Towards safer information sharing in the cloud

  • Regular Contribution
  • International Journal of Information Security

Abstract

Web interactions usually require the exchange of personal and confidential information for a variety of purposes, including enabling business transactions and the provisioning of services. A key issue affecting these interactions is the lack of trust in, and control over, how data are going to be used and processed by the entities that receive them. In the traditional world, this problem is addressed using contractual agreements, which are signed by the involved parties, and law enforcement. This could be done electronically as well but, in addition to the trust issue, there is currently a major gap between the definition of legal contracts regulating the sharing of data and the software infrastructure required to support and enforce them. How can organisations be enabled to provide more automation in this process? How can we ensure that legal contracts can actually be enforced by the underlying IT infrastructure? How can end-users be enabled to express their preferences and constraints within these contracts? This article describes our R&D work to make progress towards addressing this gap via the usage of electronic Data Sharing Agreements (e-DSA). The aim is to share our vision, discuss the challenges involved and stimulate further research and development in this space. We specifically focus on a cloud scenario because it provides a rich set of use cases involving interactions and information sharing among multiple stakeholders, including users and service providers.



Acknowledgments

The research leading to these results has been partially funded by the FP7 European project CoCo-Cloud (Grant 610853).

Author information


Correspondence to Marinella Petrocchi.


Cite this article

Casassa-Mont, M., Matteucci, I., Petrocchi, M. et al. Towards safer information sharing in the cloud. Int. J. Inf. Secur. 14, 319–334 (2015). https://doi.org/10.1007/s10207-014-0258-5


  • DOI: https://doi.org/10.1007/s10207-014-0258-5
