Embed Size (px)
Citation preview
Security and Privacy for Geospatial Data:Concepts and Research Directions
Inaugural Paper for the ACM SPRINGL Workshop
Elisa BertinoDepartment of Computer Science
Purdue University, [email protected]
Michael GertzInstitute of Computer Science
University of Heidelberg, [email protected]
Bhavani ThuraisinghamDepartment of Computer Science
University of Texas at Dallas, [email protected]
Maria Luisa DamianiDipartimento di Informatica e Comunicazione
Università degli Studi di Milano, [email protected]
ABSTRACTGeospatial data play a key role in a wide spectrum of criticaldata management applications, such as disaster and emer-gency management, environmental monitoring, land and cityplanning, and military operations, often requiring the coor-dination among diverse organizations, their data reposito-ries, and users with different responsibilities. Although avariety of models and techniques are available to manage,access and share geospatial data, very little attention hasbeen paid to addressing security concerns, such as accesscontrol, security and privacy policies, and the developmentof secure and in particular interoperable GIS applications.The objective of this paper is to discuss the technical chal-lenges raised by the unique requirements of secure geospatialdata management and to suggest a comprehensive frame-work for security and privacy for geospatial data and GIS.Such a framework is the first coherent architectural approachto the problem of security and privacy for geospatial data.
Categories and Subject DescriptorsH.2.8 [Database Management]: Database Applications—Spatial Databases and GIS ; K.6.5 [Management of Com-puting and Information Systems]: Security and Pro-tection; K.4.1 [Computers and Society]: Public PolicyIssues—Privacy
General TermsManagement, Security, Theory, Legal Aspects
KeywordsGIS, Geospatial Data, Security, Privacy
Permission to make digital or hard copies of all or part of this work forpersonal or classroom use is granted without fee provided that copies arenot made or distributed for profit or commercial advantage and that copiesbear this notice and the full citation on the first page. To copy otherwise, torepublish, to post on servers or to redistribute to lists, requires prior specificpermission and/or a fee.SPRINGL 2008 Irvine, CA, USACopyright 2008 ACM 978-1-60558-324-2/08/11 ...$5.00.
1. INTRODUCTIONAdvancements in sensor technology, satellite imagery, and
field surveys have made it possible to generate and collectlarge amounts of geospatial data, at an ever increasing levelof temporal coverage and spatial resolution. For example,thematic and topographical maps in support of disaster andemergency management, homeland security, and environ-mental crises provide geospatial data for various featuresof locations and facilities at very fine-grained levels of de-tail. These advancements have recently raised many datasecurity, privacy, and safeguarding concerns, not only bythe public but also by federal, state, and local governmentorganizations, which are concerned that publicly availablegeospatial information can be exploited by attackers for cor-rupting critical infrastructures and compromising the secu-rity and privacy of people, property, and systems.
National and international efforts, such as the NationalSpatial Data Infrastructure [49], the Global Earth Observa-tion System of Systems [8], and the Critical InfrastructureProtection Initiative [7], primarily focus on the coordinateddevelopment, use, sharing, and dissemination of geospatialdata among the wide range of federal government agenciesand offices. While consistent and reliable means to manage,share, and access geospatial data are available, very little at-tention has been given to addressing security concerns, suchas access control, security and privacy policies, and the de-velopment of secure interoperable GIS applications. This isdespite many reports, such as the RAND vulnerability re-port [15] and the NSDI Guidelines for Providing AppropriateAccess to Geospatial Data in Response to Security Concerns[48], which identify the various potential risks that arise dueto the production and (public) dissemination of geospatialinformation. These reports in particular call for mechanismsto safeguard the increasing amount of geospatial data.
To date, however, the problem of security and privacy forgeospatial data and GIS has not been much investigated andthere is not even a comprehensive understanding of all theissues that need to be addressed. The goal of this paper is toidentify and explore such issues and develop a comprehensiveframework for security and privacy for geospatial data andGIS.
The paper is organized as follows: Section 2 discusses
three real world scenarios; such scenarios provide concreteexamples motivating the needs for research in the area ofsecurity and privacy for geospatial data and GIS. The exam-ples also show that in most cases GIS and geospatial applica-tions need interoperable access to heterogeneous data repos-itories, which poses interesting security challenges. Section3 discusses security issues that are unique to geospatial dataand argues that current security and privacy solutions de-veloped for conventional data are not adequate. We thenproposes a comprehensive framework that is the first coher-ent architectural approach to the problem of security andprivacy for geospatial data. Any actual solution will likelyimplement most of the components of the suggested frame-work. Based on such a framework, in Section 6, the paperexplores research issues by discussing in detail requirements,shortcomings of current approaches, and possible solutions.Relevant issues include access control models for geospatialdata, privacy, and trust. Many relevant open issues are iden-tified throughout the discussion. The paper concludes byoutlining suitable evaluation metrics for the envisioned so-lutions and presenting concluding remarks.
2. CURRENT PRACTICES AND MOTIVA-TIONAL SCENARIOS
To better illustrate the diverse and complex security andprivacy requirements of geospatial data repositories and ap-plications, we outline some practically relevant GIS appli-cation scenarios increasingly complex in nature. The maintheme of the scenarios is to demonstrate the need for a secu-rity and privacy management framework in support of GISapplications typically used in disaster and emergency prepa-ration, mitigation, and response. The basis for our scenar-ios is a collection of GIS repositories available for NorthernCalifornia, directly accessible through the California SpatialInformation Library (CaSIL)1.
As illustrated in Fig.1, for particular geographic regions,several thematic layers of geospatial data are available. Acollection of layers is typically managed by a single federal,state, or local organization; there is no single organizationthat manages all geospatial data of interest for all regions.For example, water resource thematic layers, managed byan organization such as the U.S. Geological Survey (USGS),comprise information about streams, drainage areas, sur-face terrains, and rainfall responses for particular regions.Census unit and boundary layers manage information aboutadministrative units (e.g., blocks and tracts), streets and ad-dresses as well as municipal, county, state, and federal censusboundaries.
A base layer can be either an image, i.e., field-based datain the form of satellite imagery or a digitized map, or somevector data that represent particular geographic features ofinterest, such as roads, buildings, and particular public andprivate areas. Vector data may include fine-grained typeinformation, such as types of roads, buildings etc. In general,all data managed in a GIS repository is geo-referenced, thusproviding an easy way to stack layers in order to obtain new(derived) GIS layers and data products. The hybrid-viewfeature in Web map servers such as Google Maps, GoogleEarth, NASA World Wind, and Yahoo! Maps is a prominentexample of the overlay of satellite imagery with vector data,such as streets, boarders, and services.
1http://casil.ucdavis.edu or http://gis.ca.gov
Scenario I.Assume a single GIS data repository that manages infor-
mation about parcels (as basic units of geography for localgovernment) and cadastre, including land use and zoning,environmental areas, and municipal utility services. Suchtype of repository is typically used by public sector staff atthe municipal level to assist property owners and to sup-port emergency, fire, and police operations. The latter typeof usage includes identifying property structures and own-ers. Parcel maps in particular can be useful to do damageassessment after a disaster. They are also an important ac-cess point during emergencies for linking data from differentGIS repositories. While such types of geospatial are usedto serve the public, e.g., through Web-based interfaces, notall data layers are made publicly available. For example,fine-grained property owner demographic information is notpublicly accessible. A similar separation of public and pri-vate GIS data can be made for other types of themes. Forexample, environmental theme layers do not make informa-tion about locations of endangered species or nesting sitespublic.
Analysis: Based on this type of separation of GIS data,the following question arises: What security mechanisms areused to specify and enforce different types of access to datain a single GIS repository? In particular, what provisionsdo GIS data managers have to (1) give public sector staffonly access to GIS data relevant to their function, and (2)ensure that no sensitive geospatial data (e.g., parcel ownerinformation) is made public?
In current GIS practice, access control is typically real-ized at the theme layer level, not taking into account com-plex geospatial features, the composition of features throughtheme overlays and in particular the overlay of satellite im-agery with vector data. How can one blend out or obfuscateparticular geospatial features at one theme layer so that sen-sitive features at another layer cannot be derived by a simpleoverlay? Regarding satellite imagery, they are provided byGoogle Maps at a resolution of a few inches for some U.S.states. That is, fine-grained satellite imagery and aerial pho-tography is already publicly available. Therefore, while ac-cess control may not be an issue here, the more interestingsecurity aspect is the study of potential privacy threats thatmay occur when high-resolution satellite imagery is com-bined with vector data layers, in particular when the vec-tor data represent demographic (and possibly aggregated)data of people living in an area. Such aspects are key togeo-marketing. In general, privacy in GIS is not well under-stood (e.g., [31, 32, 50]), and thus requires a more thoroughinvestigation in the context of disaster and emergency man-agement.
