We present a novel approach for the specification and
enforcement of authorizations that enables controlled
data sharing for collaborative queries
in the cloud. Data authorities can establish
authorizations regulating access to their data,
distinguishing three visibility levels (no visibility,
encrypted visibility, and plaintext visibility).
Authorizations are enforced accounting for the
information content carried in the computation to
ensure no information is improperly leaked and
adjusting visibility of data on the fly. Assignment of
operations to subjects takes into
consideration the cost of operation execution as well as
of the encryption/decryption operations needed to
make the assignment authorized. Our
approach enables users and data authorities to fully
enjoy the benefits and economic savings of the
competitive open cloud market, while
maintaining control over data.