Publication Detail
Title: Collaboration Requirements: A Point of Failure in Protecting Information
Abstract: There are settings where we have to collaborate with individuals and organizations who, while not being enemies, should not be fully trusted. Collaborators must be authorized to access those information systems that contain information that they should be able to receive. However, these systems typically also contain information that should be withheld. Collaborations can be rapidly created, requiring dynamic alterations to security provisions. Solutions based on extending access control methods to deal with collaborations are either awkward and costly, or unreliable. An alternative approach to protection of mixed source information, complementing basic access control, is to provide filtering of results. Filtering of contents is also costly, but provides a number of benefits not obtainable with access control alone. The most important one is that the complexity of setting up and maintaining specific, isolating information cells for every combination of access rights assigned to external collaborators is avoided. New classes of collaborators can be added without requiring a reorganization of the entire information structure. There is no overhead for internal use, i.e., for participants that are wholly trusted. Finally, since the contents of the documents, rather than their labels, are being checked, cases of misfiled information will not cause inappropriate release. The approach used in the TIHI/SAW projects at Stanford uses simple rules to drive filtering primitives. The filters run on a modest, but dedicated computer to be managed by the organization's security officer. The rules implement the institution's security policy and balance manual effort and complexity. By not relying on the database and network administrators and system facilities, a better functional allocation of responsibilities ensues. Result filtering can also be used to implement pure intrusion detection, since it can be implemented invisibly. The intruder can be given an impression of success, while becoming a target for monitoring or cover stories.