
Who has the data ... and will breach the duty of confidence

Panel Statement: Key Challenges in Distributed Security
22nd Conference on Data and Applications Security


  1. Who has the data? ... and will breach the duty of confidence. Emil Lupu, Imperial College London. Panel: Key Challenges in Distributed Security, 22nd IFIP WG 11.3 Working Conference on Data and Applications Security
  2. Body Area Networks for eHealth [Diagram labels: Home Appliance Control, Events, Monitor, Manager Agent, Managed Objects, Control actions, Decisions, Policies, New functionality, Body Area Networks]
  3. Ad-hoc collaborations
  4. Pervasive Spaces [Diagram labels: PAN Control, Autonomous Vehicles, Personal Area Networks, Home Appliance Control, Intelligent Home Networks, Pervasive Environments, Events, Monitor, Manager Agent, Managed Objects, Control actions, Decisions, Policies, New functionality]
  5. Observations
     • Sensory data is continuously captured and aggregated.
     • Data is frequently exchanged at device level, at application level and at institutional level.
     • Data is often exchanged through intermediaries which may themselves have rights to access the data (and aggregate or modify it) and is stored at multiple locations.
     • Rights to access data are often determined by context which changes dynamically (in addition to longer lived attributes e.g., role, competency, ...).
     • Decisions have to be made with intermittent network access, on devices with limited computational capabilities and based on incomplete information.
  6. Goals
     • Retaining control over data usage once data has been exchanged remains an elusive goal that appears in many application scenarios with varying threats.
     • Different research topics aim to address variations of the problem: Document Protection Models, Privacy, UCON, DCON, DRM, ERM, Policy.
     • It’s not just about Access Control but includes obligations (both imperative and deontic), information filtering and/or transformation, monitored conditions, association between policy and data.
     • Access Control models such as RBAC do not easily distribute, scale down or combine with other concepts such as obligations.
  7. Some lessons from elsewhere (non-security)
     • Data processing and device management must be done as close to the origin as possible. Protection?
     • (Constrained) Programmability is the most efficient way of achieving adaptation.
     • Agreements (Contracts) are often desired by all parties.
     • This would imply:
       • Protect data at source. Add layers e.g. when crossing domain boundaries.
       • Policies (rules) follow data. Partially? enforced by the recipient; context.
       • Establish and enforce Data Sharing Agreements.
  8. Consequence [Diagram labels: Data Sharing Agreement, Refinement, Analysis]
  9. PRiMMA
     • Enforcing privacy policies on small devices
     • Learning privacy policies from user behaviour
  10. Thank you!
