From 7c3dc23da503616515bb0a060a08778f2308d663 Mon Sep 17 00:00:00 2001 From: Tobias Bengfort Date: Tue, 17 Aug 2021 11:05:56 +0200 Subject: [PATCH] Revert part of "mv pseudonyms and db split to separate "data separation" page" This reverts parts of commit f9b2e2603c438ca37be5165bad4a8ef844d2c343. The technical details fit better in the security chapter because it is supposed to give a quick overview of security measures implemented in castellum. --- source/privacy.rst | 17 ----------------- source/security.rst | 29 +++++++++++++++++++++++++++++ 2 files changed, 29 insertions(+), 17 deletions(-) diff --git a/source/privacy.rst b/source/privacy.rst index 718f87e..018e2cd 100644 --- a/source/privacy.rst +++ b/source/privacy.rst @@ -97,20 +97,3 @@ Relevant guides: - :ref:`study-domains` - :ref:`subject-get-pseudonym` - :ref:`subject-delete` - - -Database split -------------- - -In Castellum, contact data is handled in a database server which is separated -from everything else to provide an additional barrier. - -This provides a clear structure for developers that should help avoiding -critical data leaks. Even if an attacker is able to dump a whole table or even -a whole database, this structure still limits the impact. - -However, it is important to understand that the barrier between recruitment and -contact data is not that high. Since castellum has full access to both, an -attacker can also gain full access. Spreading the system across several -databases on different servers or even in different organizations does not help -much if there is still a single point of entry. diff --git a/source/security.rst b/source/security.rst index 8e482b7..cf9493a 100644 --- a/source/security.rst +++ b/source/security.rst 
@@ -81,6 +81,35 @@ user's privacy level is controlled via the special permissions ``privacy_level_1`` and ``privacy_level_2``. The three levels (0-2) accord to the data security levels of the Max Planck Society. +Data separation +--------------- + +Implementation +~~~~~~~~~~~~~~ + +We chose to split the data into three different categories: + +- Scientific data is handled outside of castellum. Castellum only + provides the pseudonyms that are used to map this data to subjects. +- Data relevant for recruitment is handled in castellum. +- Contact data is also handled in castellum, but in a separate database + to provide an additional barrier. + +Security Considerations +~~~~~~~~~~~~~~~~~~~~~~~ + +The described architecture provides a clear structure for developers +that should help avoiding critical data leaks. Even if an attacker is +able to dump a whole table or even a whole database, this structure +still limits the impact. + +However, it is important to understand that the barrier between +recruitment and contact data is not that high. Since castellum has full +access to both, an attacker can also gain full access. Spreading the +system across several databases on different servers or even in +different organizations does not help much if there is still a single +point of entry. + Monitoring ---------- -- GitLab
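Review bot: on the privacy.rst hunk, the page now ends with the ``Relevant guides`` list and gives no pointer to where the "Database split" material went, so a reader of the privacy chapter who looks for the contact-database barrier finds nothing; add a ``:ref:`` entry to that list pointing at the new "Data separation" section in security.rst (which requires a ``.. _data-separation:`` label above that heading, not present in this patch). The removed "single point of entry" paragraph is the part with the most privacy relevance, so a one-sentence summary here with the cross-reference would keep the privacy page honest without duplicating the technical detail.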
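Review bot: on the security.rst hunk, "that should help avoiding critical data leaks" should read "help avoid", and "Since castellum has full access" uses lowercase while the list two paragraphs above writes "Castellum"; both are carried over verbatim from the text deleted in privacy.rst, so fix them while moving. The heading "Security Considerations" is title-cased whereas "Data separation", "Implementation" and the following "Monitoring" use sentence case; suggest "Security considerations". The new section also has no reST label, so no other page can cross-reference it; add ``.. _data-separation:`` before the "Data separation" heading. Finally, since the closing paragraph states that a single point of entry makes the database split a weak barrier, one sentence naming which of the measures on this page (the permission levels in the context lines above, or the monitoring section below) is relied on to protect that entry point would make the overview this chapter is meant to give more useful.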