2,547 research outputs found
Hierarchical Role-Based Access Control with Homomorphic Encryption for Database as a Service
Database as a service provides services for accessing and managing customers
data which provides ease of access, and the cost is less for these services.
There is a possibility that the DBaaS service provider may not be trusted, and
data may be stored on untrusted server. The access control mechanism can
restrict users from unauthorized access, but in cloud environment access
control policies are more flexible. However, an attacker can gather sensitive
information for a malicious purpose by abusing the privileges as another user
and so database security is compromised. The other problems associated with the
DBaaS are to manage role hierarchy and secure session management for query
transaction in the database. In this paper, a role-based access control for the
multitenant database with role hierarchy is proposed. The query is granted with
least access privileges, and a session key is used for session management. The
proposed work protects data from privilege escalation and SQL injection. It
uses the partial homomorphic encryption (Paillier Encryption) for the
encrypting the sensitive data. If a query is to perform any operation on
sensitive data, then extra permissions are required for accessing sensitive
data. Data confidentiality and integrity are achieved using the role-based
access control with partial homomorphic encryption.Comment: 11 Pages,4 figures, Proceedings of International Conference on ICT
for Sustainable Developmen
ESPOON: Enforcing Security Policies In Outsourced Environments
Data outsourcing is a growing business model offering services to individuals
and enterprises for processing and storing a huge amount of data. It is not
only economical but also promises higher availability, scalability, and more
effective quality of service than in-house solutions. Despite all its benefits,
data outsourcing raises serious security concerns for preserving data
confidentiality. There are solutions for preserving confidentiality of data
while supporting search on the data stored in outsourced environments. However,
such solutions do not support access policies to regulate access to a
particular subset of the stored data.
For complex user management, large enterprises employ Role-Based Access
Controls (RBAC) models for making access decisions based on the role in which a
user is active in. However, RBAC models cannot be deployed in outsourced
environments as they rely on trusted infrastructure in order to regulate access
to the data. The deployment of RBAC models may reveal private information about
sensitive data they aim to protect. In this paper, we aim at filling this gap
by proposing \textbf{} for enforcing RBAC policies in
outsourced environments. enforces RBAC policies in an
encrypted manner where a curious service provider may learn a very limited
information about RBAC policies. We have implemented
and provided its performance evaluation showing a limited overhead, thus
confirming viability of our approach.Comment: The final version of this paper has been accepted for publication in
Elsevier Computers & Security 2013. arXiv admin note: text overlap with
arXiv:1306.482
Towards Software-Defined Data Protection: GDPR Compliance at the Storage Layer is Within Reach
Enforcing data protection and privacy rules within large data processing
applications is becoming increasingly important, especially in the light of
GDPR and similar regulatory frameworks. Most modern data processing happens on
top of a distributed storage layer, and securing this layer against accidental
or malicious misuse is crucial to ensuring global privacy guarantees. However,
the performance overhead and the additional complexity for this is often
assumed to be significant -- in this work we describe a path forward that
tackles both challenges. We propose "Software-Defined Data Protection" (SDP),
an adoption of the "Software-Defined Storage" approach to non-performance
aspects: a trusted controller translates company and application-specific
policies to a set of rules deployed on the storage nodes. These, in turn, apply
the rules at line-rate but do not take any decisions on their own. Such an
approach decouples often changing policies from request-level enforcement and
allows storage nodes to implement the latter more efficiently.
Even though in-storage processing brings challenges, mainly because it can
jeopardize line-rate processing, we argue that today's Smart Storage solutions
can already implement the required functionality, thanks to the separation of
concerns introduced by SDP. We highlight the challenges that remain, especially
that of trusting the storage nodes. These need to be tackled before we can
reach widespread adoption in cloud environments
Privacy Preserving Enforcement of Sensitive Policies in Outsourced and Distributed Environments
The enforcement of sensitive policies in untrusted environments is still an
open challenge for policy-based systems. On the one hand, taking any
appropriate security decision requires access to these policies. On the other
hand, if such access is allowed in an untrusted environment then confidential
information might be leaked by the policies. The key challenge is how to
enforce sensitive policies and protect content in untrusted environments. In
the context of untrusted environments, we mainly distinguish between outsourced
and distributed environments. The most attractive paradigms concerning
outsourced and distributed environments are cloud computing and opportunistic
networks, respectively.
In this dissertation, we present the design, technical and implementation
details of our proposed policy-based access control mechanisms for untrusted
environments. First of all, we provide full confidentiality of access policies
in outsourced environments, where service providers do not learn private
information about policies. We support expressive policies and take into
account contextual information. The system entities do not share any encryption
keys. For complex user management, we offer the full-fledged Role-Based Access
Control (RBAC) policies.
In opportunistic networks, we protect content by specifying expressive
policies. In our proposed approach, brokers match subscriptions against
policies associated with content without compromising privacy of subscribers.
As a result, unauthorised brokers neither gain access to content nor learn
policies and authorised nodes gain access only if they satisfy policies
specified by publishers. Our proposed system provides scalable key management
in which loosely-coupled publishers and subscribers communicate without any
prior contact. Finally, we have developed a prototype of the system that runs
on real smartphones and analysed its performance.Comment: Ph.D. Dissertation. http://eprints-phd.biblio.unitn.it/1124
Software-Defined Data Protection: Low Overhead Policy Compliance at the Storage Layer is Within Reach!
Most modern data processing pipelines run on top of a distributed storage layer, and securing the whole system, and the storage layer in particular, against accidental or malicious misuse is crucial to ensuring compliance to rules and regulations. Enforcing data protection and privacy rules, however, stands at odds with the requirement to achieve higher and higher access bandwidths and processing rates in large data processing pipelines. In this work we describe our proposal for the path forward that reconciles the two goals. We call our approach "Software-Defined Data Protection" (SDP). Its premise is simple, yet powerful: decoupling often changing policies from request-level enforcement allows distributed smart storage nodes to implement the latter at line-rate. Existing and future data protection frameworks can be translated to the same hardware interface which allows storage nodes to offload enforcement efficiently both for company-specific rules and regulations, such as GDPR or CCPA. While SDP is a promising approach, there are several remaining challenges to making this vision reality. As we explain in the paper, overcoming these will require collaboration across several domains, including security, databases and specialized hardware design
- …