ISA 662 Information System Security: Hybrid Policies (Chapter 6 from Bishop's book)

Upload: ambrose-perry
Post on 16-Dec-2015

1

ISA 662 Information System Security
Hybrid Policies
Chapter 6 from Bishop's book

2

Overview
Chinese Wall Model
RBAC
ORCON
Clinical Information Systems Security Policy

3

Chinese Wall Model
A Chinese wall is a barrier between objects whose combined access would result in conflicting interests.
The problem:
  An analyst is assigned to advise two competing banks.
  The objectivity of his opinion would be questionable: he can help one gain at the expense of the other.
The solution:
  An analyst can only access non-conflicting objects inside his/her enclosure.

4

Overview
Explicitly organize objects into conflict of interest (COI) classes.
Control a subject's read accesses based on COI classes and prior access history.
Control a subject's write accesses to avoid indirect conflicts of interest.
No control over reading sanitized data (data that causes no conflict of interest whatsoever).

5

Definitions and Notations
Company dataset (CD): collection of objects about a single company.
Conflict of interest class (COI): a collection of company datasets of companies in competition.
Notation: object O; company dataset CD(O); conflict of interest class COI(O).
Assumption: each object belongs to exactly one CD and each CD to exactly one COI class.

6

Example
Consider a COI class as an industry.
[figure: COI class "Bank" contains the CDs Bank of America, Citibank and Bank of the West; COI class "Gasoline" contains the CDs Shell, Mobil, Texaco and Sunoco. The set of all objects (object1, object2, ...) is partitioned into CDs, and the CDs into COI classes.]
CD(object1) = ?  COI(object1) = ?

7

History-based Access Control
Rights depend on access history.
Initially, a subject can read any CD in any COI.
But once the subject has read any CD in a COI, he or she can never read another CD in that COI.
It is possible that information learned earlier may allow him to make decisions later.

8

Sanitized Object
A sanitized object is public information contained within a CD.
As it is publicly available, no conflict of interest arises from it.
So it should not affect reads.
But it does affect writes.

9

CW-Simple Security Condition
Let PR(s) be the set of objects that s has already read.
s can read o iff any of these conditions holds:
  1. There is an o' satisfying o' ∈ PR(s) and CD(o') = CD(o), i.e. s can read something else in the company dataset of o.
  2. For all objects o', o' ∈ PR(s) ⇒ COI(o') ≠ COI(o), i.e. s has not read any object in COI(o).
  3. o is a sanitized object.
Initially PR(s) = ∅, so the initial read request is always granted.

10

What About Write?
Alice reads Citibank's and Shell's CDs.
Bob reads Bank of America's and Shell's CDs.
So Bob must not read Citibank's CD.
If Alice writes what she read from Citibank's CD to Shell's CD, Bob can then read what Alice wrote.
[figure: COI class "Bank" (Bank of America, Citibank, Bank of the West) and COI class "Gasoline" (Shell, Mobil, Texaco, Sunoco), with Alice's and Bob's accesses marked.]

11

CW-*-Property (like Bell-LaPadula)
s can write to o iff both of the following hold:
  1. The CW-simple security condition permits s to read o.
  2. For all unsanitized objects o', if s can read o', then CD(o') = CD(o), i.e. every unsanitized object s can read lies within the same CD as o; anything else it can read is sanitized.
[figure: the same Bank and Gasoline COI classes, with Alice's and Bob's accesses marked.]
Neither Alice nor Bob can write.
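Added example (not from the slides or Bishop's book): the following Python evaluates the CW-simple security condition of slide 9 and the CW-*-property above over the Bank/Gasoline scenario of slide 10. The object names, the ChineseWall class, and the choice that reading a sanitized object leaves PR(s) unchanged (following slide 8, "should not affect read") are assumptions of this example, not part of the deck.

```python
# Added example, not from the slides or Bishop's book: the CW-simple security
# condition and the CW-*-property evaluated over the deck's Bank/Gasoline scenario.
# Object names, the ChineseWall class and the treatment of sanitized reads are
# this example's own assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Obj:
    name: str
    cd: str            # company dataset CD(o)
    coi: str           # conflict-of-interest class COI(o)
    sanitized: bool = False


class ChineseWall:
    def __init__(self, objects):
        self.objects = {o.name: o for o in objects}
        self.pr = {}   # PR(s): names of unsanitized objects s has already read

    def can_read(self, s, name):
        """CW-simple security condition."""
        o = self.objects[name]
        if o.sanitized:                                          # condition 3
            return True
        history = [self.objects[p] for p in self.pr.get(s, set())]
        if any(p.cd == o.cd for p in history):                   # condition 1
            return True
        return all(p.coi != o.coi for p in history)              # condition 2

    def read(self, s, name):
        if not self.can_read(s, name):
            raise PermissionError(f"{s} may not read {name}")
        # Assumption: a sanitized read is public information and does not enter PR(s).
        if not self.objects[name].sanitized:
            self.pr.setdefault(s, set()).add(name)

    def can_write(self, s, name):
        """CW-*-property: o is readable, and every readable unsanitized object is in CD(o)."""
        o = self.objects[name]
        if not self.can_read(s, name):                           # condition 1
            return False
        return all(p.cd == o.cd for p in self.objects.values()  # condition 2
                   if not p.sanitized and self.can_read(s, p.name))


def bank_gasoline_world():
    """Constructed objects: one internal report per CD, plus a public (sanitized)
    press release for each bank."""
    objs = []
    for cd in ["Bank of America", "Citibank", "Bank of the West"]:
        objs.append(Obj(f"{cd}/report", cd, "Bank"))
        objs.append(Obj(f"{cd}/press-release", cd, "Bank", sanitized=True))
    for cd in ["Shell", "Mobil", "Texaco", "Sunoco"]:
        objs.append(Obj(f"{cd}/report", cd, "Gasoline"))
    return objs


def alice_bob_scenario():
    """Slides 10 and 11: Alice reads Citibank and Shell, Bob reads BofA and Shell."""
    wall = ChineseWall(bank_gasoline_world())
    wall.read("Alice", "Citibank/report")
    wall.read("Alice", "Shell/report")
    wall.read("Bob", "Bank of America/report")
    wall.read("Bob", "Shell/report")
    wall.read("Carol", "Bank of America/press-release")   # sanitized only
    return {
        "bob_reads_citibank": wall.can_read("Bob", "Citibank/report"),
        "alice_reads_bofa": wall.can_read("Alice", "Bank of America/report"),
        "alice_reads_bofa_public": wall.can_read("Alice", "Bank of America/press-release"),
        "alice_reads_mobil": wall.can_read("Alice", "Mobil/report"),
        "alice_reads_citibank_again": wall.can_read("Alice", "Citibank/report"),
        "carol_reads_citibank": wall.can_read("Carol", "Citibank/report"),
        "alice_writes_shell": wall.can_write("Alice", "Shell/report"),
        "bob_writes_shell": wall.can_write("Bob", "Shell/report"),
    }


def single_coi_scenario():
    """With only the Bank COI present, a subject confined to one CD may write there."""
    wall = ChineseWall([o for o in bank_gasoline_world() if o.coi == "Bank"])
    wall.read("Dave", "Citibank/report")
    return {
        "dave_writes_citibank": wall.can_write("Dave", "Citibank/report"),
        "dave_writes_bofa": wall.can_write("Dave", "Bank of America/report"),
    }


if __name__ == "__main__":
    print(alice_bob_scenario())
    print(single_coi_scenario())
```

Condition 2 of the *-property quantifies over every unsanitized object s can read, not only those it has read, so in the two-COI world even a subject with an empty history cannot write: it could still read a CD in the other COI. The single_coi_scenario function shows the write path that the property does permit, a subject whose readable unsanitized objects all lie in one CD.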

12

How Does Information Flow?
With the two conditions (CW-simple security condition and CW-*-property) in place, how can information flow around the system?
Main results:
  Theorem 7-1: in each COI class (e.g. Bank), a subject can only read objects in a single CD (e.g. Citibank).
  Theorem 7-2: at least n subjects are required to access all objects in a COI class with n CDs in total.

13

How Does Information Flow? (Cont'd)
Information flows from o to o' if s reads o and writes o'.
Theorem 7-3: information in an unsanitized object can only flow inside that CD; information in sanitized objects can flow freely.
[figure: CDs Bank of America, Citibank, Bank of the West, Shell, Mobil, Texaco and Sunoco, each holding objects o1, o2, o3, with the flows of sanitized and unsanitized objects shown separately.]

14

Compare CW to Bell-LaPadula
Fundamentally different: CW is based on access history, BLP is history-less (this is important).
BLP can capture the CW state at any time, but cannot track changes over time.
BLP security levels would need to be updated each time an access is allowed (this does not make sense).

15

Overview
Chinese Wall Model
RBAC
ORCON
Clinical Information Systems Security Policy

16

Background
A policy-neutral model: it can be used to express DAC (role as identity), MAC (role as clearance), ...
A standard (http://csrc.nist.gov/rbac/)
Why role? Because rights usually depend on role (job function), not on identity.
Example: Alice, a bookkeeper, has access to financial records. If Bob replaces Alice as the new bookkeeper, Bob must have the same accesses.
The role 'Bookkeeper' is a bridge between subjects and rights to objects (permissions).

17

Background (Cont'd)
Why role? As an intermediate layer, it simplifies the administration of access control.
Compare the transition from the client-server model to the 3+-tier model in transaction processing:
  n clients and m servers need n*m connections; with intermediate application servers, n+m connections.
  Client corresponds to subject, server to permission, application server to role.

18

Definitions
Let S be the set of subjects and T the set of transactions.
trans(r): authorized transactions; all transactions that role r can execute.
actr(s): active role(s) that s is currently playing.
authr(s): authorized roles; all roles that s can play.
canexec(s, t): s can execute transaction t.

19

Axioms
Rule of role assignment: (∀s ∈ S)(∀t ∈ T) [canexec(s, t) ⇒ actr(s) ≠ ∅]. To execute a transaction, s must be playing some role.
Rule of role authorization: (∀s ∈ S) [actr(s) ⊆ authr(s)]. s can only play an authorized role.
Rule of transaction authorization: (∀s ∈ S)(∀t ∈ T) [canexec(s, t) ⇒ t ∈ trans(actr(s))]. A subject can only execute a transaction if the transaction is authorized for the active role.

20

Containment of Roles (Role Hierarchy)
An instructor can do all transactions that a TA can do (and maybe more). Thus an instructor role contains a TA role, written instructor > TA.
(∀s ∈ S) [r ∈ authr(s) ∧ r > r' ⇒ r' ∈ authr(s)]
(∀t ∈ T) [t ∈ trans(r') ∧ r > r' ⇒ t ∈ trans(r)]
All roles form a partial order.

21

Separation of Duties
Let meauth(r) be the set of roles a subject s cannot play if s can play r, because of a separation of duty requirement. If r is cashier, meauth(r) may include sales assistant.
Add a constraint: (∀r1, r2 ∈ R) [r2 ∈ meauth(r1) ⇒ [(∀s ∈ S) [r1 ∈ authr(s) ⇒ r2 ∉ authr(s)]]]
If anyone works as a cashier, he/she must not work as a sales assistant.
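Added example (not from the slides or Bishop's book): a small Python enforcement of the RBAC definitions and axioms of slides 18 to 21, including role containment and the separation-of-duty constraint. The RBAC class, the role and transaction names (TA, Instructor, Cashier, SalesAssistant) and the subjects are constructed for this example; the role hierarchy is assumed to be acyclic, as the partial-order remark on slide 20 requires.

```python
# Added example, not from the slides or Bishop's book: the three RBAC axioms,
# role containment and the separation-of-duty constraint from slides 18 to 21,
# run over constructed roles, transactions and subjects.


class RBAC:
    def __init__(self):
        self.trans = {}       # trans(r): transactions role r may execute
        self.authr = {}       # authr(s): roles s may play
        self.actr = {}        # actr(s): roles s is currently playing
        self.contains = []    # (r, r') pairs meaning r > r'
        self.meauth = {}      # meauth(r): roles mutually exclusive with r

    def add_role(self, r, transactions):
        self.trans[r] = set(transactions)

    def add_containment(self, r, r_prime):
        """Declare r > r' (assumed acyclic, i.e. the roles form a partial order)."""
        self.contains.append((r, r_prime))

    def add_mutual_exclusion(self, r1, r2):
        self.meauth.setdefault(r1, set()).add(r2)
        self.meauth.setdefault(r2, set()).add(r1)

    def effective_trans(self, r):
        """t ∈ trans(r') ∧ r > r' ⇒ t ∈ trans(r): close trans(r) under containment."""
        result = set(self.trans.get(r, set()))
        for big, small in self.contains:
            if big == r:
                result |= self.effective_trans(small)
        return result

    def sod_allows(self, s, r):
        """Separation of duty: r2 ∈ meauth(r1) ⇒ (r1 ∈ authr(s) ⇒ r2 ∉ authr(s))."""
        return not (self.meauth.get(r, set()) & self.authr.get(s, set()))

    def authorize(self, s, r):
        if not self.sod_allows(s, r):
            raise ValueError(f"{s}: {r} conflicts with an already authorized role")
        self.authr.setdefault(s, set()).add(r)
        for big, small in self.contains:          # r ∈ authr(s) ∧ r > r' ⇒ r' ∈ authr(s)
            if big == r:
                self.authorize(s, small)

    def activate(self, s, r):
        """Rule of role authorization: actr(s) ⊆ authr(s)."""
        if r not in self.authr.get(s, set()):
            raise PermissionError(f"{s} is not authorized for role {r}")
        self.actr[s] = {r}

    def canexec(self, s, t):
        active = self.actr.get(s, set())
        if not active:                            # rule of role assignment: actr(s) ≠ ∅
            return False
        # rule of transaction authorization: t ∈ trans(actr(s))
        return any(t in self.effective_trans(r) for r in active)


def course_scenario():
    """Instructor > TA: the instructor inherits the TA's transactions, not vice versa."""
    rbac = RBAC()
    rbac.add_role("TA", ["grade_homework", "post_announcement"])
    rbac.add_role("Instructor", ["set_final_grade"])
    rbac.add_containment("Instructor", "TA")
    rbac.authorize("Ivy", "Instructor")
    rbac.authorize("Tom", "TA")
    rbac.activate("Ivy", "Instructor")
    rbac.activate("Tom", "TA")
    try:
        rbac.activate("Tom", "Instructor")
        tom_activates_instructor = True
    except PermissionError:
        tom_activates_instructor = False
    return {
        "ivy_grades_homework": rbac.canexec("Ivy", "grade_homework"),
        "ivy_sets_final": rbac.canexec("Ivy", "set_final_grade"),
        "tom_sets_final": rbac.canexec("Tom", "set_final_grade"),
        "ivy_also_authorized_as_ta": "TA" in rbac.authr["Ivy"],
        "tom_activates_instructor": tom_activates_instructor,
        "no_active_role": rbac.canexec("Nobody", "grade_homework"),
    }


def shop_scenario():
    """Cashier and sales assistant are mutually exclusive; returns True if enforced."""
    rbac = RBAC()
    rbac.add_role("Cashier", ["take_payment"])
    rbac.add_role("SalesAssistant", ["record_sale"])
    rbac.add_mutual_exclusion("Cashier", "SalesAssistant")
    rbac.authorize("Sam", "Cashier")
    try:
        rbac.authorize("Sam", "SalesAssistant")
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(course_scenario(), shop_scenario())
```

The separation-of-duty check is applied at authorization time rather than at activation time, which is the static form of the constraint on slide 21: once Sam is authorized as a cashier, the sales assistant role cannot be added to authr(Sam) at all.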

22

Overview
Chinese Wall Model
RBAC
ORCON
Clinical Information Systems Security Policy

23

ORiginator CONtrol
Problem: the organization creating a document wants to control its dissemination.
Example: the Secretary of Agriculture writes a memo for distribution to her immediate subordinates, and she must give permission for it to be disseminated to anyone else.

24

Requirements
Subject s ∈ S marks object o ∈ O as ORCON (in organization X).
X allows o to be disclosed to subjects acting on behalf of another organization Y with the restrictions:
  1. o cannot be released to a subject in another organization without X's permission; and
  2. Any copy of o must have the same restrictions placed on it.

25

Difference between DAC and MAC
DAC allows the owner to set any permission.
MAC depends on centralized control.
ORCON is inherently decentralized (important).

26

Combine MAC and DAC
The owner does not control access after the object is copied; the access control restrictions are copied with the object. This is not DAC (the owner can't control them). Is it MAC?
The creator (originator) can alter access control restrictions on a per-subject and per-object basis. This is DAC (the owner can control it).

27

Key Points
The Chinese wall policy focuses on conflict of interest; information flows only inside each CD.
RBAC is a policy-neutral model; it uses roles to simplify the administration of access control.
ORCON is different from DAC and MAC; enforcement is a much bigger issue.

28

Overview
Chinese Wall Model
RBAC
ORCON
Clinical Information Systems Security Policy

29

Clinical Information Systems Security
Prototypical HIPAA; intended for medical records.
Conflict of interest is not the critical problem; patient confidentiality, authentication of records and annotators, and data integrity are critical.
Subjects and objects:
  Patient: subject of medical records.
  Clinician: health-care professional with access to personal health information ONLY while doing their job.
  Personal health information: data about a patient's health or treatment that identifies the patient.

30

Principles
Originated in medical ethics (e.g. the Hippocratic Oath).
Principles: Access, Creation, Deletion, Confinement, Aggregation, Enforcement.

31

Access 1
Principle 1: Each medical record has an access control list naming the individuals or groups who may read and append information to the record. The system must restrict access to those identified on the access control list.
Clinicians need access, but no one else does. Auditors have access to copies, but they cannot alter records.

32

Access 2 and 3
Principle 2: One of the clinicians on the ACL must have the right to add other clinicians to it. This is the responsible clinician.
Principle 3: This clinician must notify the patient of the names on the ACL whenever the patient's medical record is opened. Except for situations given in statutes, or a state of emergency, the clinician must obtain the patient's consent.
The patient must consent to all treatment, and must be informed of any violation of security.

33

Access 4
Principle 4: The name of the clinician, the date, and the time of the access of a medical record must be recorded. Similar information must be kept for deletions.
This is for auditing. Don't delete information; update it (deletion of records only after death or when required by law). Record information about all accesses.

34

Creation
A clinician may open a record if the clinician and the patient are on the ACL. If a record is opened as a result of a referral, the referring clinician may also be placed on the ACL.
The creating clinician needs access, and the patient should have access.
If created from a referral, the referring clinician needs access to get the results.

35

Deletion
Clinical information must not be deleted from a medical record until the appropriate time has passed.
That is during the patient's lifetime; it may vary with circumstances (8 years or longer).

36

Confinement
Information from one medical record may be appended to a different medical record iff the ACL of the second record is a subset of the ACL of the first.
This keeps information from leaking to unauthorized users: everyone who can see the second record is already on the access control list of the first.

37

Aggregation
Measures for preventing aggregation of patient data must be effective. In particular, a patient must be notified if anyone is to be added to the ACL of his or her record and if that person has access to a large number of medical records.
The fear is that a corrupt investigator may obtain access to a large number of records, correlate them, and discover private information about individuals which can then be used for nefarious purposes (such as blackmail).
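Added example (not from the slides or the policy they summarize): a toy Python medical-record store that enforces the access principles 1 to 4, the creation rule, the confinement rule and the aggregation notification from slides 31 to 37 in one place. The ClinicalStore class, the clinician and patient names, the fixed clock and the threshold used to mean "a large number of records" are constructed assumptions of this example.

```python
# Added example, not from the slides or the policy text they summarize: a toy
# medical-record store enforcing the access, creation, confinement and
# aggregation principles from slides 31 to 37. Names, the fixed clock and the
# aggregation threshold are constructed assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone

AGGREGATION_THRESHOLD = 3   # assumed meaning of "a large number of records" here


@dataclass
class Record:
    patient: str
    responsible: str             # Principle 2: the clinician who may extend the ACL
    acl: set
    entries: list = field(default_factory=list)
    audit: list = field(default_factory=list)


class ClinicalStore:
    def __init__(self, clock):
        self.records = {}
        self.notifications = []   # messages sent to patients
        self.clock = clock

    def _log(self, rec, who, action):                 # Principle 4: who, when, what
        rec.audit.append((who, self.clock().isoformat(), action))

    def _check_acl(self, who, rec):                   # Principle 1
        if who not in rec.acl:
            raise PermissionError(f"{who} is not on the ACL of {rec.patient}'s record")

    def open_record(self, rec_id, clinician, patient, referrer=None):
        """Creation: clinician and patient on the ACL, plus the referrer if any."""
        acl = {clinician, patient} | ({referrer} if referrer else set())
        rec = Record(patient, clinician, acl)
        self.records[rec_id] = rec
        self._log(rec, clinician, "open")
        self.notifications.append(f"{patient}: {rec_id} opened, ACL={sorted(acl)}")  # Principle 3
        return rec

    def records_accessible_by(self, who):
        return sum(1 for r in self.records.values() if who in r.acl)

    def add_to_acl(self, requester, rec_id, newcomer):
        rec = self.records[rec_id]
        if requester != rec.responsible:              # Principle 2
            raise PermissionError(f"{requester} is not the responsible clinician")
        seen = self.records_accessible_by(newcomer)   # Aggregation principle
        if seen >= AGGREGATION_THRESHOLD:
            self.notifications.append(f"{rec.patient}: WARNING {newcomer} already has access to {seen} records")
        rec.acl.add(newcomer)
        self._log(rec, requester, f"acl+{newcomer}")
        self.notifications.append(f"{rec.patient}: {newcomer} added to ACL of {rec_id}")

    def read(self, who, rec_id):
        rec = self.records[rec_id]
        self._check_acl(who, rec)
        self._log(rec, who, "read")
        return list(rec.entries)

    def append(self, who, rec_id, text):
        """Records are append-only; there is deliberately no delete or overwrite."""
        rec = self.records[rec_id]
        self._check_acl(who, rec)
        rec.entries.append(text)
        self._log(rec, who, "append")

    def transfer(self, who, src_id, dst_id, index):
        """Confinement: append an entry of src to dst iff ACL(dst) is a subset of ACL(src)."""
        src, dst = self.records[src_id], self.records[dst_id]
        self._check_acl(who, src)
        self._check_acl(who, dst)
        if not dst.acl <= src.acl:
            raise PermissionError(f"ACL of {dst_id} is not a subset of ACL of {src_id}")
        dst.entries.append(src.entries[index])
        self._log(dst, who, f"append-from:{src_id}")


def ward_scenario():
    store = ClinicalStore(clock=lambda: datetime(2015, 12, 16, 9, 0, tzinfo=timezone.utc))
    store.open_record("rec-1", "DrA", "PatientP")
    store.open_record("rec-2", "DrA", "PatientP", referrer="DrB")   # opened on referral
    store.append("DrA", "rec-1", "BP 120/80")
    store.append("DrB", "rec-2", "referral note")
    results = {}
    try:
        store.read("DrB", "rec-1")                    # DrB is not on rec-1's ACL
        results["drb_reads_rec1"] = True
    except PermissionError:
        results["drb_reads_rec1"] = False
    try:                                              # ACL(rec-2) contains DrB: not a subset
        store.transfer("DrA", "rec-1", "rec-2", 0)
        results["rec1_to_rec2"] = True
    except PermissionError:
        results["rec1_to_rec2"] = False
    store.transfer("DrA", "rec-2", "rec-1", 0)        # ACL(rec-1) is a subset of ACL(rec-2)
    results["rec1_entries"] = store.read("PatientP", "rec-1")
    for i, patient in enumerate(["PatientQ", "PatientR", "PatientS"], start=3):
        store.open_record(f"rec-{i}", "DrA", patient)
        store.add_to_acl("DrA", f"rec-{i}", "Researcher")   # three records so far
    store.add_to_acl("DrA", "rec-1", "Researcher")          # fourth: triggers the warning
    results["aggregation_warning"] = any("WARNING" in n for n in store.notifications)
    results["rec1_audit_actions"] = [a for _, _, a in store.records["rec-1"].audit]
    return results
```

Two design points follow the deck rather than convenience: the store exposes no delete or overwrite operation, so the deletion principle of slide 35 can only be implemented as a separate, time-gated administrative step, and the confinement check compares whole ACLs, so a referral record (which carries the referring clinician) can feed the main record but not the other way round.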

38

Enforcement
Any computer system that handles medical records must have a subsystem that enforces the rules.
The effectiveness of enforcement must be evaluated by independent auditors.
This policy has to be enforced, and the enforcement mechanisms must be auditable (and audited).

39

Comparison
BLP imposes a lattice structure on subjects/objects.
Clark-Wilson provides a framework:
  CDIs are medical records.
  TPs are functions updating records and access control lists.
  IVPs certify that:
    a person identified as a clinician is one;
    a clinician validates, or has validated, information in the medical record;
    when someone is to be notified of an event, the notification occurs; and
    when someone must give consent, the operation cannot proceed until it is obtained.
  Auditing (CR4) requirement: make all records append-only, and notify the patient when the access control list is changed.