Controlled Query Evaluation Enforcing Privacy-Policy for Safe and Efficient Data Sharing : 안전하고 효율적인 데이터 공유를 위한 개인 보호 정책 기반의 질의 평가 및 제어

Authors

Jo, Insoon

Advisor
염헌영 (Heon Young Yeom)
Major
College of Engineering, Department of Computer Science and Engineering
Issue Date
2013-02
Publisher
Seoul National University Graduate School
Keywords
Privacy; Fine-Grained Access Control; Policy Enforcement; Query Evaluation; Database; Data Warehouse System for Hadoop
Description
Doctoral dissertation, Seoul National University Graduate School, Department of Computer Science and Engineering, February 2013. Advisor: 염헌영 (Heon Young Yeom).
Abstract
With the growth in information access comes the challenge of maintaining privacy and security for sensitive data held in shared data storage. For instance, the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act penalize organizations that fail to take measures to protect the privacy of patient data, even if the organization was unaware of such a duty. An efficient mechanism for fine-grained access control (FGAC) on such data is therefore needed. Current techniques, however, risk either revealing too much information or returning incorrect answers to aggregate queries.

This dissertation targets data warehouse systems that use SQL and aims for a generic approach that safeguards the sensitive information stored in them while still providing reasonably accurate query answers. It proposes improvements by considering properties of good security and defining levels of information revelation, and then develops an algorithm that evaluates user queries against a privacy policy. We assume that a policy contains at least one rule and that both rules and queries are written in SQL. A user query is evaluated against the rules in the policy one after another. If the algorithm finds a rule with which the query is compliant, it stops and accepts the query as it is. Otherwise it either rejects or rewrites the query, depending on the configuration. For each rule in a policy, the rule's attributes are classified into four categories; these represent different levels of information revelation, are designed to prevent inference attacks, and are used to decide a query's compliance with the rule. For a query to be compliant with a given rule, every attribute of the query must be allowed by the rule, and whether an attribute is permitted is determined by the category it belongs to. If no rule in the policy allows all attributes of the query, the algorithm either rejects the query or rewrites it. For rewriting, it chooses the rule with which the query is more compliant than with any other rule in the policy, and rewrites the query so that it becomes compliant with the chosen rule.

We built prototypes of privacy-policy enforcement on two typical data warehouse systems: a database management system (DBMS) and a Hadoop-based query engine. Traditionally a DBMS has maintained large amounts of information and supported efficient processing of it, but the rapid growth of the data sets being collected and analyzed has pushed it into limits on scalability and processing time. Cloud computing has come to the fore as a promising way to process huge amounts of data efficiently, and data warehouse systems in the cloud support SQL, both to offer a familiar programming model to existing users and to ease the burden of writing queries. Evaluation of the prototype systems shows that the overhead of our privacy-policy enforcement is small and scales well with typical query sizes.
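The evaluation loop the abstract describes (try each rule in order, accept on the first compliant rule, otherwise reject or rewrite against the most compliant rule), written out as an added illustration. This is not code from the dissertation or its DBMS/Hadoop prototypes. Everything beyond the abstract's description is an assumption of this example: the four category names (OPEN, AGGREGATE_ONLY, PREDICATE_ONLY, HIDDEN), the "more compliant" measure (count of permitted attribute usages), the reduced query representation in place of real SQL parsing, and the constructed patients table and policy.

```python
from dataclasses import dataclass, field

# Assumed category names: the dissertation defines four revelation levels per
# rule but this page does not name them, so these labels are this example's own.
OPEN = "open"                  # attribute may appear anywhere in a query
AGGREGATE_ONLY = "aggregate"   # only inside an aggregate function (SUM, COUNT, ...)
PREDICATE_ONLY = "predicate"   # only in a WHERE condition, never returned
HIDDEN = "hidden"              # may not be referenced at all (default if unlisted)

# the ways a query can use an attribute
USAGE_OUTPUT, USAGE_AGG, USAGE_PRED = "output", "agg", "pred"

# what each category permits, per usage kind
PERMITS = {
    OPEN: {USAGE_OUTPUT, USAGE_AGG, USAGE_PRED},
    AGGREGATE_ONLY: {USAGE_AGG},
    PREDICATE_ONLY: {USAGE_PRED},
    HIDDEN: set(),
}


@dataclass
class Query:
    """A SQL query reduced to the attribute usages the policy check needs."""
    table: str
    output: list = field(default_factory=list)      # projected columns
    aggregates: list = field(default_factory=list)  # (function, column)
    predicates: list = field(default_factory=list)  # (column, operator, literal)

    def usages(self):
        """Every (attribute, usage-kind) pair the query references."""
        return ([(a, USAGE_OUTPUT) for a in self.output]
                + [(c, USAGE_AGG) for _, c in self.aggregates]
                + [(c, USAGE_PRED) for c, _, _ in self.predicates])

    def to_sql(self):
        cols = self.output + [f"{fn}({c})" for fn, c in self.aggregates]
        sql = f"SELECT {', '.join(cols)} FROM {self.table}"
        if self.predicates:
            sql += " WHERE " + " AND ".join(f"{c} {op} {lit}" for c, op, lit in self.predicates)
        if self.aggregates and self.output:
            sql += " GROUP BY " + ", ".join(self.output)
        return sql


def permitted(rule, attr, usage):
    """A rule is a dict attribute -> category; unlisted attributes are HIDDEN."""
    return usage in PERMITS[rule.get(attr, HIDDEN)]


def is_compliant(query, rule):
    return all(permitted(rule, a, u) for a, u in query.usages())


def compliance_score(query, rule):
    """Assumed 'more compliant' measure: number of permitted attribute usages."""
    return sum(permitted(rule, a, u) for a, u in query.usages())


def rewrite(query, rule):
    """Drop every attribute usage the chosen rule does not permit."""
    return Query(
        table=query.table,
        output=[a for a in query.output if permitted(rule, a, USAGE_OUTPUT)],
        aggregates=[(fn, c) for fn, c in query.aggregates if permitted(rule, c, USAGE_AGG)],
        predicates=[p for p in query.predicates if permitted(rule, p[0], USAGE_PRED)],
    )


def evaluate(query, policy, on_violation="rewrite"):
    """Return (verdict, query): 'accept' as-is, 'reject', or 'rewrite' with the new query."""
    if not policy:
        raise ValueError("a policy must contain at least one rule")
    for rule in policy:                      # rules are tried one after another
        if is_compliant(query, rule):
            return "accept", query           # first compliant rule wins
    if on_violation == "reject":
        return "reject", None
    best = max(policy, key=lambda r: compliance_score(query, r))  # ties: earliest rule
    new = rewrite(query, best)
    if not new.output and not new.aggregates:  # nothing answerable is left
        return "reject", None
    return "rewrite", new


# Constructed sample policy over a hypothetical patients table.
RULE_ANALYST = {"zip": OPEN, "diagnosis": OPEN, "cost": AGGREGATE_ONLY}
RULE_BILLING = {"patient_id": OPEN, "cost": OPEN, "diagnosis": PREDICATE_ONLY}
POLICY = [RULE_ANALYST, RULE_BILLING]

FLU_COST_BY_ZIP = Query("patients", output=["zip"], aggregates=[("SUM", "cost")],
                        predicates=[("diagnosis", "=", "'flu'")])
FLU_COST_BY_NAME = Query("patients", output=["name", "zip"], aggregates=[("SUM", "cost")],
                         predicates=[("diagnosis", "=", "'flu'")])

if __name__ == "__main__":
    for q in (FLU_COST_BY_ZIP, FLU_COST_BY_NAME):
        verdict, out = evaluate(q, POLICY)
        print(q.to_sql(), "->", verdict, "->", out.to_sql() if out else None)
```

Two points worth checking before trusting a rewrite like this in practice. First, dropping a WHERE predicate on a forbidden attribute widens the result set rather than narrowing it, so the rewritten query answers a different question than the user asked; a deployment may prefer to reject on predicate violations and rewrite only on projection violations. Second, the compliance score breaks ties in policy order, so the order in which rules are listed decides which rule shapes the rewritten query.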
Language
English
URI
https://hdl.handle.net/10371/119991