Information Flow Audit for Transparency and Compliance in the Handling of Personal Data

The adoption of cloud computing is increasing and its use is becoming widespread in many sectors. As the proportion of services provided using cloud computing increases, legal and regulatory issues are becoming more significant. In this paper we explore how an Information Flow Audit (IFA) mechanism, that provides key data regarding provenance, can be used to verify compliance with regulatory and contractual duty, and survey potential extensions. We explore the use of IFA for such a purpose through a smart electricity metering use case derived from a French Data Protection Agency recommendation.

[1]  Christoph Bier How Usage Control and Provenance Tracking Get Together - A Data Protection Perspective , 2013, 2013 IEEE Security and Privacy Workshops.

[2]  David M. Eyers,et al.  Twenty Security Considerations for Cloud-Supported Internet of Things , 2016, IEEE Internet of Things Journal.

[3]  R. K. Shyamasundar,et al.  Realizing Purpose-Based Privacy Policies Succinctly via Information-Flow Labels , 2014, 2014 IEEE Fourth International Conference on Big Data and Cloud Computing.

[4]  Thomas Moyer,et al.  Take Only What You Need: Leveraging Mandatory Access Control Policy to Reduce Provenance Storage Costs , 2015, TaPP.

[5]  Thomas Moyer,et al.  Trustworthy Whole-System Provenance for the Linux Kernel , 2015, USENIX Security Symposium.

[6]  Yogesh L. Simmhan,et al.  A survey of data provenance in e-science , 2005, SGMD.

[7]  Kevin R. B. Butler,et al.  Towards secure provenance-based access control in cloud environments , 2013, CODASPY.

[8]  Patrick D. McDaniel,et al.  Hi-Fi: collecting high-fidelity whole-system provenance , 2012, ACSAC '12.

[9]  Vern Paxson,et al.  The Matter of Heartbleed , 2014, Internet Measurement Conference.

[10]  Crispin Cowan,et al.  Linux security modules: general security support for the linux kernel , 2002, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[11]  Krzysztof Z. Gajos,et al.  Evaluation of Filesystem Provenance Visualization Tools , 2013, IEEE Transactions on Visualization and Computer Graphics.

[12]  Margo I. Seltzer,et al.  A primer on provenance , 2014, CACM.

[13]  Thomas F. J.-M. Pasquier,et al.  Expressing and Enforcing Location Requirements in the Cloud Using Information Flow Control , 2015, 2015 IEEE International Conference on Cloud Engineering.

[14]  Jatinder Singh,et al.  Camflow: Managed Data-Sharing for Cloud Services , 2015, IEEE Transactions on Cloud Computing.

[15]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[16]  Bu Sung Lee,et al.  From system-centric to data-centric logging - Accountability, trust & security in cloud computing , 2011, 2011 Defense Science Research Conference and Expo (DSR).

[17]  Geoff Holmes,et al.  Security and Data Accountability in Distributed Systems: A Provenance Survey , 2013, 2013 IEEE 10th International Conference on High Performance Computing and Communications & 2013 IEEE International Conference on Embedded and Ubiquitous Computing.

[18]  Margo I. Seltzer,et al.  Provenance-Aware Storage Systems , 2006, USENIX ATC, General Track.

[19]  Rodrigo Fonseca,et al.  Pivot tracing , 2018, USENIX Annual Technical Conference.

[20]  Jatinder Singh,et al.  Clouds of Things Need Information Flow Control with Hardware Roots of Trust , 2015, 2015 IEEE 7th International Conference on Cloud Computing Technology and Science (CloudCom).

[21]  David M. Eyers,et al.  Information Flow Audit for PaaS Clouds , 2016, 2016 IEEE International Conference on Cloud Engineering (IC2E).

[22]  Bruno Defude,et al.  Document Provenance in the Cloud: Constraints and Challenges , 2010, EUNICE.

[23]  Jatinder Singh,et al.  Data Flow Management and Compliance in Cloud Computing , 2015, IEEE Cloud Computing.

[24]  Yogesh L. Simmhan,et al.  The Open Provenance Model core specification (v1.1) , 2011, Future Gener. Comput. Syst..

[25]  Eddie Kohler,et al.  Information flow control for standard OS abstractions , 2007, SOSP.

[26]  Margo I. Seltzer,et al.  Issues in Automatic Provenance Collection , 2006, IPAW.

[27]  Yurdaer N. Doganata,et al.  Business Provenance - A Technology to Increase Traceability of End-to-End Operations , 2008, OTM Conferences.