Data Sensitivity and Classification Management: A Declarative Approach

摘要

Data protection according to sensitivity and classification has become a mandatory security mechanism for safety- and security-critical organizations. There is however no consensus on how to implement data sensitivity and classification in existing big-data systems. An approach is proposed to express and compute data sensitivity and multidimensional data classification in fine granularity. The approach is based on a declarative logic programming language, which is able to separate security requirement definitions and deduction from implementation details. Expressing and validating the security rules can be done transparently, ignoring underlying technical migrations and infrastructure differences. It is therefore possible to use the same set of security rules among various big data systems. Compared to other logic-programming-based approach, the declarative nature also makes it preferable for modular development and system maintenance. Sensitivity specification is shown and security analysis including conflict detection and resolution is performed on the same platform. Several typical types of data classification have also been illustrated and analyzed. The approach is capable of expressing complex classification methods, including classification with multiple parameters, classification according to graph computation, and classification based on relations among multiple data objects. The logic programming-based method is shown to have more expressive power and better complexity performance than conventional methods.