
ISA 662 Information System Security

Hybrid Policies

Chapter 6 from Bishop’s book


Overview

  • Chinese Wall Model

  • RBAC

  • ORCON

  • Clinical Information Systems Security Policy


Chinese Wall Model

  • A Chinese wall is a barrier between objects whose combination would result in a conflict of interest

  • The problem

    • An analyst is assigned to advise two competing banks

    • The objectivity of his opinion would be questionable

    • He can help one gain at the expense of the other

  • The solution

    • An analyst can only access non-conflicting objects inside his/her enclosure


Overview

  • Explicitly organize objects into conflict of interest (COI) classes

  • Control subject’s read accesses based on COI classes and prior access history

  • Control subject’s write accesses to avoid indirect conflict of interest

  • No control over reading sanitized data (data that cause no conflict of interest whatsoever)


Definitions and Notations

  • Company dataset (CD): collection of objects about a single company

  • Conflict of interest class (COI): a collection of company datasets of companies in competition

    Notation

    • Object: O

    • Company dataset: CD (O)

    • Conflict of interest class: COI (O)

  • Assumption: each object belongs to exactly one CD and each CD to one COI class


Example

[Figure: nested boxes labelled Object ⊂ CD ⊂ COI within All Objects. The Gasoline COI class holds the CDs Texaco, Shell, Sunoco and Mobil; the Bank COI class holds the CDs Bank of America, Citibank and Bank of the West; object1, object2, … sit inside one of the CDs.]

Consider a COI class as an industry

CD(object1)=? COI(object1)=?

History-based Access Control

Rights depend on access history

Initially, a subject can read any CD in any COI

But once the subject has read any CD in the COI, he or she can never read another CD in that COI

  • Possible that information learned earlier may allow him to make decisions later


Sanitized Object

A sanitized object is public information contained within a CD

  • As it is publicly available, no conflict of interest arises from it

  • So, it should not affect read

  • But it does affect write


CW-Simple Security Condition

Let PR(s) be the set of objects that s has already read

s can read o iff any of these conditions holds:

  • There is an object o' satisfying o' ∈ PR(s) and CD(o') = CD(o)

    • { s can read something else in the company dataset of o }

  • For all objects o', o' ∈ PR(s) ⇒ COI(o') ≠ COI(o)

    • { s has not read any objects in COI(o) }

  • o is a sanitized object

  • Initially, PR(s) = ∅, so the initial read request is always granted


What About Write?

[Figure: Alice and Bob with read arrows into the Bank COI class (Bank of America, Citibank, Bank of the West) and the Gasoline COI class (Texaco, Shell, Sunoco, Mobil).]

  • Alice reads Citibank’s and Shell’s CD

  • Bob reads Bank of America’s and Shell’s CD

    • So Bob must not read Citibank’s CD

      If Alice writes what she read from Citibank’s CD to Shell’s CD, Bob can then read what Alice wrote


CW-*-Property {Like Bell-LaPadula}

[Figure: the same Bank and Gasoline COI classes, with Alice and Bob each holding reads in both classes; the figure is labelled “Neither Alice nor Bob can write”.]

s can write to o iff both of the following hold:

  • The CW-simple condition permits s to read o

  • For all unsanitized objects o', if s can read o', then CD(o') = CD(o)

  • All objects s can read are either within the same CD, or sanitized
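
As an added example (not from the slides or Bishop's text), a small Python reference monitor for the CW-simple security condition and the CW-*-property, using the slides' Bank and Gasoline datasets; the object names and the public Shell press release are constructed for the demonstration.

```python
from collections import defaultdict

# Constructed objects: name -> (company dataset CD, COI class, sanitized?)
OBJECTS = {
    "citibank-report": ("Citibank", "Bank", False),
    "boa-report":      ("Bank of America", "Bank", False),
    "shell-report":    ("Shell", "Gasoline", False),
    "shell-press":     ("Shell", "Gasoline", True),   # public information: sanitized
}

def CD(o):        return OBJECTS[o][0]
def COI(o):       return OBJECTS[o][1]
def sanitized(o): return OBJECTS[o][2]
class ChineseWall:
    def __init__(self):
        self.PR = defaultdict(set)   # PR(s): objects s has already read

    def can_read(self, s, o):
        """CW-simple security condition."""
        if sanitized(o):
            return True
        pr = self.PR[s]
        same_cd = any(CD(p) == CD(o) for p in pr)          # some o' in PR(s) with CD(o') = CD(o)
        untouched_coi = all(COI(p) != COI(o) for p in pr)  # nothing read in COI(o); true when PR(s) is empty
        return same_cd or untouched_coi

    def read(self, s, o):
        # Grant the read and record it: later decisions depend on this history
        if not self.can_read(s, o):
            return False
        self.PR[s].add(o)
        return True

    def can_write(self, s, o):
        """CW-*-property: s can read o, and every unsanitized object s can read lies in CD(o)."""
        if not self.can_read(s, o):
            return False
        return all(sanitized(p) or CD(p) == CD(o) for p in OBJECTS if self.can_read(s, p))

def scenario():
    """The Alice/Bob case from the slides; returns the access decisions."""
    cw = ChineseWall()
    fresh = cw.can_read("Bob", "citibank-report")   # PR(Bob) empty, so granted
    cw.read("Alice", "citibank-report"); cw.read("Alice", "shell-report")
    cw.read("Bob", "boa-report");        cw.read("Bob", "shell-report")
    return {
        "fresh_read": fresh,                                          # True
        "bob_reads_citibank": cw.can_read("Bob", "citibank-report"),  # False: Bob already read Bank of America
        "alice_writes_shell": cw.can_write("Alice", "shell-report"),  # False: Alice can also read Citibank
        "alice_reads_press": cw.can_read("Alice", "shell-press"),     # True: sanitized
    }
```

Note that a subject who has read nothing in a COI class can still read any CD in it, which is why Alice cannot write to Shell's CD even though she has read it: the CW-*-property looks at everything she could read, not only at what she has read.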


How Does Information Flow?

  • With the two conditions (CW-simple security condition and CW-*-property) in place, how can information flow around the system?

  • Main Results

    • Theorem 7-1: in each COI class (e.g. Bank), a subject can only read objects in a single CD (e.g. Citibank)

    • Theorem 7-2: at least n subjects are required to access all objects in a COI class with n CDs in total


How Does Information Flow? (Cont’d)

[Figure: the Bank and Gasoline COI classes with objects o1, o2, o3 drawn inside the Bank of America and Citibank CDs; sanitized objects are marked separately from unsanitized ones.]

Information flows from o to o’ if s reads o and writes o’

Theorem 7-3: information in an unsanitized object can only flow inside that CD; information in sanitized objects can flow freely


Compare CW to Bell-LaPadula

Fundamentally different

  • CW is based on access history, BLP is history-less

  • (This is important)

    BLP can capture CW state at any time, but cannot track changes over time

  • BLP security levels would need to be updated each time an access is allowed

  • (This does not make sense)


Overview

  • Chinese Wall Model

  • RBAC

  • ORCON

  • Clinical Information Systems Security Policy


Background

A policy-neutral model

  • Can be used to express DAC (role as identity), MAC (role as clearance), …

  • A standard (http://csrc.nist.gov/rbac/)

    Why role? Because rights usually depend on role (job function), not on identity

  • Example:

    • Alice, a bookkeeper, has access to financial records.

    • If Bob replaces Alice as the new bookkeeper, Bob must have the same accesses

  • The role ‘Bookkeeper’ acts as a bridge between subjects and rights to objects (permissions)


Background (Cont’d)

  • Why role?

    • As an intermediate layer, it simplifies the administration of access control

    • Compare the transition from the client-server model to the 3+-tier model in transaction processing

      • n clients and m servers need n*m connections

      • With intermediate application servers, only n+m connections

        Client ↔ subject, server ↔ permission, application server ↔ role


Definitions

  • trans(r): authorized transactions; all transactions that role r can execute

  • actr(s): active role that s is currently playing

  • authr(s): authorized roles; all roles that s can play

  • canexec(s, t): s can execute transaction t

  • Let S be the set of subjects and T the set of transactions.


Axioms

Rule of role assignment:

(∀s ∈ S)(∀t ∈ T) [canexec(s, t) ⇒ actr(s) ≠ ∅].

  • To execute a transaction, s must be playing some role

Rule of role authorization:

(∀s ∈ S) [actr(s) ∈ authr(s)].

  • s can only play an authorized role

Rule of transaction authorization:

(∀s ∈ S)(∀t ∈ T) [canexec(s, t) ⇒ t ∈ trans(actr(s))].

  • A subject can only execute a transaction if the transaction is authorized for the active role


Containment of Roles (Role Hierarchy)

An instructor can do all transactions that a TA can do (and maybe more). Thus the instructor role contains the TA role, written instructor > TA.

(∀s ∈ S)[ r ∈ authr(s) ∧ r > r' ⇒ r' ∈ authr(s) ]

(∀t ∈ T)[ t ∈ trans(r') ∧ r > r' ⇒ t ∈ trans(r) ]

All roles form a partial order


Separation of Duties

Let predicate meauth(r) be the set of roles a subject s cannot play if s can play r, because of a separation of duty requirement.

  • If r is cashier, meauth(r) may include sales assistant

Add a constraint:

(∀r1, r2 ∈ R) [ r2 ∈ meauth(r1) ⇒ [ (∀s ∈ S) [ r1 ∈ authr(s) ⇒ r2 ∉ authr(s) ] ] ]

  • If anyone works as a cashier, he/she must not work as a sales assistant.
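
An added example, not from the slides, of the three RBAC axioms, role containment and the separation-of-duty constraint as executable checks; the roles, transactions, hierarchy and meauth sets are constructed for illustration.

```python
# Constructed roles: TRANS holds each role's own transactions, CONTAINS the hierarchy (r > r'),
# MEAUTH the mutually exclusive roles meauth(r)
TRANS = {
    "TA":             {"grade_homework"},
    "Instructor":     {"assign_final_grade"},
    "Cashier":        {"take_payment"},
    "SalesAssistant": {"issue_refund"},
}
CONTAINS = {"Instructor": {"TA"}}
MEAUTH = {"Cashier": {"SalesAssistant"}, "SalesAssistant": {"Cashier"}}

def below(r):   # all roles r' with r > r', following the hierarchy transitively
    return set().union(*({c} | below(c) for c in CONTAINS.get(r, ())))

def trans(r):   # containment: t in trans(r') and r > r' implies t in trans(r)
    return set().union(TRANS[r], *(TRANS[c] for c in below(r)))

class RBAC:
    def __init__(self):
        self.authr = {}   # authr(s): roles s may play
        self.actr = {}    # actr(s): the single role s is currently playing
    def authorize(self, s, r):
        """Add r to authr(s) unless separation of duty forbids it; containment closes authr(s) downward."""
        held = self.authr.setdefault(s, set())
        if MEAUTH.get(r, set()) & held:   # r2 in meauth(r1) => r1 and r2 never both in authr(s)
            return False
        held.add(r)
        held |= below(r)                  # r in authr(s) and r > r' => r' in authr(s)
        return True

    def activate(self, s, r):
        if r not in self.authr.get(s, set()):   # rule of role authorization: actr(s) in authr(s)
            return False
        self.actr[s] = r
        return True

    def canexec(self, s, t):
        """Rule of role assignment (some active role) and rule of transaction authorization."""
        r = self.actr.get(s)
        return r is not None and t in trans(r)

def scenario():
    rbac = RBAC()
    rbac.authorize("alice", "Instructor"); rbac.authorize("bob", "Cashier")
    no_role = rbac.canexec("alice", "grade_homework")   # no active role yet
    rbac.activate("alice", "Instructor")
    return {
        "no_active_role": no_role,                                   # False
        "inherited": rbac.canexec("alice", "grade_homework"),        # True: Instructor > TA
        "unauthorized_role": rbac.activate("alice", "Cashier"),      # False: not in authr(alice)
        "sod_second_role": rbac.authorize("bob", "SalesAssistant"),  # False: in meauth(Cashier)
    }
```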


Overview

  • Chinese Wall Model

  • RBAC

  • ORCON

  • Clinical Information Systems Security Policy


ORiginator CONtrol

Problem: the organization creating a document wants to control its dissemination

  • Example: the Secretary of Agriculture writes a memo for distribution to her immediate subordinates, and she must give permission for it to be disseminated to anyone else.


Requirements

Subject s ∈ S marks object o ∈ O as ORCON (in organization X).

X allows o to be disclosed to subjects acting on behalf of another organization Y with the restrictions:

  • o cannot be released to a subject in another organization without X’s permission; and

  • Any copy of o must have the same restrictions placed on it.


Difference between DAC and MAC

DAC allows the owner to set any permission

MAC depends on centralized control

ORCON is inherently decentralized (important)


Combine MAC and DAC

  • The owner does not control access after the object is copied; the access control restrictions are copied with the object

    • This is not DAC (the owner can’t control them)

    • Is it MAC?

  • The creator (originator) can alter access control restrictions on a per-subject and per-object basis.

    • This is DAC (the owner can control it)


Key Points

  • Chinese wall policy focuses on conflict of interest

    • Information flows inside each CD

  • RBAC is a policy-neutral model

    • Uses role to simplify administration of access control

  • ORCON is different from DAC and MAC

    • Enforcement is a much bigger issue


Overview

  • Chinese Wall Model

  • RBAC

  • ORCON

  • Clinical Information Systems Security Policy


Clinical Information Systems Security

Prototypical HIPAA

Intended for medical records

  • Conflict of interest is not the critical problem

  • Patient confidentiality, authentication of records and annotators, and data integrity are critical

Subjects and objects:

  • Patient: subject of medical records

  • Clinician: health-care professional with access to personal health information ONLY while doing the job

  • Personal health information: data about a patient’s health or treatment that identifies the patient


Principles

Originated in medical ethics (e.g. the Hippocratic Oath)

Principles

  • Access

  • Creation

  • Deletion

  • Confinement

  • Aggregation

  • Enforcement


Access 1

  • Principle 1: Each medical record has an access control list naming the individuals or groups who may read and append information to the record. The system must restrict access to those identified on the access control list.

    • Clinicians need access, but no-one else does.

    • Auditors have access to copies, but they cannot alter records


Access 2 and 3

  • Principle 2: One of the clinicians on the ACL must have the right to add other clinicians to it.

    • The responsible clinician

  • Principle 3: This clinician must notify the patient of the names on the ACL whenever the patient’s medical record is opened. Except for situations given in statutes, or a state of emergency, the clinician must obtain the patient’s consent.

    • Patient must consent to all treatment, and must be informed of any violation of security


Access 4

  • Principle 4: The name of the clinician, the date, and the time of the access of a medical record must be recorded. Similar information must be kept for deletions.

    This is for auditing.

    • Don’t delete information; update it

      • (deletion of records only after death or when required by law).

    • Record information about all accesses.


Creation

A clinician may open a record, if the clinician and the patient are on the ACL. If a record is opened as a result of a referral, the referring clinician may also be placed on the ACL.

  • Creating clinician needs access, and patient should have access.

  • If created from a referral, referring clinician needs access to get results.


Deletion

Clinical information must not be deleted from a medical record until the appropriate time has passed.

  • During patient lifetime

  • May vary with circumstances (8 years or longer)


Confinement

Information from one medical record may be appended to a different medical record iff the ACL of the second record is a subset of the ACL of the first.

  • This keeps information from leaking to unauthorized users. All users have to be on the access control list.
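
An added example, not from the slides, of a toy record store that enforces the Access, Creation and Confinement principles above as code; the record ids, clinician names and patient names are constructed.

```python
from datetime import datetime, timezone

class Record:
    """ACL names who may read and append (Principle 1); entries are append-only, never deleted (Access 4)."""
    def __init__(self, patient, clinician, referrer=None):
        self.patient, self.responsible = patient, clinician     # responsible clinician (Principle 2)
        self.acl = {clinician, patient} | ({referrer} if referrer else set())  # Creation principle
        self.entries = []

class ClinicalStore:
    def __init__(self):
        self.records, self.audit = {}, []   # audit: who did what, where and when (Principle 4)
    def _log(self, who, action, rid):
        self.audit.append((datetime.now(timezone.utc).isoformat(), who, action, rid))
    def open_record(self, rid, clinician, patient, referrer=None):
        self.records[rid] = Record(patient, clinician, referrer)
        self._log(clinician, "open", rid)

    def add_to_acl(self, rid, by, who):
        """Only the responsible clinician may extend the ACL; the patient must then be told (Principle 3)."""
        rec = self.records[rid]
        if by != rec.responsible:
            return False
        rec.acl.add(who); self._log(by, "acl-add:" + who, rid)
        return True

    def append(self, rid, who, text):
        rec = self.records[rid]
        if who not in rec.acl:
            return False
        rec.entries.append((who, text)); self._log(who, "append", rid)
        return True

    def copy_entry(self, src, dst, who, index):
        """Confinement: an entry moves from src to dst only if ACL(dst) is a subset of ACL(src)."""
        s, d = self.records[src], self.records[dst]
        if who not in s.acl or who not in d.acl or not d.acl <= s.acl:
            return False
        d.entries.append(s.entries[index]); self._log(who, "copy-from:" + src, dst)
        return True

def scenario():
    store = ClinicalStore()
    store.open_record("R1", "dr_lee", "pat_a", referrer="dr_kim")   # ACL {dr_lee, pat_a, dr_kim}
    store.open_record("R2", "dr_lee", "pat_a")                      # ACL {dr_lee, pat_a}
    store.append("R1", "dr_kim", "referral note"); store.append("R2", "dr_lee", "BP 120/80")
    return {
        "leak_blocked": not store.copy_entry("R2", "R1", "dr_lee", 0),  # dr_kim is on R1 but not on R2
        "copy_allowed": store.copy_entry("R1", "R2", "dr_lee", 0),      # ACL(R2) is a subset of ACL(R1)
        "outsider_append": store.append("R1", "nurse_x", "note"),        # False: not on the ACL
        "acl_by_nonresponsible": store.add_to_acl("R2", "dr_kim", "dr_x"),  # False: dr_lee is responsible
        "audit_events": len(store.audit),                                # 5 performed actions logged
    }
```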


Aggregation

Measures for preventing aggregation of patient data must be effective. In particular, a patient must be notified if anyone is to be added to the ACL of his or her record and if that person has access to a large number of medical records.

  • Fear that a corrupt investigator may obtain access to a large number of records, correlate them, and discover private information about individuals which can then be used for nefarious purposes (such as blackmail)


Enforcement

Any computer system that handles medical records must have a subsystem that enforces the rules.

The effectiveness of enforcement must be evaluated by independent auditors.

  • This policy has to be enforced, and the enforcement mechanisms must be auditable (and audited)


Comparison

  • BLP: imposes a lattice structure on subjects/objects

  • Clark-Wilson provides a framework

    • CDIs are medical records

    • TPs are functions updating records and access control lists

    • IVPs certify:

      • A person identified as a clinician is one;

      • A clinician validates, or has validated, information in the medical record;

      • When someone is to be notified of an event, the notification occurs; and

      • When someone must give consent, the operation cannot proceed until it is obtained

    • Auditing (CR4) requirement: make all records append-only, notify the patient when the access control list is changed

