Protecting Data in a Collaborative Environment
Willa Pickering, Ph.D.

CDM Responsibilities for Data Protection
• Identify what data must be protected
  – Shared data in collaborative environments
  – Intellectual property
  – Personal and private
  – National security
• Identify why the data must be protected
  – Threats
  – Federal and state regulations
• Identify who can access the data
  – Communities of interest
• Identify how the data can be protected
  – Security Plan
  – Data risk management

Collaborative Data Warehouse Environment (What Data Needs Protection)
• Integration of data from multiple sources
  – Health data, banking data, knowledge discovery in business intelligence systems
  – Users may access data that they don't have permission to access in the source system
• Data Mining
  – On the fly queries
• Aggregation of data
  – Inference issues - construct new groupings and extract information based on derived patterns
[Diagram labels: Data Collection/Provider Controls; Warehouse Server Controls; Data Access/Mining Server Control; Inference Controls; Query/Union Checks; Raw Data Protection; Data Sanitization]

Collaborative Net-Centric Environment (What Data Needs Protection)
[Diagram layers: Global Connectivity (Cloud Computing, SOA, Post/Pull); Enterprise Services (Collaboration, Content Delivery & Discovery, Metadata Discovery); Authoritative Data (Relevant, Sufficient); Common Platform (Portal, Integration, Interoperability); Consolidated Infrastructure (Architectures, Standards)]
• Visible to the right people or systems
• Need to know vs. need to share challenge

Data Protection Threats (Why Data Needs Protection)
• Threat to Data
  – All forms of electronic data (printouts, photocopies, data in documents, spreadsheets, email, graphics, databases)
  – Theft or misuse by unauthorized users
• Threat to Physical Assets
  – Loss of physical data (mainframes, servers, workstations, laptops, networks)
  – Intentional or accidental destruction
  – Natural forces (electrical or magnetic disturbances)
  – Control by inside or outside forces
• Threat to Business
  – Denial of service attack
  – Unauthorized access to sensitive data
• Threat to Networks
  – Terrorists
  – Disgruntled employees
  – Hackers
  – Competitors
  – Criminals
  – Information brokers

Increasing Regulations (Why Data Needs Protection)
• Non-US Regulations
  – UK Data Protection Act of 1998
  – European Union Data Protection Directive
  – Canada Personal Information Protection and Electronic Documents Act
  – Russia Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
• Federal
  – Gramm-Leach-Bliley Financial Services Modernization Act
  – Health Insurance Portability and Accountability Act
  – Health Information Technology for Economic and Clinical Health Act
• States
  – California Data Security Breach Notification Act
  – Minnesota Consumer Card Data Protection
  – Nevada Data Encryption Policy

Communities (Who Can Access the Data)
Manage COIs
• Identify the appropriate groups of people to share data
• Establish charters and governance structure
  – Identify data assets to share
  – Understand data sharing constraints
  – Promote trust by identifying authoritative sources and associating trust discovery metadata
• Manage feedback mechanisms by identifying and establishing processes to evaluate and refine the quality of the data
[Diagram labels: Identify COIs; Establish COIs; Manage Feedback Mechanisms; Develop COI Charter; Identify COI Governance; Register in COI Directory]

IT Security Mechanisms (How Can Data Be Protected)
Authentication
  ◦ User ID and password
  ◦ Physical security device, ATM card, computer chip
  ◦ Biometric identification, voice, eye, thumbprint
Authorization
  ◦ Level of access
  ◦ Controls
    Database attribute/column, row/object, table/class
    Application
    Host/geographic
Security Strategies
  ◦ Check points to validate users
  ◦ Error handling if viewers seek to view without permissions
  ◦ Roles
  ◦ Limited view of only what viewer has permission to see
  ◦ Roles
  ◦ Secure Access Layer/Firewall Protection
  ◦ Session Content - logging
  ◦ Single Access Point - no back doors
  ◦ Cross-Domain Guards

Data Risk Management (How Can Data Be Protected)
• Audits
  – Liability exposures
  – Compliance risks
  – Unmet data security requirements
  – End-to-end security checks
• Risk Mitigation
  – Data replication/versions
  – Altered data
  – Logs
  – Exception monitoring
  – Event alerts

References
• Data Warehouse
  – Inmon, W., Security in the data warehouse: data privatization, Enterprise Systems Journal, 11, n3, p.76, March 1996
  – Mack, D. & Cain, M., The Essential Guide to Security and The Data Warehouse, 2010
  – Zhang, N. & Zhao, W., Privacy-preserving data mining systems, IEEE Computer Society, 2007
  – Zhang, N. & Zhao, W., Privacy-preserving OLAM: An information-theoretic approach, IEEE Computer Society, 2009
• Net-Centric Environments/Communities
  – DoD Net-Centric Data Strategy, 2003
  – DoD Metadata Discovery Specification, 2003
• Security Access Controls
  – Ambler, S., Agile Database Techniques, 2003
• Security Plan
  – Kimball, R., "Hackers, Crackers, and Spooks," DBMS 10, n4, p.14, April 1997
• Data Risk Management
  – Winn, J. & Wrathall, J., Who Owns the Customer? The emerging law of commercial transactions in electronic customer data, http://www.law.washington.edu/Profile.aspx?ID=103&vw=pubs