Collaborative End-to-end Enforcement of Fine-grained Information Sharing Policies in Distributed Systems

Author

  • Nikhil Swamy
Abstract

Executive Summary. Reliable and timely sharing of information across a community of collaborating principals is an integral part of Microsoft's vision of the "new world of work" [30]. Examples of Microsoft's investment in this vision abound. For one, SharePoint specifically aims to share information assets across teams, departments, and organizations while maintaining IT control. Tools like OneNote allow information from disparate software applications to be conveniently aggregated in a form that can be shared across a community of users. Longer-range initiatives like HealthVault target the sharing of patient medical records across a wide array of organizations, ranging from hospitals and insurance providers to employers and the patients themselves. Microsoft's partnership with consortiums like the Trans-global Secure Collaboration Program aims to build a platform for multinational secure information sharing between government and industry. Despite its prevalence, widespread information sharing is, clearly, a two-edged sword. While ready access to relevant information can make a collaboration more effective, uncontrolled sharing of digital assets raises many security concerns, e.g., the unintended dissemination of HealthVault records can compromise a patient's privacy. This paper describes work currently underway that has as its goal the formal verification of security properties for distributed information-sharing applications. Our work applies to the setting where principals have incentives (such as legal contracts) to abide by the security policies placed by data custodians. In this setting, we wish to make it possible for principals to collaborate with each other (e.g., by sharing security-critical software) and enforce a system-wide security policy with a high degree of assurance. We aim to address a number of concerns. As a first measure, we control information sharing by protecting resources by a formally specified claims-based access-control policy.
Going further, we also address the specification and enforcement of usage-control policies so that a custodian of a resource can retain some control over how a resource is used after access has been granted, e.g., to prevent further dissemination of data. In order to promote as much information sharing as possible without compromising security, policies are applicable at a fine granularity, e.g., it will be possible to apply security controls to small fragments of documents rather than only to entire documents. As the number of data sources grows, keeping track of data dependences becomes important—both for enforcing security policies as well as assisting users with making sense of complex data sets. We aim to provide principled ways of …


Similar resources

DisTriB: Distributed Trust Management Model Based on Gossip Learning and Bayesian Networks in Collaborative Computing Systems

The interactions among peers in Peer-to-Peer systems as a distributed collaborative system are based on asynchronous and unreliable communications. Trust is an essential and facilitating component in these interactions, especially in such uncertain environments. Various attacks are possible due to the large-scale nature and openness of these systems that affect the trust. Peers have not enough inform...


On Predictable Operating System Protocol Processing

Distributed continuous media applications that incorporate digital audio and video require predictable response from the operating system and the network. Much recent research in communication networks focuses on providing predictable service at the network level, but current operating systems do not typically provide end-to-end predictability. Our aim is to offer operating system support for p...


Secure Information Sharing in a Virtual Multi-Agency Team Environment

This paper proposes a two-tier RBAC approach for secure and selective information sharing among a virtual multi-agency response team (VMART) and allows expansion of the VMART by admitting new collaborators (government agencies or NGOs) as the need arises. A coordinator Web Service for each member agency is proposed. The coordinator Web Service is responsible for authentication, information disseminatio...


Improving Data Security in Crypto-based Data Sharing with Third Party Auditing

The encryption standard provides key assumption to the analytical with the recent adoption and diffusion of the data sharing paradigm in distributed systems such as online social escrow problem. The key generation center could decrypt any messages addressed to specific users networks or cloud computing, there have been increasing demands and concerns for distributed data security. One of the mo...



Publication date: 2009