1. 1 ISA 662 Information System Security Hybrid Policies Chapter 6 from Bishop ’ s book

2. 2 Overview Chinese Wall Model RBAC ORCON Clinical Information Systems Security Policy

3. 3 Chinese Wall Model Chinese wall is a barrier between objects which result in conflicting interests The problem An analyst is assigned to advise two competing banks The objectivity of his opinion would be questionable He can help one gain at the expense of the other The solution An analyst can only access non-conflicting objects inside his/her enclosure

4. 4 Overview Explicitly organize objects into conflict of interest (COI) classes Control subject ’ s read accesses based on COI classes and prior access history Control subject ’ s write accesses to avoid indirect conflict of interest No control over reading sanitized data (data that cause no conflict of interest whatsoever)

5. 5 Definitions and Notations Company dataset (CD): collection of objects about a single company Conflict of interest class (COI): a collection of company datasets of companies in competition Notation Object: O Company dataset: CD (O) Conflict of interest class: COI (O) Assumption: each object belongs to exactly one CD and each CD to one COI class

6. 6 Example Bank of America Citibank Bank of the West Bank Shell Mobil Texaco Sunoco Gasoline Consider a COI class as an industry CD(object 1 )=? COI(object 1 )=? All Objects object 1 object 2 …… COI CD Object

7. 7 History-based Access Control Rights depend on access history Initially, a subject can read any CD in any COI But once the subject has read any CD in the COI, he or she can never read another CD in that COI Possible that information learned earlier may allow him to make decisions later

8. 8 Sanitized Object Sanitized object is public information contained within a CD As it is publicly available, no conflicts of interest arises from it So, should not affect read But it does affect write

9. 9 CW-Simple Security Condition Let PR(s) be the set of objects that s has already read s can read o iff any of these conditions holds: 1. There is o satisfying o  PR (s) and CD (o)=CD (o) – { s can read something else in the company dataset o } 2. For all objects o,o  PR (s)  COI (o)≠COI (o) – { s has not read any objects in COI (o) } 3. o is a sanitized object Initially, PR(s) = , so initial read request is always granted

10. 10 What About Write? Alice reads Citibank ’ s and Shell ’ CD Bob reads Bank of America ’ s and Shell ’ s CD So Bob must not read Citibank ’ s CD If Alice writes what she read from Citibank ’ s to Shell ’ CD; Bob can then read what Alice wrote Bank of America Citibank Bank of the West Bank Shell Mobil Texaco Sunoco Gasoline AliceBob

11. 11 CW-*-Property {Like Bell LaPadula} s can write to o iff both of the following hold: 1. The CW-simple condition permits s to read o 2. For all unsanitized objects o, if s can read o, then CD (o) = CD (o) – All s can read are either within the same CD, or sanitized Bank of America Citibank Bank of the West Bank Shell Mobil Texaco Sunoco Gasoline AliceBob Neither Alice nor bob can write

12. 12 How Does Information Flow? With the two conditions (CW simple security condition and CW *-property) in place, how can information flow around the system? Main Results Theorem 7-1: in each COI class (e.g. Bank), a subject can only read objects in a single CD (e.g. Citibank) Theorem 7-2: at least n subjects are required to access all objects in a COI class with totally n CDs

13. 13 How Does Information Flow? (Cont ’ d) Information flows from o to o ’ if s reads o and writes o ’ Theorem 7-3: information in an unsanitized object can only flow inside that CD; information in sanitized objects can flow freely Bank of America Citibank Bank of the West Shell Mobil Texaco Sunoco o1o1 o2o2 o3o3 o3o3 o1o1 o2o2 o3o3 sanitized unsanitized

14. 14 Compare CW to Bell-LaPadula Fundamentally different CW is based on access history, BLP is history-less (This is important) BLP can capture CW state at any time, but cannot track changes over time BLP security levels would need to be updated each time an access is allowed (This does not make sense)

15. 15 Overview Chinese Wall Model RBAC ORCON Clinical Information Systems Security Policy

16. 16 Background A policy-neutral model Can be used to express DAC (role as identity),MAC (role as clearance) … A standard (http://csrc.nist.gov/rbac/) Why role? Because rights usually depend on role (job function) but not identity Example: Alice, a bookkeeper, has access to financial records. If Bob replaces Alice as the new bookkeeper, Bob must have the same accesses The role ‘ Bookkeeper ’ is as a bridge between subjects and rights to objects (permissions)

17. 17 Background (Cont ’ d) Why role? As an intermediate layer, it simplifies the administration of access control A transition from client-server model to 3 + -tier model in transaction processing n clients m servers n*m connections With intermediate application servers, n+m connections Client  subject, server  permission, application server  role

18. 18 Definitions Trans (r): authorized transactions; all transactions that role r can execute Actr (s): active role that s is currently playing Authr (s): authorized roles; all roles that s can play Canexec (s, t): s can execute transaction t Let S be the set of subjects and T the set of transactions.

