Publication
IEEE CSDE 2023
Conference paper
QOMPLIANCE: Declarative Data-Centric Policy Compliance
Abstract
Data compliance is essential in industry applications to ensure that organizations do not run afoul of data protection and privacy legislation. Geographically distributed data is an especially relevant topic because of recent developments in cross-border data protection agreements, e.g., between the United States and the European Union. We report our experience of designing and implementing QOMPLIANCE, a system for automated data-centric compliance evaluation in cloud environments. Our approach fills a gap in the research for higher-level data-centric compliance systems with a particular focus on geographically distributed data. Its declarative and extensible policy model allows for defining policies that can govern data movements across borders and is intended to be understandable without explicit knowledge of the governed data by employing a tag-based abstraction layer. The particular challenge is to automate data-centric policy compliance on data movements in a maintainable manner. QOMPLIANCE analyzes SQL-defined data movements to extract what data is being addressed and combines this information with additional attributes to statically match policies. Policies decide whether data movements are allowed and specify requirements on the query and the execution that should be enforced. We provide a qualitative comparison between our approach and related work, and we performed a performance analysis that shows that compliance evaluation can be done in seconds for large sets of policies.