8.0 Granular Access Control
There are two sides to any access control solution. The first is restricting data and
operations from users who should not have access, and the second is granting access
to users who should have access. Picking the right access control strategy can have
a profound impact on how effectively users can leverage a database. To satisfy policy
restrictions, coarse-grained access mechanisms often must restrict data that could
otherwise be shared. Granular access control mechanisms are a tool that can be used to
reduce data restriction without violating policies. The following best practices should be
followed while ensuring granular access control.
8.1 Choose appropriate level of granularity required
8.1.1 Why?
To balance complexity and granularity of access control. The use of fine-grained access
controls requires an increased complexity in data labeling and security attribute
management, while coarse-grained access controls demand data modeling. For
example, database views can be used to protect databases that do not support row-,
column-, or cell-level access controls, but users must then maintain the views.
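The view approach from 8.1.1, as an added example that is not part of the original guidance: SQLite has no row- or column-level grants, so a view carries the restriction and an authorizer callback refuses reads that bypass it. The table, the view name patients_general and all rows are constructed for illustration.

```python
import sqlite3

VIEW = "patients_general"  # hypothetical view name used by this example


def build_db():
    """Constructed sample data: shareable and restricted fields in one table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT,
                               ward TEXT, diagnosis TEXT);
        INSERT INTO patients VALUES
            (1, 'Avery', 'general',    'fracture'),
            (2, 'Blake', 'psychiatry', 'restricted'),
            (3, 'Casey', 'general',    'asthma');
        -- Column restriction: diagnosis is left out.
        -- Row restriction: only the general ward is visible.
        CREATE VIEW patients_general AS
            SELECT id, name, ward FROM patients WHERE ward = 'general';
    """)
    return conn


def view_only(action, table, column, db_name, source):
    """Authorizer callback: default deny, reads allowed only through VIEW.

    `source` is the innermost view or trigger causing the access, or None
    when the access comes straight from the caller's SQL.
    """
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and VIEW in (table, source):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def query(conn, sql):
    """Run sql; return its rows, or None when the authorizer rejects it."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError:
        return None


if __name__ == "__main__":
    conn = build_db()
    conn.set_authorizer(view_only)  # installed after the schema is created
    print(query(conn, "SELECT * FROM patients_general"))  # view rows only
    print(query(conn, "SELECT diagnosis FROM patients"))  # None: denied
```

The view text is the policy here, so any change to which rows or columns may be shared means editing the view, which is the maintenance cost the paragraph mentions.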
8.1.2 How?
Oblivious RAM [SSS11] shuffles memory locations after each access. Thus, even a cloud service
provider cannot tell which data is accessed; therefore, the access pattern can be effectively hidden.
8.2 Normalize mutable elements, denormalize immutable elements
8.2.1 Why?
To design suitable access control mechanisms. Recent advances in database
technology have opened the door to more forms of denormalized data modeling. For
data elements that are more immutable, denormalized models can provide higher
concurrency and lower latency than models that require more joins. Granular access
controls become even more important when using denormalized data models, since
data from many sources and of many types are thrown together in a single bucket.
8.2.2 How?
CLOUD SECURITY ALLIANCE Big Data Working Group Guidance
© Copyright 2016, Cloud Security Alliance. All rights reserved.