IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.127 Inference prevention
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
To protect person related data and other confidential information stored in a
database system, each user should only be allowed to access the data required
for performing the tasks assigned to that particular user. All the other
information in the database must be concealed from the user.
For this purpose, it must be possible to define the access rights on tables up to
their individual fields. This can be done using Views and Grants (refer to S
2.129 Controlling access to database information). In this manner, users are
only allowed to view and process the data intended specifically for them.
Database queries issued by a user to access other information are rejected by
the DBMS.
Different security requirements arise for statistical databases containing data
on groups of persons, social strata etc. In a statistical database, entries related
to individual persons are protected as private data, although the statistical
information based on these entries is accessible by all users.
Here, measures are required to prevent information on a group of persons
from being used to make inferences on individual members of the group.
Steps must also be taken to prevent the anonymity of the information in the
database from being circumvented through the use of database queries
formulated in accordance with the data storage patterns (e.g. if the result set of
a database query only contains one data record). This situation is termed
"inference problem", and measures to preclude its occurrence constitute
"inference prevention."
Even if the data in a statistical database is technically anonymous, methods of
inference can be used to restore associations between persons and certain data
records. The rejection of specific queries (e.g. queries with only one or very
few result tupels) does not generally prove sufficient, as even a refusal issued
by the database management system as a response to a query can contain
relevant information.
The anonymity of data can also be impaired through the collection of different
statistics. Such techniques of indirect attack use several statistics as a basis for
drawing conclusions on the personal data of an individual. A protective
measure in this case is to prohibit the release of "sensitive" statistics - this is
termed "suppressed inference prevention". Another possibility is to distort
such statistics through controlled rounding (identical rounding of identical
statistics) or restrict queries to statistically relevant subsets with the
prerequisite that identical queries must always refer to the same subsets. This
technique is termed "inference prevention through distortion".
If additional demands concerning the confidentiality of data are to be met, the
data must be encrypted (refer to S 4.72 Database encryption).
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000