
Hitachi ID Systems Blogs

Posts Tagged ‘privacy compromise’

Advanced search in an IAM system: a privacy threat

Monday, September 15th, 2014

XKCD posted an amusing comic about the intersection of SQL and data privacy a while ago, here – xkcd.com/1409/.

This is interesting in that it highlights the threat to privacy posed by an innocuous-seeming search feature. Never mind the SQL syntax in the comic – imagine that you can search for users whose ‘scheduled term date’ is in the next 30 days, or whose ‘most recent performance review’ was a low grade. Even if the IAM system refuses to show you the values of those fields, the presence or absence of a user in a search result set would compromise privacy and possibly corporate security.

What to do?

You have two options:

  • Eliminate search on sensitive attributes entirely; or
  • Ensure that the IAM system filters out search results which were included on the basis of the values of sensitive attributes.

I imagine that most IAM products and deployments out there opt for the former. You can’t search on ‘scheduled term date’ and the like. That’s fine – it’s safe, I guess, but it’s also extremely limiting. What if, as a manager, I want to run that query and see which of my subordinates, some of whom are contractors, are about to reach the end of their work term? I might then wish to request extensions for some of them, because their projects are still active. Alternately, I might request to turn some contractors into employees.

In other words, simply refusing to search on these things is not a satisfactory solution – it leaves out too much useful functionality.

That brings us to the second option: build a search engine smart enough to figure out that a given record should not be included in the result set, because this particular requester should not be able to see the sensitive attribute value for this particular user. That’s hard, but it creates much more value for the end user.
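To make the second option concrete, here is an added Python sketch (not Hitachi ID’s code): a record is returned only if it matches the query and the requester is allowed to read every attribute the query conditioned on for that record. The authorization rule (sensitive attributes visible only to the user’s own manager), the sample directory and the requester names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Attributes whose values, and hence whose presence in a hit list, are private.
SENSITIVE = {"scheduled_term_date", "last_review_grade"}

@dataclass
class User:
    uid: str
    manager: str   # uid of this user's manager
    attrs: dict

def can_view(requester: str, user: User, attr: str) -> bool:
    """Constructed rule: anyone reads non-sensitive attributes; sensitive ones only the manager."""
    return attr not in SENSITIVE or user.manager == requester

def naive_search(users, predicates):
    """The leaky behaviour: match on any attribute and return every hit."""
    return [u.uid for u in users
            if all(p(u.attrs.get(a)) for a, p in predicates.items())]

def filtered_search(requester, users, predicates):
    """Option two: drop any hit whose inclusion depends on an attribute the
    requester may not read for that record, so membership reveals nothing."""
    hits = []
    for u in users:
        if not all(p(u.attrs.get(a)) for a, p in predicates.items()):
            continue
        if all(can_view(requester, u, a) for a in predicates):
            hits.append(u.uid)
    return hits

# Constructed sample directory; TODAY is pinned so the example is deterministic.
TODAY = date(2014, 9, 15)
USERS = [
    User("bob",   "alice", {"dept": "eng", "scheduled_term_date": TODAY + timedelta(days=10)}),
    User("carol", "alice", {"dept": "eng", "scheduled_term_date": TODAY + timedelta(days=90)}),
    User("erin",  "dave",  {"dept": "eng", "scheduled_term_date": TODAY + timedelta(days=5)}),
]

def terms_within(days):
    """Predicate factory: scheduled term date falls within the next `days` days."""
    return lambda d: d is not None and TODAY <= d <= TODAY + timedelta(days=days)

def demo():
    """Same query run naively, then as manager alice, then as manager dave."""
    q = {"dept": lambda v: v == "eng", "scheduled_term_date": terms_within(30)}
    return naive_search(USERS, q), filtered_search("alice", USERS, q), filtered_search("dave", USERS, q)
```

The naive search tells alice that erin (not her report) is terminating soon; the filtered search returns only her own report bob, and a requester who manages nobody gets an empty set regardless of anyone’s term date.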

This is the approach we opted for at Hitachi ID. Hopefully our customers like it. ;-)

XKeyscore

Wednesday, July 31st, 2013

Just read the latest bit from our friend Mr. Snowden:

The Guardian

Interesting slides. Some thoughts:

  • This is an internal training deck, from 2008.
  • It shows full data capture – emails, VPN connections and more — in many countries around the world.
  • Data remains local — it’s not practical to feed all this stuff back to the US. Sensible architecture.
  • Interesting to see which countries are collaborating with the NSA on this kind of snooping and which are not.
  • This is from 2008. Imagine how much more they can do today!
  • Not snooping on US citizens/residents? Yeah, right.
  • Cool to see that Canada (where I live) is not on the list of cooperating states.
  • They claim ability to decrypt VPN traffic. I wonder how that’s done? Is there some secret key leakage/disclosure going on in popular VPN client packages? This may be the most worrying bit in the presentation.
  • They claim 300 terrorists arrested using this platform. If true, and if they have convictions, this would go a long way towards justifying the whole thing. Privacy invasion to support theoretical security is one thing. To support concrete security results is something else again.

Bottom line: if they are actually putting away real terrorists with this stuff (as claimed) and are basically doing pattern match searches (almost certainly true), I’m not sure this is all that bad for my privacy or that of any other “honest citizens” — seems like a reasonable program, on that basis.

Just my $0.02. Let the flame war begin. :-)

– Idan
