Ravi Sandhu, The Secure Information Sharing Problem and Solution Approaches

The secure information sharing problem is one of the oldest and most fundamental and elusive problems in information security. Mission objectives dictate that Information must be shared and made available to authorized recipients, and yet information must be protected from leakage and subversion by malicious insiders and malicious software. The doctrine of "share but protect" indicates the inherent conflict in achieving effective secure information sharing. In this talk we demonstrate the complexity and richness of the secure information sharing problem space. We then identify some "sweet spots" that appear promising in their practical benefit and feasibility of solutions. We describe the PEI models approach to decompose security problems into the three layers of policy models (topmost), enforcement models (middle), and implementation models (bottom). We discuss how this approach can be applied to the secure information sharing problem. Finally we indicate how modern trusted computing technology can be used to solve important variations of this problem. About the speaker: Dr. Ravi Sandhu earned B.Tech. and M.Tech. degrees from IIT Bombay and Delhi respectively, and M.S. and Ph.D. degrees from Rutgers University. He is a Fellow of ACM and IEEE, and recipient of the IEEE Computer Society Technical Achievement Award. His research has focused on information security, privacy and trust, with special emphasis on models, protocols and mechanisms. His doctoral work on safety and expressive power of access control was further developed by him culminating in the Typed Access Matrix in 1992. In collaboration with Prof. Jajodia, he analyzed and reconciled confidentiality and integrity in multilevel secure databases. In 1993 he showed that Chinese Wall separation of duty policies were instances of information flow. In 1996, along with industry colleagues, he published the seminal paper on role-based access control which evolved into the 2004 NIST/ANSI standard RBAC model. In 2002, with Jaehong Park, he introduced the Usage Control model for next-generation access. Other recent activities include Information Sharing models and implementations using Trusted Computing, and the PEI (policy, enforcement and implementation) layered models method for synthesizing secure systems. Ravi has published over 160 technical papers on information security, has received over 30 research grants and has graduated 12 PhD's in his career.Ravi is the founding editor of the Synergy Lecture Series on Information Security, Privacy and Trust. Earlier, he was the founding editor-in-chief of the ACM Transactions on Information and Systems Security (TISSEC), from 1997 to 2004. He was Chairman of ACM SIGSAC from 1995 to 2003, and founded and led the ACM Conference on Computer and Communications Security and the ACM Symposium on Access Control Models and Technologies to high reputation and prestige. He served as the security editor for IEEE Internet Computing from 1998 to 2004. In 2000 Ravi Sandhu co-founded the company now known as TriCipher and continues to serve as its Chief Scientist. He is the principal security architect of the TriCipher Armored Credential System. He is an inventor on eight security technology patents and has over fifteen patents pending. He is also the principal architect of the M.S. and Ph.D. programs in Information Security and Assurance at George Mason University.