Hippocratic Databases and Fine Grained Access Control

Similar documents
Special Topics in Security and Privacy of Medical Information. Hippocratic Databases. Privacy guidelines. Sujata Garera

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

Tracking and Reporting

1 Privacy Statement INDEX

University Policies and Procedures ELECTRONIC MAIL POLICY

Privacy Policy... 1 EU-U.S. Privacy Shield Policy... 2

Putting It All Together:

SQL Compliance Whitepaper HOW COMPLIANCE IMPACTS BACKUP STRATEGY

Department of Veterans Affairs VA DIRECTIVE April 17, 2006 WEB PAGE PRIVACY POLICY

Frequently Asked Question Regarding 201 CMR 17.00

RippleMatch Privacy Policy

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Privacy Policy Effective May 25 th 2018

Document Title: Electronic Data Protection and Encryption Policy. Revision Date Authors Description of Changes

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

COUNTY OF RIVERSIDE, CALIFORNIA BOARD OF SUPERVISORS POLICY. ELECTRONIC MEDIA AND USE POLICY A-50 1 of 9

Policy. Sensitive Information. Credit Card, Social Security, Employee, and Customer Data Version 3.4

PRIVACY POLICY Let us summarize this for you...

Islam21c.com Data Protection and Privacy Policy

HIPAA Privacy & Security Training. HIPAA The Health Insurance Portability and Accountability Act of 1996

BoostMyShop.com Privacy Policy

Subject: Kier Group plc Data Protection Policy

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

Subject: University Information Technology Resource Security Policy: OUTDATED

Housecall Privacy Statement Statement Date: 01/01/2007. Most recent update 09/18/2009

Cellular Site Simulator Usage and Privacy

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Privacy Rule.

ADEA PASS CUSTOMER SERVICE

HIPAA. Developed by The University of Texas at Dallas Callier Center for Communication Disorders

VALUE PAY SERVICES PRIVACY POLICY

Database Auditing and Forensics for Privacy Compliance: Challenges and Approaches. Bob Bradley Tizor Systems, Inc. December 2004

Beam Technologies Inc. Privacy Policy

Red Flags/Identity Theft Prevention Policy: Purpose

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

Throughout this Data Use Notice, we use plain English summaries which are intended to give you guidance about what each section is about.

Frequently Asked Questions Regarding Charitable Fundraising & The Personal Information Protection and Electronic Documents Act (PIPEDA)

Document Cloud (including Adobe Sign) Additional Terms of Use. Last updated June 5, Replaces all prior versions.

ecare Vault, Inc. Privacy Policy

Within the meanings of applicable data protection law (in particular EU Regulation 2016/679, the GDPR ):

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

You are signing up to use the Middlesex Savings Bank Person to Person Service powered by Acculynk that allows you to send funds to another person.

GDPR Privacy Policy. The data protection policy of AlphaMed Press is based on the terms found in the GDPR.

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

Legal notice and Privacy policy

HIPAA Federal Security Rule H I P A A

Data Protection Policy

Employee Security Awareness Training Program

PRIVACY 102 TRAINING FOR SUPERVISORS. PRIVACY ACT OF U.S.C.552a

PRIVACY POLICY VANTAGE HOMES

Complete document security

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

Learning Management System - Privacy Policy

Security and Privacy Breach Notification

HIPAA Privacy and Security Training Program

Regulation P & GLBA Training

Security Enhancements

Privacy Policy. In this data protection declaration, we use, inter alia, the following terms:

If you have any questions or concerns about this Privacy Policy, please Contact Us.

RECORDS AND INFORMATION MANAGEMENT AND RETENTION

Catalent Inc. Privacy Policy v.1 Effective Date: May 25, 2018 Page 1

NOTICE OF PRIVACY PRACTICES

HIPAA Technical Safeguards and (a)(7)(ii) Administrative Safeguards

Cybersecurity in Higher Ed

Privacy Policy. Data Controller - the entity that determines the purposes, conditions and means of the processing of personal data

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

-Eight types of cyber data, (Sec. 708(7))

Why you MUST protect your customer data

PPR TOKENS SALE PRIVACY POLICY. Last updated:

the processing of personal data relating to him or her.

