1. Analyzing and Securing Social Networks Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #3 Introduction to Data and Applications Security August 28, 2015

2. Outline l Data and Applications Security - Developments and Directions l Secure Semantic Web - XML Security; Other directions l Some Emerging Secure DAS Technologies - Secure Sensor Information Management; Secure Dependable Information Management l Some Directions for Privacy Research - Data Mining for handling security problems; Privacy vs. National Security; Privacy Constraint Processing; Foundations of the Privacy Problem l What are the Challenges?

3. Developments in Data and Applications Security: 1975 - Present l Access Control for Systems R and Ingres (mid 1970s) l Multilevel secure database systems (1980 – present) - Relational database systems: research prototypes and products; Distributed database systems: research prototypes and some operational systems; Object data systems; Inference problem and deductive database system; Transactions l Recent developments in Secure Data Management (1996 – Present) - Secure data warehousing, Role-based access control (RBAC); E- commerce; XML security and Secure Semantic Web; Data mining for intrusion detection and national security; Privacy; Dependable data management; Secure knowledge management and collaboration

4. Developments in Data and Applications Security: Multilevel Secure Databases - I l Air Force Summer Study in 1982 l Early systems based on Integrity Lock approach l Systems in the mid to late 1980s, early 90s - E.g., Seaview by SRI, Lock Data Views by Honeywell, ASD and ASD Views by TRW - Prototypes and commercial products - Trusted Database Interpretation and Evaluation of Commercial Products l Secure Distributed Databases (late 80s to mid 90s) - Architectures; Algorithms and Prototype for distributed query processing; Simulation of distributed transaction management and concurrency control algorithms; Secure federated data management

5. Developments in Data and Applications Security: Multilevel Secure Databases - II l Inference Problem (mid 80s to mid 90s) - Unsolvability of the inference problem; Security constraint processing during query, update and database design operations; Semantic models and conceptual structures l Secure Object Databases and Systems (late 80s to mid 90s) - Secure object models; Distributed object systems security; Object modeling for designing secure applications; Secure multimedia data management l Secure Transactions (1990s) - Single Level/ Multilevel Transactions; Secure recovery and commit protocols

6. Some Directions and Challenges for Data and Applications Security - I l Secure semantic web and Social Networks - Security models l Secure Information Integration - How do you securely integrate numerous and heterogeneous data sources on the web and otherwise l Secure Sensor Information Management - Fusing and managing data/information from distributed and autonomous sensors l Secure Dependable Information Management - Integrating Security, Real-time Processing and Fault Tolerance l Data Sharing vs. Privacy - Federated database architectures?

7. Some Directions and Challenges for Data and Applications Security - II l Data mining and knowledge discovery for intrusion detection - Need realistic models; real-time data mining l Secure knowledge management - Protect the assets and intellectual rights of an organization l Information assurance, Infrastructure protection, Access Control - Insider cyber-threat analysis, Protecting national databases, Role-based access control for emerging applications l Security for emerging applications - Geospatial, Biomedical, E-Commerce, etc. l Other Directions - Trust and Economics, Trust Management/Negotiation, Secure Peer-to-peer computing,

8. Coalition Data and Policy Sharing Export Data/Policy Component Data/Policy for Agency A Data/Policy for Federation Export Data/Policy Component Data/Policy for Agency C Component Data/Policy for Agency B Export Data/Policy

9. Other topics of Interest l Secure Cloud Computing l Mobile code security l Vulnerability Analysis l Infrastructure security - Power grid l Healthcare Security l Financial Security

10. Access Control l Discretionary Access Control in Relational Databases l Mandatory Access Control in Relational Databases - Security Constraints l Types of Access Control - Inference problem, Role-based, Temporal, Usage l Access Control in Other Databases - Objects, Federated l Current Trends in Access Control - Date Warehousing, Semantic Web, Privacy Control l Next Steps in Access Control

11. Access Control in Relational Databases: 1975 - Present l Access Control policies were developed initially for file systems - E.g., Read/write policies for files l Access control in databases started with the work in System R and Ingres Projects - Access Control rules were defined for databases, relations, tuples, attributes and elements - SQL and QUEL languages were extended l GRANT and REVOKE Statements l Read access on EMP to User group A Where EMP.Salary > 30K and EMP.Dept <> Security - Query Modification: l Modify the query according to the access control rules l Retrieve all employee information where salary > 30K and Dept is not Security

12. Query Modification Algorithm l Inputs: Query, Access Control Rules l Output: Modified Query l Algorithm: - Given a query Q, examine all the access control rules relevant to the query - Introduce a Where Clause to the query that negates access to the relevant attributes in the access control rules l Example: rules are John does not have access to Salary in EMP and Budget in DEPT l EMP (E#, Ename, Salary, D#), DEPT (D#, Dname, Budg, Mgr) Query is to join the EMP and DEPT relations on Dept # l Modify the query to Join EMP and DEPT on Dept # and project on all attributes except Salary and Budget - Output is the resulting query

