ITTChapter_07_Slides

ITTChapter_07_Slides - 9/6/2010 Chapter 7: Hybrid Policies...

Chapter 7: Hybrid Policies

Overview (Slide #7-1)
• Overview
• Chinese Wall Model
• Clinical Information Systems Security Policy
• ORCON
• RBAC

Overview (Slide #7-2)
• Chinese Wall Model – Focuses on conflict of interest
• CISS Policy – Combines integrity and confidentiality
• ORCON – Combines mandatory, discretionary access controls
• RBAC – Base controls on job function

Chinese Wall Model – Problem (Slide #7-3)
• Problem:
  – Tony advises American Bank about investments
  – He is asked to advise Toyland Bank about investments
• Conflict of interest to accept, because his advice for either bank would affect his advice to the other bank

Organization (Slide #7-4)
• Organize entities into “conflict of interest” classes
• Control subject accesses to each class
• Control writing to all classes to ensure information is not passed along in violation of rules
• Allow sanitized data to be viewed by everyone

Definitions (Slide #7-5)
• Objects: items of information related to a company
• Company dataset (CD): contains objects related to a single company
  – Written CD(o)
• Conflict of interest class (COI): contains datasets of companies in competition
  – Written COI(o)
  – Assume: each object belongs to exactly one COI class

Example (Slide #7-6)
• Bank COI Class: Bank of America, Citibank, Bank of the West
• Gasoline Company COI Class: Shell Oil, Union ’76, Standard Oil, ARCO

Temporal Element (Slide #7-7)
• If Anthony reads any CD in a COI, he can never read another CD in that COI
  – Possible that information learned earlier may allow him to make decisions later
  – Let PR(s) be the set of objects that s has already read

CW-Simple Security Condition (Slide #7-8)
• s can read o iff either condition holds:
  1. There is an o′ such that s has accessed o′ and CD(o′) = CD(o)
     – Meaning s has read something in o’s dataset
  2. For all o′ ∈ O, o′ ∈ PR(s) ⇒ COI(o′) ≠ COI(o)
     – Meaning s has not read any objects in o’s conflict of interest class
• Ignores sanitized data (see below)
• Initially, PR(s) = ∅, so the initial read request is granted

Sanitization (Slide #7-9)
• Public information may belong to a CD
  – As it is publicly available, no conflicts of interest arise
  – So, it should not affect the ability of analysts to read
  – Typically, all sensitive data removed from such information before it is released publicly (called sanitization)
• Add third condition to CW-Simple Security Condition:
  3. o is a sanitized object

Writing (Slide #7-10)
• Anthony, Susan work in same trading house
• Anthony can read Bank 1’s CD, Gas’ CD
• Susan can read Bank 2’s CD, Gas’ CD
• If Anthony could write to Gas’ CD, Susan can read it
  – Hence, indirectly, she can read information from Bank 1’s CD, a clear conflict of interest

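As an added example (not from the slides themselves), the following Python model implements the CW-Simple Security Condition with the sanitization clause (conditions 1–3) and replays the temporal element over the Bank and Gasoline COI classes from the Example slide; the object names, the `PR` table and the `anthony_scenario` walk-through are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed objects using the slides' Bank and Gasoline COI classes.
# Fields mirror the slide definitions: CD(o), COI(o), sanitized flag.
@dataclass(frozen=True)
class Obj:
    name: str
    cd: str              # company dataset CD(o)
    coi: str             # conflict of interest class COI(o)
    sanitized: bool = False

# PR(s): the set of unsanitized objects each subject has already read.
PR: dict[str, set] = {}

def can_read(s: str, o: Obj) -> bool:
    """CW-Simple Security Condition with the sanitization clause (1-3)."""
    pr = PR.setdefault(s, set())
    if o.sanitized:                          # 3. public data never conflicts
        return True
    if any(p.cd == o.cd for p in pr):        # 1. s already holds o's dataset
        return True
    return all(p.coi != o.coi for p in pr)   # 2. no o' in PR(s) shares COI(o)

def read(s: str, o: Obj) -> bool:
    """Mediate a read; on success record it in PR(s) unless sanitized."""
    if not can_read(s, o):
        return False
    if not o.sanitized:                      # sanitized reads do not build the wall
        PR.setdefault(s, set()).add(o)
    return True

def anthony_scenario() -> dict:
    """Replay the slides' temporal example; returns each access decision."""
    PR.clear()
    boa = Obj("BoA report", "Bank of America", "Bank")
    citi = Obj("Citibank report", "Citibank", "Bank")
    citi_pub = Obj("Citibank press release", "Citibank", "Bank", sanitized=True)
    shell = Obj("Shell report", "Shell Oil", "Gasoline")
    return {
        "read BoA": read("Anthony", boa),                    # PR empty: granted
        "read BoA again": read("Anthony", boa),              # same CD: granted
        "read Citibank": read("Anthony", citi),              # same COI, other CD: denied
        "read Citibank sanitized": read("Anthony", citi_pub),  # condition 3: granted
        "read Shell": read("Anthony", shell),                # other COI: granted
        "read Citibank later": read("Anthony", citi),        # wall is permanent: denied
    }

if __name__ == "__main__":
    for step, ok in anthony_scenario().items():
        print(f"{step:24} -> {'granted' if ok else 'denied'}")
```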

This note was uploaded on 02/08/2012 for the course ITT 650 taught by Professor Dewey during the Spring '11 term at UNC Asheville.
