On Usage Control in Relational Database Management Systems - Obligations and Their Enforcement in Joining Datasets

Mortaza S. Bargh, Marco Vink, sunil choenni

Abstract

When datasets are collected and accessed legitimately, they must still be used appropriately according to policies, guidelines, rules, laws, and/or the (current) preferences of data subjects. Any inconsistency between the data collection and data usage processes can conflict with many principles of privacy like the transparency principle, no secondary use principle, or intended purpose usage principle. In this contribution we show how the usage control for the inner join operation in vertically separated relational datasets can be characterized as pre and post obligations of the Usage Control (UCON) model. This type of obligations is defined not only by the state of the UCON object (i.e., a dataset) itself, but also with respect to the state of another dataset. Such dependency on two datasets/objects provides a new insight in UCON obligation constructs when applied to the join operation. We describe also a mechanism to realize the identified obligation in a database management system and present an example realization of the proposed mechanism. Furthermore, we enlist a number of methods to determine whether two given datasets can be joined.

References

  1. Agrawal, R. et al., 2002. Hippocratic databases. Proceedings of the 28th international conference on Very Large Data Bases, 4(1890), pp.143-154.
  2. Bargh, M.S. & Choenni, S., 2013. On preserving privacy whilst integrating data in connected information systems. In Proceedings of International Conference on Cloud Security Management (ICCSM'13). Guimarães, Portugal.
  3. Bettini, C. et al., 2003. Provisions and Obligations in Policy Rule Management. Journal of Network and Systems Management, 11(3), pp.351-372.
  4. Byun, J. & Li, N., 2008. Purpose based access control for privacy protection in relational database systems. The VLDB Journal, pp.603-619.
  5. Choenni, S. et al., 2016. Privacy and security in smart data collection by citizens. In J. R. Gil-Garcia, T. A. Pardo, & T. Nam, eds. Smarter as the New Urban Agenda. Springer, pp. 349-366.
  6. Choenni, S., Dijk, J. van & Leeuw, F., 2010. Preserving privacy whilst integrating data: Applied to criminal justice. Information Polity, 15(1-2), pp.125-138.
  7. Colombo, P. & Ferrari, E., 2014. Enforcing obligations within relational database management systems. IEEE Transactions on Dependable and Secure Computing, pp.1-14.
  8. Dawes, S.S., 2010a. Information Policy Meta-Principles: Stewardship and Usefulness R. H. Sprague Jr., ed. Proceedings of the 43rd Hawaii International Conference on System Sciences (HICSS-43), pp. 1-10.
  9. Dawes, S.S., 2010b. Stewardship and usefulness: Policy principles for information-based transparency. Government Information Quarterly, 27(4), pp.377- 383.
  10. Fung, B.C.M. et al., 2010. Privacy-preserving data publishing. ACM Computing Surveys, 42(4), pp.1-53.
  11. Gama, P., Ribeiro, C. & Ferreira, P., 2006. Heimdhal: A History-based Policy Engine for Grids. In Sixth IEEE International Symposium on In Cluster Computing and the Grid (CCGRID).
  12. Hilty, M., Basin, D. & Pretschner, A., 2005. On obligations. Computer Security-ESORICS 2005, pp.98-117.
  13. Karr, A.F. et al., 2007. Secure, privacy-preserving analysis of distributed databases. Technometrics, 49(3), pp.335-345.
  14. Katt, B. et al., 2008. A general obligation model and continuity: enhanced policy enforcement engine for usage control. Proceedings of the 13th ACM symposium on Access control models and technologies (SACMAT 7808), pp.123-132.
  15. Kosinski, M., Stillwell, D. & Graepel, T., 2013. Private traits and attributes are predictable from digital records of human behavior. Proceedings of the National Academy of Sciences of the United States of America, 110(15), pp.5802-5.
  16. Laur, S., Talviste, R. & Willemson, J., 2013. From oblivious AES to efficient and secure database join in the multiparty setting. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 7954 LNCS, pp.84-101.
  17. Lazouski, A., Martinelli, F. & Mori, P., 2010. Usage control in computer security: A survey. Computer Science Review, 4(2), pp.81-99.
  18. Lopez, J., Oppliger, R. & Pernul, G., 2004. Authentication and authorization infrastructures (AAIs): a comparative survey. Computers & Security, 23(7), pp.578-590.
  19. de Montjoye, Y.-A. et al., 2013. Unique in the Crowd: The privacy bounds of human mobility. Scientific reports, 3, p.1376.
  20. Narayanan, A. & Shmatikov, V., 2008. Robust deanonymization of large sparse datasets open datasets. In IEEE Symposium on Security and Privacy (SP'08). pp. 111-125.
  21. Ni, Q., Bertino, E. & Lobo, J., 2008. An obligation model bridging access control policies and privacy policies. Proceedings of the 13th ACM symposium on Access control models and technologies - SACMAT'08, p.133.
  22. Park, J. & Sandhu, R., 2004. The UCON ABC usage control model. ACM Transactions on Information and System …, 7(1), pp.128-174.
  23. Sandhu, R. & Park, J., 2003. Usage Control?: A Vision for Next Generation Access Control. , pp.17-31.
  24. Sankar, L., Rajagopalan, S. & Poor, H., 2013. UtilityPrivacy Tradeoff in Databases: An Informationtheoretic Approach. IEEE Transactions on Information Forensics and Security, pp.1-1.
  25. Verheul, E. et al., 2016. Polymorphic Encryption and Pseudonymisation for Personalised Healthcare, Available at: https://www.semanticscholar.org/paper/PolymorphicEncryption-and-Pseudonymisation-for-VerheulJacobs/7dfce578644bc101ae4ffcd0184d2227c6d07809 .
  26. Wang, W., Ying, L. & Zhang, J., 2014. On the relation between identifiability, differential privacy and mutual-information privacy. In In 52nd IEEE Annual Allerton Conference on Communication, Control, and Computing (Allerton). pp. 1086-1092. Available at: http://arxiv.org/abs/1402.3757.
  27. Zhang, X. et al., 2005. Formal model and policy specification of usage control. ACM Transactions on Information and System Security, 8(4), pp.351-387.
Download


Paper Citation


in Harvard Style

S. Bargh M., Vink M. and choenni S. (2017). On Usage Control in Relational Database Management Systems - Obligations and Their Enforcement in Joining Datasets . In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 190-201. DOI: 10.5220/0006209801900201


in Bibtex Style

@conference{icissp17,
author={Mortaza S. Bargh and Marco Vink and sunil choenni},
title={On Usage Control in Relational Database Management Systems - Obligations and Their Enforcement in Joining Datasets},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},
year={2017},
pages={190-201},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006209801900201},
isbn={978-989-758-209-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - On Usage Control in Relational Database Management Systems - Obligations and Their Enforcement in Joining Datasets
SN - 978-989-758-209-7
AU - S. Bargh M.
AU - Vink M.
AU - choenni S.
PY - 2017
SP - 190
EP - 201
DO - 10.5220/0006209801900201