Towards a legislation driven framework for access control and privacy protection in public cloud

Abstract

Cloud computing is an emerging IT paradigm proving cost reduction and flexibility benefits. However security and privacy are serious issues challenging its adoption and sustainability in both social and commercial areas. Public clouds, in particular, present a controversial which is brought up by the need to exchange critical and protected data (even sensitive) between heterogeneous domains that are governed by multiple legislation. Access control is one of the essential and traditional security arms of data protection. However, in the context of open and dynamic environments such as clouds, access control becomes more complicated. This is because the security policies, models and related mechanisms have to be defined across various security domains and enforced in an integrated manner as required. Thus, improving the current access control paradigms is crucial in order to ensure privacy compliance in open and heterogeneous environments. In this paper, we propose a framework that is driven by legislation and which aims to assure an access control that preserves privacy while dealing with personal data hosted in public clouds. In addition, the proposed framework deals with the problem of interoperability between heterogeneous policies governing the processing of personal data on a cloud environment. In this regards, the need for access control delegation is also presented and tackled.