Database Security-Concepts, Approaches, and Challenges

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Database Security-Concepts, Approaches, and Challenges

Full text

Publisher Site

Source

IEEE Transactions on Dependable and Secure Computing archive
Volume 2 , Issue 1 (January 2005) table of contents

Pages: 2 - 19

Year of Publication: 2005

ISSN:1545-5971

Fellows

Elisa Bertino	IEEE
Ravi Sandhu	IEEE

Publisher

IEEE Computer Society Press Los Alamitos, CA, USA

Bibliometrics

Downloads (6 Weeks): n/a, Downloads (12 Months): n/a, Citation Count: 11

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	10.1109/TDSC.2005.9

ABSTRACT

As organizations increase their reliance on, possibly distributed, information systems for daily business, they become more vulnerable to security breaches even as they gain productivity and efficiency advantages. Though a number of techniques, such as encryption and electronic signatures, are currently available to protect data when transmitted across sites, a truly comprehensive approach for data protection must also include mechanisms for enforcing access control policies based on data contents, subject qualifications and characteristics, and other relevant contextual information, such as time. It is well understood today that the semantics of data must be taken into account in order to specify effective access control policies. Also, techniques for data integrity and availability specifically tailored to database systems must be adopted. In this respect, over the years the database security community has developed a number of different techniques and approaches to assure data confidentiality, integrity, and availability. However, despite such advances, the database security area faces several new challenges. Factors such as the evolution of security concerns, the "disintermediation¿ of access to data, new computing paradigms and applications, such as grid-based computing and on-demand business, have introduced both new security requirements and new contexts in which to apply and possibly extend current approaches. In this paper, we first survey the most relevant concepts underlying the notion of database security and summarize the most well-known techniques. We focus on access control systems, on which a large body of research has been devoted, and describe the key access control models, namely, the discretionary and mandatory access control models, and the role-based access control (RBAC) model. We also discuss security for advanced data management systems, and cover topics such as access control for XML. We then discuss current challenges for database security and some preliminary approaches that address some of these challenges.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	R. Agrawal R. Srikant and Y. Xu, “Database Technologies for Electronic Commerce,” <i>Proc. Very Large Databases Conf. (VLDB),</i> 2002.
	2	R. Agrawal J. Kiernan R. Srikant and Y. Xu, “Hippocratic Databases,” <i>Proc. 28th Int'l Conf. Very Large Databases (VLDB),</i> 2002.
	3	Rakesh Agrawal , Jerry Kiernan , Ramakrishnan Srikant , Yirong Xu, Order preserving encryption for numeric data, Proceedings of the 2004 ACM SIGMOD international conference on Management of data, June 13-18, 2004, Paris, France [doi>10.1145/1007568.1007632]
	4	Rafiul Ahad , James Davis , Stefan Gower , Peter Lyngbæk , Andra Marynowski , Emmanuel Onuegbe, Supporting Access Control in an Object-Oriented Database Language, Proceedings of the 3rd International Conference on Extending Database Technology: Advances in Database Technology, p.184-200, March 23-27, 1992
	5	Gail-Joon Ahn , Ravi Sandhu, Role-based authorization constraints specification, ACM Transactions on Information and System Security (TISSEC), v.3 n.4, p.207-226, Nov. 2000 [doi>10.1145/382912.382913]
