Abstract
Companies are taking more and more advantage of cloud architectures for their IT systems. By combining private and public cloud resources, it is possible to facilitate data submissions by customers and processing with third parties, among other advantages. But this also represents a potential threat to the privacy and confidentiality of personal data. Even if legal obligations regulate the usage of personal data, for example by requiring that they be disclosed only in anonymised form, users have no visibility or control over data disclosure operations, nor over the anonymisation policies used by companies. To this end, we propose a solution to establish and enforce data-centric security policies, in order to enable secure and compliant data processing operations. Our proposal is particularly fit for cloud architectures, as it supports multiple actors with different roles, responsibilities and obligations. We also present a use case to demonstrate the peculiarities of our proposition.
© 2014 Springer-Verlag Berlin Heidelberg
Cite this paper
Di Cerbo, F., Trabelsi, S. (2014). Re-Identification Risk Based Security Controls. In: Meersman, R., et al. On the Move to Meaningful Internet Systems: OTM 2014 Workshops. OTM 2014. Lecture Notes in Computer Science, vol 8842. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-45550-0_14
DOI: https://doi.org/10.1007/978-3-662-45550-0_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-45549-4
Online ISBN: 978-3-662-45550-0
eBook Packages: Computer Science (R0)