Privacy Policy CARGOWAYS Logistik & Transport GmbH

ACCEPTABLE USE OF HCHD INTERNET AND SYSTEM

1.2 Participant means a third party who interacts with the Services as a result of that party s relationship with or connection to you.

Privacy & Information Security Protocol: Breach Notification & Mitigation

Key Customer Issues to Consider Before Entering into a Cloud Services Arrangement

CAET Privacy Policy August

DATA PROTECTION ISACA MALTA CHAPTER BIENNIAL CONFERENCE Saviour Cachia Commissioner for Information and Data Protection

Information Technology Standards

HF Markets SA (Pty) Ltd Protection of Personal Information Policy

DATA PROTECTION AND PRIVACY POLICY

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

This website is managed by Club Systems International on behalf of the Hoburne and Burry and Knight Groups.

HIPAA FOR BROKERS. revised 10/17

FLORIDA S PREHOSPITAL EMERGENCY MEDICAL SERVICES TRACKING & REPORTING SYSTEM

LifeWays Operating Procedures

POLICY TITLE: Record Retention and Destruction POLICY NO: 277 PAGE 1 of 6

Data Compromise Notice Procedure Summary and Guide

Website Privacy Policy

Privacy Law Doing Business In Canada

Privacy notice. Last updated: 25 May 2018

efolder White Paper: HIPAA Compliance

Data Protection Policy

GPS & Maps - Privacy Policy

PRIVACY NOTICE. What Information Is Collected and How Is It Collected? Last Updated: May 21, 2018

Summary Comparison of Current Data Security and Breach Notification Bills

Government Privacy. Julie Smith McEwen, CIPP/G, CISSP Principal Information Systems Privacy and Security Engineer

Organization information. When you create an organization on icentrex, we collect your address (as the Organization Owner), your

Let s get started with the module Ensuring the Security of your Clients Data.

SURGICAL REVIEW CORPORATION Privacy Policy

University Privacy Campaign. Introduction to the Personal Data (Privacy) Ordinance

Transcription:

Hippocratic Databases and Fine Grained Access Control Li Xiong CS573 Data Privacy and Security

Review Anonymity - an individual (or an element) not identifiable within a well-defined set Confidentiality - information is accessible only to those authorized to have access Access control - control which principles have access to which resources Privacy - the right of individuals to determine for themselves when, how and to what extent information about them is communicated to others. 2

From Access Control to Hippocratic Databases and Fine Grained Access Control Access control - control which principles have access to which resources Traditional database security provided by access control Control which user have access to which table We need to re-architect database systems to include responsibility for the privacy of data.

Hippocratic databases (Agrawal 02) A vision, inspired by the Hippocratic Oath, of databases that preserve privacy Key privacy principles A strawman design for a Hippocratic database Technical challenges

Hippocratic Oath And about whatever I may see or hear in treatment, or even without treatment, in the life of human beings things that should not ever be blurted out outside I will remain silent, holding such things to be unutterable. 5

Traditional Databases Fundamental to a database system is 1. Ability to manage persistent data. 2. Ability to access a large amount of data efficiently. Universal capabilities of a database system 1. Support for at least one data model. 2. Support for certain high-level languages that allow the user to define the structure of data, access data, and manipulate data. 3. Transaction management, the capability to provide correct, concurrent access to the database by many users at once. 4. Access control, the ability to deny access to data by unauthorized users and the ability to check the validity of the data. 5. Resiliency, the ability to recover from system failures 6 without losing data.

