Unraveling the Quandary of Access Layer versus Storage Layer Security

Written by

With horizontal standards such as the General Data Protection Regulation (GDPR) and vertical mandates like the Fair Credit Reporting Act increasing in scope and number, information security is impacted by regulatory compliance more than ever. 

Organizations frequently decide between concentrating protection at the access layer via role-based security filtering, or at the storage layer with methods like encryption, masking, and tokenization.

The argument is that the former underpins data governance policy and regulatory compliance by restricting data access according to department or organizational role. However, the latter’s perceived as providing more granular security implemented at the data layer.

The debate is further complicated by the reality that deployed independently, each of these methods has flaws. Skeptics of role-based access methods contend they’re easily undermined by exfiltration or assuming the credentials of an authorized user; critics of encryption related methods cite delayed data access and the presence of third party providers holding the keys as problematic.

The validity of each viewpoint is readily apparent, heightening the need for organizations to redress these shortcomings for trustworthy security and expedient data access flexible enough for regulatory compliance.

A hybrid of access based security and security at the data layer—implemented by triple attributes—can counteract the weakness of each approach with the other’s strength, resulting in information security that Franz CEO Jans Aasman characterized as “fine-grained and flexible enough” for any regulatory requirements or security model.

Security Filtering
The dual mechanism of triple attribute security revolves around using semantic statements known as ‘triples’ to describe data and their access in RDF stores. Triples are extremely adaptive to describe any individual datum—or access requirement for securing it—in a format consisting of a subject, predicate, and object. Thus, triples provide access-based security filtering by denoting which users or departments can view specific data.

This way, triples provide expedient access to data for those with the requisite role or department, which is essential for quick responses to requests from consumers to see personally identifiable information organizations have about them as stipulated in mandates such as GDPR or the California Consumer Privacy Act.

Key-Value Pairs
The security provided by this semantic technology is considerably enhanced by the addition of key-value pairs as JSON objects, which can be arbitrarily assigned to triples within databases. These key-value pairs provide a second security mechanism “embedded in the storage, so you cannot cheat,” Aasman remarked.

The arbitrary nature of key-value pairs rectifies the limitations of only accessing data according to department or user. They’re configurable according to a particular security clearance level, use case, password, or any other determinant organizations believe is necessary for fortifying security.

Moreover, the number of key-value pairs is also arbitrary. Regardless if users can access data according to the security filtering capabilities of triples, they can’t view them if they don’t have the requisite triple attributes according to the key values ingrained in the data layer. Unlike other methods of securing data at the storage layer, this approach doesn’t involve third parties, encryption keys, or delays accessing data. 

Use Cases
The applicability of this amalgamation of access and storage based security is virtually endless and readily realized when devising security models for specific regulatory requirements. The triple attribute approach is particularly efficacious for conforming to the Health Insurance Portability and Accountability Act (HIPPA), for example, which involves strict demands for access to data. Data for certain types of patients, like those with mental health issues, are extremely sensitive.

When implementing HIPPA standards with triple attributes, “even if you’re a doctor, you can only see a patient record if all your other attributes are okay,” Aasman mentioned. In this use case, triple attributes might include security level, medical record number, clinical specialty, and department. Organizations could build a similar security model around the many accords in finance, or for any other regulations. 

In addition to fortifying security models based on regulatory requirements, triple attributes are also a compelling means of reinforcing permissions in Blockchain. Applications such as smart contracts or transactions preserving confidential information between partners hinge on reliable, inviolable permissions. Security filters provide a basic level of security for such permissions, but nuanced triple attributes can significantly reinforce them and the integrity of Blockchain.

Malleable Protection
Triple attribute security allows organizations to simultaneously fortify data at the access and storage layers for comprehensive information security. It’s robust enough to strengthen security in databases, yet flexible enough to provide role-based access, too. These security benefits are redoubled in instances of remote data access utilizing cloud technology and mobile applications.

“We’re talking about a very flexible mechanism where we can add any combination of key-value pairs to any triples, and have a very flexible language to specify how to use that to create flexible security models,” Aasman said.

What’s hot on Infosecurity Magazine?