| year | 2001 |
| title | Collaboration Requirements: A Point of Failure in Protecting Information |
| abstract |
There are settings where we have to collaborate with individuals and
organizations who, while not being enemies, should not be fully trusted.
Collaborators must be authorized to access those information systems that
contain information that they should be able to receive. However, these systems
typically also contain information that should be withheld. Collaborations can be
rapidly created, requiring dynamic alterations to security provisions. Solutions
based on extending access control methods to deal with collaborations are either
awkward and costly, or unreliable.
An alternative approach to protection of mixed source information, complementing
basic access control, is to provide filtering of results. Filtering of contents
is also costly, but provides a number of benefits not obtainable with access
control alone. The most important one is that the complexity of setting up and
maintaining specific, isolating information cells for every combination of access
rights assigned to external collaborators is avoided. New classes of collaborators
can be added without requiring a reorganization of the entire information structure.
There is no overhead for internal use, i.e., for participants that are wholly trusted.
Finally, since the contents of the documents, rather than their labels, are being checked,
cases of misfiled information will not cause inappropriate release.
The approach used in the TIHI/SAW projects at Stanford uses simple rules to drive
filtering primitives. The filters run on a modest, but dedicated computer to be managed
by the organization’s security officer. The rules implement the institution’s security
policy and balance manual effort and complexity. By not relying on the database and network
administrators and system facilities, a better functional allocation of responsibilities ensues.
Result filtering can also be used to implement pure intrusion detection, since it
can be implemented invisibly. The intruder can be given an impression of success,
while becoming a target for monitoring or cover stories.
| keywords | information |