palantir access control

© 2008 Palantir Technologies Inc. All rights reserved. Palantir Access Control Bob McGrew Director of Engineering

Upload: palantirtech, posted 19-Dec-2014. Category: Design

TRANSCRIPT

Page 1: Palantir Access Control

© 2008 Palantir Technologies Inc. All rights reserved.

Palantir Access Control

Bob McGrew

Director of Engineering

Page 2: Palantir Access Control

Secure Information Integration

Imagine you have two data sources:
– Profiles database
  • Name, address, e-mail address
  • Accessible to all analysts
– E-mail message database
  • Accessible only to a small group A of analysts

Goals
– Allow all analysts to use profiles information for analysis
– Integrate the e-mails with the profiles information for group A
– Analysts who cannot access the e-mail database learn no more than what they could find out from the profiles database

Page 3: Palantir Access Control

Secure Information Discovery

Another scenario:
– Profiles database
  • Name, address, e-mail address
  • Accessible to all analysts
– E-mail message database
  • Accessible only to a small group A of analysts

Goals
– Want to allow analysts not in A access to the e-mail data only if they can show that they need to know it
– Analysts not in A can learn that there is additional information available for a particular profile, but no details

Page 4: Palantir Access Control

Overview

Palantir Access Control
– Guarantees confidentiality, integrity, and auditing
– Enables secure information integration and discovery

In this talk
– Security and Data Models
– Security Guarantees
– Two applications of our guarantees
  • Confidentiality Under Resolution (CUR)
  • Confidentiality Under Discovery (CUD)

Page 5: Palantir Access Control

(Section divider: repeats the Overview slide from Page 4.)

Page 6: Palantir Access Control

Security Definitions

Group
– Set of users
– User can belong to multiple groups

Permissions (ordered)
– Discovery (d)
– Read (r)
– Write (w)
– Ownership (o)

Access Control Item (ACI)
– (Group, Permissions) pair

Access Control List (ACL)
– Set of ACIs

Diagram: ACL 1 = { ACI 101: (Group A, dr), ACI 102: (Group B, drw) }, with Group A and Group B drawn as sets over the users Alice, Bob and Carol.

Page 7: Palantir Access Control

Object Model

Data Source
– Single source of data to Palantir
– Examples: documents, Excel files, databases

Object
– Single entity, event, or document

Property
– Piece of information about an Object

Data Source Record (DSR)
– Ties a Property to a Data Source
– Each Property has one or more DSRs
– Each DSR has an ACL, derived from its Data Source

Diagram: Object (Type = Entity)
– Property Name = “Mike Fikri”
  • DSR with ACL 1, from Data Source profiles.xls
  • DSR with ACL 2, from Data Source email.msg
– Property Age = 32
  • DSR with ACL 2, from Data Source email.msg

Page 8: Palantir Access Control

Security & Data Model

– DSR-centric, not Object-centric
– All sensitive data on Properties
– A Property can be read if any of its DSRs can be read

Diagram: Object (Entity) with Property Name = “Mike Fikri” (DSRs: ACL 1 from profiles.xls, ACL 2 from email.msg) and Property Age = 32 (DSR: ACL 2 from email.msg).

Page 9: Palantir Access Control

Discovery

An organization may want to make sensitive data available only to those who can show that they need to know about it.

– Searches can yield discovery results with only data source name and discovery message
– Objects viewed in the Browser also may have discovery messages

Page 10: Palantir Access Control

Discovery

Each data source has a discovery message
– e.g., “To acquire permission to data from profiles.xls, please contact John Doe.”

Object load
– Removes all DSRs for which the user has only discovery permissions
– For each removed DSR, returns instead the Discovery Message for its Data Source

Search
– Returns a Discovery Message if the query would have matched if the user had read instead of discovery permissions

Page 11: Palantir Access Control

(Section divider: repeats the Overview slide from Page 4.)

Page 12: Palantir Access Control

Security Guarantees

Confidentiality
– Cannot read a Property without read permissions to a DSR
– Cannot read a DSR without read permissions
– Cannot discover the existence of a Property without discovery permissions to a DSR

Integrity
– Cannot edit a Property without write permissions to a DSR
– Cannot change the ACL on a DSR without ownership permissions

Auditing
– Every action is logged and attributed to the user who performed it
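The definitions of Pages 6 to 8 and the integrity and audit guarantees of Page 12, worked through as an added Python example written for this transcript (it is illustrative code, not Palantir's implementation). It keeps the slides' ACL 1 (ACI 101 and ACI 102) and the Mike Fikri object of Page 7; the owner ACI for an "Admins" group, ACL 2's single discovery ACI, the user-to-group assignments and every function name are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import IntEnum

class Perm(IntEnum):
    """Ordered permissions (Page 6): holding one implies every lower one."""
    NONE = 0
    DISCOVERY = 1
    READ = 2
    WRITE = 3
    OWNERSHIP = 4

@dataclass(frozen=True)
class ACI:
    """Access Control Item: (group, permission). Because permissions are ordered,
    'dr' is stored as READ and 'drw' as WRITE."""
    group: str
    perm: Perm

@dataclass
class ACL:
    """Access Control List: a set of ACIs."""
    name: str
    acis: set

@dataclass
class DataSource:
    name: str
    acl: ACL

@dataclass
class DSR:
    """Data Source Record: ties a Property to a Data Source; its ACL is the source's."""
    source: DataSource

    @property
    def acl(self) -> ACL:
        return self.source.acl

@dataclass
class Property:
    name: str
    value: object
    dsrs: list  # one or more DSRs

@dataclass
class User:
    name: str
    groups: set

AUDIT = []  # (user, action, target): every action attributed to its user (Page 12)

def effective(user, acl):
    """Highest permission any of the user's groups holds on this ACL."""
    return max((a.perm for a in acl.acis if a.group in user.groups), default=Perm.NONE)

def can_read(user, prop):
    """DSR-centric rule (Page 8): a Property is readable if ANY of its DSRs is readable."""
    return any(effective(user, d.acl) >= Perm.READ for d in prop.dsrs)

def write_property(user, prop, value):
    """Integrity: no edit without write permission on at least one DSR of the Property."""
    if not any(effective(user, d.acl) >= Perm.WRITE for d in prop.dsrs):
        AUDIT.append((user.name, "write-denied", prop.name))
        raise PermissionError(f"{user.name} may not write {prop.name}")
    prop.value = value
    AUDIT.append((user.name, "write", prop.name))

def add_aci(user, dsr, aci):
    """Integrity: no ACL change on a DSR without ownership permission on that ACL."""
    if effective(user, dsr.acl) < Perm.OWNERSHIP:
        AUDIT.append((user.name, "acl-change-denied", dsr.acl.name))
        raise PermissionError(f"{user.name} does not own {dsr.acl.name}")
    dsr.acl.acis.add(aci)
    AUDIT.append((user.name, "acl-change", dsr.acl.name))

def _allowed(action):
    try:
        action()
        return True
    except PermissionError:
        return False

def demo():
    """Page 6's ACL 1 and Page 7's object, plus assumed ACIs, ACL 2 and group memberships."""
    AUDIT.clear()
    acl1 = ACL("ACL 1", {ACI("Group A", Perm.READ),        # ACI 101: (Group A, dr)
                         ACI("Group B", Perm.WRITE),       # ACI 102: (Group B, drw)
                         ACI("Admins", Perm.OWNERSHIP)})   # assumed owner ACI, not on the slide
    acl2 = ACL("ACL 2", {ACI("Group A", Perm.DISCOVERY)})  # assumed: Group A may only discover e-mail data
    profiles, email = DataSource("profiles.xls", acl1), DataSource("email.msg", acl2)
    name = Property("Name", "Mike Fikri", [DSR(profiles), DSR(email)])
    age = Property("Age", 32, [DSR(email)])
    alice, bob, carol = User("Alice", {"Group A"}), User("Bob", {"Group B"}), User("Carol", {"Admins"})
    owner_aci = ACI("Group B", Perm.OWNERSHIP)
    return {
        "alice_reads_name": can_read(alice, name),  # readable through the profiles.xls DSR
        "alice_reads_age": can_read(alice, age),    # discovery only on ACL 2: not readable
        "bob_reads_age": can_read(bob, age),        # Bob holds nothing on ACL 2
        "alice_writes_name": _allowed(lambda: write_property(alice, name, "M. Fikri")),
        "bob_writes_name": _allowed(lambda: write_property(bob, name, "M. Fikri")),
        "bob_changes_acl": _allowed(lambda: add_aci(bob, name.dsrs[0], owner_aci)),
        "carol_changes_acl": _allowed(lambda: add_aci(carol, name.dsrs[0], owner_aci)),
        "audit_entries": len(AUDIT),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because permissions are ordered, an ACI stores only its highest permission, so the check for any level is a single comparison against the maximum over the user's groups. In the demo Alice reads Name through the profiles.xls DSR but not Age, Alice's write is refused while Bob's is allowed, only Carol (the assumed owner) can change the ACL on the profiles.xls DSR, and each of the four attempts leaves an attributed audit entry.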

Page 13: Palantir Access Control

Untrusted Client

Palantir Security Model makes no assumptions about the client

Security guarantees hold under:
– Normal operation of Palantir Workspace
– Abnormal operation of Palantir Workspace
– Arbitrary calls against our public API

Assumptions:
– Attacker cannot directly connect to database
– Attacker does not have physical access to server

Page 14: Palantir Access Control

Access control by data sources

Access control is based on data sources
– Tied to objects and properties through DSRs

Suppose access controls were per-object
– No fine-grained control
– Cannot perform resolution across data sources

Page 15: Palantir Access Control

(Section divider: repeats the Overview slide from Page 4.)

Page 16: Palantir Access Control

Confidentiality Under Resolution (CUR)

– Two Data Sources: A and B
– Analyst has read access to Data Source A
– Analyst has no access to Data Source B

The following two cases must be indistinguishable
1. Data Source A imported
2. Data Sources A and B imported and resolved together

Page 17: Palantir Access Control

CUR Example: Pre-Resolution

Diagram: two unresolved objects
– Object (Entity) with Property Name = “Mike Fikri” (DSR: ACL 1 from profiles.xls)
– Object (Entity) with Property Age = 32 (DSR: ACL 2 from email.msg) and Property Name = “Mike Fikri” (DSR: ACL 2 from email.msg)

Alice's Permissions
– ACL 1: read
– ACL 2: none

Page 18: Palantir Access Control

CUR Example: Post-Resolution

Diagram: resolved Object (Entity) with Property Name = “Mike Fikri” (DSRs: ACL 1 from profiles.xls, ACL 2 from email.msg) and Property Age = 32 (DSR: ACL 2 from email.msg).

Page 19: Palantir Access Control

CUR Example: Post-Resolution

Alice's Permissions
– ACL 1: read
– ACL 2: none

Diagram: resolved Object (Entity) with Property Name = “Mike Fikri” (DSRs: ACL 1 from profiles.xls, ACL 2 from email.msg) and Property Age = 32 (DSR: ACL 2 from email.msg).

Page 20: Palantir Access Control

Object-Load Satisfies CUR

– Returns readable projection of Object
– No sensitive data directly on the Object (e.g., creation time)
– Randomized IDs

Diagram: resolved Object (Entity) with Property Name = “Mike Fikri” (DSRs: ACL 1 from profiles.xls, ACL 2 from email.msg) and Property Age = 32 (DSR: ACL 2 from email.msg).

Page 21: Palantir Access Control

Search Satisfies CUR

Search terms are indexed with ACLs
– Mike (ACL 1, ACL 2)
– Fikri (ACL 1, ACL 2)
– 32 (ACL 2)

Relevance is computed only over readable fields

Diagram: resolved Object (Entity) with Property Name = “Mike Fikri” (DSRs: ACL 1 from profiles.xls, ACL 2 from email.msg) and Property Age = 32 (DSR: ACL 2 from email.msg).

Page 22: Palantir Access Control

(Section divider: repeats the Overview slide from Page 4.)

Page 23: Palantir Access Control

Confidentiality Under Discovery (CUD)

Searching for a phone number
– Search reveals a discovery-only property matching that query
– No information revealed about what object has that phone number

Viewing the owner of the phone number
– Load reveals a discovery-only property for that object
– No information revealed about the value of the property

Intuition: cannot tie the value of a discovery-only property to the object it is associated with

Page 24: Palantir Access Control

Confidentiality Under Discovery (CUD)

Setting below should be indistinguishable to Alice from the same setting with ages reversed

Diagram:
– Object1 (Entity): Property Name = “John” (DSR: ACL 1 from profiles.xls); Property Age = 33 (DSR: ACL 2 from email.msg)
– Object2 (Entity): Property Name = “James” (DSR: ACL 1 from profiles.xls); Property Age = 44 (DSR: ACL 2 from email.msg)

Alice's Permissions
– ACL 1: read
– ACL 2: discovery

Page 25: Palantir Access Control

Confidentiality Under Discovery (CUD)

Setting below should be indistinguishable to Alice from the same setting with ages reversed

Diagram (ages reversed):
– Object1 (Entity): Property Name = “John” (DSR: ACL 1 from profiles.xls); Property Age = 44 (DSR: ACL 2 from email.msg)
– Object2 (Entity): Property Name = “James” (DSR: ACL 1 from profiles.xls); Property Age = 33 (DSR: ACL 2 from email.msg)

Alice's Permissions
– ACL 1: read
– ACL 2: discovery

Page 26: Palantir Access Control

Object-Load Satisfies CUD

– Same results in both cases
– No information is leaked!

Diagram: what Alice sees on load
– Object1 (Entity): Property Name = “John” (DSR: ACL 1); Discovery Message for email.msg
– Object2 (Entity): Property Name = “James” (DSR: ACL 1); Discovery Message for email.msg

Page 27: Palantir Access Control

Search Satisfies CUD

– Search for “Age=33” yields discovery message for email.msg
– Search for “Age=44” yields the same
– No information is leaked!

Diagram:
– Object1 (Entity): Property Name = “John” (DSR: ACL 1 from profiles.xls); Property Age = 33 (DSR: ACL 2 from email.msg)
– Object2 (Entity): Property Name = “James” (DSR: ACL 1 from profiles.xls); Property Age = 44 (DSR: ACL 2 from email.msg)

Alice's Permissions
– ACL 1: read
– ACL 2: discovery

Page 28: Palantir Access Control

Conjunctive Searches Do Not Satisfy CUD

– Search for “Age=33 AND Name=John”
– Cannot answer without knowing which age is associated with Object1
– No discovery results returned for conjunctive searches

Diagram:
– Object1 (Entity): Property Name = “John” (DSR: ACL 1 from profiles.xls); Property Age = 33 (DSR: ACL 2 from email.msg)
– Object2 (Entity): Property Name = “James” (DSR: ACL 1 from profiles.xls); Property Age = 44 (DSR: ACL 2 from email.msg)

Alice's Permissions
– ACL 1: read
– ACL 2: discovery
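Discovery on object load and search (Page 10), the ACL-indexed search of Page 21, and the CUR (Pages 16 to 20) and CUD (Pages 23 to 28) indistinguishability checks, as one added Python example written for this transcript, not Palantir's code. Alice's permissions are given per ACL exactly as the slides state them, so the group and ACI resolution is left out; the discovery messages, the query strings, the whitespace-token index, the naive flag that reproduces the conjunctive-search leak, and every function name are assumptions of the example.

```python
from collections import defaultdict

NONE, DISCOVERY, READ = 0, 1, 2   # ordered permissions (Page 6); write/ownership unused here

# Constructed discovery messages in the style of the Page 10 example.
DISCOVERY_MSG = {
    "profiles.xls": "To acquire permission to data from profiles.xls, please contact John Doe.",
    "email.msg": "To acquire permission to data from email.msg, please contact John Doe.",
}

def obj(oid, *props):
    """An object: id plus (name, value, [(acl, data source), ...]) triples; each pair is one DSR."""
    return {"id": oid, "props": list(props)}

def tokens(value):
    return str(value).lower().split()

def build_index(objects):
    """Page 21: every term is indexed with the ACL of each DSR behind it: term -> [(id, source, acl)]."""
    index = defaultdict(list)
    for o in objects:
        for _name, value, dsrs in o["props"]:
            for term in tokens(value):
                for acl, source in dsrs:
                    index[term].append((o["id"], source, acl))
    return index

def search(index, perms, query, naive=False):
    """Readable postings score relevance; discovery-only postings yield a discovery message only.
    Conjunctive queries ignore discovery postings (Page 28); naive=True keeps them, which leaks."""
    terms = set(tokens(query))
    conjunctive = len(terms) > 1
    readable, discoverable, msgs = defaultdict(set), defaultdict(set), defaultdict(set)
    for term in terms:
        for oid, source, acl in index.get(term, ()):
            p = perms.get(acl, NONE)
            if p >= READ:
                readable[oid].add(term)
            elif p == DISCOVERY and (not conjunctive or naive):
                discoverable[oid].add(term)
                msgs[oid].add(DISCOVERY_MSG[source])
    hits, messages = [], set()
    for oid in set(readable) | set(discoverable):
        if readable[oid] == terms:                        # relevance over readable fields only
            hits.append(oid)
        elif readable[oid] | discoverable[oid] == terms:  # matched only via discovery-only DSRs
            messages |= msgs[oid]
    return {"hits": sorted(hits), "discovery": sorted(messages)}

def project(perms, o):
    """Object load (Pages 10, 20): show a property if any DSR is readable; replace discovery-only
    DSRs by their source's message; omit the id, which Page 20 says is randomized."""
    shown, messages = {}, set()
    for name, value, dsrs in o["props"]:
        if any(perms.get(acl, NONE) >= READ for acl, _ in dsrs):
            shown[name] = value
        messages |= {DISCOVERY_MSG[src] for acl, src in dsrs if perms.get(acl, NONE) == DISCOVERY}
    return (tuple(sorted(shown.items())), tuple(sorted(messages)))

def view(perms, objects, queries, naive=False):
    """Everything the analyst can observe: each object's projection and each query's result."""
    index, by_id = build_index(objects), {o["id"]: o for o in objects}
    seen = {"objects": sorted(project(perms, o) for o in objects)}
    for q in queries:
        r = search(index, perms, q, naive)
        seen[q] = (tuple(sorted(project(perms, by_id[h]) for h in r["hits"])), tuple(r["discovery"]))
    return seen

def cur_holds():
    """Pages 16-19: Alice reads A (ACL 1) and has nothing on B (ACL 2); 'A alone' and
    'A and B resolved' must be indistinguishable to her."""
    alice = {"ACL 1": READ, "ACL 2": NONE}
    only_a = [obj("p1", ("Name", "Mike Fikri", [("ACL 1", "profiles.xls")]))]
    resolved = [obj("r1", ("Name", "Mike Fikri", [("ACL 1", "profiles.xls"), ("ACL 2", "email.msg")]),
                          ("Age", 32, [("ACL 2", "email.msg")]))]
    queries = ["mike", "32", "mike 32"]
    return view(alice, only_a, queries) == view(alice, resolved, queries)

def cud_holds(naive=False):
    """Pages 24-28: Alice reads ACL 1 and can only discover ACL 2; swapping the ages must be
    invisible to her. With naive conjunctive search it is not."""
    alice = {"ACL 1": READ, "ACL 2": DISCOVERY}

    def world(age1, age2):
        return [obj("object1", ("Name", "John", [("ACL 1", "profiles.xls")]), ("Age", age1, [("ACL 2", "email.msg")])),
                obj("object2", ("Name", "James", [("ACL 1", "profiles.xls")]), ("Age", age2, [("ACL 2", "email.msg")]))]

    queries = ["33", "44", "john", "33 john"]
    return view(alice, world(33, 44), queries, naive) == view(alice, world(44, 33), queries, naive)

if __name__ == "__main__":
    print("CUR holds:", cur_holds())
    print("CUD holds:", cud_holds(), "| with naive conjunctive discovery:", cud_holds(naive=True))
```

view() collects everything Alice can observe (each object's readable projection plus each query's hits and discovery messages), and the two checks compare that observation across the pair of worlds the slides declare indistinguishable. Both hold with the slides' rules; the naive variant fails CUD because a conjunctive search that still honours discovery postings emits the email.msg discovery message for "33 john" only in the world where Object1's age is 33, which is exactly the inference Page 28 rules out.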

Page 29: Palantir Access Control

Conclusion

– Security and Data Models
– Security Guarantees
– Two applications of our guarantees
  • Confidentiality Under Resolution (CUR)
  • Confidentiality Under Discovery (CUD)

For more details, see the “Palantir Access Control Model” whitepaper

Page 30: Palantir Access Control

(Closing slide: repeats the title slide.)