Secure Information Sharing Models for Community Cyber Security Ravi Sandra

Secure information sharing (sis) models


Page 1

Secure Information Sharing Models for Community Cyber Security

Ravi Sandra

Page 2

Agenda

1. Overview

2. SIS Major Challenges

3. Community Cyber Security

4. The Current Status…

5. Requirements

6. Life-Cycle of a Cyber Incident

7. Privacy Consent State of Mind

8. National Strategy Could Nudge SIS Forward

9. Goals

Page 3

1. Overview

• “Share but protect”

• Saltzer-Schroeder [1] identified the desirability and difficulty of maintaining:

• “some control over the user of the information even after it has been released”

[1] J. Saltzer and M. Schroeder. The Protection of Information in Computer Systems. Proceedings of the IEEE, 63(9):1278–1308, 1975.

Page 4

2. SIS Major Challenges

• Policy Challenge

• Modeling, specifying and enforcing SIS policies

• Need intuitive yet formal models, guaranteed security properties, etc.

• Containment Challenge

• Ensure that protected information is accessible to users as permitted by the policy

• Security mechanisms such as authentication, cryptography, trusted hardware, etc.

Page 5

3. Community Cyber Security

• Community refers to a geographical area

• E.g. a county or a city with a demarcated boundary

• The Center for Infrastructure Assurance and Security at UTSA conducts nationwide cyber security preparedness exercises and training

• communication

• incident response

• disaster recovery

• business continuity

• security awareness, etc.

Page 6

4. The Current Status…

• Exchange of business cards

• No process exists for information sharing

• Technology is not the bottleneck

• Resistance due to political/competitive reasons

• Also want to avoid embarrassment

• E.g. by sharing attack data

• Participants have no clue as to what to share and how to effectively specify what to share

Page 7

5. Requirements

• Need abstract models

• With rigorous mathematical foundations

• Should ease administration

• Classic models are limited

• Discretionary Access Control

• Too low-level to configure

• Lattice-Based Access Control (e.g. Bell-LaPadula)

• Rigid

• One directional info flow is not the primary concern

• Lots of work on Dynamic Coalitions

• Often heavy-weight

• Mainly focus on technological/infrastructural integration

Page 8

6. Life-Cycle of a Cyber Incident: Secure Sharing in a Community

[Diagram: three groups (Core Group, Incident Group, Open Group); labels: Conditional Membership, Automatic Membership, Administered Membership, Filtered RW]

Page 9

7. Privacy Consent State of Mind

• The space of Privacy Consent is full of trepidation. I would like to show that although there is complexity, there is also simplicity. The complexity comes in the fine details. The fundamentals, and the technology, are simple.

• Privacy Consent can be viewed as a "State Diagram": by showing the current state of a patient's consent, we can show the changes in state. This is the modeling tool I will use here.

Page 10

Privacy Consent State of Mind

• I will focus on how Privacy Consent relates to the access to Health Information, that is shared through some form of Health Information Exchange (HIE).

• The architecture of this HIE doesn't matter; it could be PUSH or PULL or anything else. The concepts I show can apply anywhere, but for simplicity think only about the broad use of healthcare information sharing across organizations.

Page 11

Privacy Consent of OPT-OUT

• At the right is the diagram for an OPT-OUT environment, one where the patient has the choice to OPT-OUT, that is, to stop the use of their data. This means there is a presumption that, when there is no evidence of a choice by the patient, the data can be used.

Page 12

Privacy Consent of OPT-IN

• At the right is the diagram for an OPT-IN environment. In an OPT-IN environment the patient is given the opportunity to ALLOW sharing of their information. This means that there is a presumption that the patient does not want their health information shared. I would view it more as a respect for the patient to make the decision.

Page 13

Privacy Consent: YES vs NO

• The reality of privacy consent is that there will be a number of patients that will change their mind. This is just human nature, and there are many really good reasons they might change their mind. A patient that has given OPT-IN authorization might revoke their authorization. A patient that has indicated they don't want their data to be shared might decide that they now do want to share their data.

Page 14

Privacy Consent of Maybe

• There are those that have special circumstances that really require special handling.

• This state is an indicator, just like "YES" or "NO", but in this case it indicates that there are patient-specific rules. These patient-specific rules likely start with a "YES" or a "NO" and then apply additional rules.

Page 15

Privacy Consent of Maybe

• These additional rules might be to block a specific time-period, block a specific report, block a specific person from access, allow a specific person access, etc.

• These special rules are applied against each access. Note that the state diagram shows transitions between all three states. It is possible that one goes into the "MAYBE" state forever, or just for a while.
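The OPT-IN / OPT-OUT presumption and the YES / NO / MAYBE consent states from the preceding slides, worked through as a small consent state machine that is evaluated against each access. This is an added example, not code from the deck; the Rule fields, the use of ISO date strings for time periods, and the last-matching-rule-wins precedence are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Consent states from the deck: "YES", "NO", or "MAYBE" (patient-specific rules).
# OPT-IN / OPT-OUT only sets the presumption while no choice is recorded (None).

@dataclass
class Rule:
    effect: str                       # "allow" or "block" (hypothetical shape)
    requester: Optional[str] = None   # allow/block a specific person
    report: Optional[str] = None      # block a specific report
    start: Optional[str] = None       # block a time period; ISO "YYYY-MM-DD"
    end: Optional[str] = None         # strings compare correctly as dates

    def matches(self, requester: str, report: str, when: str) -> bool:
        if self.requester is not None and self.requester != requester:
            return False
        if self.report is not None and self.report != report:
            return False
        if self.start is not None and not (self.start <= when <= (self.end or "9999-12-31")):
            return False
        return True

@dataclass
class Consent:
    environment: str                  # "OPT-IN" or "OPT-OUT"
    state: Optional[str] = None       # None until the patient records a choice
    base: str = "NO"                  # the YES/NO that MAYBE rules start from
    rules: List[Rule] = field(default_factory=list)

    def transition(self, new_state: str, base: str = "NO", rules=()) -> None:
        # The diagram has transitions between all three states: none is a dead end.
        if new_state not in ("YES", "NO", "MAYBE"):
            raise ValueError(new_state)
        self.state, self.base, self.rules = new_state, base, list(rules)

    def permits(self, requester: str, report: str, when: str) -> bool:
        if self.state is None:                  # no choice: environment presumption
            return self.environment == "OPT-OUT"
        if self.state != "MAYBE":               # plain YES / NO
            return self.state == "YES"
        # MAYBE: start from the base answer, then apply each patient-specific rule
        # against this access. Last matching rule wins (assumed; the deck is silent).
        decision = self.base == "YES"
        for rule in self.rules:
            if rule.matches(requester, report, when):
                decision = rule.effect == "allow"
        return decision
```

A patient moving from silence to NO and then to MAYBE with a blocked report, a blocked month and one always-allowed clinician exercises every state and the revocation path.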

Page 16

8. National Strategy Could Nudge SIS Forward

• In the early days of the Obama administration, the president declared cyberspace a critical asset. Since then, little more than lip service has been paid on a policy level to the security of the country’s critical infrastructure, despite increasing public awareness of the problem and high-profile attacks on business and government alike.

Page 17

National Strategy Could Nudge SIS Forward

• In December 2013, there was more movement. The White House released the National Strategy for Information Sharing and Safeguarding, a framework for government agencies to share attack data to repel terrorist threats, cyberattacks and more.

Page 18

National Strategy Could Nudge SIS Forward

• The strategy stresses that information must be treated as a national asset and that such data must be made available to support national security. It also urges agencies to work together to identify and reduce risks, rather than not share at all. Information, the document states, must underlie all decisions.

Page 19

9. Goals

The president hopes the strategy achieves five goals:

• Drive collective action through collaboration and accountability: Using models to build trust and simplify the processes for sharing.

• Improve information discovery and access through common standards: Doing so paves the way for less ambiguous policies. To achieve this, secure access via authentication and authorization controls, data classification and sharing standards is vital.

Page 20

Goals

• Optimize mission effectiveness through shared services and interoperability: Bettering the efficacy of how information is acquired and shared is key here.

• Strengthen information safeguarding through structural reform, policy and technical solutions: This calls for controls on data and for monitoring of insider and external attacks, to better stave off threats to systems and information.

Page 21

Goals

• Protect privacy, civil rights and civil liberties through consistency and compliance: Public trust must be a key consideration here, the document stresses. Privacy and civil protections must be built into any sharing mechanism.