Security Guide

Semantic Security

Security is a very difficult problem—and risks grow larger every year. Not only do we have cheaper, faster computers (remember Moore’s Law), we also have more data, more systems for reporting and querying that data, and easier, faster, and broader communication. We have organizational data in the cloud that is not physically under our control. All of these combine to increase the chances that private or proprietary information is inappropriately divulged.

Access security is hard enough: How do we know that the person (or program) who signs on as Megan Cho really is Megan Cho? We use passwords, but files of passwords can be stolen. Setting that issue aside, we need to know that Megan Cho’s permissions are set appropriately. Suppose Megan works in the HR department, so she has access to personal and private data of other employees. We need to design the reporting system so that Megan can access all of the data she needs to do her job, and no more.

Also, the delivery system must be secure. A BI server is an obvious and juicy target for any would-be intruder. Someone can break in and change access permissions. Or a hacker could pose as someone else to obtain reports. Application servers help the authorized user, resulting in faster access to more information. But without proper security reporting, servers also ease the intrusion task for unauthorized users.

All of these issues relate to access security. Another dimension to security is equally serious and far more problematic: semantic security. Semantic security concerns the unintended release of protected information through the release of a combination of reports or documents that are independently not protected. The term data triangulation is also used for this same phenomenon.

Take an example from class. Suppose I assign a group project, and I post a list of groups and the names of students assigned to each group. Later, after the assignments have been completed and graded, I post a list of grades on the Web site. Because of university privacy policy, I cannot post the

Source: Freshidea/Fotolia
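
The definition of semantic security above can be turned into a pre-release check; this is an added example, not part of the original text. It joins two reports that are each harmless alone and lists the people whose protected value becomes attributable. The report layouts, names, salaries, the function name `linkable_disclosures` and the threshold `k` are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample reports (not from the page). Neither one alone pairs a
# name with a salary: the first has no salaries, the second has no names.
DIRECTORY = [
    {"name": "A. Rivera", "dept": "Payroll"},
    {"name": "B. Chen", "dept": "Recruiting"},
    {"name": "C. Haddad", "dept": "Recruiting"},
    {"name": "D. Okafor", "dept": "Benefits"},
    {"name": "E. Lindqvist", "dept": "Benefits"},
]
SALARIES = [
    {"dept": "Payroll", "salary": 61000},
    {"dept": "Recruiting", "salary": 52000},
    {"dept": "Recruiting", "salary": 64000},
    {"dept": "Benefits", "salary": 55000},
    {"dept": "Benefits", "salary": 55000},
]

def linkable_disclosures(identified, deidentified, id_col, protected_col, k=2):
    """List (identity, candidate protected values) pairs that become
    attributable once the two reports are joined on their shared columns."""
    if not identified or not deidentified:
        return []
    shared = sorted((set(identified[0]) & set(deidentified[0])) - {id_col, protected_col})
    if not shared:
        return []  # no common column, so these two reports cannot be linked
    people, values = defaultdict(set), defaultdict(set)
    for row in identified:
        people[tuple(row[c] for c in shared)].add(row[id_col])
    for row in deidentified:
        values[tuple(row[c] for c in shared)].add(row[protected_col])
    exposed = []
    for join_key, ids in people.items():
        vals = values.get(join_key)
        if not vals:
            continue
        # Attributable when fewer than k people share the key (small group),
        # or when everyone under the key has the same value (homogeneity).
        if len(ids) < k or len(vals) == 1:
            exposed.extend((person, sorted(vals)) for person in ids)
    return sorted(exposed)

if __name__ == "__main__":
    for person, candidates in linkable_disclosures(DIRECTORY, SALARIES, "name", "salary"):
        print(f"hold release: {person} -> salary in {candidates}")
```

Raising `k` tightens the check: with `k=3` the two-person Recruiting group is flagged as well, because each member can infer the other's salary by elimination.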