"Data can easily find itself in danger of being accessed by 'bad guys,'" said emeritus professor of computer science Gio Wiederhold, whilst speaking about trusted information databases on February 14th in Seattle at the annual meeting of the American Association for the Advancement of Science (AAAS). "Passwords and other means of access control are okay, but additional security mechanisms are needed to provide security." To ensure that data records are not released into the wrong hands, Wiederhold suggests adding filters to outgoing data.

Traditional security systems often utilise access control in which passwords are the key to identifying authorised users and granting them access to data. The good news about traditional systems, says Wiederhold, is that 'bad guys' must employ multiple 'hacks' to get past the firewalls, operating systems and the database security itself. The bad news is that because the filter is at the level of user access, security stops once a user gains access to material authorised for his or her role. If a good guy turns bad - as in the case where a disgruntled employee with access privileges decides to do some damage - the database becomes endangered.

A severe disadvantage to the access-driven security model is that it requires that all of the contents be well organised and placed into neat bins for access by those with authorised roles. Protection is poor for data that is complex, multipurpose, unstructured, formatted as images, or now used for roles not recognised when the data was first collected. Medical records, for instance, are nearly impossible to organise for all the roles that they serve.

The most serious issue is that access control does not consider collaboration. For instance, in a medical setting, many types of users legitimately need access to patient data, and their legitimate access rights intersect in many ways. A document given to a researcher in a specific area, say cardiac disease, may also include information about pregnancy, psychological profile, or HIV status. Because of their holistic role, patient medical records cannot be organised to separate all of those aspects. Simply removing patient identification from every separate aspect of a patient's record disables research, since long-term follow-up and integration of data from encounters at diverse sites are needed.

Wiederhold says that filters can and should check outgoing documents for terms warranting more protection.

"When these [medical] and other databases are designed, the possible uses and security needs cannot be fully considered," Wiederhold says. If a company outsources work to a consultant, the consultant needs access to the company database. By using release control - which monitors the contents of documents being delivered to the requestor - alongside traditional access control, the consultant is restricted to material that is relevant to a particular project, Wiederhold says. The databases need not be redesigned to reclassify or remove data that is inappropriate or proprietary.

Protecting data before it gets released means vetting the contents of documents retrieved from internal files, Wiederhold says. Document release protection may be desirable for diverse systems with data output, such as e-mail, file systems, databases and websites. Such filters are already operational in e-mail systems employing "dirty word" filters and in military systems that "fuzzify" shared data so that it can only be seen clearly using specially supplied equipment.

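An added illustration, not part of the article, of the two-layer scheme described above: traditional access control decides whether a role may open the record store at all, then a term-based release filter vets the outgoing document so that a cardiac researcher receives the cardiac material and the pseudonymous ID needed for follow-up, while out-of-scope aspects are withheld and logged. The role names, deny-term policy and patient record are all constructed for this example.

```python
# Added example: release control layered on access control, in the spirit of
# Wiederhold's proposal. All roles, terms and records below are constructed.
from dataclasses import dataclass, field

# Step 1 policy, traditional access control: which roles may open which store.
ROLE_ACCESS = {
    "cardiac_researcher": {"patient_records"},
    "clinician": {"patient_records"},
}

# Step 2 policy, release control: "dirty word" stems that must not leave the
# system in a document delivered to that role. A term list only catches what
# it names, so it supplements access control rather than replacing it.
RELEASE_DENY_TERMS = {
    "cardiac_researcher": ("pregnan", "hiv", "psycholog"),
    "clinician": (),
}

@dataclass
class ReleaseDecision:
    allowed: bool                 # False when access control refused the request
    document: str                 # vetted text actually handed to the requester
    redactions: list[str] = field(default_factory=list)  # withheld lines, for audit

def release(role: str, resource: str, document: str) -> ReleaseDecision:
    """Apply access control, then vet each outgoing line against the role's terms."""
    if resource not in ROLE_ACCESS.get(role, set()):
        return ReleaseDecision(False, "", ["access denied"])
    deny = RELEASE_DENY_TERMS.get(role, ())
    out, withheld = [], []
    for line in document.splitlines():
        if any(term in line.lower() for term in deny):
            withheld.append(line.strip())          # keep for the audit log, never ship
            out.append("[withheld: outside the scope of this request]")
        else:
            out.append(line)
    return ReleaseDecision(True, "\n".join(out), withheld)

# Constructed holistic record: the pseudonymous ID stays so long-term follow-up
# still works; only the aspects outside the cardiac project are filtered out.
SAMPLE_RECORD = """Patient ID: P-0001 (constructed)
Cardiac: ejection fraction 45%, stent placed 2003
Obstetric: pregnancy, second trimester
Psychological profile: mild anxiety
Serology: HIV negative"""

if __name__ == "__main__":
    decision = release("cardiac_researcher", "patient_records", SAMPLE_RECORD)
    print(decision.document, "\nwithheld for audit:", decision.redactions)
```

Substring stems also trip on unrelated words (for instance "hiv" inside "archive"), which is one reason release control is presented as a supplement to access control rather than a replacement for it.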
As data increases in complexity, it becomes increasingly difficult to define a good security model that works well for different types of collaborating users. Recognising that we must allow access to many types of users means that a simple good guy/bad guy access model is inadequate. While access control working alongside release control will improve the protection of privacy, complex security definitions may conflict with each other or even form security holes, Wiederhold says. "The scope of potential use of data is so large that no approach that relies on any specific data organisation will be adequate for all future needs," he says. "But relying only on access control is certainly inadequate."

Date: 17th February 2004 | Region: N.America/World | Type: Article | Topic: ISM