Scenario II.Suppose California is preparing for a potential natural dis-
aster, say a major flooding in the Sacramento/San Joaquinarea. Geospatial data is clearly key to disaster preparationand response, which is conducted by various county andmunicipal emergency service teams. Information from au-tonomous GIS repositories, each managing geospatial datafor a particular thematic aspect such as hydrology, parcels,land use, health facilities etc., needs to be integrated to sim-ulate events over time and to plan the coordination of emer-gency mitigation tasks. Simulations address aspects such asassessment of potential damages to critical utility and trans-
Water Resources
Census unit & boundaries
Utility networksParcels & cadastre
Land use
Figure 1: Example of several GIS repositories and GIS themes/layers for Northern California
portation infrastructures or planning for the evacuation ofthe public in endangered areas, to name a few.
Analysis: If the entire body of geospatial data wouldbe made available by simply integrating the data from thedifferent repositories, there is clearly a potential for datamisuse and privacy violations. Sensitive information suchas building ownerships might be revealed or informationabout critical infrastructure could become publicly accessi-ble. Given the number of people and organizations involvedin a disaster preparation scenario, security measures must betaken to provide users and applications only with data on aneed-to-know basis. Building on the security and privacy re-quirements indicated in Scenario I, the question is how suchsecurity mechanisms, if present in individual should GIS,be extended to be applicable to interoperable GIS reposito-ries and applications? Assuming individual GIS repositorieshave been equipped with access controls and security mech-anisms, security policies now spanning several repositoriesneed to be integrated and analyzed to discover potential se-curity and privacy violations. Role-based access controls forinteroperable GIS repositories seem a desirable mechanismto address these important security requirements. However,none of these provisions are made in such types of GIS ap-plications, despite being strongly emphasized in the recentNSDI report [48]. A key question is How to set up a secureinteroperable GIS framework?
Scenario III.The above scenario presumably takes place in a static set-
ting. That is, geographic data sets and associated securitypolicies are integrated in a controlled and stepwise mannerto satisfy the diverse information requirements of applica-tions employed in the simulation. This changes once a dis-aster or emergency actually occurs. No simulation can an-ticipate all possible scenarios, required geographic data sets,and supporting GIS applications. Thus, in the event of anemergency, it is very likely that new data sets need to beintegrated in an ad-hoc fashion, data requirements of appli-cations change over time, GIS data sets need to be updatedto account for changes in the real-world, and in particularaccess and privacy policies need to be adjusted.
Analysis: While geospatial data integration approacheslikely suffice to integrate heterogeneous forms of geo-refer-enced data, it is not clear how security and privacy man-agement should occur. Many security principles are oftenabandoned in favor of timely access to mission critical data.
An important aspect often neglected in this approach is thata disaster causes changes to the transportation and utilityinfrastructure, building, geological properties of areas, andlocation of potentially large parts of the population in af-fected areas. A key question then is How the geographicdata used by GIS applications can be kept up-to-date, reli-able, and trustworthy while still enforcing basic security andprivacy needs? Ideally, security policies and mechanismsshould be more dynamic, context-dependent, and reactive.All this should happen with little intervention from GIS datamanagers and disaster response teams. For example, con-sider a team of first responders that reports a road beingdamaged. This information needs to be fed back into theinteroperable GIS infrastructure in a trustworthy manner.Also, teams might require immediate access to previously(because of security and privacy policies) restricted infor-mation, for example, in case another team is requesting helpin evacuating elderly people from some buildings. How canone still support appropriate levels of data privacy? How canone minimize the risk of misuse in such dynamic settings?Virtually no work has been carried out to address such press-ing security and privacy needs. Respective security models,techniques, and architectures are not yet established for evenindividual GIS data repositories.
3. SECURITY ISSUES UNIQUE TO GEO-SPATIAL DATA
Security issues for geospatial data are different and inmany ways more complex than security issues for relationaldata. These differences concern both the data organizationand structures, and in particular the ways the data are used.In a GIS, data is typically organized in different thematiclayers; these layers, which can be large in number, representdifferent aspects of an application domain. Also, the samespatial region can be represented by either field-based data,i.e., satellite imagery or map data, or by vector-based data,i.e., a collection of possibly complex geographic features. Be-cause of the organization in layers, the same geo-referencesfeature, e.g., a building or road, can be represented in dif-ferent layers and ways.
Geospatial data can be characterized as complex data ob-jects with complex relationships among them. Securing thistype of data poses challenges that are yet to be fully un-derstood and addressed. For example, integrity techniques(such as Merkle hash tree) have been developed for simpler
data structures, but not for complex objects with complexrelationships. Access control and privacy pose many issues,such as the unit of protection. Is such unit a layer, a por-tion of a layer, a geographic feature presented at a layer,a component of a feature, an application entity (indepen-dent from the layers in which it appears)? Are relationshipsalso to be protected by access control? How does one spec-ify and enforce content-based access control? The conven-tional view mechanisms developed for relational databaseswould not work here since diverse context information maynot be readily accessible in a view. In terms of data us-age, many applications generating and using geospatial dataare dynamic as the set of subjects and geographic featuresmay dynamically and rapidly change, as in the case of dy-namic GIS coalitions for emergency response. Moreover, insuch context, one may need to combine data from severalsources that are independently administered and thereforecharacterized by heterogeneous security policies. Such us-age requires different approaches to architecting the datasecurity solutions. For example, one may need to performdynamic security policy reconfiguration and merge possiblylarge numbers of heterogeneous security policies due to thecomplexity and diversity of geospatial features and opera-tions on such features.
Several questions need answers in order to appropriatelysecure geospatial data. Since geospatial data come in diverseformats, such as thematic maps or satellite imagery, what isan appropriate data model underlying a security frameworkto specify semantic-rich security policies and to reason aboutsuch policies? What constitutes the notion of a geospatialfeature, collections and compositions of features, and oper-ations on these features? What types of security policies forgeospatial data are necessary and how can such policies becomposed in a meaningful and consistent manner? How dowe integrate active aspects into policies, such as blending outor obfuscating particular features? How do reasoning tech-niques for security policies take advantage of topological andspatio-temporal properties of geospatial data? What con-stitutes a modular approach for a service-oriented securityarchitecture to manage geospatial data, and how does suchan infrastructure interact with diverse types of GIS datarepositories and applications? How will such an infrastruc-ture change the way practitioners and researchers managethe security and privacy of geospatial data? A better under-standing of these issues will provide insights to design andimplement modular, scalable, and service-oriented systemsfor the secure management of geospatial data.
4. RELATED WORKThere has been considerable work in building security in-
frastructures for relational data and, more recently, semi-structured data. Several access control models and securitypolicy frameworks have been developed (see, e.g., [23, 24, 37,36, 57]). Many of these techniques have been successfully de-ployed as part of database management systems. Relevantmodels also take into account organizational functions suchas role-based access control (e.g., [19, 55, 56]) and credential-based access control [22, 61]. Techniques for composing andreasoning about security policies (e.g., [20, 39, 42, 53, 58]) aswell as concepts for managing trust and privacy have beendeveloped. All these developments have led to principlesand paradigms for the secure management of data in thetraditional realm of relational and semi-structured data.
One approach would be to adopt and extend such securitymodels and techniques to geospatial data and GIS applica-tions. However, the complexity and heterogeneity of geospa-tial data as well as the various non-traditional (compared torelational) operations on geospatial data pose several chal-lenges, requiring research on the theory and the engineeringof geospatial security models, techniques, and tools. Somework on securing geospatial data systems has been reported.However, existing access control models and techniques forgeospatial data primarily consider only one type of data, ei-ther field-based data (e.g., [13, 14]) or feature-based data(e.g., [16, 21]). There is no framework that investigatesthe (dynamic) combination of field- and feature-based data,the required functionality of a uniform and comprehensivesecurity and privacy policy specification language, implica-tions on reasoning about policies, and realizing policies inpractical geographical application settings, including secu-rity mechanisms for GIS, service-oriented architectures, andWeb services. On the other hand, the emerging applicationand research areas of spatially-aware or location-based accesscontrol models [28, 41] do not address the issue of geospa-tial data protection, but rather focus on the use of positioninformation for strong access control, which is a differentobjective.
5. A COMPREHENSIVE FRAMEWORKFOR GEOSPATIAL DATA SECURITY
The development of a comprehensive and coherent frame-work for managing the security of interoperable GIS datarepositories and applications (see Fig. 2) requires investi-gating several issues and novel specialized tools, includingthe following.
