This presentation describes the results of a project (SPIDER) that has developed a proof-of-concept for fine-grained information access control, and communication of controls using a concept derived from Creative Commons called Protective Commons.
Self-Protecting Information for De-Perimeterised Electronic Relationships
1. Self-Protecting Information for De-perimeterised Electronic Relationships (SPIDER)
Jeremy Hilton & Pete Burnap
{Jeremy.hilton}{p.burnap}@cs.cardiff.ac.uk
2. The way people work is changing
Web 2.0 technology and Cloud computing are supporting/driving a collaborative, on-demand culture
Virtual Organisations are frequently used to support collaborative, distributed working:
Government Services (Transformational Government)
Medical (Patient Records)
Research (e-Research)
Inter-disciplinary organisations contribute content; others have access to the content
3. With the change to UK Data Protection laws meaning Government Data Controllers face civil action as well as financial penalties following a data breach, what is the impact of current information security limitations?
Information needs to be shared to support collaborative working, but the risk of sharing information appears very high considering the latest data losses (UK HMRC, 25 million records)
As a result HMRC have completely locked down their systems when it comes to taking data outside the perimeter
4. “In relation to rights, the Government believes piracy of intellectual property for profit is theft and will be pursued as such through the criminal law. The civil infringement of taking someone else’s intellectual property or passing it on to others through file-sharing without any compensating payment is, in plain English, wrong. However, the Government also believes, and the evidence suggests, that most people, given a reasonable choice would much prefer not to do wrong or break the law…”
5. “Personal data is the new currency of the digital world. Privacy and security of that data is an increasingly critical issue. The Information Commissioner is developing a new Code of Practice “Personal Information Online” for publication later this year. The Prime Minister has appointed Sir Tim Berners-Lee to form a panel of experts to deliver better use of public data. Effective self-regulation is also vital…”
13. Developed to control information sharing between G8 countries; Business Impact Levels added.
14. Security zones of the architecture:
Secured: This zone is the most secured area within the architecture. Access should be limited to highly trusted principals. Information Access limited to named principals only.
External Secured: This zone is similar to the Secured zone but is owned and operated by a business partner. The trust relationship between Org X and the business partner is stronger than in the restricted zones. Information Assets: Distributed to named individuals only.
Restricted: The Restricted zone is the next higher level of security above Controlled. Access is restricted to authenticated users or processes. Most data processing and storage occurs here.
External Restricted: Similar to the Restricted zone but owned/operated by a business partner. The trust relationship is stronger than that in the External Controlled zone. Information Access limited to groups of authenticated principals.
Controlled: This is where the lowest levels of control are applied to manage Information Assets, with the prime goals of managing Availability and Compliance.
External Controlled: Similar to the Controlled zone but owned/operated by an external organisation. Information Access limited to pre-defined groups made up of authenticated principals.
Uncontrolled (Public): The uncontrolled environment outside the control of Org X.
Managed: Belongs to IT and is used to administer servers, network devices and other managed devices. May be implemented with secure sessions (SSH), separate out-of-band networks, or greater controls on Admin devices.
16. Traditional access control applied:
At or within a network perimeter
To the entire resource
Information often required to be shared outside of the perimeter (in VOs) for collaboration
Information resources often made up of content with varying access control requirements
What are the issues?
Persistent control of information
Changes/Differences in Access Control Requirements
Intellectual Property (Research Data)
Data in the cloud
Changes/Differences in Data Protection Requirements
Confidentiality (Medical Record)
Commercial Data (Financial Report)
17. Encryption can be used, but once keys are shared the data controller loses persistent control of the shared information under the traditional model
Entire-resource protection means all information is controlled in accordance with the highest-level requirement and with a single label
Both reduce the potential for information sharing and collaboration
18. SPIDER is concerned with the accurate, distributed, auditable and persistent control of information in collaborative working environments (VOs)
Considers the following issues:
How can you protect shared information to the required level of granularity, and in such a way that you can modify access privileges at any time, even after it has left the perimeter?
How can you provide information related to access controls granted and people in possession of information at any point in time following a data breach?
How can you make a case for prosecution against a malicious individual who has misused your information?
19. SPIDER aims to break down information content within a single resource, classify the content based on protection requirements, and communicate the control requirements:
Icon-based labelling
Human- and machine-readable controls
Security labels based on the classification added to the content as metadata
Labels bound to a centralised access control policy for the resource
Content encrypted and distributed
Information accessed using an on-demand secure access client
Access privileges and current information holders auditable
23. • A set of licenses that are flexible enough to let you add as many or as few restrictions on your work as you like
• Expressed in 3 different formats:
• Lawyer-readable
• Human-readable
• Machine-readable
• www.creativecommons.org
24. A set of classifications that are flexible enough to enable you to define and communicate the controls to be applied to your information
May be combined with Creative Commons licenses
Expressed in 3 different formats:
Security Officer-readable
Human-readable
Machine-readable
25. Confidentiality
RA – Restricted Access
OO – Organisation Only
CA – Community Access
OA – Open Access
CU – Controlled Until
Use
PI – Personal Information
ND – Non-Disclosure
CG – Corporate Governance
SD – Safe Disposal
AD – Approved for Disclosure
Authentication
BY – Attribution (cc)
AB – Authorised By
Integrity
ccND – Non-Derivatives
26. Restricted Access
The information is restricted to the nominated recipients
The owner of the information will nominate the authorised recipients
The owner may delegate responsibility for nominating authorised recipients
27. Personal Information
The information contains personal information and consideration must be made before sharing the information
This classification is likely to be used in conjunction with other labels such as cc
29. Document structure:
<Document Identifier>   (unencrypted)
<serverLocation> Web address of Access Request Web Service   (unencrypted)
<content label="Classification-X"> ... </content>   (encrypted)
<content label="Classification-Y"> ... </content>   (encrypted)
<content label="Classification-Z"> ... </content>   (encrypted)
Each section of classified content will be wrapped in an XML nest with its own parent element (the <content> bit). Each parent element has a "label" attribute, with a value representing the classification label assigned to that section.
The access control tables in the access control database, located on the "server-side" (the information controller), contain user identity details alongside a list of classification labels the user is permitted to access.
Because of the structured nature of the document, all content held between the <content>…</content> elements can only be accessed by a user if their document-specific access privileges contain the label representing the content classification.
31. Architecture overview (figure): the Information Controller hosts the Document Access Request Web Service, the Crypto Key DB, the Access Control DB and the PKI. The Client runs the SPIDER Application and holds the shared document (Document Identifier plus encrypted content), the User ID Details and the User Certificate.
32. Information Controller (figure): the Document Access Request Web Service receives the Document Identifier and User ID Details from the client. The Access Control DB holds the Access Control Tables (Document Identifier, User ID Details, Doc-Specific Access Privileges), and the Cryptography Key DB maps each Document Identifier to its Doc-Specific Crypto Key. If User Verification = TRUE, the service returns the Doc-Specific Crypto Key and the Doc-Specific Access Privileges to the client.
33. Client (figure): the SPIDER Application receives the Doc-Specific Key and the Doc-Specific Access Privileges, then:
• Apply Doc-Specific crypto key (Decrypt)
• Parse information for content tagged with labels contained in the Access Privileges
• Display unrestricted content to user
34. Collaborator (figure): the collaborator decrypts the encrypted content with the key and access privileges received, e.g. access to Classification X & Z:
<Classification Level X> Identity Details </Classification Level X>
<Classification Level Y> Medical History </Classification Level Y>
<Classification Level Z> Current Medication </Classification Level Z>
Information Displayed: Identity Details, Current Medication
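The flow of slides 29 to 34 in runnable form, as an added example that is not the SPIDER project's code: labelled <content> sections encrypted under a doc-specific key, an access request answered with key plus privileges only after identity verification, and a client that decrypts and shows only the sections whose label it holds. The element names, the sample tables and users, the patient-record sections, and the HMAC-SHA256 counter-mode stream cipher standing in for a real AES library are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

# Constructed sample data standing in for the information controller's
# access control DB and crypto key DB (slide 32).
ACCESS_CONTROL_TABLES = {
    "doc-001": {"alice": {"X", "Z"}, "bob": {"X", "Y", "Z"}},
}
KEY_DB = {"doc-001": secrets.token_bytes(32)}


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (assumption, standing in for AES): HMAC-SHA256 run
    in counter mode over (nonce, counter) yields a keystream XORed with data.
    The same call encrypts and decrypts; a fresh nonce per section keeps the
    keystream from repeating under the shared doc-specific key."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def build_document(doc_id: str, server_url: str, sections: dict) -> str:
    """Information controller: wrap each classified section in its own
    <content label="..."> element, encrypted under the doc-specific key
    (slide 29). Identifier and server location stay unencrypted."""
    key = KEY_DB[doc_id]
    root = ET.Element("document")
    ET.SubElement(root, "documentIdentifier").text = doc_id
    ET.SubElement(root, "serverLocation").text = server_url
    for label, plaintext in sections.items():
        nonce = secrets.token_bytes(16)
        ciphertext = stream_xor(key, nonce, plaintext.encode("utf-8"))
        elem = ET.SubElement(root, "content", label=label)
        elem.text = (nonce + ciphertext).hex()
    return ET.tostring(root, encoding="unicode")


def access_request(doc_id: str, user_id: str, user_verified: bool):
    """Document Access Request Web Service (slide 32): only when the user's
    identity verified (the PKI certificate check, represented here by a flag)
    does the service return the doc-specific crypto key and the user's
    doc-specific access privileges. Anything else yields None."""
    if not user_verified:
        return None
    privileges = ACCESS_CONTROL_TABLES.get(doc_id, {}).get(user_id)
    if privileges is None:
        return None
    return KEY_DB[doc_id], frozenset(privileges)


def client_view(document_xml: str, user_id: str, user_verified: bool) -> dict:
    """SPIDER client (slides 33-34): read the unencrypted identifier, ask the
    controller for key and privileges, decrypt only the sections whose label
    is in the privileges, and return those as label -> plaintext."""
    root = ET.fromstring(document_xml)
    doc_id = root.findtext("documentIdentifier")
    grant = access_request(doc_id, user_id, user_verified)
    if grant is None:
        return {}
    key, privileges = grant
    visible = {}
    for elem in root.iter("content"):
        label = elem.get("label")
        if label not in privileges:
            continue  # restricted for this user: left encrypted, not shown
        blob = bytes.fromhex(elem.text)
        visible[label] = stream_xor(key, blob[:16], blob[16:]).decode("utf-8")
    return visible


# Constructed patient record in the style of slide 34.
SAMPLE_SECTIONS = {"X": "Identity Details", "Y": "Medical History", "Z": "Current Medication"}
SAMPLE_DOC = build_document("doc-001", "https://controller.example/access", SAMPLE_SECTIONS)

if __name__ == "__main__":
    print(client_view(SAMPLE_DOC, "alice", True))   # X and Z only
    print(client_view(SAMPLE_DOC, "bob", True))     # X, Y and Z
    print(client_view(SAMPLE_DOC, "alice", False))  # nothing: identity not verified
```

As on the slides, one doc-specific key unlocks every section, so a client that has been granted any label holds enough to decrypt the rest; enforcement of the privilege list rests on the client honouring it, which is the same trust placed in a DRM client (slide 35). Returning a separate key per label from the access request service would remove that reliance on the client, at the cost of one key-wrap per label in the key DB.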
35. Very similar to the DRM model, except that content can be controlled at different levels of restriction and the policy is bound to a central point of control and can be modified at a later date
DRM is quite often seen as a “disabler”. This approach is positioned very much as an “enabler”, but a transparent one: a model that supports secure information sharing through auditability and transparency of action
The persistent link to a central point of control allows audit to determine who had access privileges at the point of information misuse.
In addition, this allows modifications to be recorded
In addition, this allows modifications to be recorded
36. Absolute security is arguably impossible to achieve
This approach supports modifiable controls on distributed information and transparent capture of information modification action
It is positioned in the collaborative, distributed working domain to assist organisations such as Government departments to work securely and collaboratively
Data misuse can be traced, reported and dealt with. Arguably more “appropriate technical and organisational measures” than currently exist
Makes it viable for data controllers to share information
43. Multi-Agency environment:
Police
Courts Service
Probation Service
Lawyers
Social Services
Health, etc.
Offender management
Privacy issues in data shared during arrest, prosecution and detention
Release under licence
44. Changing individuals’ behaviour such that:
the need for safe handling of information is understood & accepted; and
controls agreed and applied
Because the individuals choose to, not because they are told to.
47. ASCJS workshops confirmed the usefulness of the scenario-based risk assessment and icon-based approach for communicating controls
Identified a number of additional benefits that contributed to an increased understanding of the distributed community and the need for controls
In addition, they expressed an interest in the ability to implement a technical solution to provide fine-grained access to data-sharing in a collaborative, distributed environment