Protecting Data in a Collaborative Environment

Protecting Data in a Collaborative Environment
Willa Pickering, Ph.D.
CDM Responsibilities for Data Protection
• Identify what data must be protected
– Shared data in collaborative environments
– Intellectual property
– Personal and private
– National security
• Identify why the data must be protected
– Threats
– Federal and state regulations
• Identify who can access the data
– Communities of interest
• Identify how the data can be protected
– Security Plan
– Data risk management
Collaborative Data Warehouse Environment (What Data Needs Protection)
• Integration of data from multiple sources
– Health data, banking data, knowledge discovery in business intelligence systems
– Users may access data that they don’t have permission to access in the source system
• Data Mining
– On the fly queries
• Aggregation of data
– Inference issues - construct new groupings and extract information based on derived patterns
[Diagram: control points in the warehouse pipeline - Data Collection/Provider Controls, Warehouse Server Controls, Data Access/Mining Server Controls; Inference Controls, Query/Union Checks, Raw Data Protection, Data Sanitization]
Collaborative Net-Centric Environment (What Data Needs Protection)
[Diagram: layers of the net-centric environment - Global Connectivity (Cloud Computing, SOA, Post/Pull); Enterprise Services (Collaboration, Content Delivery & Discovery, Metadata Discovery); Authoritative Data (Relevant, Sufficient); Common Platform (Portal, Integration, Interoperability); Consolidated Infrastructure (Architectures, Standards)]
• Visible to the right people or systems
• Need to know vs. need to share challenge
Data Protection Threats (Why Data Needs Protection)
• Threat to Data
– All forms of electronic data (printouts, photocopies, data in documents, spreadsheets, email, graphics, databases)
– Theft or misuse by unauthorized users
• Threat to Physical Assets
– Loss of physical data (mainframes, servers, workstations, laptops, networks)
– Intentional or accidental destruction
– Natural forces (electrical or magnetic disturbances)
– Control by inside or outside forces
• Threat to Business
– Denial of service attack
– Unauthorized access to sensitive data
• Threat to Networks
– Terrorists
– Disgruntled employees
– Hackers
– Competitors
– Criminals
– Information brokers
Increasing Regulations (Why Data Needs Protection)
• Non-US Regulations
– UK Data Protection Act of 1998
– European Union Data Protection Directive
– Canada Personal Information Protection and Electronic Documents Act
– Russia Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
• Federal
– Gramm-Leach-Bliley Financial Services Modernization Act
– Health Insurance Portability and Accountability Act
– Health Information Technology for Economic and Clinical Health Act
• States
– California Data Security Breach Notification Act
– Minnesota Consumer Card Data Protection
– Nevada Data Encryption Policy
Communities (Who Can Access the Data)
Manage COIs: identify the appropriate groups of people to share data
• Establish charters and governance structure
– Identify data assets to share
– Understand data sharing constraints
– Promote trust by identifying authoritative sources and associating trust discovery metadata
• Manage feedback mechanisms by identifying and establishing processes to evaluate and refine the quality of the data
[Diagram: COI management steps - Identify COIs; Establish COIs; Manage Feedback Mechanisms; Develop COI Charter; Identify COI Governance; Register in COI Directory]
IT Security Mechanisms (How Can Data Be Protected)
• Authentication
– User ID and password
– Physical security device, ATM card, computer chip
– Biometric identification, voice, eye, thumbprint
• Authorization
– Level of access
– Controls
◦ Database attribute/column, row/object, table/class
◦ Application
◦ Host/geographic
• Security Strategies
– Check points to validate users
– Error handling if viewers seek to view without permissions
– Roles
– Limited view of only what viewer has permission to see
– Secure Access Layer/Firewall Protection
– Session Content - logging
– Single Access Point - no back doors
– Cross-Domain Guards
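As an added example that is not part of the presentation, the following Python sketch places the slide 8 mechanisms (a single access point enforcing a column- and row-limited view) and the inference controls named on slide 3 (query-set size and query/union checks) in front of a warehouse table; the table rows, principal names and the MIN_QUERY_SET threshold are all constructed assumptions.

```python
# Added example, not from the slides; rows, names and thresholds are constructed.
from dataclasses import dataclass

ROWS = [  # constructed sample fact table (hypothetical hospital billing mart)
    {"id": 1, "dept": "cardiology", "state": "WA", "charge": 1200},
    {"id": 2, "dept": "cardiology", "state": "WA", "charge": 800},
    {"id": 3, "dept": "cardiology", "state": "OR", "charge": 950},
    {"id": 4, "dept": "oncology", "state": "WA", "charge": 4100},
    {"id": 5, "dept": "oncology", "state": "WA", "charge": 3900},
    {"id": 6, "dept": "oncology", "state": "OR", "charge": 4300},
]
MIN_QUERY_SET = 3  # an aggregate must cover at least this many rows

@dataclass
class Principal:
    name: str
    columns: frozenset  # column-level control: attributes this COI member may read
    row_filter: dict    # row-level control: equality predicates limiting visible rows

def _match(row, where):
    return all(row.get(k) == v for k, v in where.items())

class WarehouseGate:  # single access point between users and the warehouse
    def __init__(self, rows):
        self.rows = rows
        self.history = {}  # principal name -> row-id sets already aggregated

    def _visible(self, who):
        # Limited view: a principal only ever sees rows passing its row filter.
        return [r for r in self.rows if _match(r, who.row_filter)]

    def select(self, who, columns, where=None):
        denied = set(columns) - who.columns
        if denied:  # never project a column the principal is not cleared for
            raise PermissionError(f"{who.name} may not read {sorted(denied)}")
        return [{c: r[c] for c in columns}
                for r in self._visible(who) if _match(r, where or {})]

    def aggregate(self, who, column, where):
        matched = [r for r in self._visible(who) if _match(r, where)]
        ids = {r["id"] for r in matched}
        if len(ids) < MIN_QUERY_SET:  # query-set size control (inference control)
            raise PermissionError("query set too small; rows could be inferred")
        for prior in self.history.get(who.name, []):
            # Query-difference check: two aggregates whose sets differ by fewer
            # than MIN_QUERY_SET rows can be subtracted to expose those rows.
            if 0 < len(ids ^ prior) < MIN_QUERY_SET:
                raise PermissionError("result could be differenced against an earlier query")
        self.history.setdefault(who.name, []).append(ids)
        return sum(r[column] for r in matched)
```

The second aggregate in the difference check is refused even though its own query set is large enough, which is what stops a total-minus-subset query pair from isolating a few rows.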
Data Risk Management (How Can Data Be Protected)
• Audits
– Liability exposures
– Compliance risks
– Unmet data security requirements
– End-to-end security checks
• Risk Mitigation
– Data replication/versions
– Altered data
– Logs
– Exception monitoring
– Event alerts
References
• Data Warehouse
– Inmon, W., Security in the data warehouse: data privatization, Enterprise Systems Journal, 11, n3, p.76, March 1996
– Mack, D. & Cain, M., The Essential Guide to Security and The Data Warehouse, 2010
– Zhang, N. & Zhao, W., Privacy-preserving data mining systems, IEEE Computer Society, 2007
– Zhang, N. & Zhao, W., Privacy-preserving OLAM: An information-theoretic approach, IEEE Computer Society, 2009
• Net-Centric Environments/Communities
– DoD Net-Centric Data Strategy, 2003
– DoD Metadata Discovery Specification, 2003
• Security Access Controls
– Ambler, S., Agile Database Techniques, 2003
• Security Plan
– Kimball, R., “Hackers, Crackers, and Spooks,” DBMS 10, n4, p.14, April 1997
• Data Risk Management
– Winn, J. & Wrathall, J., Who Owns the Customer? The emerging law of commercial transactions in electronic customer data, http://www.law.washington.edu/Profile.aspx?ID=103&vw=pubs