Security Policy Specification and Reasoning. Mostgeospatial applications require fine-grained and flexible ac-cess to geospatial data. Building ad-hoc data sets for eachtype of access and application is not suitable when the usercommunity is large and dynamic, and access control policieschange in the case of certain events, such as those dealt within emergency situations. Relevant components of a securitypolicy specification and reasoning framework include:
• A comprehensive geospatial data model that is able toexpress different types of geospatial and spatio-temporaldata (geographic features and field-based data), andthat provides a rich set of typical operations on geospa-tial data (image operations and spatial transforms).
• A security policy specification tool supporting multi-ple geospatial data representations and granularities,feature and policy grouping mechanisms, diverse dataaccess and modification rights, active policies, and dy-namic application contexts and user populations.
• A security policy reasoning tool able to determine in-consistent and redundant policies at policy compiletime and/or data access time. One approach towardthe development of such tool is to extend existing logic-based reasoning approaches to incorporate specifics ofgeospatial data, such as topological and temporal prop-erties.
• Access control modules organized as service to GISrepositories, applications, and Web services, to verify
Access Control Mechanisms
GIS Interoperation Services & GIS Data Repository Access
DATA INTEROPERATION & ACCESS LAYER
Policy Specifications
Policy ReasoningEngine
Trust & Privacy Management
Authentic Data Publication
SECURITY LAYER
OGCFramework
Core &ApplicationSchemas
GeospatialFeatures
GML
Metadata
GIS Web ServicesTraditional GIS
Wrapper
GIS Data Repositories
DATA PRESENTATION LAYER
Figure 2: Components of the proposed security and privacy framework
accesses to and operations on (possibly distributed andheterogeneous) GIS repositories.
Interoperability of Security Policies. Many emergingGIS applications and services rely on standards developedby the Open Geospatial Consortium (OGC) [3]. In orderto provide a feasible security and privacy approach that canbe applied in practical settings and real-world applications,one should:
• Incorporate components of the adopted geospatial datamodel and security policy specification language intostandards such as the Geography Markup Language(GML) [9] based application schemas, Web Feature/Coverage Services, and Web Map Services.
• Develop mapping techniques specialized for the inte-gration and translation of security policies and amongheterogeneous and distributed GIS repositories.
Trust, Privacy and Integrity. Data privacy and trustplay a crucial role in GIS applications that deal with privateand mission critical data. It is important to have mecha-nisms that detect tampering with the data or the release ofprivate data, thus undermining their integrity and privacy.To address such concerns, services need to be developed thatprovide a modular extension of the policy specification andreasoning framework. More specifically, activities should:
• Design and implement a trust management componentto enforce trust-based policies that describe what levelof trust should be placed on users and geospatial datasets in dynamic and context-based scenarios, in par-ticular those in the context of dynamic GIS repositorycoalitions.
• Develop a privacy-centric security policy and enforce-ment component that will handle both trusted and un-trusted GIS applications that require exact geospatialdata for a service.
• Develop mechanisms and techniques that allow usersto verify the trustworthiness of geospatial data throughauthentic data publication schemes, ideally in combi-nation with GIS Web Services.
6. RESEARCH DIRECTIONSWe now discuss research directions concerning individual
components of the security framework proposed in the pre-vious section, and we illustrate how to integrate them into ascalable, coherent and flexible architecture. For each of thecomponents, we outline some of the requirements, currentstate-of-the-art approaches and their limitations, and somepossible approaches.
6.1 Geospatial Data Model:Conceptual Framework and Realization
Requirements. A fundamental requirement for the spec-ification of security and privacy policies for different repre-sentations of geospatial data and for reasoning about suchpolicies is a geospatial data model (GDM). Such a modeldefines different types of spatially referenced objects and aprecise semantics for operations on these objects. In partic-ular, it provides the basic vocabulary for specifying securitypolicies.
Current approaches and limitations. Existing GDMseither deal only with feature-based (also known as object-based) data, such as vector data, maps, or thematic lay-ers [52], or field-based data, such as satellite imagery andaerial photography [40, 45]. There is no model that com-bines feature-based and field-based data in a single coher-ent and semantic rich framework as basis for the securityrequirements outlined in Section 5. What does it mean todiscuss geospatial features in a layer that is a combination ofa satellite imagery overlaid with some vector data? A com-prehensive GDM is crucial to specify meaningful securitypolicies for geospatial data and to reason about such poli-
cies. For example, if field-based data can easily be overlaidwith vector data in an application but there is no provisionin terms of security policy and access control for restrict-ing such operations, sensitive information might be revealedto users, thus potentially violating privacy policies. Thesetypes of operations are typically supported by most GIS andWeb Services, and several security threat scenarios are con-ceivable that cannot be dealt with using existing technologyand security mechanisms.
Approach: The Core Geospatial Data Model. In or-der to address the pressing needs for a comprehensive GDMas basis for our proposed geospatial security framework, asuitable approach is to extend the Layered Spatial DataModel (LSDM) [17], which is a reference framework for mul-tiple representations of geographic maps and supports point,line, and region data. To be viable for security and privacy,such an extension, that we refer to as Generalized LSDM,has to integrate field-based data into LSDM and provide arich set of operations on feature- and field-based data aswell as combinations thereof. Fig. 3 illustrates the layering.In addition, such a model should support temporal features(time-stamped data, events, and moving objects), featurecomposition, grouping of features - the latter two aspectsbeing an important functionality for specifying security poli-cies at different levels of object granularity. Operations onfeatures in GLSDM should include: feature selections (basedon non-spatial feature properties), spatial and temporal se-lections, spatial transforms for both feature- and field-baseddata (map and spatial re-projections, zooming, general affinetransformations [34, 45], and map algebra operations [59],neighborhood operations, traditional GIS theme operations(theme selection, overlay, union, merger), and insertions,deletions, and modifications of features.
Figure 3: GIS data layers (themes)
Conceptually, GLSDM can be designed as a logic-basedlanguage, primarily to allow for effective policy reasoningtechniques and tools. That is, a logic-based language canbe used to describe geospatial features and operations onthe features in the context of the security layer (see Fig. 2).In such context, the OGC framework and the GeographicMarkup Language (GML) [6, 43] can be used to draw fea-ture types and operations on (collections of) features fromGML core and application schemas. These schemas serveas main vocabularies to specify security and privacy poli-cies. GML offers several components for modeling geometry,topology, temporal elements, dynamic features, and coordi-nate reference systems. These core components thus needto be mapped into GLSDM; approaches to perform a one-to-one mapping between a GML application schema and aninstance of GLSDM thus need to be investigated. Further-
more, in order to integrate field-based data into such a map-ping, one possibility is to investigate the recently proposedJPEG 2000 standard2, which can be used as reference formatfor satellite imagery and aerial photography. In fact, OGCrecently initiated the support of GML metadata encoding inJPEG 2000 Image files, thus providing the proposed frame-work and model with a coherent framework to draw uponboth feature- and field-based data and object types. Thus,by mapping GML features and metadata specifications intoGLSDM, one can describe security policies that are tightlyintegrated with GML application schemas and services usingthese schemas, such as Web Feature Services, Web CoverageServices, and Web Map Services.
6.2 Policy Specification and ReasoningFramework
Requirements. The development of a policy specificationand reasoning framework for geospatial data and applica-tions poses a number of challenging requirements, arisingfrom the richness and multiplicity of data representations,the dynamic and mobile user populations, and dynamic ap-plication contexts as illustrated in the scenarios. Relevantrequirements include:
(i) the specification of authorizations against geospatialobjects at flexible granularity levels, and for the vari-ous spatial representations, object dimensions, and res-olution;
(ii) a variety of object grouping mechanisms, based notonly on feature types, but also on object content andmetadata, and spatial position;
(iii) a variety of access rights corresponding to operationsthat can be executed on data;
(iv) mechanisms for dynamically generating modified rep-resentations of protection objects, through, for exam-ple, obfuscation and blurring, depending of the privi-leges of the subject accessing the objects and the con-tents of the objects; we refer to such mechanisms asactive authorizations;
(v) attribute-based and profile-based user specification andauthorization;
(vi) event-based activation/deactivation of policies.
