Thursday, March 31, 2011

Opinions about ActiveBase webcast

I attended the ActiveBase webcast just now. The brief introduction of their product can be found here: link. Here's a quick summary of their product,

ActiveBase, currently support oracle and sql server, provides sql proxies based on query rewriting to dynamiclly anonymize data. There's no need of change to application and db. The product can be installed 1. on each database server. 2. dedicated app servers as proxies/firewall.

The protection solutions they provide: masks, scrambles, hides, audits, blocks fields. They adopt Role Based Access Aontrol to determine the anonymization methods and results returned to user.

Major concerns I have about their product:

- It seems the query rewritting technique needs a lot of manual effort, for each type of query. It is hard to automate for ad hoc queries. So there's big maintaince cost.

- They don't have any privacy guarantee on their solution. Specificly, they use the query proxy technique and dynamiclly rewrite each query and return answers. Will the attacker be able to design queries carefully, and get multi versions of the anonymized data, make comparisons and thus lead to information leakage?

- What's the usability of the anonymized dataset? For simple masking, the data doesn't have much usability after anonymization.

Anyway, I'm still glad to see privacy and anonymization are getting more and more attention, and new products being developed. An interesting future work would be: what are the special techniques needed to provide anonymity to no-sql databases and cloud db?

Labels: , ,


Post a Comment

<< Home