A trust boundary in an electronic network is defined as a region within which all computer systems, their operations, and the data are trusted. Typically, a trust boundary is protected by computer security hardware and software such as firewalls, Virtual Private Networks (VPNs), intrusion detection and prevention systems, data leakage protections, antivirus programs, etc. For example, for an organization, a trust boundary may include an entire data center infrastructure, including computers connected via VPNs. For an individual, a laptop computer could be her trust boundary.
Various mechanisms exist today to facilitate secure communications between trust boundaries. SSL/TLS and IPSec are two examples. These mechanisms are intrinsically point-to-point, thus for many-to-many secure information sharing and collaboration, it will require a worst case “N-squared messy cross-bar” connectivity for all N trust boundaries where every party needs to be able to field electronic communications from every other party. This can become costly and complex.
On the other hand, Web based technologies, and now cloud computing make information sharing and collaboration increasingly cheaper and easier. In essence, this is a central intermediary based hub-spoke communication model. When it comes to secure sharing, this model requires that the central intermediary to be a trusted escrow that must be trusted by all parties across all trust boundaries in the network and that no one in the network will surreptitiously game the system for their own profit.
Such a blind trust hub-spoke model tends to fail due to a range of challenges that include breaches of hub's electronic perimeters, insider attacks, coercion from governments and organized crimes, and other threats to the hub. All indications are that any model that involves conventional electronic security, and is based on a need to trust any central individual or organization to follow the rules, is deeply flawed. This is demonstrated by the fact that even with improvements in technologies for monitoring and protection, the rate of successful intrusions and internal malfeasance is actually rising rapidly.
In present day enterprises, the custodian (typically the hub, the infrastructure service operator/provider in physical possession of the sensitive data) and the curator (typically some spoke, the IT organization that owes and authorizes access to this data) are within the same organization, and most likely within the same legal and compliance domain. Authentication is typically implemented through techniques such as Kerberos and Open ID; authorization is typically through infrastructure such as AD and Security Groups; access control is enforced by the various data containers that include databases, document management systems, and networked file systems. Organizations also leverage PKI and X.509v3 for identity through Smart Cards, SAML/WS-Trust/WS-Federation for single sign-on and federation of authorization. Various technologies and solutions exist for the organization to implement its own Authentication and Authorization, and to federate beyond that organization with business partners and other service providers or service consumers.
When IT infrastructures such as data storage or containers are moved to a hosting service in the cloud, the role of the custodian and curator is separated, where the cloud service provider that is hosting the data is now the custodian of that data, while the curatorship continues to remain in the hands of functionaries within that organization. For legal, compliance and other business IP protection reasons, organizations can't afford the blind trust on the cloud service providers, thus are disinclined to adopt these services, or they demand unlimited liability protection.
In order to solve this problem, the cloud needs to be constrained in function to be only a policy enforcement service that is implementing the exact policy specified by the customer organization and its curator functionary. Furthermore, this new cloud architecture needs to seamlessly integrate, without any significant requirement to modify the existing IT infrastructure, or the existing business process.
Typically for an individual, business or other organization that is regulated, it is an option for them to outsource their IT, but it is not an option for them to outsource their risk. In the case of negligence or maleficence on the part of a service provider (hub), the risks to the individual or organization could be significant. As a consequence, organizations and businesses require significant liability protection from the service provider. This would transfer the risk to the hub, which could exacerbate that organization's own risk since it could be subject to negligence or maleficence on the part of their own employees, or coercion from governments, or intrusions by hackers.
In short, there is no solution existing today that can allow organizations and individuals (curators) to extend the existing IT infrastructures along with the business processes (such as Governance, Risk Management, and Compliance, GRC in short) to the cloud service providers (custodians), across the trust boundaries while a) the data privacy and confidentiality are ensured—custodians can never see the sensitive data nor the policies about how the data can be accessed; b) the visibility into, and the control over access to, or modification of the data are fully retained by the curators; and c) multiple curators across trust boundaries can collaborate and share the sensitive data through the custodians.
There is a need for systems, methods and apparatuses that address the above-listed requirements in cloud computing, and provide a trustworthy workflow across trust boundaries between parties.
A trustworthy workflow is defined as a cryptography-based mechanism that enables all parties to securely communicate across trust boundaries through the central intermediary (the hub), without the hub ever being able to access the data, nor the data access policies. All end-points in such a workflow can count on the same degree of trustworthiness of a point-to-point secure communications supported by protocols such as SSL/TSL and IPSec, as described before.
In addition, for a geo-distributed solution, there are technical, geo-political or legal reasons why a single trustworthy hub would not be sufficient. The technical reasons might include performance; the geo-political reasons might include governments that desire to suppress collaboration or commerce for sovereign reasons; the legal reasons might include the inefficiency of settlement, reconciliation, litigation and arbitrage across distinct legal boundaries. For that reason, it is necessary to have a federation of trustworthy hubs in disparate regions that can collaborate to provide the same trustworthiness, but with a greater degree of resilience, lower latencies and higher scale.
It is desirable to have methods, systems and apparatuses for monitoring and controlling access to an electronic content.