Current approaches and limitations. Despite the rele-vance of access control in the context of high-assurance se-curity for geospatial data, no comprehensive approach existsaddressing these requirements. Current approaches can becategorized in two broad classes, based on whether they aremore focused on geospatial representation of data, as in spa-tial data infrastructures [14, 16, 21, 46], or user mobility, asin location-based services [25, 27, 38, 41]. These approachessuffer from several shortcomings, such as lack of integrationwith current standards for geospatial data, limited set of ac-cess rights, limited support in access control rules for the richand complex structures, no support for dynamic policies,active authorization and modularization, and no reasoningmechanisms. Notably the GeoXACML model [46] has re-cently acquired the status of an OGC standard [1]. Yet the
2http://www.jpeg.org/jpeg2000/
model only provides some basic functionality for integratingspatial data and functions into XACML.
Approach: The policy model and language. The coreof any suitable approach to security for geospatial data isrepresented by a semantically rich logical model for accesscontrol; this model is the basis on which access control deci-sions are made and reasoning is performed. The core model,however, is not intended to be used by users or applicationsand a concrete syntax of the model would also need to be de-veloped based on GML and other relevant standards, such asXACML. The policy model must support a broad spectrumof dimensions in access control policies, including:
• Deny/allow policies with flexible granularity, groupingmechanisms for protected objects, and space-related ac-cess restrictions. Deny/allow policies can be supportedthrough the use of positive/negative authorizations;negative authorizations are crucial in order to supportexceptions by which, for example, an authorization isassigned to all objects in a set but one. In our con-text, this paradigm is complicated by the larger op-tions that we provide for denoting protected objectsand by the presence of different object representationsand dimensions. A possible main mechanism that wepropose to support flexible grouping is based on the no-tions of object-locator and spatial window. An object-locator is a query expression that may include predi-cates against properties of feature types, metadata andprovenance data. Predicates may also refer to topolog-ical relationships holding among the data objects, suchas Within and Touches. An example of a policy usingTouches is the one allowing a subject, which has accessto information on a particular land parcel, to access in-formation about all adjacent land parcels. The queryexpression may also include a projection componentto specify an object representation and components.A spatial window is simply a spatial region in the ref-erence space and denotes the set of objects that areinside the boundary of the region. By combining twosuch mechanisms, one can specify sets of objects suchas all shelters occupying an area greater than 3000sf inYolo County ; in this case Yolo County represents theauthorization window. The use of spatial windows isparticularly important to give/deny authorizations toinsert or modify features in a given spatial region.
• Active policies. These are policies that, when appliedto a protected object, perform certain transformationson the object before returning it to the requester. Tworelevant classes are filtering policies and obfuscatingpolicies. Filtering policies refer to policies that filterout some portions of the objects before returning themto the users. These policies are directly supported bythe suggested object locator mechanisms. Obfuscat-ing policies act like filter policies except that they donot simply select objects but perform possibly com-plex computations on the feature(s) to be returned.Typical examples include computing a lower resolutionimage, and distorting some vector data (but preserv-ing topological relationships). In our proposed modelthese policies are supported by the projection compo-nent, suitably extended with the possibility of invokingfunctions of the object locator. We expect that such
functions can be provided as part of a pre-defined li-brary.
• Context-dependent access control policies. Under suchpolicies, information from the environment is takeninto account by the access control module when takingdecisions about access requests. Typical contextual in-formation includes time and subject location. Subjectlocation information is used to specify policies allowinga subject to access a resource only if the current loca-tion of the subject verifies certain spatial constraints.Context-dependent access policies can be supported bythe introduction of a context component, as part of au-thorization rules, and by attribute-based specificationof subjects in authorization rules.
• Event-based access control policies. Event-based accesscontrol policies are novel and are based on the idea thatpolicies can be enabled/disabled depending on the oc-currence of specified events. Events can include datamodifications, very much like in database triggers, orapplication-dependent events, such as an emergency.We notice that current sensor networks and intelligentappliances make it very easy for a computer systemto detect events arising in the environments. It is im-portant that such capabilities be exploited as part ofa model like the one envisioned here.
Authorization Model. The basic element of the envi-sioned logical access control model is represented by the no-tion of authorization, which is a 7-tuple of the form
{Ev, Co, Sj, Op, Ol, Sw, Ef}
whose components represent the Event (Ev), the Context(Co), the Subject (Sj), the Operation (Op), the ObjectLocator (Ol), the Spatial Window (Sw), and the Effect(Ef).
The Effect component specifies the intended effect of theauthorization, that is, Permit to give access, Deny to denyaccess, Partial Permit to give access under the conditionthat the object is modified according to the functions spec-ified in the Object Locator component of the authorization.Authorizations having as effect Partial Permit are active au-thorizations in that they dynamically modify the objects re-turned to the application. Different active authorizationscan be specified for the same protected objects and differ-ent subjects, thus allowing different subjects to see differentrepresentations of the protected objects, according to theirneed to know. The Object Locator component of an au-thorization thus consists of the specification of a protectedobject, or set of protected objects, according to the GLSDMlanguage (or to the language used for spatial data represen-tation), and of an optional transformation function.
In addition to what we have already discussed, it is impor-tant to point out that the Subject can be not only a userid or a (possibly spatial) role, but also a Boolean combina-tion of predicates against subject attributes; in such case,the authorization applies to all users verifying such Booleancombination. The Operation component of the authoriza-tion specifies the type of operation that can be executed onthe protected object; such specification may also include adimension specification to denote that the operation has tobe restricted only to the specified dimension. For example, auser can view objects of feature type residential buildings in
maps where they appear but only with dimension 0 (theseobjects will be indicated as points in the maps that suchusers will view). It is important to note that not all opera-tions can be applied to all objects. Therefore, the envisionedauthorization model needs to be complemented by a set ofconditions ensuring that each authorization be consistent;we refer to this form of consistency as well-formedness.
The authorization model needs also to include some deriva-tion rules supporting the automatic inference of additionalauthorizations, referred to as derived authorizations, fromother authorizations. Derivation rules can be further catego-rized as: structural derivation rules, defined over object rela-tionships, and application-defined derivation rules. The setof authorizations and derivation rules comprises the geospa-tial authorization base, whereas the set of authorizations andall authorizations that can be derived from this set accord-ing to the derivation rules comprises the entailed geospatialauthorization base. The mechanism supporting the variousconsistency checks, such as well-formedness and authoriza-tion derivation, is referred to as policy reasoner. An impor-tant question is related to the consistency of the geospatialauthorization base and the entailed authorization base; be-cause of negative authorizations and the fact that differentadministrative authorities may exist, such bases may con-tain conflicting authorizations. It is, however, important tonotice that the notion of consistency, due to the various rep-resentations of objects and conflict resolution techniques forgeospatial authorizations, may be far more complex than inthe case of conventional authorizations. For example, solv-ing a conflict between two authorizations may require mod-ifying, through filtering/obfuscating techniques, the repre-sentation of the objects being accessed.
Reasoning. A spatial policy reasoner typically exploitstechniques proposed for spatial reasoning, such as reasoningon direction relations [51] and on topological relations [18].Such techniques exploit properties typical of spatial objects,for example, if a certain direction relation holds among tworegions, then it holds for all the points inside of these regions.This type of knowledge could be expressed as structuralderivation rules defined as part of the GLSDM language. Inorder to provide support for additional application-dependentknowledge, it is however crucial to identity a general knowl-edge representation tool and develop a mapping from theknowledge encoded in terms of the GLSDM structural deriva-tion rules onto the language of the identified knowledge rep-resentation tool. Suitable candidates for such tools are thosebased on descriptions in that these logics directly supportthe representation of complex objects and would directlysupport features that have complex structures.
The reasoner is crucial not only for checking the consis-tency of authorizations, but also to prevent possible infer-ences, which is important in order to achieve strong pro-tection. In particular when dealing with diverse data sets,describing different aspects of the same set of entities, con-trolling access to one data set only is not enough, in thatby accessing information from the other datasets, a subjectmay still be able to infer the content of the protected dataset.As an example suppose that there are small airfields insidea forest; suppose that a subject is given access to a map ofthe area in order to see which are the available roads buthe is not supposed the know the location of these airfields;then one can provide him with a view of this map where theairfields are not shown. Suppose now that a thematic map
reporting the types of trees in the area is available. This isuseful in the context of fire emergencies. If this map showsthat the area covered by the forest has large holes in whichthere are no trees, the subject may infer the presence ofthe airfields and may easily locate them. This means thatthe thematic map should not show those holes. Similar ex-amples can be found concerning underground objects. Inorder to detect such possible inferences, an approach is tointroduce the notion of strongly protected objects; protect-ing these objects would require making sure that all theirfeatures be hidden from all possible layers in which the ob-jects may appear. It would also require determining whethertheir presence can be inferred from the presence or absenceof other spatial objects; in our example, the presence of anarea without trees inside a forest may denote the presence ofan airfield in this area. Being able to support such types ofinference requires encoding domain-dependent knowledge,in addition to basic knowledge about direction and topo-logical relations. This domain-dependent knowledge can betypically encoded as a set of application-defined derivationrules, which is part of the proposed framework.
