Merge branch 'revert-split-privacy' into 'master'

Revert part of "mv pseudonyms and db split to separate "data separation" page" See merge request !81

Merge branch 'revert-split-privacy' into 'master'
Revert part of "mv pseudonyms and db split to separate "data separation" page" See merge request !81
8887a549 · Bengfort · 222ea1e2 · 7c3dc23d · 8887a549 · 8887a549
Commit 8887a549 authored Aug 18, 2021 by Bengfort
--- a/source/privacy.rst
+++ b/source/privacy.rst
@@ -97,20 +97,3 @@ Relevant guides:
 -   :ref:`study-domains`
 -   :ref:`subject-get-pseudonym`
 -   :ref:`subject-delete`
-
-
-Database split
--------------
-
-In Castellum, contact data is handled in a database server which is separated
-from everything else to provide an additional barrier.
-
-This provides a clear structure for developers that should help avoiding
-critical data leaks. Even if an attacker is able to dump a whole table or even
-a whole database, this structure still limits the impact.
-
-However, it is important to understand that the barrier between recruitment and
-contact data is not that high. Since castellum has full access to both, an
-attacker can also gain full access. Spreading the system across several
-databases on different servers or even in different organizations does not help
-much if there is still a single point of entry.
--- a/source/security.rst
+++ b/source/security.rst
@@ -81,6 +81,35 @@ user's privacy level is controlled via the special permissions
 ``privacy_level_1`` and ``privacy_level_2``. The three levels (0-2) accord to
 the data security levels of the Max Planck Society.

+Data separation
+---------------
+
+Implementation
+~~~~~~~~~~~~~~
+
+We chose to split the data into three different categories:
+
+-  Scientific data is handled outside of castellum. Castellum only
+   provides the pseudonyms that are used to map this data to subjects.
+-  Data relevant for recruitment is handled in castellum.
+-  Contact data is also handled in castellum, but in a separate database
+   to provide an additional barrier.
+
+Security Considerations
+~~~~~~~~~~~~~~~~~~~~~~~
+
+The described architecture provides a clear structure for developers
+that should help avoiding critical data leaks. Even if an attacker is
+able to dump a whole table or even a whole database, this structure
+still limits the impact.
+
+However, it is important to understand that the barrier between
+recruitment and contact data is not that high. Since castellum has full
+access to both, an attacker can also gain full access. Spreading the
+system across several databases on different servers or even in
+different organizations does not help much if there is still a single
+point of entry.
+
 Monitoring
 ----------