Existing access control models to protect data are user-centric and do not consider additional context describing the data or the users. These types of access control models include, for example, mandatory access control (MAC), discretionary access control (DAC), mandatory integrity control, and role-based access control (RBAC). Attribute-based access control (ABAC) models define access control based on combining attributes, e.g., user attributes, resource attributes, or environment attributes. However, these models are limited in practical use by the combinatorial growth of user roles, complexity of determining and assessing the results of combinations of attributes, as well as performance demands and complexity of data processes at large scale. The technical challenges of combining disparate data across sources are barriers to efficient data management operations and broader discovery of new research opportunities.
Traditionally, applying security policies across multiple technologies is difficult because data owners need to coordinate the encoding of rules for each different technology for runtime enforcement. The rules are often communicated informally and ad hoc through instructions that are disconnected from the data, which increases the risk of both inappropriate use and over-caution by users. As a result, sensitive data may be improperly exposed and other high-value data may become underused due to restricted access. It is desirable to maintain an up-to-date environment that includes many types of data sets and approved uses.
The figures depict various embodiments of the present invention for purposes of illustration only. One skilled in the art will readily recognize from the following discussion that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles of the invention described herein.