TY - GEN

T1 - QOMPLIANCE

T2 - 2023 IEEE Asia-Pacific Conference on Computer Science and Data Engineering, CSDE 2023

AU - Oudejans, Daan

AU - Zorin, Anton

AU - Rellermeyer, Jan S.

N1 - Publisher Copyright: © 2023 IEEE.

PY - 2023

Y1 - 2023

N2 - Data compliance is essential in industry applications to ensure that organizations do not run afoul of data protection and privacy legislation. Geographically distributed data is an especially relevant topic because of recent developments in cross-border data protection agreements, e.g., between the United States and the European Union. We report our experience of designing and implementing QOMPLIANCE, a system for automated data-centric compliance evaluation in cloud environments. Our approach fills a gap in the research for higher-level data-centric compliance systems with a particular focus on geographically distributed data. Its declarative and extensible policy model allows for defining policies that can govern data movements across borders and is intended to be understandable without explicit knowledge of the governed data by employing a tag-based abstraction layer. The particular challenge is to automate data-centric policy compliance on data movements in a maintainable manner. QOMPLIANCE analyzes SQL-defined data movements to extract what data is being addressed and combines this information with additional attributes to statically match policies. Policies decide whether data movements are allowed and specify requirements on the query and the execution that should be enforced. We provide a qualitative comparison between our approach and related work, and we performed a performance analysis which shows that compliance evaluation can be done in seconds for large sets of policies.

AB - Data compliance is essential in industry applications to ensure that organizations do not run afoul of data protection and privacy legislation. Geographically distributed data is an especially relevant topic because of recent developments in cross-border data protection agreements, e.g., between the United States and the European Union. We report our experience of designing and implementing QOMPLIANCE, a system for automated data-centric compliance evaluation in cloud environments. Our approach fills a gap in the research for higher-level data-centric compliance systems with a particular focus on geographically distributed data. Its declarative and extensible policy model allows for defining policies that can govern data movements across borders and is intended to be understandable without explicit knowledge of the governed data by employing a tag-based abstraction layer. The particular challenge is to automate data-centric policy compliance on data movements in a maintainable manner. QOMPLIANCE analyzes SQL-defined data movements to extract what data is being addressed and combines this information with additional attributes to statically match policies. Policies decide whether data movements are allowed and specify requirements on the query and the execution that should be enforced. We provide a qualitative comparison between our approach and related work, and we performed a performance analysis which shows that compliance evaluation can be done in seconds for large sets of policies.

KW - compliance

KW - data processing

KW - policies

UR - http://www.scopus.com/inward/record.url?scp=85190604997&partnerID=8YFLogxK

U2 - 10.1109/CSDE59766.2023.10487688

DO - 10.1109/CSDE59766.2023.10487688

M3 - Conference contribution

AN - SCOPUS:85190604997

SN - 979-8-3503-4108-9

BT - Proceedings of the 2023 IEEE Asia-Pacific Conference on Computer Science and Data Engineering, CSDE 2023

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 4 December 2023 through 6 December 2023

ER -