SlideShare a Scribd company logo

Self-Protecting Information for De-Perimiterised Electronic Relationships

J
Jeremy Hilton

This presentation describes the results of a project (SPIDER) that has developed a proof-of-concept for fine-grained information access control, and communication of controls using a concept derived from Creative Commons called Protective Commons.

BusinessTechnology
1 of 48
Download to read offline
Self Protecting Information for De- perimeterised Electronic Relationships (SPIDER) Jeremy Hilton & Pete Burnap {Jeremy.hilton}{p.burnap}@cs.cardiff.ac.uk
  The way people work is changing   Web 2.0 technology and Cloud computing is supporting/driving a collaborative, on-demand culture   Virtual Organisations are frequently used to support collaborative, distributed working   Government Services (Transformational Government)   Medical (Patient Records)   Research (e-Research)   Inter-disciplinary organisations contribute content, others have access to the content
  With the change to UK Data Protection laws meaning Government Data Controllers face civil action as well as financial penalties following a data breach, what is the impact of current information security limitations?   Information needs to be shared to support collaborative working but the risk of sharing information appears very high considering the latest data losses (UK HRMC 25 million records)   As a result HMRC have completely locked down their systems when it comes to taking data outside the perimeter 3
“In relation to rights, the Government believes piracy of intellectual property for profit is theft and will be pursued as such through the criminal law. The civil infringement of taking someone else’s intellectual property or passing it on to others through file-sharing without any compensating payment is, in plain English, wrong. However, the Government also believes, and the evidence suggests, that most people, given a reasonable choice would much prefer not to do wrong or break the law…” 4
“Personal data is the new currency of the digital world. Privacy and security of that data is an increasingly critical issue. The Information Commissioner is developing a new Code of Practice “Personal Information Online” for publication later this year. The Prime Minister has appointed Sir Tim Berners-Lee to form a panel of experts to deliver better use of public data. Effective self-regulation is also vital…” 5
  #2 Define the information architecture
Developed to control information sharing between G8 countries, Business Impact levels added.
External Secured Secured This zone is similar to the secured zone but is owned and operated by a business partner. The trust relationship between the Org X and the business partner is stronger This zone is the most than in the restricted zones. Information Assets: Distributed to named individuals only. secured area within the External Restricted Restricted architecture. Similar to Restricted Zone but owned /operated by a The restricted Zone is the business partner. The trust relationship is stronger that next higher level of security Access should be limited to that in the External Controlled Zone. Information Access above Controlled. Access highly trusted principals. limited to Groups of authenticated principals is Restricted to authenticated users or External Controlled Controlled processes. Information Access limited Similar to Controlled Zone This is where the lowest to named principals only. Most data processing and but owned /operated by an levels of control are applied storage occurs here. external organisation. to manage Information Information Access limited Assets with the prime goals Uncontrolled (Public) of managing Availability to pre-defined groups The uncontrolled made up of authenticated and Compliance environment outside the principals. control of Org X. Managed Belongs to IT and is used to administer servers, network devices and other managed devices. May be implemented with secure sessions (SSH) separate out of band networks or greater controls on Admin devices.
Attribution: The Open Group
  Traditional access control applied:   At or within a network perimeter   To the entire resource   Information often required to be shared outside of the perimeter (in VOs) for collaboration   Information resources often made up on content with varying access control requirements   What are the issues?   Persistent control of information   Changes/Differences in Access Control Requirements   Intellectual Property (Research Data)   Data in the cloud   Changes/Differences in Data Protection Requirements   Confidentiality (Medical Record)   Commercial Data (Financial Report)
  Encryption can be used but once keys are shared, data controller loses persistent control of shared information using the traditional model   Entire resource protection means all information is controlled in accordance with the highest level requirement and with an individual label   Both reduce the potential for information sharing and collaboration
  SPIDER is concerned with the accurate, distributed, auditable and persistent control of information in collaborative working environments (VOs)   Considers the following issues:   How can you protect shared information to the required level of granularity and in such as way as you can modify access privileges at any time even after it has left the perimeter?   How can you provide information related to access controls granted and people in possession of information at any point in time following a data breach?   How can you make a case for prosecution against a malicious individual who has misused your information?
  SPIDER aims to break down information content within a single resource and classify the content based on protection requirements, and communicate the control requirements:   Icon-based labelling   Human- and machine-readable controls   Security labels based on the classification added to the content as metadata   Labels bound to a centralised access control policy for the resource   Content encrypted and distributed   Information accessed using an on-demand secure access client   Access privileges and current information holders auditable
Adapting the creative commons approach for information classification and control
•  A set of licenses that are flexible enough to let you add as much or as little restrictions on you work as you like •  Expressed in 3 different formats: •  Lawyer-readable •  Human-readable •  Machine-readable •  www.creativecommons.org
  A set of classifications that are flexible enough to enable to define and communicate the controls to be applied to your information   May be combined with creative commons licenses   Expressed in 3 different formats:   Security Officer-readable   Human-readable   Machine readable
  Confidentiality   Use RA – Restricted Access PI – Personal Information OO – Organisation Only ND – Non-Disclosure CA – Community Access CG – Corporate Governance OA – Open Access SD – Safe Disposal CU – Controlled Until   Authentication AD – Approved for Disclosure BY – Attribution cc   Integrity AB – Authorised By ccND – Non-Derivatives
Restricted Access   The information is restricted to the nominated recipients   The owner of the information will nominate the authorised recipients   The owner may delegate responsibility for nominating authorised recipients
Personal Information   The information contains personal information and consideration must be made before sharing the information   This classification is likely to be used in conjunction with other labels such as cc
Binding Policy to data and technical implementation
<Document Identifier> Unencrypted <serverLocation> Web address of Access Request Web Service <content label=“Classification-X”> Each section of classified content will be wrapped in an XML nest with its own parent element (the <content> bit). Each parent element has a “label” attribute, with a value representing the classification label assigned to that section </content> <content label=“Classification-Y”> The access control tables in the access control database, located Encrypted on the “server-side” (the information controller) contain user identity details alongside a list of classification labels the user is permitted to access </content> <content label=“Classification-Z”> Because of the structured nature of the document, all content held between the <content>…</content> elements can only be accessed by a user if their document-specific access privileges contain the label representing the content classification
Encrypted Content <Classification Level X> Identity Details < /Classification Level X> <Classification Level Y> Medical History < /Classification Level Y> <Classification Level Z> Current Medication < /Classification Level Z> .....
Information Controller Client SPIDER Application Access Shared Request Document Identifier Content Content Web (Encrypted) Service User ID Details Crypto Access Key DB Control PKI User Certificate DB
Information Controller Access Control DB Document Identifier User ID Details Doc-Specific Access Privileges Document Identifier Document Access Doc-Specific Crypto Key Access Control Tables Request Web Service User ID Details Doc-Specific Doc-Specific Table Crypto Key If User Verification = TRUE Doc-Specific Access Privileges Cryptography Document Identifier Key DB
Client SPIDER Application •  Apply Doc-Specific crypto key (Decrypt) Doc-Specific Access Privileges Content Doc-Specific Key •  Parse information for content tagged with labels contained in the Access Privileges •  Display unrestricted content to user
Collaborator Encrypted Decrypt key Content & access privileges e.g. Access to: Classification X & Z <Classification Level X> Identity Details < /Classification Level X> Information Displayed <Classification Level Y> Identity Details Medical History < /Classification Level Y> Current Medication <Classification Level Z> Current Medication < /Classification Level Z> .....
  Very similar to DRM model, except that content can be controlled at different levels of restriction and the policy is bound to a central point of control and can be modified at a later date   DRM is quite often seen as a “disabler”. This approach is positioned very much as an “enabler”, but a transparent one. A model that supports secure information sharing through audit-ability and transparency of action   The persistent link to a central point of control allows audit to determine who had access privileges at the point of information misuse.   In addition, this allows modifications to be recorded
  Absolute security is arguably impossible to achieve   This approach supports modifiable controls on distributed information and transparent capture of information modification action   It is positioned in the collaborative, distributed working domain to assist organisations such as Government departments to work securely and collaboratively   Data misuse can be traced, reported and dealt with. Arguably more “appropriate technical and organisational measures” than currently exist   Makes it viable for data controllers to share information
37
38 Developed by Shada Al-Salamah as part of an MSc Project
39 Developed by Shada Al-Salamah as part of an MSc Project
40 Developed by Shada Al-Salamah as part of an MSc Project
41 Developed by Shada Al-Salamah as part of an MSc Project
Avon & Somerset Criminal Justice Board - PRIMADS 42
  Multi-Agency environment   Police   Courts Service   Probation Service   Lawyers   Social Services   Health, etc   Offender management   Privacy issues in data shared during arrest, prosecution and detention   Release under licence 43
  Changing individuals’ behaviour such that:   the need for safe handling of information is understood & accepted; and   controls agreed and applied   Because the individuals choose to, not because they are told to. 44
45
46
  ASCJS workshops confirmed the usefulness of the scenario-based risk assessment and icon- based approach for communicating controls   Identified a number of additional benefits that contributed to an increased understanding of the distributed community and the need for controls   In addition, they expressed an interest in the ability to implement a technical solution to provide fine-grained assess to data-sharing in a collaborative, distributed environment 47
48