13. Mandatory Access Control (MAC) in Databases: 1982- Present l Bell and LaPadula Policy adapted for databases - Read at or below your level and Write at your level; Granularity of classification: Databases, Relations, Tuples, Attributes, Elements (Note: writing above your level is not a security problem) l Security Architectures - Operating system providing mandatory access control and DBMS is untrusted with respect to MAC (e.g., SRI’s SeaView) - Trusted Subject Architecture where DBMS is trusted with respect to MAC (e.g., TRW’s ASD and ASD Views) - Integrity Lock where Trusted front-end computes checksums (e.g., MITRE’s MISTRESS Prototype) - Distributed Architecture where data is distributed according to security levels and access through trusted front-end (e.g., NRL’s SINTRA) Extended Kernel for Security Policy Enforcement such as constraints (e.g., Honeywell’s Lock Data Views)

14. Security Constraints / Access Control Rules l Simple Constraint: John cannot access the attribute Salary of relation EMP l Content-based constraint: If relation MISS contains information about missions in the Middle East, then John cannot access MISS l Association-based Constraint: Ship’s location and mission taken together cannot be accessed by John; individually each attribute can be accessed by John l Release constraint: After X is released Y cannot be accessed by John l Aggregate Constraints: Ten or more tuples taken together cannot be accessed by John l Dynamic Constraints: After the Mission, information about the mission can be accessed by John

15. Enforcement of Security Constraints User Interface Manager Constraint Manager Security Constraints Query Processor: Constraints during query and release operations Update Processor: Constraints during update operation Database Design Tool Constraints during database design operation Database Relational DBMS

16. Other Developments in Access Control l Inference Problem and Access Control - Inference problem occurs when users pose queries and deduce unauthorized information from the legitimate responses - Security constraint processing for controlling inferences - More recently there is work on controlling release information instead of controlling access to information l Temporal Access Control Models - Incorporates time parameter into the access control models l Role-based access control - Controlling access based on roles of people and the activities they carry out; Implemented in commercial systems l Positive and Negative Authorizations - Should negative authorizations be explicitly specified? How can conflicts be resolved?

17. Some Examples l Temporal Access Control - After 1/1/05, only doctors have access to medical records l Role-based Access Control - Manager has access to salary information - Project leader has access to project budgets, but he does not have access to salary information - What happens if the manager is also the project leader? l Positive and Negative Authorizations - John has write access to EMP - John does not have read access to DEPT - John does not have write access to Salary attribute in EMP - How are conflicts resolved?

18. Privacy Constraints / Access Control Rules l Privacy constraints processing - Simple Constraint: an attribute of a document is private - Content-based constraint: If document contains information about X, then it is private - Association-based Constraint: Two or more documents taken together is private; individually each document is public - Release constraint: After X is released Y becomes private l Augment a database system with a privacy controller for constraint processing

19. Integrated Architecture for Privacy Constraint Processing User Interface Manager Constraint Manager Privacy Constraints Query Processor: Constraints during query and release operations Update Processor: Constraints during update operation XML Database Design Tool Constraints during database design operation Database Relational DBMS

20. Other Policies l Trust Policies - To what extent do you trust the source of the data - How can trust be propagated - Adding trust value to each piece of data - A trusts B and B trusts C, does this mean A trusts C? - A department head sends messages to all the faculty; however he/she may not trust a particular person - Developing a language to specify trust l Integrity Policies - Maintaining the quality of the data - Adding an attribute to each piece of data to specify the quality - Quality also depends on how much you trust the source - Algebra for data quality

21. Access Control in Databases: Next Steps l Access Control in Databases will continue to be very important - We also need to examine alternatives l We need new kinds of access control models - 1975 models may not be suitable for emerging applications such as semantic web, e-commerce and stream data management - Role-based access control has become very popular and is implemented now in commercial systems. What variations of this model are appropriate for emerging applications? l End-to-end security is critical - We cannot have secure databases and have insecure networks and middleware; Composability l Flexible security policies - Confidentiality, Authenticity, Completeness, Integrity, Trust, Privacy, Data Quality, etc.

22. Policies l Need to Know to Need to Share l RBAC l UCON l ABAC l Dissemination l Risk based access control l Trust Management/Credential/Disclosure l Directions l Major conferences for Policy and Access Control: - IEEE Policy Workshop - ACM SACMAT

23. Need to Know to Need to Share l Need to know policies during the cold war; even if the user has access, does the user have a need to know? l Post 9/11 the emphasis is on need to share - User may not have access, but needs the data l Do we give the data to the user and then analyze the consequences l Do we analyze the consequences and then determine the actions to take l Do we simply not give the data to the user l What are risks involved?

