because it would wrongly suggest to the officer that there are no friendly forces
in the building. Rather, it would be preferable to deny the officer's query by
suggesting that he is not authorized to view the results. This would prevent
the officer from accessing prohibited information without returning inaccurate
or incomplete results.
In other situations, filtering is more appropriate than denial. Suppose that
a military officer would like to determine the safest path into a particular
town, so he would like to know the current locations of all friendly and enemy
forces within a ten mile radius of the town. Within this radius are covert
friendly operatives that exceed the officer's clearance level. In this situation,
the system should not broadly deny the officer's query, rather it should filter
the results to remove the locations of the covert operatives, but return the
locations of all other forces. Here, filtering is preferable because it would not
mislead the officer into taking inappropriate action due to incomplete query
results. To handle these types of situations, database access controls should
support both filter and deny semantics depending on the context of the query.
Rosenthal and Winslett originally highlighted this problem [20]. Ager, et al.
proposed an initial solution to integrate filter and deny semantics involving
policy scoping rules [21]. Miklau and Suciu have proposed a database instance
independent approach to prevent disclosure on the basis of the query and
the policies, regardless of the information that exists in the database [22].
However, Miklau and Suciu determined that discerning whether a particular
query violates a policy rule for all possible database instances is an intractable
problem [22].
Future HDB systems should seamlessly support both filter and deny semantics in an efficient manner.
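As an added illustration, not code from the original text, the following Python model shows an access-control layer that picks deny or filter semantics from the declared purpose of a query; the unit rows, clearance levels and purpose-to-semantics policy table are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass(frozen=True)
class Unit:
    name: str
    faction: str      # "friendly" or "enemy"
    location: str
    clearance: int    # minimum clearance needed to see this row

# Constructed sample rows (hypothetical; not from the original text)
UNITS = [
    Unit("1st platoon", "friendly", "building A", 1),
    Unit("covert team", "friendly", "building A", 3),
    Unit("enemy patrol", "enemy", "ridge north", 1),
    Unit("covert operative", "friendly", "town outskirts", 3),
]

# Hypothetical policy scoping table: which semantics each query purpose gets.
# An occupancy check must never silently omit rows (deny); route planning
# must still return everything the requester is allowed to see (filter).
POLICY = {"occupancy-check": "deny", "route-planning": "filter"}

@dataclass(frozen=True)
class Result:
    denied: bool
    rows: List[Unit]
    reason: Optional[str] = None

def run_query(rows: List[Unit], predicate: Callable[[Unit], bool],
              clearance: int, semantics: str) -> Result:
    """Evaluate predicate over rows under "deny" or "filter" semantics."""
    matched = [r for r in rows if predicate(r)]
    hidden = [r for r in matched if r.clearance > clearance]
    if semantics == "deny":
        # Refuse the whole query if any matching row is above the clearance,
        # so the caller cannot infer an empty or incomplete answer.
        if hidden:
            return Result(denied=True, rows=[], reason="not authorized")
        return Result(denied=False, rows=matched)
    if semantics == "filter":
        # Drop only the rows the requester may not see; return the rest.
        return Result(denied=False, rows=[r for r in matched if r not in hidden])
    raise ValueError(f"unknown semantics: {semantics}")

def answer(purpose: str, predicate: Callable[[Unit], bool], clearance: int) -> Result:
    """Dispatch a query to the semantics that the policy assigns to its purpose."""
    return run_query(UNITS, predicate, clearance, POLICY[purpose])
```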
Limited Retention. Another key principle of a Hippocratic database
is that personal information should be kept for only as long as necessary to
accomplish its intended purpose. Enterprises should comply with their own
privacy policies, applicable legal regulations, and individual consents regarding the purposes for which they may use information and the duration for
which they may keep information. Ananthanarayanan, et al. have explored
how to automatically enforce policies related to handling personal information, and resolve conflicts among different policy obligations applicable to the
same information [23]. However, in certain instances, an individual may want
his or her information removed from a database after the enterprise has accomplished the purpose for which the information was collected. At the same
time, there may be regulatory mandates that state that particular classes
of documents must be retained for specific periods of time. Both (seemingly
conflicting) requirements must be met by future systems. Obviously, there
remains a significant research challenge in designing database systems that
can entirely remove information, even beyond the point of recovery, without
affecting their ability to recover non-expired information [2].