GEODAC: A Data Assurance Policy Specification and Enforcement Framework for Outsourced Services

Many cloud service providers offer outsourcing capabilities to businesses using the software-as-a-service delivery model. In this delivery model, sensitive business data need to be stored and processed outside the control of the business. The ability to manage data in compliance with regulatory and corporate policies, which we refer to as data assurance, is an essential success factor for this delivery model. There exist challenges to express service data assurance capabilities, capture customers' requirements, and enforce these policies inside service providers' environments. This paper addresses these challenges by proposing Global Enforcement Of Data Assurance Controls (GEODAC), a policy framework that enables the expression of both service providers' capabilities and customers' requirements, and enforcement of the agreed-upon data assurance policies in service providers' environments. High-level policy statements are backed in the service environment with a state machine-based representation of policies in which each state represents a data lifecycle stage. Data assurance policies that define requirements on data retention, data migration, data appropriateness for use, etc. can be described and enforced. The approach has been implemented in a prototype tool and evaluated in a services environment.

[1]  Marco Casassa Mont,et al.  On Parametric Obligation Policies: Enabling Privacy-Aware Information Lifecycle Management in Enterprises , 2007, Eighth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'07).

[2]  Sushil Jajodia,et al.  Metadata Management in Outsourced Encrypted Databases , 2005, Secure Data Management.

[3]  Lawrence O Gostin,et al.  Health information privacy. , 1995, Cornell law review.

[4]  Karen A. Scarfone,et al.  Guide to Secure Web Services , 2007 .

[5]  Brian Hayes,et al.  What Is Cloud Computing? , 2019, Cloud Technologies.

[6]  Sharad Singhal,et al.  A Policy Framework for Data Management in Services Marketplaces , 2009, 2009 International Conference on Availability, Reliability and Security.

[7]  Ersin Uzun,et al.  Security of Relational Databases in Business Outsourcing , 2008 .

[8]  Susan W. Berson HIPAA , 2003 .

[9]  Valtteri Niemi,et al.  Distributed Usage Control , 2011, ANT/MobiWIS.

[10]  Kamalakar Karlapalem,et al.  Electronic Contracts , 2008, IEEE Internet Computing.

[11]  Jun Han,et al.  Quality-Driven Business Policy Specification and Refinement for Service-Oriented Systems , 2008, ICSOC.

[12]  Fabio Casati,et al.  Trust-serv: model-driven lifecycle management of trust negotiation policies for web services , 2004, WWW '04.

[13]  Refik Molva,et al.  Traceability and Integrity of Execution in Distributed Workflow Management Systems , 2007, ESORICS.

[14]  Paul Resnick,et al.  Reputation systems , 2000, CACM.

[15]  小池 雄一 P3P(Platform for Privacy Preferences) , 2001 .

[16]  Simon Shiu,et al.  Enabling shared audit data , 2004, International Journal of Information Security.

[17]  Herbert Burkert,et al.  Some Preliminary Comments on the DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. , 1996 .

[18]  SandhuRavi,et al.  The UCONABC usage control model , 2004 .

[19]  Emil C. Lupu,et al.  A Survey of Policy Specification Approaches , 2002 .

[20]  Chris Hoffman Safe Harbor , 2000, The Journal of perinatal education.

[21]  Paul Resnick,et al.  Reputation Systems: Facilitating Trust in Internet Interactions , 2000 .

[22]  Nora Cuppens-Boulahia,et al.  Deploying Security Policy in Intra and Inter Workflow Management Systems , 2009, 2009 International Conference on Availability, Reliability and Security.

[23]  Alberto Martelli,et al.  Rule-based Policy Specification : State of the Art and Future Work , 2004 .

[24]  Peter Mell,et al.  Intrusion Detection Systems , 2001 .

[25]  Robert W. Lucky,et al.  Cloud computing [Reflections] , 2009 .

[26]  Mario Piattini,et al.  A Survey of Web Services Security , 2004, ICCSA.

[27]  Marianne M. Swanson,et al.  Recommended Security Controls for Federal Information Systems , 2005 .

[28]  Sushil Jajodia,et al.  Selective Data Encryption in Outsourced Dynamic Environments , 2007, Electron. Notes Theor. Comput. Sci..

[29]  Hye-Young Paik,et al.  Conceptual Modeling of Privacy-Aware Web Service Protocols , 2007, CAiSE.

[30]  David Harel,et al.  Statecharts: A Visual Formalism for Complex Systems , 1987, Sci. Comput. Program..

[31]  K. PandeyR. Object constraint language (OCL) , 2011 .

[32]  Prashant Pandey,et al.  Cloud computing , 2010, ICWET.

[33]  J. Dumortier Directive 98/48/EC of the European Parliament and of the Council , 2006 .

[34]  Meiko Jensen,et al.  A Security Modeling Approach for Web-Service-Based Business Processes , 2009, 2009 16th Annual IEEE International Conference and Workshop on the Engineering of Computer Based Systems.

[35]  Joint Task Force Recommended Security Controls for Federal Information Systems and Organizations , 2009 .

[36]  Christoph Meinel,et al.  Security Requirements Specification in Service-Oriented Business Process Management , 2009, 2009 International Conference on Availability, Reliability and Security.

[37]  Xiaofeng Meng,et al.  Integrity Auditing of Outsourced Data , 2007, VLDB.