Palantir Access Control

Speaker notes

  • Mention that it is possible to have no access; gesture at picture
  • Mention note, media, link; pimp white video; mention that we only need to consider properties as representative component from now on
  • Transition: "Suppose Bob, who has full access to the database, resolves these two objects"
  • Note that the discovery message does not mention Age

Transcript

  • 1. Palantir Access Control. Bob McGrew, Director of Engineering. © 2008 Palantir Technologies Inc. All rights reserved.
  • 2. Secure Information Integration
    – Imagine you have two data sources:
      • Profiles database: name, address, e-mail address; accessible to all analysts
      • E-mail message database: accessible only to a small group A of analysts
    – Goals:
      • Allow all analysts to use profiles information for analysis
      • Integrate the e-mails with the profiles information for group A
      • Analysts who cannot access the e-mail database learn no more than what they could find out from the profiles database
  • 3. Secure Information Discovery
    – Another scenario with the same two data sources:
      • Profiles database: name, address, e-mail address; accessible to all analysts
      • E-mail message database: accessible only to a small group A of analysts
    – Goals:
      • Allow analysts not in A access to the e-mail data only if they can show that they need to know it
      • Analysts not in A can learn that there is additional information available for a particular profile, but no details
  • 4. Overview
    – Palantir Access Control
      • Guarantees confidentiality, integrity, and auditing
      • Enables secure information integration and discovery
    – In this talk
      • Security and Data Models
      • Security Guarantees
      • Two applications of our guarantees: Confidentiality Under Resolution (CUR) and Confidentiality Under Discovery (CUD)
  • 5. Overview (section divider; same outline as slide 4)
  • 6. Security Definitions
    – Group: a set of users; a user can belong to multiple groups
    – Permissions (ordered): Discovery (d), Read (r), Write (w), Ownership (o)
    – Access Control Item (ACI): a (Group, Permissions) pair
    – Access Control List (ACL): a set of ACIs
    – Figure: ACL 1 holds ACI 101 = (Group A, dr) and ACI 102 = (Group B, drw); Group A and Group B are drawn over the users Alice, Bob and Carol
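The definitions on slide 6, worked through as an added Python example (this is illustrative code written for this page, not Palantir's implementation). It assumes that "ordered" permissions are cumulative, so an ACI granting write also grants discovery and read, which is consistent with the ACIs on the slide being the prefixes dr and drw. The slide does not say which users belong to which group, so the group membership, the user Dave, and the ACI ids 101 and 102 being dictionary keys are constructed for the example.

```python
from dataclasses import dataclass

LEVELS = "drwo"  # ordered permissions from the slide: discovery < read < write < ownership

@dataclass(frozen=True)
class ACI:
    """Access Control Item: a (Group, Permissions) pair such as (Group A, "dr")."""
    group: str
    perms: str

def canonical(perms: str) -> str:
    """Normalise an ACI's permission letters to a prefix of LEVELS.
    Assumption: "ordered" means each level implies the ones below it, so "w" and
    "drw" both grant discovery, read and write. Unknown letters are rejected."""
    unknown = set(perms) - set(LEVELS)
    if unknown:
        raise ValueError(f"unknown permission letters: {sorted(unknown)}")
    if not perms:
        return ""
    return LEVELS[: max(LEVELS.index(c) for c in perms) + 1]

def effective(user: str, groups: dict, acl: dict) -> str:
    """Highest permission `user` holds on `acl` (an ACL modelled as {aci_id: ACI})
    across every group they belong to. Returns "" when no ACI covers the user,
    which is the "no access at all" case the speaker notes call out."""
    best = ""
    for aci in acl.values():
        if user in groups.get(aci.group, ()):
            p = canonical(aci.perms)
            if len(p) > len(best):
                best = p
    return best

def allowed(user: str, groups: dict, acl: dict, need: str) -> bool:
    """May `user` perform an action that requires the single permission `need`?"""
    if need not in LEVELS:
        raise ValueError(f"unknown permission: {need!r}")
    return need in effective(user, groups, acl)

# Constructed to match the picture on the slide. The slide does not say who is in
# which group; Bob is placed in both here to exercise the multi-group case.
GROUPS = {"Group A": {"Alice", "Bob"}, "Group B": {"Bob", "Carol"}}
ACL_1 = {101: ACI("Group A", "dr"), 102: ACI("Group B", "drw")}

def demo() -> dict:
    """Effective permission on ACL 1 for each user; Dave (constructed) is in no group."""
    return {u: effective(u, GROUPS, ACL_1) for u in ("Alice", "Bob", "Carol", "Dave")}

if __name__ == "__main__":
    for user, perm in demo().items():
        print(f"{user:5s} -> {perm or '(no access)'}")
    print("Alice may write:", allowed("Alice", GROUPS, ACL_1, "w"))          # False
    print("Bob may change the ACL:", allowed("Bob", GROUPS, ACL_1, "o"))    # False
```

Because nobody on ACL 1 holds ownership, no user in the example can change the ACL, which is the integrity rule slide 12 states; a user in several groups gets the strongest ACI that covers them, never a union of letters from an unordered set.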
  • 7. Object Model
    – Data Source: a single source of data to Palantir; examples: documents, Excel files, databases
    – Object: a single entity, event, or document
    – Property: a piece of information about an Object
    – Data Source Record (DSR): ties a Property to a Data Source; each Property has one or more DSRs; each DSR has an ACL, derived from its Data Source
    – Figure: an Object (Type = Entity) with Properties Name = "Mike Fikri" and Age = 32. Name has two DSRs, one under ACL 1 from profiles.xls and one under ACL 2 from email.msg; Age has one DSR under ACL 2 from email.msg
  • 8. Security & Data Model
    – DSR-centric, not Object-centric
    – All sensitive data lives on Properties
    – A Property can be read if any of its DSRs can be read
    – Figure: the same Object as on slide 7 (Name with DSRs under ACL 1 and ACL 2, Age with a DSR under ACL 2)
  • 9. Discovery
    – An organization may want to make sensitive data available only to those who can show that they need to know about it
    – Searches can yield discovery results carrying only the data source name and its discovery message
    – Objects viewed in the Browser may also carry discovery messages
  • 10. Discovery
    – Each data source has a discovery message, e.g., "To acquire permission to data from profiles.xls, please contact John Doe."
    – Object load: removes all DSRs for which the user has only discovery permissions; for each removed DSR, returns instead the Discovery Message for its Data Source
    – Search: returns a Discovery Message if the query would have matched had the user held read instead of discovery permissions
  • 11. Overview (section divider; same outline as slide 4)
  • 12. Security Guarantees
    – Confidentiality
      • Cannot read a Property without read permissions to a DSR
      • Cannot read a DSR without read permissions
      • Cannot discover the existence of a Property without discovery permissions to a DSR
    – Integrity
      • Cannot edit a Property without write permissions to a DSR
      • Cannot change the ACL on a DSR without ownership permissions
    – Auditing
      • Every action is logged and attributed to the user who performed it
  • 13. Untrusted Client
    – The Palantir Security Model makes no assumptions about the client
    – Security guarantees hold under:
      • Normal operation of Palantir Workspace
      • Abnormal operation of Palantir Workspace
      • Arbitrary calls against our public API
    – Assumptions:
      • Attacker cannot directly connect to the database
      • Attacker does not have physical access to the server
  • 14. Access Control by Data Sources
    – Access control is based on data sources, tied to objects and properties through DSRs
    – If access controls were instead per-object:
      • No fine-grained control
      • Cannot perform resolution across data sources
  • 15. Overview (section divider; same outline as slide 4)
  • 16. Confidentiality Under Resolution (CUR)
    – Two Data Sources: A and B
    – Analyst has read access to Data Source A
    – Analyst has no access to Data Source B
    – The following two cases must be indistinguishable to the analyst:
      1. Data Source A imported
      2. Data Sources A and B imported and resolved together
  • 17. CUR Example: Pre-Resolution
    – Figure: two separate Objects, both Type = Entity. The first has Property Name = "Mike Fikri" with a DSR under ACL 1 from profiles.xls. The second has Properties Name = "Mike Fikri" and Age = 32, each with a DSR under ACL 2 from email.msg
    – Alice's permissions: ACL 1: read; ACL 2: none
  • 18. CUR Example: Post-Resolution
    – Figure: the two Objects resolved into one (Type = Entity). Name = "Mike Fikri" now has two DSRs, under ACL 1 (profiles.xls) and ACL 2 (email.msg); Age = 32 has one DSR, under ACL 2 (email.msg)
  • 19. CUR Example: Post-Resolution
    – Figure: the resolved Object from slide 18
    – Alice's permissions: ACL 1: read; ACL 2: none
  • 20. Object-Load Satisfies CUR
    – Returns the readable projection of the Object
    – No sensitive data directly on the Object (e.g., creation time)
    – Randomized IDs
    – Figure: the resolved Object from slide 18
  • 21. Search Satisfies CUR
    – Search terms are indexed with ACLs:
      • Mike (ACL 1, ACL 2)
      • Fikri (ACL 1, ACL 2)
      • 32 (ACL 2)
    – Relevance is computed only over readable fields
    – Figure: the resolved Object from slide 18
  • 22. Overview (section divider; same outline as slide 4)
  • 23. Confidentiality Under Discovery (CUD)
    – Searching for a phone number
      • Search reveals a discovery-only property matching that query
      • No information revealed about which object has that phone number
    – Viewing the owner of the phone number
      • Load reveals a discovery-only property for that object
      • No information revealed about the value of the property
    – Intuition: cannot tie the value of a discovery-only property to the object it is associated with
  • 24. Confidentiality Under Discovery (CUD)
    – The setting below should be indistinguishable to Alice from the same setting with the ages reversed
    – Alice's permissions: ACL 1: read; ACL 2: discovery
    – Figure: Object1 (Type = Entity) with Name = "John" (DSR under ACL 1, profiles.xls) and Age = 33 (DSR under ACL 2, email.msg); Object2 (Type = Entity) with Age = 44 (DSR under ACL 2, email.msg) and Name = "James" (DSR under ACL 1, profiles.xls)
  • 25. Confidentiality Under Discovery (CUD)
    – The setting below should be indistinguishable to Alice from the same setting with the ages reversed
    – Alice's permissions: ACL 1: read; ACL 2: discovery
    – Figure: as slide 24 with the ages swapped: Object1 has Name = "John" and Age = 44; Object2 has Age = 33 and Name = "James"
  • 26. Object-Load Satisfies CUD
    – Same results in both cases
    – No information is leaked!
    – Figure: Alice's view. Object1 shows Name = "John" (DSR under ACL 1, profiles.xls) plus the Discovery Message for email.msg; Object2 shows Name = "James" (DSR under ACL 1, profiles.xls) plus the Discovery Message for email.msg
  • 27. Search Satisfies CUD
    – Search for "Age=33" yields the discovery message for email.msg
    – Search for "Age=44" yields the same
    – No information is leaked!
    – Alice's permissions: ACL 1: read; ACL 2: discovery
    – Figure: the two Objects from slide 24
  • 28. Conjunctive Searches Do Not Satisfy CUD
    – Search for "Age=33 AND Name=John"
    – Cannot answer without knowing which age is associated with Object1
    – No discovery results returned for conjunctive searches
    – Alice's permissions: ACL 1: read; ACL 2: discovery
    – Figure: the two Objects from slide 24
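The DSR-centric data model (slides 7 and 8), the discovery-aware object load and search (slide 10), and the CUR and CUD indistinguishability checks (slides 16 through 28), as one added Python example. This is illustrative code written for this page, not Palantir's implementation. Its assumptions: a user's permission on each ACL is given directly as letters, as in the "Alice's permissions" boxes on the slides; a query is a list of (property, value) pairs and two or more pairs form a conjunctive query; the discovery message for email.msg is made up; search returns a hit count rather than object identifiers, standing in for the randomized IDs of slide 20; relevance ranking is left out. The `conjunctive_discovery` switch is not part of the model: it exists only to show the leak slide 28 rules out.

```python
from dataclasses import dataclass

LEVELS = "drwo"  # ordered permissions from slide 6: discovery < read < write < ownership
DISCOVER, READ = LEVELS.index("d"), LEVELS.index("r")

@dataclass(frozen=True)
class DSR:       # Data Source Record: ties a Property to a Data Source (slide 7)
    source: str  # e.g. "profiles.xls"
    acl: str     # ACL id; in the model it is derived from the Data Source

@dataclass(frozen=True)
class Property:
    name: str
    value: object
    dsrs: tuple  # one or more DSRs; readable if ANY of them is readable (slide 8)

@dataclass(frozen=True)
class Obj:
    props: tuple  # nothing sensitive and no stable id on the Object itself (slide 20)

# Discovery message per data source (slide 10). The email.msg text is constructed here.
DISCOVERY = {
    "profiles.xls": "To acquire permission to data from profiles.xls, please contact John Doe.",
    "email.msg": "To acquire permission to data from email.msg, please contact Jane Roe.",
}

def level(perms: dict, acl: str) -> int:
    """Highest permission the user holds on `acl` as an index into LEVELS; -1 = no access.
    `perms` maps ACL id -> permission letters, e.g. {"ACL 1": "r", "ACL 2": "d"}."""
    return max((LEVELS.index(c) for c in perms.get(acl, "")), default=-1)

def readable(perms, prop):
    return any(level(perms, d.acl) >= READ for d in prop.dsrs)

def discovery_only_sources(perms, prop):
    """Data sources of the DSRs this user may discover but not read."""
    return {d.source for d in prop.dsrs if level(perms, d.acl) == DISCOVER}

def load(perms, obj):
    """Object load (slides 10 and 20): the readable projection plus one discovery
    message per data source of the removed discovery-only DSRs. Unreadable values
    never appear, so the age swap of slides 24/25 is invisible here."""
    view, msgs = {}, set()
    for p in obj.props:
        if readable(perms, p):
            view[p.name] = p.value
        msgs |= {DISCOVERY[s] for s in discovery_only_sources(perms, p)}
    return {"props": view, "discovery": sorted(msgs)}

def search(perms, objects, *terms, conjunctive_discovery=False):
    """Search (slides 21, 27, 28). `terms` are (property, value) pairs; two or more
    terms form a conjunctive query. Only readable fields count toward a hit, and a
    discovery result names the data source, never the object that matched.
    conjunctive_discovery=True deliberately reproduces the leak slide 28 forbids."""
    hits, discovered = 0, set()
    for obj in objects:
        status = []  # per term: "read", a set of discovery-only sources, or None
        for name, value in terms:
            matching = [p for p in obj.props if p.name == name and p.value == value]
            if any(readable(perms, p) for p in matching):
                status.append("read")
            else:
                srcs = set().union(*(discovery_only_sources(perms, p) for p in matching))
                status.append(srcs or None)
        if all(s == "read" for s in status):
            hits += 1
        elif None not in status and (len(terms) == 1 or conjunctive_discovery):
            for s in status:
                if s != "read":
                    discovered |= s
    return {"hits": hits, "discovery": sorted(discovered)}

def observable(perms, objects, queries, **opts):
    """Everything the analyst can see: every object load and every query result."""
    return ([load(perms, o) for o in objects],
            [search(perms, objects, *q, **opts) for q in queries])

def indistinguishable(perms, world_a, world_b, queries, **opts) -> bool:
    return observable(perms, world_a, queries, **opts) == observable(perms, world_b, queries, **opts)

# Constructed worlds copied from the slides. ACL 1 comes from profiles.xls, ACL 2 from email.msg.
PROF, MAIL = DSR("profiles.xls", "ACL 1"), DSR("email.msg", "ACL 2")

# CUR (slides 16-21): Alice reads ACL 1 and has no access at all to ACL 2.
ALICE_CUR = {"ACL 1": "r"}
PROFILES_ONLY = [Obj((Property("Name", "Mike Fikri", (PROF,)),))]
RESOLVED = [Obj((Property("Name", "Mike Fikri", (PROF, MAIL)), Property("Age", 32, (MAIL,))))]
CUR_QUERIES = [(("Name", "Mike Fikri"),), (("Age", 32),)]

# CUD (slides 24-28): Alice reads ACL 1 and may only discover ACL 2.
ALICE_CUD = {"ACL 1": "r", "ACL 2": "d"}
def cud_world(age1, age2):
    return [Obj((Property("Name", "John", (PROF,)), Property("Age", age1, (MAIL,)))),
            Obj((Property("Name", "James", (PROF,)), Property("Age", age2, (MAIL,))))]
CUD_QUERIES = [(("Age", 33),), (("Age", 44),), (("Age", 33), ("Name", "John"))]

def cur_holds():
    return indistinguishable(ALICE_CUR, PROFILES_ONLY, RESOLVED, CUR_QUERIES)

def cud_holds(conjunctive_discovery=False):
    return indistinguishable(ALICE_CUD, cud_world(33, 44), cud_world(44, 33), CUD_QUERIES,
                             conjunctive_discovery=conjunctive_discovery)

if __name__ == "__main__":
    print(load(ALICE_CUD, cud_world(33, 44)[0]))
    print("CUR:", cur_holds(), "CUD:", cud_holds(), "CUD with leaky conjunctive search:", cud_holds(True))
```

Running it shows why slide 28 refuses discovery results for conjunctive queries: with `conjunctive_discovery=True`, "Age=33 AND Name=John" returns the email.msg discovery message in the world where John is 33 and nothing in the world where he is 44, so Alice learns which age belongs to Object1 even though she can read neither age.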
  • 29. Conclusion
    – Security and Data Models
    – Security Guarantees
    – Two applications of our guarantees: Confidentiality Under Resolution (CUR) and Confidentiality Under Discovery (CUD)
    – For more details, see the "Palantir Access Control Model" whitepaper