Re: Updates of SE-PostgreSQL 8.4devel patches

From Andrew Sullivan
Subject Re: Updates of SE-PostgreSQL 8.4devel patches
Date
Msg-id 20080926213225.GV26537@commandprompt.com
In response to Re: Updates of SE-PostgreSQL 8.4devel patches  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
Dear colleagues,

I said earlier I'd ask around about some of the literature on security
controls vs. database accessibility and side channels.  I did, and I
heard back.

One person told me that this conference often has things on this
topic:

http://www.ieee-security.org/TC/SP-Index.html

From my brief glimpse of the TOCs from the proceedings, as well as
some spelunking in the ACM guide, it seems to me that some people have
already worked out what ought to happen in many of these cases, and
all we need to do is write down what we think ought to happen for the
various use cases.  I note in particular that an awful lot of work
seems to be coming out of the health care sector in this area.  That
strikes me as at least as good a guide as national security concerns,
and anything that one might want to do probably ought to be able to
cope with at least those two caricatures of use cases.

I also found a 2007 doctoral thesis by Azhar Rauf, Colorado Technical
University, _A tradeoff analysis between data accessibility and
inference control for row, column, and cell level security in
relational databases_.  The title and abstract make me think it might
be worth looking at.

Hope this is helpful,

A

-- 
Andrew Sullivan
ajs@commandprompt.com
+1 503 667 4564 x104
http://www.commandprompt.com/

