Access to data is becoming ever more conditional, and the retention and disposal of data is becoming ever more regulated. This spans the gamut of government agencies and private industries. Today's technology offers no turnkey solution for the unbounded number of privileges, clearances, and conditions that can be placed on a given blob of data. Solutions must be implemented by the end user and, in many cases, applied manually on a datum-by-datum basis. Such solutions are exemplified by document redaction techniques and by the fact that entire departments are dedicated to implementing document retention policies. Those solutions that are automated are typically implemented in a computing environment that is not secure or, more commonly, are programmed without regard to security because of time constraints, ignorance, or perceived effort and cost.
Access control of information based on user permissions is a fundamental part of most computer software. Microsoft Windows, for example, uses access control lists (ACLs) to control which users can access files and folders on the computer. Most databases enforce access controls on the server login, on databases, and on objects within a database (such as tables). In both cases, the level at which information is controlled extends only to a certain granularity. Windows controls access to a user's files, but not to portions of a file. A typical RDBMS controls access to tables but does not, on its own, provide row-level or cell-level security within a table.
In some scenarios, however, there is a requirement to control access at a more granular level. A list of patients and diagnoses, for example, may be stored in a single file or table. Any one doctor, however, may be permitted to review only the information related to their own patients. In such a case, merely setting an ACL on the file or issuing a GRANT/DENY SELECT on the table will not meet the business requirement. Similar scenarios exist in many environments, including finance, law, government, and military applications, and in consumer privacy requirements.
The typical approach to meeting such requirements in database applications has been to implement the necessary logic in application code. The business logic layer of an n-tier application might apply the filtering, for example; in a two-tier client-server application, the client might do it. This approach may work for users of the application, but the data itself is not secured. A user connecting to the back-end database with a SQL query tool will have unrestricted access to all rows in any table on which they have SELECT permission.
Another common approach, which mitigates the last issue mentioned, is to wrap all data access in stored procedures. Users are denied all permissions on the underlying tables, and are instead given execute permissions on the stored procedures that implement the filtering logic. This approach has its own drawbacks. For example, ad hoc user reporting against such a database is difficult or impossible.
No comparable filtering is available for files. Access control to files on a computer has, up until now, been either all or nothing or, at best, a choice between read-only access and the ability to edit the document.
From the database point of view, what is needed is a way to present the actual tables (or views) to user accounts with the filtering logic applied quickly, accurately, and automatically from within the database itself, based on the identity of the user. In this case, all users might have access to the Patient table, but for each user “SELECT * FROM Patient” returns only the rows that user should see.
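The following is an added example, not code from the original text, showing one way to get the behaviour just described using PostgreSQL's row-level security (RLS). The table, column, role, and patient names are assumptions chosen for illustration. The point to notice is that the filtering predicate lives in the database and is evaluated for every statement, so the same query returns different rows depending on who runs it, whether from the application or from an ad hoc query tool.

```sql
-- Added example (not from the original text): PostgreSQL row-level security
-- applied to the Patient scenario. Role, table, column and patient names
-- are assumptions chosen for illustration.

CREATE ROLE doctors NOLOGIN;
CREATE ROLE dr_garcia LOGIN IN ROLE doctors;
CREATE ROLE dr_okafor LOGIN IN ROLE doctors;

CREATE TABLE patient (
    patient_id  integer PRIMARY KEY,
    full_name   text    NOT NULL,
    diagnosis   text    NOT NULL,
    attending   text    NOT NULL   -- login name of the attending doctor
);

-- Constructed sample data.
INSERT INTO patient VALUES
    (1, 'Ana Lima',  'hypertension', 'dr_garcia'),
    (2, 'Ben Cho',   'asthma',       'dr_okafor'),
    (3, 'Cara Dunn', 'diabetes',     'dr_garcia');

-- The table itself is granted; restriction comes from the policy, not
-- from denying SELECT and hiding the table behind stored procedures.
GRANT SELECT ON patient TO doctors;

-- Enable RLS. With FORCE, even the table owner is subject to the policy.
-- Once RLS is enabled, a row is visible only if some policy allows it.
ALTER TABLE patient ENABLE ROW LEVEL SECURITY;
ALTER TABLE patient FORCE ROW LEVEL SECURITY;

-- A doctor sees a row only if they are its attending doctor. current_user
-- is the role of the session, so the check is made inside the database
-- regardless of which client tool issued the statement.
CREATE POLICY patient_attending_only ON patient
    FOR SELECT
    TO doctors
    USING (attending = current_user);

-- Same query, different callers, different result sets.
SET ROLE dr_garcia;
SELECT * FROM patient;   -- rows 1 and 3 only
RESET ROLE;

SET ROLE dr_okafor;
SELECT * FROM patient;   -- row 2 only
RESET ROLE;
```

Two caveats a practitioner should keep in mind: PostgreSQL superusers bypass RLS entirely, so the application should never connect as one; and a policy only covers the commands it is declared for, so a table that is also updated needs policies FOR UPDATE and FOR DELETE (or FOR ALL), otherwise a user with those privileges could modify rows they cannot read.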
The need for such granular control of data extends well beyond the database into all forms of documents and communications. In the wake of Enron and Arthur Andersen, document retention has not only been increasingly scrutinized by the government and by investors, but has also been extended beyond paper documents to include electronic documents and, in particular, email. There is significant value in an email server that can be integrated with the security features and document retention policies of the data security server.
In the government intelligence community, data materials are organized by classification and by compartment. Classification falls into one of four levels: Unclassified, Confidential, Secret, and Top Secret. The levels are ordered: users with a Top Secret clearance are granted access to Secret, Confidential, and Unclassified materials, but the reverse is not true, so users with a Confidential clearance do not have access to Secret or Top Secret materials. Some material is further organized by compartment, meaning that a user must have explicit authorization for that compartment in addition to the required classification level. The government classifies data by the degree of harm to the security of the United States and its citizens that would result if the data were given to an adversary. Needless to say, the protection of this data must be taken very seriously.
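The level-plus-compartment rule above can be stated precisely as a predicate: a user may read an item if the user's classification level is at least the item's level and every compartment on the item is among the user's compartments. The block below is an added example, not part of the original text, that encodes that predicate in PostgreSQL and uses it as a row-level policy on a document table. The role names, compartment names, and sample documents are constructed for illustration; the clearance table stands in for whatever authoritative source of clearances a real deployment would use.

```sql
-- Added example (not from the original text): classification levels and
-- compartments as an in-database predicate. Roles, compartments and sample
-- documents are constructed for illustration.

CREATE ROLE analyst_a LOGIN;
CREATE ROLE analyst_b LOGIN;
CREATE ROLE analyst_c LOGIN;

-- Ordered classification levels: a higher rank dominates a lower one.
CREATE TABLE classification (
    level text    PRIMARY KEY,
    rank  integer NOT NULL UNIQUE
);
INSERT INTO classification VALUES
    ('UNCLASSIFIED', 0), ('CONFIDENTIAL', 1), ('SECRET', 2), ('TOP SECRET', 3);

-- Each user's clearance level and the compartments they are read into.
CREATE TABLE clearance (
    login        text   PRIMARY KEY,
    level        text   NOT NULL REFERENCES classification(level),
    compartments text[] NOT NULL DEFAULT '{}'
);
INSERT INTO clearance VALUES
    ('analyst_a', 'TOP SECRET',   '{}'),               -- TS, no compartments
    ('analyst_b', 'SECRET',       '{"ALPHA"}'),        -- S, read into ALPHA
    ('analyst_c', 'CONFIDENTIAL', '{"ALPHA","BRAVO"}');-- C, ALPHA and BRAVO

CREATE TABLE document (
    doc_id       integer PRIMARY KEY,
    title        text    NOT NULL,
    level        text    NOT NULL REFERENCES classification(level),
    compartments text[]  NOT NULL DEFAULT '{}'
);
INSERT INTO document VALUES
    (1, 'Public notice',          'UNCLASSIFIED', '{}'),
    (2, 'Field report',           'SECRET',       '{}'),
    (3, 'ALPHA source list',      'SECRET',       '{"ALPHA"}'),
    (4, 'ALPHA/BRAVO assessment', 'CONFIDENTIAL', '{"ALPHA","BRAVO"}');
GRANT SELECT ON document TO analyst_a, analyst_b, analyst_c;

-- The read rule: user level dominates document level AND the document's
-- compartments are a subset of the user's (doc <@ user). SECURITY DEFINER
-- lets the function consult the clearance table without granting the
-- analysts direct read access to it.
CREATE FUNCTION can_read(doc_level text, doc_compartments text[])
RETURNS boolean LANGUAGE sql STABLE SECURITY DEFINER AS $$
    SELECT EXISTS (
        SELECT 1
        FROM clearance u
        JOIN classification ul ON ul.level = u.level
        JOIN classification dl ON dl.level = doc_level
        WHERE u.login = current_user
          AND ul.rank >= dl.rank
          AND doc_compartments <@ u.compartments
    );
$$;

ALTER TABLE document ENABLE ROW LEVEL SECURITY;
ALTER TABLE document FORCE ROW LEVEL SECURITY;
CREATE POLICY need_to_know ON document
    FOR SELECT
    USING (can_read(level, compartments));

-- Expected visibility with the sample data:
--   analyst_a (TS, no compartments): docs 1, 2   (3 and 4 require compartments)
--   analyst_b (S, ALPHA):            docs 1, 2, 3 (4 also requires BRAVO)
--   analyst_c (C, ALPHA+BRAVO):      docs 1, 4   (2 and 3 are SECRET)
SET ROLE analyst_b;
SELECT doc_id, title FROM document ORDER BY doc_id;
RESET ROLE;
```

Note that analyst_a, despite holding the highest clearance, cannot see documents 3 and 4: the compartment check is independent of the level check, which is exactly the "regardless of their classification authorization" rule in the paragraph above. The predicate is also the place to add any further conditions (time windows, citizenship, originator controls) without touching application code.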
The intelligence community is far from the only place where such data is secured and access authorization is required. Many sectors of business are just as concerned, and just as liable for the consequences, should data access be gained by someone without authorization. In healthcare, for example, privacy of and access to patients' records is increasingly regulated.
Companies spend millions of dollars on research and development of new products. That research and the trade secrets that come from the research must be guarded and protected to prevent competitors from taking that research and using it against the company that spent the time and money developing the idea.
One of the primary products of law firms is documents. These documents range from wills to contracts to evidence. Unauthorized access to, or alteration of, such documents can have devastating effects on individuals; they must therefore be given a high degree of protection, which in turn requires strong authentication of the user's identity.