Tuesday, 12 March 2013

Paper reviews

Reviewed 4 papers.

A paper reviewed: Kayem, A.V.D.M., "On monitoring information flow of outsourced data," Information Security for South Africa (ISSA), 2010, pp. 1,8, 2-4 Aug. 2010
doi: 10.1109/ISSA.2010.5588602
Key Ideas/Contributions:
- Prevents authorised users from illegal data exchange
- Uses an invisible digital watermark which is a hash of the encrypted data and key.
- Hash of the user’s role key and the data hash are compared before enabling data access.
- Keeps data secure from unauthorised users and the service provider

- Neat paper structure, especially the first two sections
- Prevents authorised users from transferring data to unauthorised users even when fully decrypted.
- Doesn’t give the data owner full control, such as how data is to be viewed, how many copies can be made, etc.

Paper reviewed: Qihua Wang and Hongxia Jin. 2011. Data leakage mitigation for discretionary access control in collaboration clouds. In Proceedings of the 16th ACM symposium on Access control models and technologies (SACMAT '11). ACM, New York, NY, USA, 103-112. DOI=10.1145/1998441.1998457 http://doi.acm.org/10.1145/1998441.1998457
Key Ideas/Contributions
  • Provides a controlled SaaS collaboration environment for collaboration and information sharing between different organisations
  • Uses the idea of mandatory access control policies (MAC Policy) to control data sharing among different organisations based on the organisation's code-of-conduct and non-disclosure agreements (NDA)
  • Users also have a list of contacts from which they can select users to share information with. Provided the contact satisfies the MAC Policy conditions, users can share information with other organisations without fear of accidentally leaking information to an unauthorised organisation.
  • Users may also accidentally make typos when sharing data and hence accidentally leak information to unauthorised users which may cost organisations. The solution contains a recommender algorithm which checks whether the selected user is relevant to the data based on keyword strength and if not warns the user and suggests a better candidate from the user's contacts.
  • Neat paper structure
  • Data access control mainly from business perspective
  • Business users can share data without worrying about breaking code-of-conduct and MAC Policies.
  • MAC Policies also prevent users sharing data outside the perimeter of the authorised organisation(s).
  • Solution helps prevent users from making typos when entering user names for sharing. It issues warnings and suggests the likely user based on the likelihood of data interest of that user.

  • Policies are not fine-grained enough. Does not control access based on roles, only on organisations.
  • Only protects honest users from leaking information by mistake. A malicious user may create fake keywords and share data maliciously with whoever.
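
An added sketch of the two checks summarised above (not code from the paper or from this blog): a mandatory organisation-level policy check, followed by a keyword-relevance recommender that warns on an unlikely recipient and suggests a better contact. The policy table, contacts, scoring rule and threshold are constructed assumptions.

```python
import re

# Constructed MAC policy: organisations each organisation may share with.
MAC_POLICY = {"acme": {"acme", "globex"}}

# Constructed contact list: organisation plus keyword weights for the
# topics each contact has worked on (hypothetical data).
CONTACTS = {
    "alice.wong@globex.example": {"org": "globex",
                                  "keywords": {"merger": 3, "valuation": 2, "audit": 1}},
    "alice.wang@globex.example": {"org": "globex",
                                  "keywords": {"catering": 2, "travel": 1}},
    "bob@initech.example": {"org": "initech", "keywords": {"merger": 5}},
}

RELEVANCE_THRESHOLD = 2  # assumed cut-off below which a warning is issued


def relevance(contact, text):
    """Sum the contact's keyword weights over the distinct words in the text."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    return sum(w for kw, w in CONTACTS[contact]["keywords"].items() if kw in words)


def check_share(sender_org, recipient, text):
    """Return (decision, suggestion); decision is 'deny', 'warn' or 'allow'."""
    allowed_orgs = MAC_POLICY.get(sender_org, set())
    # Mandatory check first: the user cannot override it.
    if recipient not in CONTACTS or CONTACTS[recipient]["org"] not in allowed_orgs:
        return "deny", None
    score = relevance(recipient, text)
    if score >= RELEVANCE_THRESHOLD:
        return "allow", None
    # Low relevance: suggest the best contact that also satisfies the policy.
    candidates = [c for c, info in CONTACTS.items()
                  if info["org"] in allowed_orgs and c != recipient]
    best = max(candidates, key=lambda c: relevance(c, text), default=None)
    if best is not None and relevance(best, text) <= score:
        best = None
    return "warn", best
```

With a document about a merger valuation, picking `alice.wang` by mistake yields a warning that suggests `alice.wong`; `bob` has the strongest keyword match but is never suggested because his organisation fails the mandatory check.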

A Paper reviewed: Maritza L. Johnson, Steven M. Bellovin, Robert W. Reeder, and Stuart E. Schechter. 2009. Laissez-faire file sharing: access control designed for individuals at the endpoints. In Proceedings of the 2009 workshop on New security paradigms workshop (NSPW '09). ACM, New York, NY, USA, 1-10. DOI=10.1145/1719030.1719032 http://doi.acm.org/10.1145/1719030.1719032
Key Ideas/Contributions

  • Laissez-Faire file sharing is defined by 5 properties - ownership, freedom of delegation, transparency, dependability and minimisation of friction.
  • Most users in an enterprise who have to abide by policies and strict rules on file sharing almost always subvert them, sharing files through email attachments, USB, etc. instead of the organisation's file sharing system, as it was too limiting and not as convenient.
  • Email attachments deprive the data owner of the ability to permanently delete files, to prevent readers from forwarding data to others, and to prevent others from working on and modifying the data.
  • Highlights the need for a controlled data sharing environment
  • Highlights the reality that many people find other ways to share data (e.g. email attachments, USB) when data sharing laws are too restrictive
  • Laissez Faire sharing does not prevent re-sharing of data

A Paper reviewed: Burnap, P.; Hilton, J., "Self Protecting Data for De-perimeterised Information Sharing," Digital Society, 2009. ICDS '09. Third International Conference on, pp. 65-70, 1-7 Feb. 2009
doi: 10.1109/ICDS.2009.41
Key Ideas/Contributions
  • Provides access control on machines outside the perimeter of the organisation or enterprise
  • Data remains encrypted throughout its lifetime and can only be decrypted if user has access rights.
  • Access control is applied to parts of the document, so that only certain users have access rights to them. Parts of the document are classified into categories.
  • A subsection of a document may be highly confidential whereas other sections may be publicly available. Traditionally, the whole document would be restricted to those with access rights, limiting the effectiveness and dynamism of collaborative working. The solution allows parts of a document to be protected while others are publicly available, and hence is effective.
  • Access control still stays in place when shared, copied, transferred, and stored on other organisation’s systems.
  • Doesn’t give the data owner control over their data. The data only controls who views it, but doesn’t let the data owner know about any other operations performed on the data, such as tampering or distributing illegal copies. Hence, not enough data control.
