Jeremy Hilton & Pete Burnap {Jeremy.hilton}{p.burnap}@cs.cardiff.ac.uk

Self Protecting Information for De-perimeterised Electronic Relationships (SPIDER)

Post on 21-Oct-2014

DESCRIPTION

This presentation describes the results of a project (SPIDER) that has developed a proof-of-concept for fine-grained information access control, and communication of controls using a concept derived from Creative Commons called Protective Commons.

TRANSCRIPT

Page 1: Self-Protecting Information for De-Perimiterised Electronic Relationships

Jeremy Hilton & Pete Burnap {Jeremy.hilton}{p.burnap}@cs.cardiff.ac.uk

Self Protecting Information for De-perimeterised Electronic Relationships

(SPIDER)

Page 2

•  The way people work is changing
•  Web 2.0 technology and Cloud computing is supporting/driving a collaborative, on-demand culture
•  Virtual Organisations are frequently used to support collaborative, distributed working
   •  Government Services (Transformational Government)
   •  Medical (Patient Records)
   •  Research (e-Research)
•  Inter-disciplinary organisations contribute content, others have access to the content

Page 3

•  With the change to UK Data Protection laws meaning Government Data Controllers face civil action as well as financial penalties following a data breach, what is the impact of current information security limitations?
•  Information needs to be shared to support collaborative working, but the risk of sharing information appears very high considering the latest data losses (UK HMRC, 25 million records)
•  As a result HMRC have completely locked down their systems when it comes to taking data outside the perimeter

Page 4

“In relation to rights, the Government believes piracy of intellectual property for profit is theft and will be pursued as such through the criminal law. The civil infringement of taking someone else’s intellectual property or passing it on to others through file-sharing without any compensating payment is, in plain English, wrong. However, the Government also believes, and the evidence suggests, that most people, given a reasonable choice would much prefer not to do wrong or break the law…”

Page 5

“Personal data is the new currency of the digital world. Privacy and security of that data is an increasingly critical issue. The Information Commissioner is developing a new Code of Practice “Personal Information Online” for publication later this year. The Prime Minister has appointed Sir Tim Berners-Lee to form a panel of experts to deliver better use of public data. Effective self-regulation is also vital…”

Page 6

•  #2 Define the information architecture

Pages 7 to 12 (no transcript text)

Page 13

Developed to control information sharing between G8 countries, Business Impact levels added.

Page 14

Zones of the information architecture, from least to most controlled:

•  Uncontrolled (Public): The uncontrolled environment outside the control of Org X.
•  Controlled: This is where the lowest levels of control are applied to manage Information Assets, with the prime goals of managing Availability and Compliance.
•  External Controlled: Similar to the Controlled Zone but owned/operated by an external organisation.
•  Restricted: The Restricted Zone is the next higher level of security above Controlled. Access is restricted to authenticated users or processes. Most data processing and storage occurs here. Information Access limited to pre-defined groups made up of authenticated principals.
•  External Restricted: Similar to the Restricted Zone but owned/operated by a business partner. The trust relationship is stronger than that in the External Controlled Zone. Information Access limited to groups of authenticated principals.
•  Secured: This zone is the most secured area within the architecture. Access should be limited to highly trusted principals. Information Access limited to named principals only.
•  External Secured: This zone is similar to the Secured Zone but is owned and operated by a business partner. The trust relationship between Org X and the business partner is stronger than in the Restricted Zones. Information Assets: Distributed to named individuals only.
•  Managed: Belongs to IT and is used to administer servers, network devices and other managed devices. May be implemented with secure sessions (SSH), separate out-of-band networks or greater controls on Admin devices.

Page 15

Attribution: The Open Group

Page 16

•  Traditional access control applied:
   •  At or within a network perimeter
   •  To the entire resource
•  Information often required to be shared outside of the perimeter (in VOs) for collaboration
•  Information resources often made up of content with varying access control requirements
•  What are the issues?
   •  Persistent control of information
   •  Changes/Differences in Access Control Requirements
      •  Intellectual Property (Research Data)
      •  Data in the cloud
   •  Changes/Differences in Data Protection Requirements
      •  Confidentiality (Medical Record)
      •  Commercial Data (Financial Report)

Page 17

•  Encryption can be used, but once keys are shared the data controller loses persistent control of the shared information under the traditional model
•  Entire-resource protection means all information is controlled in accordance with the highest-level requirement and with an individual label
•  Both reduce the potential for information sharing and collaboration

Page 18

•  SPIDER is concerned with the accurate, distributed, auditable and persistent control of information in collaborative working environments (VOs)
•  Considers the following issues:
   •  How can you protect shared information to the required level of granularity, and in such a way that you can modify access privileges at any time, even after it has left the perimeter?
   •  How can you provide information on the access controls granted and the people in possession of information at any point in time following a data breach?
   •  How can you make a case for prosecution against a malicious individual who has misused your information?

Page 19

•  SPIDER aims to break down information content within a single resource, classify the content based on protection requirements, and communicate the control requirements:
   •  Icon-based labelling
   •  Human- and machine-readable controls
   •  Security labels based on the classification added to the content as metadata
   •  Labels bound to a centralised access control policy for the resource
   •  Content encrypted and distributed
   •  Information accessed using an on-demand secure access client
   •  Access privileges and current information holders auditable

Page 20

Adapting the creative commons approach for information classification and control

Pages 21 and 22 (no transcript text)

Page 23

•  A set of licenses that are flexible enough to let you add as many or as few restrictions on your work as you like
•  Expressed in 3 different formats:
   •  Lawyer-readable
   •  Human-readable
   •  Machine-readable
•  www.creativecommons.org

Page 24

•  A set of classifications that are flexible enough to let you define and communicate the controls to be applied to your information
•  May be combined with Creative Commons licenses
•  Expressed in 3 different formats:
   •  Security Officer-readable
   •  Human-readable
   •  Machine-readable

Page 25

Classification categories: Confidentiality, Authentication, Use, Integrity

Protective Commons labels:
•  CA – Community Access
•  RA – Restricted Access
•  PI – Personal Information
•  OO – Organisation Only
•  ND – Non-Disclosure
•  CG – Corporate Governance
•  SD – Safe Disposal
•  CU – Controlled Until
•  AB – Authorised By
•  AD – Approved for Disclosure
•  OA – Open Access

Creative Commons elements shown alongside (marked “cc” on the slide):
•  BY – Attribution
•  ND – Non-Derivatives

Page 26

Restricted Access

•  The information is restricted to the nominated recipients
•  The owner of the information will nominate the authorised recipients
•  The owner may delegate responsibility for nominating authorised recipients

Page 27

Personal Information

•  The information contains personal information and consideration must be made before sharing the information
•  This classification is likely to be used in conjunction with other labels such as

Page 28

Binding Policy to data and technical implementation

Page 29

Document structure:

<Document Identifier>
<serverLocation> – web address of the Access Request Web Service
<content label="Classification-X"> … </content>
<content label="Classification-Y"> … </content>
<content label="Classification-Z"> … </content>

Slide markers: Encrypted / Unencrypted

•  Each section of classified content is wrapped in an XML nest with its own parent element (the <content> element). Each parent element has a "label" attribute whose value is the classification label assigned to that section.
•  The access control tables in the access control database, located on the "server side" (the information controller), contain user identity details alongside a list of the classification labels the user is permitted to access.
•  Because of the structured nature of the document, the content held between the <content>…</content> elements can only be accessed by a user if their document-specific access privileges contain the label representing the content classification.

Page 30

Encrypted Content:

<Classification Level X> Identity Details </Classification Level X>
<Classification Level Y> Medical History </Classification Level Y>
<Classification Level Z> Current Medication </Classification Level Z>
.....

Page 31

Diagram: architecture overview
•  Information Controller: Access Control DB, PKI, Access Request Web Service, Crypto Key DB
•  Client: SPIDER Application, Shared Content (Encrypted), Content, User Certificate
•  Exchanged between client and Information Controller: Document Identifier, User ID Details

Page 32

Diagram: access request at the Information Controller
•  The Access Request Web Service receives the Document Identifier and User ID Details
•  Access Control DB: Document Access Control Tables, one Doc-Specific Table per Document Identifier, mapping User ID Details to Doc-Specific Access Privileges
•  If User Verification = TRUE: the Document Identifier is looked up in the Cryptography Key DB for the Doc-Specific Crypto Key
•  Returned to the client: Doc-Specific Access Privileges and Doc-Specific Crypto Key

Page 33

Client: the SPIDER Application receives the Content, Doc-Specific Access Privileges and Doc-Specific Key

•  Apply Doc-Specific crypto key (Decrypt)
•  Parse information for content tagged with labels contained in the Access Privileges
•  Display unrestricted content to user

Page 34

Collaborator

Encrypted Content:

<Classification Level X> Identity Details </Classification Level X>
<Classification Level Y> Medical History </Classification Level Y>
<Classification Level Z> Current Medication </Classification Level Z>
.....

Decrypt key & access privileges, e.g. Access to: Classification X & Z

Information Displayed: Identity Details, Current Medication
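The document layout on page 29 and the access flow on pages 31 to 34, as an added Python example that is not the SPIDER project's own code. The Protective Commons codes from page 25 are used as section labels in place of the slides' Classification-X placeholders; the access control table, key store, user records, the certificate-fingerprint check standing in for the PKI step, and the HMAC-based keyed stream standing in for a real cipher are all assumptions made for illustration.

```python
# Added example (not the SPIDER project's code): a minimal model of the
# document layout on page 29 and the access flow on pages 31 to 34.
# All names, tables and the keyed-stream stand-in for a real cipher are
# assumptions for illustration.
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

DOC_ID = "doc-0001"

# Constructed sample document: each section is a <content> element whose
# label attribute carries its classification (Protective Commons codes from
# page 25 stand in for the slides' Classification-X placeholders).
DOCUMENT_XML = (
    '<document id="doc-0001">'
    '<serverLocation>https://example.invalid/access-request</serverLocation>'
    '<content label="RA">Identity Details</content>'
    '<content label="PI">Medical History</content>'
    '<content label="CA">Current Medication</content>'
    '</document>'
)

# Information-controller side (page 32): doc-specific access control table,
# doc-specific key store, and a certificate fingerprint lookup standing in
# for the PKI check. All values are constructed.
ACCESS_CONTROL_DB = {
    ("doc-0001", "alice"): {"RA", "CA"},
    ("doc-0001", "bob"): {"CA"},
}
CRYPTO_KEY_DB = {"doc-0001": os.urandom(32)}
USER_CERTS = {"alice": "fp-alice", "bob": "fp-bob"}
TAG_LEN = 32


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy keyed stream (HMAC-SHA256 over a block counter), used for both
    directions. A stand-in for an authenticated cipher such as AES-GCM;
    not for production use."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_document(doc_id: str, xml_text: str) -> bytes:
    """Encrypt the whole resource under its doc-specific key and append an
    HMAC tag so a tampered or mismatched copy is rejected on decryption."""
    key = CRYPTO_KEY_DB[doc_id]
    ciphertext = keystream_xor(key, xml_text.encode())
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def access_request(doc_id: str, user_id: str, cert_fingerprint: str):
    """Access Request Web Service (page 32): verify the user, look up the
    doc-specific table, and only then release the key together with the
    labels this user may read. Returns None when any step fails."""
    if USER_CERTS.get(user_id) != cert_fingerprint:
        return None                      # User Verification = FALSE
    privileges = ACCESS_CONTROL_DB.get((doc_id, user_id))
    if not privileges:
        return None                      # no entry in the doc-specific table
    return CRYPTO_KEY_DB[doc_id], frozenset(privileges)


def client_view(encrypted: bytes, key: bytes, privileges: frozenset):
    """SPIDER client (page 33): check the tag, decrypt, then keep only the
    <content> sections whose label is in the granted privileges."""
    ciphertext, tag = encrypted[:-TAG_LEN], encrypted[-TAG_LEN:]
    expected = hmac.new(key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("content tampered with or wrong key")
    root = ET.fromstring(keystream_xor(key, ciphertext).decode())
    return [(c.get("label"), c.text) for c in root.findall("content")
            if c.get("label") in privileges]


def fetch_and_view(doc_id, user_id, cert_fingerprint, encrypted):
    """End-to-end flow of pages 31 to 34 for one collaborator."""
    grant = access_request(doc_id, user_id, cert_fingerprint)
    if grant is None:
        return []                        # nothing released, nothing shown
    key, privileges = grant
    return client_view(encrypted, key, privileges)


if __name__ == "__main__":
    shared = encrypt_document(DOC_ID, DOCUMENT_XML)
    print(fetch_and_view(DOC_ID, "alice", "fp-alice", shared))
    print(fetch_and_view(DOC_ID, "bob", "fp-bob", shared))
```

The point the slides make is visible in `fetch_and_view`: the key never travels without the label set, and the client filters on labels rather than receiving a pre-cut document, so the same encrypted copy can be shared with every collaborator. The tag check in `client_view` is the one addition a practitioner would insist on, since an unauthenticated ciphertext lets a holder alter a label and widen what a later reader sees.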

Page 35

•  Very similar to the DRM model, except that content can be controlled at different levels of restriction, and the policy is bound to a central point of control and can be modified at a later date
•  DRM is quite often seen as a “disabler”. This approach is positioned very much as an “enabler”, but a transparent one: a model that supports secure information sharing through auditability and transparency of action
•  The persistent link to a central point of control allows audit to determine who had access privileges at the point of information misuse
•  In addition, this allows modifications to be recorded

Page 36

•  Absolute security is arguably impossible to achieve
•  This approach supports modifiable controls on distributed information and transparent capture of information modification action
•  It is positioned in the collaborative, distributed working domain to assist organisations such as Government departments to work securely and collaboratively
•  Data misuse can be traced, reported and dealt with. Arguably more “appropriate technical and organisational measures” than currently exist
•  Makes it viable for data controllers to share information
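Pages 35 and 36 rest on the central point of control keeping a record of policy changes and of what it actually released. The following added Python example, which is not the project's code, models such a record for one document; the event structure, timestamps and sample scenario are constructed assumptions. It separates who was entitled to a label at a given time from who had already been served content carrying it, which is the question page 18 poses after a breach.

```python
# Added example (not the SPIDER project's code): an append-only audit record
# for one document's access policy and key releases. Event fields, the
# timestamps and the scenario in build_sample_audit() are constructed.
from dataclasses import dataclass, field
from typing import FrozenSet, List


@dataclass(frozen=True)
class PolicyEvent:
    """One recorded change to a document's access control table."""
    time: int      # constructed timestamps, small integers for readability
    actor: str     # who made the change (owner or a delegate, page 26)
    user: str      # subject whose privileges change
    label: str     # classification label, e.g. a Protective Commons code
    action: str    # "grant" or "revoke"


@dataclass(frozen=True)
class AccessEvent:
    """One successful key release by the Access Request Web Service."""
    time: int
    user: str
    labels: FrozenSet[str]


@dataclass
class DocumentAudit:
    doc_id: str
    policy: List[PolicyEvent] = field(default_factory=list)
    accesses: List[AccessEvent] = field(default_factory=list)

    def change(self, time: int, actor: str, user: str, label: str, action: str):
        """Record a policy modification rather than overwriting the table."""
        if action not in ("grant", "revoke"):
            raise ValueError(f"unknown action {action!r}")
        self.policy.append(PolicyEvent(time, actor, user, label, action))

    def privileges_at(self, user: str, time: int) -> FrozenSet[str]:
        """Replay the policy log up to and including `time` for one user."""
        labels = set()
        for ev in sorted(self.policy, key=lambda e: e.time):
            if ev.time > time or ev.user != user:
                continue
            if ev.action == "grant":
                labels.add(ev.label)
            else:
                labels.discard(ev.label)
        return frozenset(labels)

    def record_access(self, time: int, user: str) -> FrozenSet[str]:
        """Called when a request is served: log exactly what was released."""
        labels = self.privileges_at(user, time)
        if labels:
            self.accesses.append(AccessEvent(time, user, labels))
        return labels

    def holders_at(self, label: str, time: int) -> FrozenSet[str]:
        """Who was entitled to `label` at `time` (the policy view)."""
        users = {ev.user for ev in self.policy}
        return frozenset(u for u in users if label in self.privileges_at(u, time))

    def possessors_by(self, label: str, time: int) -> FrozenSet[str]:
        """Who had actually been served content carrying `label` by `time`
        (the possession view page 18 asks for after a breach)."""
        return frozenset(a.user for a in self.accesses
                         if a.time <= time and label in a.labels)

    def who_changed(self, user: str, label: str):
        """Trace of every grant/revoke affecting one user and label."""
        return [(ev.time, ev.actor, ev.action) for ev in self.policy
                if ev.user == user and ev.label == label]


def build_sample_audit() -> DocumentAudit:
    """Constructed scenario: owner grants, a delegate revokes, with
    accesses served in between."""
    audit = DocumentAudit("doc-0001")
    audit.change(100, "owner", "alice", "RA", "grant")
    audit.change(100, "owner", "alice", "PI", "grant")
    audit.change(110, "owner", "bob", "RA", "grant")
    audit.record_access(120, "alice")        # released RA and PI
    audit.record_access(130, "bob")          # released RA
    audit.change(140, "delegate", "bob", "RA", "revoke")
    audit.record_access(150, "bob")          # nothing released
    return audit
```

Running the scenario, `holders_at("RA", 150)` no longer includes bob, but `possessors_by("RA", 150)` still does: revoking a privilege stops future releases, while the audit record is what tells the data controller which earlier recipients must be followed up. That distinction is what page 17's remark about losing control once keys are shared comes down to in practice.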

Page 37 (no transcript text)

Page 38

Developed by Shada Al-Salamah as part of an MSc Project

Pages 39 to 41 (no transcript text beyond the same attribution as page 38)

Page 42

Avon & Somerset Criminal Justice Board - PRIMADS

Page 43

•  Multi-Agency environment
   •  Police
   •  Courts Service
   •  Probation Service
   •  Lawyers
   •  Social Services
   •  Health, etc.
•  Offender management
   •  Privacy issues in data shared during arrest, prosecution and detention
   •  Release under licence

Page 44

•  Changing individuals’ behaviour such that:
   •  the need for safe handling of information is understood & accepted; and
   •  controls agreed and applied
•  Because the individuals choose to, not because they are told to.

Pages 45 and 46 (no transcript text)

Page 47

•  ASCJS workshops confirmed the usefulness of the scenario-based risk assessment and icon-based approach for communicating controls
•  Identified a number of additional benefits that contributed to an increased understanding of the distributed community and the need for controls
•  In addition, they expressed an interest in the ability to implement a technical solution to provide fine-grained access to data-sharing in a collaborative, distributed environment

Page 48 (no transcript text)