Isa 662 information system security
1 / 39

ISA 662 Information System Security - PowerPoint PPT Presentation

  • Uploaded on

ISA 662 Information System Security . Hybrid Policies Chapter 6 from Bishop ’ s book. Overview. Chinese Wall Model RBAC ORCON Clinical Information Systems Security Policy. Chinese Wall Model. Chinese wall is a barrier between objects which result in conflicting interests The problem

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'ISA 662 Information System Security' - manju

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Isa 662 information system security l.jpg

ISA 662 Information System Security

Hybrid Policies

Chapter 6 from Bishop’s book

Overview l.jpg

  • Chinese Wall Model

  • RBAC


  • Clinical Information Systems Security Policy

Chinese wall model l.jpg
Chinese Wall Model

  • Chinese wall is a barrier between objects which result in conflicting interests

  • The problem

    • An analyst is assigned to advise two competing banks

    • The objectivity of his opinion would be questionable

    • He can help one gain at the expense of the other

  • The solution

    • An analyst can only access non-conflicting objects inside his/her enclosure

Overview4 l.jpg

  • Explicitly organize objects into conflict of interest (COI) classes

  • Control subject’s read accesses based on COI classes and prior access history

  • Control subject’s write accesses to avoid indirect conflict of interest

  • No control over reading sanitized data (data that cause no conflict of interest whatsoever)

Definitions and notations l.jpg
Definitions and Notations

Company dataset (CD): collection of objects about a single company

  • Conflict of interestclass (COI): a collection of company datasets of companies in competition


    • Object: O

    • Company dataset: CD (O)

    • Conflict of interest class: COI (O)

  • Assumption: each object belongs to exactly one CD and each CD to one COI class

Example l.jpg





Bank of America





Bank of the West


Consider a COI class as an industry

CD(object1)=? COI(object1)=?

All Objects






History based access control l.jpg
History-based Access Control

Rights depend on access history

Initially, a subject can read any CD in any COI

But once the subject has read any CD in the COI, he or she can never read another CD in that COI

  • Possible that information learned earlier may allow him to make decisions later

Sanitized object l.jpg
Sanitized Object

Sanitized object is public information contained within a CD

  • As it is publicly available, no conflicts of interest arises from it

  • So, should not affect read

  • But it does affect write

Cw simple security condition l.jpg
CW-Simple Security Condition

Let PR(s) be the set of objects that s has already read

scan reado iff any of these conditions holds:

  • There is o satisfying oPR (s) and CD (o)=CD (o)

    • { s can read something else in the company dataset o }

  • For all objects o,oPR (s)COI (o)≠COI (o)

    • { s has not read any objects in COI (o) }

  • o is a sanitized object

  • Initially, PR(s) = , so initial read request is always granted

  • What about write l.jpg







    Bank of America




    Bank of the West

    What About Write?

    • Alice reads Citibank’s and Shell’ CD

    • Bob reads Bank of America’s and Shell’s CD

      • So Bob must not read Citibank’s CD

        If Alice writes what she read from Citibank’s to Shell’ CD; Bob can then read what Alice wrote

    Cw property like bell lapadula l.jpg





    Neither Alice nor bob can write



    Bank of America




    Bank of the West

    CW-*-Property {Like Bell LaPadula}

    s can write to o iff both of the following hold:

    • The CW-simple condition permits s to read o

    • For all unsanitized objects o, if s can read o, then CD (o) = CD (o)

    • All s can read are either within the same CD, or sanitized

    How does information flow l.jpg
    How Does Information Flow?

    • With the two conditions (CW simple security condition and CW *-property) in place, how can information flow around the system?