	6	M. M. Astrahan , M. W. Blasgen , D. D. Chamberlin , K. P. Eswaran , J. N. Gray , P. P. Griffiths , W. F. King , R. A. Lorie , P. R. McJones , J. W. Mehl , G. R. Putzolu , I. L. Traiger , B. W. Wade , V. Watson, System R: relational approach to database management, ACM Transactions on Database Systems (TODS), v.1 n.2, p.97-137, June 1976 [doi>10.1145/320455.320457]
	7	S. Axelsson, “Intrusion Detection Systems: A Survey and Taxonomy,” Technical Report No. 99-15, Dept. of Computer Eng., Chalmers Univ. of Technology, Sweden, 2000.
	8	Jean Bacon , Ken Moody , Walt Yao, A model of OASIS role-based access control and its support for active security, ACM Transactions on Information and System Security (TISSEC), v.5 n.4, p.492-540, November 2002 [doi>10.1145/581271.581276]
	9	D.E. Bell and L.J. LaPadula, “Secure Computer Systems: Unified Exposition and Multics Interpretation,” Technical Report MTR-2997, The Mitre Corp., Bedford, Mass., 1976.
	10	Elisa Bertino , Claudio Bettini , Elena Ferrari , Pierangela Samarati, An access control model supporting periodicity constraints and temporal reasoning, ACM Transactions on Database Systems (TODS), v.23 n.3, p.231-285, Sept. 1998 [doi>10.1145/293910.293151]
	11	Elisa Bertino , Piero Andrea Bonatti , Elena Ferrari, TRBAC: A temporal role-based access control model, ACM Transactions on Information and System Security (TISSEC), v.4 n.3, p.191-233, August 2001 [doi>10.1145/501978.501979]
	12	E. Bertino D. Bruschi S. Franzoni I. Nai-Fovino and S. Valtolina, “Threat Modeling for SQL Server,” <i>Proc. Eighth IFIP TC-6 and TC-11 Conf. Comm. and Multimedia Security (CMS 2004),</i> Sept. 2004.
	13	Elisa Bertino , Barbara Carminati , Elena Ferrari , Bhavani Thuraisingham , Amar Gupta, Selective and Authentic Third-Party Distribution of XML Documents, IEEE Transactions on Knowledge and Data Engineering, v.16 n.10, p.1263-1278, October 2004 [doi>10.1109/TKDE.2004.63]
	14	Elisa Bertino , Silvana Castano , Elena Ferrari, Securing XML Documents with Author-X, IEEE Internet Computing, v.5 n.3, p.21-31, May 2001 [doi>10.1109/4236.935172]
	15	Elisa Bertino , Barbara Catania , Elena Ferrari, A nested transaction model for multilevel secure database management systems, ACM Transactions on Information and System Security (TISSEC), v.4 n.4, p.321-370, November 2001 [doi>10.1145/503339.503340]
	16	Elisa Bertino , Barbara Catania , Elena Ferrari , Paolo Perlasca, A logical framework for reasoning about access control models, ACM Transactions on Information and System Security (TISSEC), v.6 n.1, p.71-127, February 2003 [doi>10.1145/605434.605437]
	17	Elisa Bertino , Elena Ferrari, Administration Policies in a Multipolicy Autorization System, Proceedings of the IFIP TC11 WG11.3 Eleventh International Conference on Database Securty XI: Status and Prospects, p.341-355, August 10-13, 1997
	18	Elisa Bertino , Elena Ferrari, Secure and selective dissemination of XML documents, ACM Transactions on Information and System Security (TISSEC), v.5 n.3, p.290-331, August 2002 [doi>10.1145/545186.545190]
	19	Elisa Bertino , Elena Ferrari , Vijay Atluri, The specification and enforcement of authorization constraints in workflow management systems, ACM Transactions on Information and System Security (TISSEC), v.2 n.1, p.65-104, Feb. 1999 [doi>10.1145/300830.300837]
	20	Elisa Bertino , Jianping Fan , Elena Ferrari , Mohand-Said Hacid , Ahmed K. Elmagarmid , Xingquan Zhu, A hierarchical access control model for video database systems, ACM Transactions on Information Systems (TOIS), v.21 n.2, p.155-191, April 2003 [doi>10.1145/763693.763695]
	21	E. Bertino , E. Ferrari , G. Mella, An approach to cooperative updates of XML documents in distributed systems, Journal of Computer Security, v.13 n.2, p.191-242, March 2005
