Steven Dawson (1), Pierangela Samarati (1), and Gio Wiederhold (2)

(1) Computer Science Laboratory, SRI International, 333 Ravenswood Ave., Menlo Park, CA 94025. Phone: 650-859-5390/3927. Fax: 650-859-2844. {dawson, samarati}@csl.sri.com

(2) Computer Science Department, Stanford University, Stanford, CA 94305-9040. gio@cs.stanford.edu
We are currently active in two projects that address the problem of protecting information assets in a selectively shared environment: Trusted Interoperation of Healthcare Information Systems (TIHI), sponsored by the National Science Foundation, and the Secure Access Wrapper (SAW) project, sponsored by DARPA/ITO. In the TIHI project we have made progress toward the definition and composition of mandatory policies independently specified by component systems to regulate access to and retrieval of their resources when entering a collaboration. The TIHI approach uses a security workstation in the firewall to enforce mandatory access control policies. This approach allows collaborators to interoperate and make their data selectively available to external applications, while maintaining local autonomy and security. Sources can be heterogeneous with respect to both the data model and the security lattices governing access control. The software is based on the use of wrappers and mediators. A wrapper for each data source provides a uniform data model interface to the global system. The wrapper also provides translation services for mapping between the security levels of subjects (at the application level) and objects in the local data source. A mediator interfaces one or more applications with the wrapped sources. It provides for the specification of mappings between application and source security lattices, and for ensuring that these mappings are consistent. The mediator also provides for the definition of semantic mappings between applications and data sources. At run time, the mediator provides interoperation by processing every application query for global access control, matching and transformation to queries answerable by data sources, and information retrieval from the sources. We have implemented a prototype system that demonstrates our approach on a practical application involving selective sharing of medical information. 
We also have aided in the installation of such a security mediator in a high-risk commercial setting.
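The mediator described above has two jobs that are easy to get wrong: checking that a mapping between an application's security lattice and a source's lattice is consistent, and then using that mapping to make a mandatory access decision on an external query. The following is an added illustration, not TIHI code; the lattice representation, the hospital-portal levels, the records-database levels and the function names are all constructed for the example. A mapping is treated as consistent when it is total on the application lattice, lands in the source lattice, and preserves dominance, so that a subject ranked above another at the application level is never ranked below it once translated to the source.

```python
"""Mediator-style mapping between an application's security lattice and a
data source's lattice, with a consistency check and a mandatory (no-read-up)
access decision.  Added illustration with constructed lattices and names;
this is not the TIHI/SAW implementation."""


class Lattice:
    """Finite security lattice described by its levels and the direct
    'lower dominated by higher' edges; dominance is the reflexive-transitive
    closure of those edges.  Only the dominance order is used here."""

    def __init__(self, name, levels, edges):
        self.name = name
        self.levels = set(levels)
        for lo, hi in edges:
            if lo not in self.levels or hi not in self.levels:
                raise ValueError(f"{self.name}: edge {lo}<{hi} uses unknown level")
        # below[h] = set of levels that h dominates, including h itself
        below = {lvl: {lvl} for lvl in self.levels}
        for lo, hi in edges:
            below[hi].add(lo)
        changed = True
        while changed:  # transitive closure by repeated propagation
            changed = False
            for hi in self.levels:
                grown = set().union(*(below[m] for m in below[hi]))
                if not grown <= below[hi]:
                    below[hi] |= grown
                    changed = True
        self._below = below

    def dominates(self, a, b):
        """True if level a dominates (is at least as restrictive as) level b."""
        return b in self._below[a]


def mapping_violations(app, src, mapping):
    """Return a sorted list of reasons why 'mapping' (application level ->
    source level) is not a consistent translation; empty means consistent."""
    problems = []
    for lvl in app.levels:
        if lvl not in mapping:
            problems.append(f"unmapped application level {lvl}")
        elif mapping[lvl] not in src.levels:
            problems.append(f"{lvl} maps to unknown source level {mapping[lvl]}")
    if problems:
        return sorted(problems)
    for a in app.levels:
        for b in app.levels:
            # order preservation: a >= b at the application must survive translation
            if app.dominates(a, b) and not src.dominates(mapping[a], mapping[b]):
                problems.append(
                    f"{a}>={b} in {app.name} but {mapping[a]}>={mapping[b]} "
                    f"fails in {src.name}")
    return sorted(problems)


def authorize_read(app, src, mapping, subject_level, object_level):
    """Mediator decision for an external read: translate the application-level
    subject clearance into the source lattice and require it to dominate the
    object's source-level classification (no read up).  An inconsistent
    mapping is refused outright rather than partially honoured."""
    if mapping_violations(app, src, mapping):
        return False
    return src.dominates(mapping[subject_level], object_level)


# --- constructed sample configuration -----------------------------------
# Application side: a three-level chain used by a hospital portal.
APP = Lattice("portal", ["public", "patient", "clinician"],
              [("public", "patient"), ("patient", "clinician")])
# Source side: a records database whose 'billing' and 'clinical' levels are
# incomparable compartments below 'restricted'.
SRC = Lattice("records", ["open", "billing", "clinical", "restricted"],
              [("open", "billing"), ("open", "clinical"),
               ("billing", "restricted"), ("clinical", "restricted")])

GOOD_MAP = {"public": "open", "patient": "clinical", "clinician": "restricted"}
# Inverts the order of 'patient' and 'clinician' and must be rejected.
BAD_MAP = {"public": "open", "patient": "restricted", "clinician": "clinical"}

if __name__ == "__main__":
    print("good mapping problems:", mapping_violations(APP, SRC, GOOD_MAP))
    print("bad mapping problems:", mapping_violations(APP, SRC, BAD_MAP))
    for subj, obj in [("patient", "clinical"), ("patient", "billing"),
                      ("clinician", "billing")]:
        print(subj, "reads", obj, "->",
              authorize_read(APP, SRC, GOOD_MAP, subj, obj))
```

With the consistent mapping, a portal "patient" can read "clinical" records but not "billing" ones, because the two source compartments are incomparable; a "clinician" dominates both. The inverted mapping produces exactly one violation (clinician above patient at the portal, but "clinical" does not dominate "restricted" at the source), and every access through it is refused, which is the conservative choice when the translation itself cannot be trusted.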
The SAW project encompasses a broader spectrum of issues concerning the specification and realization of security wrappers for protection of sensitive or proprietary local information, while permitting dissemination of data that needs to be shared. By employing such wrappers, organizations can share their information with others selectively, with the assurance that information to be protected will neither be improperly and directly accessed, nor indirectly disclosed through other released information. A key goal of SAW technology is to bring a substantial level of automation to trusted information sharing, thereby reducing organizations' reliance on manual, often paper-based, methods for information release that can be cumbersome and costly. SAW technology will form the basis of an automated tool kit for generation of composable security wrappers. Databases wrapped by SAWs can then combine to form scalable, secure information systems.
In the SAW architecture, external accesses are handled via the wrapper, while internal accesses are unaffected. In this way, only external accesses incur any added expense or delay resulting from the SAW's security mechanisms. The SAW for each database or organization is specified and maintained by the security officer, who is responsible for ensuring that the security policy of the organization is enforced. From the security officer's point of view, creating a SAW involves specifying, with the help of the SAW tool kit, the security policy of the underlying database. From this specification, the SAW tool kit generates a wrapper for the database. Thus, the SAW tool kit is effectively a wrapper generator easily customizable to the different security policies that may need to be enforced in component databases. The language of security constraints permitted in a SAW specification attempts to strike a reasonable balance between expressiveness of security requirements and efficiency of analysis.
The SAW consists of a variety of techniques and tools to provide mandatory enforcement of its security policy on external accesses, addressing four key issues in information-system security: access control, composability and scalability, auditing, and assurance. Tools provided by SAW also allow validation of design drawings and other multimedia objects, items that have not been the focus of past security tools, but are becoming an increasingly large fraction of information interchange.
The SAW security mediator enforces mandatory access control to guarantee that all requests for information, and any data released as a result, meet the requirements of the data holder's security policy. It provides uniform query and security interfaces to permit direct composition and interoperation of wrapped databases. These interfaces allow composed systems to be analyzed to determine whether and how interoperation may lead to compromises of local security constraints. The SAW also provides for selective auditing of information requests and releases, so that potential compromises resulting from sequences of requests can be detected and prevented. Finally, the SAW addresses assurance through security policy transformation. Rather than enforcing security policies itself, the SAW transforms its security policies into those enforceable by internal databases, when possible.
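The auditing requirement above is about sequences: each request on its own may satisfy the policy while the accumulated releases to one requester do not. The following added example (constructed; not SAW's specification language or tool kit) shows the shape of such a check. A release constraint is a set of attributes that must never all reach the same external requester; the auditor keeps a per-requester record of what has already been released and denies a request that would complete a forbidden set, logging the decision either way.

```python
"""Audit-driven release check over a sequence of external requests.
Added illustration; the attribute names, the constraint and the log layout
are constructed and are not SAW's own policy language."""

from collections import defaultdict


class ReleaseAuditor:
    """Records what has been released to each external requester and refuses
    a request that, combined with earlier releases to the same requester,
    would complete a forbidden combination of attributes."""

    def __init__(self, forbidden_combinations):
        # each constraint: attributes that must never all be released to one
        # requester, whatever the order of the requests
        self.forbidden = [frozenset(c) for c in forbidden_combinations]
        self.released = defaultdict(set)   # requester -> attributes released so far
        self.log = []                       # (requester, attributes, decision, reason)

    def request(self, requester, attributes):
        """Decide one request; True means the attributes are released."""
        wanted = set(attributes)
        would_hold = self.released[requester] | wanted
        for combo in self.forbidden:
            if combo <= would_hold:
                reason = "would complete forbidden combination " + ",".join(sorted(combo))
                self.log.append((requester, sorted(wanted), "DENY", reason))
                return False
        self.released[requester] |= wanted
        self.log.append((requester, sorted(wanted), "ALLOW", ""))
        return True

    def denials(self):
        """Audit view: only the refused requests."""
        return [entry for entry in self.log if entry[2] == "DENY"]


def replay(auditor, requests):
    """Evaluate a sequence of (requester, attributes) pairs in order and
    return the list of decisions."""
    return [auditor.request(requester, attrs) for requester, attrs in requests]


# constructed constraint: the identifying attributes and the diagnosis must
# not all go to the same requester
CONSTRAINTS = [{"zip_code", "birth_date", "sex", "diagnosis"}]

# constructed request sequence from two requesters
REQUESTS = [
    ("researcher_a", ["zip_code", "birth_date"]),
    ("researcher_a", ["diagnosis"]),
    ("researcher_a", ["sex"]),               # completes the combination: denied
    ("researcher_b", ["sex", "diagnosis"]),  # different requester: allowed
]

if __name__ == "__main__":
    auditor = ReleaseAuditor(CONSTRAINTS)
    print(replay(auditor, REQUESTS))
    for entry in auditor.log:
        print(entry)
```

The third request is refused even though "sex" alone is harmless, because together with the earlier releases it would complete the forbidden set; the same attributes going to a second requester are allowed. The record is keyed per requester, so the check as written says nothing about two requesters pooling their results; a deployment that worried about that would need a coarser key (an organization, say) or a separate review of the combined log, which is exactly the kind of analysis the audit trail is kept for.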