Forum for Science, Industry and Business

Sponsored by:     3M 
Search our Site:

 

Passwords to guard entry aren’t enough to protect complex data

16.02.2004


Security mechanisms also must protect what goes out



Passwords to guard entry aren’t enough to protect complex data - security mechanisms also must protect what goes out

"Data can easily find itself in danger of being accessed by ’bad guys,’" says emeritus professor of computer science Gio Wiederhold, who will speak about trusted information databases Feb. 14 in Seattle at the annual meeting of the American Association for the Advancement of Science (AAAS). "Passwords and other means of access control are okay, but additional security mechanisms are needed to provide security." To ensure that data records are not released into the wrong hands, Wiederhold suggests adding filters to outgoing data.


Traditional security systems often utilize access control in which passwords are the key to identifying authorized users and granting them access to data. While doctors or nurses may have access to medical data in a hospital database, they cannot access financial data in the hospital’s accounting database. Conversely, an insurance company can access financial records but not patient medical records. Patients, in contrast, can request access to both types of data. A database administrator in a traditional system defines different roles for different users, and those roles define the type of access allowed.

The good news about traditional systems is that bad guys must employ multiple ’hacks’ to get past the firewalls, operating systems and the database security itself. The bad news is that because the filter is at the level of user access, security stops once a user gains access to material authorized for his or her role. If a good guy turns bad - as in the case where a disgruntled employee with access privileges decides to do some damage - the database becomes endangered.

A severe disadvantage to the access-driven security model is that it requires that all of the contents be well organized and placed into neat bins for access by those with authorized roles. Protection is poor for data that are complex, multipurpose, unstructured, formatted as images, or now used for roles not recognized when the data were first collected. Medical records, for instance, are nearly impossible to organize for all the roles that they serve.

The most serious issue is that access control does not consider collaboration. For instance, in a medical setting, many types of users legitimately need access to patient data, and their legitimate access rights intersect in many ways. A document given to a researcher in a specific area, say cardiac disease, may also include information about pregnancy, psychological profile, or HIV status. Because of their holistic role, patient medical records cannot be organized to separate all of those aspects. Simply removing patient identification from every separate aspect of a patient’s record disables research, since long-term follow-up and integration of data from encounters at diverse sites are needed. Wiederhold says filters can and should check outgoing documents for terms warranting more protection.

"When these [medical] and other databases are designed, the possible uses and security needs cannot be fully considered," Wiederhold says. If a company outsources work to a consultant, the consultant needs access to the company database. By using release control - which monitors the contents of documents being delivered to the requestor - alongside traditional access control, the consultant is restricted to material that is relevant to a particular project, Wiederhold says. The databases need not be redesigned to reclassify or remove data that is inappropriate or proprietary.

Protecting data before it gets released means vetting the contents of documents retrieved from internal files, Wiederhold says. Document release protection may be desirable for diverse systems with data output, such as e-mail, file systems, databases and websites. Such filters are already operational in e-mail systems employing "dirty word" filters and in military systems that "fuzzify" shared data that only can be seen clearly using specially supplied equipment.

As data increase in complexity, it becomes increasingly difficult to define a good security model that works well for different types of collaborating users. For example, customers of an online file-sharing business need to be able to access files from the company’s database, but they should not be able to see contents pertaining to other customers, such as credit card numbers or e-mail-address. Recognizing that we must allow access to many types of users - each with their own objectives and ethics - means that a simple good guy/bad guy access model is inadequate. While access control working alongside release control will improve the protection of privacy, complex security definitions may conflict with each other or even form security holes, Wiederhold says. "The scope of potential use of data is so large that no approach that relies on any specific data organization will be adequate for all future needs," he says. "But relying only on access control is certainly inadequate."