	22	E. Bertino E. Ferrari and L. ParasilitiProvenza, “Signature and Access Control Policies,” <i>Proc. 2003 European Symp. Research in Computer Security (ESORICS-03),</i> Oct. 2003.
	23	Trust-X: A Peer-to-Peer Framework for Trust Establishment, IEEE Transactions on Knowledge and Data Engineering, v.16 n.7, p.827-842, July 2004 [doi>10.1109/TKDE.2004.1318565]
	24	Elisa Bertino , Laura M. Haas, Views and Security in Distributed Database Management Systems, Proceedings of the International Conference on Extending Database Technology: Advances in Database Technology, p.155-169, March 14-18, 1988
	25	E. Bertino D. Leggieri and E. Terzi, “Securing DBMS: Characterizing and Detecting Query Flood,” <i>Proc. Ninth Information Security Conf. (ISC '04),</i> Sept. 2004.
	26	Elisa Bertino , Sushil Jajodia , Pierangela Samarati, Database security: research and practice, Information Systems, v.20 n.7, p.537-556, Nov. 1995 [doi>10.1016/0306-4379(95)00029-4]
	27	Elisa Bertino , Pierangela Samarati , Sushil Jajodia, An Extended Authorization Model for Relational Databases, IEEE Transactions on Knowledge and Data Engineering, v.9 n.1, p.85-101, January 1997 [doi>10.1109/69.567051]
	28	Rafae Bhatti , Elisa Bertino , Arif Ghafoor , James B. D. Joshi, XML-Based Specification for Web Services Document Security, Computer, v.37 n.4, p.41-49, April 2004 [doi>10.1109/MC.2004.1297300]
	29	Marina Bykova , Mikhail Atallah, Succinct specifications of portable document access policies, Proceedings of the ninth ACM symposium on Access control models and technologies, June 02-04, 2004, Yorktown Heights, New York, USA [doi>10.1145/990036.990043]
	30	J.W. Byun E. Bertino and N. Lui, “Purpose-Based Access Control for Privacy Protection in Relational Database Systems,” CERIAS Technical Report 2004-52, Purdue Univ., 2004.
	31	David W. Chadwick , Alexander Otenko , Edward Ball, Role-Based Access Control With X.509 Attribute Certificates, IEEE Internet Computing, v.7 n.2, p.62-69, March 2003 [doi>10.1109/MIC.2003.1189190]
	32	Chris Clifton, Using sample size to limit exposure to data mining, Journal of Computer Security, v.8 n.4, p.281-307, Dec. 2000
	33	COPPA, <i>Children's Online Privacy Protection Act of 1998,</i> Oct. 1998, available at www.cdt.org/legislation/105th/privacy/coppa.html.
	34	Jason Crampton , George Loizou, Administrative scope: A foundation for role-based administrative models, ACM Transactions on Information and System Security (TISSEC), v.6 n.2, p.201-231, May 2003 [doi>10.1145/762476.762478]
	35	Y. Cui , J. Widom, Lineage tracing for general data warehouse transformations, The VLDB Journal — The International Journal on Very Large Data Bases, v.12 n.1, p.41-58, May 2003 [doi>10.1007/s00778-002-0083-8]
	36	Dorothy E. Denning, A lattice model of secure information flow, Communications of the ACM, v.19 n.5, p.236-243, May 1976 [doi>10.1145/360051.360056]
	37	Dorothy E. Denning, Secure statistical databases with random sample queries, ACM Transactions on Database Systems (TODS), v.5 n.3, p.291-315, Sept. 1980 [doi>10.1145/320613.320616]
	38	Dorothy E. Denning , Jan Schlörer, A fast procedure for finding a tracker in a statistical database, ACM Transactions on Database Systems (TODS), v.5 n.1, p.88-102, March 1980 [doi>10.1145/320128.320138]
	39	US Dept. of Defense, <i>Trusted Computer System Evaluation Criteria,</i> DOD 5200. 28-STD, Dept. of Defense, Washington, D.C., 1975.
	40	Y. Diao S. Rivzi and M. Franklin, “Toward an Internet-Scale XML Dissemination Service,” <i>Proc. Very Large Databases Conf.,</i> 2004.
	41	Andrew Eisenberg , Jim Melton, SQL: 1999, formerly known as SQL3, ACM SIGMOD Record, v.28 n.1, p.131-138, March 1999 [doi>10.1145/309844.310075]
