Efficient audit-based compliance for relational data retention

Hasan, Ragib; Winslett, Marianne

doi:10.1145/1966913.1966944

Cited by 12 publications

(9 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The problem of predicting and encoding all permissible requests has been recognised in an a posteriori compliance control model [Etalle and Winsborough 2007] and an audit-based access control model [Cederquist et al 2007;Hasan and Winslett 2011]. These models allow access to take place but retrospectively check to determine whether it conforms to policy.…”

Section: Related Workmentioning

confidence: 99%

Rumpole

Marinovic

Dulay

Sloman

2014

ACM Trans. Inf. Syst. Secur.

View full text Add to dashboard Cite

Access control policies define what resources can be accessed by which subjects and under which conditions. It is, however, often not possible to anticipate all subjects that should be permitted access and the conditions under which they should be permitted. For example, predicting and correctly encoding all emergency and exceptional situations is impractical. Traditional access control models simply deny all requests that are not permitted, and in doing so may cause unpredictable and unacceptable consequences. To overcome this issue, break-glass access control models permit a subject to override an access control denial if he accepts a set of obligatory actions and certain override conditions are met. Existing break-glass models are limited in how the override decision is specified. They either grant overrides for a predefined set of exceptional situations, or they grant unlimited overrides to selected subjects, and as such, they suffer from the difficulty of correctly encoding and predicting all override situations and permissions. To address this, we develop Rumpole, a novel break-glass language that explicitly represents and infers knowledge gaps and knowledge conflicts about the subject's attributes and the contextual conditions, such as emergencies. For example, a Rumpole policy can distinguish whether or not it is known that an emergency holds. This leads to a more informed decision for an override request, whereas current break-glass languages simply assume that there is no emergency if the evidence for it is missing. To formally define Rumpole, we construct a novel many-valued logic programming language called Beagle. It has a simple syntax similar to that of Datalog, and its semantics is an extension of Fitting's bilattice-based semantics for logic programs. Beagle is a knowledge non-monotonic langauge, and as such, is strictly more expressive than current many-valued logic programming languages.

show abstract

Section: Related Workmentioning

confidence: 99%

Rumpole

Marinovic

Dulay

Sloman

2014

ACM Trans. Inf. Syst. Secur.

View full text Add to dashboard Cite

show abstract

“…A more efficient architecture is the transaction log on WORM (TLOW) approach for supporting long-term immutability of relational tuples [Hasan and Winslett 2011]. TLOW stores the current database instance in ordinary storage and the transaction log on WORM storage, while dispensing with the compliance log altogether.…”

Section: Related Workmentioning

confidence: 99%

Generalizing database forensics

Pavlou

Snodgrass

2013

ACM Trans. Database Syst.

View full text Add to dashboard Cite

In this article we present refinements on previously proposed approaches to forensic analysis of database tampering. We significantly generalize the basic structure of these algorithms to admit new characterizations of the "where" axis of the corruption diagram. Specifically, we introduce page-based partitioning as well as attribute-based partitioning along with their associated corruption diagrams. We compare the structure of all the forensic analysis algorithms and discuss the various design choices available with respect to forensic analysis. We characterize the forensic cost of the newly introduced algorithms, compare their forensic cost, and give our recommendations.We then introduce a comprehensive taxonomy of the types of possible corruption events, along with an associated forensic analysis protocol that consolidates all extant forensic algorithms and the corresponding type(s) of corruption events they detect. The result is a generalization of these algorithms and an overarching characterization of the process of database forensic analysis, thus providing a context within the overall operation of a DBMS for all existing forensic analysis algorithms.

show abstract

“…These techniques are also insufficient for a DUM because they often protect privacy by limiting data access too much, hence affecting its utility [22]. Finally, auditing systems [6,14,13,10] are designed to detect data misuses after the fact, which is in contrast to the DUM which works both in an online and offline settings. Triggers [19] are inadequate since they only apply to DML statements (all our example policies are non-DML statements) and can not validate policies across multiple databases.…”

Section: Related Workmentioning

confidence: 99%

The power of data use management in action

Upadhyaya

Anderson

Balazinska

et al. 2013

Proceedings of the 2013 ACM SIGMOD International Conference on Management of Data

View full text Add to dashboard Cite

In this demonstration, we show-case a database management system extended with a new type of component that we call a Data Use Manager (DUM). The DUM enables DBAs to attach policies to data loaded into the DBMS. It then monitors how users query the data, flags potential policy violations, recommends possible fixes, and supports offline analysis of user activities related to data policies. The demonstration uses real healthcare data.

show abstract

Efficient audit-based compliance for relational data retention

Cited by 12 publications

References 22 publications

Rumpole

Rumpole

Generalizing database forensics

The power of data use management in action

Contact Info

Product

Resources

About