nach oben

Information Systems Frontiers

Erschienen in:

13.08.2021

Approaches to Enforce Privacy in Databases: Classical to Information Flow-Based Models

verfasst von: R.K. Shyamasundar, Pratiksha Chaudhary, Arushi Jaiswal, Aniket Kuiri

Erschienen in: Information Systems Frontiers | Ausgabe 4/2021

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Ever since databases became an ubiquitous part of enterprises or businesses, security and privacy became a requirement. Traditionally, privacy was realized through various methods of database access control and relied much on the use of statically defined views, which are essentially logical constructs imposed over database tables that can alter or restrict the data that can be viewed by an user. Privacy is about the responsible maintenance of private information. This responsibility is hard to define, which is why laws are necessary. With a vast accumulation of personal data in databases, there has been a heightened awareness and concern about the storage and use of private information leading to privacy-related guidelines, regulations and legislations, Compliance with these regulations has become one of the major concerns for organizations and companies. Traditionally, privacy in databases (DBs) have been addressed through access control techniques including multi-level security (MLS) based on mandatory access control (MAC), and restricted views to the users. As view definitions to comply with regulations became quite complex for accommodating all the restrictions in one view, explicit constructs for specifying privacy policies were introduced for complying with medical regulations like HIPAA (Health Insurance Portability and Accountability Act) from USA, in relational database systems. These enabled fine grained access control (FGAC) capable of enforcing disclosure control enunciated databases. Application of information flow control that is needed for multi-level security (MLS) databases to preserve privacy among multiple users but have their challenges like new abstractions for managing information flow in a relational database system, handling transactions and integrity constraints without introducing covert channels etc. As the DBs need to work alongside information flow controlled programming languages and operating systems for tracking flows, there is a need to enforce the security policy not only on the DBMS but also on the application platform. Due to the underlying requirement of decentralization, it calls for declassification/endorsement and santization requirements on the DB. In this paper, we shall first review some of the major privacy enhancing techniques used traditionally for DBs including MLS DBs, and then explore application of decentralized information flow control models for realizing information flow secure DBs in a robust manner. Towards the end, we shall also touch upon some of the roles of anonymization and psuedonymization including inference control and differential privacy in realizing privacy in practice.

Vorheriger Artikel Advances in Secure Knowledge Management in the Artificial Intelligence Era

Nächster Artikel Privacy-Preserving Mutual Authentication and Key Agreement Scheme for Multi-Server Healthcare System

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

“The Right to Privacy” (4 Harvard L.R. 193 (Dec. 15, 1890)) is a law review article written by Samuel Warren and Louis Brandeis, and published in the 1890 Harvard Law Review.

Alan F. Westin, Privacy And Freedom, 25 Wash. & Lee L. Rev. 166 (1968),

For notions like inversion privacy, the reader is referred to Gurevich et al. (2016).

Note that it also has to use the tranquility principle (Denning, 1976).

Acquisti, A., Dinev, T., & Keil, M. (eds.) (2019). Cyber security, privacy and ethics of information systems, information system frontiers, special issue. Vol. 21 6. Springer: Berlin.

Aniket, K. (2018). Security analysis in multi-level databases. IIT Bombay: M.Tech, Dissertation, Department of Computer Science and Engg.

Arushi, J. (2016). Database security using Reader Writer Flow Model. IIT Bombay: Department of Computer Science and Engg.

Chaudhary, P. (2017). SecpostgreSQL: A system for flow-secure view, transaction, sanitization and declassification on mls database. IIT Bombay: M.Tech. Thesis, Department of Computer Science and Engineering.

Cuervo, E., & Shakimov, A. (2016). Privacy and Networks, CPS96, private presentation (ppt).

Denning, D.E (1976). A lattice model of secure information ow. Communications of the ACM, 19(5), 236–243.CrossRef

Denning, D.E. (1982). Cryptography and data security. Reading MA: Addison-wesley.

Denning, D.E., Lunt, T.F., Schell, R.R., Shockley, W.R., & Heckman, M. (1988). The SeaView security model. In Proceedings, 1988 IEEE symposium on security and privacy, Oakland, CA, USA, pp. 218–233.

Denning, D.E., Akl, S.G., Heckman, M., Lunt, T.F., Morgenstern, M., Neumann, P.G., & Roger, R.S. (1987). Views for multilevel database security. IEEE Trans. on Software Engineering.

Dwork, C., & Naor, M. (2010). On the difficulties of disclosure prevention in statistical databases or the case for differential privacy. Journal of Privacy and Confidentiality, 2(1), 93–107.CrossRef

Dwork, C., & Roth, A. (2014). The algorithmic foundations of differential privacy. Foundations and Trends in Theoretical Computer Science, 9(3–4), 211–407.

Farkas, C., & Jajodia, S. (2002). The inference problem: a survey. SIGKDD Explorations, 4(2), 6–11.CrossRef

Ghosal, S, Shyamasundar, R.K., & Narendra Kumar, N.V. (2019). Compile-time security certification of imperative programming languages. In E-business and telecommunications, revised selected papers of 15th int. joint conference ICETE’18, pp 159–182, Springer CCIS vol., 1118.

Gurevich, Y., Hudis, E., & Wing, J.M. (2016). Inverse privacy. Communications of the ACM, 59(7), 38–42.CrossRef

Jajodia, S., & Sandhu, R. (1991). Toward a multilevel secure relational data model. In Proceedings of the 1991 ACM SIGMOD international conference on management of data (SIGMOD 1991), Association for computing machinery, New york, NY, USA, pp 50–59.

