sharing through auditability and transparency of action.
The persistent link to a central point of control allows audit to determine who had access privileges at the point of information misuse.
In addition, this allows modifications to be recorded.
Absolute security is arguably impossible to achieve. This approach supports modifiable controls on distributed information and transparent capture of information modification actions.
It is positioned in the collaborative, distributed working domain to assist organisations such as Government departments to work securely and collaboratively.
Data misuse can be traced, reported and dealt with: arguably more "appropriate technical and organisational measures" than currently exist.
This makes it viable for data controllers to share information.
Developed by Shada Al-Salamah as part of an MSc project
Avon & Somerset Criminal Justice Board - PRIMADS
Multi-agency environment: Police, Courts Service, Probation Service, lawyers, Social Services, Health, etc.
Offender management: privacy issues in data shared during arrest, prosecution and detention, and on release under licence.
Changing individuals' behaviour such that the need for safe handling of information is understood and accepted, and controls are agreed and applied, because the individuals choose to, not because they are told to.
ASCJS workshops confirmed the usefulness of the scenario-based risk assessment and of the icon-based approach for communicating controls.
They identified a number of additional benefits that contributed to an increased understanding of the distributed community and the need for controls.
In addition, participants expressed an interest in the ability to implement a technical solution providing fine-grained access to data sharing in a collaborative, distributed environment.