Recommended

Solutions for privacy, disclosure and encryption
Solutions for privacy, disclosure and encryptionSolutions for privacy, disclosure and encryption
Solutions for privacy, disclosure and encryptionTrend Micro
 
Dynamic access control sbc12 - thuan nguyen
Dynamic access control sbc12 - thuan nguyenDynamic access control sbc12 - thuan nguyen
Dynamic access control sbc12 - thuan nguyenThuan Ng
 
Internet Security Threat Report (ISTR) Vol. 16
Internet Security Threat Report (ISTR) Vol. 16Internet Security Threat Report (ISTR) Vol. 16
Internet Security Threat Report (ISTR) Vol. 16Symantec APJ
 
Electronic data & record management
Electronic data & record managementElectronic data & record management
Electronic data & record managementGreenLeafInst
 
An Enterprise Guide to Understanding Key Management
An Enterprise Guide to Understanding Key ManagementAn Enterprise Guide to Understanding Key Management
An Enterprise Guide to Understanding Key ManagementSafeNet
 
Security Built Upon a Foundation of Trust
Security Built Upon a Foundation of TrustSecurity Built Upon a Foundation of Trust
Security Built Upon a Foundation of Trustlmgangi
 
Perspec sys knowledge_series__solving_privacy_residency_and_security
Perspec sys knowledge_series__solving_privacy_residency_and_securityPerspec sys knowledge_series__solving_privacy_residency_and_security
Perspec sys knowledge_series__solving_privacy_residency_and_securityAccenture
 
Symantec Enterprise Mobility Enhancements
Symantec Enterprise Mobility EnhancementsSymantec Enterprise Mobility Enhancements
Symantec Enterprise Mobility EnhancementsSymantec
 

Recommended

Solutions for privacy, disclosure and encryption
Solutions for privacy, disclosure and encryptionSolutions for privacy, disclosure and encryption
Solutions for privacy, disclosure and encryptionTrend Micro
 
Dynamic access control sbc12 - thuan nguyen
Dynamic access control sbc12 - thuan nguyenDynamic access control sbc12 - thuan nguyen
Dynamic access control sbc12 - thuan nguyenThuan Ng
 
Internet Security Threat Report (ISTR) Vol. 16
Internet Security Threat Report (ISTR) Vol. 16Internet Security Threat Report (ISTR) Vol. 16
Internet Security Threat Report (ISTR) Vol. 16Symantec APJ
 
Electronic data & record management
Electronic data & record managementElectronic data & record management
Electronic data & record managementGreenLeafInst
 
An Enterprise Guide to Understanding Key Management
An Enterprise Guide to Understanding Key ManagementAn Enterprise Guide to Understanding Key Management
An Enterprise Guide to Understanding Key ManagementSafeNet
 
Security Built Upon a Foundation of Trust
Security Built Upon a Foundation of TrustSecurity Built Upon a Foundation of Trust
Security Built Upon a Foundation of Trustlmgangi
 
