
Why provenance needs its own security model

Why provenance needs its own security model. Uri Braun PASS Team Harvard University Workshop on Principles of Provenance November 19-20, ‘07. Provenance needs security. Many provenance applications involve sensitive data: Regulatory Compliance Electronic Medical Records


Presentation Transcript


  1. Why provenance needs its own security model
  Uri Braun, PASS Team, Harvard University
  Workshop on Principles of Provenance, November 19-20, '07

  2. Provenance needs security
  • Many provenance applications involve sensitive data:
    • Regulatory Compliance
    • Electronic Medical Records
    • National Security Intelligence
  Slide 2 (of 22)

  3. National Intelligence Estimate: Data v. Provenance Sensitivity
  Vice Chair:       cp vice.txt /shared/     (Public: cannot read)
  Chair:            cp chair.txt /shared/    (Public: cannot read)
  Special Advisor:  cp advisor.txt /shared/  (Public: cannot read)
  National Intelligence Estimate:  cat /shared/*.txt | uniq  (Public: cannot read)
  Slide 3 (of 22)

  4. Outline
  • Motivation
  • Provenance needs its own security model
  • Related Work
  • Recap
  Slide 4 (of 22)

  5. Provenance needs its own security model
  • Sensitivity(Provenance) ≠ Sensitivity(Data)
  • Can have cases where sensitivity of:
    • Data > Provenance
    • Provenance > Data
  Slide 5 (of 22)

  6. Performance Review: Data v. Provenance Sensitivity
  Manager's email (Employee: cannot read)
      mail -s "Joe's Review" peer1, peer2
  Email to Peer1 (Employee: cannot read)      Email to Peer2 (Employee: cannot read)
      mail -s "RE: Joe's Review" manager          mail -s "RE: Joe's Review" manager
  Email from Peer1 (Employee: cannot read)    Email from Peer2 (Employee: cannot read)
      X                                           X
      cp peer1 & 2's emails and edit
  Result (Employee: can read)
  Slide 6 (of 22)

  7. National Intelligence Estimate: Data v. Provenance Sensitivity
  Vice Chair:       cp vice.txt /shared/     (Public: cannot read)
  Chair:            cp chair.txt /shared/    (Public: cannot read)
  Special Advisor:  cp advisor.txt /shared/  (Public: cannot read)
  National Intelligence Estimate:  cat /shared/*.txt | uniq  (Public: cannot read)
  Slide 7 (of 22)

  8. Different from traditional security models
  • Requires attributes different from existing security models
  • Relationships fundamentally different
  • Leak information differently
  Slide 8 (of 22)

  9. Performance Review: Relationship Leak
  Manager's email (Employee: cannot read)
      mail -s "Joe's Review" peer1, peer2
  Email to Peer1 (Employee: cannot read)      Email to Peer2 (Employee: cannot read)
      mail -s "RE: Joe's Review" manager          mail -s "RE: Joe's Review" manager
  Email from Peer1 (Employee: cannot read)    Email from Peer2 (Employee: cannot read)
      X                                           X
      cp peer1 & 2's emails and edit
  Result (Employee: can read)
  Slide 9 (of 22)

  10. Relationships leak information in combination with
  • Seemingly unrelated other relationships
  • World knowledge
  • Mere existence of a relationship
  Slide 10 (of 22)
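The performance-review slides (6 and 9) and slide 10 make the point that a relationship in a provenance graph can be sensitive even when the viewer is allowed to read the derived document. The following is an added illustration, not code from the talk or the PASS project: it models that scenario as a small graph where each node carries a data-sensitivity label and each edge (a provenance relationship) carries its own label. The node names, principal names and labels are constructed for the example. A view that filters only on data labels still walks every edge and therefore reveals to the employee that the review was derived from peer1's and peer2's emails; a view that also checks edge labels hides those relationships.

```python
from collections import deque


class ProvGraph:
    """Directed provenance graph: edge (src -> dst) means dst was derived from src.

    Nodes carry a data-sensitivity label (who may read the contents);
    edges carry a separate provenance label (who may learn the edge exists).
    """

    def __init__(self):
        self.node_readers = {}  # node name -> frozenset of principals who may read its data
        self.edges = []         # (src, dst, frozenset of principals who may see the edge)

    def add_node(self, name, readers):
        self.node_readers[name] = frozenset(readers)

    def add_edge(self, src, dst, readers):
        assert src in self.node_readers and dst in self.node_readers
        self.edges.append((src, dst, frozenset(readers)))

    def _walk(self, start, may_follow):
        """Breadth-first walk backwards over edges the predicate allows."""
        seen, queue = set(), deque([start])
        while queue:
            cur = queue.popleft()
            for src, dst, edge_readers in self.edges:
                if dst == cur and src not in seen and may_follow(edge_readers):
                    seen.add(src)
                    queue.append(src)
        return seen

    def ancestors_data_filtered(self, start, principal):
        """Data-centric view: follow every edge, redact only node contents.

        Returns {ancestor: content_readable}. Even when every value is False,
        the *names* of the ancestors (i.e. the relationships) are disclosed.
        """
        anc = self._walk(start, lambda _readers: True)
        return {n: principal in self.node_readers[n] for n in anc}

    def ancestors_prov_filtered(self, start, principal):
        """Provenance-aware view: only follow edges the principal may see."""
        anc = self._walk(start, lambda readers: principal in readers)
        return {n: principal in self.node_readers[n] for n in anc}


def build_review_graph():
    """Constructed instance of the deck's performance-review scenario."""
    g = ProvGraph()
    g.add_node("managers_email", {"manager"})
    g.add_node("email_to_peer1", {"manager", "peer1"})
    g.add_node("email_to_peer2", {"manager", "peer2"})
    g.add_node("email_from_peer1", {"manager", "peer1"})
    g.add_node("email_from_peer2", {"manager", "peer2"})
    g.add_node("review", {"manager", "employee"})  # the one node the employee may read
    g.add_edge("managers_email", "email_to_peer1", {"manager"})
    g.add_edge("managers_email", "email_to_peer2", {"manager"})
    g.add_edge("email_to_peer1", "email_from_peer1", {"manager", "peer1"})
    g.add_edge("email_to_peer2", "email_from_peer2", {"manager", "peer2"})
    # The two edges the slide marks with "X": the employee may read the review
    # but must not learn which peers' emails it was derived from.
    g.add_edge("email_from_peer1", "review", {"manager"})
    g.add_edge("email_from_peer2", "review", {"manager"})
    return g


def leaked_relationships(graph, start, principal):
    """Ancestor names a data-only filter would disclose but a provenance-aware
    filter hides: the relationship leak the deck describes."""
    naive = graph.ancestors_data_filtered(start, principal)
    aware = graph.ancestors_prov_filtered(start, principal)
    return sorted(set(naive) - set(aware))


if __name__ == "__main__":
    g = build_review_graph()
    print("employee, data-only filter :", g.ancestors_data_filtered("review", "employee"))
    print("employee, provenance-aware :", g.ancestors_prov_filtered("review", "employee"))
    print("leaked to employee         :", leaked_relationships(g, "review", "employee"))
    print("leaked to manager          :", leaked_relationships(g, "review", "manager"))
```

Under the data-only filter the employee's view of the review's ancestry contains all five upstream nodes with their contents redacted, which is exactly the "mere existence of a relationship" leak from slide 10; under the provenance-aware filter the employee sees no ancestry at all, while the manager's view is unchanged by the choice of filter.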

  11. Outline
  • Motivation
  • Provenance needs its own security model
  • Related Work
    • Provenance Projects
    • Aggregation
    • Applications
  • Recap
  Slide 11 (of 22)

  12. PASOA
  • Does
    • Ensure non-repudiation
    • Federate identity
    • Obscure portions of records
  • Does not
    • Consider relationships
    • Provide fine-grained access control
  [Groth et al.: D3.1.1: An Architecture for Provenance Systems]
  Slide 12 (of 22)

  13. myGrid
  • Does
    • Authentication
    • Access control per repository
  • Does not
    • Consider relationships
    • Provide fine-grained access control
  [Miles: myGrid Security Issues] [Egglestone: Security in the myGrid project]
  Slide 13 (of 22)

  14. Aggregate queries
  • May help understand interaction among relationships
  • Does not have a model for relationships
  • No answers for:
    • Existence providing data
    • Combining with world knowledge
  Slide 14 (of 22)

  15. Information Flow
  • Similar to aggregate queries in applicability
  • How do we model:
    • Relationships
    • World knowledge
    • Existence
  Slide 15 (of 22)

  16. Audit logs
  • Audit logs useful for security
  • Security also useful for audit logs
  • Current security is still binary
    • Total access
    • No access
  [Radack: NIST SP 800-92: Guide to Computer Log Management]
  Slide 16 (of 22)

  17. Metadata security
  • Metadata embedded in documents
  • Word change history has led to many unintentional, well-publicized leaks
  • Current solution is to remove metadata before publishing externally
  Slide 17 (of 22)

  18. Compliance
  • Increasing interest in tightening financial oversight
  • Growing focus on tracking the history of decisions
  [Johnson: Intersections of Law and Technology in Balancing Privacy Rights with Free Information Flow]
  Slide 18 (of 22)

  19. Electronic Medical Records
  • Medical records include provenance
  • HIPAA laws mandate access controls
  [Agrawal: Hippocratic Databases]
  Slide 19 (of 22)

  20. Outline
  • Motivation
  • Provenance needs its own security model
  • Related Work
  • Recap
  Slide 20 (of 22)

  21. Recap
  • Provenance needs security
  • Security needs are different
  • No known directly applicable model
  Slide 21 (of 22)

  22. Questions?
