Databases Reference
In-Depth Information
not shown in the figure. Finally, a new SQL query is generated by HDB Ac-
tive Enforcement component and submitted to the database using the native
JDBC driver interfaces. In the figure, the generated query shows that patients
can opt-in or out of having their information used for research purposes. A
sub-query is used to verify the choices of individual patients in order to comply
with the policy.
Application Query
:
select
x.name, y.diagnosis
from
Patient x, Treatment y
where
x.pid=y.pid and x.state='CA'
Parse and
build QGM
select: x.name, y.diagnosis
where: x.pid=y.pid and
x.state='CA'
x
y
select: x.name, y.diagnosis
where: x.pid=y.pid and
x.state='CA'
AE
AE
Query
Transformation
x
y
Patient
Treatment
Patient
Treatment
Generate
SQL
Generated Query
:
select
x.name, y.diagnosis
from
Patient x,Treatment y
where
x.pid=y.pid and x.state='CA' and
exists (
select * from Patient_choice c
where x.pid=c.pid and
c.choice='research' and c.value='opt-in')
Fig. 3.
Query Transformation for Policy Enforcement
HDB active enforcement can also be implemented within the database
system to eliminate potential concerns about circumventing the enforcement
component [6]. With the organization shown in Figure 2, policies are enforced
provided that applications use JDBC to access the database and load the HDB
JDBC driver rather than, say, a native JDBC driver. If database interfaces
other than JDBC are used or the HDB driver is not loaded, policy enforce-
ment is bypassed altogether. Nevertheless, there are application environments
in which users only have database access through, say, a web portal supported
by a restricted set of applications all using HDB to access the database. In
such application environments, the configuration presented in Figure 2 can be
used to protect sensitive data for large classes of users. In other environments,
where all interfaces to the database must be policy-enabled to safeguard the
sensitive data, policy enforcement must be pushed down into the database
