In this paper we present a solution for data protection that leverages the concept
of a virtual directory and data encryption to provide a user-centric approach
to sensitive information protection, delegation, and collaboration. Specifically, we
discuss an architecture for protecting individual attributes in directory services
from unauthorized access. In standard configurations for directory data usage,
clients communicate directly with directory services using the Lightweight Directory
Access Protocol (LDAP). Clients connect to a specific port on a specific
server, and may authenticate using various methods, including a username
and password, where the configuration requires it. Our architecture is based on a middle layer
placed in between the client and server, called a virtual directory, to handle
LDAP transactions between them. A data protection component within the virtual
directory is introduced and it relies on information provided by the client to
encrypt sensitive information. While other solutions have proposed encrypting
attribute information, our architecture provides this capability without requiring
additional software or hardware on either the client or destination server.
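The following is an added illustration of the flow the abstract describes, not code from the paper. A small virtual-directory object sits between the client and a backend store (a plain dictionary standing in for the LDAP server), derives a per-entry key from a client-supplied secret (an assumption about what "information provided by the client" means), and seals the attributes listed in a policy before they are forwarded, so the backend holds only ciphertext for those attributes. The attribute names, the PBKDF2 derivation and the stdlib-only encrypt-then-MAC construction (HMAC-SHA256 in counter mode plus an HMAC tag, standing in for an AEAD such as AES-GCM from a vetted library) are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Assumed policy: attribute names the virtual directory never forwards in clear.
SENSITIVE_ATTRS = {"ssn", "salary"}
PREFIX = "enc:"  # marks a stored value as ciphertext


def derive_key(client_secret: str, dn: str) -> bytes:
    """Derive a 64-byte key (32 for encryption, 32 for the MAC) from the
    client-provided secret. The entry DN is the salt, so every entry gets
    its own key (an assumption of this example, not the paper's design)."""
    return hashlib.pbkdf2_hmac(
        "sha256", client_secret.encode(), dn.lower().encode(), 200_000, dklen=64
    )


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 run in counter mode as a keystream. Stdlib-only stand-in
    for a real AEAD cipher; a production deployment would use AES-GCM."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: str) -> str:
    """Encrypt-then-MAC a single attribute value; returns a storable string."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = os.urandom(16)
    data = plaintext.encode()
    ct = bytes(p ^ k for p, k in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return PREFIX + base64.b64encode(nonce + ct + tag).decode()


def unseal(key: bytes, stored: str) -> str:
    """Verify the tag before decrypting; a wrong client secret or a value
    modified on the server fails here instead of yielding garbage."""
    enc_key, mac_key = key[:32], key[32:]
    blob = base64.b64decode(stored[len(PREFIX):])
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong client secret or tampered value")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


class VirtualDirectory:
    """Middle layer between an LDAP client and server. `backend` stands in
    for the destination directory server and only ever receives ciphertext
    for the attributes in SENSITIVE_ATTRS."""

    def __init__(self) -> None:
        self.backend: dict[str, dict[str, str]] = {}

    def add(self, client_secret: str, dn: str, attrs: dict[str, str]) -> None:
        """Handle an LDAP add: seal protected attributes, forward the rest as-is."""
        key = derive_key(client_secret, dn)
        self.backend[dn] = {
            name: seal(key, value) if name.lower() in SENSITIVE_ATTRS else value
            for name, value in attrs.items()
        }

    def search(self, client_secret: str, dn: str) -> dict[str, str]:
        """Handle an LDAP search: unseal protected attributes on the way back."""
        key = derive_key(client_secret, dn)
        return {
            name: unseal(key, value) if value.startswith(PREFIX) else value
            for name, value in self.backend[dn].items()
        }


if __name__ == "__main__":
    vd = VirtualDirectory()
    dn = "uid=alice,ou=people,dc=example,dc=com"  # constructed sample entry
    vd.add("client-secret", dn, {"cn": "Alice", "ssn": "123-45-6789"})
    print("stored on server:", vd.backend[dn])
    print("returned to client:", vd.search("client-secret", dn))
```

The point worth noticing is that neither side changes: the client still speaks plain LDAP and supplies its secret, the backend still stores ordinary string attributes, and only the middle layer knows which attributes are protected and how to recover them. A search with a different client secret fails the tag check rather than returning a decrypted value.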