Qompliance: Declarative Data-Centric Policy Compliance on SQL-based Data Movements

Abstract

Data compliance is essential for ensuring that organizations do not run afoul of data protection and privacy legislation. Geographically distributed data is an especially relevant topic because of recent developments in cross-border data protection agreements between the United States and the European Union. We introduce Qompliance, a novel system for automated data-centric compliance evaluation in cloud environments. This approach fills a gap in the research for higher-level data-centric compliance systems with a particular focus on geographically distributed data. Its declarative and extensible policy model allows for defining policies that can govern data movements across borders and is intended to be understandable without explicit knowledge of the governed data by employing a tag-based abstraction layer. The particular challenge is to automate data-centric policy compliance on data movements in a maintainable manner. Qompliance analyzes SQL-defined data movements to extract what data is being addressed and combines this information with additional attributes to match policies in a static manner. Policies can decide whether data movements are allowed and specify requirements on the query and the execution that should be enforced. We provide a qualitative comparison between our approach and related work, and we performed a performance analysis that shows that compliance evaluation can be done in seconds for large sets of policies.