From MDM to DB2: A Case Study of Security Enforcement Migration

  • Nikolay Yakovets
  • Jarek Gryz
  • Stephanie Hazlewood
  • Paul van Run
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7371)


This work presents a case study of migrating attribute-based access control enforcement from the application tier to the database tier. The proposed migration aims to improve the security and simplify the audit of the enterprise system by enforcing the information protection principles of least privilege and least common mechanism. We explore the challenges of such a migration and implement it in an industrial setting, in the context of master data management, where data security, privacy and audit are subject to regulatory compliance. Based on our implementation, we propose a general, standards-driven migration methodology.


Keywords: Master Data Management; Enterprise Security; Attribute-Based Access Control; Database Security; XACML; DB2


Copyright information

© IFIP International Federation for Information Processing 2012

Authors and Affiliations

  • Nikolay Yakovets (1, 2)
  • Jarek Gryz (1, 2)
  • Stephanie Hazlewood (3)
  • Paul van Run (3)

  1. Department of Computer Science and Engineering, York University, Canada
  2. Centre for Advanced Studies, IBM Canada, Canada
  3. IBM Canada, Canada
