2 research outputs found

    Access Control for Data Integration in Presence of Data Dependencies

    Defining access control policies in a data integration scenario is a challenging task. In such a scenario typically each source specifies its local access control policy and cannot anticipate data inferences that can arise when data is integrated at the mediator level. Inferences, e.g., using functional dependencies, can allow malicious users to obtain, at the mediator level, prohibited information by linking multiple queries and thus violating the local policies. In this paper, we propose a framework, i.e., a methodology and a set of algorithms, to prevent such violations. First, we use a graph-based approach to identify sets of queries, called violating transactions, and then we propose an approach to forbid the execution of those transactions by identifying additional access control rules that should be added to the mediator. We also state the complexity of the algorithms and discuss a set of experiments we conducted by using both real and synthetic datasets. Tests also confirm the complexity and upper bounds in worst-case scenarios of the proposed algorithms.

    Cloud Computing in the health sector

    This essay discusses cloud computing technology, with specific reference to the private and public healthcare sector. The methodology we have applied is an interdisciplinary approach between information science and law. The work is divided into six parts: the first two are mainly dedicated to the information-science aspects of cloud computing; the third illustrates the adoption of this technology by the Public Administration as an instrument of e-health; the fourth considers the advantages and critical points of cloud computing, with specific reference to data protection regulation; the fifth analyzes the contractual aspects of the arrangements most frequently used, in commercial practice, for providing cloud services; and, lastly, the sixth presents some Italian examples of excellence and use cases, both private and public, of adopting the above-mentioned technology. The exposition covers the most recent developments in legislation and case law, including EU Regulation 2016/679, issued on April 27th 2016, and the judgment of the Court of Justice of the European Union that invalidated the “Safe Harbour” agreement. Furthermore, we have presented the more technical rules contained in the new 27018 standard published by ISO for cloud providers.