Perspec sys knowledge_series__solving_privacy_residency_and_security
Perspec sys knowledge_series__solving_privacy_residency_and_securityPerspec sys knowledge_series__solving_privacy_residency_and_security
Perspec sys knowledge_series__solving_privacy_residency_and_securityAccenture
 
Symantec Enterprise Mobility Enhancements
Symantec Enterprise Mobility EnhancementsSymantec Enterprise Mobility Enhancements
Symantec Enterprise Mobility EnhancementsSymantec
 
Enterprise Collaboration For The Legal Community
Enterprise Collaboration For The Legal CommunityEnterprise Collaboration For The Legal Community
Enterprise Collaboration For The Legal CommunityAlasdair Kilgour
 
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...IJERD Editor
 
Data Security
Data SecurityData Security
Data Securityankita_kashyap
 
Microsoft India - Forefront Value Of Identity And Security Offerings Presenta...
Microsoft India - Forefront Value Of Identity And Security Offerings Presenta...Microsoft India - Forefront Value Of Identity And Security Offerings Presenta...
Microsoft India - Forefront Value Of Identity And Security Offerings Presenta...Microsoft Private Cloud
 
Taxonomy Management, Automatic Metadata Tagging & Auto Classification in Shar...
Taxonomy Management, Automatic Metadata Tagging & Auto Classification in Shar...Taxonomy Management, Automatic Metadata Tagging & Auto Classification in Shar...
Taxonomy Management, Automatic Metadata Tagging & Auto Classification in Shar...William LaPorte
 
"NSTIC Pilots on the trust network" Webinar Slides 10-12-2012
"NSTIC Pilots on the trust network" Webinar Slides 10-12-2012"NSTIC Pilots on the trust network" Webinar Slides 10-12-2012
"NSTIC Pilots on the trust network" Webinar Slides 10-12-2012Collaborative Health Consortium
 
Ecommerce Chap 10
Ecommerce Chap 10Ecommerce Chap 10
Ecommerce Chap 10Pimsat University
 
Contractor Exposed Manufacturer's Sensitive Data
Contractor Exposed Manufacturer's Sensitive DataContractor Exposed Manufacturer's Sensitive Data
Contractor Exposed Manufacturer's Sensitive DataDigital Shadows
 
Data Integrity Protection
Data Integrity ProtectionData Integrity Protection
Data Integrity Protectionproitsolutions
 
Advisory April Showers 02.19.2009
Advisory April Showers 02.19.2009Advisory April Showers 02.19.2009
Advisory April Showers 02.19.2009Davis Wright Tremaine LLP
 
Vormetric data security complying with pci dss encryption rules
Vormetric data security complying with pci dss encryption rulesVormetric data security complying with pci dss encryption rules
Vormetric data security complying with pci dss encryption rulesVormetric Inc
 
Gdpr questions for compliance difficulties
Gdpr questions for compliance difficultiesGdpr questions for compliance difficulties
Gdpr questions for compliance difficultiesSteven Meister
 
Simple cloud security explanation
Simple cloud security explanationSimple cloud security explanation
Simple cloud security explanationindianadvisory
 
Privacy Management System: Protect Data or Perish
Privacy Management System: Protect Data or PerishPrivacy Management System: Protect Data or Perish
Privacy Management System: Protect Data or PerishRSIS International
 
GTB DLP - Content Aware Security Suite
GTB DLP - Content Aware Security SuiteGTB DLP - Content Aware Security Suite
GTB DLP - Content Aware Security SuiteVCW Security Ltd
 
Wk White Paper
Wk White PaperWk White Paper
Wk White PaperCreus Moreira Carlos
 
Martine Lapierre - Security in Cloud computing: sharing more than resources
Martine Lapierre - Security in Cloud computing: sharing more than resourcesMartine Lapierre - Security in Cloud computing: sharing more than resources
Martine Lapierre - Security in Cloud computing: sharing more than resourcesServiceWave 2010
 
Cloud Webinar Neiditz Weitz Mitchell Goodman
Cloud Webinar Neiditz Weitz Mitchell GoodmanCloud Webinar Neiditz Weitz Mitchell Goodman
Cloud Webinar Neiditz Weitz Mitchell Goodmanjonneiditz
 
Law firms keep sensitive client data secure with CloudMask
Law firms keep sensitive client data secure with CloudMaskLaw firms keep sensitive client data secure with CloudMask
Law firms keep sensitive client data secure with CloudMaskCloudMask inc.
 
GTB IRM - Business Use Cases - 2013
GTB IRM - Business Use Cases - 2013GTB IRM - Business Use Cases - 2013
GTB IRM - Business Use Cases - 2013Ravindran Vasu
 
Waterstone Master Deck / July 2010
Waterstone Master Deck / July 2010Waterstone Master Deck / July 2010
Waterstone Master Deck / July 2010robertrichards
 
API - That was Then, This is Now
API - That was Then, This is NowAPI - That was Then, This is Now
API - That was Then, This is Nowjamesty
 

More Related Content

What's hot

Enterprise Collaboration For The Legal Community
Enterprise Collaboration For The Legal CommunityEnterprise Collaboration For The Legal Community
Enterprise Collaboration For The Legal CommunityAlasdair Kilgour
 
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...IJERD Editor
 
Microsoft India - Forefront Value Of Identity And Security Offerings Presenta...
Microsoft India - Forefront Value Of Identity And Security Offerings Presenta...Microsoft India - Forefront Value Of Identity And Security Offerings Presenta...
Microsoft India - Forefront Value Of Identity And Security Offerings Presenta...Microsoft Private Cloud
 
Taxonomy Management, Automatic Metadata Tagging & Auto Classification in Shar...
Taxonomy Management, Automatic Metadata Tagging & Auto Classification in Shar...Taxonomy Management, Automatic Metadata Tagging & Auto Classification in Shar...
Taxonomy Management, Automatic Metadata Tagging & Auto Classification in Shar...William LaPorte
 
"NSTIC Pilots on the trust network" Webinar Slides 10-12-2012
"NSTIC Pilots on the trust network" Webinar Slides 10-12-2012"NSTIC Pilots on the trust network" Webinar Slides 10-12-2012
"NSTIC Pilots on the trust network" Webinar Slides 10-12-2012Collaborative Health Consortium
 
