Purpose and consent enforcement in DBMS
Resumo
Nowadays, personal data is subject to laws and regulations that oblige data holders to ensure proper compliance with users’ consent regarding how their data should be used. Existing tools in the DBMS, like RBAC/FGAC, can accomplish some level of control over data. However, they cannot model and correctly apply the required and desired restrictions, bringing this theme to a resurgence. In this tutorial, we explore a timeline of approaches to solve purpose-based access control and compare recent works over a common baseline to assert strong and weak points and suggest new research topics on this theme.
Palavras-chave:
DBMS, compliance
Referências
Agrawal, R., Bird, P., Grandison, T., Kiernan, J., Logan, S., and Rjaibi, W. (2005). Extending relational database systems to automatically enforce privacy policies. In ICDE, pages 1013–1022. IEEE Computer Society.
Agrawal, R., Kiernan, J., Srikant, R., and Xu, Y. (2002). Hippocratic databases. In VLDB, pages 143–154. Morgan Kaufmann.
Byun, J. and Li, N. (2008). Purpose based access control for privacy protection in relational database systems. VLDB J., 17(4):603–619.
Konstantinidis, G., Holt, J., and Chapman, A. (2021). Enabling personal consent in databases. Proc. VLDB Endow., 15(2):375–387.
Kraska, T., Stonebraker, M., Brodie, M. L., Servan-Schreiber, S., and Weitzner, D. J. (2019). Schengendb: A data protection database proposal. In Poly/DMAH@VLDB, volume 11721 of Lecture Notes in Computer Science, pages 24–38. Springer.
Machado, J. C. and Amora, P. R. P. (2021). The impact of privacy regulations on DB systems. J. Inf. Data Manag., 12(5).
Pappachan, P., Yus, R., Mehrotra, S., and Freytag, J. (2020). Sieve: A middleware approach to scalable access control for database management systems. Proc. VLDB Endow., 13(11):2424–2437.
Pappachan, P., Zhang, S., He, X., and Mehrotra, S. (2022). Don’t be a tattle-tale: Preventing leakages through data dependencies on access control protected data. Proc. VLDB Endow., 15(11):2437–2449.
Praciano, F. D. B. S., Amora, P. R. P., Abreu, I. C., and Machado, J. C. (2022). Purpose scan: A purpose-aware access method. In Poly/DMAH@VLDB, volume 13814 of Lecture Notes in Computer Science, pages 24–36. Springer.
Schwarzkopf, M., Kohler, E., Kaashoek, M. F., and Morris, R. T. (2019). Position: GDPR compliance by construction. In Poly/DMAH@VLDB, volume 11721 of Lecture Notes in Computer Science, pages 39–53. Springer.
Shastri, S., Banakar, V., Wasserman, M., Kumar, A., and Chidambaram, V. (2020). Understanding and benchmarking the impact of GDPR on database systems. Proc. VLDB Endow., 13(7):1064–1077.
Ítalo de Abreu, Praciano, F., Amora, P., and Machado, J. (2021). ConSQL: Consentimentos em SQL para o processamento de consultas orientado a propósitos. In Anais Estendidos do XXXVI Simpósio Brasileiro de Bancos de Dados, pages 8–14. SBC.
Agrawal, R., Kiernan, J., Srikant, R., and Xu, Y. (2002). Hippocratic databases. In VLDB, pages 143–154. Morgan Kaufmann.
Byun, J. and Li, N. (2008). Purpose based access control for privacy protection in relational database systems. VLDB J., 17(4):603–619.
Konstantinidis, G., Holt, J., and Chapman, A. (2021). Enabling personal consent in databases. Proc. VLDB Endow., 15(2):375–387.
Kraska, T., Stonebraker, M., Brodie, M. L., Servan-Schreiber, S., and Weitzner, D. J. (2019). Schengendb: A data protection database proposal. In Poly/DMAH@VLDB, volume 11721 of Lecture Notes in Computer Science, pages 24–38. Springer.
Machado, J. C. and Amora, P. R. P. (2021). The impact of privacy regulations on DB systems. J. Inf. Data Manag., 12(5).
Pappachan, P., Yus, R., Mehrotra, S., and Freytag, J. (2020). Sieve: A middleware approach to scalable access control for database management systems. Proc. VLDB Endow., 13(11):2424–2437.
Pappachan, P., Zhang, S., He, X., and Mehrotra, S. (2022). Don’t be a tattle-tale: Preventing leakages through data dependencies on access control protected data. Proc. VLDB Endow., 15(11):2437–2449.
Praciano, F. D. B. S., Amora, P. R. P., Abreu, I. C., and Machado, J. C. (2022). Purpose scan: A purpose-aware access method. In Poly/DMAH@VLDB, volume 13814 of Lecture Notes in Computer Science, pages 24–36. Springer.
Schwarzkopf, M., Kohler, E., Kaashoek, M. F., and Morris, R. T. (2019). Position: GDPR compliance by construction. In Poly/DMAH@VLDB, volume 11721 of Lecture Notes in Computer Science, pages 39–53. Springer.
Shastri, S., Banakar, V., Wasserman, M., Kumar, A., and Chidambaram, V. (2020). Understanding and benchmarking the impact of GDPR on database systems. Proc. VLDB Endow., 13(7):1064–1077.
Ítalo de Abreu, Praciano, F., Amora, P., and Machado, J. (2021). ConSQL: Consentimentos em SQL para o processamento de consultas orientado a propósitos. In Anais Estendidos do XXXVI Simpósio Brasileiro de Bancos de Dados, pages 8–14. SBC.
Publicado
14/10/2024
Como Citar
MACHADO, Javam; AMORA, Paulo; PRACIANO, Francisco D. B. S..
Purpose and consent enforcement in DBMS. In: TUTORIAIS - SIMPÓSIO BRASILEIRO DE BANCO DE DADOS (SBBD), 39. , 2024, Florianópolis/SC.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2024
.
p. 172-175.
DOI: https://doi.org/10.5753/sbbd_estendido.2024.tutorial1.
