Data Security

Dorothy E. Denning and Peter J. Denning


Absolute data security is impossible (security is economics), but we can try to make the computer hardware and software not be the weakest links. This paper examines four kinds of controls which provide needed protections to different areas: access controls, flow controls, inference controls, and cryptographic controls.

Access Controls

Access controls govern the availability of objects to users for various uses. For example, records in a database, or files in a filesystem, can be read or written by some users but not others. Three main features are necessary:

Different kinds of systems have different requirements.

Flow Controls

Flow controls govern the ability of information to be transmitted from one part of the system to another (or, ultimately, from one user to another). The main idea is to assign a "security class" to each piece of data, and to require that the security class of data cannot be lowered.

Inference Controls

Inference controls govern the ability of users to determine specific information in a database, if they are allowed to query for summary information. The systems must try to make the cost of reconstructing the specific information to be prohibitive. Three types of controls are possible: As well, use threat monitoring to watch for suspicious queries in log files (but then what about the privacy issues of this?!).

Cryptographic Controls

Cryptographic controls govern who can read data that isn't protected (by an operating system, for example). This includes data being transmitted over a network, and data stored on disks or tapes. There are two major classes of encryption: (Usually, the performance issue is mitigated by using a hybrid approach: pick a random key, use it to do symmetric encryption, and transmit the result of this encryption, as well as the result of encrypting the key itself with public key encryption.)