Dan Griffin's Blog

Comments on security, PKI, smart cards, cryptography, and entrepreneurship.

Interesting article in this month’s BioIT World magazine entitled "The Case for Security in Bioinformatics" - http://www.bio-itworld.com/issues/2007/april/bioinformatics-security/. In summary, the article observes that some old network security problems apply to an emerging field - surprise - but there are a couple of points worth discussing.

The observation is made that the use of distributed research resources, such as shared data repositories, is a potential problem. Due to the high stakes and big dollar values involved in drug research, labs typically want to reveal as little as possible about the types of efforts they’re investing in. But even the behavior ("meta-data") of network traffic can be revealing. For example, what type of queries is a researcher making against a hosted database? The nature of the queries may indicate a new research direction that was intended to be kept secret.

How to prevent this? Well, application or transport-layer encryption comes to mind - options include SSL/TLS and IPsec. The former is widely deployed in ecommerce; perhaps it’s less so in the context of scientific data repositories. The latter is less widely used, although it might be an interesting option for providing an encrypted link between a lab’s network edge and a hosted database on the internet. Of course, the amount of raw data involved in such research scenarios tends to be huge. I don’t know whether the overhead imposed by TLS or IPsec encryption would be noticeable; however, a dedicated encrypted link between two edge servers would likely warrant special offload hardware (a solution which has historically proven cost-prohibitive on individual workstations).

Although confidentiality may be less of a concern within the laboratory LAN (as compared to data sent across the wide-open internet), data integrity is still an issue. A colleague recently shared with me that the entire lab data path (from device to network to device, etc) is of concern from a compliance perspective. That is, what assurances are made that data in transit, or at rest, hasn’t been modified, maliciously or otherwise? Again, the amount of data for which integrity claims must be made is huge - potentially hundreds of gigabytes per day or more!
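One way to make an integrity claim about data at rest, as an added example that is not from the article or the original post: a keyed manifest (HMAC-SHA256) streamed over each file in fixed-size chunks, so memory use stays flat however large the files are, and so that someone who can alter the data cannot simply recompute the tag the way they could with a plain hash. The function names, the chunk size, and the assumption that the key and manifest are kept away from the data path are all illustrative.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so file size never dictates memory use

def file_tag(path, key):
    """Stream a file through HMAC-SHA256 and return the hex tag."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            mac.update(block)
    return mac.hexdigest()

def build_manifest(root, key):
    """Map each file under root (by relative path) to its keyed tag."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_tag(full, key)
    return manifest

def verify_manifest(root, key, manifest):
    """Compare the tree against a stored manifest and report differences."""
    current = build_manifest(root, key)
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, tag in sorted(manifest.items()):
        if rel not in current:
            report["missing"].append(rel)
        elif not hmac.compare_digest(tag, current[rel]):
            report["modified"].append(rel)
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report

def demo():
    """Constructed sample data: two small stand-ins for instrument output."""
    key = os.urandom(32)  # assumption: the key is stored off the data path
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("run1.dat", b"ACGT" * 1000), ("run2.dat", b"TTGA" * 1000)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        manifest = build_manifest(root, key)
        with open(os.path.join(root, "run2.dat"), "r+b") as fh:
            fh.write(b"G")  # overwrite one byte at rest
        return verify_manifest(root, key, manifest)

if __name__ == "__main__":
    print(demo())
```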

Another point raised by the article is that of trustworthy software. How should research labs evaluate the quality of a given software solution from a security perspective? As in any computing environment, there will be those who reflexively prefer either closed source or open source. But I’m not aware of any correlation between the "openness" of a body of code, and the caliber/qualifications of the people who wrote, reviewed, and tested it, especially from a security perspective. What criteria then - reputation, number of patches issued? I’m a (biased) fan of 3rd party assessments, although that approach is expensive. The current state of the "software evaluation and deployment" art seems to be a best-effort combination of all of the above, plus some perimeter security and patching solution, with the costs shared (one way or another) between each vendor and its clients. This is an area ripe for disruptive innovation!


1 Comment »

  1. Dan,

    Though the post is old, I thought to seek your view!

    Do you think bioinformatics needs a focused, research-based security software or hardware product that can address the key concerns highlighted above?

    Chrs,
    Kuldeep

    Comment by Kuldeep — March 28, 2010 @ 1:58 pm