    • Main Results

      • Theorem 7-1: in each COI class (e.g. Bank), a subject can only read objects in a single CD (e.g. Citibank)

      • Theorem 7-2: at least n subjects are required to access all objects in a COI class with totally n CDs

    How does information flow cont d l.jpg





    Bank of America









    Bank of the West



    How Does Information Flow? (Cont’d)

    Information flows from o to o’ if s reads o and writes o’

    Theorem 7-3: information in an unsanitized object can only flow inside that CD; information in sanitized objects can flow freely

    Compare cw to bell lapadula l.jpg
    Compare CW to Bell-LaPadula

    Fundamentally different

    • CW is based on access history, BLP is history-less

    • (This is important)

      BLP can capture CW state at any time, but cannot track changes over time

    • BLP security levels would need to be updated each time an access is allowed

    • (This does not make sense)

    Overview15 l.jpg

    • Chinese Wall Model

    • RBAC

    • ORCON

    • Clinical Information Systems Security Policy

    Background l.jpg

    A policy-neutral model

    • Can be used to express DAC (role as identity),MAC (role as clearance)…

    • A standard (

      Why role? Because rights usually depend on role (job function) but not identity

    • Example:

      • Alice, a bookkeeper, has access to financial records.

      • If Bob replaces Alice as the new bookkeeper, Bob must have the same accesses

    • The role ‘Bookkeeper’ is as a bridge between subjects and rights to objects (permissions)

    Background cont d l.jpg
    Background (Cont’d)

    • Why role?

      • As an intermediate layer, it simplifies the administration of access control

      • A transition from client-server model to 3+-tier model in transaction processing

        • n clients m servers n*m connections

        • With intermediate application servers, n+m connections

          Client  subject, server  permission, application server  role

    Definitions l.jpg

    • Trans (r): authorized transactions; all transactions that role r can execute

    • Actr (s): active role that sis currently playing

    • Authr (s): authorized roles; all roles that scan play

    • Canexec (s, t): s can execute transaction t

    • Let S be the set of subjects and T the set of transactions.

    Axioms l.jpg

    Rule of role assignment:

    (s  S)(t  T) [canexec (s, t)  actr (s) ≠ ].

    • To execute a transaction, s must be playing some role

      Rule of role authorization:

      (s  S) [actr (s)  authr (s)].

    • s can only play an authorized role

      Rule of transaction authorization:

      (s  S)(t  T) [canexec (s, t)  t  trans (actr (s))].

    • A subject can only execute a transaction if the transaction is authorized for the active role

    Containment of roles role hierarchy l.jpg
    Containment of Roles (Role Hierarchy)

    Instructor can do all transactions that TA can do (and maybe more). Thus an instructor role contains a TA role where (instructor > TA).

    (sS)[ r authr (s) r > rrauthr (s) ]

    (tT)[ ttrans (r) r > rttrans (r’) ]

    All roles form a partial order

    Separation of duties l.jpg
    Separation of Duties

    Let predicate meauth (r) be the set of roles a subject scannot play if scan playr, because of a separation of duty requirement.

    • r is cashier, meauth (r) may include sales assistant

      Add a constraint:

      (r1, r2  R) [ r2meauth (r1) 

      [ (sS) [ r1authr (s) r2authr (s) ] ] ]

    • If anyone works as a cashier, he/she must not work as a sales assistant.

    Overview22 l.jpg

    • Chinese Wall Model

    • RBAC

    • ORCON

    • Clinical Information Systems Security Policy

    Or iginator con trol l.jpg
    ORiginator CONtrol

    Problem: organization creating document wants to control its dissemination

    • Example: Secretary of Agriculture writes a memo for distribution to her immediate subordinates, and she must give permission for it to be disseminated to anyone else.

    Requirements l.jpg

    Subject sS marks object oO as ORCON (in organization X).

    X allows o to be disclosed to subjects acting on behalf of another organization Y with the restrictions:

    • o cannot be released to a subject in another organization without X ’s permission; and

    • Any copy of o must have the same restrictions placed on it.

    Different between dac and mac l.jpg
    Different between DAC and MAC

    DAC allows owner to set any permission

    MAC depends on centralized control

    ORCON is inherently decentralized (important)

    Combine mac and dac l.jpg
    Combine MAC and DAC

    • Owner does not control access after the object is copied ; access control restrictions are copied with the object

      • This is not DAC (owner can’t control them)

      • Is it MAC?

