trademark
2c2kIhh
2c2kIhh
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
8.0 Granular Access Control (cont.)<br />
8.9.2 How?<br />
Ensure that the application does not “change hats” without clearing session data. Defer<br />
to the database’s granular access control mechanism where possible.<br />
8.10 Develop protocols for tracking access restrictions<br />
8.10.1 Why?<br />
To operate access control system as expected. Data privacy policies are often complex and<br />
difficult to implement with 100 accuracy. It is important to review what policies are in place on<br />
a given system, as well as maintaining the capacity to revise policies when deemed necessary.<br />
8.10.2 How?<br />
Protocols for tracking access restrictions come in two forms: those used to encode<br />
policies and those used to audit the instantiations of those policies. Logging and<br />
aggregating audits of policy decisions can provide critical information about what<br />
data users are accessing, what data users are trying to access (unsuccessfully) and<br />
how users are attempting to access the system in an unauthorized manner. Analysis<br />
of those audits is critical to refining policy for both the purposes of increased privacy<br />
and increased sharing. When encoding policies, choose a standard language such as<br />
eXtensible Access Control Markup Language (XACML). This will allow policy creators to<br />
bring in help from a community of tool builders for visualizing, editing, and reasoning<br />
during the encoding process.<br />
CLOUD SECURITY ALLIANCE Big Data Working Group Guidance<br />
© Copyright 2016, Cloud Security Alliance. All rights reserved.<br />
47