Hippocratic Databases Hippocratic databases require all the capabilities provided by current database systems Different focus Need to rethink data definition and query languages, query processing, indexing and storage structures, and access control mechanisms Privacy Consented sharing Forget data for unauthorized uses 7 Efficiency Maximizing Concurrency Resiliency

Hippocratic Databases vs. Statistical Databases Hippocratic databases vs. Statistical databases Hippocratic databases share the goal of preventing disclosure of private information but the class of queries for Hippocratic databases is much broader. Hippocratic databases vs. traditional access control Hippocratic databases requires more complex privacy policy management and more finegrained access control 8

Privacy Regulations United States Privacy Act of 1974 requires federal agencies to 1. permit an individual to determine what records pertaining to him are collected, maintained, used, or disseminated; 2. permit an individual to prevent records pertaining to him obtained for a particular purpose from being used or made available for another purpose without his consent; 3. permit an individual to gain access to information pertaining to him in records, and to correct or amend such records; 4. collect, maintain, use or disseminate any record of personally identifiable information in a manner that assures that such action is for a necessary and lawful purpose, that the information is current and accurate for its intended use, and that adequate safeguards are provided to prevent misuse of such information; 5. permit exemptions from the requirements with respect to the records provided in this Act only in those cases where there is an important public policy need for such exemption as has been determined by specific statutory authority; and 6. be subject to civil suit for any damages which occur as a result of willful or intentional action which violates any individual s right under this Act. 9 CPSC 601.07, Oct 20/Nov 5, 2004

Privacy Regulations Recent privacy documents 1996 Health Insurance Portability and Accountability Act (HIPAA) 1999 Gramm-Leach-Bliley Financial Services Modernization Act 2000 Personal Information Protection and Electronic Documents Act (PIPEDA) 2003 Personal Information Protection Act (PIPA) 10

Guidelines Collection Retention Use Disclosure Example: Grad student information at the university 11

Ten Founding Principles 1. Purpose Specification. For personal information stored in the database, the purposes for which the information has been collected shall be associated with that information. 2. Consent. The purposes associated with personal information shall have consent of the donor of the personal information. 3. Limited Collection. The personal information collected shall be limited to the minimum necessary for accomplishing the specified purposes. 4. Limited Use. The database shall run only those queries that are consistent with the purposes for which the information has been collected. 5. Limited Disclosure. The personal information stored in the database shall not be communicated outside the database for purposes other than those for which there is consent from the donor of the information. 12

Ten Founding Principles 6. Limited Retention. Personal information shall be retained only as long as necessary for the fulfillment of the purposes for which it has been collected. 7. Accuracy. Personal information stored in the database shall be accurate and up-to-date. 8. Safety. Personal information shall be protected by security safeguards against theft and other misappropriations. 9. Openness. A donor shall be able to access all information about the donor stored in the database. 10. Compliance. A donor shall be able to verify compliance with the above principles. Similarly, the database shall be able to address a challenge concerning compliance. 13

Strawman Design Use purpose as the central concept Use scenario Mississippi is an on-line bookseller who needs to obtain certain minimum personal information to complete a purchase transaction. This information includes name, shipping address, and credit card number. Mississippi also needs an email address to notify the customer of the status of the order. Mississippi uses the purchase history of customers to offer book recommendations on its site. It also publishes information about books popular in the various regions of the country (purchase circles). 14

The Characters Name: Alice Privacy fundamentalist Does not want Mississippi to retain any information once her purchase transaction is complete.

The Characters Name: Bob Privacy pragmatist Likes the convenience of providing his email and shipping address only once by registering at Mississippi. Also likes recommendations but he does not want his transactions used for purchase circles. 16

The Characters Name: Mallory Employee with questionable ethics The database and privacy officer must ensure that she is not able to obtain more information that she is supposed to. 17

Strawman Architecture This object is copied from the original paper. 18

Privacy meta data Privacy meta data defines for each purpose, and for each piece of information collected for that purpose: Authorized-users: set of users (applications) who can access this information External-recipients: whom the information can be given out to Retention-period: how long the information is stored Privacy-policies table external recipients and retention period Privacy-authorization table access supporting the policies 19

Privacy Metadata Privacy Metadata Schema Database Schema Privacy-Policies Table 20

Privacy Metadata Privacy-Authorizations Table This object is copied from the original paper. 21

Data Collection Matching privacy policy with user preferences Privacy Constraint Validator checks whether the business s privacy policy is acceptable to the user Example: If Alice required a 2 week retention period, the database would reject the transaction Data insertion Data is inserted with the purpose for which it may be used 22

