One of the oldest and most challenging problems in cyber security is to enable secure information sharing (SIS) (i.e., maintaining some control over information even after it has been shared.) For example, a product manufacturer may need to share customer account information with a company that ships the products and bills the customers. The manufacturer cannot allow its partner to then misuse those customer records by direct marketing or selling customer records. This project focuses on the policy challenge of specifying, analyzing and enforcing SIS policies. The project is developing intuitive, usable, and mathematically sound models that can be used by organizations to specify and enforce SIS policies.
This project focuses on specifying, analyzing and enforcing group-centric secure information sharing (g-SIS) policies. The researchers are developing a theory of multiple, connected groups based on relationships such as subordination, conditional membership and mutual exclusion, with broad, real-world application. The approach separates policy layer specifications from enforcement layer specifications, and develops varying levels of formal consistency metrics between the two with respect to authorization decisions. The research team is working with organizations to prototype and use the information sharing platform in ongoing community cyber incident information sharing efforts.
|