Furthermore, so-called obligation monitors can be used to trigger the fulfillment of obligations which are part of privacy policies. Obligations can, among other goals, be used to restrict the PII data retention, so, e.g., all user data has to be deleted 90 days after the service usage has finished and all invoices have been settled. Some implementations also allow the users to specify obligations, e.g., to be notified by email whenever one's credit card is being charged by the SP, i.e., when the credit card detail attributes are being accessed for a purpose such as billing.
As an organization's privacy policies may change over time, it is vital for the privacy management system to keep track of which version of the policy was in use when a user signed up for a service. The sticky policy paradigm (Mont, Pearson, & Bramhall, 2003) glues the relevant policies to the user data so they cannot be separated anymore.
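The two preceding paragraphs describe obligation monitors and sticky policies in the abstract. The following is an added example, not code from the chapter or from any of the cited systems, that puts both together in a toy Python obligation monitor: each user record carries the version identifier of the policy it was created under (the sticky part), and the monitor evaluates the retention obligation (delete after the policy's retention period, but only once service usage has ended and all invoices are settled) and the user-specified notification obligation (notify on credit card access for billing) against that record's own policy version rather than the organization's current one. The policy versions, user records, attribute values and dates are all constructed for the example.

```python
"""Added example (not from the chapter): a toy obligation monitor whose
retention and notification obligations are read from the policy version
that is stuck to each user record at sign-up. All policy contents, user
records and dates below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical policy versions. "2009-v1" is the version users originally
# signed up under; "2010-v2" is the organization's current policy, with a
# shorter retention period and one more purpose that triggers a notification.
POLICY_VERSIONS = {
    "2009-v1": {"retention_days": 90,
                "notify_on_access": {"credit_card": ["billing"]}},
    "2010-v2": {"retention_days": 30,
                "notify_on_access": {"credit_card": ["billing", "fraud-check"]}},
}
CURRENT_POLICY = "2010-v2"


@dataclass
class UserRecord:
    user_id: str
    email: str
    policy_version: str                  # sticky policy: fixed at sign-up, travels with the PII
    pii: dict
    service_end: Optional[date] = None   # None while the service is still in use
    invoices_settled: bool = False
    deleted: bool = False


def retention_due(record: UserRecord, today: date) -> bool:
    """The retention obligation fires only after service usage has finished,
    all invoices are settled, and the period of the record's own policy has elapsed."""
    if record.deleted or record.service_end is None or not record.invoices_settled:
        return False
    days = POLICY_VERSIONS[record.policy_version]["retention_days"]
    return today >= record.service_end + timedelta(days=days)


def enforce_retention(records, today: date):
    """One obligation-monitor run: delete PII whose retention obligation is due.
    Returns the ids of the records deleted in this run."""
    deleted = []
    for record in records:
        if retention_due(record, today):
            record.pii = {}          # the obligation's action: drop the PII
            record.deleted = True
            deleted.append(record.user_id)
    return deleted


def access_attribute(record: UserRecord, attribute: str, purpose: str):
    """Mediated attribute access. Returns (value, notification), where the
    notification is the user-specified obligation triggered by this access,
    or None when the record's policy requires none for this purpose."""
    if record.deleted:
        raise PermissionError(f"{record.user_id}: PII already deleted under retention obligation")
    policy = POLICY_VERSIONS[record.policy_version]
    value = record.pii[attribute]
    notification = None
    if purpose in policy["notify_on_access"].get(attribute, []):
        notification = f"notify {record.email}: {attribute} accessed for purpose '{purpose}'"
    return value, notification


def build_sample_records():
    """Constructed sample data: three users, two policy versions."""
    return [
        # signed up under v1 (90 days); service ended, invoices settled
        UserRecord("alice", "alice@example.org", "2009-v1",
                   {"credit_card": "4111-xxxx-xxxx-1111"},
                   service_end=date(2010, 1, 1), invoices_settled=True),
        # signed up under v2 (30 days); same end date and settled invoices
        UserRecord("bob", "bob@example.org", "2010-v2",
                   {"credit_card": "5500-xxxx-xxxx-0004"},
                   service_end=date(2010, 1, 1), invoices_settled=True),
        # v1, service long over, but an invoice is still open: never due
        UserRecord("carol", "carol@example.org", "2009-v1",
                   {"credit_card": "3400-xxxx-xxxx-0009"},
                   service_end=date(2009, 1, 1), invoices_settled=False),
    ]


if __name__ == "__main__":
    records = build_sample_records()
    alice = records[0]
    print(access_attribute(alice, "credit_card", "billing"))      # notification under v1
    print(access_attribute(alice, "credit_card", "fraud-check"))  # None under v1, would fire under v2
    print(enforce_retention(records, date(2010, 2, 15)))  # ['bob']: 45 days exceeds v2's 30
    print(enforce_retention(records, date(2010, 4, 15)))  # ['alice']: 104 days exceeds v1's 90
```

The point of the sticky policy version shows in the two monitor runs: alice and bob have identical service end dates and settled invoices, yet only bob's data is deleted after 45 days, because his record is bound to the 30-day policy while alice's stays under the 90-day policy she signed up with; carol's data is never deleted while an invoice remains open. Likewise, the same access for the purpose "fraud-check" notifies bob but not alice, since only the newer policy version lists that purpose.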
Protocols and log files of data access and usage are kept to support the organization's internal auditing processes, which are a mandatory part of legislative IT governance, risk management, and compliance regulations. Parts of this information can be made available to the user to prove that her data has only been used for the intended purposes. However, unless additional measures are taken, the usefulness and reliability of this information for the user is very limited, because malicious service providers could arbitrarily falsify the presented data. Thus, all recent approaches are based on certified software running on trusted computing platforms in order to guarantee the genuineness of the information given to the users (see Mont (2004) as well as Bramhall and Mont (2005)). However, the complexity and costs of such solutions have so far impeded their widespread use. In Grids, trusted computing has already been applied to user management from the SP perspective (see Mao, Martin, Jin, & Zhang, 2009), but not yet vice versa to rate the SP trustworthiness from the users' perspective. Thus, having to trust SPs regarding their claims about what they use (or do not use) the PII for still remains a major challenge in research and in practice. For this reason, managing the initial data access phase and avoiding the transfer of user data to untrusted SPs a priori is of high importance.
GRIDS AND THEIR REQUIREMENTS FOR PRIVACY MANAGEMENT
On the technical level, Grid computing is based on a Grid middleware which provides the required transparency layers and tools for submitting Grid jobs. Various Grid middleware implementations, such as the Globus Toolkit (Sotomayor & Childers, 2006), exist and are in practical use. In the first decade of Grid computing, the development of Grid middleware focused on the core functionality. However, with increasing use in production environments, and based on the goal of creating an environment that is also attractive to industry, the security and privacy properties are finally getting the required attention (see also Demchenko, de Laat, Koeroo, & Groep, 2008).
Because most of the organizations involved in Grid projects have identity management systems deployed nowadays, there is an increasing real-world demand to leverage the existing local infrastructure when participating in Grid projects. Concerning privacy management, however, this is not just a programming interface and implementation effort issue regarding the middleware. Grids have several characteristics and thus specific requirements which were not yet met by the approaches discussed in the previous section; we will discuss them next.
Starting with the technical aspects, which are - unlike the organizational issues discussed below - applicable to all Grids in general, it must be considered that using a Grid infrastructure differs from using other distributed systems and services in the concept of Grid jobs. When submitting a