Practical Data Confinement

semanticscholar(2009)

Abstract
One of the chief security concerns in managing an organization is controlling the flow of sensitive information, by which we mean ensuring that data and documents are only disseminated to the appropriate parties, whether they be a small group of corporate officers, or only those with a particular security clearance, or anyone within the organization but not the general public. The recent history of major leakages of sensitive information (including several recent incidents at our own institution in which databases containing confidential student information were breached [1, 2]) suggests that most organizations are severely deficient in this regard, including those in government [3, 4], education [5], and the commercial world [6, 7]. None of the incidents cited above were due to malicious insiders purposely leaking data; the cited leaks were all the result of employee carelessness and/or external attackers, and in many cases, the organization devoted significant resources to improving their security prior to the leak (e.g., our own institution spent many millions of dollars improving security, yet the leaks continue). Thus, it appears that data confinement is a serious problem, and the blame cannot be placed on organizational complacency or internal malfeasance. After all the money and effort devoted to developing new security technology, why is it so hard to prevent leaks of sensitive information even in well-managed organizations with well-intentioned employees? In short, as we explain below, it is because most current efforts to confine sensitive data rely on two imperfect components. First, because most sensitive data and documents are handled by computers, data confinement requires that operating system and application software must be resilient against attackers attempting to exfiltrate sensitive data. However, most software in use today is rife with bugs that can easily be exploited for exfiltration.
There is little hope that this will be rectified in the near future, because legacy code will remain in use for a long time and because even modern software has significant vulnerabilities. Second, confining sensitive data requires users to obey dissemination restrictions on documents and datasets. Yet we know that users are careless and occasionally email