Collaboration requirements: a point of failure in protecting information

Abstract

It is sometimes necessary to collaborate with individuals and organizations which should not be fully trusted. Collaborators must be authorized to access information systems some of the data in which, typically, should be withheld. New collaborations require dynamic alterations to security provisions. Solutions based on extending access control to deal with collaborations are either awkward and costly, or unreliable. An alternative approach, complementing basic access control, is results filtering. Content filtering is also costly, but provides a number of benefits not obtainable with access control alone. The most important is that the complexity of setting up and maintaining isolating information cells for every combination of access rights is avoided. New classes of collaborators can be added without requiring a reorganization of the entire information structure. There is no overhead for internal use. Since content of documents, not their labels, is checked, misfiling will not cause inappropriate release. The approach used in the TIHI/SAW projects at Stanford uses simple rules to drive filtering primitives. The filters run on a modest, but dedicated computer managed by a security officer. The rules implement the security policy and balance manual effort and complexity. The functional allocation of responsibilities is good. Result filtering can also be used to implement pure intrusion detection, since it is invisible. The intruder can be given an impression of success, while becoming a target for monitoring or cover stories.