    • Creator (Originator) can alter access control restrictions on a per-subject and per-object basis.

      • This is DAC (owner can control it)

    Key points l.jpg
    Key Points

    • Chinese wall policy focuses on conflict of interest

      • Information flows inside each CD

    • RBAC is a policy-neutral model

      • Uses role to simplify administration of access control

    • ORCON is different from DAC and MAC

      • Enforcement is a much bigger issue

    Overview28 l.jpg

    • Chinese Wall Model

    • RBAC

    • ORCON

    • Clinical Information Systems Security Policy

    Clinical information systems security l.jpg
    Clinical Information Systems Security

    Prototypical HIPAA

    Intended for medical records

    • Conflict of interest not critical problem

    • Patient confidentiality, authentication of records and annotators, and data integrity are critical

      Subjects and objects:

    • Patient: subject of medical records

    • Clinician: health-care professional with access to personal health information ONLY while doing job

    • Personal health information: data about patient’s health or treatment having identification of patient

    Principles l.jpg

    Originated in medical ethics (e.g.Hippocratic Oath)


    • Access

    • Creation

    • Deletion

    • Confinement

    • Aggregation

    • Enforcement

    Access 1 l.jpg
    Access 1

    • Principle 1: Each medical record has an access control list naming the individuals or groups who may read and append information to the record. The system must restrict access to those identified on the access control list.

      • Clinicians need access, but no-one else does.

      • Auditors have access to copies, but they cannot alter records

    Access 2 and 3 l.jpg
    Access 2 and 3

    • Principle 2: One of the clinicians on the ACL must have the right to add other clinicians to it.

      • The responsible clinician

    • Principle 3: This clinician must notify the patient of the names on the ACL whenever the patient’s medical record is opened. Except for situations given in statutes, or a state of emergency, the clinician must obtain the patient’s consent.

      • Patient must consent to all treatment, and must be informed of any violation of security

    Access 4 l.jpg
    Access 4

    • Principle 4: The name of the clinician, the date, and the time of the access of a medical record must be recorded. Similar information must be kept for deletions.

      This is for auditing.

      • Don’t delete information; update it

        • (deletion of records only after death or when required by law).

      • Record information about all accesses.

    Creation l.jpg

    A clinician may open a record, if the clinician and the patient are on the ACL. If a record is opened as a result of a referral, the referring clinician may also be placed on the ACL.

    • Creating clinician needs access, and patient should have access.

    • If created from a referral, referring clinician needs access to get results.

    Deletion l.jpg

    Clinical information must not be deleted from a medical record until the appropriate time has passed.

    • During patient lifetime

    • May vary with circumstances (8 years or longer)

    Confinement l.jpg

    Information from one medical record may be appended to a different medical record iff the ACL of the second record is a subset of the ACL of the first.

    • This keeps information from leaking to unauthorized users. All users have to be on the access control list.

    Aggregation l.jpg

    Measures for preventing aggregation of patient data must be effective. In particular, a patient must be notified if anyone is to be added to the ACL of his or her record and if that person has access to a large number of medical records.

    • Fear that a corrupt investigator may obtain access to a large number of records, correlate them, and discover private information about individuals which can then be used for nefarious purposes (such as blackmail)

    Enforcement l.jpg

    Any computer system that handles medical records must have a subsystem that enforces the rules.

    The effectiveness of enforcement must be evaluated by independent auditors.

    • This policy has to be enforced, and the enforcement mechanisms must be auditable (and audited)

    Comparison l.jpg

    • BLP: imposes lattice structure on subjects/objects

    • Clark-Wilson provides a framework

      • CDIs are medical records

      • TPs are functions updating records, access control lists

      • IVPs certify:

        • A person identified as a clinician is one;

        • A clinician validates, or has validated, information in the medical record;

        • When someone is to be notified of an event, the notification occurs; and

        • When someone must give consent, the operation cannot proceed until the it is obtained

      • Auditing (CR4) requirement: make all records append-only, notify patient when access control list changed