Policy-as-Code Row-Level Security: Compiling DPL Rules into Spark SQL Views

Authors

  • Swaminathan Sethuraman, Visa, USA
  • Chiranjeevi Devi, LinkedIn Corp, USA
  • Chandan Gnana Murthy, Amtech Analytics, USA

Keywords:

Policy-as-Code, Data Protection Language, Spark SQL, row-level security, data lakes, schema evolution

Abstract

We show a declarative DPL rule compiler for parameterized Spark SQL views. The distributed processing protects rows. Policy-as-Code abstracts data access rules to generate Spark SQL. Consent enforcement is fine-grained without manual rule adjustments. User settings and role-based access constraints might cause dynamic view data rows to be incorrect. Data security and analysis. Data lineage tracking and policy propagation are enhanced by schema evolution events. Data lakes sync schema migrations. Compilers beat access filters in latency and administration. Declarative, scalable, privacy-preserving platform security for corporate data.

Published

03-08-2022

How to Cite

Swaminathan Sethuraman, Chiranjeevi Devi, and Chandan Gnana Murthy, “Policy-as-Code Row-Level Security: Compiling DPL Rules into Spark SQL Views”, American J Data Sci Artif Intell Innov, vol. 2, pp. 673–705, Aug. 2022, Accessed: Mar. 07, 2026. [Online]. Available: https://ajdsai.org/index.php/publication/article/view/98