
Why provenance needs its own security model

Uri Braun, PASS Team
Harvard University

Workshop on Principles of Provenance
November 19-20, '07

January 8, '07 Slide 2 (of 22)

Provenance needs security

Many provenance applications involve sensitive data:
  Regulatory compliance
  Electronic medical records
  National security intelligence

Slide 3 (of 22)

National Intelligence Estimate: Data v. Provenance Sensitivity

Figure: provenance of the National Intelligence Estimate. Three contributors each place their input in a shared directory and the estimate is assembled from that directory. The figure labels each of the three inputs "Public: cannot read" and carries the same label once more on the assembly step:

  Vice Chair:       cp vice.txt /shared/       (Public: cannot read)
  Chair:            cp chair.txt /shared/      (Public: cannot read)
  Special Advisor:  cp advisor.txt /shared/    (Public: cannot read)
  Assembly:         cat /shared/*.txt | uniq   (Public: cannot read)
  Output:           National Intelligence Estimate

Slide 4 (of 22)

Outline

  Motivation
  Provenance needs its own security model
  Related work
  Recap

Slide 5 (of 22)

Provenance needs its own security model

Sensitivity(Provenance) ≠ Sensitivity(Data)

There are cases in which the sensitivity of the data exceeds that of its provenance (Data > Provenance), and cases in which the provenance is the more sensitive of the two (Provenance > Data).

Slide 6 (of 22)

Performance Review: Data v. Provenance Sensitivity

Figure: provenance of Joe's performance review. The manager asks two peers for input, edits their replies into the review, and sends the result to Joe (the employee). Joe may read the review itself but none of the objects it was derived from:

  Manager's request:  mail -s "Joe's Review" peer1, peer2   (Employee: cannot read)
      -> Email to Peer1     (Employee: cannot read)
      -> Email to Peer2     (Employee: cannot read)
  Peers reply:        mail -s "RE: Joe's Review" manager
      -> Email from Peer1   (Employee: cannot read)
      -> Email from Peer2   (Employee: cannot read)
  Manager edits:      cp peer1 & 2's emails and edit
      -> Manager's email    (Employee: can read)

Slide 7 (of 22)

National Intelligence Estimate: Data v. Provenance Sensitivity

(Figure repeated from slide 3: the Vice Chair, Chair and Special Advisor each copy their input to /shared/, and the estimate is assembled with cat /shared/*.txt | uniq; the three inputs and the assembly step are labelled "Public: cannot read".)

Slide 8 (of 22)

Different from traditional security models

Provenance requires attributes that existing security models do not have:
  Its relationships are fundamentally different
  It leaks information differently

Slide 9 (of 22)

Performance Review: Relationship Leak

(Figure repeated from slide 6: the manager's request to peer1 and peer2, the two replies, and the edit step that produces the manager's email. The employee can read the manager's email only; every other node is labelled "Employee: cannot read". The leak is the relationship itself: knowing that the review was derived from the peers' emails tells Joe who reviewed him, even though he can read none of those emails.)

Slide 10 (of 22)

Relationships leak information in combination with:
  Seemingly unrelated other relationships
  World knowledge
  The mere existence of a relationship
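The performance-review scenario above, as an added example that is not part of the slides or of the PASS project's code: a toy provenance graph in which access to the emails is governed by ordinary per-object ACLs. Answering an ancestry query under those ACLs alone hands the employee the names of the objects the review was derived from, which is exactly the relationship leak. A second policy attaches a reader set to each relationship, so an edge the principal may not see is neither returned nor traversed. All names, ACLs and both policy functions are assumptions made for illustration.

```python
"""Added example (not from the slides): per-object ACLs versus per-relationship
ACLs on a toy provenance graph of the performance-review scenario.
All principals, object names and ACLs are assumptions for illustration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Edge:
    child: str          # derived object
    parent: str         # object it was derived from
    readers: frozenset  # principals allowed to learn this relationship exists


@dataclass
class ProvGraph:
    data_acl: dict = field(default_factory=dict)  # object name -> readers of its contents
    edges: list = field(default_factory=list)

    def add_object(self, name, readers):
        self.data_acl[name] = frozenset(readers)

    def derived_from(self, child, parent, readers):
        self.edges.append(Edge(child, parent, frozenset(readers)))

    def parents(self, name, allowed=lambda e: True):
        return {e.parent for e in self.edges if e.child == name and allowed(e)}

    def ancestors(self, name, allowed=lambda e: True):
        """Transitive closure over the edges that pass the `allowed` predicate."""
        seen, stack = set(), [name]
        while stack:
            for p in self.parents(stack.pop(), allowed):
                if p not in seen:
                    seen.add(p)
                    stack.append(p)
        return seen


def build_review_graph():
    """The slides' scenario: the manager solicits two peer reviews and edits
    them into the review that is mailed to the employee (Joe)."""
    g = ProvGraph()
    mgr = {"manager"}
    g.add_object("Email to Peer1", mgr | {"peer1"})
    g.add_object("Email to Peer2", mgr | {"peer2"})
    g.add_object("Email from Peer1", mgr | {"peer1"})
    g.add_object("Email from Peer2", mgr | {"peer2"})
    g.add_object("Manager's email", mgr | {"employee"})   # Joe may read the review itself
    # Each reply was written in response to the manager's request ...
    g.derived_from("Email from Peer1", "Email to Peer1", mgr | {"peer1"})
    g.derived_from("Email from Peer2", "Email to Peer2", mgr | {"peer2"})
    # ... and the review was produced by copying and editing the replies.
    # Only the manager may learn these two relationships exist: the employee
    # may read the review but must not learn whose words fed into it.
    g.derived_from("Manager's email", "Email from Peer1", mgr)
    g.derived_from("Manager's email", "Email from Peer2", mgr)
    return g


def data_acl_provenance(g, principal, name):
    """Model 1 (insufficient): only object *contents* are protected.  The
    ancestry query answers with every ancestor; the caller merely cannot open
    the ones it lacks data access to.  Returns {ancestor: contents readable?}."""
    if principal not in g.data_acl[name]:
        return None                        # cannot read the starting object at all
    return {a: principal in g.data_acl[a] for a in g.ancestors(name)}


def relationship_acl_provenance(g, principal, name):
    """Model 2: every relationship carries its own reader set.  An edge the
    principal may not see is not traversed, so neither its far endpoint nor
    anything beyond it is revealed."""
    if principal not in g.data_acl[name]:
        return None
    return g.ancestors(name, allowed=lambda e: principal in e.readers)


if __name__ == "__main__":
    g = build_review_graph()
    # The employee cannot read any of the four emails, yet learns all four
    # exist and fed into the review, i.e. who the reviewers were.
    print("data-ACL model, employee:", data_acl_provenance(g, "employee", "Manager's email"))
    print("relationship model, employee:", relationship_acl_provenance(g, "employee", "Manager's email"))
    print("relationship model, manager:", relationship_acl_provenance(g, "manager", "Manager's email"))
```

Run stand-alone, the first query returns the four email objects with every "readable" flag False, which is the leak the slide describes; the second returns an empty set. Note that the second model only addresses the first of the three bullets above: if an empty answer is distinguishable from "no provenance was recorded", the mere existence of hidden ancestors still leaks, and a reader who knows from world knowledge that reviews always come from exactly two named peers needs no edge at all.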

Slide 11 (of 22)

Outline

  Motivation
  Provenance needs its own security model
  Related work
    Provenance projects
    Aggregation
    Applications
  Recap

Slide 12 (of 22)

PASOA

Does:
  Ensure non-repudiation
  Federate identity
  Obscure portions of records

Does not:
  Consider relationships
  Provide fine-grained access control

[Groth et al.: D3.1.1: An Architecture for Provenance Systems]

Slide 13 (of 22)

myGrid

Does:
  Authentication
  Access control per repository

Does not:
  Consider relationships
  Provide fine-grained access control

[Miles: myGrid Security Issues] [Egglestone: Security in the myGrid project]

Slide 14 (of 22)

Aggregate queries

May help in understanding the interaction among relationships, but has no model for relationships.

No answers for:
  Existence of a relationship providing data
  Combining with world knowledge

Slide 15 (of 22)

Information Flow

Similar to aggregate queries in applicability.

How do we model:
  Relationships
  World knowledge
  Existence

Slide 16 (of 22)

Audit logs

Audit logs are useful for security, and security is also useful for audit logs. Current access control on logs is still binary:
  Total access
  No access

[Radack: NIST SP 800-92: Guide to Computer Log Management]

Slide 17 (of 22)

Metadata security

Metadata embedded in documents: Word change history has led to many unintentional, well-publicized leaks.

The current solution is to remove the metadata before publishing externally.

Slide 18 (of 22)

Compliance

Increasing interest in tightening financial oversight, with a growing focus on tracking the history of decisions.

[Johnson: Intersections of Law and Technology in Balancing Privacy Rights with Free Information Flow]

Slide 19 (of 22)

Electronic Medical Records

Medical records include provenance, and HIPAA mandates access controls on them.

[Agrawal: Hippocratic Databases]

Slide 20 (of 22)

Outline

  Motivation
  Provenance needs its own security model
  Related work
  Recap

Slide 21 (of 22)

Recap

  Provenance needs security
  Its security needs are different
  No known model is directly applicable

Questions?