The authorization model suggested in this paper also needsto include a suitable administration model, supported by ahigh level tool, stating which subjects can grant, revoke, andmodify authorizations. Because geospatial applications mayconsist of diverse data and support a variety of applications,a suitable administration model should support multiple ad-ministration authorities. In some cases, for a user to accessa complex geospatial object, several authorizations by pos-sibly different authorities may be required. Mechanisms areneeded to streamline the authorization acquisition processby the users, without undermining the autonomy of the var-ious administration authorities involved.
Architectural Organization. The proposed logical modelcan be represented as a GML application schema. An impor-tant question is whether the GML access control applicationschema must be integrated with the application schema ofthe actual application or can the two schemas be kept sepa-rated. In general, the latter approach has advantages, suchas modularity. However, because the proposed access controlsystem will support fine access control granularities, autho-rizations may directly reference specific objects. An impor-tant open issue is How to support object references acrossdifferent GML application schemas?. A respective architec-ture should include a tool for authorization administration,the reasoner, and functions related to authorization enforce-ment.
A possible approach to integrate the access control systemwith other components of the data management infrastruc-ture is based on an extension of the conceptual approachdefined in the context of the XACML standard. Such an ap-proach decomposes the functions related to the managementof access control into four components: Policy EnforcementPoint (PEP) that receives the access request and returnsauthorization decisions to the external environment; PolicyDecision Point (PDP) that evaluates the applicable policiesand renders an authorization decision to the PEP; the PolicyInformation Point that serves as source of data required forpolicy evaluation, for example location of users; the PolicyAdministration Point that supports the policy definitionsand stores them in the appropriate repository. All the datarequired by these components, such as authorizations, canbe represented according to the GML access control applica-
tion schema. A major difference with respect to the case ofconventional applications for which XACML was designedis that in geospatial applications objects and subjects maybe mobile and data and applications have strong integrityand privacy requirements; access control may thus have tobe performed not only before the access takes place but alsowhile the access is being executed and possibly after it hasbeen completed. This calls for a continuous interaction ofthe PEP with rest of the data management infrastructureand requires the PDP to keep track how the status of theexecution of the various access requests. Any suitable so-lution thus requires revisiting and extending the conceptualarchitecture of XACML.
6.3 Policy InteroperabilityRequirements. As illustrated in the scenarios, geospatialdata from heterogeneous sources often have to be integratedin a secure fashion. Industry and federal geospatial clear-inghouses are collaboratively standardizing the geospatialdata integration process (see [2, 5, 33]). This process doesnot address security. While there are many aspects to inte-grating heterogeneous GIS repositories, in the following, wewill focus on policy integration [11, 12]. Since the individualagencies implement their own security policies to protect thedata, some issues arise during policy integration.
The first issue is the mismatch of policy rule semantics.When policies are integrated, attributes and targets of thepolicies should be interpreted consistently. For example, iftwo policies from separate agencies use manager and super-visor respectively, to specify the same role attribute, theintegration algorithm should interpret this equivalence.
The second issue is rules mismatch where attribute set andtargets of separate policies have to be matched properly.Note that in our envisioned 7-tuple logical access model,the attributes are represented by the subset {Ev, Co, Sj}(i.e., Effect, Contex, Subject} and targets are specified by{Ol, Sw} (i.e., {ObjectLocator, SpatialWindow}.Current approaches and limitations. Current policyintegration algorithms (e.g., [47, 44]) attempt to solve therules mismatch problem. However, there are several short-comings in these approaches with respect to geospatial dataintegration. First, they require prior coordination amongthe agencies. Geospatial integrated environments are usu-ally based on autonomous agencies, which manage their se-curity policies independently of each other. As a result, priorcoordination to integrate security policies may not be fea-sible. Second, existing models assume that target resources(i.e., {Ol, Sw}) are the same for the policies to be integrated.However, one or more subjects in the {Sj} element can re-quest a hybrid-view of some data where the target from oneagency is field-based and the other is vector-based.
An approach: Geo-referencing. A suitable integrationand interoperation approach is based on the notion of geo-referencing, in that it is often the case that geospatial datasetsto be integrated contain data items that are geo-referencedwith respect to a coordinate system. This way one can tiediffering targets from separate policies using {Ol, Sw}. Inthe hybrid-view raster/vector example, if a subject does nothave access to part of the vector dataset, the coordinatesrepresenting the restricted part allows the integration algo-rithm to prevent access to corresponding map areas. A pos-sible approach is based on an algorithm consisting of two
stages: disambiguating naming heterogeneity and resolvingpolicy mismatch.
Naming heterogeneity can be addressed by utilizing a com-mon vocabulary that will include rules such as administra-tor and manager are different roles. This vocabulary maybe generated from the GML schemas and the GIS reposi-tories (see Fig. 2). Policy mismatch heterogeneity problemcan be addressed by measuring rule similarity and policyunification. We illustrate the envisioned approach using thefollowing example.
Consider two geospatial repositories A and B and userJohn who is associated with B. A carries raster data whereasB contains thematic data about census units for a particularcity. Suppose A and B enforce respective policies P1 andP2:
P1: IF {Subject} ! = Admin & Event(Resolution < 6) &Event(Alert level < 5) &Context(Location(33.41 −82.91, 33.43 −82.904))THEN Effect=Deny onSpatialWindow(RegionA(33.40 −82.91, 33.43 −82.9101,33.4301 −82.9103, 33.43 −82.9103 ))
P2: IF {Subject} = Manager & Event(Resolution < 5) &Event(Alert level < 4) &Context(Location(33.39 -82.91, 33.43 -82.904))THEN Effect = Allow onObjectLocator(All Features in Zip(79900))
P1 specifies that only an Administrator with a certainresolution at or above specific alert level can access the mapregion represented by an array of latitude/longitude coor-dinate pairs. P2 specifies that if a manager is at a specificlocation, she can access all census data including highways,streets and addresses for zip code 79900. Now, if we matchthese two policies, we will observe two types of heterogene-ity. The first one is naming heterogeneity. In P1, the Sub-ject value (i.e., Admin) is different from P2’s Subject (i.e.,Manager). Once we address this naming heterogeneity, rulemismatch heterogeneity may occur. Here, the second at-tribute of the rule in P1 (i.e., Event) is different from P2sattributes.
Disambiguating naming heterogeneity. Naming het-erogeneity in policies can be resolved by exploiting a concept-based model using domain-dependent common vocabularies(from GML schemas and repositories) that may be part ofGIS repositories. In our envisioned approach, for {Subject},we define a set of abstract roles with various high and lowlevel concepts that will help to resolve naming heterogene-ity. Therefore, if there is an ambiguity in {Subject}, itcan be resolved through the correct interpretation providedby the vocabulary based on semantic distance. Examplesof {Subject} concepts on the first level are Admin, Man-ager, Facility Personnel etc. We assume agency B createsa role called Emergency Operation Commander (EOC) bytaking the union of Manager and Facility Personnel andassigns it to John. While processing P1 and P2, a vo-cabulary manager would detect that EOC is made up ofroles that are siblings of Admin. Therefore, the condition{Subject}! = Admin in P1 is satisfied for John. In othercases, a new role such as EOC could be made up of conceptsbelow the Admin level, and we then consider the separationbetween the roles to resolve naming heterogeneity.
Resolving policy rule mismatches. To address policy
rule mismatch, one possible approach is to first measure thesimilarity of rules across policies and next to apply policyunification by aligning similar policies.
Policy Similarity Evaluation: Once the semantic hetero-geneity of attribute terms (e.g., subjects) across policies isresolved, policies have to be aligned. We consider each 7-tuple entry as a rule and we calculate the similarity of therules across policies. As a result, some rule may be ex-tended, restricted, etc. by other rules. Consider the abovepolicies, P1 and P2 consisting of rules r1 and r2, respec-tively. P1 belongs to the resource holder and P2 belongs tothe agency the requester belongs to. We illustrate the inte-gration of P1 and P2 with geospatial data. The integrationcases reflect the unique characteristics for geospatial datadiscussed in section 1. For example, rules have attributesthat correspond to geospatial objects such as features orlayers. There can be one attribute whose value represents abridge feature, while another attribute value represents thecenter-line of the bridge. Although the attributes are sepa-rately specified, from their geo-references we can determinetheir geospatial relationship. This helps us to determinewhich integration case the attributes falls under. We haveidentified five integration cases including:
Case C1 : If attribute values of r1 are matched by r2 andr1 > r2 (r1 has more attributes than r2) then r1 issaid to extend r2. If the attributes of r1 and r2 aredifferent, then r1 and r2 are said to diverge.