Contractor Exposed Manufacturer's Sensitive Data
Contractor Exposed Manufacturer's Sensitive DataContractor Exposed Manufacturer's Sensitive Data
Contractor Exposed Manufacturer's Sensitive DataDigital Shadows
 
Data Integrity Protection
Data Integrity ProtectionData Integrity Protection
Data Integrity Protectionproitsolutions
 
Vormetric data security complying with pci dss encryption rules
Vormetric data security complying with pci dss encryption rulesVormetric data security complying with pci dss encryption rules
Vormetric data security complying with pci dss encryption rulesVormetric Inc
 
Gdpr questions for compliance difficulties
Gdpr questions for compliance difficultiesGdpr questions for compliance difficulties
Gdpr questions for compliance difficultiesSteven Meister
 
Simple cloud security explanation
Simple cloud security explanationSimple cloud security explanation
Simple cloud security explanationindianadvisory
 
Privacy Management System: Protect Data or Perish
Privacy Management System: Protect Data or PerishPrivacy Management System: Protect Data or Perish
Privacy Management System: Protect Data or PerishRSIS International
 
GTB DLP - Content Aware Security Suite
GTB DLP - Content Aware Security SuiteGTB DLP - Content Aware Security Suite
GTB DLP - Content Aware Security SuiteVCW Security Ltd
 
Martine Lapierre - Security in Cloud computing: sharing more than resources
Martine Lapierre - Security in Cloud computing: sharing more than resourcesMartine Lapierre - Security in Cloud computing: sharing more than resources
Martine Lapierre - Security in Cloud computing: sharing more than resourcesServiceWave 2010
 
Cloud Webinar Neiditz Weitz Mitchell Goodman
Cloud Webinar Neiditz Weitz Mitchell GoodmanCloud Webinar Neiditz Weitz Mitchell Goodman
Cloud Webinar Neiditz Weitz Mitchell Goodmanjonneiditz
 
Law firms keep sensitive client data secure with CloudMask
Law firms keep sensitive client data secure with CloudMaskLaw firms keep sensitive client data secure with CloudMask
Law firms keep sensitive client data secure with CloudMaskCloudMask inc.
 
GTB IRM - Business Use Cases - 2013
GTB IRM - Business Use Cases - 2013GTB IRM - Business Use Cases - 2013
GTB IRM - Business Use Cases - 2013Ravindran Vasu
 

What's hot (20)

Enterprise Collaboration For The Legal Community
Enterprise Collaboration For The Legal CommunityEnterprise Collaboration For The Legal Community
Enterprise Collaboration For The Legal Community
 
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
 
Data Security
Data SecurityData Security
Data Security
 
Microsoft India - Forefront Value Of Identity And Security Offerings Presenta...
Microsoft India - Forefront Value Of Identity And Security Offerings Presenta...Microsoft India - Forefront Value Of Identity And Security Offerings Presenta...
Microsoft India - Forefront Value Of Identity And Security Offerings Presenta...
 
Taxonomy Management, Automatic Metadata Tagging & Auto Classification in Shar...
Taxonomy Management, Automatic Metadata Tagging & Auto Classification in Shar...Taxonomy Management, Automatic Metadata Tagging & Auto Classification in Shar...
Taxonomy Management, Automatic Metadata Tagging & Auto Classification in Shar...
 
"NSTIC Pilots on the trust network" Webinar Slides 10-12-2012
"NSTIC Pilots on the trust network" Webinar Slides 10-12-2012"NSTIC Pilots on the trust network" Webinar Slides 10-12-2012
"NSTIC Pilots on the trust network" Webinar Slides 10-12-2012
 
Ecommerce Chap 10
Ecommerce Chap 10Ecommerce Chap 10
Ecommerce Chap 10
 
Contractor Exposed Manufacturer's Sensitive Data
Contractor Exposed Manufacturer's Sensitive DataContractor Exposed Manufacturer's Sensitive Data
Contractor Exposed Manufacturer's Sensitive Data
 
Data Integrity Protection
Data Integrity ProtectionData Integrity Protection
Data Integrity Protection
 
Advisory April Showers 02.19.2009
Advisory April Showers 02.19.2009Advisory April Showers 02.19.2009
Advisory April Showers 02.19.2009
 
Vormetric data security complying with pci dss encryption rules
Vormetric data security complying with pci dss encryption rulesVormetric data security complying with pci dss encryption rules
Vormetric data security complying with pci dss encryption rules
 
Gdpr questions for compliance difficulties
Gdpr questions for compliance difficultiesGdpr questions for compliance difficulties
Gdpr questions for compliance difficulties
 
Simple cloud security explanation
Simple cloud security explanationSimple cloud security explanation
Simple cloud security explanation
 
Privacy Management System: Protect Data or Perish
Privacy Management System: Protect Data or PerishPrivacy Management System: Protect Data or Perish
Privacy Management System: Protect Data or Perish
 
GTB DLP - Content Aware Security Suite
GTB DLP - Content Aware Security SuiteGTB DLP - Content Aware Security Suite
GTB DLP - Content Aware Security Suite
 
Wk White Paper
Wk White PaperWk White Paper
Wk White Paper
 
Martine Lapierre - Security in Cloud computing: sharing more than resources
Martine Lapierre - Security in Cloud computing: sharing more than resourcesMartine Lapierre - Security in Cloud computing: sharing more than resources
Martine Lapierre - Security in Cloud computing: sharing more than resources
 
Cloud Webinar Neiditz Weitz Mitchell Goodman
Cloud Webinar Neiditz Weitz Mitchell GoodmanCloud Webinar Neiditz Weitz Mitchell Goodman
Cloud Webinar Neiditz Weitz Mitchell Goodman
 
Law firms keep sensitive client data secure with CloudMask
Law firms keep sensitive client data secure with CloudMaskLaw firms keep sensitive client data secure with CloudMask
Law firms keep sensitive client data secure with CloudMask
 
GTB IRM - Business Use Cases - 2013
GTB IRM - Business Use Cases - 2013GTB IRM - Business Use Cases - 2013
GTB IRM - Business Use Cases - 2013
 

