A User Data Location Control Model for Cloud Services

Kaniz Fatema, Philip Healy, Vincent C. Emeakaroha, John P. Morrison, Theo Lynn

2014

Abstract

A data location control model for Cloud services is presented that uses an authorization system as its core control element. The model is intended for use by enterprises that collect personal data from end users that can potentially be stored and processed at multiple geographic locations. By adhering to the model’s authorization decisions, the enterprise can address end users’ concerns about the location of their data by incorporating their preferences about the location of their personal data into an authorization policy. The model also ensures that the end users have visibility into the location of their data and are informed when the location of their data changes. A prototype of the model has been implemented that provides the data owner with an interface that allows their location preferences to be expressed. These preferences are stored internally as XACML policy documents. Thereafter, movements or remote duplications of the data must be authorized by submitting requests to an ISO/IEC 10181-3:1996 compliant policy enforcement point. End users can, at any time, view up-to-date information on the locations where their data is stored via a web interface. Furthermore, XACML obligations are used to ensure that end users are informed whenever the location of their data changes.



Paper Citation


in Harvard Style

Fatema K., Healy P., Emeakaroha V. C., Morrison J. P. and Lynn T. (2014). A User Data Location Control Model for Cloud Services. In Proceedings of the 4th International Conference on Cloud Computing and Services Science - Volume 1: CLOSER, ISBN 978-989-758-019-2, pages 476-488. DOI: 10.5220/0004855404760488


in Bibtex Style

@conference{closer14,
author={Kaniz Fatema and Philip Healy and Vincent C. Emeakaroha and John P. Morrison and Theo Lynn},
title={A User Data Location Control Model for Cloud Services},
booktitle={Proceedings of the 4th International Conference on Cloud Computing and Services Science - Volume 1: CLOSER},
year={2014},
pages={476-488},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004855404760488},
isbn={978-989-758-019-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 4th International Conference on Cloud Computing and Services Science - Volume 1: CLOSER
TI - A User Data Location Control Model for Cloud Services
SN - 978-989-758-019-2
AU - Fatema K.
AU - Healy P.
AU - Emeakaroha V. C.
AU - Morrison J. P.
AU - Lynn T.
PY - 2014
SP - 476
EP - 488
DO - 10.5220/0004855404760488