CECID has been awarded HK$6.58 million for a new Innovation Technology Fund (ITF) project, "An Intelligent Data Security Gateway for Multiparty Data Transfer Supported by Multi-Factor and Multi-Dimensional Data protection Scheme", under the Guangdong - Hong Kong Technology Cooperation Funding Scheme (TCFS). On top of ITF funding, the project received industry sponsorships and tremendous support from 7 industry partners. They include Apacus, EagleTec, ICO, ISCAS, Guangdong Linux Centre, Microsoft, and Peking University Tomorrow Resources Technology. Led by Prof. David Cheung, the project will commence on 1 April 2009 and will last for 2 years.
In recent years, many personal data leakage incidents have raised serious concern about data security. These cases revealed the need to strengthen data security governance policies, especially on the use of portable devices, and the technologies that enforce them. Named Hare, this project aims to develop a suite of software control tools that help enterprises define their security policies on data access and turn them into enforced data protection through a centralized data security infrastructure.
The deliverables of this project include:
The diagram below depicts the high level view on the proposed centralized data security infrastructure:
Secure Data Zone Planner
It is an administration tool that helps the data security administrator define the necessary data protection measures (such as encryption, perturbation, and digital signature) for each Secure Data Zone and define Secure Data Views for different types of data users. Each Secure Data Zone is formed by virtually grouping enterprise data based on their intended usages, intended users and/or intended access channels, whereas a Secure Data View is defined by mapping a Secure Data Zone to different data users and applications.
Intelligent Data Security Gateway (IDSG)
IDSG is a run-time proxy server that executes the data protection measures set forth by the Secure Data Zone Planner. It provides a multi-dimensional, rule-based security control mechanism, so that enterprise data can be protected to the level required by the defined security policies. In addition, it supports data access audit logging, which can be used to support advanced features or enterprise management, such as monitoring and data leakage detection.
It is a portable extension of the Intelligent Data Security Gateway, which encrypts all the data stored, allowing only authorized users to access the content inside. The decryption process involves a novel technique called the multi-factor encryption algorithm. It enables enterprises to flexibly define the necessary conditions for users to obtain enough information to decrypt the content, so that enterprise security policies can be extended to remote and portable data usage, including B2B activities.
Multi-Factor Encryption Key Manager
It is designed to handle the management of keys according to the multi-factor encryption algorithm. It consists of (1) a key generation engine for preparing secret keys and splitting them into parts, (2) a key repository for storing generated keys, (3) an application programming interface (API) for reconstructing secret keys from parts, and (4) a device loader for deploying generated keys into various storage media (such as USB flash drives).
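The announcement does not describe the multi-factor encryption algorithm itself. As an added illustration (not the project's code), the sketch below shows the split/reconstruct idea with a plain all-parts-required XOR split, which is a stand-in technique; the three factors (a device part, a server part and a passphrase) and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # 256-bit data key

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _passphrase_factor(passphrase: str, salt: bytes) -> bytes:
    # Stretch the user's passphrase into a key-sized factor.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               100_000, dklen=KEY_LEN)

def key_check(key: bytes) -> bytes:
    # Check value kept in the repository to detect a wrong reconstruction.
    return hmac.new(key, b"key-check", hashlib.sha256).digest()

def split_key(secret: bytes, passphrase: str, salt: bytes):
    """Split so that secret = device_part XOR server_part XOR passphrase factor."""
    if len(secret) != KEY_LEN:
        raise ValueError("secret must be 32 bytes")
    device_part = secrets.token_bytes(KEY_LEN)  # e.g. loaded onto a USB drive
    server_part = _xor(_xor(secret, device_part),
                       _passphrase_factor(passphrase, salt))
    return device_part, server_part

def reconstruct_key(device_part: bytes, server_part: bytes,
                    passphrase: str, salt: bytes, check: bytes) -> bytes:
    """Recombine all three factors; reject the result if any factor is wrong."""
    candidate = _xor(_xor(device_part, server_part),
                     _passphrase_factor(passphrase, salt))
    if not hmac.compare_digest(key_check(candidate), check):
        raise ValueError("factor missing or incorrect")
    return candidate

if __name__ == "__main__":
    # Constructed sample values, for demonstration only.
    salt = secrets.token_bytes(16)
    secret = secrets.token_bytes(KEY_LEN)
    dev, srv = split_key(secret, "correct horse", salt)
    assert reconstruct_key(dev, srv, "correct horse", salt,
                           key_check(secret)) == secret
    print("key reconstructed from all three factors")
```

Because the device part is uniformly random, the device part or the server part on its own reveals nothing about the secret key; someone holding both of those parts and the check value still has to guess the passphrase.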