	42	Ronald Fagin, On an authorization mechanism, ACM Transactions on Database Systems (TODS), v.3 n.3, p.310-319, Sept. 1978 [doi>10.1145/320263.320288]
	43	Federal Trade Commission, “FTC Announces Settlement with Bankrupt Website, Toysmart.com, Regarding Alleged Privacy Policy Violations,” July 2000, available at www.ftc.gov/opa/2000/07/toysmart2.htm.
	44	E.B. Fernandez R.C. Summers and T. Lang, “Definition and Evaluation of Access Rules in Data Management Systems,” <i>Proc. Very Large Databases Conf.,</i> 1975.
	45	Eduardo B. Fernandez , Rita C. Summers , Christopher Wood, Database Security and Integrity, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 1981
	46	E. Ferrari and B.M. Thuraisingham, “Security and Privacy for Web Databases and Services,” <i>Advances in Database Technology-EDBT 2004, Proc. Ninth Int'l Conf. Extending Database Technology,</i> Mar. 2004.
	47	David F. Ferraiolo , Ravi Sandhu , Serban Gavrila , D. Richard Kuhn , Ramaswamy Chandramouli, Proposed NIST standard for role-based access control, ACM Transactions on Information and System Security (TISSEC), v.4 n.3, p.224-274, August 2001 [doi>10.1145/501978.501980]
	48	David F. Ferraiolo , D. Richard Kuhn , Ramaswamy Chandramouli, Role-Based Access Control, Artech House, Inc., Norwood, MA, 2003
	49	Alban Gabillon , Emmanuel Bruno, Regulating access to XML documents, Proceedings of the fifteenth annual working conference on Database and application security, p.299-314, July 15-18, 2001, Niagara, Ontario, Canada
	50	Jim Gray , Andreas Reuter, Transaction Processing: Concepts and Techniques, Morgan Kaufmann Publishers Inc., San Francisco, CA, 1992
	51	Patricia P. Griffiths , Bradford W. Wade, An authorization mechanism for a relational database system, ACM Transactions on Database Systems (TODS), v.1 n.3, p.242-255, Sept. 1976 [doi>10.1145/320473.320482]
	52	Hao He , Raymond K. Wong, A Role-Based Access Control Model for XML Repositories, Proceedings of the First International Conference on Web Information Systems Engineering (WISE'00)-Volume 1, p.138, June 19-20, 2000
	53	HIPAA, <i>Health Insurance Portability and Accountability Act of 1996,</i> available at http://www.hep-c-alert.org/links/hipaa.html, 1996.
	54	B. Iyer S. Mehrotra E. Mykletun G. Tsudik and Y. Wu, “A Framework for Efficient Storage Security in RDBMS,” <i>Proc. Seventh Int'l Conf. Extending Database Technology (EDBT 2004),</i> Mar. 2004.
	55	S. Jajodia R. Sandhu and B. Blaustein, “Solutions to the Polyinstantiation Problem,” <i>Information Security: An Integrated Collection of Essays,</i> vol. 1, M.A. Abrams et al. eds., IEEE CS Press, pp. 493-529, 1994.
	56	Ninghui Li , Mahesh V. Tripunitara, Security analysis in role-based access control, Proceedings of the ninth ACM symposium on Access control models and technologies, June 02-04, 2004, Yorktown Heights, New York, USA [doi>10.1145/990036.990058]
	57	Liberty Alliance Project (www.projectliberty.org), 2001.
	58	Peng Liu, Architectures for Intrusion Tolerant Database Systems, Proceedings of the 18th Annual Computer Security Applications Conference, p.311, December 09-13, 2002
	59	T. F. Lunt , D. E. Denning , R. R. Schell , M. Heckman , W. R. Shockley, The SeaView Security Model, IEEE Transactions on Software Engineering, v.16 n.6, p.593-607, June 1990 [doi>10.1109/32.55088]
	60	Günter Karjoth, Access control with IBM Tivoli access manager, ACM Transactions on Information and System Security (TISSEC), v.6 n.2, p.232-257, May 2003 [doi>10.1145/762476.762479]
	61	Günter Karjoth , Matthias Schunter , Els Van Herreweghen, Translating Privacy Practices into Privacy Promises—How to Promise What You Can Keep, Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks, p.135, June 04-06, 2003
