International Journal of Information Security, Volume 14, Issue 4, pp 319–334

Towards safer information sharing in the cloud

  • Marco Casassa-Mont
  • Ilaria Matteucci
  • Marinella Petrocchi
  • Marco Luca Sbodio
Regular Contribution

Abstract

Web interactions usually require the exchange of personal and confidential information for a variety of purposes, including enabling business transactions and the provisioning of services. A key issue affecting these interactions is the lack of trust in, and control over, how data are going to be used and processed by the entities that receive them. In the traditional world, this problem is addressed using contractual agreements signed by the involved parties, and law enforcement. This could be done electronically as well, but, in addition to the trust issue, there is currently a major gap between the definition of legal contracts regulating the sharing of data and the software infrastructure required to support and enforce them. How can organisations be enabled to provide more automation in this process? How can we ensure that legal contracts are actually enforced by the underlying IT infrastructure? How can end-users express their preferences and constraints within these contracts? This article describes our R&D work towards addressing this gap through the use of electronic Data Sharing Agreements (e-DSA). The aim is to share our vision, discuss the challenges involved and stimulate further research and development in this space. We specifically focus on a cloud scenario because it provides a rich set of use cases involving interactions and information sharing among multiple stakeholders, including users and service providers.

Keywords

Data-centric information sharing; Data sharing agreements; Policy authoring; Policy analysis; Policy deployment; Policy enforcement; Cloud security

Notes

Acknowledgments

The research leading to these results has been partially funded by the FP7 European project CoCo-Cloud (Grant 610853).

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Marco Casassa-Mont (1)
  • Ilaria Matteucci (2)
  • Marinella Petrocchi (2)
  • Marco Luca Sbodio (3)

  1. Hewlett-Packard Labs, Cloud & Security Lab, Bristol, UK
  2. Consiglio Nazionale delle Ricerche, Istituto di Informatica e Telematica, Pisa, Italy
  3. Innovation Center, Hewlett-Packard Italy, Torino, Italy