Commit 7c3dc23d authored by Bengfort

Revert part of "mv pseudonyms and db split to separate "data separation" page"

This reverts parts of commit f9b2e260.

The technical details fit better in the security chapter because it is
supposed to give a quick overview of security measures implemented in
castellum.
parent 37cd044f
Pipeline #10850 passed with stage in 27 seconds
......@@ -97,20 +97,3 @@ Relevant guides:
- :ref:`study-domains`
- :ref:`subject-get-pseudonym`
- :ref:`subject-delete`
Database split
--------------
In Castellum, contact data is handled in a database server which is separated
from everything else to provide an additional barrier.
This provides a clear structure for developers that should help avoiding
critical data leaks. Even if an attacker is able to dump a whole table or even
a whole database, this structure still limits the impact.
However, it is important to understand that the barrier between recruitment and
contact data is not that high. Since castellum has full access to both, an
attacker can also gain full access. Spreading the system across several
databases on different servers or even in different organizations does not help
much if there is still a single point of entry.
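Review bot: dropping the whole "Database split" section from this guide page leaves the "Relevant guides" list (the three ``:ref:`` entries kept as context) with no pointer to where the database-split explanation now lives; consider adding a ``:ref:`` to the security chapter's new "Data separation" section so readers of the guide can still find it. Also note that the removed text says contact data lives "in a database server which is separated from everything else", i.e. a separate server, while the text moved into the security chapter only says "a separate database"; if the server-level separation is the intended deployment, that detail should not get lost in the move.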
......@@ -81,6 +81,35 @@ user's privacy level is controlled via the special permissions
``privacy_level_1`` and ``privacy_level_2``. The three levels (0-2) accord to
the data security levels of the Max Planck Society.
Data separation
---------------
Implementation
~~~~~~~~~~~~~~
We chose to split the data into three different categories:
- Scientific data is handled outside of castellum. Castellum only
provides the pseudonyms that are used to map this data to subjects.
- Data relevant for recruitment is handled in castellum.
- Contact data is also handled in castellum, but in a separate database
to provide an additional barrier.
Security Considerations
~~~~~~~~~~~~~~~~~~~~~~~
The described architecture provides a clear structure for developers
that should help avoiding critical data leaks. Even if an attacker is
able to dump a whole table or even a whole database, this structure
still limits the impact.
However, it is important to understand that the barrier between
recruitment and contact data is not that high. Since castellum has full
access to both, an attacker can also gain full access. Spreading the
system across several databases on different servers or even in
different organizations does not help much if there is still a single
point of entry.
Monitoring
----------
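Review bot: the new subsection heading "Security Considerations" is in title case while the surrounding headings ("Data separation", "Implementation", "Monitoring") use sentence case; "Security considerations" would match the file's convention. The project name is also spelled inconsistently within the added text: "Castellum only provides the pseudonyms" versus "handled in castellum" and "Since castellum has full access"; pick one form. Finally, the "Security Considerations" paragraph ends on the warning that a single point of entry negates the database barrier but does not say what does mitigate it; since the context lines directly above describe the ``privacy_level_1`` / ``privacy_level_2`` permissions and the three data security levels, a sentence tying the database split to those access controls would make the overview this chapter is meant to give more complete.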