A-PPL: An Accountability Policy Language

  • Monir Azraoui
  • Kaoutar Elkhiyaoui
  • Melek Önen
  • Karin Bernsmed
  • Anderson Santana De Oliveira
  • Jakub Sendor
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8872)

Abstract

Cloud Computing raises various security and privacy challenges due to the customers’ inherent lack of control over their outsourced data. One approach to encourage customers to take advantage of the cloud is the design of new accountability solutions which improve the degree of transparency with respect to data processing. In this paper, we focus on accountability policies and propose A-PPL, an accountability policy language that represents machine-readable accountability policies. A-PPL extends the PPL language by allowing customers to define additional rules on data retention, data location, logging and notification. The use of A-PPL is illustrated with a use case where medical sensors collect personal data which are then stored and processed in the cloud. We define accountability obligations related to this use case and translate them into A-PPL policies as a proof of concept of our proposal.

Keywords

Personal Data Policy Language Cloud Provider Data Controller Cloud Service Provider 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Notes

Acknowledgments

This work was supported by the European Commission’s Seventh framework A4Cloud (http://www.a4cloud.eu/) project. We thank Dimitra Stefanatou for her help on the analysis of accountability obligations.

References

  1. 1.
    Azraoui, M., Elkhiyaoui, K., Önen, M., Bernsmed, K., de Oliveira, A.S., Sendor, J.: A-PPL: An Accountability Policy Language. Technical report (2014)Google Scholar
  2. 2.
    Bernsmed, K., Felici, M., de Oliveira, A.S., Sendor, J., Moe, N.B., Rübsamen, T., Tountopoulos, V., Hasnain, B.: Use case descriptions. Deliverable, Cloud Accountability (A4Cloud) Project (2013)Google Scholar
  3. 3.
    Bernsmed, K., Kuan, H., Millard, C.: Deploying Medical Sensor Networks in the Cloud - Accountability Obligations from a European Perspective. Submitted for publication (2014)Google Scholar
  4. 4.
    Butin, D., Chicote, M., Le Métayer, D.: Log design for accountability. In: 2013 IEEE Security and Privacy Workshops (SPW), pp. 1–7. IEEE (2013)Google Scholar
  5. 5.
    Cherrueau, R.-A., Douence, R., Grall, H., Royer, J.-C., Sellami, M., Südholt, M., Azraoui, M., Elkhiyaoui, K., Molva, R., Önen, M., Garaga, A., de Oliveira, A.S., Sendor, J., Bernsmed, K.: Policy representation framework. Deliverable (to be published), Cloud Accountability (A4Cloud) Project (2013)Google Scholar
  6. 6.
    Cuppens, F., Cuppens-Boulahia, N.: Modeling contextual security policies. Int. J. Inf. Secur. 7(4), 285–305 (2008)CrossRefGoogle Scholar
  7. 7.
    European Parliament. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1995)Google Scholar
  8. 8.
    Henze, M., Großfengels, M., Koprowski, M., Wehrle, K.: Towards data handling requirements-aware cloud computing. In: 2013 IEEE International Conference on Cloud Computing Technology and Science (CloudCom) (2013)Google Scholar
  9. 9.
    HERAS AF team. HERAS AF (Holistic Enterprise-Ready Application Security Architecture Framework). http://herasaf.org/
  10. 10.
    Li, N., Chen, H., Bertino, E.: On practical specification and enforcement of obligations. In: Proceedings of the Second ACM Conference on Data and Application Security and Privacy, pp. 71–82. ACM (2012)Google Scholar
  11. 11.
    Lin, A., Chen, N.-C.: Cloud computing as an innovation: percepetion, attitude, and adoption. Int. J. Inf. Manage. 32(6), 533–540 (2012)CrossRefGoogle Scholar
  12. 12.
    OASIS Standard. eXtensible Access Control Markup Language (XACML) Version 3.0. 22 January 2013. http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html
  13. 13.
    Papagiannakopoulou, E.I., et al.: Leveraging ontologies upon a holistic privacy-aware access control model. In: Danger, J.L., Debbabi, M., Marion, J.-Y., Garcia-Alfaro, J., Heywood, N.Z. (eds.) FPS 2013. LNCS, vol. 8352, pp. 209–226. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  14. 14.
    Pearson, S., Tountopoulos, V., Catteddu, D., Sudholt, M., Molva, R., Reich, C., Fischer-Hubner, S., Millard, C., Lotz, V., Jaatun, M., Leenes, R., Rong, C., Lopez, J.: Accountability for cloud and other future internet services. In: 2012 IEEE 4th International Conference on Cloud Computing Technology and Science (CloudCom), pp. 629–632 (2012)Google Scholar
  15. 15.
    Trabelsi, S., Neven, G., Raggett, D., Ardagna, C., Bournez, C., Bussard, L., Bezzi, M., Camenisch, J., de Capitani di Vimercati, S., Gey, F., Kuczerawy, A., Meissner, S., Neven, G., Njeh, A., Paraboschi, S., Pedrini, E., Foresti, S., Pinsdorf, U., Preiss, F.-S., Sendor, J., Tziviskou, C., Raggett, D., Roessler, T., Samarati, P., Schallaboeck, J., Short, S., Sommer, D., Verdicchio, M., Wenning, R.: D5.3.4 - report on design and implementation of the primelife policy language and engine. Deliverable, Primelife Project (2011)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Monir Azraoui
    • 1
  • Kaoutar Elkhiyaoui
    • 1
  • Melek Önen
    • 1
  • Karin Bernsmed
    • 2
  • Anderson Santana De Oliveira
    • 3
  • Jakub Sendor
    • 3
  1. 1.EURECOMBiot Sophia AntipolisBiotFrance
  2. 2.SINTEF ICTTrondheimNorway
  3. 3.SAP Labs FranceMougins Sophia AntipolisAntipolisFrance

Personalised recommendations