Secure Information Sharing Models for Community Cyber Security
Ravi Sandra
Agenda
1. Overview
2. SIS Major Challenges
3. Community Cyber Security
4. The Current Status…
5. Requirements
6. Life-Cycle of a Cyber Incident
7. Privacy Consent State of Mind
8. National Strategy Could Nudge SIS Forward
9. Goals
1. Overview
• "Share but protect"
• Saltzer-Schroeder [1] identified the desirability and difficulty of maintaining "some control over the user of the information even after it has been released"
2. SIS Major Challenges
• Policy Challenge
  • Modeling, specifying and enforcing SIS policies
  • Need intuitive yet formal models, guaranteed security properties, etc.
• Containment Challenge
  • Ensure that protected information is accessible to users only as permitted by the policy
  • Security mechanisms such as authentication, cryptography, trusted hardware, etc.
3. Community Cyber Security
• Community refers to a geographical area
  • E.g. a county or a city with a demarcated boundary
• The Center for Infrastructure Assurance and Security at UTSA conducts nation-wide cyber security preparedness exercises and training
  • communication
  • incident response
  • disaster recovery
  • business continuity
  • security awareness, etc.
4. The Current Status…
• Exchange of business cards
• No process exists for information sharing
• Technology is not the bottleneck
• Resistance due to political/competitive reasons
  • Also want to avoid embarrassment
  • E.g. by sharing attack data
• Participants have no clue as to what to share, and how to effectively specify what to share
5. Requirements
• Need abstract models
  • With rigorous mathematical foundations
  • Should ease administration
• Classic models are limited
  • Discretionary Access Control: too low-level to configure
  • Lattice-Based Access Control (e.g. Bell-LaPadula): rigid; one-directional information flow is not the primary concern
• Much work on Dynamic Coalitions
  • Often heavyweight
  • Mainly focused on technological/infrastructural integration
6. Life-Cycle of a Cyber Incident
[Figure: Secure Sharing in a Community. Three groups, Core Group, Incident Group and Open Group, with membership types Conditional Membership, Automatic Membership and Administered Membership, and Filtered RW access between groups.]
7. Privacy Consent State of Mind
• The space of Privacy Consent is full of trepidation. I would like to show that although there is complexity, there is also simplicity. The complexity comes in the fine details; the fundamentals, and the technology, are simple.
• Privacy Consent can be viewed as a "state diagram": by showing the current state of a patient's consent, we can show the changes in state. This is the modeling tool I will use here.
Privacy Consent State of Mind
• I will focus on how Privacy Consent relates to access to Health Information that is shared through some form of Health Information Exchange (HIE).
• The architecture of this HIE doesn't matter; it could be PUSH or PULL or anything else. The concepts I show can apply anywhere, but for simplicity think only about the broad use of healthcare information sharing across organizations.
Privacy Consent of OPT-OUT
• The diagram at the right is for an OPT-OUT environment, one where the patient has the choice to OPT-OUT, that is, to stop the use of their data. This means there is a presumption that when there is no evidence of a choice by the patient, the data can be used.
Privacy Consent of OPT-IN
• The diagram at the right is for an OPT-IN environment. In an OPT-IN environment the patient is given the opportunity to ALLOW sharing of their information. This means there is a presumption that the patient does not want their health information shared. I would view it more as respect for the patient's right to make the decision.
Privacy Consent: YES vs NO
• The reality of privacy consent is that a number of patients will change their mind. This is just human nature, and there are many really good reasons they might change their mind. A patient that has given OPT-IN authorization might revoke that authorization. A patient that has indicated they don't want their data shared might decide that they now do want to share it.
Privacy Consent of Maybe
• There are those with special circumstances that really require special handling.
• This state is an indicator, just like "YES" or "NO", but in this case the indicator signals that there are patient-specific rules. These patient-specific rules likely start with a "YES" or a "NO" and then apply additional rules.
Privacy Consent of Maybe
• These additional rules might block a specific time period, block a specific report, block a specific person from access, allow a specific person access, etc.
• These special rules are applied against each access. Note that the state diagram shows transitions between all three states. It is possible that one goes into the "MAYBE" state forever, or just for a while.
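The three-state consent model above (YES, NO, MAYBE; OPT-IN versus OPT-OUT presumption when no choice is recorded; transitions between any two states; MAYBE rules evaluated against each access) as an added, runnable example. This is illustration code written for this page, not from the original slides or from any HIE product. The rule format (a predicate over requester, report type and service date, with a block rule always outranking an allow rule) and the sample patients are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Callable, List, Optional


class Consent(Enum):
    YES = "YES"      # share
    NO = "NO"        # do not share
    MAYBE = "MAYBE"  # patient-specific rules are applied to each access


class Environment(Enum):
    OPT_OUT = "OPT-OUT"  # no recorded choice is presumed to mean YES
    OPT_IN = "OPT-IN"    # no recorded choice is presumed to mean NO


@dataclass(frozen=True)
class AccessRequest:
    requester: str      # person or organisation asking for the data
    report: str         # kind of report requested, e.g. "lab", "summary"
    service_date: date  # date of the clinical event the report describes


def request(requester: str, report: str, iso_date: str) -> AccessRequest:
    """Convenience constructor; the date is given as YYYY-MM-DD."""
    return AccessRequest(requester, report, date.fromisoformat(iso_date))


@dataclass
class Rule:
    """Hypothetical patient-specific rule: if matches(request) is true, `allow` is its verdict."""
    description: str
    matches: Callable[[AccessRequest], bool]
    allow: bool


@dataclass
class PatientConsent:
    patient_id: str
    state: Optional[Consent] = None            # None: the patient has made no choice
    maybe_base: Consent = Consent.NO           # the YES or NO the MAYBE rules start from
    rules: List[Rule] = field(default_factory=list)
    history: List[tuple] = field(default_factory=list)

    def transition(self, new_state: Consent, reason: str) -> None:
        """Any state may move to any other; every change is recorded for audit."""
        self.history.append((self.state, new_state, reason))
        self.state = new_state


def effective_state(pc: PatientConsent, env: Environment) -> Consent:
    """Resolve 'no choice recorded' using the environment's presumption."""
    if pc.state is not None:
        return pc.state
    return Consent.YES if env is Environment.OPT_OUT else Consent.NO


def decide(pc: PatientConsent, env: Environment, req: AccessRequest) -> bool:
    """Return True if this single access is permitted under the current consent state."""
    state = effective_state(pc, env)
    if state is Consent.YES:
        return True
    if state is Consent.NO:
        return False
    # MAYBE: a matching block rule always wins, then a matching allow rule,
    # otherwise fall back to the patient's base YES/NO (assumed precedence).
    matched = [r for r in pc.rules if r.matches(req)]
    if any(not r.allow for r in matched):
        return False
    if any(r.allow for r in matched):
        return True
    return pc.maybe_base is Consent.YES


def sample_patients() -> dict:
    """Constructed sample data for illustration only (not real patients)."""
    undecided = PatientConsent("p-001")                 # no choice recorded
    revoked = PatientConsent("p-002")                   # opted in, then changed their mind
    revoked.transition(Consent.YES, "signed opt-in form")
    revoked.transition(Consent.NO, "patient revoked authorization")
    special = PatientConsent("p-003", maybe_base=Consent.NO)
    special.transition(Consent.MAYBE, "special handling requested")
    special.rules = [
        Rule("block March 2019",
             lambda r: date(2019, 3, 1) <= r.service_date <= date(2019, 3, 31), False),
        Rule("block lab reports", lambda r: r.report == "lab", False),
        Rule("allow a named clinician", lambda r: r.requester == "dr-smith", True),
    ]
    return {"undecided": undecided, "revoked": revoked, "special": special}


if __name__ == "__main__":
    req = request("dr-smith", "summary", "2020-01-15")
    for name, pc in sample_patients().items():
        for env in Environment:
            print(f"{name:10s} {env.value:8s} -> {decide(pc, env, req)}")
```

The same request gets a different answer for the undecided patient depending only on whether the exchange is OPT-OUT or OPT-IN, which is exactly the presumption the two diagrams encode; the MAYBE patient shows why those rules have to be re-evaluated on every access rather than cached as a single YES or NO.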
8. National Strategy Could Nudge SIS Forward
• In the early days of the Obama administration, the president declared cyberspace a critical asset. Since then, little more than lip service has been paid on a policy level to the security of the country's critical infrastructure, despite increasing public awareness of the problem and high-profile attacks on business and government alike.
National Strategy Could Nudge SIS Forward
• In December 2012 there was more movement. The White House released the National Strategy for Information Sharing and Safeguarding, a framework for government agencies to share attack data to repel terrorist threats, cyberattacks and more.
National Strategy Could Nudge SIS Forward
• The strategy stresses that information must be treated as a national asset and that such data must be made available to support national security. It also urges agencies to work together to identify and reduce risks, rather than not share at all. Information, the document states, must underlie all decisions.
9. Goals
The president hopes the strategy achieves five goals:
• Drive collective action through collaboration and accountability: using models to build trust and simplify the processes for sharing.
• Improve information discovery and access through common standards: doing so paves the way for less ambiguous policies. To achieve this, secure access via authentication and authorization controls, data classification and sharing standards is vital.
Goals
• Optimize mission effectiveness through shared services and interoperability: bettering the efficacy of how information is acquired and shared is key here.
• Strengthen information safeguarding through structural reform, policy and technical solutions: this calls for controls on data and monitoring for insider and external attacks to better stave off threats to systems and information.
Goals
• Protect privacy, civil rights and civil liberties through consistency and compliance: public trust must be a key consideration here, the document stresses. Privacy and civil protections must be built into any sharing mechanism.