Case C2 : If only some of the attributes of r1 and r2match, but not all, then r1 and r2 are said to intersect.
In P1 and P2, the attributes are as follows: a {Subject},two events and a {Context}. The resolution event refers toa geospatial constraint on a particular map or image. The{Context} as defined in Section 6.2 introduces an extentconstraint by specifying the location coordinates that a userrequest has to satisfy. Even if P1 and P2 have same setof policies, the attribute values are different. Suppose P1allows a higher resolution than P2 and P1’s {Context} con-tains P2 ’s {Context} location. To illustrate the use of theintegration cases we note that the values for two event at-tributes in P1 subsume those in P2. Also, since the geospa-tial extent of {Context} in P1 confines that in P2, we sayP1 extends P2, which falls under case C1. If {Context}of P1 were contained in P2s {Context}, they would haveintersected (i.e., case C2 ). Therefore, geospatial data deter-mines the specific case a rule mismatch resolution algorithmhas to follow.
Policy Unification: We factor in the policy combinationalgorithms. We consider action/consequent of similar rulesand exploit deny-override and permit-override strategies. Thedeny or permit is referred to as policy {Effect} that impliesthe final decision on the rule. Since there could be multiplepolicies protecting a particular target (i.e., map resource),one could run into a conflicting scenario where some effectscorrespond to deny and others to permit. At this stage,anomaly/conflict in policies will be detected. Manually de-tecting and resolving these anomalies is a critical but tediousand error prone task. For firewall policy rules, prior researchhas focused on the analysis and detection of anomalies. Forexample, possible relations between rules as well as anoma-lies are defined in terms of the relations and algorithms todetect the anomalies by analyzing the rules have been given.
Approaches proposed for the analysis of firewall rules [10]can be extended to support to account for aspects specificto geospatial data.
6.4 Trust and Privacy ManagementAs illustrated in Fig. 2, the suggested security framework
also includes components for trust and privacy management,because these are important goals of any data security solu-tion.
Requirements. The trust and privacy problems in geospa-tial databases require comprehensive solutions that can han-dle the potential richness of the data types, nature of thedynamic access and mobile user populations. Since geospa-tial data is used for critical applications such as emergencyresponse, it is important that users can trust the retrievedgeospatial data. On the other hand, the unauthorized accessand misuse of geospatial data can lead to privacy violations.In order to address these challenges, systems are needed withthe following capabilities: (i) mechanisms for dynamic ver-ification of the source of the data, and (ii) privacy policiesthat address the dynamic and complex nature of potentialGIS applications as illustrated in the scenarios.
Current approaches and limitations. In terms of trust,current XML standards provide mechanisms for attachingdigital signatures to the documents. Unfortunately, currentsignature standards do not provide semantics to make trustdecisions given the digital signatures [4]. Also, the newJPEG standard provides mechanisms for attaching digitalsignatures to the images but this may not be directly usedfor supporting different geospatial data types. Regardingprivacy, although approaches have been proposed to enforceprivacy policies (e.g., [26]), there is no comprehensive solu-tion covering all types of geospatial data and their use. Moreimportantly, an understanding of privacy in geospatial datais needed before we propose solutions.
Proposed approach I: Trust management. Maps, satel-lite images and other geospatial data used during an emer-gency must be trusted. In other words, the users must beconfident about the freshness and the correctness of thegeospatial data. Even worse, in some cases, an adversarymay try to deliberately submit incorrect data to the sys-tem. For example, a developer may want to modify demo-graphic information related to some county to coerce cityplaners into giving more construction permits. To protectagainst such malicious intent or honest mistakes, we proposeto add two components to the suggested security framework.The first component will provide services to maintain logsto verify the source and the submission date of the geospa-tial data and other provenance data. In a typical databasesystem, the database may create and store such logs. Inthis framework, the geospatial data may need to be com-bined on demand by using various sources. Therefore, logsmaintained by a single geospatial database may not be suffi-cient. Instead, an alternative approach is to extend LSDM,or whichever model is used to represent the spatial data ofinterest, to automatically incorporate the necessary meta-data and semantics to reason about the trust associatedwith metadata and XML digital signatures. For example,an emergency responder who reaches an accident scene first,may update some geospatial information about the roads. Ifanother team approaching the scene requires the road infor-mation, the system must ensure that this team receives the
latest information. By adding necessary digital signaturesand attributes about the trusted system logs, the secondteam may verify the source, freshness and correctness ofdata.
After the verification, trust must be evaluated. For ex-ample, trust could be calculated by taking into account thepast feedback related to the source (i.e., how accurate wasthe geospatial data provided in the past), the creation time(i.e., how fresh is the geospatial data) and the contents ofthe data (i.e., how likely is it that someone may tamper withthe geospatial data). The applicability of different trust cal-culation techniques for GIS applications [60] must certainlybe investigated. After the trust calculation, based on theestimated trust value, the system typically needs to validatethe correctness of the data through other sources. Sincegeospatial data such as satellite images and maps may beretrieved through other sources, one has to exploit the avail-ability of such sources and specify verification policies basedon the underlying trust of the data. If the verification timeis longer than what can be tolerated by an emergency, firstresponders may be better off with no validation. Cost effec-tive validation procedure for critical geospatial data mustbe investigated to take such conflicting requirements intoaccount.
Proposed approach II: Privacy management. As dis-cussed in the scenarios, geospatial repositories are used tostore high resolution satellite images, the location of indi-viduals, their demographic information, resulting in privacyconcerns. However, the definition of privacy in the contextof geospatial data is highly subjective [62]. For example, aperson may not want the image of his house accessible. How-ever, these images are already publicly available. Therefore,unless effective laws are enacted, this situation cannot be aprivacy concern. Due to this subjectivity, it is crucial to firstdevelop a better understanding of privacy issues in geospa-tial data based for example on the scenarios described inSection 2 as well as reviewing various privacy related doc-uments for geospatial data. Next one has to explore howto implement the common requirements from different pri-vacy definitions. These requirements may include: collectingonly the necessary information, giving control over informa-tion about one’s self and preventing misuse of collected data[62].
To address the collecting only the necessary informationrequirement, a possible approach is to develop filters for dif-ferent geospatial data types. For example, to store highresolution satellite images for city planning purposes, oneshould not store the portions of the images that accuratelyshow the communication infrastructure on top of buildingsas such an infrastructure could be used to identify say mil-itary buildings. Filtering tools need to be developed thatautomatically remove security and privacy sensitive geospa-tial data.
To address the giving control over information about one’sself requirement, an approach is to extend the envisionedaccess control tool to support privacy policies also. Each in-dividual, when providing privacy sensitive geospatial data,may be notified about the privacy policies of the GIS datarepository. Such preferences specify who can access the dataunder what conditions and for what purposes. Suppose thatan elderly person enrolls in a location-based geospatial ser-vice that can send an ambulance automatically to the lo-cation of the individual during an emergency. Therefore,
privacy policy for such a service can state that in case of anemergency, only first responders can access his address in-formation for sending help. Clearly, this approach assumesthat the user trusts the system with respect to policy en-forcement.
To address the preventing misuse of collected data, a pos-sible approach is to develop techniques to enforce privacypolicies. For example, for emergency planning in the case ofan E.coli outbreak in a city water system, geospatial datarelated to water pipe system could be combined with demo-graphic and health-care related data. Such integration ofdifferent geospatial data sources could create privacy prob-lems. First, we should enforce the privacy policies of differ-ent sites during the integration. If a GIS repository has aprivacy policy that states that individual’s exact addressescan be only released during an emergency, then for planningpurposes, we may need to use some carefully aggregateddemographic data. Note that different sites may enforcedifferent privacy policies. Therefore, we need to integratethese policies using the integration techniques discussed inSection 6.3. In addition, access to certain combinations ofgeospatial data may be restricted. For example, an indi-vidual may allow his demographic and health-care data tobe accessed separately for city planning purposes. However,the same individual may not allow his health care and de-mographic data to be combined unless it is an emergency.This requires extending the privacy policies to include sepa-ration of duties for different geospatial data types. In somesituations, queried geospatial data may need to be alteredfor preventing privacy/security violations. For example, acity planning expert may be given access to high resolutionsatellite images that do not show say the military facilities.Therefore, we need to filter out the parts of the satellite im-ages that have the sensitive data. Such filtering of geospatialdata should be carried out on the fly based on the privacyor security requirements.
