Technical Reports
HPL-2009-357R1
Click here for full text:
GEODAC:A Data Assurance Policy Specification and Enforcement Framework for Outsourced Services
Li, Jun; Stephenson, Bryan; Motahari-Nezhad, Hamid R; Singhal, Sharad
HP Laboratories
HPL-2009-357R1
Keyword(s): Security and Privacy in Services, Security and Privacy Management in Data Collection, Transformation and Dissemination, Service Oriented Computing, Software as Services, Services Delivery Platform and Methodology
Abstract: Many cloud service providers offer outsourcing capabilities to businesses using the software-as-a- service delivery model. However, challenges remain for widespread acceptance of this delivery model as it requires business critical data to be stored and processed outside the control of the business. The ability to manage data in compliance with regulatory and corporate policies, which we refer to as data assurance, is an essential success factor for this delivery model. The challenges include the ability to express service data assurance capabilities, capture customers' requirements and finally enforce these policies inside service providers' environments. This paper addresses these challenges by proposing GEODAC (Global Enforcement Of Data Assurance Controls), a policy framework that enables the expression of both service providers' capabilities and customers' requirements, and enforcement of the agreed-upon requirements in service providers' environments. High- level policy statements are backed in the service provider environment with a state machine-based representation of policies with each state representing a data lifecycle stage. Data assurance related policies including data retention, data migration, and data appropriateness for use can be described in this framework and enforced correspondingly. The approach has been implemented in a prototype tool and evaluated in a distributed services environment.
14 Pages
To be published in IEEE Transactions on Services Computing, Accepted in February 2010.
External Posting Date: April 30, 2010 [Fulltext]. Approved for External Publication
Internal Posting Date: April 30, 2010 [Fulltext]