Queries Submitted to the database along with their purpose. Example: recommendations Before query execution: Attribute Access Control checks privacy-authorizations table for a match on purpose, attribute and user. Mallary (customer service) queries creditcardinfo with purchase authorized-users: charge 23

Queries During query execution: Record Access Control ensures that only records whose purpose attribute includes the query s purpose will be visible to the query. E.g. queries with recommendations will see Bob s books but not Alice s Alice s purpose attribute: purchase 24

Queries After query execution: Query Intrusion Detector is run on the query results to spot queries whose access pattern is different from the usual access pattern for queries with that purpose and by that user. An audit trail of all queries is maintained for external privacy audits, as well as addressing challenges regarding compliance. 25

Other Features Data Retention Manager deletes data items that have outlived their purpose. Data Collection Analyzer examines the set of queries for each purpose to determine if any information is being collected but not used. (Limited Collection). DCA determines if data is being kept for longer than necessary. (Limited Retention) DCA determines if people have unused (unnecessary) authorizations to issue queries with a given purpose. (Limited Use) Encryption Support allows some data items to be stored in encrypted form to guard against snooping. 26

P3P and Hippocratic Databases Platform for Privacy Preferences (P3P) A P3P policy describes the purpose of the collection of information along with intended recipients and retention period. The sites policy is programmatically compared to a user s privacy preferences Very few implementations 27

New Challenges Language P3P language insufficient Developed for web shopping language restricted P3P is a good starting for a language which can be used in a wider variety of environments such as finance, insurance, and health care Difficult to find balance between expressibility and usability Work is being done to arrange purposes in a hierarchy rather than the flat space that P3P uses 28

New Challenges Efficiency What type of performance hit will integrated privacy checking entail? Some techniques from multilevel secure databases will apply Storage of purpose space versus efficiency 29

Challenges Limited Collection Access Analysis: Analyze the queries for each purpose and identify attributes that are collected for a given purpose but not used. Problem: Necessity of one attribute may depend on others Granularity Analysis: Analyze the queries for each purpose and numeric attribute and determine the granularity at which information is needed (data generalization?) Minimal Query Generation: Generate the minimal query that is required to solve a given 30 problem.

New Challenges Others Compliance Query auditing and compliance checking Limited retention How to delete a record not only from the table, but logs w/o affecting recovery How to support historical analysis Openness How to allow Alice to find out what databases have information about her? 31

Conclusion Presented a vision, inspired by the Hippocratic Oath, of databases that preserve privacy Enunciated key privacy principles Discussed a strawman design for a Hippocratic database Identified technical challenges 32

Limiting disclosure in Hippocratic databases (Lefevre 04) One approach to implement the privacy policy enforcement for Hippocratic databases and in general fine-grained access control Support of privacy policies Support of cell-level access control Table semantics Query semantics 33

Implementation Architecture 34

Policy definition A policy meta-language for defining privacy policy rules A policy is a set of rules <data, purposerecipient pair, condition> E.g. <address, solicitation-charity, optin = yes> Potential difficulties in translating from highlevel policy to meta specifications 35

Access control Table semantics (independent of queries) For each table, define a view for each purpose-recipient pair Prohibited values are replaced with null based on the policy constraints Queries are evaluated against the view Query semantics (take queries into account) For the table in the FROM clause, define a view for the querying purpose-recipient pair Result tuples that are null in all columns are discarded 36

Example 37

Example 38

Query Modification Query modification algorithms to enforce the privacy conditions at cell-level SELECT Phone FROM Patients SELECT CASE WHEN EXISTS (SELECT phone_choice FROM PatientChoices WHERE Patient.P# = PatientChoices.P# AND PatientChoices.Phone_Choice = 1) THEN phone ELSE null END FROM patients WHERE EXISTS (SELECT ID_Choice FROM PatientChoices WHERE Patient.P# = PatientChoices.P# AND PatientChoices.Phone_Choice = 1) 39

Overhead and scalability 40

Impact of Record Filtering 41

References Hippocratic databases, Agrawal, 2002 Limiting disclosure in Hippocratic databases, LeFevre, 2003

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback