The Community for Technology Leaders
RSS Icon
Subscribe
Issue No.04 - October-December (2011 vol.4)
pp: 340-354
Jun Li , Hewlett-Packard Laboratories, Palo Alto
Bryan Stephenson , Hewlett-Packard Laboratories, Palo Alto
Hamid R. Motahari-Nezhad , Hewlett-Packard Laboratories, Palo Alto
Sharad Singhal , Hewlett-Packard Laboratories, Palo Alto
ABSTRACT
Many cloud service providers offer outsourcing capabilities to businesses using the software-as-a-service delivery model. In this delivery model, sensitive business data need to be stored and processed outside the control of the business. The ability to manage data in compliance with regulatory and corporate policies, which we refer to as data assurance, is an essential success factor for this delivery model. There exist challenges to express service data assurance capabilities, capture customers' requirements, and enforce these policies inside service providers' environments. This paper addresses these challenges by proposing Global Enforcement Of Data Assurance Controls (GEODAC), a policy framework that enables the expression of both service providers' capabilities and customers' requirements, and enforcement of the agreed-upon data assurance policies in service providers' environments. High-level policy statements are backed in the service environment with a state machine-based representation of policies in which each state represents a data lifecycle stage. Data assurance policies that define requirements on data retention, data migration, data appropriateness for use, etc. can be described and enforced. The approach has been implemented in a prototype tool and evaluated in a services environment.
INDEX TERMS
Security and privacy in services; security and privacy management in data collection, transformation and dissemination; service oriented computing; software as a service; services delivery platform and methodology.
CITATION
Jun Li, Bryan Stephenson, Hamid R. Motahari-Nezhad, Sharad Singhal, "GEODAC: A Data Assurance Policy Specification and Enforcement Framework for Outsourced Services", IEEE Transactions on Services Computing, vol.4, no. 4, pp. 340-354, October-December 2011, doi:10.1109/TSC.2010.53
REFERENCES
[1] Amazon Web Services: Overview of Security Processes, http://s3.amazonaws.com/aws_blogAWS_Security_Whitepaper_2008_ 09.pdf , 2008.
[2] S. Ayed et al., "Deploying Security Policy in Intra and Inter Workflow Management Systems," Proc. Int'l Conf. Availability, Reliability and Security (ARES '09), pp. 58-65, 2009.
[3] S. Bajaj et al., "Web Services Policy 1.2 - Framework (WS-Policy)," http://www.w3.org/SubmissionWS-Policy, Apr. 2006.
[4] A. Baldwin and S. Shiu, "Enabling Shared Audit Data," Int'l J. Information Security, vol. 4, no. 4, pp. 263-276, 2005.
[5] P.A. Bonatti et al., "Rule-Based Policy Specification: State of the Art and Future Work," technical report, Working Group I2, EU NoE REWERSE, http://rewerse.net/deliverablesi2-d1.pdf , Aug. 2004.
[6] M.C. Mont and F. Beato, "On Parametric Obligation Policies: Enabling Privacy-Aware Information Lifecycle Management in Enterprises," Proc. IEEE Int'l Workshop Policies for Distributed Systems and Networks (POLICY '07), pp. 51-55, 2007.
[7] E. Damiani et al., "Selective Data Encryption in Outsourced Dynamic Environments," Electronic Notes in Theoretical Computer Science, vol. 168, pp. 127-142, 2007.
[8] E. Damiani et al., "Metadata Management in Outsourced Encrypted Databases," Proc. Second VLDB Workshop Secure Data Management, pp. 16-32, 2005.
[9] N. Damianou et al., "A Survey of Policy Specification Approaches," http://www.doc.ic.ac.uk/~mss/PapersPolicySurvey.pdf , 2002.
[10] "Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data," http://www.cdt.org/privacy/ eudirectiveEU_Directive_.html , 2011.
[11] M. Fratto, "Internet Evolution - Cloud Control," Information Week, Jan. 2009.
[12] C. Gutiérrez, E. Fernández-Medina, and M. Piattini, "A Survey of Web Services Security," Proc. Int'l Conf. Computational Science and Its Applications (ICCSA '04), vol. 1, 2004.
[13] R. Hamadi et al., "Conceptual Modeling of Privacy-Aware Web Service Protocols," Proc. Int'l Conf. Advanced Information Systems Eng. (CAiSE '07), 2007.
[14] D. Harel, "Statecharts: A Visual Formalism for Complex Systems," Science of Computer Programming, vol. 8, no. 3, pp. 231-274, June 1987.
[15] Hibernate, http:/www.hibernate.org, 2011.
[16] U.S. Department of Health & Human Services, "Health Information Privacy," http://www.hhs.gov/ocr/privacyindex.html , 2011.
