
Palantir Access Control

Published in: Design

  1. Palantir Access Control. Bob McGrew, Director of Engineering. © 2008 Palantir Technologies Inc. All rights reserved.
  2. Secure Information Integration
     • Imagine you have two data sources:
       – Profiles database
         · Name, address, e-mail address
         · Accessible to all analysts
       – E-mail message database
         · Accessible only to a small group A of analysts
     • Goals
       – Allow all analysts to use profiles information for analysis
       – Integrate the e-mails with the profiles information for group A
       – Analysts who cannot access the e-mail database learn no more than what they could find out from the profiles database
  3. Secure Information Discovery
     • Another scenario:
       – Profiles database
         · Name, address, e-mail address
         · Accessible to all analysts
       – E-mail message database
         · Accessible only to a small group A of analysts
     • Goals
       – Allow analysts not in A access to the e-mail data only if they can show that they need to know it
       – Analysts not in A can learn that there is additional information available for a particular profile, but no details
  4. Overview
     • Palantir Access Control
       – Guarantees confidentiality, integrity, and auditing
       – Enables secure information integration and discovery
     • In this talk
       – Security and Data Models
       – Security Guarantees
       – Two applications of our guarantees
         · Confidentiality Under Resolution (CUR)
         · Confidentiality Under Discovery (CUD)
  5. Overview (agenda slide repeated; introduces Security and Data Models)
  6. Security Definitions
     • Group
       – Set of users
       – User can belong to multiple groups
     • Permissions (ordered)
       – Discovery (d)
       – Read (r)
       – Write (w)
       – Ownership (o)
     • Access Control Item (ACI)
       – (Group, Permissions) pair
     • Access Control List (ACL)
       – Set of ACIs
     [Diagram: ACL 1 consists of ACI 101: (Group A, dr) and ACI 102: (Group B, drw); Group A and Group B are drawn with the users Alice, Bob and Carol]
  7. Object Model
     • Data Source
       – Single source of data to Palantir
       – Examples: documents, Excel files, databases
     • Object
       – Single entity, event, or document
     • Property
       – Piece of information about an Object
     • Data Source Record (DSR)
       – Ties a Property to a Data Source
       – Each Property has one or more DSRs
       – Each DSR has an ACL, derived from its Data Source
     [Diagram: an Object of Type = Entity with two Properties, Name = “Mike Fikri” and Age = 32. Name has two DSRs (ACL 1 from Data Source profiles.xls, ACL 2 from Data Source email.msg); Age has one DSR (ACL 2 from email.msg)]
  8. Security & Data Model
     • DSR-centric, not Object-centric
     • All sensitive data on Properties
     • A Property can be read if any of its DSRs can be read
     [Diagram: the same “Mike Fikri” Object, Properties, DSRs and Data Sources as slide 7]
  9. Discovery
     • An organization may want to make sensitive data available only to those who can show that they need to know about it.
     • Searches can yield discovery results containing only the data source name and the discovery message
     • Objects viewed in the Browser may also have discovery messages
  10. Discovery
     • Each data source has a discovery message
       – e.g., “To acquire permission to data from profiles.xls, please contact John Doe.”
     • Object load
       – Removes all DSRs for which the user has only discovery permissions
       – For each removed DSR, returns instead the Discovery Message for its Data Source
     • Search
       – Returns a Discovery Message if the query would have matched had the user held read instead of discovery permissions
  11. Overview (agenda slide repeated; introduces Security Guarantees)
  12. Security Guarantees
     • Confidentiality
       – Cannot read a Property without read permissions to a DSR
       – Cannot read a DSR without read permissions
       – Cannot discover the existence of a Property without discovery permissions to a DSR
     • Integrity
       – Cannot edit a Property without write permissions to a DSR
       – Cannot change the ACL on a DSR without ownership permissions
     • Auditing
       – Every action is logged and attributed to the user who performed it
  13. Untrusted Client
     • The Palantir Security Model makes no assumptions about the client
     • Security guarantees hold under:
       – Normal operation of Palantir Workspace
       – Abnormal operation of Palantir Workspace
       – Arbitrary calls against our public API
     • Assumptions:
       – Attacker cannot directly connect to the database
       – Attacker does not have physical access to the server
  14. Access Control by Data Sources
     • Access control is based on data sources
       – Tied to objects and properties through DSRs
     • Suppose access controls were per-object
       – No fine-grained control
       – Cannot perform resolution across data sources
  15. Overview (agenda slide repeated; introduces Confidentiality Under Resolution)
  16. Confidentiality Under Resolution (CUR)
     • Two Data Sources: A and B
     • Analyst has read access to Data Source A
     • Analyst has no access to Data Source B
     • The following two cases must be indistinguishable:
       1. Data Source A imported
       2. Data Sources A and B imported and resolved together
  17. CUR Example: Pre-Resolution
     [Diagram: Alice’s permissions are ACL 1: read, ACL 2: none. Two Objects of Type = Entity: the first has Property Name = “Mike Fikri” with a DSR under ACL 1 from Data Source profiles.xls; the second has Properties Name = “Mike Fikri” and Age = 32, each with a DSR under ACL 2 from Data Source email.msg]
  18. CUR Example: Post-Resolution
     [Diagram: a single Object of Type = Entity with Property Name = “Mike Fikri” backed by two DSRs (ACL 1 from profiles.xls, ACL 2 from email.msg) and Property Age = 32 backed by one DSR (ACL 2 from email.msg)]
  19. CUR Example: Post-Resolution
     [Diagram: the resolved Object of slide 18, overlaid with Alice’s permissions ACL 1: read, ACL 2: none]
  20. Object-Load Satisfies CUR
     • Returns readable projection of Object
     • No sensitive data directly on the Object (e.g., creation time)
     • Randomized IDs
     [Diagram: the resolved “Mike Fikri” Object of slide 18]
  21. Search Satisfies CUR
     • Search terms are indexed with ACLs
       – Mike (ACL 1, ACL 2)
       – Fikri (ACL 1, ACL 2)
       – 32 (ACL 2)
     • Relevance is computed only over readable fields
     [Diagram: the resolved “Mike Fikri” Object of slide 18]
  22. Overview (agenda slide repeated; introduces Confidentiality Under Discovery)
  23. Confidentiality Under Discovery (CUD)
     • Searching for a phone number
       – Search reveals a discovery-only property matching that query
       – No information revealed about which object has that phone number
     • Viewing the owner of the phone number
       – Load reveals a discovery-only property for that object
       – No information revealed about the value of the property
     • Intuition: cannot tie the value of a discovery-only property to the object it is associated with
  24. Confidentiality Under Discovery (CUD)
     • The setting below should be indistinguishable to Alice from the same setting with the ages reversed
     [Diagram: Alice’s permissions are ACL 1: read, ACL 2: discovery. Object1 (Type = Entity) has Name = “John” (DSR under ACL 1 from profiles.xls) and Age = 33 (DSR under ACL 2 from email.msg); Object2 (Type = Entity) has Age = 44 (DSR under ACL 2 from email.msg) and Name = “James” (DSR under ACL 1 from profiles.xls)]
  25. Confidentiality Under Discovery (CUD)
     • The setting below should be indistinguishable to Alice from the same setting with the ages reversed
     [Diagram: as slide 24 with the ages swapped: Object1 has Name = “John” and Age = 44, Object2 has Age = 33 and Name = “James”; the DSRs, ACLs and Data Sources are unchanged]
  26. Object-Load Satisfies CUD
     • Same results in both cases
     • No information is leaked!
     [Diagram: Object1 loads as Name = “John” (DSR under ACL 1 from profiles.xls) plus the Discovery Message for email.msg; Object2 loads as Name = “James” (DSR under ACL 1 from profiles.xls) plus the Discovery Message for email.msg]
  27. Search Satisfies CUD
     • Search for “Age=33” yields the discovery message for email.msg
     • Search for “Age=44” yields the same
     • No information is leaked!
     [Diagram: the slide 24 setting, with Alice’s permissions ACL 1: read, ACL 2: discovery]
  28. Conjunctive Searches Do Not Satisfy CUD
     • Search for “Age=33 AND Name=John”
     • Cannot answer without knowing which age is associated with Object1
     • No discovery results returned for conjunctive searches
     [Diagram: the slide 24 setting, with Alice’s permissions ACL 1: read, ACL 2: discovery]
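The following is an added example, not code from the slides or from Palantir: a toy implementation of the DSR-centric model (slides 7, 8, 10 and 12), the ACL-tagged search index (slide 21) and the discovery rules for object load and search (slides 26 to 28), used to check mechanically that Alice cannot tell the slide 24 setting from the slide 25 setting. Everything beyond the slides' vocabulary is an assumption: the group names A and B, Alice's and Bob's memberships, the ACLs placed on email.msg, its discovery message (modelled on the profiles.xls one), the `Field=value` term format, and the reading of an ACI such as "drw" as granting every listed permission.

```python
"""Toy model of the slides' DSR-centric access control, used to check the
Confidentiality Under Discovery property mechanically.  Added example, not
Palantir code: the classes, the group memberships, the ACLs on email.msg and
its discovery message are all constructed to match the slides' diagrams."""
from __future__ import annotations
from dataclasses import dataclass, field
import uuid

# Permissions are ordered discovery < read < write < ownership; an ACI such as
# "drw" (slide 6) lists everything it grants, so its rank is its highest letter.
NONE, DISCOVERY, READ, WRITE, OWNERSHIP = 0, 1, 2, 3, 4
RANK = {"d": DISCOVERY, "r": READ, "w": WRITE, "o": OWNERSHIP}

@dataclass(frozen=True)
class ACI:                       # Access Control Item: (Group, Permissions)
    group: str
    perms: str
    def rank(self) -> int:
        return max(RANK[p] for p in self.perms)

@dataclass(frozen=True)
class DataSource:
    name: str
    acl: tuple[ACI, ...]         # every DSR of this source inherits this ACL
    discovery_message: str

@dataclass
class Property:
    name: str
    value: str
    sources: list[DataSource]    # one DSR per data source listed here

@dataclass
class Obj:
    type: str
    properties: list[Property]
    id: str = field(default_factory=lambda: uuid.uuid4().hex)  # randomized ID (slide 20)

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset[str]

def permission(user: User, acl: tuple[ACI, ...]) -> int:
    """Highest permission any of the user's groups holds on the ACL."""
    return max((aci.rank() for aci in acl if aci.group in user.groups), default=NONE)

def object_load(user: User, obj: Obj) -> dict:
    """Readable projection (slides 10, 12, 20): a Property appears iff one of
    its DSRs is readable; each discovery-only DSR is replaced by its source's
    discovery message; DSRs with no permission vanish silently."""
    props, discovery = {}, set()
    for prop in obj.properties:
        ranks = {src: permission(user, src.acl) for src in prop.sources}
        if any(r >= READ for r in ranks.values()):
            props[prop.name] = prop.value
        discovery |= {src.discovery_message for src, r in ranks.items() if r == DISCOVERY}
    return {"type": obj.type, "properties": props, "discovery": sorted(discovery)}

def index(objects: list[Obj]) -> dict[str, list[tuple[Obj, DataSource]]]:
    """Terms indexed with the DSRs (hence ACLs) carrying them (slide 21).
    Terms take the 'Field=value' form of the queries on slides 27-28."""
    idx: dict[str, list[tuple[Obj, DataSource]]] = {}
    for obj in objects:
        for prop in obj.properties:
            for src in prop.sources:
                idx.setdefault(f"{prop.name}={prop.value}", []).append((obj, src))
    return idx

def search(user: User, idx: dict, *terms: str) -> dict:
    """Single term: readable hits plus discovery messages of DSRs that would
    have matched with read permission (slide 10).  Conjunction: readable hits
    only (slide 28), since a discovery result for 'Age=33 AND Name=John'
    would tie the hidden Age to the readable Name."""
    hits, discovery = None, set()
    for term in terms:
        readable = {}
        for obj, src in idx.get(term, []):
            r = permission(user, src.acl)
            if r >= READ:
                readable[obj.id] = obj
            elif r == DISCOVERY and len(terms) == 1:
                discovery.add(src.discovery_message)
        hits = readable if hits is None else {k: v for k, v in hits.items() if k in readable}
    loads = [object_load(user, o) for o in (hits or {}).values()]
    return {"objects": sorted(loads, key=str), "discovery": sorted(discovery)}

def build_setting(john_age: int, james_age: int) -> list[Obj]:
    """Constructed data for slides 24-28: Names from profiles.xls (ACL 1),
    Ages from email.msg (ACL 2); group A has dr on ACL 1 and d on ACL 2."""
    profiles = DataSource("profiles.xls", (ACI("A", "dr"), ACI("B", "drw")),
        "To acquire permission to data from profiles.xls, please contact John Doe.")
    email = DataSource("email.msg", (ACI("A", "d"), ACI("B", "drw")),
        "To acquire permission to data from email.msg, please contact John Doe.")
    return [Obj("Entity", [Property("Name", "John", [profiles]), Property("Age", str(john_age), [email])]),
            Obj("Entity", [Property("Name", "James", [profiles]), Property("Age", str(james_age), [email])])]

def view(user: User, objects: list[Obj], *terms: str) -> tuple:
    """Everything the user observes: every object load plus one search."""
    loads = sorted((object_load(user, o) for o in objects), key=str)
    return loads, search(user, index(objects), *terms)

if __name__ == "__main__":
    alice, bob = User("Alice", frozenset({"A"})), User("Bob", frozenset({"B"}))  # constructed membership
    a, b = build_setting(33, 44), build_setting(44, 33)                        # slides 24 and 25
    for query in (("Age=33",), ("Age=33", "Name=John")):
        print(query, "indistinguishable to Alice:", view(alice, a, *query) == view(alice, b, *query))
    print("Bob, who reads email.msg, sees the difference:", view(bob, a, "Age=33") != view(bob, b, "Age=33"))
```

The check worth noticing is in `search`: discovery messages are collected only when the query has a single term. Dropping the `len(terms) == 1` guard would make the conjunctive query return a discovery message in the slide 24 setting and none in the slide 25 setting, which is exactly the distinguishing leak slide 28 rules out. Bob, who holds read on both ACLs, is included to show that the indistinguishability is a property of Alice's permissions, not of the data.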
  29. Conclusion
     • Security and Data Models
     • Security Guarantees
     • Two applications of our guarantees
       – Confidentiality Under Resolution (CUR)
       – Confidentiality Under Discovery (CUD)
     For more details, see the “Palantir Access Control Model” whitepaper
  30. Palantir Access Control (closing slide, repeating slide 1). Bob McGrew, Director of Engineering. © 2008 Palantir Technologies Inc. All rights reserved.
