Palantir Access Control

Speaker notes
  • Mention that it is possible to have no access; gesture at picture
  • Mention note, media, link; pimp white video; mention that we only need to consider properties as representative component from now on
  • Transition: “Suppose Bob, who has full access to the database, resolves these two objects”
  • Note that the discovery message does not mention Age

1. Palantir Access Control
Bob McGrew, Director of Engineering
© 2008 Palantir Technologies Inc. All rights reserved.
2. Secure Information Integration
• Imagine you have two data sources:
  – Profiles database
    • Name, address, e-mail address
    • Accessible to all analysts
  – E-mail message database
    • Accessible only to a small group A of analysts
• Goals
  – Allow all analysts to use profiles information for analysis
  – Integrate the e-mails with the profiles information for group A
  – Analysts who cannot access the e-mail database learn no more than what they could find out from the profiles database alone
3. Secure Information Discovery
• Another scenario:
  – Profiles database
    • Name, address, e-mail address
    • Accessible to all analysts
  – E-mail message database
    • Accessible only to a small group A of analysts
• Goals
  – Allow analysts not in A access to the e-mail data only if they can show that they need to know it
  – Analysts not in A can learn that there is additional information available for a particular profile, but no details
4. Overview
• Palantir Access Control
  – Guarantees confidentiality, integrity, and auditing
  – Enables secure information integration and discovery
• In this talk
  – Security and Data Models
  – Security Guarantees
  – Two applications of our guarantees
    • Confidentiality Under Resolution (CUR)
    • Confidentiality Under Discovery (CUD)
6. Security Definitions
• Group
  – Set of users
  – A user can belong to multiple groups
• Permissions (ordered)
  – Discovery (d)
  – Read (r)
  – Write (w)
  – Ownership (o)
• Access Control Item (ACI)
  – (Group, Permissions) pair
• Access Control List (ACL)
  – Set of ACIs
Diagram: ACL 1 contains ACI 101: (Group A, dr) and ACI 102: (Group B, drw). The users shown are Alice, Bob and Carol, members of Group A and Group B.
7. Object Model
• Data Source
  – Single source of data to Palantir
  – Examples: documents, Excel files, databases
• Object
  – Single entity, event, or document
• Property
  – Piece of information about an Object
• Data Source Record (DSR)
  – Ties a Property to a Data Source
  – Each Property has one or more DSRs
  – Each DSR has an ACL, derived from its Data Source
Diagram: an Object (Type = Entity) with two Properties. Name = “Mike Fikri” has two DSRs, one from the Data Source profiles.xls (ACL 1) and one from email.msg (ACL 2); Age = 32 has a single DSR, from email.msg (ACL 2).
8. Security & Data Model
• DSR-centric, not Object-centric
• All sensitive data lives on Properties
• A Property can be read if any of its DSRs can be read
Diagram: the same Object as on slide 7 (Name = “Mike Fikri” with DSRs under ACL 1 and ACL 2; Age = 32 with one DSR under ACL 2).
9. Discovery
• An organization may want to make sensitive data available only to those who can show that they need to know about it
• Searches can yield discovery results that carry only the data source name and its discovery message
• Objects viewed in the Browser may also carry discovery messages
10. Discovery
• Each data source has a discovery message
  – e.g., “To acquire permission to data from profiles.xls, please contact John Doe.”
• Object load
  – Removes all DSRs for which the user has only discovery permissions
  – For each removed DSR, returns instead the Discovery Message for its Data Source
• Search
  – Returns a Discovery Message if the query would have matched had the user held read instead of discovery permissions
11. Overview (agenda repeated; next section: Security Guarantees)
12. Security Guarantees
• Confidentiality
  – Cannot read a Property without read permissions to one of its DSRs
  – Cannot read a DSR without read permissions
  – Cannot discover the existence of a Property without discovery permissions to one of its DSRs
• Integrity
  – Cannot edit a Property without write permissions to one of its DSRs
  – Cannot change the ACL on a DSR without ownership permissions
• Auditing
  – Every action is logged and attributed to the user who performed it
13. Untrusted Client
• The Palantir Security Model makes no assumptions about the client
• Security guarantees hold under:
  – Normal operation of Palantir Workspace
  – Abnormal operation of Palantir Workspace
  – Arbitrary calls against our public API
• Assumptions:
  – Attacker cannot directly connect to the database
  – Attacker does not have physical access to the server
14. Access Control by Data Sources
• Access control is based on data sources
  – Tied to objects and properties through DSRs
• Suppose instead that access controls were per-object
  – No fine-grained control
  – Cannot perform resolution across data sources
15. Overview (agenda repeated; next section: Confidentiality Under Resolution)
16. Confidentiality Under Resolution (CUR)
• Two Data Sources: A and B
• Analyst has read access to Data Source A
• Analyst has no access to Data Source B
• The following two cases must be indistinguishable to the analyst:
  1. Data Source A imported alone
  2. Data Sources A and B imported and resolved together
17. CUR Example: Pre-Resolution
Alice’s permissions: ACL 1 read, ACL 2 none.
Diagram: two separate Objects (Type = Entity). The first has Property Name = “Mike Fikri” with a DSR from profiles.xls (ACL 1). The second has Properties Name = “Mike Fikri” and Age = 32, each with a DSR from email.msg (ACL 2).
18. CUR Example: Post-Resolution
Diagram: the two Objects resolved into one Object (Type = Entity). Name = “Mike Fikri” now has two DSRs, from profiles.xls (ACL 1) and email.msg (ACL 2); Age = 32 has one DSR, from email.msg (ACL 2).
19. CUR Example: Post-Resolution
Alice’s permissions: ACL 1 read, ACL 2 none.
Diagram: the resolved Object from slide 18 (Name = “Mike Fikri” with DSRs under ACL 1 and ACL 2; Age = 32 with one DSR under ACL 2).
20. Object Load Satisfies CUR
• Returns the readable projection of the Object
• No sensitive data stored directly on the Object (e.g., a creation time)
• Randomized IDs
Diagram: the resolved Object from slide 18.
21. Search Satisfies CUR
• Search terms are indexed together with the ACLs of the DSRs they come from
  – Mike (ACL 1, ACL 2)
  – Fikri (ACL 1, ACL 2)
  – 32 (ACL 2)
• Relevance is computed only over readable fields
Diagram: the resolved Object from slide 18.
22. Overview (agenda repeated; next section: Confidentiality Under Discovery)
23. Confidentiality Under Discovery (CUD)
• Searching for a phone number
  – Search reveals that a discovery-only property matches the query
  – No information is revealed about which object has that phone number
• Viewing the owner of the phone number
  – Load reveals that the object has a discovery-only property
  – No information is revealed about the value of that property
• Intuition: the analyst cannot tie the value of a discovery-only property to the object it is associated with
24. Confidentiality Under Discovery (CUD)
• The setting below should be indistinguishable to Alice from the same setting with the ages reversed
Alice’s permissions: ACL 1 read, ACL 2 discovery.
Diagram: Object1 (Type = Entity) has Name = “John” (DSR from profiles.xls, ACL 1) and Age = 33 (DSR from email.msg, ACL 2). Object2 (Type = Entity) has Age = 44 (DSR from email.msg, ACL 2) and Name = “James” (DSR from profiles.xls, ACL 1).
25. Confidentiality Under Discovery (CUD)
• The setting below should be indistinguishable to Alice from the same setting with the ages reversed
Alice’s permissions: ACL 1 read, ACL 2 discovery.
Diagram: the same two Objects as on slide 24 with the ages swapped: Object1 has Name = “John” and Age = 44; Object2 has Age = 33 and Name = “James”. The DSRs and ACLs are unchanged.
26. Object Load Satisfies CUD
• Same results in both cases
• No information is leaked!
Diagram: Alice sees Object1 with Name = “John” and Object2 with Name = “James” (DSRs from profiles.xls, ACL 1). In place of the Age property, each Object carries the discovery message for email.msg.
27. Search Satisfies CUD
• Search for “Age=33” yields the discovery message for email.msg
• Search for “Age=44” yields the same
• No information is leaked!
Alice’s permissions: ACL 1 read, ACL 2 discovery.
Diagram: the two Objects from slide 24.
28. Conjunctive Searches Do Not Satisfy CUD
• Search for “Age=33 AND Name=John”
• Cannot be answered without knowing which age is associated with Object1
• Therefore no discovery results are returned for conjunctive searches
Alice’s permissions: ACL 1 read, ACL 2 discovery.
Diagram: the two Objects from slide 24.
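The model of slides 6 through 8, the load and search behaviour of slide 10, the auditing guarantee of slide 12 and the CUR and CUD arguments of slides 20, 21, 26, 27 and 28 can be exercised end to end in a small executable model. The Python below is an added example written for this page, not Palantir's code, and none of its names (Perm, DataSource, Dsr, Prop, Obj, User, load_object, search, the group names) come from the talk. It assumes that the ordered permissions form levels where a higher level implies every lower one, that a user in several groups receives the strongest level any matching ACI grants, and it matches search terms by exact property value rather than by indexed tokens. The scenario data (Mike Fikri, John and James, profiles.xls and email.msg, Alice's two permission sets) is constructed to follow the slides.

```python
"""Toy model of the DSR-centric access-control model in the slides: an added example, not
Palantir code. All names here are this example's own; the scenario data follows the slides.
An ACL is a {group: Perm} dict (one ACI per entry); a user is a name plus their groups."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List, NamedTuple, Set, Tuple

class Perm(IntEnum):
    """Ordered permissions; a higher level implies every lower one (assumption)."""
    NONE = 0
    DISCOVERY = 1
    READ = 2
    WRITE = 3
    OWNERSHIP = 4

class User(NamedTuple):
    name: str
    groups: FrozenSet[str]

@dataclass(frozen=True)
class DataSource:
    name: str
    discovery_message: str

@dataclass
class Dsr:                        # ties a Property to the Data Source it came from
    source: DataSource
    acl: Dict[str, Perm]          # derived from the source

@dataclass
class Prop:                       # all sensitive data lives on Properties, never on the Object
    name: str
    value: object
    dsrs: List[Dsr]               # one or more

@dataclass
class Obj:
    obj_id: str                   # randomized: reveals nothing about which sources were resolved
    props: List[Prop]

AUDIT: List[str] = []             # every action is logged and attributed to the user

def perm(user: User, dsr: Dsr) -> Perm:
    """A user in several groups gets the strongest level any ACI grants them (assumption)."""
    return max((p for g, p in dsr.acl.items() if g in user.groups), default=Perm.NONE)

def load_object(user: User, obj: Obj) -> dict:
    """Object load (slides 10, 20, 26). A Property is shown iff ANY DSR grants read; each
    discovery-only DSR becomes its source's discovery message; no-permission DSRs vanish."""
    AUDIT.append(f"{user.name} load {obj.obj_id}")
    shown: Dict[str, object] = {}
    messages: Set[str] = set()
    for prop in obj.props:
        levels = [perm(user, d) for d in prop.dsrs]
        if any(lv >= Perm.READ for lv in levels):
            shown[prop.name] = prop.value
        messages |= {d.source.discovery_message
                     for d, lv in zip(prop.dsrs, levels) if lv == Perm.DISCOVERY}
    return {"props": shown, "discovery": messages}

def search(user: User, objs: List[Obj], query: Dict[str, object]) -> dict:
    """Search (slides 10, 21, 27, 28): conjunctive query {property: value}, exact match,
    evaluated only over readable values. A discovery result is the source's message alone,
    never the object, and is returned only for single-term queries: a discovery hit for
    "Age=33 AND Name=John" would tie the hidden age to the object (slide 28)."""
    AUDIT.append(f"{user.name} search {sorted(query)}")
    matches: Set[str] = set()
    discovery: Set[str] = set()
    for obj in objs:
        hits = 0
        for name, value in query.items():
            dsrs = [d for p in obj.props if p.name == name and p.value == value for d in p.dsrs]
            levels = [perm(user, d) for d in dsrs]
            if any(lv >= Perm.READ for lv in levels):
                hits += 1
            elif len(query) == 1:
                discovery |= {d.source.discovery_message
                              for d, lv in zip(dsrs, levels) if lv == Perm.DISCOVERY}
        if hits == len(query):
            matches.add(obj.obj_id)
    return {"matches": matches, "discovery": discovery}

# Constructed scenario data following the slides; the group names are this example's own.
PROFILES = DataSource("profiles.xls", "For access to profiles.xls, please contact John Doe.")
EMAIL = DataSource("email.msg", "For access to email.msg, please contact John Doe.")
ACL1 = {"analysts": Perm.READ}                                  # profiles.xls: all analysts read
ACL2 = {"groupA": Perm.WRITE, "needtoknow": Perm.DISCOVERY}     # email.msg: group A only
ALICE = User("alice", frozenset({"analysts"}))                  # CUR: ACL 1 read, ACL 2 none
ALICE_D = User("alice", frozenset({"analysts", "needtoknow"}))  # CUD: ACL 1 read, ACL 2 discovery
BOB = User("bob", frozenset({"analysts", "groupA"}))            # reads and writes both sources

def cur_scenarios() -> Tuple[Obj, Obj]:
    """Slides 17-19: profiles.xls alone vs. profiles.xls and email.msg resolved together."""
    alone = Obj("o1", [Prop("Name", "Mike Fikri", [Dsr(PROFILES, ACL1)])])
    resolved = Obj("o1", [Prop("Name", "Mike Fikri", [Dsr(PROFILES, ACL1), Dsr(EMAIL, ACL2)]),
                          Prop("Age", 32, [Dsr(EMAIL, ACL2)])])
    return alone, resolved

def cud_scenario(john_age: int, james_age: int) -> List[Obj]:
    """Slides 24-25: John and James, with their discovery-only ages assigned either way round."""
    return [Obj("o1", [Prop("Name", "John", [Dsr(PROFILES, ACL1)]), Prop("Age", john_age, [Dsr(EMAIL, ACL2)])]),
            Obj("o2", [Prop("Name", "James", [Dsr(PROFILES, ACL1)]), Prop("Age", james_age, [Dsr(EMAIL, ACL2)])])]
```

Loading the two CUR scenarios as Alice returns the same projection (Name only, no discovery message), so she cannot tell whether email.msg was ever resolved in. Loading or searching the two CUD settings as the discovery-only Alice returns identical results for every single-term query, each carrying the email.msg discovery message but never the object, while the conjunctive query “Age=33 AND Name=John” returns nothing in either setting. Bob, who can read both sources, sees the Age property and gets the conjunctive match, which is exactly what would leak if the conjunctive rule were dropped.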
29. Conclusion
• Security and Data Models
• Security Guarantees
• Two applications of our guarantees
  – Confidentiality Under Resolution (CUR)
  – Confidentiality Under Discovery (CUD)
For more details, see the “Palantir Access Control Model” whitepaper.