DOI: 10.1145/1755688.1755690 (research-article)

Data protection in outsourcing scenarios: issues and directions

Published: 13 April 2010

ABSTRACT

Data outsourcing is an emerging paradigm that allows users and companies to give their (potentially sensitive) data to external servers that then become responsible for their storage, management, and dissemination. Although data outsourcing provides many benefits, especially for parties with limited resources for managing an ever-increasing amount of data, it introduces new privacy and security concerns. In this paper we discuss the main privacy issues to be addressed in data outsourcing, ranging from data confidentiality to data utility. We then illustrate the main research directions being investigated for providing effective protection for externally stored data and for enabling its querying.


Published in

ASIACCS '10: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
April 2010, 363 pages
ISBN: 9781605589367
DOI: 10.1145/1755688

Copyright © 2010 ACM

Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance Rates

ASIACCS '10 paper acceptance rate: 25 of 166 submissions, 15%. Overall acceptance rate: 418 of 2,322 submissions, 18%.