6.5 Integrity: Authentic Data PublicationSchemes for Geospatial Data
Requirements. Often state/county organizations employthird-party data publishers to provide GIS data consumerswith access to large amounts of selected geospatial data setsand products collected by the organization (e.g., the CaSILrepository mentioned in Section 2 is such a third-party ser-vice). These publishers receive periodic copies and/or up-dates of the organization’s GIS data sets and answer queriesfrom GIS applications and Web services on behalf of the dataowner. Publishers relieve owners from maintaining a secure,fault-tolerant and often expensive data management infras-tructure, an important aspect of mission critical geospatialdata that need to be replicated.
Current approaches and limitations. For authenticdata publications, much of the work has focused on rela-tional data and XML data. These data publication schemesallow data consumers to efficiently verify the correctness andcompleteness of the data provided by the data publisher (see,e.g., [22, 29, 30, 35, 63]).
That is, data owners can verify whether the query resultprovided by the publisher is the same as the data ownerwould have provided. These approaches are based on hash-ing schemes over the owner’s data to compute a digital sig-nature to be (periodically) distributed to data consumers.Existing approaches have limitations, because they do not
take into consideration the complexity of GIS data.
Proposed approach: Authentication schemes. A pos-sible approach is to develop authentic data publication schemesfor diverse types of geospatial data. These schemes shouldallow data consumers to verify the correctness and complete-ness of both geographic features (e.g., vector data describingthematic maps) and field-based data (e.g., satellite imageryand aerial photography). The key challenge will be to de-velop space efficient hash structures that allow for small sig-nature objects to be computed by the owner and publisher,and to be evaluated by the data consumer. For vector data,a possible approach to develop and evaluate hashing schemeson commonly used spatial index structures, such as R-treesthat index point, line, and region data (see, e.g., [52]). Forimage data in GeoTIFF, JPEG, or PNG formats, one shouldinvestigate Quadtree-like structures [54] in combination withdigital signature schemes and the Digital Rights Manage-ment (GeoDRM) framework developed by OGC. In particu-lar, compression schemes for raster image data in combina-tion with Quadtrees seem to be good candidates for hashingschemes that allow scaling in terms of precision (e.g., basedon the spatial resolution). An authentic data publicationmodule should be developed that allows GIS Web Serviceto request verification objects in addition to the geospatialdata results, provided that an owner/publisher setting hasbeen established at the data access layer. A challenge here isa suitable extension of GML/GIS Web Service componentsto embed respective protocol information that allows the im-mediate verification of query results by the application andensures the maintenance of digital signatures periodicallydistributed by data owners.
7. EVALUATIONThe evaluation of techniques for securing geospatial data,
like those outlined in the previous section, requires devisingsuitable metrics. A suitable set of metrics should include:(1) cost and utility of the method, (2) integration into exist-ing GIS infrastructures, and (3) security and privacy threats.
(1) Cost and Utility of the Method. As the primary fo-cus of the outlined research directions is on developingnovel types of security and privacy specifications fordiverse types of geospatial data, an important metricis the expressiveness of policy specifications. Whilean expressive language itself is essential, it is equallyimportant to balance expressiveness of the languagewith the cost of performing reasoning (e.g., to whatextent can soundness and completeness properties beassured?). The expressiveness of the specification lan-guage also has an impact on its utility. That is, howeasy is it for GIS security managers to specify securityand privacy policies, not using a formal logic-basedlanguage but a language that resembles concepts ofGML application schemas? A similar approach to bal-ancing expressiveness, cost of reasoning, and utility ofthe method must be taken for security policies in thecontext of GIS interoperations, trust management ap-proaches, and data authentication.
(2) Integration into Existing GIS Infrastructures.Rather than developing security components in an ide-alized environment, any realistic solution must inte-grate these components into existing GIS infrastruc-
tures and applications. Such infrastructures includeGRASS, PostgreSQL, ArcGIS, and typical GIS WebServices, such as Web map services and Web featureservices. The effort to add security components such aspolicy-driven access control modules or data authenti-cation components to a system (e.g., in the form of awrapper or integral system component, Fig. 2), shouldbe minimal, requiring only minor extensions (not mod-ifications) to the system. Note that this metric needsto be considered in the context of the cost and utilitymetrics, as more functionality and better utility likelyrequires more integration efforts.
(3) Security and Privacy Threats. The incremental de-velopment of security components and their integra-tion into GIS infrastructures is accompanied with thedevelopment of security, privacy, and trust threat sce-narios. For each type of policy, one needs developthreat scenarios and security attacks. The availabilityof such scenarios will allow one to evaluate the cor-rectness of the security policies and investigate threatsto guide the development of more sophisticated policyspecifications, in particular those that deal with the fil-tering and obfuscation of geospatial features. The op-erations included in the data model (Section 6.1) canprovide the basis for constructing such threat scenar-ios, as these operations will be the basic means to selectand modify geospatial data from GIS layers, combina-tions of GIS layers, and from different GIS repositoriesin the context of GIS repository coalitions.
8. CONCLUDING REMARKSProtecting geospatial data includes several tasks that raise
a variety of technical and organizational problems and chal-lenges. In this paper, we have presented a comprehensiveview of such requirements and discussed major technical is-sues concerning policy specification, policy interoperability,and privacy and trust. We furthermore outlined importantdirections of research to address the numerous security as-pects of (interoperable) geospatial data and GIS applica-tions. In order to move from theory to practice, the avail-ability of standards for geospatial data representation anddata security is fundamental. Standards make the develop-ment of geospatial data protection techniques affordable andeffective for the deployment of those solutions. In that per-spective, contributing to the development of standards foradvanced geospatial data protection is another major goalto address.
9. REFERENCES[1] GeoXACML Implementation Specification,
http://www.opengeospatial.org/standards/geoxacml.
[2] Open GIS Consortium Interoperability DemonstrationFocuses on Emergency Response Situations,http://xml.coverpages.org/ogc-wsinterop.html.
[3] The Open Geospatial Consortium (OGC).http://www.opengeospatial.org.
[4] XML Signature Syntax and Processing, W3CRecommendation, June 2008.http://www.w3.org/TR/xmldsig-core/, 2008.
[5] Geospatial Interoperability Reference Model (GIRM,V 1.1). http://gai.fgdc.gov/, 2003.
[6] GML3.1 ISO/TC 211/WG 4/PT 19136 Geographicinformation, Geography Markup Language (GML),Committee Draft.http://portal.opengeospatial.org/files/?artifact id=4700,2004.
[7] OGC Critical Infrastructure Protection Initiative(CIPI),http://ip.opengis.org/cipi/, 2006.
[8] Global Earth Observation System of Systems(GEOSS). http://www.epa.gov/geoss/, 2006.
[9] OpenGIS Geography Language (GML) EncodingSpecification, version 3.1.1,http://www.opengeospatial.org/standards/gml, 2007.
[10] M. Abedin, S. Nessa, L. Khan, and B. M.Thuraisingham. Detection and resolution of anomaliesin firewall policy rules. In 20th Annual IFIP WG 11.3Working Conference on Data and ApplicationsSecurity (DBSec), 2006.
[11] A. Alam, G. Subbiah, and B. Thuraisingham.Reasoning with semantics-aware access control policiesfor geospatial Web services. In ACM Workshop onSecure Web Services (SWS), George MasonUniversity, Fairfax VA, USA, 2006.
[12] A. Alam and B. Thuraisingham. Geography resourcedescription framework (GRDF) and secure GRDF(S-GRDF). Technical report, The University of Texasat Dallas, 2006.
[13] V. Atluri and S. A. Chun. An authorization model forgeospatial data. IEEE Transactions on Dependableand Secure Computing, 1(4):238–254, 2004.
[14] V. Atluri and P. Mazzoleni. Uniform indexing forgeospatial data and authorizations. In ResearchDirections in Data and Applications Security, IFIPWG 11.3 Sixteenth International Conference on Dataand Applications Security, 2002.
[15] J. C. Baker, B. E. Lachman, D. R. Frelinger, K. M.O’Connell, and A. Hou. Mapping the risks: Assessingthe homeland security implications of publiclyavailable geospatial information. Technical Report,RAND National Defense Research Institute, 2004.
[16] A. Belussi, E. Bertino, B. Catania, M. L. Damiani, andA. Nucita. An authorization model for geographicalmaps. In 12th ACM International Workshop onGeographic Information Systems, (ACM-GIS), 2004.
[17] A. Belussi, B. Catania, and E. Bertino. A referenceframework for integrating multiple representations ofgeographical maps. In Proceedings of the EleventhACM International Symposium on Advances inGeographic Information Systems (ACM GIS), 2003.
