Abstract
From the United States’ Health Insurance Portability and Accountability Act (HIPAA) to the European Union’s General Data Protection Regulation (GDPR), there has been an increased focus on individual data privacy protection. Because multiple enforcement agencies (such as legal entities and external governing bodies) have jurisdiction over data governance, it is possible for the same data value to be subject to multiple (and potentially conflicting) policies. As a result, managing and enforcing all applicable legal requirements has become a complex task. In this paper, we present a comprehensive overview of the steps for integrating data retention and purging into a database management system (DBMS). We describe the changes necessary at each step of data lifecycle management, the minimum functionality that any DBMS (relational or NoSQL) must support, and the guarantees provided by this system. Our proposed solution 1) is completely transparent from the perspective of the DBMS user; 2) requires only a minimal amount of tuning by the database administrator; 3) imposes a negligible performance overhead and a modest storage overhead; and 4) automates the enforcement of both retention and purging policies in the database.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Scope, N., Rasin, A., Lenard, B., Wagner, J. (2023). Compliance and Data Lifecycle Management in Databases and Backups. In: Strauss, C., Amagasa, T., Kotsis, G., Tjoa, A.M., Khalil, I. (eds) Database and Expert Systems Applications. DEXA 2023. Lecture Notes in Computer Science, vol 14146. Springer, Cham. https://doi.org/10.1007/978-3-031-39847-6_20
DOI: https://doi.org/10.1007/978-3-031-39847-6_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-39846-9
Online ISBN: 978-3-031-39847-6
eBook Packages: Computer Science, Computer Science (R0)