DATA SECURITY AND PRIVACY
Good knowledge of English. It is also recommended to have taken a basic security course.
Student learning is assessed through a written exam and a project. The written exam lasts approx. 1.5 hours. Students are not allowed to consult any textbook or other learning material during the exam. The written exam is divided into two parts. The first part consists of 5 open questions on the conceptual aspects of the course, whereas the second part consists of 3/4 exercises whose main goal is to assess the ability to specify access control/privacy policies with the models, languages, and tools learned during the course. The grade of each part of the written exam is given in thirtieths. The overall grade of the written exam is determined by the following formula: 1/3 * grade of the first part + 2/3 * grade of the second part. The written exam is passed if the student obtains a grade greater than or equal to 18 in both parts.
The project has the goal of assessing what has been learned during the exercise classes. The grade of the project is given in thirtieths, and it is successful if it is greater than or equal to 18. The final score of the course will be determined by the following formula: 1/3 * grade of the project + 2/3 * grade of the written exam. To successfully pass the course, the student should have a grade greater than or equal to 18 in both the project and the written exam.
The course has the main goal of illustrating the models, languages, and tools for the management of access control and privacy policies within a data management system. A part of the course will also be devoted to access control and privacy issues in innovative contexts (such as for instance IoT, social networks, Big Data). More specifically, the main objectives of the course are the following:
1. Know the basic concepts and terminology related to data cybersecurity and privacy.
2. Understand the main existing access control models and customize them according to the needs of specific application domains.
3. Know and be able to use the support provided by SQL for access control.
4. Have an in-depth look at the main access control services provided by the Oracle DBMS.
5. Know the main laws and regulations that pertain to data privacy.
6. Understand the differences between online and offline privacy and know the main techniques to achieve both of them.
7. Be aware of the main research trends and challenges in the field of cybersecurity and privacy.
Additionally, the expected course outcomes also include the ability to independently translate specific access control/privacy requirements with the languages/mechanisms seen in class, while also being able to choose the best solution for the considered domain when multiple options are possible. The knowledge provided by the course will facilitate individual deepening of student knowledge and development of new skills. For example, it should not be difficult for a student who has successfully followed the course to independently learn the concepts underlying a new access control mechanism or a new technique for privacy protection. This is also facilitated by the presentation of the main research trends in the area.
Lessons will cover the following topics:
Privacy and security in data management systems: basic concepts (6h, objective 1)
Access control within DBMSs (18 h, objective 2)
- basic concepts
- traditional access control models (DAC, MAC, RBAC)
- innovative access control models (e.g., ABAC, content-based, time-based, location-based)
Access control support in SQL (4h, objective 3)
Advanced access control services in Oracle (8 h, objective 4)
- VPD
- OLS
- Vault
Data privacy (16 h, objectives 5/6)
- basic concepts
- GDPR and US legislation
- off-line vs on-line privacy
- Hippocratic DBs
- purpose-based access control
- data anonymization (k-anonymity, l-diversity, m-invariance, differential privacy)
Data privacy and security: research trends (4 h, objective 7)
- IoT
- social networks
- Big Data
Exercises will cover the following topics (24h, objectives 2,3,4):
- Specifying and implementing access control constraints in the Oracle DBMS: hands-on
See the Course content section.
Since the course is on innovative topics, there is no reference textbook but a set of recommended readings, each covering a part of the course.
Suggested textbooks:
E. Ferrari. Access Control in Data Management Systems, Synthesis Lectures on Data Management, Morgan & Claypool, 2010.
B. Catania, E. Ferrari, and G. Guerrini. Sistemi di Gestione Dati: Concetti e Architetture, CittàStudi Edizioni, 2006 (only the chapter on data protection).
For the part of the course covering the Oracle DBMS, it is recommended to refer to the documentation made available online by Oracle.
Lesson and exercise slides (in PDF format), scientific articles and further suggested readings are made available on the university e-learning website, where students can also find the text of previous exams.
The course consists of lectures (56 hours) and exercises (24 hours).
The lessons illustrate the basic concepts of cybersecurity and privacy and present the main existing access control models, both for traditional settings and innovative ones, with a particular focus on commercial data management systems. A part of the course is devoted to data privacy and to privacy-preserving data management techniques able to comply with current legislation.
The exercises aim to provide practical examples of Oracle access control features. Through critical thinking exercises, students learn how to configure and manage access control policies exploiting VPD, OLS, and Vault services.
During the period in which the course is held, students can meet with the instructor on class days at the end of the lessons. In the remainder of the year, students need to contact the instructor by email to set up an appointment. The instructor will only reply to emails sent from the studenti.uninsubria.it domain.