	62	Network security: PRIVATE communication in a PUBLIC world, Prentice Hall PTR, Upper Saddle River, NJ, 02
	63	Axel Kern , Martin Kuhlmann , Rainer Kuropka , Andreas Ruthert, A meta model for authorisations in application security systems and their integration into RBAC administration, Proceedings of the ninth ACM symposium on Access control models and technologies, June 02-04, 2004, Yorktown Heights, New York, USA [doi>10.1145/990036.990050]
	64	Himanshu Khurana, Scalable security and accounting services for content-based publish/subscribe systems, Proceedings of the 2005 ACM symposium on Applied computing, March 13-17, 2005, Santa Fe, New Mexico [doi>10.1145/1066677.1066862]
	65	M. Koch , L. V. Mancini , F. Parisi-Presicce, Administrative scope in the graph-based framework, Proceedings of the ninth ACM symposium on Access control models and technologies, June 02-04, 2004, Yorktown Heights, New York, USA [doi>10.1145/990036.990051]
	66	Naren Kodali , Csilla Farkas , Duminda Wijesekera, An authorization model for multimedia digital libraries, International Journal on Digital Libraries, v.4 n.3, p.139-155, November 2004 [doi>10.1007/s00799-004-0080-1]
	67	D. Richard Kuhn, Mutual exclusion of roles as a means of implementing separation of duty in role-based access control systems, Proceedings of the second ACM workshop on Role-based access control, p.23-30, November 06-07, 1997, Fairfax, Virginia, United States [doi>10.1145/266741.266749]
	68	James B. D. Joshi , Elisa Bertino , Usman Latif , Arif Ghafoor, A Generalized Temporal Role-Based Access Control Model, IEEE Transactions on Knowledge and Data Engineering, v.17 n.1, p.4-23, January 2005 [doi>10.1109/TKDE.2005.1]
	69	P. Missier , G. Lalk , V. Verykios , F. Grillo , T. Lorusso , P. Angeletti, Improving Data Quality in Practice: A Case Study in the Italian Public Administration, Distributed and Parallel Databases, v.13 n.2, p.135-160, March 2003 [doi>10.1023/A:1021548024224]
	70	J. E.B. Moss, Nested transactions: an approach to reliable distributed computing, Massachusetts Institute of Technology, Cambridge, MA, 1985
	71	Makoto Murata , Akihiko Tozawa , Michiharu Kudo , Satoshi Hada, XML access control using static analysis, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA [doi>10.1145/948109.948122]
	72	OASIS Consortium, eXtensible Access Control Markup Language (XACML) Committee Specification, Version 1.1, available at: http://www.oasis-open.org/committees/xacml/, 2000.
	73	Stanley R. M. Oliveira , Osmar R. Zaïane, Privacy preserving frequent itemset mining, Proceedings of the IEEE international conference on Privacy, security and data mining, p.43-54, December 01, 2002, Maebashi City, Japan
	74	Oracle, The Virtual Private Database in Oracle9iR2, available at http://otn.oracle.com/deploy/security/oracle9iR2/pdf/VPD9ir2twp.pdf, 2000.
	75	Fausto Rabitti , Elisa Bertino , Won Kim , Darrell Woelk, A model of authorization for next-generation database systems, ACM Transactions on Database Systems (TODS), v.16 n.1, p.88-131, March 1991 [doi>10.1145/103140.103144]
	76	C. Ramaswamy and R. Sandhu, “Role-Based Access Control Features in Commercial Database Management Systems,” <i>Proc. 21st Nat'l Information Systems Security Conf.,</i> pp. 503-511, Oct. 1998.
	77	Joel Richardson , Peter Schwarz , Luis-Felipe Cabrera, CACL: efficient fine-grained protection for objects, conference proceedings on Object-oriented programming systems, languages, and applications, p.263-275, October 18-22, 1992, Vancouver, British Columbia, Canada
	78	Shariq Rizvi , Alberto Mendelzon , S. Sudarshan , Prasan Roy, Extending query rewriting techniques for fine-grained access control, Proceedings of the 2004 ACM SIGMOD international conference on Management of data, June 13-18, 2004, Paris, France [doi>10.1145/1007568.1007631]