[17] M. Jensen and S. Feja, "A Security Modeling Approach for Web-Service-Based Business Processes," Proc. Ann. IEEE Int'l Conf. and Workshop Eng. of Computer Based Systems (ECBS '09), pp. 340-347, 2009.
[18] Keynote Systems, http:/www.keynote.com, 2011.
[19] P. Krishna and K. Karlapalem, "Electronic Contracts," IEEE Internet Computing, vol. 12, no. 4, pp. 60-68, July/Aug. 2008.
[20] J. Li et al., "A Data Assurance Policy Specification and Enforcement Framework for Outsourced Services," Technical Report HPL 2009-357, 2009.
[21] J. Li et al., "A Policy Framework for Data Management in Services," Proc. Fourth Int'l Workshop Dependability Aspects on Data Warehousing and Mining Applications, Mar. 2009.
[22] R.W. Lucky, "Cloud Computing," IEEE Spectrum, vol. 46, no. 5, p. 27, May 2009.
[23] M. Menzel et al., "Security Requirements Specification in Service-Oriented Business Process Management," Proc. Int'l Conf. Availability, Reliability and Security (ARES '09), 2009.
[24] F. Montagut and R. Molva, "Traceability and Integrity of Execution in Distributed Workflow Management Systems," Proc. European Symp. Research In Computer Security (ESORICS '07), 2007.
[25] Nat'l Inst. of Standards and Technology, "Recommended Security Controls for Federal Information Systems and Organizations," NIST Special Publication 800-53 Rev. 3, 2009.
[26] OASIS, WS-BPEL 2.0, 2007.
[27] OASIS, XACML, Version 2.0, Feb. 2005.
[28] OASIS, WS-SecurityPolicy 1.2, July 2007.
[29] Object Constraint Language (OCL), OMG, Version 2.0, May 2006.
[30] J. Park and R. Sandhu, "The UCON ABC Usage Control Model," ACM Trans. Information and Systems Security, vol. 7, pp. 128-174, 2004.
[31] PCI Security Standards Council, PCI DSS (1.2), Oct. 2008.
[32] T. Phan et al., "Quality-Driven Business Policy Specification and Refinement for Service-Oriented Systems," Proc. Int'l Conf. Service-Oriented Computing (ICSOC '08), 2008.
[33] A. Pretschner, M. Hilty, and D. Basin, "Distributed Usage Control," Comm. ACM, vol. 49, no. 9, pp. 39-44, Sept. 2006.
[34] PRIME Project, https:/www.prime-project.eu, 2011.
[35] Rackspace, "Intrusion Detection Systems (IDS)," http://www. rackspace.com/downloads/pdfs IDSOverview.pdf, 2011.
[36] P. Resnick et al., "Reputation Systems: Facilitating Trust in Internet Interactions," Comm. ACM, vol. 43, no. 12, pp. 45-48, 2000.
[37] C. Roth, D. Carroll, and N. Tran, Creating On-Demand Applications: An Introduction to the Apex Platform, http:/developer.force.com, 2011.
[38] Safe Harbor, http://www.export.gov/safeharborindex.asp , 2011.
[39] D. Shukla and B. Schmidt, Essential Windows Workflow Foundation. Addison Wesley, 2006.
[40] D. Sims, "Gartner Finds SaaS Market to Hit $19.3 Billion by 2011," http://www.tmcnet.com/usubmit/2007/03/07 2398768.htm, 2011.
[41] A. Singhal, T. Winograd, and K. Scarfone, "Guide to Secure Web Services: Recommendations of the National Institute of Standards and Technology," pp. 800-95, NIST Special Publication, Aug. 2007.
[42] H. Skogsrud et al., "Trust-Serv: Model-Driven Lifecycle Management of Trust Negotiation Policies for Web Services," Proc. Int'l Conf. World Wide Web (WWW '04), 2004.
[43] American Institute of Certified Public Accountants (AICPA), Statement on Auditing Standards No. 70 (SAS 70), 2011.
[44] The Breach Blog, "BNY Mellon Shareowner Services Loses Backup Tape," http://breachblog.com/2008/03/27bny.aspx , 2011.
[45] United States Nat'l Information Assurance Glossary, http://www.cnss.gov/Assets/pdfcnssi_4009.pdf , 2009.
[46] E. Uzun and B. Stephenson, "Security of Relational Databases in Business Outsourcing," Technical Report HPL-2008-168, HP Labs, p. 168, 2008.
[47] W3C, Platform for Privacy Preferences (P3P) Project, http://www.w3.orgP3P, 2011.
[48] M. Xie, H. Wang, J. Yin, and X. Meng, "Integrity Auditing of Outsourced Data," Proc. Int'l Conf. Very Large Data Bases (VLDB '07), pp. 782-793, 2007.
6 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool