Abstract
Data and access to data are becoming more and more a product or service to be sold. In order to deal with data access, this paper presents a marketplace for trading data. Within the marketplace, producers can present their offerings for data access and algorithms, whereas consumers are able to browse through the offerings, to subscribe to corresponding services, and to use them after being approved. As a specific property, the presented approach allows to control data access at a fine-granular level. This supports use cases where different consumers should see different portions of data according to subscribed price models and/or Service Level Agreements (SLAs). The approach takes benefit from API management, particularly the tool WSO2. The paper discusses possible architectures to combine API Management with user-specific filtering and control of SLAs, and illustrates in detail how the features of WSO2 help ease implementation and reduce effort on the one hand. On the other hand, the paper elaborates upon several technical challenges to overcome.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Abramov, J., Anson, O., Dahan, M., et al.: A methodology for integrating access control policies within database development. Comput. Secur. 31(3), 299–314 (2012)
Balazinska, M., Howe, B., Suciu, D.: Data markets in the cloud: an opportunity for the fatabase community. Proc. VLDB Endow. 4(12), 1482–1485 (2011)
Barker, S.: Dynamic meta-level access control in SQL. In: Atluri, V. (ed.) DBSec 2008. LNCS, vol. 5094, pp. 1–16. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70567-3_1
Bertino, E., Jajodia, S., Samarati, P.: A flexible authorization mechanism for relational data management systems. ACM Trans. Inf. Syst. 17(2), 101–140 (1999)
Caires, L., Pérez, J.A., Seco, J.C., Vieira, H.T., Ferrão, L.: Type-based access control in data-centric systems. In: Barthe, G. (ed.) ESOP 2011. LNCS, vol. 6602, pp. 136–155. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19718-5_8
Chaudhuri, S., Dutta, T., Sudarshan, S.: Fine grained authorization through predicated grants. In: 23rd International Conference on Data Engineering (ICDE), pp. 1174–1183. IEEE (2007)
Chlipala, A., Impredicative, L.: Static checking of dynamically-varying security policies in database-backed applications. In: The USENIX Conference on Operating Systems Design and Implementation, pp. 105–118 (2010)
Corcoran, B., Swamy, N., Hicks, M.: Cross-tier, label-based security enforcement for web applications. In: Proceedings of the 2009 ACM SIGMOD International Conference on Management of Data, pp. 269–282. ACM (2009)
Fischer, J., Marino, D., Majumdar, R., Millstein, T.: Fine-grained access control with object-sensitive roles. In: Drossopoulou, S. (ed.) ECOOP 2009. LNCS, vol. 5653, pp. 173–194. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03013-0_9
Fuchs, L., Pernul, G., Sandhu, R.: Roles in information security – a survey and classification of the research area. Comput. Secur. 30(8), 748–769 (2011)
Hohenstein, U., Zillner, S., Biesdorf, A.: Architectural considerations for a data access marketplace. In: Proceedings of the 7th International Conference on Data Science, Technology and Applications (DATA 2018), Porto (Portugal), pp. 323–333 (2018)
Jayaraman, K., Tripunitara, M., Ganesh, V., et al.: Mohawk: abstraction-refinement and bound-estimation for verifying access control policies. ACM Trans. Inf. Syst. Secur. (TISSEC) 15(4), 1–28 (2013). Article No. 18
LeFevre, K., Agrawal, R., Ercegovac, V., et al.: Limiting disclosure in hippocratic databases. In: Proceedings of the 13th VLDB, pp. 108–119 (2004)
Oracle: Using Oracle Virtual Private Database to Control Data Access. https://docs.oracle.com/cd/B28359_01/network.111/b28531/vpd.htm#DBSEG007
Pereira, O., Regateiro, D., Aguiar, R.: Distributed and typed role-based access control mechanisms driven by CRUD expressions. Int. J. Comput. Sci. Theor. Appl. 2(1), 1–11 (2014)
Rizvi, S., Mendelzon, A., Sudarshan, S., Roy, P.: Extending query rewriting techniques for fine-grained access control. In: ACM SIGMOD Conference, pp. 551–562 (2004)
Rjaibi, W.: Data security best practices: a practical guide to implementing row and column access control. https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Wc9a068d7f6a6_4434_aece_0d297ea80ab1/page/A%20practical%20guide%20to%20implementing%20row%20and%20column%20access%20control
Roichman, A., Gudes, E.: Fine-grained access control to web databases. In: Proceedings of the 12th ACM Symposium on Access Control Models and Technologies, pp. 31–40. ACM (2007)
Roman, D., Paniagua, J., Tarasova, T., et al.: proDataMarket: a data marketplace for monetizing linked data. In: Demo Paper at 16th International Semantic Web Conference (ISWC 2017), Vienna (2017)
Sonntag, D., Tresp, V., Zillner, S., Cavallaro, A., et al.: The clinical data intelligence project. Informatik-Spektrum 39, 1–11 (2015)
Wang, Q., Yu, T., Li, N., et al.: On the correctness criteria of fine-grained access control in relational databases. In: Proceedings of the 33rd International Conference on Very Large Data Bases, pp. 555–566 (2007)
Zarnett, J., Tripunitara, M., Lam, P.: Role-based access control (RBAC) in Java via proxy objects using annotations. In: Proceedings of the 15th ACM Symposium on Access Control Models and Technologies, pp. 79–88. ACM (2010)
XACML: XACML – eXtensible Access Control Markup Language. http://www.oasisopen.org/committees/tchome.php?wgabbrev=xacml
Acknowledgements
This research has been supported in part by the KDI project, which is funded by the German Federal Ministry of Economics and Technology under grant number 01MT14001 and by the EU FP7 Diachron project (GA 601043).
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Hohenstein, U., Zillner, S., Biesdorf, A. (2019). Architectural Considerations for a Data Access Marketplace Based upon API Management. In: Quix, C., Bernardino, J. (eds) Data Management Technologies and Applications. DATA 2018. Communications in Computer and Information Science, vol 862. Springer, Cham. https://doi.org/10.1007/978-3-030-26636-3_5
Download citation
DOI: https://doi.org/10.1007/978-3-030-26636-3_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-26635-6
Online ISBN: 978-3-030-26636-3
eBook Packages: Computer ScienceComputer Science (R0)