CONTACT: Dawn Levy, News Service: (650) 725-1944, dawnlevy@stanford.edu
COMMENT: Gio Wiederhold, Computer Science: (650) 725-8363, gio@cs.stanford.edu

Mirella Bucci | EurekAlert!
Further information:
http://www.stanford.edu/dept/news/

More articles from Information Technology:

nachricht Five developments for improved data exploitation
19.04.2017 | Deutsches Forschungszentrum für Künstliche Intelligenz GmbH, DFKI

nachricht Smart Manual Workstations Deliver More Flexible Production
04.04.2017 | Deutsches Forschungszentrum für Künstliche Intelligenz GmbH, DFKI

All articles from Information Technology >>>

The most recent press releases about innovation >>>

Die letzten 5 Focus-News des innovations-reports im Überblick:

Im Focus: Making lightweight construction suitable for series production

More and more automobile companies are focusing on body parts made of carbon fiber reinforced plastics (CFRP). However, manufacturing and repair costs must be further reduced in order to make CFRP more economical in use. Together with the Volkswagen AG and five other partners in the project HolQueSt 3D, the Laser Zentrum Hannover e.V. (LZH) has developed laser processes for the automatic trimming, drilling and repair of three-dimensional components.

Automated manufacturing processes are the basis for ultimately establishing the series production of CFRP components. In the project HolQueSt 3D, the LZH has...

Im Focus: Wonder material? Novel nanotube structure strengthens thin films for flexible electronics

Reflecting the structure of composites found in nature and the ancient world, researchers at the University of Illinois at Urbana-Champaign have synthesized thin carbon nanotube (CNT) textiles that exhibit both high electrical conductivity and a level of toughness that is about fifty times higher than copper films, currently used in electronics.

"The structural robustness of thin metal films has significant importance for the reliable operation of smart skin and flexible electronics including...

Im Focus: Deep inside Galaxy M87

The nearby, giant radio galaxy M87 hosts a supermassive black hole (BH) and is well-known for its bright jet dominating the spectrum over ten orders of magnitude in frequency. Due to its proximity, jet prominence, and the large black hole mass, M87 is the best laboratory for investigating the formation, acceleration, and collimation of relativistic jets. A research team led by Silke Britzen from the Max Planck Institute for Radio Astronomy in Bonn, Germany, has found strong indication for turbulent processes connecting the accretion disk and the jet of that galaxy providing insights into the longstanding problem of the origin of astrophysical jets.

Supermassive black holes form some of the most enigmatic phenomena in astrophysics. Their enormous energy output is supposed to be generated by the...

Im Focus: A Quantum Low Pass for Photons

Physicists in Garching observe novel quantum effect that limits the number of emitted photons.

The probability to find a certain number of photons inside a laser pulse usually corresponds to a classical distribution of independent events, the so-called...

Im Focus: Microprocessors based on a layer of just three atoms

Microprocessors based on atomically thin materials hold the promise of the evolution of traditional processors as well as new applications in the field of flexible electronics. Now, a TU Wien research team led by Thomas Müller has made a breakthrough in this field as part of an ongoing research project.

Two-dimensional materials, or 2D materials for short, are extremely versatile, although – or often more precisely because – they are made up of just one or a...

All Focus news of the innovation-report >>>

Anzeige

Anzeige

Event News

Expert meeting “Health Business Connect” will connect international medical technology companies

20.04.2017 | Event News

Wenn der Computer das Gehirn austrickst

18.04.2017 | Event News

7th International Conference on Crystalline Silicon Photovoltaics in Freiburg on April 3-5, 2017

03.04.2017 | Event News

 
Latest News

NASA's Fermi catches gamma-ray flashes from tropical storms

25.04.2017 | Physics and Astronomy

Researchers invent process to make sustainable rubber, plastics

25.04.2017 | Materials Sciences

Transfecting cells gently – the LZH presents a GNOME prototype at the Labvolution 2017

25.04.2017 | Life Sciences

VideoLinks
B2B-VideoLinks
More VideoLinks >>>