19. 19 Axioms Rule of role assignment: (  s  S)(  t  T) [canexec (s, t)  actr (s) ≠  ]. To execute a transaction, s must be playing some role Rule of role authorization: (  s  S) [actr (s)  authr (s)]. s can only play an authorized role Rule of transaction authorization: (  s  S)(  t  T) [canexec (s, t)  t  trans (actr (s))]. A subject can only execute a transaction if the transaction is authorized for the active role

20. 20 Containment of Roles (Role Hierarchy) Instructor can do all transactions that TA can do (and maybe more). Thus an instructor role contains a TA role where (instructor > TA). (  s  S)[ r  authr (s)  r > r  r  authr (s) ] (  t  T)[ t  trans (r)  r > r  t  trans (r ’ ) ] All roles form a partial order

21. 21 Separation of Duties Let predicate meauth (r) be the set of roles a subject s cannot play if s can play r, because of a separation of duty requirement. r is cashier, meauth (r) may include sales assistant Add a constraint: (  r 1, r 2  R) [ r 2  meauth (r 1 )  [ (  s  S) [ r 1  authr (s)  r 2  authr (s) ] ] ] If anyone works as a cashier, he/she must not work as a sales assistant.

22. 22 Overview Chinese Wall Model RBAC ORCON Clinical Information Systems Security Policy

23. 23 OR iginator CON trol Problem: organization creating document wants to control its dissemination Example: Secretary of Agriculture writes a memo for distribution to her immediate subordinates, and she must give permission for it to be disseminated to anyone else.

24. 24 Requirements Subject s  S marks object o  O as ORCON (in organization X). X allows o to be disclosed to subjects acting on behalf of another organization Y with the restrictions: 1. o cannot be released to a subject in another organization without X ’ s permission; and 2. Any copy of o must have the same restrictions placed on it.

25. 25 Different between DAC and MAC DAC allows owner to set any permission MAC depends on centralized control ORCON is inherently decentralized (important)

26. 26 Combine MAC and DAC Owner does not control access after the object is copied ; access control restrictions are copied with the object This is not DAC (owner can ’ t control them) Is it MAC? Creator (Originator) can alter access control restrictions on a per-subject and per-object basis. This is DAC (owner can control it)

27. 27 Key Points Chinese wall policy focuses on conflict of interest Information flows inside each CD RBAC is a policy-neutral model Uses role to simplify administration of access control ORCON is different from DAC and MAC Enforcement is a much bigger issue

28. 28 Overview Chinese Wall Model RBAC ORCON Clinical Information Systems Security Policy

29. 29 Clinical Information Systems Security Prototypical HIPAA Intended for medical records Conflict of interest not critical problem Patient confidentiality, authentication of records and annotators, and data integrity are critical Subjects and objects: Patient: subject of medical records Clinician: health-care professional with access to personal health information ONLY while doing job Personal health information: data about patient ’ s health or treatment having identification of patient

30. 30 Principles Originated in medical ethics (e.g.Hippocratic Oath) Principles Access Creation Deletion Confinement Aggregation Enforcement

31. 31 Access 1 Principle 1: Each medical record has an access control list naming the individuals or groups who may read and append information to the record. The system must restrict access to those identified on the access control list. Clinicians need access, but no-one else does. Auditors have access to copies, but they cannot alter records

32. 32 Access 2 and 3 Principle 2: One of the clinicians on the ACL must have the right to add other clinicians to it. The responsible clinician Principle 3: This clinician must notify the patient of the names on the ACL whenever the patient ’ s medical record is opened. Except for situations given in statutes, or a state of emergency, the clinician must obtain the patient ’ s consent. Patient must consent to all treatment, and must be informed of any violation of security

33. 33 Access 4 Principle 4: The name of the clinician, the date, and the time of the access of a medical record must be recorded. Similar information must be kept for deletions. This is for auditing. Don ’ t delete information; update it (deletion of records only after death or when required by law). Record information about all accesses.

34. 34 Creation A clinician may open a record, if the clinician and the patient are on the ACL. If a record is opened as a result of a referral, the referring clinician may also be placed on the ACL. Creating clinician needs access, and patient should have access. If created from a referral, referring clinician needs access to get results.

35. 35 Deletion Clinical information must not be deleted from a medical record until the appropriate time has passed. During patient lifetime May vary with circumstances (8 years or longer)

36. 36 Confinement Information from one medical record may be appended to a different medical record iff the ACL of the second record is a subset of the ACL of the first. This keeps information from leaking to unauthorized users. All users have to be on the access control list.

37. 37 Aggregation Measures for preventing aggregation of patient data must be effective. In particular, a patient must be notified if anyone is to be added to the ACL of his or her record and if that person has access to a large number of medical records. Fear that a corrupt investigator may obtain access to a large number of records, correlate them, and discover private information about individuals which can then be used for nefarious purposes (such as blackmail)

38. 38 Enforcement Any computer system that handles medical records must have a subsystem that enforces the rules. The effectiveness of enforcement must be evaluated by independent auditors. This policy has to be enforced, and the enforcement mechanisms must be auditable (and audited)

39. 39 Comparison BLP: imposes lattice structure on subjects/objects Clark-Wilson provides a framework CDIs are medical records TPs are functions updating records, access control lists IVPs certify: A person identified as a clinician is one; A clinician validates, or has validated, information in the medical record; When someone is to be notified of an event, the notification occurs; and When someone must give consent, the operation cannot proceed until the it is obtained Auditing (CR4) requirement: make all records append- only, notify patient when access control list changed