Posted 19-Dec-2014 by palantirtech (category: Design)
© 2008 Palantir Technologies Inc. All rights reserved.
Palantir Access Control
Bob McGrew
Director of Engineering
Secure Information Integration
Imagine you have two data sources:
– Profiles database
  • Name, address, e-mail address
  • Accessible to all analysts
– E-mail message database
  • Accessible only to a small group A of analysts
Goals
– Allow all analysts to use profiles information for analysis
– Integrate the e-mails with the profiles information for group A
– Analysts who cannot access the e-mail database learn no more than what they could find out from the profiles database
Secure Information Discovery
Another scenario:
– Profiles database
  • Name, address, e-mail address
  • Accessible to all analysts
– E-mail message database
  • Accessible only to a small group A of analysts
Goals
– Want to allow analysts not in A access to the e-mail data only if they can show that they need to know it
– Analysts not in A can learn that there is additional information available for a particular profile, but no details
Overview
Palantir Access Control
– Guarantees confidentiality, integrity, and auditing
– Enables secure information integration and discovery
In this talk
– Security and Data Models
– Security Guarantees
– Two applications of our guarantees
  • Confidentiality Under Resolution (CUR)
  • Confidentiality Under Discovery (CUD)
Security Definitions
Group
– Set of users
– User can belong to multiple groups
Permissions (ordered)
– Discovery (d)
– Read (r)
– Write (w)
– Ownership (o)
Access Control Item (ACI)
– (Group, Permissions) pair
Access Control List (ACL)
– Set of ACIs
Diagram: ACL 1 containing ACI 101: (Group A, dr) and ACI 102: (Group B, drw); Group A and Group B, with users Alice, Bob, and Carol as members.
Object Model
Data Source
– Single source of data to Palantir
– Examples: documents, Excel files, databases
Object
– Single entity, event, or document
Property
– Piece of information about an Object
Data Source Record (DSR)
– Ties a Property to a Data Source
– Each Property has one or more DSRs
– Each DSR has an ACL, derived from its Data Source
Diagram: an Object of Type = Entity with Property Name = “Mike Fikri” (DSRs: ACL 1 from Data Source profiles.xls, ACL 2 from Data Source email.msg) and Property Age = 32 (DSR: ACL 2 from Data Source email.msg).
Security & Data Model
DSR-centric, not Object-centric
All sensitive data on Properties
A Property can be read if any of its DSRs can be read
Diagram: the same Object of Type = Entity, with Property Name = “Mike Fikri” (DSRs: ACL 1 from profiles.xls, ACL 2 from email.msg) and Property Age = 32 (DSR: ACL 2 from email.msg).
Discovery
An organization may want to make sensitive data available only to those who can show that they need to know about it.
Searches can yield discovery results with only data source name and discovery message
Objects viewed in the Browser also may have discovery messages
Discovery
Each data source has a discovery message
– e.g., “To acquire permission to data from profiles.xls, please contact John Doe.”
Object load
– Removes all DSRs for which the user has only discovery permissions
– For each removed DSR, returns instead the Discovery Message for its Data Source
Search
– Returns a Discovery Message if the query would have matched had the user had read instead of discovery permissions
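The DSR-centric check and the object-load rules above, as an added toy model (not Palantir's code): permission levels are ordered d < r < w < o, an ACL is a set of ACIs, a Property is readable if any of its DSRs is, discovery-only DSRs are swapped for their data source's discovery message, and DSRs with no permission vanish without trace. Groups A, B, C, the ACL contents and the sample object are constructed for the example.

```python
from dataclasses import dataclass

# Permissions are ordered: discovery < read < write < ownership.
PERMS = {"d": 1, "r": 2, "w": 3, "o": 4}

@dataclass
class DataSource:
    name: str
    discovery_message: str

@dataclass
class DSR:  # Data Source Record: ties a Property to a Data Source; carries the ACL
    source: DataSource
    acl: dict  # ACL as {group: permission string}, i.e. one ACI per group

@dataclass
class Property:
    name: str
    value: object
    dsrs: list  # one or more DSRs

def level(acl, groups):
    """Highest permission any of the user's groups holds on this ACL (0 = none)."""
    return max((PERMS[c] for g, p in acl.items() if g in groups for c in p), default=0)

def object_load(obj_type, properties, groups):
    """Readable projection of an Object. A Property is returned if ANY of its
    DSRs is readable; a DSR the user can only discover is replaced by its data
    source's discovery message; a DSR with no permission leaves no trace (CUR)."""
    visible, messages = {}, set()
    for prop in properties:
        if any(level(d.acl, groups) >= PERMS["r"] for d in prop.dsrs):
            visible[prop.name] = prop.value
        for d in prop.dsrs:
            if level(d.acl, groups) == PERMS["d"]:
                messages.add(d.source.discovery_message)
    return {"type": obj_type, "properties": visible, "discovery": sorted(messages)}

# Constructed sample mirroring the slides: ACL 1 guards profiles.xls, ACL 2 guards email.msg.
PROFILES = DataSource("profiles.xls", "To acquire permission to data from profiles.xls, please contact John Doe.")
EMAIL = DataSource("email.msg", "To acquire permission to data from email.msg, please contact John Doe.")
ACL1 = {"A": "dr", "B": "drw", "C": "dr"}
ACL2 = {"A": "dr", "C": "d"}  # group B holds no ACI here; group C may only discover
MIKE = [Property("Name", "Mike Fikri", [DSR(PROFILES, ACL1)]),
        Property("Age", 32, [DSR(EMAIL, ACL2)])]

if __name__ == "__main__":
    for user, groups in (("Alice", {"A"}), ("Bob", {"B"}), ("Carol", {"C"})):
        print(user, object_load("Entity", MIKE, groups))
```

A user in group B gets exactly the projection they would see had email.msg never been imported, while a user in group C sees the Name plus the discovery message for email.msg but never the Age.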
Security Guarantees
Confidentiality
– Cannot read a Property without read permissions to a DSR
– Cannot read a DSR without read permissions
– Cannot discover the existence of a Property without discovery permissions to a DSR
Integrity
– Cannot edit a Property without write permissions to a DSR
– Cannot change the ACL on a DSR without ownership permissions
Auditing
– Every action is logged and attributed to the user who performed it
Untrusted Client
Palantir Security Model makes no assumptions about the client
Security guarantees hold under:
– Normal operation of Palantir Workspace
– Abnormal operation of Palantir Workspace
– Arbitrary calls against our public API
Assumptions:
– Attacker cannot directly connect to database
– Attacker does not have physical access to server
Access control by data sources
Access control is based on data sources
– Tied to objects and properties through DSRs
Suppose access controls were per-object
– No fine-grained control
– Cannot perform resolution across data sources
Confidentiality Under Resolution (CUR)
Two Data Sources: A and B
Analyst has read access to Data Source A
Analyst has no access to Data Source B
The following two cases must be indistinguishable
1. Data Source A imported
2. Data Sources A and B imported and resolved together
CUR Example: Pre-Resolution
Diagram: two separate Objects, both of Type = Entity. The first, from Data Source profiles.xls, has Property Name = “Mike Fikri” (DSR: ACL 1). The second, from Data Source email.msg, has Property Name = “Mike Fikri” (DSR: ACL 2) and Property Age = 32 (DSR: ACL 2).
Alice’s Permissions: ACL 1: read; ACL 2: none
CUR Example: Post-Resolution
Diagram: a single resolved Object of Type = Entity with Property Name = “Mike Fikri” (DSRs: ACL 1 from profiles.xls, ACL 2 from email.msg) and Property Age = 32 (DSR: ACL 2 from email.msg).
Alice’s Permissions: ACL 1: read; ACL 2: none
Object-Load Satisfies CUR
Returns readable projection of Object
No sensitive data directly on the Object (e.g., creation time)
Randomized IDs
Diagram: the resolved Object (Type = Entity; Name = “Mike Fikri” with DSRs ACL 1 from profiles.xls and ACL 2 from email.msg; Age = 32 with DSR ACL 2 from email.msg).
Search Satisfies CUR
Search terms are indexed with ACLs
– Mike (ACL 1, ACL 2)
– Fikri (ACL 1, ACL 2)
– 32 (ACL 2)
Relevance is computed only over readable fields
Diagram: the resolved Object (Type = Entity; Name = “Mike Fikri” with DSRs ACL 1 from profiles.xls and ACL 2 from email.msg; Age = 32 with DSR ACL 2 from email.msg).
Confidentiality Under Discovery (CUD)
Searching for a phone number
– Search reveals a discovery-only property matching that query
– No information revealed about what object has that phone number
Viewing the owner of the phone number
– Load reveals a discovery-only property for that object
– No information revealed about the value of the property
Intuition: cannot tie the value of a discovery-only property to the object it is associated with
Confidentiality Under Discovery (CUD)
Setting below should be indistinguishable to Alice from the same setting with ages reversed
Diagram: Object1 (Type = Entity) with Property Name = “John” (DSR: ACL 1 from profiles.xls) and Property Age = 33 (DSR: ACL 2 from email.msg); Object2 (Type = Entity) with Property Name = “James” (DSR: ACL 1 from profiles.xls) and Property Age = 44 (DSR: ACL 2 from email.msg).
Alice’s Permissions: ACL 1: read; ACL 2: discovery
Confidentiality Under Discovery (CUD)
Setting below should be indistinguishable to Alice from the same setting with ages reversed
Diagram: the same two Objects with the ages swapped: Object1 (Name = “John”, DSR ACL 1 from profiles.xls) now has Age = 44 (DSR ACL 2 from email.msg) and Object2 (Name = “James”, DSR ACL 1 from profiles.xls) has Age = 33 (DSR ACL 2 from email.msg).
Alice’s Permissions: ACL 1: read; ACL 2: discovery
Object-Load Satisfies CUD
Same results in both cases
No information is leaked!
Diagram: what Alice sees. Object1 (Type = Entity) with Property Name = “John” (DSR: ACL 1 from profiles.xls) plus the Discovery Message for email.msg; Object2 (Type = Entity) with Property Name = “James” (DSR: ACL 1) plus the Discovery Message for email.msg.
Search Satisfies CUD
Search for “Age=33” yields discovery message for email.msg
Search for “Age=44” yields the same
No information is leaked!
Diagram: Object1 (Type = Entity; Name = “John” with DSR ACL 1 from profiles.xls; Age = 33 with DSR ACL 2 from email.msg) and Object2 (Type = Entity; Name = “James” with DSR ACL 1 from profiles.xls; Age = 44 with DSR ACL 2 from email.msg).
Alice’s Permissions: ACL 1: read; ACL 2: discovery
Conjunctive Searches Do Not Satisfy CUD
Search for “Age=33 AND Name=John”
Cannot answer without knowing which age is associated with Object1
No discovery results returned for conjunctive searches
Diagram: Object1 (Type = Entity; Name = “John” with DSR ACL 1 from profiles.xls; Age = 33 with DSR ACL 2 from email.msg) and Object2 (Type = Entity; Name = “James” with DSR ACL 1 from profiles.xls; Age = 44 with DSR ACL 2 from email.msg).
Alice’s Permissions: ACL 1: read; ACL 2: discovery
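The ACL-indexed search from the “Search Satisfies CUR” slide, together with the CUD behaviour and the conjunctive-query rule above, as an added toy implementation (not Palantir's code): each posting carries the ACL of the DSR it was indexed from, a single-term hit on a discovery-only DSR returns only the data source's discovery message, and conjunctive queries are answered over readable postings alone with no discovery results. The ACL contents, group names, discovery message text and the John/James records are constructed for the example.

```python
from collections import defaultdict

# Permissions are ordered: discovery < read < write < ownership.
PERMS = {"d": 1, "r": 2, "w": 3, "o": 4}

def level(acl, groups):
    """Highest permission any of the user's groups holds on this ACL (0 = none)."""
    return max((PERMS[c] for g, p in acl.items() if g in groups for c in p), default=0)

# Constructed sample mirroring the CUD slides: ACL 1 guards profiles.xls, ACL 2 guards
# email.msg. Alice (group A) can read ACL 1 but only discover ACL 2; group B reads both.
ACLS = {1: {"A": "dr", "B": "dr"}, 2: {"A": "d", "B": "dr"}}
DISCOVERY_MSG = {1: "Discovery Message for profiles.xls", 2: "Discovery Message for email.msg"}
RECORDS = [  # one tuple per DSR: (object id, property name, value, ACL id)
    ("Object1", "Name", "John", 1), ("Object1", "Age", "33", 2),
    ("Object2", "Name", "James", 1), ("Object2", "Age", "44", 2)]

def build_index(records):
    """Inverted index: term -> postings of (object id, ACL id). Each posting keeps
    the ACL of the DSR it came from, so search can filter on it per user."""
    index = defaultdict(list)
    for oid, name, value, acl in records:
        index[f"{name}={value}"].append((oid, acl))
    return index

def search(index, groups, *terms):
    """Returns (readable object ids, discovery messages).
    Single term: readable postings yield the object; discovery-only postings yield
    only the data source's discovery message, never the object, so Age=33 and
    Age=44 produce the same answer for Alice (CUD).
    Conjunction: evaluated over readable postings only, with no discovery results,
    since answering "Age=33 AND Name=John" would tie the hidden age to Object1."""
    per_term, messages = [], set()
    for term in terms:
        readable = set()
        for oid, acl in index.get(term, []):
            lvl = level(ACLS[acl], groups)
            if lvl >= PERMS["r"]:
                readable.add(oid)
            elif lvl == PERMS["d"] and len(terms) == 1:
                messages.add(DISCOVERY_MSG[acl])
        per_term.append(readable)
    hits = set.intersection(*per_term) if per_term else set()
    return sorted(hits), sorted(messages)

INDEX = build_index(RECORDS)

if __name__ == "__main__":
    print(search(INDEX, {"A"}, "Age=33"), search(INDEX, {"A"}, "Age=44"))
    print(search(INDEX, {"A"}, "Age=33", "Name=John"))
```

Ranking is omitted; a real index would also score relevance only over the readable postings, as the CUR slide states.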
Conclusion
Security and Data Models
Security Guarantees
Two applications of our guarantees
– Confidentiality Under Resolution (CUR)
– Confidentiality Under Discovery (CUD)
For more details, see the “Palantir Access Control Model” whitepaper