Viewers also liked

Waterstone Master Deck / July 2010
Waterstone Master Deck / July 2010Waterstone Master Deck / July 2010
Waterstone Master Deck / July 2010robertrichards
 
API - That was Then, This is Now
API - That was Then, This is NowAPI - That was Then, This is Now
API - That was Then, This is Nowjamesty
 
Observation lab edison acuna santiago chile
Observation lab edison acuna santiago chileObservation lab edison acuna santiago chile
Observation lab edison acuna santiago chileEdison Acuna
 
2010 Portfolio - Doug Zweigoron
2010 Portfolio - Doug Zweigoron2010 Portfolio - Doug Zweigoron
2010 Portfolio - Doug ZweigoronDoug Zweigoron
 
D Ell Computer Gs
D Ell Computer GsD Ell Computer Gs
D Ell Computer Gsgshyam817
 
DEFICIT ATENCION IRMA REYES RICRA
DEFICIT ATENCION IRMA REYES RICRADEFICIT ATENCION IRMA REYES RICRA
DEFICIT ATENCION IRMA REYES RICRAIRMA REYES RICRA
 
Cartel de modificaciòn de conductappt
Cartel de modificaciòn de conductapptCartel de modificaciòn de conductappt
Cartel de modificaciòn de conductapptIRMA REYES RICRA
 
Cartel de modificaciòn de conductappt
Cartel de modificaciòn de conductapptCartel de modificaciòn de conductappt
Cartel de modificaciòn de conductapptIRMA REYES RICRA
 
DIVERSIDAD EDUCATIVA - Comprensiva
DIVERSIDAD EDUCATIVA - ComprensivaDIVERSIDAD EDUCATIVA - Comprensiva
DIVERSIDAD EDUCATIVA - ComprensivaIRMA REYES RICRA
 
Cartel de modificaciòn de conduct appt2
Cartel de modificaciòn de conduct appt2Cartel de modificaciòn de conduct appt2
Cartel de modificaciòn de conduct appt2IRMA REYES RICRA
 
ESTIMULACIÓN INTEGRAL(IrmaReyesRicra)
ESTIMULACIÓN INTEGRAL(IrmaReyesRicra)ESTIMULACIÓN INTEGRAL(IrmaReyesRicra)
ESTIMULACIÓN INTEGRAL(IrmaReyesRicra)IRMA REYES RICRA
 

Viewers also liked (16)

Waterstone Master Deck / July 2010
Waterstone Master Deck / July 2010Waterstone Master Deck / July 2010
Waterstone Master Deck / July 2010
 
API - That was Then, This is Now
API - That was Then, This is NowAPI - That was Then, This is Now
API - That was Then, This is Now
 
Observation lab edison acuna santiago chile
Observation lab edison acuna santiago chileObservation lab edison acuna santiago chile
Observation lab edison acuna santiago chile
 
2010 Portfolio - Doug Zweigoron
2010 Portfolio - Doug Zweigoron2010 Portfolio - Doug Zweigoron
2010 Portfolio - Doug Zweigoron
 
LAS VERDADES
LAS VERDADESLAS VERDADES
LAS VERDADES
 
Honda
HondaHonda
Honda
 
D Ell Computer Gs
D Ell Computer GsD Ell Computer Gs
D Ell Computer Gs
 
Agar
AgarAgar
Agar
 
Ib Presentation
Ib PresentationIb Presentation
Ib Presentation
 
E-LERNING
E-LERNINGE-LERNING
E-LERNING
 
DEFICIT ATENCION IRMA REYES RICRA
DEFICIT ATENCION IRMA REYES RICRADEFICIT ATENCION IRMA REYES RICRA
DEFICIT ATENCION IRMA REYES RICRA
 
Cartel de modificaciòn de conductappt
Cartel de modificaciòn de conductapptCartel de modificaciòn de conductappt
Cartel de modificaciòn de conductappt
 
Cartel de modificaciòn de conductappt
Cartel de modificaciòn de conductapptCartel de modificaciòn de conductappt
Cartel de modificaciòn de conductappt
 
DIVERSIDAD EDUCATIVA - Comprensiva
DIVERSIDAD EDUCATIVA - ComprensivaDIVERSIDAD EDUCATIVA - Comprensiva
DIVERSIDAD EDUCATIVA - Comprensiva
 
Cartel de modificaciòn de conduct appt2
Cartel de modificaciòn de conduct appt2Cartel de modificaciòn de conduct appt2
Cartel de modificaciòn de conduct appt2
 
ESTIMULACIÓN INTEGRAL(IrmaReyesRicra)
ESTIMULACIÓN INTEGRAL(IrmaReyesRicra)ESTIMULACIÓN INTEGRAL(IrmaReyesRicra)
ESTIMULACIÓN INTEGRAL(IrmaReyesRicra)
 

Similar to Self-Protecting Information for De-Perimiterised Electronic Relationships

Ieeepro techno solutions 2011 ieee dotnet project -secure role based data
Ieeepro techno solutions 2011 ieee dotnet project -secure role based dataIeeepro techno solutions 2011 ieee dotnet project -secure role based data
Ieeepro techno solutions 2011 ieee dotnet project -secure role based dataASAITHAMBIRAJAA
 
Ieeepro techno solutions 2011 ieee java project -secure role based data
Ieeepro techno solutions 2011 ieee java project -secure role based dataIeeepro techno solutions 2011 ieee java project -secure role based data
Ieeepro techno solutions 2011 ieee java project -secure role based datahemanthbbc
 
Achieving Secure, sclable and finegrained Cloud computing report
Achieving Secure, sclable and finegrained Cloud computing reportAchieving Secure, sclable and finegrained Cloud computing report
Achieving Secure, sclable and finegrained Cloud computing reportKiran Girase
 
A Survey on Different Techniques Used in Decentralized Cloud Computing
A Survey on Different Techniques Used in Decentralized Cloud ComputingA Survey on Different Techniques Used in Decentralized Cloud Computing
A Survey on Different Techniques Used in Decentralized Cloud ComputingEditor IJCATR
 
