Vaibhav Khadilkar

A language for provenance access control

Provenance is a directed acyclic graph that explains how a resource came to be in its current form. Traditional access control does not support provenance graphs. We cannot achieve all the benefits of access control if the relationships between the data and their sources are not protected. In this paper, we propose a language that complements and extends existing access control languages to support provenance. This language also provides access to data based on integrity criteria. We have also built a prototype to show that this language can be implemented effectively using Semantic Web technologies.

Transforming provenance using redaction

Ongoing mutual relationships among entities rely on sharing quality information while preventing release of sensitive content. Provenance records the history of a document for ensuring both, the quality and trustworthiness; while redaction identifies and removes sensitive information from a document. Traditional redaction techniques do not extend to the directed graph representation of provenance. In this paper, we propose a graph grammar approach for rewriting redaction policies over provenance. Our rewriting procedure converts a high level specification of a redaction policy into a graph grammar rule that transforms a provenance graph into a redacted provenance graph. Our prototype shows that this approach can be effectively implemented using Semantic Web technologies.

Risk-Aware Workload Distribution in Hybrid Clouds

This paper explores an efficient and secure mechanism to partition computations across public and private machines in a hybrid cloud setting. We propose a principled framework for distributing data and processing in a hybrid cloud that meets the conflicting goals of performance, sensitive data disclosure risk and resource allocation costs. The proposed solution is implemented as an add-on tool for a Hadoop and Hive based cloud computing infrastructure. Our experiments demonstrate that the developed mechanism can lead to a major performance gain by exploiting both the hybrid cloud components without violating any pre-determined public cloud usage constraints.

BigSecret: A Secure Data Management Framework for Key-Value Stores

Data storage is one of the most popular cloud services, and is therefore offered by most service providers. Among the various cloud based data storage services, key-value stores has emerged as a popular option for storing and retrieving billions of key-value pairs. Although using such cloud based key-value store services could generate many benefits, companies are reluctant to utilize such services due to security concerns. For example, if keys are used to represent social security numbers of health insurance customers, and values are their medical claim details, then outsourcing such key-value pairs to a public cloud could create significant privacy and security risks. To mitigate such risks, we propose BigSecret, a framework that enables secure outsourcing and processing of encrypted data over public key-value stores. Furthermore, our proposed framework could automatically make use of multiple cloud providers, including existing private clouds, to securely distribute data and workloads for improving efficiency and performance. Our experiments show that efficient and secure processing over outsourced encrypted data residing in key-value stores is possible with a minor overhead in most cases. In addition, we show that BigSecrets data and workload distribution algorithm can lead to major performance gains in a multi-cloud setting.

A cloud-based RDF policy engine for assured information sharing

In this paper, we describe a general-purpose, scalable RDF policy engine. The innovations in our work include seamless support for a diverse set of security policies enforced by a highly available and scalable policy engine designed using a cloud-based platform. Our main goal is to demonstrate how coalition agencies can share information stored in multiple formats, through the enforcement of appropriate policies.

Design and implementation of a cloud-based assured information sharing system

The advent of cloud computing and the continuing movement toward software as a service (SaaS) paradigms have posed an increasing need for assured information sharing (AIS) as a service in the cloud. This paper describes the first of its kind assured information sharing system that operates in a cloud. The idea is for each organization to store their data and the information sharing policies in a cloud. The information is shared according to the policies. We describe a cloud-based information sharing framework that utilizes Semantic Web technologies; our framework consists of a policy engine that reasons about the policies for information sharing purposes and a secure data engine that stores and queries data in the cloud. We also describe the operation of our system with example policies.

Cloud-Centric assured information sharing

In this paper we describe the design and implementation of cloud-based assured information sharing systems. In particular, we will describe our current implementation of a centralized cloud-based assured information sharing system and the design of a decentralized hybrid cloud-based assured information sharing system of the future. Our goal is for coalition organizations to share information stored in multiple clouds and enforce appropriate policies.

Secure information integration with a semantic web-based framework

In this paper we describe the design and implementation of a semantic web based framework for secure information integration. In particular, we have evaluated Amazons Simple Storage Services ability to provide storage support for large-scale semantic data used by a semantic web-based framework called Blackbook. We describe cryptographic techniques for enforcing the protection of published data on Amazon S3. We also explore access control issues associated with such services and provide a solution using Suns implementation of eXtensible Access Control Markup Language (XACML).

Secure Data Provenance and Inference Control with Semantic Web

With an ever-increasing amount of information on the web, it is critical to understand the pedigree, quality, and accuracy of your data. Using provenance, you can ascertain the quality of data based on its ancestral data and derivations, track back to sources of errors, allow automatic re-enactment of derivations to update data, and provide attribution of the data source. Secure Data Provenance and Inference Control with Semantic Web supplies step-by-step instructions on how to secure the provenance of your data to make sure it is safe from inference attacks. It details the design and implementation of a policy engine for provenance of data and presents case studies that illustrate solutions in a typical distributed health care system for hospitals. Although the case studies describe solutions in the health care domain, you can easily apply the methods presented in the book to a range of other domains.The book describes the design and implementation of a policy engine for provenance and demonstrates the use of Semantic Web technologies and cloud computing technologies to enhancethe scalability of solutions. It covers Semantic Web technologies for the representation and reasoning of the provenance of the data and provides a unifying framework for securing provenance that can help to address the various criteria of your information systems. Illustrating key concepts and practical techniques, the book considers cloud computing technologies that can enhance the scalability of solutions. After reading this book you will be better prepared to keep up with the on-going development of the prototypes, products, tools, and standards for secure data management, secure Semantic Web, secure web services, and secure cloud computing.

REDACT: a framework for sanitizing RDF data

Resource Description Framework (RDF) is the foundational data model of the Semantic Web, and is essentially designed for integration of heterogeneous data from varying sources. However, lack of security features for managing sensitive RDF data while sharing may result in privacy breaches, which in turn, result in loss of user trust. Therefore, it is imperative to provide an infrastructure to secure RDF data. We present a set of graph sanitization operations that are built as an extension to SPARQL. These operations allow one to sanitize sensitive parts of an RDF graph and further enable one to build more sophisticated security and privacy features, thus allowing RDF data to be shared securely.