In the last few years, the wide availability of computational and storage resources at low prices has substantially changed the way in which data are managed, stored, and disseminated. As testified by the growing success of data outsourcing, cloud computing, and services for sharing personal information (e.g., Flickr, YouTube, Facebook), both individuals and companies are more and more resorting to external third parties for the management, storage, and (possibly selective) dissemination of their data. This practice has several advantages with respect to the in-house management of the data. First, the data owner needs neither to buy expensive hardware and software licenses nor to hire skilled personnel for managing her data, thus having economic advantages. Second, the external server guarantees high data availability and highly effective disaster protection. Third, even private individuals can take advantage of the avant-garde hardware and software resources made available by providers to store, elaborate, and widely disseminate large data collections (e.g., multimedia files). The main problem of this outsourcing trend is that the data owner loses control over her data, thus increasing security and privacy risks. Indeed, the data stored at an external server may include sensitive information that the external server (or users accessing them) is not allowed to read. The specific security and privacy issues that need to be considered vary depending on the main goal for which the data owner provides her data to a third party. In particular, we identify two scenarios: a data outsourcing scenario where the data owner delegates the management and storage of a data collection, possibly including sensitive information that can be selectively accessed by authorized users, to a honest-but-curious external server; and a data publishing scenario where the data owner delegates the storage of a data collection to an external server for its public dissemination. An honest-but-curious server is typically trusted to properly manage the data and make them available when needed, but it may not be trusted by the data owner to read data content. Both these scenarios are characterized by the interactions among four parties: data owner, an organization (or an individual) who outsources her data to an external server; user, an individual who can access the data; client, the user’s front-end in charge of translating access requests formulated by the user in equivalent requests operating on the outsourced data; and server, the external third party that stores and manages the data.
Database security and privacy / S. De Capitani di Vimercati, S. Foresti, S. Jajodia, P. Samarati - In: Computing handbook : information systems and information technology / [a cura di] H. Topi, A. Tucker. - Riedizione. - New York : Chapman and Hall/CRC, 2014. - ISBN 9781439898543. - pp. 1-21
Database security and privacy
S. De Capitani di Vimercati;S. Foresti;P. Samarati
2014
Abstract
In the last few years, the wide availability of computational and storage resources at low prices has substantially changed the way in which data are managed, stored, and disseminated. As testified by the growing success of data outsourcing, cloud computing, and services for sharing personal information (e.g., Flickr, YouTube, Facebook), both individuals and companies are more and more resorting to external third parties for the management, storage, and (possibly selective) dissemination of their data. This practice has several advantages with respect to the in-house management of the data. First, the data owner needs neither to buy expensive hardware and software licenses nor to hire skilled personnel for managing her data, thus having economic advantages. Second, the external server guarantees high data availability and highly effective disaster protection. Third, even private individuals can take advantage of the avant-garde hardware and software resources made available by providers to store, elaborate, and widely disseminate large data collections (e.g., multimedia files). The main problem of this outsourcing trend is that the data owner loses control over her data, thus increasing security and privacy risks. Indeed, the data stored at an external server may include sensitive information that the external server (or users accessing them) is not allowed to read. The specific security and privacy issues that need to be considered vary depending on the main goal for which the data owner provides her data to a third party. In particular, we identify two scenarios: a data outsourcing scenario where the data owner delegates the management and storage of a data collection, possibly including sensitive information that can be selectively accessed by authorized users, to a honest-but-curious external server; and a data publishing scenario where the data owner delegates the storage of a data collection to an external server for its public dissemination. An honest-but-curious server is typically trusted to properly manage the data and make them available when needed, but it may not be trusted by the data owner to read data content. Both these scenarios are characterized by the interactions among four parties: data owner, an organization (or an individual) who outsources her data to an external server; user, an individual who can access the data; client, the user’s front-end in charge of translating access requests formulated by the user in equivalent requests operating on the outsourced data; and server, the external third party that stores and manages the data.
Pubblicazioni consigliate
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
