Geospatial
Database Security
Nguyễn Minh Nhật
Nguyễn Ngọc Hương Thảo
Lê Trần Hoài Thu
Content
Part 01: Basic Knowledge about GIS
 Some basic information to know about GIS.
Part 02: Authorization in GIS Database
 One of the regular ways to authorize users and their privileges.
Part 03: Some GIS Security Models
 Some of the security models commonly used.
Contents of Basic GIS
Introduction of GIS & Geospatial database
GIS database structure
What is GIS?
GIS: Geographical Information Systems
[Figure: GIS placed between the USER and the REAL WORLD, with the question "Application?"]
GIS: history background
 This technology has developed from:
  Digital cartography and CAD
  Data Base Management Systems
[Figure: a CAD System holding ID and X,Y coordinates for records 1, 2, 3, linked by ID to a DataBase Management System holding ID and ATTRIB for the same records]
Geospatial Database
Database map
Attribute values
Contents of Basic GIS
Introduction of GIS & Geospatial database
GIS database structure
Representation of Geographical Information
 Many spatial databases are partitioned internally:
  Partitions defined spatially
  Partitions defined thematically
  Both
 Tile: a geographical partition of a database
 Layer: a thematic partition
LAYER
 A layer: logical grouping of geographic features, that can also be referred to as a coverage.
[Figure: Thematic Map of the Continental United States]
LAYER
 Maps are composed of Layers
[Figure: stacked map layers: States, Rivers, Lakes, Roads, Capitals]
GIS database structure
 Layers contain features or surfaces
 Layers are represented by:
  Vector model
  Raster model
  TIN model
[Figure: features and surfaces]
 GIS database structure:
  Database map: spatial data
  Attribute map: non-spatial data
Representing data with vector
 Vector model: geometric objects:
  Points
  Lines
  Polygons
Type     Position
Point    3,2
Line     1,5; 3,5; 5,7; 8,8; 11,7
Polygon  5,3; 6,5; 7,4; 9,5; 11,3; 8,2; 5,3
 Spaghetti model and Topology model
Spaghetti model
 Stores by x, y coordinate
 Represents relational spatial data for each object
 Represents attribute data
Spaghetti model
 Advantages:
  Simple, easy to represent
 Disadvantages:
  Unable to represent relational spatial data among these objects
  Polygons: boundary is stored twice
Topology model
 Spatial data
 Relational spatial data topology
 Arc-Node topology
 Polygon-Arc topology
Representing data with vector
 Advantage:
  Allows precise representation of points, boundaries, and linear features.
 Disadvantage:
  The boundaries of the resultant map polygons are discrete, whereas in reality the map polygons may represent continuous gradation or gradual change.
Representing data with raster
 Raster model as image files:
  Composed of grid-cells (pixels)
  A value attribute table (VAT) keeps track of your value classification.
  Add custom attributes by adding more columns.
  Disadvantage?
 Raster data has one or more bands.
  Each band has an identical grid layout representing a different attribute.
Representing data with raster
 Represents indistinct boundaries well
 Thematic information on soil types, soil moisture, vegetation, ground temperatures
 Because reconnaissance satellites and aerial surveys use raster-based scanners, the information (scanned images) can be directly incorporated into GIS
 The higher the grid resolution, the larger the data file is going to be.
Representing data with TIN
 TIN: Triangulated Irregular Networks
 Representing continuous surfaces
 Network structure
Attribute data
 Features are stored in a database along with information describing them.
 Attributes of a street: name, street type, length, street code, number of lanes, pavement type.
 Attributes of a park: name, area, hours of operation, maintenance schedule.
Attribute data
 Attribute values in a GIS are stored as a relational database table.
 Each feature within a GIS layer will be represented as a record in the table.
[Figure: features 1 to 4 on a map, each linked to a row of the table]
ID  Att1  Att2  Att3
1   X     X     X
2   X     X     X
3   X     X     X
…
Part 02: Authorization in GIS Database
Contents of Authorization in GIS
Why is authorization in GIS important?
Topological spatial data model (TSDM)
Basic components of the model
The geographic access control model
Authorization control mechanism
Why is authorization in GIS important?
Geographical data have a strategic relevance in a large variety of contexts:
 Gathering and analyzing intelligence
 Protecting critical infrastructure
 Responding to complex emergencies
 Preparing for disease outbreaks and bioterrorism
 Securing complex events
Topological spatial data model (TSDM)
Geometric layer:
 Shape and location on the earth surface of features
 Geometric value: set of points, set of simple connected (or not) polylines, set of simple polygons
Topological layer:
 Describing the topological relations of the feature with other features of the map
 Relation: {Disjoint, Touch, In, Contains, Equal, Cross, Overlap}
Topological spatial data model (TSDM)
[Figure: example of a geographical database: the railway network]
Topological spatial data model (TSDM)
Topological relations among the features of the Region and
the County feature types
Topological spatial data model (TSDM)
Geometric layer
Topological layer
Operators:
 Feature-based operators
 Map-based operators
 Mixed operators
Basic components of the model
Subject and object
 Subject: all users that interact with the system
 Object:
• Schema objects
• Instance objects
• Group objects
Privileges
 Instance privileges
 Insertion privileges
 Schema privileges
Basic components of the model
Authorization sign and type
 Sign
• (+) A subject is authorized for a given privilege
• (-) A subject is denied access to a given object under a given privilege
 Type: specifies whether an authorization can be overridden or not
• Weak authorizations
• Strong authorizations
Queries and windows
Grant option: only (+) authorizations can be delegated
The geographic access control model
Authorization
Authorization extension
Correct authorization
Authorization
A tuple containing all the basic components of the model.
The form: (u, p, pt, g, go, o, t, w, q)
Example:
 Set A = {
  a8 = (Ted, selM(2,geo), +, Bob, false, M_rail, st, Milan, ┴),
  a9 = (Ted, updF(0,space), +, Bob, false, Accident, wk, Milan, N=‘wrong manoeuvre’ Name=‘X’(Accident))
 }
Derivation rule
Derivation over object relationships
Derivation over privilege relationships
 An authorization granting a privilege to objects with a certain dimension has to be propagated to objects with lower dimension
 An authorization denying a privilege to objects with a certain dimension has to be propagated to objects with higher dimension
Algorithms for access control
Given an access request r = (u, p, o)
and an authorization a = (u, p, pt, g, go, o, t, w, q),
the access request can be satisfied if:
 r depends on a strong positive authorization and on no strong negative authorization, or
 r depends on a weak positive authorization, on no weak negative authorization and on no strong authorization.
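The decision rule above, combined with the derivation rule over object dimension from the previous slide, as an added Python example (not the presenters' or the cited paper's code). The object names, their dimensions and the sample authorizations are constructed; derivation over object relationships is left out because the slides only name it without defining it.

```python
"""Access decision over signed strong/weak authorizations with the
derivation rule over object dimension.  Added example: a toy model of the
rules on the slides, not the authors' or the paper's own code."""
from dataclasses import dataclass
from typing import Iterable, Tuple

# Constructed assumption: object dimensions as used by the derivation rule
# (points 0, lines 1, polygons 2).  The names are illustrative only.
DIMENSION = {"Station": 0, "Rail_line": 1, "Region": 2}


@dataclass(frozen=True)
class Authorization:
    """Reduced form of a = (u, p, pt, g, go, o, t, w, q): only the parts the
    decision algorithm needs (user, privilege, sign, object, type)."""
    user: str
    privilege: str
    sign: str        # '+' grants, '-' denies
    obj: str
    strong: bool     # strong = cannot be overridden, weak = can be


def derives_to(auth: Authorization, obj: str) -> bool:
    """Derivation by dimension: a positive authorization propagates to
    objects of lower dimension, a negative one to objects of higher
    dimension.  Derivation over object relationships is not modelled."""
    if auth.obj == obj:
        return True
    d_auth, d_obj = DIMENSION[auth.obj], DIMENSION[obj]
    return d_obj < d_auth if auth.sign == "+" else d_obj > d_auth


def decide(request: Tuple[str, str, str], auths: Iterable[Authorization]) -> bool:
    """r = (u, p, o) is satisfied iff it depends on a strong positive and no
    strong negative authorization, or on a weak positive, no weak negative
    and no strong authorization at all."""
    u, p, o = request
    relevant = [a for a in auths
                if a.user == u and a.privilege == p and derives_to(a, o)]
    strong_pos = any(a.strong and a.sign == "+" for a in relevant)
    strong_neg = any(a.strong and a.sign == "-" for a in relevant)
    weak_pos = any(not a.strong and a.sign == "+" for a in relevant)
    weak_neg = any(not a.strong and a.sign == "-" for a in relevant)
    if strong_pos and not strong_neg:
        return True
    return weak_pos and not weak_neg and not strong_pos and not strong_neg


# Constructed sample: Ted may select every Region (strong), and a weak
# denial on Station objects tries to carve Stations out again.
SAMPLE_AUTHS = [
    Authorization("Ted", "sel", "+", "Region", strong=True),
    Authorization("Ted", "sel", "-", "Station", strong=False),
]

if __name__ == "__main__":
    # The strong positive propagates down to Stations and cannot be
    # overridden by the weak denial, so all three requests are granted.
    for obj in ("Region", "Rail_line", "Station"):
        print(obj, decide(("Ted", "sel", obj), SAMPLE_AUTHS))
```

The sample shows the practical consequence of the type field: a weak denial on a low-dimension object does nothing against a strong grant on a containing dimension, so a deny that must hold has to be issued as a strong authorization.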
Part 03: Some GIS Security Models
Contents of GIS Security Model
Aspects in Security of Database System
Analysis of Access Control Mechanisms for Spatial DB
Secure Access Control in a Multi-User Geodatabase
Access control model for spatial data on web
Q&A
Aspects in Security of Database System
Privacy
Confidentiality
Secrecy
Integrity
Accuracy
Granularity
Availability
Privacy & Secrecy
Access limit control
 User private access right.
 GIS user-level based.
 Problems:
  Non-module GIS database.
  Module GIS database.
[Figure: GIS Database]
Privacy & Secrecy (cont)
[Figure: each user (User 01, User 02, … ) applies their own change (Change 01, Change 02, …) to the GIS Database]
Availability
 Storage Structure: Data, Database, Management, Application, Web Service, Web Users
 Operating System: Data, Image
Availability (cont)
Database Restore:
 Loss of power
 Disconnect.
 Hardware or Software errors.
[Figure: Packet]
Granularity
 Metadata
Integrity & Accuracy
Integrity & Accuracy = data can't be tampered with (added, deleted, or altered) by illegal users.
Techniques:
 Data type
 Rules
 Not Null Definitions
 Triggers
 Default Definitions
 Indexes
 Identity Properties
 Advanced Query
 Constraints
Confidentiality
Confidentiality = only the user knows the data.
[Figure: Data travelling across the Network]
Contents of GIS Security Model
Aspects in Security of Database System
Analysis of Access Control Mechanisms for Spatial DB
Efficient Techniques for Realizing Geo-Spatial Access Control
Secure Access Control in a Multi-User Geodatabase
Access control model for spatial data on web
Introduction
Two possible solutions for restricting access to the database:
 SDE-based access control mechanism.
 View-based access control mechanism.
Analysis of Access Control Mechanisms for Spatial DB
SDE-based access control mechanism
 SDE (Spatial Data Engine).
 Function: manage unstructured spatial data in a structured RDBMS (Relational database management system)
http://en.wikipedia.org/wiki/Relational_database_management_system
SDE-based access control mechanism
[Figure: a MAP object stored as one Record with fields Property 01 … Property 05]
SDE-based access control mechanism
All geospatial objects in the same map layer are stored in a table.
Each geospatial object is represented by a record of the table.
The geometric property of a geospatial object is stored as a field of the record.
SDE-based access control mechanism
Authentication: the system first ensures that logged-in users are legal.
Authorization: legal users execute permitted operations on the spatial objects of interest.
SDE – Spatial data organization
SDE uses layers to store features (spatial objects).
Each layer contains one of: point, line or polygon.
Each layer is composed of a business table, a feature table, a spatial index table, and a point table.
SDE – Spatial data – Business table
The business table represents features and stores the attribute properties of each feature.
SDE – Spatial data – Feature table
The feature table stores the shape types and bounding boxes of the features.
SDE – Spatial data – Spatial index table
The spatial index table contains information on the grid unit and the bounding boxes of features.
SDE – Spatial data – Point table
The point table stores the coordinate values of each shape in a binary type (BLOB), which is translated into spatial meaning by SDE.
SDE-based access control
Granularities of control: Authorization, Map Layers, Features, Spatial Context
SDE-based access control
FOR AUTHORIZATION
Namely, user information is stored in the database and the RDBMS is in charge of authenticating users.
Spatial authorization must alter the schemas of the related tables to store authorization information (legal users and corresponding privileges) according to the granularities of control.
SDE-based access control
FOR MAP LAYERS
The schema of the layer tables is extended with two fields: user and privilege.
According to users' specific authorization requirements, the user and privilege fields are filled in.
SDE-based access control
FOR FEATURES
A similar modification is made to the schema of the business tables, as each record of a business table stores the properties of a single feature.
SDE-based access control
FOR SPATIAL CONTEXT
As for spatial context, for example features in a rectangular window under a certain privilege, the authorization information is filled into the feature tables on the fly. The features falling in the window are calculated from the window rectangle and the bounding boxes stored in the feature table.
SDE-based access control
1. Certified IDs (the user has been authenticated).
2. Read the authorization information of the intended map layer.
3. Compare the legal users and privileges from the layer table with the intended operations.
4. Decide whether to authorize access to the map layer or reject it.
5. Apply the same procedure to obtain permission for specific features.
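The five-step procedure above, with the layer, feature and spatial-context granularities from the preceding slides, as an added Python example (not the presenters' or the cited paper's code). The layer table, business table and feature table are constructed in memory with the two added fields user and privilege from the slides; user names, credentials, layers and bounding boxes are made up, and check_access and features_in_window are assumptions about how such a mechanism would be wired together.

```python
"""SDE-style layered authorization check: authenticate, check the layer
table, then the business table (per feature), with spatial context resolved
against the bounding boxes in the feature table.  Added example with
constructed tables; only the field names user/privilege come from the
slides, everything else is illustrative."""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

BBox = Tuple[float, float, float, float]   # (xmin, ymin, xmax, ymax)

# Constructed user store for step 1 (the RDBMS authenticates users).
# SHA-256 digests stand in for the RDBMS's own salted password hashing.
_USERS = {
    "alice": hashlib.sha256(b"alice-pw").hexdigest(),
    "bob": hashlib.sha256(b"bob-pw").hexdigest(),
}

# Layer table with the added fields user and privilege (one row per grant).
LAYER_TABLE = [
    {"layer": "roads", "user": "alice", "privilege": "read"},
    {"layer": "roads", "user": "bob", "privilege": "write"},
    {"layer": "roads", "user": "bob", "privilege": "read"},
]
# Business table: one record per feature, with the same two fields added.
BUSINESS_TABLE = [
    {"layer": "roads", "fid": 1, "name": "Main St", "user": "alice", "privilege": "read"},
    {"layer": "roads", "fid": 1, "name": "Main St", "user": "bob", "privilege": "read"},
    {"layer": "roads", "fid": 2, "name": "Depot road", "user": "bob", "privilege": "write"},
]
# Feature table: shape type and bounding box per feature.
FEATURE_TABLE: Dict[Tuple[str, int], dict] = {
    ("roads", 1): {"shape": "line", "bbox": (0.0, 0.0, 10.0, 2.0)},
    ("roads", 2): {"shape": "line", "bbox": (50.0, 50.0, 60.0, 51.0)},
}


def authenticate(user: str, password: str) -> bool:
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(_USERS.get(user, ""), digest)


def layer_permits(user: str, layer: str, op: str) -> bool:
    """Steps 2-4: look the user up in the layer table for this operation."""
    return any(r["layer"] == layer and r["user"] == user and r["privilege"] == op
               for r in LAYER_TABLE)


def feature_permits(user: str, layer: str, fid: int, op: str) -> bool:
    """Step 5: the same lookup against the business table of the feature."""
    return any(r["layer"] == layer and r["fid"] == fid and r["user"] == user
               and r["privilege"] == op for r in BUSINESS_TABLE)


def _intersects(a: BBox, b: BBox) -> bool:
    return not (a[2] < b[0] or b[2] < a[0] or a[3] < b[1] or b[3] < a[1])


def features_in_window(layer: str, window: BBox) -> List[int]:
    """Spatial context: features whose bounding box meets the window."""
    return sorted(fid for (lyr, fid), rec in FEATURE_TABLE.items()
                  if lyr == layer and _intersects(rec["bbox"], window))


def check_access(user: str, password: str, layer: str, op: str,
                 fid: Optional[int] = None,
                 window: Optional[BBox] = None) -> Tuple[bool, str]:
    """Run steps 1-5 in order; the first failing step is named so that an
    audit log can record why a request was rejected."""
    if not authenticate(user, password):
        return False, "authentication failed"
    if not layer_permits(user, layer, op):
        return False, f"no {op} privilege on layer {layer}"
    targets = [fid] if fid is not None else []
    if window is not None:
        targets += features_in_window(layer, window)
    for f in targets:
        if not feature_permits(user, layer, f, op):
            return False, f"no {op} privilege on feature {f}"
    return True, "granted"
```

A window request is only granted when every feature the window touches is permitted, which is the fail-closed behaviour one wants from the on-the-fly filling of feature-level authorization described on the spatial-context slide.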
View-based access control mechanism.
[Figure: each user (User 01, User 02, …) reaches the GIS Database only through their own view (View 01, View 02, …)]
View-based access control mechanism.
Four components:
 Database accounts
 Database login (authentication)
 Privileges
 Views
View-based access control mechanism.
Alternative method to grant Carol access to the name and email columns:
create view employee_public as select name, email from employee;
grant select on employee_public to carol;
Contents of GIS Security Model
Aspects in Security of Database System
Analysis of Access Control Mechanisms for Spatial DB
Secure Access Control in a Multi-User Geodatabase
Efficient Techniques for Realizing Geo-Spatial Access Control
Access control model for spatial data on web
Secure Access Control in a Multi-user Geodatabase
Problems in multi-user access:
Some information needs to be secret.
Some users can view it, others can't.
Other:
• Fake users.
• Virtual users.
Secure Access Control in a Multi-user Geodatabase
Aspects of security of a GeoDatabase:
Privacy.
Confidentiality.
Secrecy.
Integrity.
Accuracy.
Granularity.
Availability.
Secure Access Control in a Multi-user
Geodatabase
Three main Access Control Models:
Mandatory (label-based).
Discretionary (User-based)
Role-Based.
Secure Access Control in a Multi-user Geodatabase
Mandatory (label-based): different security levels; users of the database have security clearances assigned.
Discretionary (user-based): permission-based access; users can protect or grant access rights.
Role-based: access control is enforced in terms of roles.
Secure Access Control in a Multi-user Geodatabase
Access Control Models for Geodatabase
Allow view-based access control.
Users access predefined sets of views, based on authorizations.
Views are built from a multi-level database and may be updated according to users' privileges.
Secure Access Control in a Multi-user Geodatabase
Three new different security architectures:
Single Multi-Level Database (Multi-level Relations).
Replicated Multi-Level Database.
Single Multi-level Database (Uni-level Relations).
Secure Access Control in a Multi-user Geodatabase
[Figures: the three architectures: Single Multi-Level Database (Multi-level Relations); Replicated Multi-Level Database; Single Multi-level Database (Uni-level Relations)]
Contents of GIS Security Model
Aspects in Security of Database System
Analysis of Access Control Mechanisms for Spatial DB
Efficient Techniques for Realizing Geo-Spatial Access Control
Access control model for spatial data on web
Secure Access Control in a Multi-User Geodatabase
INTRODUCTION (1)
The use of maps is crucial for correctly geoprocessing data. Currently, several commercial map management systems support visualization and editing of spatial objects on the Web.
Enforcing controlled access to spatial data, to ensure the confidentiality and integrity of information, has not been much investigated.
INTRODUCTION (2)
Ensuring confidentiality means preventing improper disclosure of information to non-authorized users.
Ensuring integrity means protecting data from unofficial modifications and thus preventing non-authorized users from inserting or modifying data in the database.
INTRODUCTION (3)
 The model is based on the following assumptions:
Spatial data consist of objects with sharp boundaries located in a geographical space.
Data are manipulated by remote users through the operations provided by a Web Map Management Service.
 The goal of the system is to control the way data are accessed by users having different profiles.
 The model is an extension of the classical access control model based on the notion of authorization rule.
INTRODUCTION (4)
The central idea is to assign an authorization a geographical scope, namely a bounded region in which the authorization is valid.
Therefore, the operations that users may execute on spatial data may vary, depending on user identity and object position.
PRELIMINARY NOTIONS (1)
The spatial data model used is the vector model defined by the OpenGIS Consortium (OGC), based on the notion of simple spatial feature.
The architecture of Web map management applications is organized according to a 3-tier architecture including the Presentation, Application and Data Storage layers.
PRELIMINARY NOTIONS (2)
The Data Storage layer consists of files and database servers.
The Application layer implements the operations requested by the application.
The Presentation layer on the client side includes either HTML pages or specialized programs.
PRELIMINARY NOTIONS (3)
We assume that features are transferred in a vector format and that the geo-processing is distributed on both client and server.
PRELIMINARY NOTIONS (5)
The Application layer consists of 2 main services:
The Access Control Service implements the operations for authorization rule checking and administration.
The Application Service implements the application logic and accesses the application data.
Besides, it also includes the Authentication Service, based on username/password, SSL or more complex services.
THE ACCESS CONTROL SYSTEM (1)
 Data access is controlled through a set of authorization rules. Each authorization rule, in its basic form, consists of a triple <subject, object, privilege>.
 The subject indicates who can access the data resource.
 The object is a spatial feature class.
 The privilege is the kind of action that can be performed by the subject on the given object.
THE ACCESS CONTROL SYSTEM (2)
 In the model, it is not possible to define authorization rules for objects at a finer level of granularity, for example on a single feature or on feature class attributes.
 Privileges used in the model:
Notify: controls the execution of the operations for feature insertion and deletion.
Analysis: controls the execution of the different querying operations.
ViewGeometry: controls the single operation GetFeature.
ViewAttribute: controls the operation GetFeatureInfo.
DEFINITIONS AND CONSTRAINTS (1)
 Definition 1 (Basic authorization)
Let R be a set of roles, FC the set of feature classes, O the set of Web service operations, P the set of privileges defined as a partition over the set O. A basic authorization rule is defined as a triple <r, f, p> where r ∈ R, f ∈ FC, p ∈ P.
Example:
The rule authorizing a surveyor to notify illegal waste deposits can be expressed as follows:
<surveyor, illegal_waste_deposit, Notify>.
DEFINITIONS AND CONSTRAINTS (2)
 Constraint 1 (Constraint on privilege dependency)
Let r be a role, fc a feature class, p1, p2, …, pn privileges. We say that p1 depends on p2, …, pn (written as p1 → p2 ˄ … ˄ pn) iff the existence of the rule a1 = <r, fc, p1> implies the existence of the rules a2 = <r, fc, p2>, …, an = <r, fc, pn>. The rule a1 is said to be dependent on a2, …, an (written a1 → a2 ˄ … ˄ an).
Example:
The dependency discussed above can be expressed in a simple way as follows:
Notify → ViewGeometry ˄ ViewAttribute
DEFINITIONS AND CONSTRAINTS (3)
 Definition 2 (Authorization with window)
Let Polygon denote the set of polygonal geometries. An authorization rule with window is a tuple <r, fc, p, w> where r ∈ R, fc ∈ FC, p ∈ P, w ∈ Polygon.
 Constraint 2 (Constraint on authorization window)
Let a1 = <r, fc, p1, w1> and a2 = <r, fc, p2, w2> be two authorization rules defined for the same role r and feature class fc but on two different privileges p1 and p2. If p1 → p2 then w1 ⊆ w2.
DEFINITIONS AND CONSTRAINTS (4)
 Definition 3 (Authorization rule with grant option)
Let R be a set of roles, FC the set of feature classes, P the set of privileges, W the set of Polygons. An authorization is defined as a tuple <r, fc, p, w, gr, gr_op>, where r ∈ R, fc ∈ FC, p ∈ P, w ∈ W, gr ∈ R, gr_op ∈ {true, false}.
 Constraint 3 (Constraint on authorization rule grant)
Let a = <r1, fc, p, wa, gr, true> be an authorization granted to role r1. The privilege p on feature class fc can be granted by r1 to r2 through the authorization b = <r2, fc, p, wb, r1, _> iff the window of b is contained in the window of a, that is, wb ⊆ wa.
DEFINITIONS AND CONSTRAINTS (5)
 Definition 4 (Authorization rule consistency)
The authorization rule a = <r, fc, p, w, gr, gr_op> is consistent iff the following constraints are satisfied:
a) Constraint 1 and Constraint 2 must hold, that is, for each privilege pi such that p → pi, the authorization ai = <r, fc, pi, wi, gr, _> must belong to the rule set and w ⊆ wi.
b) Constraint 3 must hold, that is, let b = <gr, fc, p, wb, _, true> be the corresponding authorization given to the grantor of a; then the relationship w ⊆ wb must hold.
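Definitions 1 to 4 and Constraints 1 to 3, as an added Python example that is not the paper's or the presenters' code. Windows are simplified to axis-aligned rectangles (xmin, ymin, xmax, ymax) instead of general polygons; the only privilege dependency taken from the slides is Notify → ViewGeometry ˄ ViewAttribute, the rest of the dependency table is constructed; and the rule set built around the slides' <surveyor, illegal_waste_deposit, Notify> example is made up, including a root role admin whose own rules are self-granted.

```python
"""Window-scoped authorization rules <r, fc, p, w, gr, gr_op> with the
dependency, window and grant constraints of Definitions 1-4.  Added
example, not the paper's code; windows are axis-aligned rectangles, a
constructed simplification of the Polygon set."""
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

Window = Tuple[float, float, float, float]   # (xmin, ymin, xmax, ymax)


class Rule(NamedTuple):
    r: str          # role
    fc: str         # feature class
    p: str          # privilege
    w: Window       # geographical scope of the authorization
    gr: str         # grantor role
    gr_op: bool     # may r grant this privilege further?


# Privilege dependency p -> p2 ^ ... ^ pn.  Notify's entry is from the
# slides; the Analysis entry is a constructed assumption.
DEPENDS_ON: Dict[str, List[str]] = {
    "Notify": ["ViewGeometry", "ViewAttribute"],
    "Analysis": ["ViewGeometry", "ViewAttribute"],
    "ViewGeometry": [],
    "ViewAttribute": [],
}


def contained(inner: Window, outer: Window) -> bool:
    """inner ⊆ outer for axis-aligned rectangles."""
    return (outer[0] <= inner[0] and outer[1] <= inner[1]
            and inner[2] <= outer[2] and inner[3] <= outer[3])


def find(rules: Iterable[Rule], r: str, fc: str, p: str) -> Optional[Rule]:
    return next((x for x in rules if x.r == r and x.fc == fc and x.p == p), None)


def is_consistent(a: Rule, rules: List[Rule]) -> Tuple[bool, str]:
    """Definition 4: (a) every privilege pi with p -> pi has a rule for the
    same role and class whose window contains w (Constraints 1 and 2);
    (b) the grantor holds p on fc with grant option and a window containing
    w (Constraint 3)."""
    for pi in DEPENDS_ON[a.p]:
        ai = find(rules, a.r, a.fc, pi)
        if ai is None:
            return False, f"constraint 1: missing <{a.r}, {a.fc}, {pi}>"
        if not contained(a.w, ai.w):
            return False, f"constraint 2: window of {a.p} not within window of {pi}"
    b = find(rules, a.gr, a.fc, a.p)
    if b is None or not b.gr_op:
        return False, f"constraint 3: grantor {a.gr} cannot grant {a.p} on {a.fc}"
    if not contained(a.w, b.w):
        return False, "constraint 3: window exceeds the grantor's window"
    return True, "consistent"


def can_grant(a: Rule, b: Rule) -> bool:
    """Constraint 3 alone: a = <r1, fc, p, wa, _, true> lets r1 create
    b = <r2, fc, p, wb, r1, _> iff wb ⊆ wa."""
    return (a.gr_op and b.gr == a.r and a.fc == b.fc and a.p == b.p
            and contained(b.w, a.w))


def authorized(rules: List[Rule], r: str, fc: str, p: str,
               point: Tuple[float, float]) -> bool:
    """An operation on a feature located at `point` is allowed iff a
    consistent rule for (r, fc, p) exists whose window contains the point."""
    x, y = point
    for a in rules:
        if a.r == r and a.fc == fc and a.p == p and is_consistent(a, rules)[0]:
            if a.w[0] <= x <= a.w[2] and a.w[1] <= y <= a.w[3]:
                return True
    return False


# Constructed rule set; admin is a root role whose rules are self-granted.
FC = "illegal_waste_deposit"
RULES = [
    Rule("admin", FC, "ViewGeometry", (0, 0, 200, 200), "admin", True),
    Rule("admin", FC, "ViewAttribute", (0, 0, 200, 200), "admin", True),
    Rule("admin", FC, "Notify", (0, 0, 200, 200), "admin", True),
    Rule("surveyor", FC, "ViewGeometry", (0, 0, 100, 100), "admin", False),
    Rule("surveyor", FC, "ViewAttribute", (0, 0, 100, 100), "admin", False),
    Rule("surveyor", FC, "Notify", (10, 10, 50, 50), "admin", True),
]
```

Checking consistency at the time a rule is written, rather than at request time, keeps the authorized() decision cheap and makes the two failure modes the constraints guard against visible: a Notify window that spills outside the ViewGeometry window, and a grant that widens the grantor's own scope.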
SUMMARY (1)
Strong points:
Protects vector-based spatial data against requests issued through a Web service.
Authorizations on spatial objects can be applied to limited areas within the reference space.
SUMMARY (2)
Weak points:
Does not support topological representation.
Does not support multiple representations of the same feature (such as various object dimensions).
Does not support both positive authorizations (giving permissions) and negative ones (specifying denials).
Summary of GIS Security Model
Aspects in Security of Database System
Analysis of Access Control Mechanisms for Spatial DB
Secure Access Control in a Multi-User Geodatabase
Access control model for spatial data on web
Q&A
References
[1] Jiayuan Lin, Yu Fang, Bin Chen, Pengei Wu – Analysis of Access Control Mechanisms for Spatial Database.
[2] Elisa Bertino, Michael Gertz – Security and Privacy for Geospatial Data: Concepts and Research Directions.
[3] Elisa Bertino, Maria Luisa Damiani – A Controlled Access to Spatial Data on Web.
[4] Mikhail J. Atallah, Marina Blanton, Keith B. Frikken – Efficient Techniques for Realizing Geo-Spatial Access Control.
[5] Sahadeb De, Caroline M. Eastman, Csilla Farkas – Secure Access Control in a Multi-user Geodatabase.
[6] Zhu Tang, Shiguang Ju, Weihe Chen – Active Authorization Rules for Enforcing RBAC with Spatial Characteristics.
[7] A. Belussi, E. Bertino, B. Catania – An Authorization Model for Geographical Maps.
[8] www.gis.com
[9] www.esri.com/casestudies
Questions?