8.0 Granular Access Control (cont.)<br />
8.2.2 How?<br />
The core of fine-grained access control is to maintain labels with data. When denormalizing<br />
data, maintain provenance information for any provenance elements that are referenced in<br />
the data access policy. For example, if the source of data affects who can see that data, then<br />
maintain source information in tags along with fields that came from that source.<br />
8.3 Track secrecy requirements<br />
8.3.1 Why?<br />
To implement a scalable access control system. Part of building a scalable granular<br />
access control mechanism is to pre-join secrecy policy with data in the form of labels.<br />
Secrecy requirements can change over time, and it is important to be able to adapt<br />
granular access control mechanisms to keep up with changing policies.<br />
8.3.2 How?<br />
Use a labeling scheme that labels data with elements of policy that are unlikely to<br />
change over time, while more mutable policy elements are checked at query time.<br />
Keep track of the data-labeling policies that are applied at data ingest time to reduce<br />
assumptions made in policy evaluation at query time.<br />
8.4 Maintain access labels<br />
8.4.1 Why?<br />
To make policy decisions on data with complex provenance. Accurately maintaining<br />
access labels involves a degree of provenance tracking.<br />
8.4.2 How?<br />
Label data as far upstream as possible. Keep track of labels that are referenced in data<br />
access policy through all data transformations. Use access control mechanisms that<br />
support Boolean logic and/or label sets to simplify label tracking through data aggregation.<br />
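The labeling approach in 8.2.2, 8.3.2 and 8.4.2, as an added example that is not part of the original guidance: fields are labeled at ingest from their source, derived values carry the union of their inputs' labels and provenance, and the role-to-label grants (the mutable part of the policy) are checked only at query time. All source names, labels, roles and values are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed ingest-time labeling policy (all names here are hypothetical).
INGEST_POLICY = {"version": "v1",
                 "by_source": {"hr_feed": "HR", "clinic_feed": "PHI", "web_logs": "PUBLIC"}}

# Mutable policy element, evaluated at query time: labels each role currently satisfies.
ROLE_GRANTS = {"analyst": {"PUBLIC"},
               "hr_manager": {"PUBLIC", "HR"},
               "clinician": {"PUBLIC", "PHI"}}

@dataclass(frozen=True)
class Field:
    value: object
    labels: frozenset           # reader must satisfy ALL of these (AND semantics)
    sources: frozenset          # provenance that the access policy refers to
    policy_versions: frozenset  # ingest labeling policies that produced the labels

def ingest(value, source):
    """Label at ingest, from the source; an unknown source raises KeyError."""
    label = INGEST_POLICY["by_source"][source]
    return Field(value, frozenset({label}), frozenset({source}),
                 frozenset({INGEST_POLICY["version"]}))

def derive(value, *inputs):
    """A joined or aggregated value carries the union of its inputs' tags."""
    return Field(value,
                 frozenset().union(*(f.labels for f in inputs)),
                 frozenset().union(*(f.sources for f in inputs)),
                 frozenset().union(*(f.policy_versions for f in inputs)))

def query(record, roles, grants=ROLE_GRANTS):
    """Return only the fields whose label set the caller's roles cover."""
    held = set().union(*(grants.get(r, set()) for r in roles))
    return {k: f.value for k, f in record.items() if f.labels <= held}

def sample_record():
    """Constructed denormalized row joining three sources."""
    hired = ingest("2014-03-01", "hr_feed")
    visits = ingest(4, "clinic_feed")
    return {"hire_date": hired,
            "clinic_visits": visits,
            "visits_per_year": derive(2.0, hired, visits),  # needs HR and PHI
            "page_views": ingest(12, "web_logs")}

if __name__ == "__main__":
    rec = sample_record()
    for roles in (["analyst"], ["hr_manager"], ["hr_manager", "clinician"]):
        print(roles, query(rec, roles))
```

Passing a different `grants` mapping to `query` changes who can read a field without relabeling any stored data, which is the split between stable labels and query-time policy that 8.3.2 describes.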
CLOUD SECURITY ALLIANCE Big Data Working Group Guidance<br />
© Copyright 2016, Cloud Security Alliance. All rights reserved.<br />