The losses are staggering, and they represent only the incidents currently known to the U.K. government. Although a number of culprits contribute to the number of data breaches, I believe the primary cause may be that enterprises store personal information in many separate databases, so that information must continually be transferred between departments and companies. Conceptually, if a single database held all personal and company information, far less data would need to be stored on individual computers or passed between departments and organisations; only public references to the individuals or companies involved would need to be shared.
However, in such a scenario it would be crucial to ensure that access to this central database is strictly controlled to protect sensitive data.
Third, 'create' rules are used to determine automatically whether authenticated users can associate new information or relationships, together with their accompanying access control rules, with the virtual representation. If no suitable 'create' rule is found that automatically approves the association, the request could be submitted to a manual approval process: the entity that owns the virtual representation is informed that another user wishes to associate new information or a new relationship with it, and can approve or deny the request.
Each entity in the database would have a digital signature (a signing key bound to a certificate) as a means to authenticate itself when accessing the central repository or any other system. Digital signatures would allow customers or end users to create, access and update their information securely, and to govern subsequent access by others to that data or those relationships.
Allowing one entity to associate information with another entity, and to specify the rules that govern subsequent access to that information, provides a replacement for the multitude of existing proprietary databases.
Let's consider two more specific, illustrative examples:
1) An organisation with a website, rather than keeping a local database of users' profile data, would associate any additional 'website-specific' information with the user's virtual representation in the central repository. For example, when the user accesses the Acme Corp. website, his or her digital signature would identify the user without the need to log into the site specifically. Acme's system would then access the central repository to retrieve the information associated with the user's virtual representation. That information would be protected by access control rules ensuring it can be read only by Acme and updated only by the user.
2) Medical information can be associated with an individual's virtual representation. Unlike the website example, the access control rules attached to medical information would prevent the individual from reading, updating or deleting his or her own records. (Although information is associated with an individual's virtual representation, it does not follow that he or she has the right to view or change it.)
Considering access rules based on digital signatures
The problem with the 'pure' digital signature approach is that the access control mechanism, which governs access to individuals' protected information in the central repository, can base its decisions only on information contained in the requester's digital signature, such as his or her identity.
This is sufficient when the potential group of entities accessing the information is small, as in the website example above. There, only the user and Acme have the right to access the information, so the access control rules need only recognise those two identities.
For the medical information example, however, the rules governing who may access and update information are more complicated. It is not simply a matter of recognising the requester's identity. Instead, it may be necessary to distinguish whether the requester is a doctor or a medical assistant, and a rule of that kind cannot be expressed in terms of the identity carried by a digital signature.
Another problem with using digital signatures as the source of information for access control rules is that the information is static: it changes only when the certificate is renewed. Access control rules may need to rely on the most up-to-date information possible, e.g. whether a doctor currently holds a licence to practise.
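To make the rule model in the two examples above concrete, and to show where rules that can test only the signer's identity run out of expressive power, here is a small Go model. It is an added illustration, not code from the article: each entity registers an Ed25519 key with the repository and signs every request, the repository verifies the signature against the key registered for the claimed subject, and the rules attached to an item can do nothing more than list identities. Ed25519 standing in for the certificate-based signatures the article envisages, the entity names (user, acme, dr_jones), the request encoding, and the Pending queue for 'create' requests that no rule approves are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Identity is all a verified signature tells the repository about the requester: the subject
// name bound to the signing key (assumed to be established out of band, e.g. by a certificate).
type Identity string

// IDSet enumerates identities. In the 'pure' digital-signature model this is the only condition
// a rule can express; it cannot say "any currently licensed doctor".
type IDSet map[Identity]bool

// Rule attaches to one piece of information and names who may perform one action on it.
type Rule struct {
	Action  string // "read", "update" or "delete"
	Allowed IDSet
}

// Item is information associated with the virtual representation of Owner.
type Item struct {
	Owner Identity
	Data  string
	Rules []Rule
}

// Request is what the requester signs: who is asking, for what, on which item.
type Request struct {
	Subject Identity
	Action  string
	ItemID  string
}

func (q Request) bytes() []byte {
	return []byte(string(q.Subject) + "\x00" + q.Action + "\x00" + q.ItemID)
}

// Sign produces the requester's digital signature over the request.
func Sign(priv ed25519.PrivateKey, q Request) []byte { return ed25519.Sign(priv, q.bytes()) }

// Repository is the central store of virtual representations (example model, not the article's).
type Repository struct {
	keys    map[Identity]ed25519.PublicKey // registered signing key per entity
	Items   map[string]*Item
	Creates map[Identity]IDSet // 'create' rules: who may associate new items with an owner automatically
	Pending []Request          // associations awaiting the owner's manual approval
}

func NewRepository() *Repository {
	return &Repository{keys: map[Identity]ed25519.PublicKey{}, Items: map[string]*Item{}, Creates: map[Identity]IDSet{}}
}

// Register enrols an entity and hands back the private key it will sign with.
func (r *Repository) Register(id Identity) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	r.keys[id] = pub
	return priv
}

// authenticate checks the signature against the key registered for the claimed subject.
func (r *Repository) authenticate(q Request, sig []byte) bool {
	pub, ok := r.keys[q.Subject]
	return ok && ed25519.Verify(pub, q.bytes(), sig)
}

// Authorize authenticates, then evaluates the item's rules against the only fact a signature gives: identity.
func (r *Repository) Authorize(q Request, sig []byte) (bool, string) {
	if !r.authenticate(q, sig) {
		return false, "signature does not verify for " + string(q.Subject)
	}
	it, ok := r.Items[q.ItemID]
	if !ok {
		return false, "no such item"
	}
	for _, rule := range it.Rules {
		if rule.Action == q.Action && rule.Allowed[q.Subject] {
			return true, "allowed by rule"
		}
	}
	return false, "no rule grants " + q.Action + " to " + string(q.Subject)
}

// Associate applies the 'create' rules: auto-approved associations are stored; others are queued for the owner.
func (r *Repository) Associate(q Request, sig []byte, owner Identity, it *Item) string {
	if !r.authenticate(q, sig) {
		return "rejected"
	}
	if r.Creates[owner][q.Subject] {
		it.Owner = owner
		r.Items[q.ItemID] = it
		return "created"
	}
	r.Pending = append(r.Pending, q)
	return "pending approval by " + string(owner)
}
```

Set up the website example as an item owned by user with a read rule naming acme and an update rule naming user, and the medical example as a record whose rules name only dr_jones; the patient then fails every action on the record, and a request signed with the user's key but claiming to be acme fails before any rule is consulted. Because the action is part of the signed bytes, a signature over a read request resubmitted as an update is also refused. The limitation is equally visible: the only way to admit a second doctor is to add that doctor's name to the IDSet, and nothing in Authorize can ask whether dr_jones's licence is still current, since the signature carries no such fact.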
So it is clear that digital signatures alone would not be sufficient to secure a central repository of sensitive data. The approach does not scale to access by wide-ranging groups of entities, and certainly not to situations where access must be based on dynamic information about an entity rather than on its identity. However, such a secure central repository is possible with richer access control rules. In my next tip, I will discuss the creation and implementation of these rules for virtual representations.
About the author:
Gary Brown has a PhD in Computer Science and has worked in the IT industry for over 18 years in the telecoms and financial services sectors.