Provenance, or information about the origin, derivation, or history of data, is becoming an important topic especially for shared scientific or public data on the Web. It clearly has implications on security (and vice versa) yet these implications are not well-understood. A great deal of work has focused on mechanisms for recording, managing or using some kind of provenance information, but relatively little progress has been made on foundational models that define provenance and relate it to security goals such as availability, confidentiality or privacy. We argue that such foundations are essential to making meaningful progress on these problems and should be developed. In this paper, we outline a formal model of provenance, propose formalizations of security properties for provenance such as disclosure and obfuscation, and explore their implications in domains based on automata, database queries and workflow provenance graphs.