Service Level Agreement-based GDPR Compliance and Security assurance in (multi)Cloud-based systems
Compliance with the new European General Data Protection Regulation (Regulation (EU) 2016/679) and security
assurance are currently two major challenges of Cloud-based systems. GDPR compliance implies both privacy and security
mechanisms definition, enforcement and control, including evidence collection. This paper presents a novel DevOps
framework aimed at supporting Cloud consumers in designing, deploying and operating (multi)Cloud systems that include
the necessary privacy and security controls for ensuring transparency to end-users, third parties in service provision (if any)
and law enforcement authorities. The framework relies on the risk-driven specification at design time of privacy and security
level objectives in the system Service Level Agreement (SLA) and in their continuous monitoring and enforcement at runtime.

The research leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 644429 and No 780351, MUSA project and ENACT project, respectively. We would also like to acknowledge all the members of the MUSA Consortium and ENACT Consortium for their valuable help.
Cyber insurance of information systems: Security and privacy cyber insurance contracts for ICT and healthcare organizations
Nowadays, more and more aspects of our daily activities are digitalized. Data and assets in cyberspace, both for individuals and organizations, must be safeguarded. Thus, the insurance sector must face the challenge of digital transformation in the 5G era with the right set of tools. In this paper, we present CyberSure, an insurance framework for information systems. CyberSure investigates the interplay between certification, risk management, and insurance of cyber processes. It promotes continuous monitoring as the new building block for cyber insurance in order to overcome the current obstacles of identifying contractual violations by the insured party in real time and receiving early warning notifications prior to the violation. Lightweight monitoring modules capture the status of the operating components and send data to the CyberSure backend system, which performs the core decision making. Therefore, an insured system is certified dynamically, with the risk and insurance perspectives being evaluated at runtime as the system operation evolves. As new data become available, the risk management and the insurance policies are adjusted and fine-tuned. When an incident occurs, the insurance company possesses adequate information to assess the situation fast, estimate accurately the level of a potential loss, and decrease the period required for compensating the insured customer. The framework is applied in the ICT and healthcare domains, assessing the systems of medium-size organizations. GDPR implications are also considered, with the overall setting being effective and scalable.
Big Data Assurance Evaluation: An SLA-Based Approach.
The Big Data community has started noticing that there is the need to complete Big Data platforms with assurance techniques proving the correct behavior of Big Data
analytics and management. In this paper, we propose a Big Data assurance solution based on Service-Level Agreements (SLAs), focusing on a platform providing Model-based Big Data Analytics-as-a-Service (MBDAaaS)
An Integrated Framework for the Methodological Assurance of Security and Privacy in the Development and Operation of MultiCloud Applications
x, 169 p.

This Thesis studies research questions about how to design multiCloud applications taking into account security and privacy requirements to protect the system from potential risks, and about how to decide which security and privacy protections to include in the system. In addition, solutions are needed to overcome the difficulties in assuring that security and privacy properties defined at design time still hold all along the system life-cycle, from development to operation.

In this Thesis an innovative DevOps integrated methodology and framework are presented, which help to rationalise and systematise security and privacy analyses in multiCloud to enable an informed decision process for risk-cost balanced selection of the protections of the system components and the protections to request from the Cloud Service Providers used. The focus of the work is on the Development phase of the analysis and creation of multiCloud applications.

The main contributions of this Thesis for multiCloud applications are four: i) the integrated DevOps methodology for security and privacy assurance; and its integrating parts: ii) a security and privacy requirements modelling language, iii) a continuous risk assessment methodology and its complementary risk-based optimisation of defences, and iv) a Security and Privacy Service Level Agreement Composition method.

The integrated DevOps methodology and its integrating Development methods have been validated in the case study of a real multiCloud application in the eHealth domain. The validation confirmed the feasibility and benefits of the solution with regard to the rationalisation and systematisation of security and privacy assurance in multiCloud systems.
Data Privacy and Trust in Cloud Computing
This open access book brings together perspectives from multiple disciplines including psychology, law, IS, and computer science on data privacy and trust in the cloud. Cloud technology has fueled rapid, dramatic technological change, enabling a level of connectivity that has never been seen before in human history. However, this brave new world comes with problems. Several high-profile cases over the last few years have demonstrated cloud computing's uneasy relationship with data security and trust. This volume explores the numerous technological, process and regulatory solutions presented in academic literature as mechanisms for building trust in the cloud, including GDPR in Europe. The massive acceleration of digital adoption resulting from the COVID-19 pandemic is introducing new and significant security and privacy threats and concerns. Against this backdrop, this book provides a timely reference and organising framework for considering how we will assure privacy and build trust in such a hyper-connected digitally dependent world. This book presents a framework for assurance and accountability in the cloud and reviews the literature on trust, data privacy and protection, and ethics in cloud computing
Cloud technology options towards Free Flow of Data
This whitepaper collects the technology solutions that the projects in the Data Protection, Security and Privacy Cluster propose to address the challenges raised by the working areas of the Free Flow of Data initiative. The document describes the technologies, methodologies, models, and tools researched and developed by the clustered projects mapped to the ten areas of work of the Free Flow of Data initiative. The aim is to facilitate the identification of the state-of-the-art of technology options towards solving the data security and privacy challenges posed by the Free Flow of Data initiative in Europe. The document gives reference to the Cluster, the individual projects and the technologies produced by them
MSL Framework: (Minimum Service Level Framework) for cloud providers and users
Cloud computing enables parallel computing and has emerged as an efficient technology to meet the challenges of the rapid growth of data that we experience in this Internet age. Cloud computing is an emerging technology that offers subscription-based services, and provides different models such as IaaS, PaaS and SaaS, among others, to cater to the needs of different user groups. The technology has enormous benefits, but there are serious concerns and challenges related to the lack of uniform standards or the nonexistence of a minimum benchmark for the level of services offered across the industry to provide an effective, uniform and reliable service to cloud users. As cloud computing gains popularity, organizations and users are having problems adopting the service due to the lack of a minimum service level framework which can act as a benchmark in the selection of the cloud provider and provide quality of service according to the user’s expectations. The situation becomes more critical due to the distributed nature of the service provider, which can be offering the service from any part of the world. Due to the lack of a minimum service level framework that would act as a benchmark to provide a uniform service across the industry, serious concerns have been raised recently: security and data privacy breaches, authentication and authorization issues, lack of third-party audit and identity management problems, variable integrity, confidentiality and data availability standards, no uniform incident response and monitoring standards, interoperability and lack of portability standards, identity management issues, lack of infrastructure protection service standards, and weak governance and compliance standards are major causes of concern for cloud users. Due to confusion and the absence of universally agreed SLAs for a service model, different qualities of service are being provided across the cloud industry. Currently there is no uniform performance model agreed by all stakeholders which can provide performance criteria to measure, evaluate, and benchmark the level of services offered by various cloud providers in the industry. With the implementation of the General Data Protection Regulation (GDPR) and demand from cloud users to have Green SLAs that provide a better resource allocation mechanism, there will be serious implications for cloud providers and their consumers due to the lack of uniformity in SLAs and variable standards of service offered by various cloud providers.

This research examines weaknesses in service level agreements offered by various cloud providers and the impact of the absence of a uniformly agreed minimum service level framework on the adoption and usage of cloud services. The research is focused around a higher education case study and proposes a conceptual model based on a uniform minimum service model that acts as a benchmark for the industry to ensure quality of service to cloud users in the higher education institution and remove the barriers to the adoption of cloud technology. The proposed Minimum Service Level (MSL) framework provides a set of minimum and uniform standards in the key concern areas raised by the participants of the HE institution which are essential to cloud users, and provides a minimum quality benchmark that becomes a uniform standard across the industry. The proposed model produces cloud computing implementation evaluation criteria, which is an attempt to reduce the adoption barrier of cloud technology and set minimum uniform standards followed by all cloud providers regardless of their hosting location, so that their performance can be measured, evaluated and compared across the industry to improve the overall QoS (Quality of Service) received by cloud users, remove the adoption barriers and concerns of cloud users, and increase competition across the cloud industry.

Cloud computing provides parallel computing and has emerged as an efficient technology to face the challenges of the rapid growth of data that we are living through in the Internet age. Cloud computing is an emerging technology that offers subscription-based services and provides different models such as IaaS, PaaS and SaaS, among other models, to meet the needs of different user groups. The technology has enormous benefits, but serious concerns and challenges persist related to the lack of uniform standards or the nonexistence of a minimum benchmark for the level of services offered in the industry to provide an effective, uniform and reliable offering to cloud users. As cloud computing gains popularity, both organizations and users are facing problems in adopting the service due to the lack of a minimum service level framework that could act as a reference point in the selection of the cloud provider and deliver quality of service according to the user’s expectations. The situation becomes more critical due to the distributed nature of the service provider, which may originate from any part of the world. Due to the lack of a minimum service level framework that would act as a benchmark to provide a uniform service across the industry, serious concerns have recently been raised in terms of security and data privacy breaches, authentication and authorization, lack of third-party audit and identity management problems, integrity, confidentiality and data availability, lack of uniformity of standards, failure to respond to incidents and to monitor standards, interoperability and the lack of portability standards, issues related to identity management, lack of infrastructure protection service standards, and weak governance and compliance with standards, which constitute further important causes of concern for users. Due to the confusion and absence of universally agreed SLAs for a service model, differing quality of services is being provided through the cloud by the cloud computing industry. Currently, there is no uniform performance model agreed by all stakeholders which could provide performance criteria to measure, evaluate and compare the level of services offered by various cloud computing providers in the industry.

With the implementation of the General Data Protection Regulation (GDPR) and the demand for cloud services based on environmental impact (Green SLAs), additional concerns are added and there are serious implications for cloud computing providers and their consumers, also due to the lack of uniformity in the multiplicity of SLAs and service standards offered. The present research examines the weaknesses in service level agreements offered by cloud computing providers and studies the impact of the absence of an agreed minimum service level framework on adoption and use in the context of cloud computing. The research is oriented towards the adoption of these services in the case of higher education and higher education institutions, and proposes a conceptual model based on a uniform minimum service model that acts as a reference for the industry, to guarantee quality of service for cloud users in a higher education institution so as to eliminate the barriers to the adoption of cloud computing technology. The proposed Minimum Service Level (MSL) provides a minimum set of uniform standards in the areas of the main concerns raised by those responsible at higher education institutions, which are essential in order to provide a minimum quality benchmark that can become a uniform standard across the industry. The proposed model is an attempt to reduce the barrier to adoption of cloud computing technology and to define minimum standards followed by all cloud computing providers, regardless of their hosting location, so that their performance can be measured, evaluated and compared across the industry, to improve the quality of service (QoS) received by users and remove the adoption barriers and concerns of users, as well as to foster increased competition across the entire cloud computing industry.
Using the blockchain to enable transparent and auditable processing of personal data in cloud-based services: Lessons from the Privacy-Aware Cloud Ecosystems (PACE) project
The architecture of cloud-based services is typically opaque and intricate. As a result, data subjects cannot exercise adequate control over their personal data, and overwhelmed data protection authorities must spend their limited resources in costly forensic efforts to ascertain instances of non-compliance. To address these data protection challenges, a group of computer scientists and socio-legal scholars joined forces in the Privacy-Aware Cloud Ecosystems (PACE) project to design a blockchain-based privacy-enhancing technology (PET). This article presents the fruits of this collaboration, highlighting the capabilities and limits of our PET, as well as the challenges we encountered during our interdisciplinary endeavour. In particular, we explore the barriers to interdisciplinary collaboration between law and computer science that we faced, and how these two fields’ different expectations as to what technology can do for data protection law compliance had an impact on the project's development and outcome. We also explore the overstated promises of techno-regulation, and the practical and legal challenges that militate against the implementation of our PET: most industry players have no incentive to deploy it, the transaction costs of running it make it prohibitively expensive, and there are significant clashes between the blockchain's decentralised architecture and GDPR's requirements that hinder its deployability. We share the insights and lessons we learned from our efforts to overcome these challenges, hoping to inform other interdisciplinary projects that are increasingly important to shape a data ecosystem that promotes the protection of our personal data