Whitepaper: Security of the Cloud
Whitepaper: Security of the CloudWhitepaper: Security of the Cloud
Whitepaper: Security of the CloudCloudSmartz
 
A robust and verifiable threshold multi authority access control system in pu...
A robust and verifiable threshold multi authority access control system in pu...A robust and verifiable threshold multi authority access control system in pu...
A robust and verifiable threshold multi authority access control system in pu...IJARIIT
 
Accountability in Distributed Environment For Data Sharing in the Cloud
Accountability in Distributed Environment For Data Sharing in the CloudAccountability in Distributed Environment For Data Sharing in the Cloud
Accountability in Distributed Environment For Data Sharing in the CloudEditor IJCATR
 
Hipaa auditing in cloud computing enviroment
Hipaa auditing in cloud computing enviromentHipaa auditing in cloud computing enviroment
Hipaa auditing in cloud computing enviromentParshant Tyagi
 
Simplifying Data Governance and Security with a Logical Data Fabric (ASEAN)
Simplifying Data Governance and Security with a Logical Data Fabric (ASEAN)Simplifying Data Governance and Security with a Logical Data Fabric (ASEAN)
Simplifying Data Governance and Security with a Logical Data Fabric (ASEAN)Denodo
 
The Federal Information Security Management Act
The Federal Information Security Management ActThe Federal Information Security Management Act
The Federal Information Security Management ActMichelle Singh
 
Target Unncryption Case Study
Target Unncryption Case StudyTarget Unncryption Case Study
Target Unncryption Case StudyEvelyn Donaldson
 
Iaetsd scalable and secure sharing of personal health
Iaetsd scalable and secure sharing of personal healthIaetsd scalable and secure sharing of personal health
Iaetsd scalable and secure sharing of personal healthIaetsd Iaetsd
 
Data Security And The Security
Data Security And The SecurityData Security And The Security
Data Security And The SecurityRachel Phillips
 
Blockchain Defined Perimeter (BDP) - Experience the power of Software Defined...
Blockchain Defined Perimeter (BDP) - Experience the power of Software Defined...Blockchain Defined Perimeter (BDP) - Experience the power of Software Defined...
Blockchain Defined Perimeter (BDP) - Experience the power of Software Defined...Block Armour
 
Block Armour Blockchain Defined Perimeter Brochure
Block Armour Blockchain Defined Perimeter BrochureBlock Armour Blockchain Defined Perimeter Brochure
Block Armour Blockchain Defined Perimeter BrochureBlock Armour
 
Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...MongoDB
 
Extending security in the cloud network box - v4
Extending security in the cloud network box - v4Extending security in the cloud network box - v4
Extending security in the cloud network box - v4Valencell, Inc.
 

Similar to Self-Protecting Information for De-Perimiterised Electronic Relationships (20)

Ieeepro techno solutions 2011 ieee dotnet project -secure role based data
Ieeepro techno solutions 2011 ieee dotnet project -secure role based dataIeeepro techno solutions 2011 ieee dotnet project -secure role based data
Ieeepro techno solutions 2011 ieee dotnet project -secure role based data
 
Ieeepro techno solutions 2011 ieee java project -secure role based data
Ieeepro techno solutions 2011 ieee java project -secure role based dataIeeepro techno solutions 2011 ieee java project -secure role based data
Ieeepro techno solutions 2011 ieee java project -secure role based data
 
Achieving Secure, sclable and finegrained Cloud computing report
Achieving Secure, sclable and finegrained Cloud computing reportAchieving Secure, sclable and finegrained Cloud computing report
Achieving Secure, sclable and finegrained Cloud computing report
 
A Survey on Different Techniques Used in Decentralized Cloud Computing
A Survey on Different Techniques Used in Decentralized Cloud ComputingA Survey on Different Techniques Used in Decentralized Cloud Computing
A Survey on Different Techniques Used in Decentralized Cloud Computing
 
Whitepaper: Security of the Cloud
Whitepaper: Security of the CloudWhitepaper: Security of the Cloud
Whitepaper: Security of the Cloud
 
Security of the Cloud
Security of the CloudSecurity of the Cloud
Security of the Cloud
 
A robust and verifiable threshold multi authority access control system in pu...
A robust and verifiable threshold multi authority access control system in pu...A robust and verifiable threshold multi authority access control system in pu...
A robust and verifiable threshold multi authority access control system in pu...
 
Accountability in Distributed Environment For Data Sharing in the Cloud
Accountability in Distributed Environment For Data Sharing in the CloudAccountability in Distributed Environment For Data Sharing in the Cloud
Accountability in Distributed Environment For Data Sharing in the Cloud
 
Hipaa auditing in cloud computing enviroment
Hipaa auditing in cloud computing enviromentHipaa auditing in cloud computing enviroment
Hipaa auditing in cloud computing enviroment
 
Audit Controls Paper
Audit Controls PaperAudit Controls Paper
Audit Controls Paper
 
Simplifying Data Governance and Security with a Logical Data Fabric (ASEAN)
Simplifying Data Governance and Security with a Logical Data Fabric (ASEAN)Simplifying Data Governance and Security with a Logical Data Fabric (ASEAN)
Simplifying Data Governance and Security with a Logical Data Fabric (ASEAN)
 
The Federal Information Security Management Act
The Federal Information Security Management ActThe Federal Information Security Management Act
The Federal Information Security Management Act
 
Target Unncryption Case Study
Target Unncryption Case StudyTarget Unncryption Case Study
Target Unncryption Case Study
 
Iaetsd scalable and secure sharing of personal health
Iaetsd scalable and secure sharing of personal healthIaetsd scalable and secure sharing of personal health
Iaetsd scalable and secure sharing of personal health
 
Data Security And The Security
Data Security And The SecurityData Security And The Security
Data Security And The Security
 
Blockchain Defined Perimeter (BDP) - Experience the power of Software Defined...
Blockchain Defined Perimeter (BDP) - Experience the power of Software Defined...Blockchain Defined Perimeter (BDP) - Experience the power of Software Defined...
Blockchain Defined Perimeter (BDP) - Experience the power of Software Defined...
 
