
1 Data and Applications Security Developments and Directions
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Lecture #23: Secure Knowledge Management and Web Security
April 2, 2006

2 Outline of the Unit
Background on Knowledge Management
Secure Knowledge Management
  Confidentiality: Access Control
  Privacy
  Trust Management
  Integrated System
Secure Knowledge Management Technologies
Directions

3 References
Proceedings Secure Knowledge Management Workshop
  Secure Knowledge Management Workshop, Buffalo, NY, September 2004
Secure Knowledge Management
  Bertino, Khan, Sandhu and Thuraisingham
  To be published in IEEE Transactions on Systems, Man and Cybernetics
This lecture is based on the above paper

4 What is Knowledge Management
Knowledge management, or KM, is the process through which organizations generate value from their intellectual property and knowledge-based assets
KM involves the creation, dissemination, and utilization of knowledge
Reference: management.htm?source=google

5 Knowledge Management Components
[Diagram: Components of Management: Components, Cycle and Technologies]
Components: Strategies, Processes, Metrics
Cycle: Knowledge Creation, Sharing, Measurement and Improvement
Technologies: Expert systems, Collaboration, Training, Web
Note: None of these things were endorsed by military acquisitions, but all have gradually started happening out of necessity and user requirements.

6 Organizational Learning Process
[Diagram labels: Identification, Creation, Diffusion (Tacit, Explicit), Integration, Modification, Action, Metrics, Incentives]
Overall focus is on learning actionable knowledge.
Organizations successful at KM generate and generalize knowledge:
  Generate - Create new knowledge and identify knowledge that exists inside and outside the organization
  Generalize - Transfer knowledge from person to person, group to group, organization to organization
Diffusion (tacit/explicit) - Tacit: dialogue. Explicit: someone creates an external representation of their understanding (Word, , PowerPoint).
Integration - Knowledge transfer only matters to the receiver. The person to whom knowledge is transferred must be open to new ideas and able to challenge assumptions in order to integrate it into their mental model.
Modification - Knowledge is never received “pure”; typically the receiver takes out the pieces that work for him/her.
Action - Important experiential knowledge is built through action. Wouldn’t expect someone to be able to <choose example> by reading a book or paper. Need tacit knowledge built up in action.
Need metrics to determine success in each area and to provide incentive. If it is not measured, it won’t get done. Focus of this MSR is on metrics and incentives for the diffusion process.
Examine available tools and develop tools for each area (i.e. Expert Finder (identification), CVW (diffusion), Invention Machine (integration), PowerSim (action)).
Source: Reinhardt and Pawlowsky

7 Aspects of Secure Knowledge Management (SKM)
Protecting the intellectual property of an organization
Access control including role-based access control
Security for process/activity management and workflow
  Users must have certain credentials to carry out an activity
Composing multiple security policies across organizations
Security for knowledge management strategies and processes
Risk management and economic tradeoffs
Digital rights management and trust negotiation

8 SKM: Strategies, Processes, Metrics, Techniques
Security strategies:
  Policies and procedures for sharing data
  Protecting intellectual property
  Should be tightly integrated with business strategy
Security processes:
  Secure workflow
  Processes for contracting, purchasing, order management, etc.
Metrics:
  What is the impact of security on the number of documents published and other metrics gathered
Techniques:
  Access control, Trust management

9 SKM: Strategies, Processes, Metrics, Techniques

10 Security Impact on Organizational Learning Process
[Diagram labels: Identification, Creation, Diffusion (Tacit, Explicit), Integration, Modification, Action, Metrics, Incentives]
What are the restrictions on knowledge sharing by incorporating security?

11 Security Policy Issues for Knowledge Management
Defining policies during knowledge creation
Representing policies during knowledge management
Enforcing policies during knowledge manipulation and dissemination

12 Secure Knowledge Management Architecture

13 SKM for Coalitions
Organizations form federations and coalitions to work together to solve a problem
  Universities, commercial corporations, government agencies
Challenge is to share data/information and at the same time ensure security and autonomy for the individual organizations
How can knowledge be shared across coalitions?

14 SKM Coalition Architecture
[Diagram: "Knowledge for Coalition" at the top, fed by three "Export Knowledge" boxes, each sitting above the "Component Knowledge" for Agency A, Agency B and Agency C respectively]
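
The coalition architecture of slides 13 and 14, combined with the policy stages of slide 11 (define at creation, enforce at dissemination), as an added Python sketch that is not part of the original lecture. The class names, the representation of a policy as a set of agency names, and the sample items are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class KnowledgeItem:
    owner: str             # agency that created the item
    title: str
    share_with: frozenset  # policy defined at creation: agencies allowed to read

@dataclass
class Agency:
    name: str
    component: list = field(default_factory=list)  # component knowledge, stays local

    def create(self, title, share_with=()):
        # The policy is attached when the knowledge is created; the owner keeps access.
        item = KnowledgeItem(self.name, title, frozenset(share_with) | {self.name})
        self.component.append(item)
        return item

    def export(self):
        # Export knowledge: only items whose policy names at least one other agency.
        return [i for i in self.component if i.share_with - {self.name}]

class Coalition:
    def __init__(self, agencies):
        self.members = {a.name for a in agencies}
        # Knowledge for the coalition is built only from what each agency exports,
        # so each agency keeps autonomy over what leaves its own component.
        self.pool = [i for a in agencies for i in a.export()]

    def read(self, requester):
        # Enforce each owner's policy at dissemination time; non-members get nothing.
        if requester not in self.members:
            return []
        return sorted(i.title for i in self.pool if requester in i.share_with)

def demo():
    # Constructed sample data for agencies A, B and C.
    a, b, c = Agency("A"), Agency("B"), Agency("C")
    a.create("A internal budget")                      # no partners: never exported
    a.create("A threat report", share_with={"B", "C"})
    b.create("B incident notes", share_with={"A"})
    c.create("C sensor catalogue", share_with={"A", "B"})
    coalition = Coalition([a, b, c])
    return {n: coalition.read(n) for n in ("A", "B", "C", "D")}

if __name__ == "__main__":
    for name, titles in demo().items():
        print(name, titles)
```
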

15 SKM Technologies
Data Mining
  Mining the information and determining resources without violating security
Secure Semantic Web
  Secure knowledge sharing
Secure Annotation Management
  Managing annotations about expertise and resources
Secure content management
  Markup technologies and related aspects for managing content
Secure multimedia information management

16 Directions for SKM
We have identified high level aspects of SKM
  Strategies, Processes, Metrics, Techniques, Technologies, Architecture
Need to investigate security issues
  RBAC, UCON, Trust etc.
CS departments should collaborate with business schools on KM and SKM

17 Web Security
End-to-end security
  Need to secure the clients, servers, networks, operating systems, transactions, data, and programming languages
  The various systems when put together have to be secure
  Composable properties for security
Access control rules, enforce security policies, auditing, intrusion detection
Verification and validation
Security solutions proposed by W3C and OMG
Java Security
Firewalls
Digital signatures and Message Digests, Cryptography

18 Attacks to Web Security

19 Secure Web Components

20 E-Commerce Transactions
E-commerce functions are carried out as transactions
  Banking and trading on the internet
  Each data transaction could contain many tasks
Database transactions may be built on top of the data transaction service
  Database transactions are needed for multiuser access to web databases
  Need to enforce concurrency control and recovery techniques

21 Types of Transaction Systems
Stored Account Payment
  e.g., Credit and debit card transactions
  Electronic payment systems
  Examples: First Virtual, CyberCash, Secure Electronic Transaction
Stored Value Payment
  Uses bearer certificates
  Modeled after hard cash
  Goal is to replace hard cash with e-cash
  Examples: E-cash, Cybercoin, Smart cards

22 Building Database Transactions
[Diagram: protocol stack, top to bottom]
Database Transaction Protocol
Payments Protocol
HTTP Protocol
Socket Protocol
TCP/IP Protocol

23 Secure Digital Libraries
Digital libraries are e-libraries
  Several communities have developed digital libraries
  Medical, Social, Library of Congress
Component technologies
  Web data management, Multimedia, information retrieval, indexing, browsing
Security has to be incorporated into all aspects
  Secure models for digital libraries, secure functions

24 Secure Digital Libraries

25 Secure Web Databases
Database access through the web
  JDBC and related technologies
Query, indexing and transaction management
  E.g., New transaction models for E-commerce applications
  Index strategies for unstructured data
Query languages and data models
  XML has become the standard document interchange language
Managing XML databases on the web
  XML-QL, Extensions to XML, Query and Indexing strategies
Integrating heterogeneous data sources on the web
  Information integration and ontologies are key aspects
Mining the data on the web
  Web content, usage, structure and content mining

26 Directions for Web Security
End-to-end security
  Secure networks, clients, servers, middleware
  Secure Web databases, agents, information retrieval systems, browsers, search engines, ...
As technologies evolve, more security problems
  Data mining, intrusion detection, encryption are some of the technologies for security
Next steps
  Secure semantic web, Secure knowledge management