	79	Ravi S. Sandhu, Lattice-Based Access Control Models, Computer, v.26 n.11, p.9-19, November 1993 [doi>10.1109/2.241422]
	80	Ravi S. Sandhu , Edward J. Coyne , Hal L. Feinstein , Charles E. Youman, Role-Based Access Control Models, Computer, v.29 n.2, p.38-47, February 1996 [doi>10.1109/2.485845]
	81	Ravi Sandhu , Fang Chen, The multilevel relational (MLR) data model, ACM Transactions on Information and System Security (TISSEC), v.1 n.1, p.93-132, Nov. 1998 [doi>10.1145/290163.290171]
	82	O. Sami Saydjari, Multilevel Security: Reprise, IEEE Security and Privacy, v.2 n.5, p.64-67, September 2004 [doi>10.1109/MSP.2004.78]
	83	Bruce Schneier, Hacking the Business Climate for Network Security, Computer, v.37 n.4, p.87-89, April 2004 [doi>10.1109/MC.2004.1297316]
	84	R. Sion M. Atallah and S. Prabhakar, “Resilient Rights Proofs for Sensor Streams,” <i>Proc. Conf. Very Large Databases,</i> Sept. 2004.
	85	Radu Sion , Mikhail Atallah , Sunil Prabhakar, Rights Protection for Relational Data, IEEE Transactions on Knowledge and Data Engineering, v.16 n.12, p.1509-1525, December 2004 [doi>10.1109/TKDE.2004.94]
	86	Latanya Sweeney, Achieving k-anonymity privacy protection using generalization and suppression, International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, v.10 n.5, p.571-588, October 2002 [doi>10.1142/S021848850200165X]
	87	Roshan K. Thomas , Ravi S. Sandhu, Task-Based Authorization Controls (TBAC): A Family of Models for Active and Enterprise-Oriented Autorization Management, Proceedings of the IFIP TC11 WG11.3 Eleventh International Conference on Database Securty XI: Status and Prospects, p.166-181, August 10-13, 1997
	88	W. G. Tzeng, A Time-Bound Cryptographic Key Assignment Scheme for Access Control in a Hierarchy, IEEE Transactions on Knowledge and Data Engineering, v.14 n.1, p.182-188, January 2002 [doi>10.1109/69.979981]
	89	M. B. Thuraisingham, Mandatory security in object-oriented database systems, Conference proceedings on Object-oriented programming systems, languages and applications, p.203-210, October 02-06, 1989, New Orleans, Louisiana, United States
	90	B. Thuraisingham, <i>Database and Applications Security: Integrating Databases and Applications Security.</i> CRC Press, Dec. 2004.
	91	Bhavani Thuraisingham , William Ford , Marie Collins , Jonathan O'Keeffe, Design and implementation of a database inference controller, Data & Knowledge Engineering, v.11 n.3, p.271-297, Dec. 1993 [doi>10.1016/0169-023X(93)90025-K]
	92	Jaideep Vaidya , Chris Clifton, Privacy preserving association rule mining in vertically partitioned data, Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining, July 23-26, 2002, Edmonton, Alberta, Canada [doi>10.1145/775047.775142]
	93	Jennifer Widom , Stefano Ceri , Umeshwar Dayal, Active Database Systems: Triggers and Rules for Advanced Database Processing, Morgan Kaufmann Publishers Inc., San Francisco, CA, 1994
	94	Jingzhu Wang , Sylvia L. Osborn, A role-based approach to access control for XML databases, Proceedings of the ninth ACM symposium on Access control models and technologies, June 02-04, 2004, Yorktown Heights, New York, USA [doi>10.1145/990036.990047]
	95	C. Wood and E.B. Fernandez, “Decentralized Authorization in a Database System,” <i>Proc. Conf. Very Large Databases,</i> 1979.
	96	World Wide Web Consortium, Extensible Markup Language (XML), 1.0, 1998, available at: http://www.w3.org/TR/REC-xml.
	97	World Wide Web Consortium, Platform for Privacy Preferences (P3P), available at www.w3.org/P3P, 1994.
	98	Tak W. Yan , Hector Garcia-Molina, The SIFT information dissemination system, ACM Transactions on Database Systems (TODS), v.24 n.4, p.529-565, Dec. 1999 [doi>10.1145/331983.331992]

