
Who has the data ... and will breach the duty of confidence

  1. Who has the data? ... and will breach the duty of confidence! Emil Lupu, Imperial College London. Panel: Key Challenges in Distributed Security, 22nd IFIP WG 11.3 Working Conference on Data and Applications Security
  2. Body Area Networks for eHealth [Figure: diagram labelled Body Area Networks and Home Appliance Control, with components Events, Monitor, Manager Agent, Managed Objects, Control actions, Decisions, Policies, New functionality]
  3. Ad-hoc collaborations
  4. Pervasive Spaces [Figure: diagram labelled Pervasive Environments, Intelligent Home Networks, Home Appliance Control, Personal Area Networks, PAN Control and Autonomous Vehicles, with components Events, Monitor, Manager Agent, Managed Objects, Control actions, Decisions, Policies, New functionality]
  5. Observations
     • Sensory data is continuously captured and aggregated.
     • Data is frequently exchanged at device level, at application level and at institutional level.
     • Data is often exchanged through intermediaries which may themselves have rights to access the data (and aggregate or modify it) and is stored at multiple locations.
     • Rights to access data are often determined by context which changes dynamically (in addition to longer-lived attributes, e.g., role, competency, ...).
     • Decisions have to be made with intermittent network access, on devices with limited computational capabilities and based on incomplete information.
  6. Goals
     • Retaining control over data usage once data has been exchanged remains an elusive goal that appears in many application scenarios with varying threats.
     • Different research topics aim to address variations of the problem: Document Protection Models, Privacy, UCON, DCON, DRM, ERM, Policy.
     • It’s not just about Access Control but includes obligations (both imperative and deontic), information filtering and/or transformation, monitored conditions, association between policy and data.
     • Access Control models such as RBAC do not easily distribute, scale down or combine with other concepts such as obligations.
  7. Some lessons from elsewhere (non-security)
     • Data processing and device management must be done as close to the origin as possible. Protection?
     • (Constrained) Programmability is the most efficient way of achieving adaptation.
     • Agreements (Contracts) are often desired by all parties.
     • This would imply:
       • Protect data at source. Add layers, e.g. when crossing domain boundaries.
       • Policies (rules) follow data. Partially? enforced by the recipient; context.
       • Establish and enforce Data Sharing Agreements.
  8. Consequence [Figure: diagram labelled Data Sharing Agreement, Refinement, Analysis]
  9. PRiMMA
     • Enforcing privacy policies on small devices
     • Learning privacy policies from user behaviour
  10. Thank you!
