
Privacy Evaluation Model for Personal Cloud Service

SANG-HO NA

EUI-NAM HUH

Computer Engineering, Electronic and Information College

KyungHee University, Global Campus

Seocheon-dong, Giheung-gu, Yongin-si, Gyeonggi-do

Korea

[email protected]

[email protected]

Abstract: - Personal cloud services let consumers have a seamless “4S experience”: storing, synchronizing, streaming and sharing their content regardless of device or platform. We expect the personal cloud to integrate and federate cloud services and to manage user data as a whole. These needs also raise privacy problems, because of the main features of cloud computing such as the outsourcing of resources. We propose a definition of personal information and discuss the potential threats along the flow of data (personal information) in a personal cloud service. Building on this, we discuss the key functions and requirements for guaranteeing user anonymity while at the same time providing user-identifiable information to the service provider. Finally, we propose a privacy evaluation model and verify our discussion with a simple scenario.

Key-Words: - Privacy Evaluation, Personal Cloud, Inter-Cloud, Anonymity, data life cycle, top 7 threats

1 Introduction

Five to ten years ago it was a device-centric age: users obtained diverse information through diverse performance-oriented devices. Web-based apps then met users’ needs, such as ubiquitous access, ease of sharing and convenient use without installation, as mobile and portable devices with limited internal storage and performance were widely adopted. The limited processing and memory capabilities of mobile devices have always required some use of the “cloud” to deliver mobile applications and services. According to the technology research and advisory firm Gartner, Inc. [1], the “cloud” lets consumers have a seamless “4S experience” (store, synch, stream and share their content regardless of device or platform), and cloud services for accessing content will be integrated into 90 percent of all connected consumer devices. This is called the personal cloud.

Additionally, international standardization study groups such as ITU-T explicitly address cloud orchestration and brokerage. The middle functional domain [2] described by FG Cloud (Focus Group on Cloud) for cloud orchestration is basically responsible for policy-driven automation of resource creation, allocation, tear-down and operational optimization. This functionality of the service orchestration domain is extended to (service) brokers, which are one component of the service orchestration architecture. A broker is an organization that sits between cloud providers and their customers, offering services including integration, aggregation and customization with the inter-cloud function [3] in the cloud ecosystem.

These directions in cloud service mean that sharing users’ personally identifiable information (PII) between cloud service providers is an inevitable consequence. As personal cloud services put the 4S experience first, our privacy is exposed as it was in the past, and more, as yet unknown, threats lurk in the cloud services of the future. That is why the privacy issue emerges in cloud environments. As we have experienced, infrastructure and data security in the personal cloud is, for many organizations (e.g., large enterprises), likely to be less robust than their own current capabilities. With this security posture, it follows that the risk of a privacy breach also increases [11].

In fact, different countries, cultures and jurisdictions have diverse concepts of privacy. In computer systems, however, privacy rights relate to the collection, use, disclosure, storage and destruction of personal data. We therefore discuss how privacy can be preserved along the data flow when we use a personal cloud. We examine the concept of privacy, how to preserve it, and what kinds of threats we should consider for privacy protection, in particular in cloud environments that include the cloud orchestration and broker concepts. We attempt to evaluate privacy cost based on vulnerability and the data life cycle. The remainder of this paper is organized as follows:

In section 2 we give an overview of privacy-related research and the personal information life cycle; in section 3 we propose the privacy evaluation model for the personal cloud; in section 4 we verify the idea by evaluating a scenario; section 5 concludes the paper and outlines future work.

2 Related Works

2.1 Cloud Architecture

Nowadays mobile devices such as smartphones and tablets make the personal cloud more accessible to users. However, standardization of a cloud ecosystem and architecture that fully supports inter-cloud operation and orchestration is, in our view, still at an early stage. As mentioned above, the basic cloud architecture of FG Cloud [2] has been expanded into a more advanced cloud reference architecture [3] integrated with inter-cloud federation, shown in figure 1. That figure describes a scenario where trusted CSPs (Cloud Service Providers) logically join together by integrating their resources. The “inter-cloud function” is described as follows:

Fig.1 Inter-Cloud Federation Option

“The Inter-cloud function can be implemented in different manners, including inter-cloud peering, inter-cloud service broker and inter-cloud federation. When a CSP plays the Inter-cloud Service Broker role, the requesting entity (Cloud Service User or CSP) continues to access the brokered services via the Endpoint Function; however, the implementation of the Access Layer will decide whether to serve the request locally, or route them to external CSPs via the Inter-cloud function [3].”

According to the requirements on the Inter-Cloud Service Broker (ISB) capability in [3], the ISB provides and executes services of three categories: service intermediation, service aggregation and service arbitrage. Especially interesting from our point of view is the role of the “Security & Privacy Function” among the cross-layer functions. Of particular importance in this regard is access control in the access layer, which fits the architecture well: it should consider how to obtain access rights to other CSPs and which information may be shared between entities within the scope of privacy preservation.

2.2 Privacy

In recent years, numerous studies have attempted to protect and preserve privacy in internet-based computing such as web services, online storage (cloud), SNS, etc. These studies [4-7] focus on the following questions:

a. How can users share their content among many collaborative groups?

b. How can a system or service be made aware of privacy risks or breaches?

c. How can personal information be protected?

Some studies [8, 9], furthermore, address the question of what privacy is and how it can be managed. In [8], the author gives convincing answers to the following goals regarding privacy:

• The different technologies for distributed computing essentially try to solve the same basic problems.

• Protocols for privacy and non-repudiation can be designed for a generalized distributed environment and easily adapted to the different distributed computing environments.

• Those protocols can be analysed with formal methods.

With these goals in mind, the author provides a basic concept of the relationship between privacy and accountability, shown in figure 2.


Fig.2 Privacy vs. Accountability

The author states that privacy and accountability are obviously not opposing extremes, but rather two non-trivial goals that are not easy to reach in complex environments.

A life cycle of personal data (or personally identifiable information, PII) is presented in [9]. That work describes how personal information should be managed as part of the data used by organizations, in this case cloud service providers. Accordingly, it considers the impact of the cloud on the protection of personal information in each of the seven phases: generation, use, transfer, transformation, storage, archival and destruction.

3 Proposed Scheme

Section 2 surveyed recent research on cloud architecture and privacy. In this section we describe our proposal, a privacy evaluation model for the personal cloud. As mentioned, the key to privacy preservation is segregating personal data (or personally identifiable information), which is used to recognize the user in systems or services, from each layer [2, 3] when we use the cloud. For the purposes of this discussion, we classify personal data into two types.

• Given information: user information that is voluntarily given to service providers when we join a service, such as name, ID, email address, etc.

• Generated information: when we use a service, the system generates some user-related information for serving or managing the user. For example, the system usually generates user activity log files, collects user-related information and stores it in the system. Sometimes service providers require additional ‘input’ for an additional service. In general, generated information combined with some given information can identify a specific user.

3.1 Privacy Threats and Requirements

For the purpose of our privacy evaluation model, our primary question is what kind of user information is given to the system (or service provider). Is the information a system requires necessarily the given information defined above? Our answer is no. According to the Cloud Security Alliance [11], the top 7 threats of cloud computing are abuse and nefarious use of cloud computing, insecure interfaces and APIs, malicious insiders, shared technology issues, data loss or leakage, account or service hijacking, and unknown risk profile. Apart from malicious insiders, however, these threats can be addressed with present security technology if we disregard cloud performance. Hence we consider how to evaluate the vulnerability of each process or layer with respect to privacy, and then propose a simplified privacy evaluation model based on the data life cycle and the threats.

For the privacy evaluation we consider the cost of each threat with respect to the data life cycle [9], based on the top 7 threats of cloud computing [11]. The cost evaluation method is illustrated in subsection 3.2. The key requirement, to be exact, is confidentiality of generated information. Encrypting all generated information, however, overloads the system and degrades performance. We therefore propose segregating the generated information of each layer in figure 1. The requirements are as follows:

a. Given information is securely stored in the access control layer.

b. Each layer uses locally generated information to identify a specific user. This means that a malicious insider in any one layer cannot infer a specific user from the generated information or stored data that layer holds.

c. The access control scheme is based on context that includes a pseudo-identity, role-based information, and a description of the situation in which the request was made.

3.2 Privacy Evaluation Modeling

We propose a privacy evaluation model based on the data life cycle and threats, working under the following notation and assumptions.

Table 1. Notation

Notation               Meaning
PI_given               Given Information
PI_gen                 Generated Information
PII                    Personal Identifiable Information
C(Layer)               The cost of each layer (fig. 1)
G, U, T, TF, S, A, D   Life cycle: Generation, Use, Transfer, Transformation, Store, Archival, Destruction
W_x                    A weight value of life cycle x
UL, AL, SL, RNL        User Layer, Access Layer, Service Layer, Resource & Network Layer in the reference architecture

Assumptions

• Personal information is a kind of data and is classified as given information and generated information.

• Probability of PII:

  $\mathrm{PII} = \mathrm{PI}_{given} \cdot N + \mathrm{PI}_{gen} \cdot M = 1$   (3.1)

  PI is personal information; N and M are the numbers of information items. If PII = 1, privacy has been invaded.

• In general, PI_gen is specific information related to managing the service:

  $\mathrm{PI}_{gen} \cdot m < 1$   (3.2)

  Generated information cannot by itself be used to identify a specific person; quite a few PI_given items are needed to identify a specific person.

• All personal information is managed through the data life cycle (generation, use, transfer, transformation, store, archival, destruction) in each layer (fig. 1) of cloud computing.

The cost of privacy is evaluated with equation (3.3) below.

(3.3)

Each life-cycle phase has potential vulnerabilities with respect to the top 7 threats in cloud computing. We therefore calculate each weight value (table 2) using equation (3.4) below and table 3.

(3.4)

Table 2. Weight Value

Weight Value   Related Threats
Wg    3/7      2, 6, 7
Wu    5/7      1, 3, 4, 5, 7
Wt    4/7      2, 4, 6, 7
Wtf   4/7      2, 3, 5, 7
Ws    5/7      1, 2, 3, 4, 7
Wa    4/7      1, 3, 5, 7
Wd    3/7      2, 3, 7

Table 3. Top 7 Threats [11]

No.  Threats
1    abuse and nefarious use
2    insecure interfaces and APIs
3    malicious insiders
4    shared technology issues
5    data loss or leakage
6    account or service hijacking
7    unknown risk profile

Here we should discuss one important aspect of our assumption: whether PI_gen should have the same weight value as PI_given. As noted, PI_gen is generated only for managing the service and the user. By our definition, PI_gen cannot include identifiable information about a specific user. Even if there are thousands of PI_gen items, if no PI_given items can be combined with them to reconstruct the personal information, then PI_gen is useless. We therefore add to and modify the weight value Wg as below.

Table 4. Weight Value of Generation

Weight Value         Related Threats
Wg   Wgiven   3/7    2, 6, 7

Each value of [Layer, Life Cycle] can be calculated from the questions below. In practice these questions have various answers depending on the service architecture; to be exact, we would need to know how many processes are running and how much personal information is shared inside each service. Hence we simplify the specific processes for modelling from the life cycle’s viewpoint.

- How many PI_given items are generated?

- How many processes are related to each life-cycle phase? Here processes means all processing for use, transfer, destruction, etc.

- How many memories are there that could store personal information temporarily or permanently?

The cost of the user layer C(UL), for example, is expressed in terms of α, β, γ and ρ, where α is the number of transfers, β is the number of information items derived by the transformation process, γ is the number of memories and ρ is the number of archival information items. Because the user layer should not use, transform, store or hold (archive) personal information, [UL, U] = [UL, TF] = [UL, D] are 0. γ and ρ are less than the number of PI_given items.

Fig. 3 Scenario

Total cost of a specific user:

(3.5)

which is the sum of the costs in each layer (User Layer, Access Layer, Service Layer, Resource and Network Layer), and we add Scnt because the “Inter-Cloud Function (Federation)” mentioned above [2, 3] provides collaborative cloud services by sharing users’ personal information, if the user has agreed to that. Scnt is the number of the user’s services among the inter-cloud services.

4 Evaluation

Using the privacy evaluation model of section 3 we can evaluate privacy quantitatively. According to the model, each layer of a personal cloud that provides the “Inter-Cloud Function” should use locally generated information to identify a specific user. Otherwise the total cost increases, because PI_given has a larger weight value than PI_gen and the cost of [L, G] grows linearly with PI_given. The generated information used to identify a specific user can be provided by the access layer, which is the more secure way because we assume that users’ personal information is secure in the access layer. This provides anonymity to the user and, at the same time, identifiable information to the service layer.

Then, even if personal information is leaked through vulnerabilities of each layer with respect to the top 7 threats, PII cannot reach 1 (which would mean invasion of privacy), according to equation (3.2). We give one example of a privacy evaluation result under the scenario below.

Scenario:

Personal cloud service 1 (S1) uses the ID given by the user to identify the user between layers, as services generally do. Personal cloud service 2 (S2) uses a pseudo-ID generated in the access layer after the user has joined, as in fig. 3. Fig. 3 illustrates how the two services differ with respect to PI.

We assume that these two services have the same environment with respect to the parameters in equations (3.3)~(3.5). Hence the cost values in each service are almost the same, except for generation, transfer and store, the processes that handle PI.

Writing the total costs as C(U)S1 and C(U)S2, the costs of the user layer are

(4.1)

According to the scenario, C(AL)S1 and C(AL)S2 are described as follows:

(4.2)

(4.3)

where [ ]x denotes the corresponding terms in each equation and n, m and l are constants. According to equation (3.2), if PIgen has a sufficiently low value (< 1), then

(4.4)

Therefore,

(4.5)

By the same procedure, C(SL) and C(RNL) of each service can be calculated, and the difference of each cost value is as follows:

(4.6)

Finally, C(U)S1 - C(U)S2 is as follows:

(4.7)

This means that the difference in the total cost of privacy increases linearly with the number of given information items shared between layers and with the number of the user’s integrated services. Consequently, according to the above evaluation, the efficient way to reduce potential privacy threats is, as we know, to guarantee anonymity.
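The weight derivation of subsection 3.2 and the S1/S2 comparison of this section, carried through as an added Python example that is not part of the paper. Equations (3.3)-(3.5) and (4.1)-(4.7) do not survive in this copy, so the weighted-sum form of the layer cost, the discount factor applied to PIgen, the multiplication by Scnt and all per-layer counts are assumptions, stated in the code comments; only the weights W_x = (number of related threats)/7 are taken directly from tables 2 and 3.

```python
"""Toy implementation of the paper's privacy cost model (added example).

Assumptions (the paper's equations (3.3)-(3.5) and (4.x) are not available here):
  * W_x = |threats related to life-cycle phase x| / 7, which reproduces the
    fractions of Table 2 from its "related threats" column.
  * C(layer) = sum over phases x of W_x * (n_given + f * n_gen), where n_given
    and n_gen count the PI_given / PI_gen items handled in that phase and the
    factor f < 1 discounts generated information as equation (3.2) suggests.
  * Total cost = S_cnt * (C(UL) + C(AL) + C(SL) + C(RNL)).
All per-layer counts below are constructed for illustration only.
"""
from fractions import Fraction

PHASES = ("G", "U", "T", "TF", "S", "A", "D")

# Table 3 numbering of the CSA top 7 threats.
THREATS = {
    1: "abuse and nefarious use",
    2: "insecure interfaces and APIs",
    3: "malicious insiders",
    4: "shared technology issues",
    5: "data loss or leakage",
    6: "account or service hijacking",
    7: "unknown risk profile",
}

# Table 2: life-cycle phase -> threats that can affect it.
RELATED_THREATS = {
    "G": (2, 6, 7),
    "U": (1, 3, 4, 5, 7),
    "T": (2, 4, 6, 7),
    "TF": (2, 3, 5, 7),
    "S": (1, 2, 3, 4, 7),
    "A": (1, 3, 5, 7),
    "D": (2, 3, 7),
}

PI_GEN_FACTOR = Fraction(1, 10)  # assumed discount for PI_gen items (must be < 1)


def weight(phase):
    """W_x: share of the top-7 threats that threaten phase x (Table 2)."""
    return Fraction(len(RELATED_THREATS[phase]), len(THREATS))


def layer_cost(counts, f=PI_GEN_FACTOR):
    """counts maps phase -> (n_given, n_gen); phases not listed count as zero."""
    total = Fraction(0)
    for phase in PHASES:
        n_given, n_gen = counts.get(phase, (0, 0))
        total += weight(phase) * (n_given + f * n_gen)
    return total


def total_cost(layers, s_cnt):
    """Sum of the four layer costs, scaled by the number of inter-cloud
    services S_cnt that share the user's information (assumed form of (3.5))."""
    return s_cnt * sum(layer_cost(c) for c in layers.values())


def scenario_layers(pseudo_id, n):
    """Per-layer counts for the section 4 scenario (constructed values).

    n identifiers flow from the user through the access, service and
    resource/network layers. In S1 (pseudo_id=False) that identifier is the
    user's given ID; in S2 (pseudo_id=True) the access layer generates a
    pseudo-ID and only that PI_gen item travels downstream. The user layer
    does not use, transform or destroy PI (subsection 3.2); the access layer
    stores the given information in both services (requirement a).
    """
    down = (0, n) if pseudo_id else (n, 0)  # identifier seen by lower layers
    return {
        "UL": {"G": (n, 0), "T": (n, 0)},
        "AL": {"G": (0, n) if pseudo_id else (0, 0), "T": down, "S": (n, 0)},
        "SL": {"U": down, "T": down, "S": down},
        "RNL": {"T": down, "S": down},
    }


def cost_difference(n, s_cnt):
    """C(U)_S1 - C(U)_S2: the privacy cost saved by using a pseudo-ID."""
    c_s1 = total_cost(scenario_layers(False, n), s_cnt)
    c_s2 = total_cost(scenario_layers(True, n), s_cnt)
    return c_s1 - c_s2


if __name__ == "__main__":
    for phase in PHASES:
        print(f"W_{phase} = {weight(phase)}")
    for n, s in ((1, 1), (2, 1), (1, 3)):
        print(f"n={n}, S_cnt={s}: C(U)_S1 - C(U)_S2 = {cost_difference(n, s)}")
```

Under these assumptions the difference C(U)S1 - C(U)S2 is proportional to both n (the given identifiers shared between layers) and Scnt, which is the linear relationship the paper states for (4.7); changing PI_GEN_FACTOR shows how the advantage of the pseudo-ID shrinks as generated information comes closer to identifying the user.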

5 Conclusion

In this paper we propose a simplified privacy evaluation model based on the data life cycle and the top 7 threats. Using the model, we discuss which functions are needed for privacy preservation in the personal cloud and how anonymity can be provided to the user. This research is an initial attempt at modelling and evaluating privacy in our work. In future work we will analyze and define the relationship between PIgiven and PIgen in detail and, based on that, propose a more precise evaluation model together with an access control and sharing scheme for the personal cloud.

Acknowledgment

This research was supported by the Next-Generation Information Computing Development Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education, Science and Technology (2012-0006418) and by the MKE (The Ministry of Knowledge Economy), Korea, under the ITRC (Information Technology Research Center) support program supervised by the NIPA (National IT Industry Promotion Agency) (NIPA-2012-(H0301-12-2001)).

References:

[1] Gartner, Inc., www.gartner.com

[2] ITU-T Focus Group on Cloud Computing, cloud-reference_architecture_draft, December 2010.

[3] ITU-T Focus Group on Cloud Computing, cloud-o-0080-reference_architecture, December 2011.

[4] Hassina Meziane and Salima Benbernou, A dynamic privacy model for web services, Comput. Stand. Interfaces 32, 5-6 (October 2010), pp. 288-304.

[5] Hui Wang, Privacy-preserving data sharing in cloud computing, Journal of Computer Science and Technology, 25(3), pp. 401-414 (2010).

[6] Fa-Chang Cheng and Wen-Hsing Lai, The Impact of Cloud Computing Technology on Legal Infrastructure within Internet—Focusing on the Protection of Information Privacy, Procedia Engineering, Vol. 29, pp. 241-251 (2012).

[7] Xiang Zou, Bing Chen, and Bo Jin, Cloud-Based Identity Attribute Service with Privacy Protection in Cyberspace, Procedia Engineering, Vol. 29, pp. 1160-1164 (2012).

[8] Espen Torseth (Ed.), Privacy and Accountability in the Cloud – Based on Exploring Private and Accountable Storage in Distributed and Dynamic Environments, VDM (2009).

[9] Tim Mather, Subra Kumaraswamy and Shahed Latif, Cloud Security and Privacy – An Enterprise Perspective on Risks and Compliance, O’Reilly (2009), pp. 145-165.

[10] Cloud Security Alliance, Top Threats to Cloud Computing V1.0, http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf.