[18] F. L. Ber and A. Napoli. Design and comparison oflattices of topological relations for spatialrepresentation and reasoning. Journal of Experimental& Theoretical Artificial Intelligence, 15(3):331–371,2003.
[19] E. Bertino, P. A. Bonatti, and E. Ferrari. Trbac: Atemporal role-based access control model. ACMTransactions on Information and System Security,4(3):191–233, 2001.
[20] E. Bertino, B. Catania, E. Ferrari, and P. Perlasca. Alogical framework for reasoning about access controlmodels. ACM Transactions on Information andSystem Security, 6(1):71–127, 2003.
[21] E. Bertino, M. L. Damiani, and D. Momini. An access
control system for a web map management service. In14th International Workshop on Research Issues inData Engineering (RIDE-WS-ECEG 2004), WebServices for E-Commerce and E-GovernmentApplications, 2004.
[22] E. Bertino and E. Ferrari. Secure and selectivedissemination of xml documents. ACM Transactionson Information and System Security, 5(3):290–331,2002.
[23] E. Bertino, S. Jajodia, and P. Samarati. A flexibleauthorization mechanism for relational databasesystems. ACM Transactions on Information Systems,17(2):101–140, 1999.
[24] E. Bertino and R. S. Sandhu. Databasesecurity-concepts, approaches, and challenges. IEEETransactions on Dependable and Secure Computing,2(1):2–19, 2005.
[25] R. Bhatti, A. Ghafoor, E. Bertino, and J. Joshi.X-GTRBAC: an XML-based policy specificationframework and architecture for enterprise-wide accesscontrol. ACM Transactions on Information andSystem Security, 8(2):187–227, 2005.
[26] S. A. Chun and V. Atluri. Protecting privacy fromcontinuous high-resolution satellite surveillance. InData and Application Security, Development andDirections, IFIP TC11/ WG11.3 Fourteenth AnnualWorking Conference on Database Security, 2000.
[27] M. J. Covington, W. Long, S. Srinivasan, M. A. AnindK. Dey, and G. D. Abowd. Securing context-awareapplications using environment roles. In 6th ACMSymposium on Access Control Models andTechnologies, 2001.
[28] M. Damiani, E. Bertino, B.Catania, and P. Perlasca.Geo-RBAC: a spatially-aware RBAC. ACMTransactions on Information and System Security,10(1):2, 2007.
[29] P. Devanbu, M. Gertz, A. Kwong, C. Martel, andS. Stubblebine. Flexible authentication of XMLdocuments. Journal of Computer Security,12(6):841–864, 2004.
[30] P. Devanbu, M. Gertz, C. Martel, and S. Stubblebine.Authentic data publication over the Internet. Journalof Computer Security, 11(3):291–314, 2003.
[31] J. Dobson. Is GIS a privacy threat? GIS World, 1198.
[32] A. Entchev. GIS and privacy. Directions Magazine,2005.
[33] ESRI. OpenGIS Interoperability Add-ons for ArcGIS,http://www.esri.com/software/standards/ogc-download.html,2005.
[34] M. Gertz, Q. Hart, C. Rueda, S. Singhal, andJ. Zhang. A data and query model for streaminggeospatial image data. In 11th International Workshopon Foundations of Models and Languages for Data andObjects (Query Languages and Query Processing -QLQP), Revised Selected Papers. LNCS 4254,Springer, 687–699. 2006.
[35] M. Gertz, A. Kwong, C. Martel, G. Nuckolls,P. Devanbu, and S. Stubblebine. Databases that tellthe truth: Authentic data publication. Bulletin of theTechnical Committee on Data Engineering, 7(1):21–41,2004.
[36] M. Gertz and S. Jajodia (Editors). The Handbook of
Database Security: Applications and Trends. Springer,2007.
[37] M. Gertz and A. M. Rosenthal. Database Security. InBidgoli, H. (editor) Handbook of Information Security,Threats, Vulnerabilities, Prevention, Detection andManagement, pages 380–395, Wiley. 2006.
[38] F. Hansen and V. A. Oleshchuk. Spatial role-basedaccess control model for wireless networks. In IEEEVehicular Technology Conference VTC2003-Fall, 2003.
[39] S. Jajodia, P. Samarati, M. L. Sapino, and V. S.Subrahmanian. Flexible support for multiple accesscontrol policies. ACM Transactions on DatabaseSystems, 26(2):214–260, 2001.
[40] J. R. Jensen. Introductory Digital Image Processing.Third Edition, Prentice Hall, 2004.
[41] J. Joshi, E. Bertino, U. Latif, and A. Ghafoor. Ageneralized temporal role-based access control model.IEEE Transactions on Knowledge Data Eng,17(1):4–23, 2005.
[42] M. Koch, L. V. Mancini, and F. Parisi-Presicce. Onthe specification and evolution of access controlpolicies. In 6th ACM Symposium on Access ControlModels and Technologies (SACMAT 2001), 2001.
[43] R. Lake, D. S. Burggraf, M. Trninic, and L. Rae.Geography Markup Language-Foundation for theGeo-Web. Wiley, 2004.
[44] M. Lorch, S. Proctor, R. Lepro, D. Kafura, andS. Shah. Access control: First experiences usingXACML for access control in distributed systems. InACM workshop on XML security, 2003.
[45] P. M. Mather. Computer Processing ofRemotely-Sensed Images. Wiley, 2004.
[46] A. Matheus. Declaration and enforcement offine-grained access restrictions for a service-basedgeospatial data infrastructure. In 10th ACMSymposium on Access Control Models andTechnologies (SACMAT 2005), 2005.
[47] P. Mazzoleni, E. Bertino, and B. Crispo. XACMLpolicy integration algorithms: not to be confused withXACML policy combination algorithms! In SACMAT,2006.
[48] FGDC. Guidelines for providing appropriate access togeospatial data in response to security concerns.http://www.fgdc.gov/policyandplanning/Access Guidelines.pdf,June 2005.
[49] FGDC. National Spatial Data Infrastructure (NSDI).http://www.fgdc.gov/nsdi/nsdi.html.
[50] H. J. Onsrud, J. P. Johnson, and X. Lopez. Protectingpersonal privacy in using geographic informationsystems. Photogrammetic Engineering and ImageProcessing, 60(9):1083–1095, 1994.
[51] D. Papadias, M. J. Egenhofer, and J. Sharma.Hierarchical reasoning about direction relations. InProceedings of the 4th ACM international workshop onAdvances in geographic information systems, 1996.
[52] P. Rigaux, M. Scholl, and A. Voisard. SpatialDatabases: With Application to GIS. MorganKaufmann, 2002.
[53] P. Samarati and S. D. C. di Vimercati. Foundations ofSecurity Analysis and Design, Tutorial Lectures(FOSAD 2000), chapter Access Control: Policies,
Models, and Mechanisms, pages 137–196. LNCS 2171,Springer, 2001.
[54] H. Samet. Applications of Spatial Data Structures:Computer Graphics, Image Processing and GIS.Addison-Wesley, 1989.
[55] R. S. Sandhu, V. Bhamidipati, and Q. Munawer. TheARBAC97 model for role-based administration ofroles. ACM Transactions on Information and SystemSecurity, 2(1):105–135, 1999.
[56] R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E.Youman. Role-based access control models. IEEEComputer, 29(2):38–47, 1996.
[57] B. Thuraisingham. Database and ApplicationsSecurity, Integrating Data Management andApplications Security. CRC Press/Auerbach, 2005.
[58] B. Thuraisingham and W. Ford. Security constraintprocessing in a multilevel secure distributed databasesystem. IEEE Transactions on Knowledge and DataEngineering, 7(2):274–293, 1995.
[59] C.D. Tomlin. Geographic Information Systems andCartographic Modeling. Prentice-Hall, 1990.
[60] Y. Wang and J. Vassileva. Bayesian network trustmodel in peer-to-peer networks. In SecondInternational Workshop on Agents and Peer-to-PeerComputing (AP2PC 2003), 2003.
[61] M. Winslett, N. Ching, V. E. Jones, and I. Slepchin.Using digital credentials on the world wide web.Journal of Computer Security, 5(3):255–266, 1997.
[62] T. Wright. Geographic information systems. OntarioOffice of Information and Privacy Commissioner, 1997.
[63] Y. Yang, S. Papadopoulos, D. Papadias, andG. Kollios. Spatial outsourcing for location-basedservices. In Proceedings of the 24th InternationalConference on Data Engineering, ICDE 2008,1082–1091, 2008.
