Why provenance needs its own security model Uri Braun PASS Team Harvard University Workshop on Principles of Provenance November 19-20, ‘07.


1 Why provenance needs its own security model
Uri Braun, PASS Team, Harvard University
Workshop on Principles of Provenance, November 19-20, '07

2 January 8, '07 Slide 2 (of 22)
Provenance needs security
Many provenance applications involve sensitive data:
Regulatory Compliance, Electronic Medical Records, National Security Intelligence

3 National Intelligence Estimate: Data v. Provenance Sensitivity
[Diagram labels]
- Vice Chair: cp vice.txt /shared/
- Chair: cp chair.txt /shared/
- Special Advisor: cp advisor.txt /shared/
- cat /shared/*.txt | uniq
- National Intelligence Estimate
- Public: cannot read

4 Outline
- Motivation
- Provenance needs its own security model
- Related Work
- Recap

5 Provenance needs its own security model
Sensitivity(Provenance) ≠ Sensitivity(Data)
Can have cases where sensitivity of:
- Data > Provenance
- Provenance > Data

6 Performance Review: Data v. Provenance Sensitivity
[Diagram labels]
- Employee: can read
- Employee: cannot read
- X X
- cp peer1 & 2's s and edit
- to Peer1, to Peer2
- mail -s "Joe's Review" peer1, peer2
- Employee: cannot read
- Manager's
- mail -s "RE: Joe's Review" manager
- Employee: cannot read
- from Peer1, from Peer2

7 National Intelligence Estimate: Data v. Provenance Sensitivity
[Diagram labels]
- Vice Chair: cp vice.txt /shared/
- Chair: cp chair.txt /shared/
- Special Advisor: cp advisor.txt /shared/
- cat /shared/*.txt | uniq
- National Intelligence Estimate
- Public: cannot read

8 Different from traditional security models
- Requires attributes different from existing security models
- Relationships fundamentally different
- Leak information differently

9 Performance Review: Relationship Leak
[Diagram labels]
- Employee: can read
- Employee: cannot read
- X X
- cp peer1 & 2's s and edit
- to Peer1, to Peer2
- mail -s "Joe's Review" peer1, peer2
- Employee: cannot read
- Manager's
- mail -s "RE: Joe's Review" manager
- Employee: cannot read
- from Peer1, from Peer2

10 Relationships leak information
in combination with
- Seemingly unrelated other relationships
- World knowledge
- Mere existence of a relationship
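
The performance-review scenario from the preceding slides, as an added sketch that is not part of the talk: it contrasts guarding provenance with the data label, redacting with placeholders, and checking each relationship against its own label. The class, method and object names and the ACL sets are constructed for illustration.

```python
# Added illustration, not from the talk: data and provenance carry separate labels.
# All names and ACL sets are constructed from the slide's performance-review labels.
from dataclasses import dataclass

@dataclass(frozen=True)
class Edge:
    child: str                # derived object
    parent: str               # object it was derived from
    prov_readers: frozenset   # who may learn that this relationship exists

class ProvStore:
    def __init__(self):
        self.data_readers = {}   # object name -> principals who may read contents
        self.edges = []

    def add(self, name, readers):
        self.data_readers[name] = frozenset(readers)

    def derive(self, child, parent, prov_readers):
        self.edges.append(Edge(child, parent, frozenset(prov_readers)))

    def can_read(self, who, name):
        return who in self.data_readers[name]

    def ancestry_data_acl(self, who, name):
        # Weak: provenance guarded only by the child's data label.
        if not self.can_read(who, name):
            return []
        return [e.parent for e in self.edges if e.child == name]

    def ancestry_redacted(self, who, name):
        # Still leaks: placeholders reveal that relationships exist, and how many.
        return [e.parent if who in e.prov_readers else "<hidden>"
                for e in self.edges if e.child == name]

    def ancestry(self, who, name):
        # Each relationship is checked against its own label; hidden edges vanish.
        return [e.parent for e in self.edges
                if e.child == name and who in e.prov_readers]

def build_review_store():
    s = ProvStore()
    s.add("review", {"manager", "employee"})
    s.add("mail_from_peer1", {"manager"})
    s.add("mail_from_peer2", {"manager"})
    s.derive("review", "mail_from_peer1", {"manager"})
    s.derive("review", "mail_from_peer2", {"manager"})
    return s
```

Per-relationship labels cover only the direct and existence leaks; inference from world knowledge or from other relationships, which slide 10 also lists, is outside what this sketch handles.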

11 Outline
- Motivation
- Provenance needs its own security model
- Related Work
  - Provenance Projects
  - Aggregation
  - Applications
- Recap

12 PASOA
Does:
- Ensure non-repudiation
- Federate identity
- Obscure portions of records
Does not:
- Consider relationships
- Provide fine grained access control
[Groth, et al. D3.1.1: An Architecture for Provenance Systems]

13 myGrid
Does:
- Authentication
- Access Control per repository
Does not:
- Consider relationships
- Fine grained access control
[Miles: myGrid Security Issues]
[Egglestone: Security in the myGrid project]

14 Aggregate queries
- May help understand interaction among relationships
- Does not have a model for relationships
- No answers for:
  - Existence providing data
  - Combining with world knowledge

15 Information Flow
- Similar to aggregate queries in applicability
- How do we model:
  - Relationships
  - World knowledge
  - Existence

16 Audit logs
- Audit logs useful for security
- Security also useful for audit logs
- Current security is still binary
  - Total access
  - No access
[Radack: NIST SP : Guide to Computer Log Management]

17 Metadata security
- Metadata embedded in documents
- Word change history has led to many unintentional, well-publicized leaks
- Current solution is to remove metadata before publishing externally

18 Compliance
- Increasing interest in tightening financial oversight
- Growing focus on tracking the history of decisions
[Johnson: Intersections of Law and Technology in Balancing Privacy Rights with Free Information Flow]

19 Electronic Medical Records
- Medical records include provenance
- HIPAA laws mandate access controls
[Agrawal: Hippocratic Databases]

20 Outline
- Motivation
- Provenance needs its own security model
- Related Work
- Recap

21 Recap
- Provenance needs security
- Security needs are different
- No known directly applicable model

22 Questions?