Keil, M., Culnan, M., Dinev, T., & et al. (2019). Data governance, consumer privacy, and project status reporting: Remembering h. Jeff smith. Information Systems Frontiers, 21, 1207–1212. https://doi.org/10.1007/s10796-019-09964-4.CrossRef

Myers, A., & Barbara, L. (1997). A decentralized model for information flow control. In Proc. of the 16th ACM symposium on operating systems principles (SOSP 1997), pp 129–142 Saint Malo France.

Narendrakumar, N.V., & Shyamasundar, R.K. (2014). Realizing purpose-based privacy policies succinctly via information-flow labels. In IEEE int. conf. on big data and cloud computing (BdCloud), Sydney 3-5.

Narendrakumar, N.V., & Shyamasundar, R.K. (2017). A complete generative label model for lattice-based access control models. In Software engineering and formal methods, Trento, Italy, September 4-8, 2017, LNCS 10469, Springer International Publishing, pp. 35–53.

Narendra Kumar, N.V., & RKS. (2016). A decentralized information flow security model for multilevel security and privacy domains, US Patent 9,507,929.

Patil, V.T., & Shyamasundar, R.K. (2017). Privacy as a currency: un-regulated?. In Proc. of the 14th Int. Jt. conf.on e-business and telecommunications, Vol. 4: SECRYPT, pp.586-595, SciTePress, INSTICC, ISBN 978-989-758-259-2.

Radhika, B.S., Kumar, N.V.N., Shyamasundar, R.K., & Vyas, P. (2020). Consistency analysis and flow secure enforcement of selinux policies. Computer Security, 94, 101816.CrossRef

Rakesh, A., Kiernan, J., Srikant, R., & Yirong, X. (2002). Hippocratic databases. In Proceedings of the 28th international conference on very large data bases (VLDB 2002), VLDB Endowment, pp. 143–154.

Ray, D. (2019). Privacy patient and ownership of electronic health records on a blockchain, ICBC 2019, LNCS, 11521, pp. 95–111.

Rizvi, S., Mendelzon, A., Sudarshan, S., & Prasan, R. (2004). Extending query rewriting techniques for fine grained access control. ACM SIGMOD.

Schoepe, D. (2014). Information flow in databases for free. Sweden: Masters Thesis, Chalmers University of Technology, Gothenburg.

Schultz, D. (2013). Barbara Liskov IFDB: decentralized information flow control for databases. In Proceeding EuroSys ’13, proceedings of the 8th ACM european conference on computer systems, p. 43.

Schultz, D. (2012). Decentralized information flow control for databases, Doctoral Dissertation, v.

Shyamasundar, R.K., Narendra Kumar, N.V., Taware, A., & Vyas, P. (2018). An Experimental Flow Secure File System. In 17th IEEE international conference on trust, security and privacy in computing and communications, 1-3 pp. 790–799.

Shyamasundar, R.K., Satheesan, S., Mittal, D., & Chaudhary, A. (2019). Sechadoop: A privacy preserving hadoop. In Proceedings of the 12th IEEE/ACM international conference on utility and cloud computing (UCC 2019), association for computing machinery, New York, NY, USA, pp. 111–121.

Silberschatz, A., Korth, H.F., & Sudarshan, S. (2013). Database system concepts. 6th Edition, McGraw Hill.

Smith, K., & Winslett, M. (1992). Entity modeling in the MLS relational model. VLDB.

Smith, K., Jajodia, S., Swarup, V., Hoyt, J., & Hamilton, G. (2004). Enabling the sharing of neuroimaging data through well-defined intermediate levels of visibility. NeuroImage, 22, 1646–1656.CrossRef

Vamshi, C., Nihita, G., Naren, N., & Shyamasundar, R.K. (2017). Secure document management through information-flow control, 7th secure knowledge management workshop (SKM 2017), Oct. 6-7 2017, St Pet. Florida.

Vishwas, P., & Shyamasundar, R.K. (2018). Efficacy of the right-to-be-forgotten on facebook, ICISS 2018, LNCS, 11281, pp. 364–385.

Vyas, P., Shyamasundar, R.K., Patil, B., Borse, S., & Sen, S. (2021). SPLinux: A information flow secure Linux, 15th IEEE SpaCCS, Oct 2021, NY, USA.

Titel: Approaches to Enforce Privacy in Databases: Classical to Information Flow-Based Models
verfasst von: R.K. Shyamasundar
Pratiksha Chaudhary
Arushi Jaiswal
Aniket Kuiri
Publikationsdatum: 13.08.2021
Verlag: Springer US
Erschienen in: Information Systems Frontiers / Ausgabe 4/2021
Print ISSN: 1387-3326
Elektronische ISSN: 1572-9419
DOI: https://doi.org/10.1007/s10796-021-10178-w

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 4/2021

Exploring the Multi-Level Digital Divide in Mobile Phone Adoption: A Comparison of Developing Nations

An Investigation of Misinformation Harms Related to Social Media during Two Humanitarian Crises

Assessing the Role of Age, Education, Gender and Income on the Digital Divide: Evidence for the European Union

Decepticon: a Theoretical Framework to Counter Advanced Persistent Threats

Borrower Learning Effects: Do Prior Experiences Promote Continuous Successes in Peer-to-Peer Lending?

Privacy-Preserving Mutual Authentication and Key Agreement Scheme for Multi-Server Healthcare System