Block Armour Blockchain Defined Perimeter Brochure
Block Armour Blockchain Defined Perimeter BrochureBlock Armour Blockchain Defined Perimeter Brochure
Block Armour Blockchain Defined Perimeter Brochure
 
Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...
 
Extending security in the cloud network box - v4
Extending security in the cloud network box - v4Extending security in the cloud network box - v4
Extending security in the cloud network box - v4
 
Shadow Data Exposed
Shadow Data ExposedShadow Data Exposed
Shadow Data Exposed
 

Recently uploaded

Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfrichard876048
 
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdfKhaled Al Awadi
 
Kenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith PereraKenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith Pereraictsugar
 
PSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationPSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationAnamaria Contreras
 
Guide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFGuide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFChandresh Chudasama
 
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCRashishs7044
 
Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy Verified Accounts
 
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort ServiceCall US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Servicecallgirls2057
 
8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCRashishs7044
 
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!Doge Mining Website
 
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCRashishs7044
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesKeppelCorporation
 
Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Riya Pathan
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyotictsugar
 
Marketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent ChirchirMarketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent Chirchirictsugar
 
Financial-Statement-Analysis-of-Coca-cola-Company.pptx
Financial-Statement-Analysis-of-Coca-cola-Company.pptxFinancial-Statement-Analysis-of-Coca-cola-Company.pptx
Financial-Statement-Analysis-of-Coca-cola-Company.pptxsaniyaimamuddin
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCRashishs7044
 
Market Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMarket Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMintel Group
 
Cyber Security Training in Office Environment
Cyber Security Training in Office EnvironmentCyber Security Training in Office Environment
Cyber Security Training in Office Environmentelijahj01012
 

Recently uploaded (20)

Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdf
 
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
 
Kenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith PereraKenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith Perera
 
PSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationPSCC - Capability Statement Presentation
PSCC - Capability Statement Presentation
 
Guide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFGuide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDF
 
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
 
Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail Accounts
 
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort ServiceCall US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
 
8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR
 
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
 
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation Slides
 
Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyot
 
Marketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent ChirchirMarketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent Chirchir
 
Financial-Statement-Analysis-of-Coca-cola-Company.pptx
Financial-Statement-Analysis-of-Coca-cola-Company.pptxFinancial-Statement-Analysis-of-Coca-cola-Company.pptx
Financial-Statement-Analysis-of-Coca-cola-Company.pptx
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
 
Corporate Profile 47Billion Information Technology
Corporate Profile 47Billion Information TechnologyCorporate Profile 47Billion Information Technology
Corporate Profile 47Billion Information Technology
 
Market Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMarket Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 Edition
 
Cyber Security Training in Office Environment
Cyber Security Training in Office EnvironmentCyber Security Training in Office Environment
Cyber Security Training in Office Environment
 

