In my previous blog posting I
discussed the applicability of information flow model (IFM) for assessing
security and privacy policies of biometric systems. Implementing this model
requires the ability to monitor exchange of content between hosts, which can be either on internal or external networks. Once implemented the IFM can be
used for:
- testing compliance of information exchange policies for biometric information
- monitoring information flow path of biometric information
- detecting unauthorized leakage of biometric
Recently I had an opportunity to use Fidelis XPS, which is designed and used for malware threat detection
and prevention. One of the core product capabilities allows a user to setup a
rule for detecting string patterns in the information being exchanged between
two hosts. If the rule detects presence of the string pattern in any
information flowing between two hosts then an alarm is generated and further preventive
action can be taken. To test the functionality of monitoring biometric
information flow between two hosts I downloaded INCITS 378 dataset from the NIST website consisting
of standardized finger minutiae templates. All templates conforming to this
standard have the string “FMR” embedded in it, and a rule was setup to detect any
files with this string pattern in it.
The files were downloaded in gzip
format over HTTP and Fidelis XPS successfully detected
100% of the files. Although this was quite a simple experiment it highlights
existing technical capabilities for creating and implementing information flow
models. Such products can also be deployed to prevent leakage of personally identifiable information to unauthorized recipients.
There are a few challenges that need to be addressed for a comprehensive IFM, including : language for expressing exchange policies, getting buy-in from all entities in the ecosystem, and automating enforcement of policies.
There are a few challenges that need to be addressed for a comprehensive IFM, including : language for expressing exchange policies, getting buy-in from all entities in the ecosystem, and automating enforcement of policies.
Comments and discussions are welcome!