Self-Protecting Information for De-Perimeterised Electronic Relationships


This presentation describes the results of a project (SPIDER) that has developed a proof-of-concept for fine-grained information access control, and communication of controls using a concept derived from Creative Commons called Protective Commons.

Published in: Business, Technology

  1. 1. Self Protecting Information for De-perimeterised Electronic Relationships (SPIDER). Jeremy Hilton & Pete Burnap {Jeremy.hilton}{p.burnap}
  2. 2. • The way people work is changing
        • Web 2.0 technology and Cloud computing are supporting/driving a collaborative, on-demand culture
        • Virtual Organisations are frequently used to support collaborative, distributed working
            • Government Services (Transformational Government)
            • Medical (Patient Records)
            • Research (e-Research)
        • Inter-disciplinary organisations contribute content, others have access to the content
  3. 3. • With the change to UK Data Protection laws meaning Government Data Controllers face civil action as well as financial penalties following a data breach, what is the impact of current information security limitations?
        • Information needs to be shared to support collaborative working, but the risk of sharing information appears very high considering the latest data losses (UK HMRC 25 million records)
        • As a result HMRC have completely locked down their systems when it comes to taking data outside the perimeter
  4. 4. “In relation to rights, the Government believes piracy of intellectual property for profit is theft and will be pursued as such through the criminal law. The civil infringement of taking someone else’s intellectual property or passing it on to others through file-sharing without any compensating payment is, in plain English, wrong. However, the Government also believes, and the evidence suggests, that most people, given a reasonable choice would much prefer not to do wrong or break the law…”
  5. 5. “Personal data is the new currency of the digital world. Privacy and security of that data is an increasingly critical issue. The Information Commissioner is developing a new Code of Practice “Personal Information Online” for publication later this year. The Prime Minister has appointed Sir Tim Berners-Lee to form a panel of experts to deliver better use of public data. Effective self-regulation is also vital…”
  6. 6. #2 Define the information architecture
  7. 7. Developed to control information sharing between G8 countries, Business Impact levels added.
  8. 8. • External Secured: This zone is similar to the secured zone but is owned and operated by a business partner. The trust relationship between the Org X and the business partner is stronger than in the restricted zones. Information Assets: Distributed to named individuals only.
        • Secured: This zone is the most secured area within the architecture. Access should be limited to highly trusted principals. Information Access limited to named principals only.
        • External Restricted: Similar to Restricted Zone but owned/operated by a business partner. The trust relationship is stronger than that in the External Controlled Zone. Information Access limited to Groups of authenticated principals.
        • Restricted: The restricted Zone is the next higher level of security above Controlled. Access is Restricted to authenticated users or processes. Most data processing and storage occurs here. Information Access limited to pre-defined groups made up of authenticated principals.
        • External Controlled: Similar to Controlled Zone but owned/operated by an external organisation.
        • Controlled: This is where the lowest levels of control are applied to manage Information Assets with the prime goals of managing Availability and Compliance.
        • Uncontrolled (Public): The uncontrolled environment outside the control of Org X.
        • Managed: Belongs to IT and is used to administer servers, network devices and other managed devices. May be implemented with secure sessions (SSH), separate out of band networks or greater controls on Admin devices.
  9. 9. Attribution: The Open Group
  10. 10. • Traditional access control applied:
              • At or within a network perimeter
              • To the entire resource
          • Information often required to be shared outside of the perimeter (in VOs) for collaboration
          • Information resources often made up of content with varying access control requirements
          • What are the issues?
              • Persistent control of information
              • Changes/Differences in Access Control Requirements
                  • Intellectual Property (Research Data)
                  • Data in the cloud
              • Changes/Differences in Data Protection Requirements
                  • Confidentiality (Medical Record)
                  • Commercial Data (Financial Report)
  11. 11. • Encryption can be used but once keys are shared, data controller loses persistent control of shared information using the traditional model
          • Entire resource protection means all information is controlled in accordance with the highest level requirement and with an individual label
          • Both reduce the potential for information sharing and collaboration
  12. 12. • SPIDER is concerned with the accurate, distributed, auditable and persistent control of information in collaborative working environments (VOs)
          • Considers the following issues:
              • How can you protect shared information to the required level of granularity and in such a way that you can modify access privileges at any time, even after it has left the perimeter?
              • How can you provide information related to access controls granted and people in possession of information at any point in time following a data breach?
              • How can you make a case for prosecution against a malicious individual who has misused your information?
  13. 13. • SPIDER aims to break down information content within a single resource and classify the content based on protection requirements, and communicate the control requirements:
              • Icon-based labelling
              • Human- and machine-readable controls
          • Security labels based on the classification added to the content as metadata
          • Labels bound to a centralised access control policy for the resource
          • Content encrypted and distributed
          • Information accessed using an on-demand secure access client
          • Access privileges and current information holders auditable
  14. 14. Adapting the creative commons approach for information classification and control
  15. 15. • A set of licenses that are flexible enough to let you add as many or as few restrictions on your work as you like
          • Expressed in 3 different formats:
              • Lawyer-readable
              • Human-readable
              • Machine-readable
  16. 16. • A set of classifications that are flexible enough to enable you to define and communicate the controls to be applied to your information
          • May be combined with creative commons licenses
          • Expressed in 3 different formats:
              • Security Officer-readable
              • Human-readable
              • Machine-readable
  17. 17. Confidentiality / Use
              • RA – Restricted Access
              • PI – Personal Information
              • OO – Organisation Only
              • ND – Non-Disclosure
              • CA – Community Access
              • CG – Corporate Governance
              • OA – Open Access
              • SD – Safe Disposal
              • CU – Controlled Until
          Authentication
              • AD – Approved for Disclosure
              • BY – Attribution cc
          Integrity
              • AB – Authorised By
              • ccND – Non-Derivatives
  18. 18. Restricted Access
          • The information is restricted to the nominated recipients
          • The owner of the information will nominate the authorised recipients
          • The owner may delegate responsibility for nominating authorised recipients
  19. 19. Personal Information
          • The information contains personal information and consideration must be made before sharing the information
          • This classification is likely to be used in conjunction with other labels such as cc
  20. 20. Binding Policy to data and technical implementation
  21. 21. Unencrypted:
              <Document Identifier>
              <serverLocation> Web address of Access Request Web Service
          Encrypted:
              <content label="Classification-X"> Each section of classified content will be wrapped in an XML nest with its own parent element (the <content> bit). Each parent element has a “label” attribute, with a value representing the classification label assigned to that section </content>
              <content label="Classification-Y"> The access control tables in the access control database, located on the “server-side” (the information controller) contain user identity details alongside a list of classification labels the user is permitted to access </content>
              <content label="Classification-Z"> Because of the structured nature of the document, all content held between the <content>…</content> elements can only be accessed by a user if their document-specific access privileges contain the label representing the content classification
  22. 22. Encrypted Content
              <Classification Level X> Identity Details </Classification Level X>
              <Classification Level Y> Medical History </Classification Level Y>
              <Classification Level Z> Current Medication </Classification Level Z>
              .....
  23. 23. [Diagram labels: Information Controller; Client; SPIDER Application; Access Request Web Service; Shared Content; Content (Encrypted); Document Identifier; User ID Details; Crypto Key DB; Access Control DB; PKI User Certificate]
  24. 24. [Diagram labels: Information Controller; Document Access Request Web Service; Access Control DB; Access Control Tables; Doc-Specific Table; Cryptography Key DB; Document Identifier; User ID Details; If User Verification = TRUE; Doc-Specific Access Privileges; Doc-Specific Crypto Key]
  25. 25. Client SPIDER Application (inputs: Content, Doc-Specific Key, Doc-Specific Access Privileges)
          • Apply Doc-Specific crypto key (Decrypt)
          • Parse information for content tagged with labels contained in the Access Privileges
          • Display unrestricted content to user
  26. 26. Collaborator
          • Encrypted Content:
              <Classification Level X> Identity Details </Classification Level X>
              <Classification Level Y> Medical History </Classification Level Y>
              <Classification Level Z> Current Medication </Classification Level Z>
              .....
          • Decrypt key & access privileges, e.g. Access to: Classification X & Z
          • Information Displayed: Identity Details, Current Medication
  27. 27. • Very similar to DRM model, except that content can be controlled at different levels of restriction and the policy is bound to a central point of control and can be modified at a later date
          • DRM is quite often seen as a “disabler”. This approach is positioned very much as an “enabler”, but a transparent one. A model that supports secure information sharing through auditability and transparency of action
          • The persistent link to a central point of control allows audit to determine who had access privileges at the point of information misuse.
          • In addition, this allows modifications to be recorded
  28. 28. • Absolute security is arguably impossible to achieve
          • This approach supports modifiable controls on distributed information and transparent capture of information modification action
          • It is positioned in the collaborative, distributed working domain to assist organisations such as Government departments to work securely and collaboratively
          • Data misuse can be traced, reported and dealt with. Arguably more “appropriate technical and organisational measures” than currently exist
          • Makes it viable for data controllers to share information
  30. 30. Developed by Shada Al-Salamah as part of an MSc Project
  31. 31. Developed by Shada Al-Salamah as part of an MSc Project
  32. 32. Developed by Shada Al-Salamah as part of an MSc Project
  33. 33. Developed by Shada Al-Salamah as part of an MSc Project
  34. 34. Avon & Somerset Criminal Justice Board - PRIMADS
  35. 35. • Multi-Agency environment
              • Police
              • Courts Service
              • Probation Service
              • Lawyers
              • Social Services
              • Health, etc
          • Offender management
          • Privacy issues in data shared during arrest, prosecution and detention
          • Release under licence
  36. 36. • Changing individuals’ behaviour such that:
              • the need for safe handling of information is understood & accepted; and
              • controls agreed and applied
          • Because the individuals choose to, not because they are told to.
  39. 39. • ASCJS workshops confirmed the usefulness of the scenario-based risk assessment and icon-based approach for communicating controls
          • Identified a number of additional benefits that contributed to an increased understanding of the distributed community and the need for controls
          • In addition, they expressed an interest in the ability to implement a technical solution to provide fine-grained access to data-sharing in a collaborative, distributed environment
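
The access flow of slides 21 to 26 and the audit claim on slide 27, as an added example that is not code from the SPIDER project: a central controller holds per-document label privileges and an audit log, and the client shows only the `<content>` sections whose label it has been granted. The `<document>` root, its `id` attribute, the class and function names and the sample data are assumptions of this example, and the encryption step is left out.

```python
import xml.etree.ElementTree as ET

# Constructed sample: <serverLocation>/<content label> follow slide 21, section
# texts follow slide 26; the <document> root and its id attribute are assumed.
DOC = """<document id="doc-001">
  <serverLocation>https://controller.example/access</serverLocation>
  <content label="X">Identity Details</content>
  <content label="Y">Medical History</content>
  <content label="Z">Current Medication</content>
</document>"""

class InformationController:
    """Server side: doc-specific access privileges plus an append-only audit log."""
    def __init__(self):
        self.acl = {}    # (doc_id, user_id) -> set of permitted labels
        self.audit = []  # (seq, event, doc_id, user_id, labels); seq stands in for time

    def _log(self, event, doc_id, user_id, labels):
        self.audit.append((len(self.audit), event, doc_id, user_id, frozenset(labels)))
        return len(self.audit) - 1

    def set_privileges(self, doc_id, user_id, labels):
        """Grant, change or revoke (empty set) privileges; returns the audit seq."""
        self.acl[(doc_id, user_id)] = set(labels)
        return self._log("policy-change", doc_id, user_id, labels)

    def request_access(self, doc_id, user_id):
        """Stand-in for the Access Request Web Service; unknown users get no labels."""
        labels = self.acl.get((doc_id, user_id), set())
        self._log("access", doc_id, user_id, labels)
        return set(labels)

    def privileges_at(self, doc_id, user_id, seq):
        """Audit query: labels this user held at audit position seq."""
        held = [ls for s, ev, d, u, ls in self.audit
                if s <= seq and ev == "policy-change" and (d, u) == (doc_id, user_id)]
        return set(held[-1]) if held else set()

def render(doc_xml, controller, user_id):
    """Client side: fetch current privileges, return only the permitted sections."""
    root = ET.fromstring(doc_xml)
    granted = controller.request_access(root.get("id"), user_id)
    return [c.text for c in root.iter("content") if c.get("label") in granted]

if __name__ == "__main__":
    ctl = InformationController()
    ctl.set_privileges("doc-001", "collaborator", {"X", "Z"})
    print(render(DOC, ctl, "collaborator"))
    ctl.set_privileges("doc-001", "collaborator", {"X"})  # changed after distribution
    print(render(DOC, ctl, "collaborator"))
```

As on slide 25, the client decrypts the whole document with the doc-specific key before filtering by label, so the per-section restriction holds only as long as the client application itself is trusted.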