Abstract
This work presents a case study of a migration of attribute-based access control enforcement from the application to the database tier. The proposed migration aims to improve the security and simplify the audit of the enterprise system by enforcing information protection principles of the least privileges and the least common mechanism. We explore the challenges of such migration and implement it in an industrial setting in a context of master data management where data security, privacy and audit are subject to regulatory compliance. Based on our implementation, we propose a general, standards-driven migration methodology.
Chapter PDF
Similar content being viewed by others
Keywords
References
Scott Graham, G., Denning, P.J.: Protection: Principles and Practice. In: Proceedings of the Spring Joint Computer Conference, AFIPS 1972, May 16-18, pp. 417–429. ACM, New York (1972)
Jajodia, S., Sandhu, R.: Toward a Multilevel Secure Relational Data Model. SIGMOD Rec. 20, 50–59 (1991)
Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based Access Control Models. Computer 29(2), 38–47 (1996)
Wang, L., Wijesekera, D., Jajodia, S.: A Logic-based Framework for Attribute Based Access Control. In: Proceedings of the 2004 ACM Workshop on Formal Methods in Security Engineering, FMSE 2004, pp. 45–55 (2004)
Pfleeger, C.P., Pfleeger, S.L., Safari Tech Books Online: Security in Computing, vol. 604. Prentice Hall (2007)
Kc, G.S., Keromytis, A.D., Prevelakis, V.: Countering Code-injection Attacks with Instruction-set Randomization. In: Proceedings of the 10th ACM Conference on Computer and Communications Security, pp. 272–280. ACM (2003)
United States Code. Sarbanes-Oxley Act of 2002, PL 107-204, 116 Stat 745 (2002)
Security Standards Council. PCI DSS v2.0 (2010)
Allender, M.: HIPAA compliance in the OR. Aorn Journal (2002)
Saltzer, J.H., Schroeder, M.D.: The Protection of Information in Computer Systems. Proceedings of the IEEE 63(9), 1278–1308 (1975)
Dreibelbis, A., Hechler, E., Milman, I., Oberhofer, M., van Run, P., Wolfson, D.: Enterprise Master Data Management: An SOA Approach to Managing Core Information. IBM Press (2008)
Organization for the Advancement of Structured Information Standards (OASIS), http://www.oasis-open.org/
Zeilenga, K., et al.: Lightweight directory access protocol (ldap): Technical specification road map. Technical report, RFC 4510 (June 2006)
Franzoni, S., Mazzoleni, P., Valtolina, S., Bertino, E.: Towards a Fine-Grained Access Control Model and Mechanisms for Semantic Databases. In: IEEE International Conference on Web Services, ICWS 2007, pp. 993–1000 (2007)
Rizvi, S., Mendelzon, A., Sudarshan, S., Roy, P.: Extending Query Rewriting Techniques for Fine-grained Access Control. In: Proceedings of the 2004 ACM SIGMOD International Conference on Management of Data, SIGMOD 2004, pp. 551–562 (2004)
Roichman, A., Gudes, E.: Fine-grained access control to web databases. In: Proceedings of the 12th ACM Symposium on Access Control Models and Technologies, SACMAT 2007, pp. 31–40 (2007)
Stoller, S.D.: Trust Management and Trust Negotiation in an Extension of SQL. In: Kaklamanis, C., Nielson, F. (eds.) TGC 2008. LNCS, vol. 5474, pp. 186–200. Springer, Heidelberg (2009)
De Capitani di Vimercati, S., Jajodia, S., Paraboschi, S., Samarati, P.: Trust management services in relational databases. In: Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, pp. 149–160. ACM (2007)
Chaudhuri, S., Dutta, T., Sudarshan, S.: Fine grained authorization through predicated grants. In: IEEE 23rd International Conference on Data Engineering, ICDE 2007, pp. 1174–1183. IEEE (2007)
Jahid, S., Gunter, C.A., Hoque, I., Okhravi, H.: MyABDAC: Compiling XACML Policies for Attribute-based Database Access Control. In: Proceedings of the First ACM Conference on Data and Application Security and Privacy, pp. 97–108. ACM (2011)
Karjoth, G.: Access Control with IBM Tivoli Access Manager. ACM Transactions on Information and System Security (TISSEC) 6(2), 232–257 (2003)
IBM. Tivoli Security Policy Manager (2011), http://www-01.ibm.com/software/tivoli/products/security-policy-mgr/
Axiomatics. Axiomatics Policy Server (2011), http://www.axiomatics.com/products/axiomatics-policy-server.html
SourceForge. Ladon - XACML enforcement for DB2 (2009), http://xacmlpep4db2.sourceforge.net/
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 IFIP International Federation for Information Processing
About this paper
Cite this paper
Yakovets, N., Gryz, J., Hazlewood, S., van Run, P. (2012). From MDM to DB2: A Case Study of Security Enforcement Migration. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds) Data and Applications Security and Privacy XXVI. DBSec 2012. Lecture Notes in Computer Science, vol 7371. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31540-4_16
Download citation
DOI: https://doi.org/10.1007/978-3-642-31540-4_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-31539-8
Online ISBN: 978-3-642-31540-4
eBook Packages: Computer ScienceComputer Science (R0)