Self-Protecting Information for De-Perimiterised Electronic Relationships

  • 1. Self Protecting Information for De- perimeterised Electronic Relationships (SPIDER) Jeremy Hilton & Pete Burnap {Jeremy.hilton}{p.burnap}@cs.cardiff.ac.uk
  • 2.   The way people work is changing   Web 2.0 technology and Cloud computing is supporting/driving a collaborative, on-demand culture   Virtual Organisations are frequently used to support collaborative, distributed working   Government Services (Transformational Government)   Medical (Patient Records)   Research (e-Research)   Inter-disciplinary organisations contribute content, others have access to the content
  • 3.   With the change to UK Data Protection laws meaning Government Data Controllers face civil action as well as financial penalties following a data breach, what is the impact of current information security limitations?   Information needs to be shared to support collaborative working but the risk of sharing information appears very high considering the latest data losses (UK HRMC 25 million records)   As a result HMRC have completely locked down their systems when it comes to taking data outside the perimeter 3
  • 4. “In relation to rights, the Government believes piracy of intellectual property for profit is theft and will be pursued as such through the criminal law. The civil infringement of taking someone else’s intellectual property or passing it on to others through file-sharing without any compensating payment is, in plain English, wrong. However, the Government also believes, and the evidence suggests, that most people, given a reasonable choice would much prefer not to do wrong or break the law…” 4
  • 5. “Personal data is the new currency of the digital world. Privacy and security of that data is an increasingly critical issue. The Information Commissioner is developing a new Code of Practice “Personal Information Online” for publication later this year. The Prime Minister has appointed Sir Tim Berners-Lee to form a panel of experts to deliver better use of public data. Effective self-regulation is also vital…” 5
  • 6.   #2 Define the information architecture
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13. Developed to control information sharing between G8 countries, Business Impact levels added.
  • 14. External Secured Secured This zone is similar to the secured zone but is owned and operated by a business partner. The trust relationship between the Org X and the business partner is stronger This zone is the most than in the restricted zones. Information Assets: Distributed to named individuals only. secured area within the External Restricted Restricted architecture. Similar to Restricted Zone but owned /operated by a The restricted Zone is the business partner. The trust relationship is stronger that next higher level of security Access should be limited to that in the External Controlled Zone. Information Access above Controlled. Access highly trusted principals. limited to Groups of authenticated principals is Restricted to authenticated users or External Controlled Controlled processes. Information Access limited Similar to Controlled Zone This is where the lowest to named principals only. Most data processing and but owned /operated by an levels of control are applied storage occurs here. external organisation. to manage Information Information Access limited Assets with the prime goals Uncontrolled (Public) of managing Availability to pre-defined groups The uncontrolled made up of authenticated and Compliance environment outside the principals. control of Org X. Managed Belongs to IT and is used to administer servers, network devices and other managed devices. May be implemented with secure sessions (SSH) separate out of band networks or greater controls on Admin devices.
  • 16.   Traditional access control applied:   At or within a network perimeter   To the entire resource   Information often required to be shared outside of the perimeter (in VOs) for collaboration   Information resources often made up on content with varying access control requirements   What are the issues?   Persistent control of information   Changes/Differences in Access Control Requirements   Intellectual Property (Research Data)   Data in the cloud   Changes/Differences in Data Protection Requirements   Confidentiality (Medical Record)   Commercial Data (Financial Report)
  • 17.   Encryption can be used but once keys are shared, data controller loses persistent control of shared information using the traditional model   Entire resource protection means all information is controlled in accordance with the highest level requirement and with an individual label   Both reduce the potential for information sharing and collaboration
  • 18.   SPIDER is concerned with the accurate, distributed, auditable and persistent control of information in collaborative working environments (VOs)   Considers the following issues:   How can you protect shared information to the required level of granularity and in such as way as you can modify access privileges at any time even after it has left the perimeter?   How can you provide information related to access controls granted and people in possession of information at any point in time following a data breach?   How can you make a case for prosecution against a malicious individual who has misused your information?
  • 19.   SPIDER aims to break down information content within a single resource and classify the content based on protection requirements, and communicate the control requirements:   Icon-based labelling   Human- and machine-readable controls   Security labels based on the classification added to the content as metadata   Labels bound to a centralised access control policy for the resource   Content encrypted and distributed   Information accessed using an on-demand secure access client   Access privileges and current information holders auditable
  • 20. Adapting the creative commons approach for information classification and control
  • 21.
  • 22.
  • 23. •  A set of licenses that are flexible enough to let you add as much or as little restrictions on you work as you like •  Expressed in 3 different formats: •  Lawyer-readable •  Human-readable •  Machine-readable •  www.creativecommons.org
  • 24.   A set of classifications that are flexible enough to enable to define and communicate the controls to be applied to your information   May be combined with creative commons licenses   Expressed in 3 different formats:   Security Officer-readable   Human-readable   Machine readable
  • 25.   Confidentiality   Use RA – Restricted Access PI – Personal Information OO – Organisation Only ND – Non-Disclosure CA – Community Access CG – Corporate Governance OA – Open Access SD – Safe Disposal CU – Controlled Until   Authentication AD – Approved for Disclosure BY – Attribution cc   Integrity AB – Authorised By ccND – Non-Derivatives
  • 26. Restricted Access   The information is restricted to the nominated recipients   The owner of the information will nominate the authorised recipients   The owner may delegate responsibility for nominating authorised recipients
  • 27. Personal Information   The information contains personal information and consideration must be made before sharing the information   This classification is likely to be used in conjunction with other labels such as cc
  • 28. Binding Policy to data and technical implementation
  • 29. <Document Identifier> Unencrypted <serverLocation> Web address of Access Request Web Service <content label=“Classification-X”> Each section of classified content will be wrapped in an XML nest with its own parent element (the <content> bit). Each parent element has a “label” attribute, with a value representing the classification label assigned to that section </content> <content label=“Classification-Y”> The access control tables in the access control database, located Encrypted on the “server-side” (the information controller) contain user identity details alongside a list of classification labels the user is permitted to access </content> <content label=“Classification-Z”> Because of the structured nature of the document, all content held between the <content>…</content> elements can only be accessed by a user if their document-specific access privileges contain the label representing the content classification
  • 30. Encrypted Content <Classification Level X> Identity Details < /Classification Level X> <Classification Level Y> Medical History < /Classification Level Y> <Classification Level Z> Current Medication < /Classification Level Z> .....
  • 31. Information Controller Client SPIDER Application Access Shared Request Document Identifier Content Content Web (Encrypted) Service User ID Details Crypto Access Key DB Control PKI User Certificate DB
  • 32. Information Controller Access Control DB Document Identifier User ID Details Doc-Specific Access Privileges Document Identifier Document Access Doc-Specific Crypto Key Access Control Tables Request Web Service User ID Details Doc-Specific Doc-Specific Table Crypto Key If User Verification = TRUE Doc-Specific Access Privileges Cryptography Document Identifier Key DB
  • 33. Client SPIDER Application •  Apply Doc-Specific crypto key (Decrypt) Doc-Specific Access Privileges Content Doc-Specific Key •  Parse information for content tagged with labels contained in the Access Privileges •  Display unrestricted content to user
  • 34. Collaborator Encrypted Decrypt key Content & access privileges e.g. Access to: Classification X & Z <Classification Level X> Identity Details < /Classification Level X> Information Displayed <Classification Level Y> Identity Details Medical History < /Classification Level Y> Current Medication <Classification Level Z> Current Medication < /Classification Level Z> .....
  • 35.   Very similar to DRM model, except that content can be controlled at different levels of restriction and the policy is bound to a central point of control and can be modified at a later date   DRM is quite often seen as a “disabler”. This approach is positioned very much as an “enabler”, but a transparent one. A model that supports secure information sharing through audit-ability and transparency of action   The persistent link to a central point of control allows audit to determine who had access privileges at the point of information misuse.   In addition, this allows modifications to be recorded
  • 36.   Absolute security is arguably impossible to achieve   This approach supports modifiable controls on distributed information and transparent capture of information modification action   It is positioned in the collaborative, distributed working domain to assist organisations such as Government departments to work securely and collaboratively   Data misuse can be traced, reported and dealt with. Arguably more “appropriate technical and organisational measures” than currently exist   Makes it viable for data controllers to share information
  • 37. 37
  • 38. 38 Developed by Shada Al-Salamah as part of an MSc Project
  • 39. 39 Developed by Shada Al-Salamah as part of an MSc Project
  • 40. 40 Developed by Shada Al-Salamah as part of an MSc Project
  • 41. 41 Developed by Shada Al-Salamah as part of an MSc Project
  • 42. Avon & Somerset Criminal Justice Board - PRIMADS 42
  • 43.   Multi-Agency environment   Police   Courts Service   Probation Service   Lawyers   Social Services   Health, etc   Offender management   Privacy issues in data shared during arrest, prosecution and detention   Release under licence 43
  • 44.   Changing individuals’ behaviour such that:   the need for safe handling of information is understood & accepted; and   controls agreed and applied   Because the individuals choose to, not because they are told to. 44
  • 45. 45
  • 46. 46
  • 47.   ASCJS workshops confirmed the usefulness of the scenario-based risk assessment and icon- based approach for communicating controls   Identified a number of additional benefits that contributed to an increased understanding of the distributed community and the need for controls   In addition, they expressed an interest in the ability to implement a technical solution to provide fine-grained assess to data-sharing in a collaborative, distributed environment 47
  • 48. 48