Lecture Notes in Computer Science 5185

More documents

Recommendations

Info

178 S. Alcalde Bagüés et al. Fig. 3. Agreement Negotiation with the obligation is almost impossible. The concept of Non-observable Obligations is described in the work of Hilty et al. [9], they suggest that a possible solution is the use of nontechnical means, such as audits or legal means. We propose instead the idea of employing observable bindings between personal and enterprise frameworks. This is realized by introducing an agreement negotiation protocol together with a trusted notification mechanism, both detailed below. The agreement negotiation protocol, cf. Fig. 3, starts after the evaluation of a service request within a SenTry instance. If the rule effect compiled contains obligations, the Policy Enforcement Point (PEP) queries the OM for an agreement over the pending obligations, step 3 in Figure 3, and the OM launches the negotiation, steps 4 to 9. This protocol enables per-service and per-user resource agreements negotiations that are guaranteed to terminate after at most three negotiation rounds. The Obligation Manager makes a first proposal in the “Negotiating Optimum” stage. The enterprise side cannot make any counter-proposal at this stage, since the user should not be involved during the negotiation. Therefore, it is limited to check the list of obligations attached and to reject or bind them. If the agreement is denied by the enterprise, which means that one or more obligations are rejected, the OM issues the second proposal: “Negotiating Acceptable” stage. It includes a new set of obligations where the rejected obligations of the first set are replaced by their acceptable equivalents. The enterprise service may accept the second proposal, or start the third and last round: “Negotiating Minimum” stage, in which a new set of obligations classified as minimum replaces those rejected. The goals of this negotiation strategy are: i) to allow more than “take or leave” situations, ii) to enable an automatic setup of user’s privacy preferences, and iii) to execute the obligation binding process transparent to the user. In a situation where an enterprise does not accept the third and last proposal, no agreement is reached and the priority of the rejected agreement is taken into account by the OM. Each agreement is labeled with a priority value, one, two or three. Priority one means that the service (enterprise) MUST accept the agreement otherwise permission
Obligations: Building a Bridge between Personal and Enterprise Privacy 179 Fig. 4. Notification Schemes will be denied (step 10). Priority two means that the service SHOULD accept the agreement otherwise data quality will decrease in accuracy. A priority of three means that the service MIGHT accept the agreement and entails the disclosure of the requested data anyway but the user will be notified that no agreement was reached. A user may modify his privacy settings based on the obligations rejected. Our approach to establish a trusted relationship between an enterprise service and the UCPF is based on the possibility to subscribe to notifications about the use of disclosed data. We introduce two complementary notification types as shown in Fig. 4. The notification template shown on the left hand side is used for notifying the UCPF (as subscriber) about the fulfillment or violation of an obligation by the service provider. We have defined seven notifications types, namely: DELETION, ACCESS, LEAKING, REPOSITORY, REQUEST, DISCLOSURE and POLICY. Depending on the notification type used, further parameters need to be provided. E.g. a DELETION notification does not have any parameter, on the other hand, a DISCLOSURE notification should include at least the Subject or Service, recipient of the data, and the Purpose of such disclosure. The use of notifications allows for monitoring the status of the active obligations and to define actions (penalties) in case of a violation. We introduced the tag if Violated (cf. Fig. 3) for this case. It describes the sanctions to be carried out once the OM observes such a violation. The template on the right hand side of Fig. 4 is the notification scheme used by the UCPF to request a report on the state of or a list of the operations on a particular resource. In summary, notifications are leveraged for: i) enabling monitoring of active obligations, ii) auditing the enterprise service, iii) getting access to personal data in the service’s repository (with REPOSITORY notification), iv) knowing when the service’s obligation policy changes in order to re-negotiate agreements, and v) controlling when an active obligation is violated. 4.1 Model of Privacy Obligations in the UCPF In collaboration with the IST project CONNECT, we created a set of 16 obligations as shown in Figure 5. They represent the privacy constraints that a user may impose on
Page 1 and 2:
Lecture Notes in Computer Science 5
Page 3 and 4:
Volume Editors Steven Furnell Unive
Page 5 and 6:
Program Committee General Chairpers
Page 7 and 8:
Invited Lecture Table of Contents B
Page 9 and 10:
Biometrics - How to Put to Use and
Page 11 and 12:
Biometrics-HowtoPuttoUseandHowNotat
Page 13 and 14:
Biometrics-HowtoPuttoUseandHowNotat
Page 15 and 16:
7 Outlook Biometrics-HowtoPuttoUsea
Page 17 and 18:
A Map of Trust between Trading Part
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Implementation of a TCG-Based Trust
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
A Model for Trust Metrics Analysis
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Patterns and Pattern Diagrams for A
Page 49 and 50:
Page 51 and 52:
Policy Model AC model Patterns and
Page 53 and 54:
Broker Investor Doctor Patient 1
Page 55 and 56:
Page 57 and 58:
A Spatio-temporal Access Control Mo
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
A Mechanism for Ensuring the Validi
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Multilateral Secure Cross-Community
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Fairness Emergence through Simple R
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Combining Trust and Reputation Mana
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Controlling Usage in Business Proce
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
A Semantics Rules for POLPA-Control
Page 125 and 126:
Page 127 and 128:
Spatiotemporal Connectives for Secu
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
5.2 Expressiveness Spatiotemporal C
Page 135 and 136: Acknowledgement Spatiotemporal Conn
Page 137 and 138: BusiROLE: A Model for Integrating B
Page 147 and 148: The Problem of False Alarms: Evalua
Page 149 and 150: The Problem of False Alarms 141 pro
Page 151 and 152: The Problem of False Alarms 143 To
Page 153 and 154: The Problem of False Alarms 145 mad
Page 155 and 156: The Problem of False Alarms 147 Des
Page 157 and 158: The Problem of False Alarms 149 3.
Page 159 and 160: A Generic Intrusion Detection Game
Page 171 and 172: On the Design Dilemma in Dining Cry
Page 181 and 182: Obligations: Building a Bridge betw
Page 185: Obligations: Building a Bridge betw
Page 193 and 194: A User-Centric Protocol for Conditi
Page 199 and 200: Identity Escrow: A User-Centric Pro
Page 203 and 204: Preservation of Privacy in Thwartin
Page 213: Agudo, Isaac 28 Aich, Subhendu 118
show all

Lecture Notes in Computer Science 5185

Create successful ePaper yourself

Delete template?

Save as template?