DATA SECURITY AND PRIVACY

Degree course: 
Corso di Second cycle degree in COMPUTER SCIENCE
Academic year when starting the degree: 
2022/2023
Year: 
1
Academic year in which the course will be held: 
2022/2023
Course type: 
Compulsory subjects, characteristic of the class
Language: 
English
Credits: 
9
Period: 
Second semester
Standard lectures hours: 
80
Detail of lecture’s hours: 
Lesson (56 hours), Exercise (24 hours)
Requirements: 

Good knowledge of English. It is also recommended to have taken a basic security course.

Final Examination: 
Orale

The students learning extent is assessed through a written exam and a project. The written exam lasts approx. 1.45 hours. Students are not allowed to consult any text book or other learning material during the exam. The written exam is divided into two parts. The first part consists of 5 open questions on the conceptual aspects of the course, whereas the second part consists of 3/4 exercises whose main goal is to assess the ability of specifying access control/privacy policies with the models, languages, and tools learned during the course. The grade of each part of the written exam is given in thirtieths. The overall grade of the written exam is determined by the following formula: 1/3 * grade of the first part + 2/3 * grade of the second part. The written exam is passed if the student obtains a grade greater than or equal to 18 in both the parts.

The project has the goal of assessing what has been learned during the exercise classes. The grade of the project is given in thirtieths, and it is successful if it is greater than or equal to 18. The final score of the course will be determined by the following formula: 1/3 * grade of the project + 2/3 * grade of the written exam. To successfully pass the course, the student should have a grade greater or equal to 18 in both the project and the written exam.

Assessment: 
Voto Finale

The course has the main goal of illustrating the models, languages, and tools for data protection within a data management system. A part of the course will also be devoted to data protection in innovative contexts (such as for instance IoT and Big Data). More specifically, the main objectives of the course are the following:
1. Know the basic concepts and terminology related to cybersecurity and privacy.
2. Understand the main existing access control models and customize them according to the needs of specific application domains.
3. Know and be able to use the support provided by SQL for access control.
4. Have an in-depth look at the main access control services provided by the Oracle DBMS.
5. Know the main laws and regulations that pertain to data privacy.
6. Understand the differences between online and offline privacy and know the main techniques to achieve both of them.
7. Be aware of the main research trends and challenges in the field of cybersecurity and privacy.
Additionally, the expected course outcomes also include the ability to independently translate specific access control/privacy requirements with the languages/mechanisms seen in class, while also being able to choose the best solution for the considered domain when multiple options are possible. The knowledge provided by the course will facilitate individual deepening of student knowledge and development of new skills. For example, it should not be difficult for a student who has successfully followed the course, to independently learn the concepts underlying a new access control mechanism, or a new technique for privacy protection. This is also facilitated by the presentation of the main research trends in the area.

Lessons will cover the following topics:
Privacy and security in data management systems: basic concepts (6h, objective 1)
Access control within DBMSs (18 h, objective 2)
- basic concepts
- traditional access control models (DAC, MAC, RBAC)
- innovative access control models (e.g., ABAC, content-based, time-based, location-based)
Access control support in SQL (4h, objective 3)
Advanced access control services in Oracle (8 h, objective 4)
- VPD
- OLS
- Vault
Data privacy (16 h, objectives 5/6)
- basic concepts
- GDPR and US legislation
- off-line vs on-line privacy
- Hyppocratic DBs
- purpose-based access control
- data anonymization (k-anonimity, l-diversity, m-invariance, differential privacy)
Data privacy and security: research trends (4 h, objective 7)
- IoT
- Big Data

Exercises will cover the following topics
(24h, objectives 2,3,4):
- Specifying and implementing access control constraints in the Oracle DBMS: hands-on

See the Course content section.

Convenzionale

The course consists of lectures (56 hours) and exercises (24 hours).
The lessons illustrate the basic concepts of cybersecurity and privacy, present the main existing access control models, both for traditional settings and innovative ones, with a particular focus on commercial data management systems. A part of the course is devoted to data privacy and privacy preserving data management techniques able to comply with current legislation.
The exercises aim to provide practical examples of Oracle access control features. Through critical thinking, students learn how to configure and manage access control policies exploiting VPD, OLS, and Vault services.

During the period in which the course is held, students can meet with the instructor on class days at the end of the lessons. In the remainder of the year, the students need to contact the instructor by email to set up an appointment. The instructor will only answer to emails sent by the studenti.uninsubria.it domain.