24. RBAC l Access to information sources including structured and unstructured data both within the organization and external to the organization l Access based on roles l Hierarchy of roles: handling conflicts l Controlled dissemination and sharing of the data

25. RBAC (Sandhu)

26. UCON l RBAC model is incorporated into UCON and useful for various applications - Authorization component l Obligations - Obligations are actions required to be performed before an access is permitted - Obligations can be used to determine whether an expensive knowledge search is required l Attribute Mutability - Used to control the scope of the knowledge search l Condition - Can be used for resource usage policies to be relaxed or tightened

27. UCON (Sandhu)

28. Role-based Usage Control (RBUC) RBAC with UCON extension

29. Release and Dissemination Policies l Release policies will determine to whom to release the data - What is the connection to access control - Is access control sufficient - Once the data is retrieved from the information source (e.g., database) should it be released to the user l Once the data is released, dissemination policies will determine who the data can be given to - Electronic music, etc.

30. ABAC: Attribute-based Access Control l User specifies his/her attributes (e.g., gender, citizenship) l Policies would specify access based on user credentials l Open environment l XACML

31. Risk Based Data Sharing/Access Control l What are the risks involved in releasing/disseminating the data l Risk modeling should be integrated with the access control model l Simple method: assign risk values l Higher the risk, lower the sharing l What is the cost of releasing the data? l Cost/Risk/Security closely related

32. Trust Management l Trust Services - Identify services, authorization services, reputation services l Trust negotiation (TN) - Digital credentials, Disclosure policies l TN Requirements - Language requirements l Semantics, constraints, policies - System requirements l Credential ownership, validity, alternative negotiation strategies, privacy l Example TN systems - KeyNote and Trust-X (U of Milan), TrustBuilder (UIUC)

33. Trust Management

34. The problem: establishing trust in open systems l Mutual authentication - Assumption on the counterpart honesty no longer holds - Both participants need to authenticate each other  Interactions between strangers - In conventional systems user identity is known in advance and can be used for performing access control - In open systems partecipants may have no pre-existing relationship and may not share a common security domain

35. Trust Negotiation model l A promising approach for open systems where most of the interactions occur between strangers l The goal : establish trust between parties in order to exchange sensitive information and services l The approach : establish trust by verifying properties of the other party

36. Trust negotiation: the approach Interactions between strangers in open systems are different from traditional access control models Policies and mechanisms developed in conventional systems need to be revised USER ID’s VS. SUBJECT PROPERTIES ACCESS CONTROL POLICIES VS. DISCLOSURE POLICIES

37. Subject properties: digital credentials l Assertion about the credential owner issued and certified by a Certification Authority. CA  Each entity has an associated set of credentials, describing properties and attributes of the owner.

38. Use of Credentials Credential Issuer Digital Credentials -Julie -3 kids -Married -American Company A Company B Want to know citizenship Want to know marital status -Julie - American -Julie - Married Alice Check Referenced from http://www.credentica.com/technology/overview.pdfhttp://www.credentica.com/technology/overview.pdf

39. Credentials l Credentials can be expressed through the Security Assertion Mark-up Language (SAML) l SAML allows a party to express security statements about a given subject - Authentication statements - Attribute statements - Authorization decision statements

40. Disclosure policies l Disclosure policies govern: Access to protected resources Access to sensitive information Disclosure of sensitive credentials l Disclosure policies express trust requirements by means of credential combinations that must be disclosed to obtain authorization Disclosure policies

41. Disclosure policies - Example l Suppose NBG Bank offers loans to students l To check the eligibility of the requester, the Bank asks the student to present the following credentials - The student card - The ID card - Social Security Card - Financial information – either a copy of the Federal Income Tax Return or a bank statement

42. Disclosure policies - Example p1= ({}, Student_Loan  Student_Card()); p2= ({p1}), Student_Loan  Social_Security_Card()); p3= ({p2}, Student_Loan  Federal_Income_Tax_Return()); p4= ({p2}, Student_Loan  Bank_Statement()); P5=({p3,p4}, Student_Loan  DELIV); These policies result in two distinct “policy chains” that lead to disclosure [p1, p2, p3, p5][p1, p2, p4, p5]

43. Trust Negotiation - definition The gradual disclosure of credentials and requests for credentials between two strangers, with the goal of establishing sufficient trust so that the parties can exchange sensitive information and/or resources

44. Directions l Policies are of much interest to many organizations and applications - Financial, Medical, Retail, Manufacturing etc l Roles and responsibilities l Flexible policies l RBAC, UCON, RBUC, Trust Negotiation, Dissemination Policies l Need to Know to Need to Share l IEEE POLICY and ACM SACMAT