CITED BY 11

	Belén Vela , Eduardo Fernández-Medina , Esperanza Marcos , Mario Piattini, Model driven development of secure XML databases, ACM SIGMOD Record, v.35 n.3, p.22-27, September 2006
	Massimo Mecella , Mourad Ouzzani , Federica Paci , Elisa Bertino, Access control enforcement for conversation-based web services, Proceedings of the 15th international conference on World Wide Web, May 23-26, 2006, Edinburgh, Scotland
	Ji-Won Byun , Yonglak Sohn , Elisa Bertino, Systematic control and management of data integrity, Proceedings of the eleventh ACM symposium on Access control models and technologies, June 07-09, 2006, Lake Tahoe, California, USA
	Sergej Zerr , Elena Demidova , Daniel Olmedilla , Wolfgang Nejdl , Marianne Winslett , Soumyadeb Mitra, Zerber: r-confidential indexing for distributed documents, Proceedings of the 11th international conference on Extending database technology: Advances in database technology, March 25-29, 2008, Nantes, France
	Qi Yu , Xumin Liu , Athman Bouguettaya , Brahim Medjahed, Deploying and managing Web services: issues, solutions, and directions, The VLDB Journal — The International Journal on Very Large Data Bases, v.17 n.3, p.537-572, May 2008
	Anne V. D. M. Kayem_ca , Selim G. Akl , Patrick Martin, On replacing cryptographic keys in hierarchical key management systems, Journal of Computer Security, v.16 n.3, p.289-309, August 2008
	Mario Guimaraes , Meg Murray , Richard Austin, Incorporating database security courseware into a database security class, Proceedings of the 4th annual conference on Information security curriculum development, September 28-28, 2007, Kennesaw, Georgia
	Elisa Bertino , Bhavani Thuraisingham , Michael Gertz , Maria Luisa Damiani, Security and privacy for geospatial data: concepts and research directions, Proceedings of the SIGSPATIAL ACM GIS 2008 International Workshop on Security and Privacy in GIS and LBS, November 04-04, 2008, Irvine, California
	Norjihan Abdul Ghani , Zailani Mohamed Sidek, Personal information privacy protection in e-commerce, WSEAS Transactions on Information Science and Applications, v.6 n.3, p.407-416, March 2009
	Kyu II Kim , Won Gil Choi , Eun Ju Lee , Ung Mo Kim, RBAC-based access control for privacy protection in pervasive environments, Proceedings of the 3rd International Conference on Ubiquitous Information Management and Communication, January 15-16, 2009, Suwon, Korea
	Norjihan Abdul Ghani , Zailani Mohamed Sidek, Personal information and privacy in E-commerce application, Proceedings of the 7th WSEAS international conference on Information security and privacy, p.28-32, December 29-31, 2008, Cairo, Egypt