Keeping Secrets by Separation of Duties While Minimizing the Amount of Cloud Servers

  • Ferdinand Bollwein
  • Lena Wiese
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10940)


In this paper we address the problem of data confidentiality when outsourcing data to cloud service providers. In our separation of duties approach, the original data set is fragmented into insensitive subsets such that each subset can be managed by an independent cloud provider. Security policies are expressed as sets of confidentiality constraints that induce the fragmentation process. We assume that the different cloud providers do not communicate with each other, so that only the actual data owner is able to link the subsets and reconstruct the original data set. While confidentiality is a hard constraint that has to be satisfied in our approach, we consider two further optimization goals (the minimization of the number of cloud providers and the maximization of utility as defined by visibility constraints) as well as data dependencies that might lead to unwanted disclosure of data. We extend prior work by formally defining the confidentiality and optimization requirements as an optimization problem. We provide an integer linear program (ILP) formulation and analyze different settings of the problem. We present a prototype that exploits a distributed installation of several PostgreSQL database systems; we give an in-depth account of the sophisticated distributed query management that is enforced by defining views for the outsourced data sets and rewriting queries according to the fragments.
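The following is an added worked example, not code from the paper or its CloudDBSOD prototype. It illustrates the core of the approach described above on a constructed schema: confidentiality constraints are attribute sets that must never be co-located at one provider, singleton constraints mark attributes the owner keeps locally, visibility constraints are attribute sets that are more useful when stored together, and a data dependency X -> Y is treated by closing each fragment under the dependencies before checking it. The search minimizes the number of fragments (hence providers) first and the number of satisfied visibility constraints second by exhaustive enumeration rather than the paper's ILP; the attribute names, rows, constraints and the closure-based dependency model are assumptions made for the example.

```python
"""Minimum-fragment vertical fragmentation under confidentiality constraints.

Constructed example: attribute names, rows, constraints and dependencies are
made up, and the model below is an assumption, not the paper's exact formalism.
"""
from typing import Dict, FrozenSet, Iterable, List, Sequence, Tuple

Attr = str
AttrSet = FrozenSet[Attr]
Dependency = Tuple[AttrSet, AttrSet]  # (premise, consequence): holders of premise learn consequence

# Constructed sample schema and security policy.
ATTRIBUTES = ["SSN", "Name", "DoB", "ZIP", "Illness", "Salary"]
CONF = [frozenset({"SSN"}),                      # singleton: never outsourced
        frozenset({"Name", "Illness"}),
        frozenset({"Name", "Salary"}),
        frozenset({"DoB", "ZIP", "Illness"})]
VIS = [frozenset({"Illness", "Salary"}), frozenset({"ZIP", "Salary"})]
DEPS: List[Dependency] = [(frozenset({"DoB", "ZIP"}), frozenset({"Name"}))]  # quasi-identifier re-identifies Name

ROWS = [  # constructed sample tuples
    {"SSN": "000-00-0001", "Name": "Alice", "DoB": "1980-01-01", "ZIP": "12345", "Illness": "flu", "Salary": 50000},
    {"SSN": "000-00-0002", "Name": "Bob", "DoB": "1975-06-30", "ZIP": "54321", "Illness": "asthma", "Salary": 62000},
]


def set_partitions(items: List[Attr]) -> Iterable[List[List[Attr]]]:
    """Yield every partition of `items` into non-empty blocks (Bell-number many)."""
    if not items:
        yield []
        return
    first, rest = items[0], items[1:]
    for part in set_partitions(rest):
        for i in range(len(part)):                      # put `first` into an existing block
            yield part[:i] + [[first] + part[i]] + part[i + 1:]
        yield [[first]] + part                           # or open a new block for it


def closure(fragment: AttrSet, deps: Sequence[Dependency]) -> AttrSet:
    """Everything a provider holding `fragment` can infer via the dependencies (fixpoint)."""
    known = set(fragment)
    changed = True
    while changed:
        changed = False
        for premise, consequence in deps:
            if premise <= known and not consequence <= known:
                known |= consequence
                changed = True
    return frozenset(known)


def is_confidential(fragments: Sequence[AttrSet], conf: Sequence[AttrSet],
                    deps: Sequence[Dependency]) -> bool:
    """No fragment, after closure under the dependencies, may cover a whole constraint."""
    return all(not c <= closure(f, deps) for f in fragments for c in conf)


def visibility_score(fragments: Sequence[AttrSet], vis: Sequence[AttrSet]) -> int:
    """Number of visibility constraints that are fully contained in some fragment."""
    return sum(any(v <= f for f in fragments) for v in vis)


def plan_fragmentation(attributes: List[Attr], conf: Sequence[AttrSet],
                       vis: Sequence[AttrSet], deps: Sequence[Dependency]):
    """Return (owner_attrs, fragments): fewest fragments first, most visibility second.

    Exhaustive search over set partitions; adequate for the handful of attributes
    a confidentiality policy usually covers, unlike the paper's ILP for larger schemas.
    """
    owner = frozenset(a for c in conf if len(c) == 1 for a in c)   # singletons stay with the owner
    outsourced = [a for a in attributes if a not in owner]
    best = None
    for part in set_partitions(outsourced):
        frags = [frozenset(b) for b in part]
        if not is_confidential(frags, conf, deps):
            continue
        key = (len(frags), -visibility_score(frags, vis))
        if best is None or key < best[0]:
            best = (key, frags)
    if best is None:
        raise ValueError("no confidential fragmentation exists")
    return owner, best[1]


def outsource(rows: List[Dict[str, object]], owner: AttrSet, fragments: Sequence[AttrSet]):
    """Split rows column-wise; each piece carries the owner's tuple id `tid` for re-linking."""
    owner_table = [{"tid": i, **{a: r[a] for a in owner}} for i, r in enumerate(rows)]
    provider_tables = [[{"tid": i, **{a: r[a] for a in f}} for i, r in enumerate(rows)]
                       for f in fragments]
    return owner_table, provider_tables


def reconstruct(owner_table, provider_tables) -> List[Dict[str, object]]:
    """The owner-side join over `tid`: the view a rewritten query would read from."""
    merged = {r["tid"]: dict(r) for r in owner_table}
    for table in provider_tables:
        for r in table:
            merged[r["tid"]].update(r)
    return [{k: v for k, v in r.items() if k != "tid"} for r in merged.values()]


if __name__ == "__main__":
    owner_attrs, frags = plan_fragmentation(ATTRIBUTES, CONF, VIS, DEPS)
    print("kept by owner:", sorted(owner_attrs))
    for i, f in enumerate(frags, 1):
        print(f"provider {i}:", sorted(f))
    o, p = outsource(ROWS, owner_attrs, frags)
    print("round trip ok:", reconstruct(o, p) == ROWS)
```

On the constructed policy the planner needs two providers: one holding Name and DoB, the other ZIP, Illness and Salary, with SSN retained by the owner. The dependency matters: a fragment {DoB, ZIP, Salary} passes the constraints on its own, but once DoB and ZIP are taken to re-identify Name it covers {Name, Salary} and is rejected.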



Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2018

Authors and Affiliations

  1. Institute of Computer Science, TU Clausthal, Clausthal-Zellerfeld, Germany
  2. Institute of Computer Science, University of Goettingen, Göttingen, Germany
