As I mentioned in my last tip about the feasibility of the central data repository model, the main limitation in solely using digital signatures to control access to information in a centralised database is that it restricts the complexity of the access rules to listing a set of identities that can read, update and delete data. This approach is not scalable to enable access by a group of diverse users, and is particularly inadequate in situations where access needs to be based on potentially dynamic user information -- such as a doctor's license status or a project manager's involvement with a certain project -- as opposed to one's identity.
For this tip, I will explain the how to prevent data loss by developing in-depth access control rules required to allow a single-database system to function securely and enable a revolution in the way information is securely managed.
Data-access scenarios in the central repository model
As an example, consider the possibility of providing access to an individual's medical records: The access control system may need to identify whether the requestor is a doctor or medical practitioner. This type of access control rule could not be implemented based simply on digital signature identity, because it may be important to define that 'read' and 'update' access to the medical records can only be permitted by registered doctors. How can this access control rule be implemented?
With a centralised repository of information, it is possible to build access control rules that use the information in the repository. Continuing the previous example, let's assume Dr. Jones requests access to Mary Poppins' medical records. The access control rules associated with Mary Poppins' medical records can define a query on the virtual representation of Dr. Jones (i.e. the requesting user) to determine if he is certified by the General Medical Council. This information would have been created by the General Medical Council, and associated with Dr. Jones, with access control rules to allow anyone to read the information, but only the General Medical Council would be able to update or delete it. This means that Dr. Jones cannot forge this credential, and if he were no longer a doctor (i.e. he retires or is struck off), then the General Medical Council could simply delete this credential, which would take immediate effect and prevent him from gaining access.
Payment information and the central repository model
Payment information is currently handled in different ways when completing financial transactions over the Internet. On some websites, credit and debit card details are recorded within a user's website profile. With other websites, this information is instead requested for each new transaction, and isn't locally stored by the website. A third method uses the services of third-party payment processors, such as PayPal, which enable the card details to be hidden from the website.
Using the central repository model, it is possible to record credit and debit card information with an individual's virtual representation with access control rules to ensure that only authorised payment processing organisations can read the information.
To illustrate this scenario, when a user makes an online purchase, the website passes the user's virtual representation ID (or URL) to the payment processor along with the other transaction details. The payment processing organisation can then retrieve the card details from the user's virtual representation, as they will have the appropriate privileges to access the information. As an extra level of validation, the payment processor can communicate with the user via his or her virtual representation, to confirm the transaction. This approach would effectively mean that users no longer need to directly specify their credit or debit card details when purchasing goods or services over the Internet.
The current approach to storing sensitive data, which involves the duplication of personal and corporate information in a multitude of databases, and an increasing number of profiles registered with different websites, cannot persist. It is not scalable and is extremely insecure -- whether based on evidence such as the numerous, well publicised data security breaches of recent years, or simply because the more profiles that a user must maintain, the greater the likelihood that his or her information will eventually be compromised.
Digital signature technology provides a level of assurance that the party making a data request is who they say they are. This is an important pre-requisite in any secure infrastructure. However, it has limitations in the way it can be used to govern general access to information.
Governing access to data with access control rules that relate to information about a requester, as opposed to simply relying on his or her identity, offers greater flexibility and scalability. This type of approach could provide a long-term solution to the types of information security problems entailed by moving data from and storing data in so many different databases, since it removes the need to replicate and transfer data about individuals and companies.
This digital signature-based paradigm meets the business requirements of most organisations by enabling access to common information about entities that is guaranteed to be up to date and consistent, while at the same time providing the capability to record their own specific information against those entities, and ensure that only authorised third parties can access it.
About the author:
Gary Brown has a PhD in Computer Science, and has worked in the IT industry for over 18 years in the telecoms and financial service sectors.