Databases Reference
In-Depth Information
data warehouses may lead to losses of information that translate into financial
losses or losses whose values are obviously high but dicult to quantify (for
example, national security).
Unlike in traditional databases, information stored in data warehouses is
typically accessed through decision support systems, such as OLAP systems.
OLAP systems help analysts to gain insights to different perspectives of large
amounts of data stored in a data warehouse. Due to the sheer volume of data,
OLAP systems heavily depend on aggregates of data in order to hide in-
significant details and hence to accentuate global patterns and trends. As the
underlying data model, a data cube [15] can nicely organize multi-dimensional
aggregates formulated by dimension hierarchies. Although security breaches
in a data warehouse are possible in many ways, the most challenging threat is
from insiders who have legitimate accesses to data through OLAP queries. Un-
fortunately, most of today's OLAP systems lack effective security measures to
safeguard the data accessed through them. Existing security mechanisms can
at best alleviate security breaches but cannot completely remove the threat.
Data sanitization
has long been recognized as insucient for protecting sen-
sitive data by itself due to potential linking attacks [24].
Access control
tech-
niques, although mature in traditional data management systems, are usually
not directly applicable to OLAP systems and data warehouses due to the
difference in data models.
Moreover, OLAP systems and underlying data warehouses are especially
vulnerable to indirect
inferences
of protected data. The aggregation process
used by OLAP systems does not completely destroy sensitive information. The
remaining vestiges of sensitive information, together with knowledge obtained
through out of bound channels, can cause disclosures of such information.
Although studied since 1970s in statistical databases,
inference control
for
on-line systems is largely regarded as impractical due to its negative-in-tone
complexity results [7]. Most restriction-based inference control methods adopt
a
detecting-then-removing
approach. The detection of inferences must take
into accounts all combinations of answered queries, which implies complicated
on-line computations and constant bookkeeping of queries. Even at such a
high cost, each method usually applies to only a few unrealistically simplified
cases, such as with only one aggregation type. These facts partially explain
why inference control is absent in most commercial OLAP systems. On the
other hand, off-line inference control methods have long been used in releasing
census tables, which demonstrates that the threat of inferences is real.
This chapter starts by demonstrating the security threat to data ware-
houses caused by inferences using OLAP queries. Various requirements in
designing security measures for such systems are discussed. Armed with this
understanding, the chapter then takes steps to meet the stated requirements.
Two efforts in extending existing inference control methods to the special
setting of OLAP systems are reviewed. The results show that the threat of
unauthorized accesses and indirect inferences known in relational databases
is still possible even when users are restricted to OLAP queries. Although im-
