views:

150

answers:

2

Hi, I am building an application with health information inside. This application will be consumer-facing, which is new for me. I would like a method to put privacy concerns completely at ease. As I review methods for securing sensitive data in publicly accessible databases I have frequently come across the notion of database translucency. There is the original book on the subject and an excellent tutorial on the subject from O'Reilly Net.

My concern is that I have seen very little information regarding this idea on what I would consider very modern programming sites (like this one). There does not seem to be an article about the idea on Wikipedia, no questions on the subject here, and no very recent tutorials or articles on the subject. To be uber-brief, the idea is that certain data is clear to some users of the system, while other users are cryptographically prevented from accessing that data, even if they have administrator access.

I have done substantial work on a prototype database that provides translucent data access. I have run across a considerable problem: to be truly translucent, there can be no mechanism for password recovery. If an administrator can reset a user's password, then they can briefly gain access to that user's data. To be truly translucent, the user must never lose the password.

Those of us who use strong encryption to protect private data in our daily lives (technorati to be sure) are used to this problem when using these kinds of strong encryption systems. If the word "blowfish" is part of your daily lexicon that is one thing, but a website that is consumer-focused? I am concerned that users will not be willing to wrap their minds around the "truly encrypted just for you" notion implicit in true database translucency. I am afraid of the support call that begins with "I lost my password" and ends with me saying "There is nothing that I can do for you".

My question: Should I implement this method in my application? Are there other open source applications that have gone down this route that I can compare database designs with (esp. using PHP/MySQL)? Is anyone else pursuing these kinds of truly secure, but really inconvenient, feature sets? Is there another database security model that is more popular and modern that I have missed? Was database translucency a fad or a legitimate database design method that I should embrace? While I always appreciate discussion, I would prefer objective answers that I can leverage in my design.

+1  A: 

Re: translucent databases. You could, I suppose, use fingerprints. What about burn victims, or people who end up losing their fingerprints? Oops. Is it worth that small percentage of users?

Familiarize yourself with HIPAA, especially when it comes to technology. Remember that no system is truly secure, except Skynet*, and look what happened with that! Humans are in charge. When you work in a medical company, you sign an NDA indicating that you won't release any of the information you learn as part of your duties because it is confidential. There will be someone to reset people's passwords. That's the way it is, because not everyone is technologically competent, and that's the way it stays for now. You only have to implement security as well as HIPAA says.

  • in truth, there is another truly secure system: it is unplugged from both the network and the electricity, and it is turned off.
Trevoke
I shudder to think of a system that is unplugged from the network and the electricity, but is still on.
yodaj007
I was thinking of a laptop, but the image of a sentient computer crossed my mind.
Trevoke
If there is still someone who thinks a computer that is unplugged from the network is secure, they probably haven't yet seen these guys: http://lasecwww.epfl.ch/keyboard/
ercan
This application is consumer facing and therefore not covered by HIPAA. So that advice is largely worthless. Beyond that... you have not answered the question.
ftrotter
My short answer is 'Do not implement this'.
Trevoke
+1  A: 

Should I implement this method in my application? Well, like other things in life, there is a trade-off :) It's probably more secure but harder to build.

Are there other open source applications that have gone down this route that I can compare database designs with (esp using php/MySQL)?

Don't know, I guess the tools are there to do it yourself :)

Is anyone else pursuing these kind of truly secure, but really inconvenient feature sets?

Yes, but it seems like it's still in an immature state, like your problem you describe concerning lost passwords.

Is there another database security model that is more popular and modern that I have missed?

Basically there are two kinds of database connections. One option gives users a real database account, the other is to use single sign-on to the database. Prior to the web coming along, there were proponents of both models in the client/server world, but amongst web developers the single sign-on method is leading.

Was database translucency a fad or a legitimate database design method that I should embrace?

Don't think so; the UNIX password database, for instance, is a great example of a basic translucent database ;)

Here is something to read: link text

R van Rijn
Excellent point regarding the UNIX password database. Do you have more information on the "single sign-on" issue you mentioned? Thanks, -FT
ftrotter
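The following is an added example, not code from the question or from either answer. It models the translucent design the question describes (per-user data encrypted under a key derived from the user's password, so a DBA sees only ciphertext) together with the point made above that the UNIX password file is already translucent (the server stores a one-way verifier, never the password). It also demonstrates the lost-password failure mode the question worries about: an administrator can replace the verifier and let the user log in again, but the old record stays unreadable. The cipher is an assumption for the sake of a stdlib-only script: an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, standing in for what would be AES-GCM in production. The table, user names and record contents are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Added example (not from the original post). One row per user holds a
# random salt, a password *verifier* (the /etc/shadow idea), and the user's
# record encrypted under a key that only the password can regenerate.
DB = {}

PBKDF2_ITERATIONS = 200_000  # cost parameter; tune for your hardware


def _keys(password: str, salt: bytes) -> dict:
    """Stretch the password once, then split it into three independent keys.
    The stored verifier is one of them; knowing it does not yield the
    encryption or MAC key, so a database dump alone cannot decrypt anything."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {p: hmac.new(master, p, "sha256").digest() for p in (b"verify", b"encrypt", b"mac")}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # ASSUMPTION: HMAC-SHA256 in counter mode as a stand-in for a real stream cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def _seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def _open(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; a wrong key fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def store_record(user: str, password: str, plaintext: bytes) -> None:
    salt = secrets.token_bytes(16)
    k = _keys(password, salt)
    DB[user] = {
        "salt": salt,
        "verifier": k[b"verify"],
        "record": _seal(k[b"encrypt"], k[b"mac"], plaintext),
    }


def read_record(user: str, password: str) -> bytes:
    """Authenticate with the verifier, then decrypt with the password-derived key."""
    row = DB[user]
    k = _keys(password, row["salt"])
    if not hmac.compare_digest(k[b"verify"], row["verifier"]):
        raise PermissionError("bad password")
    return _open(k[b"encrypt"], k[b"mac"], row["record"])


def admin_reset_password(user: str, new_password: str) -> None:
    """Everything an admin *can* do: install a new salt and verifier so the
    user can log in again. The record keeps its old key and is now lost."""
    row = DB[user]
    salt = secrets.token_bytes(16)
    row["salt"], row["verifier"] = salt, _keys(new_password, salt)[b"verify"]


def demo() -> tuple:
    """Returns (plaintext read by the user, state of the record after an admin reset)."""
    store_record("alice", "correct horse", b"dx: hypertension")  # constructed sample
    before = read_record("alice", "correct horse")
    admin_reset_password("alice", "temp1234")
    try:
        read_record("alice", "temp1234")  # login succeeds, decryption cannot
        after = "readable"
    except ValueError:
        after = "unreadable"
    return before, after


if __name__ == "__main__":
    print(demo())
    print(b"hypertension" in DB["alice"]["record"])  # ciphertext only in the row
```

The row never contains the plaintext or the encryption key, which is the translucent property; the price is exactly the support call the question fears, since after `admin_reset_password` the only copy of the key material was in the user's head. A production version would replace the HMAC keystream with an AEAD such as AES-GCM and could add a user-held recovery key, but any server-side recovery path reintroduces the administrator's access the design is meant to exclude.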