PACE: Privacy-aware Cloud Ecosystems

Lead Research Organisation: CARDIFF UNIVERSITY
Department Name: Computer Science

Abstract

With increasing take up of externally provisioned and managed services (from government, finance, entertainment), often hosted over Cloud computing infrastructure, there is a realisation that on-line electronic services can involve an interlinked range of providers. Gartner forecasts that cloud computing market will grow at a compound annual growth rate of 32% (2016-2019), with the potential for additional providers to emerge in the market place. Ofcom's "Communication Market Report" indicates total UK telecoms business revenue were 37.5bn in 2015, indicating significant contribution of mobile services to the UK economy. With the availability of additional mobile services and infrastructure, there is interest in new business models that can facilitate additional subscribers to make use of these services. However, from a user's perspective, trust in the use of these services remains limited, as highlighted in the Pew Research Centre report ("The Fate of Online Trust in the Next Decade", August 2017), which surveyed 1,233 respondents - 24% of these respondents predicted that trust in on-line services is likely to diminish over time. The report revealed that although billions of people use "cellphones" and the internet now, many still do not use that connectivity for shopping, banking, and other important transactions due to limited trust in on-line providers. Some of the respondents surveyed indicated that the use of new technology (such as Blockchains) and regulatory compliance (and industry changes) will help increase trust in on-line services.

As more people move online globally over the next decade, both opportunities and threats grow. It is now likely that due to the wide adoption of Cloud based provisioning, some of these mobile services will exist at the network edge. Consider, for instance, a coffee chain that initially provided Wifi services to customers, now working in collaboration with data centre providers to offer additional services to users (e.g. edge data storage, multimedia caching, etc). Such scenarios have been proposed by a number of organisations involved in Mobile Edge Computing (e.g. the European ETSI and the NIST "Big Data" Working Group). This project addresses security and privacy requirements of such environments, where multiple Cloud computing providers need to work collaboratively to offer services to a user. Users of these services only interact with a Web interface rather than the larger, distributed service ecosystem, and are often unfamiliar with the "ecosystem" of providers that are involved in offering them a particular capability. Their visibility beyond the first service provider is often missing, requiring them to "trust" the provider in handling and managing their data. This is a significant challenge, and according to a recent report from the Pew Research Centre, often deters the use of on-line services (especially for data providers which are new in the market place).

They often entrust their data and identity without realising that the service provider may share their data with several back-end services (Cloud hosted analytics, advertisers). While this has been a problem in the past, it will be greatly exacerbated by the expansion of internet connected devices. In order to address this, the General Data Protection Regulation (GDPR) will be implemented to ensure that non-expert users can make informed decisions about their privacy and thereby give 'informed consent' to the use, sharing and re-purposing of their personal data. There are a number of challenges to facilitating this, both for individuals who need to provide consent and for data controllers who need to obtain it. As a means of addressing this, we propose a technological solution in the form of a mobile software "container" that will ensure that all access instances are securely logged. This will improve transparency, enable an audit trail of providers and facilitate greater trust between users and service providers.

Planned Impact

The proposed project addresses cutting edge research problems with immediate economic benefits. We seek transformational impact on the target scientific community, while benefiting users in multiple sectors (core ICT, industry process management, and law) who deal with cloud services. We adopt a multi-faceted impact strategy, which will involve the following strands:

1. We will demonstrate the societal and industrial impact of the research by showcasing the development and implementation of real-world use cases made available by industry partner such as the Airbus Group.

2. We will establish an International Advisory Board involving industrial and academic leaders, to support and foster end user engagement, feedback, dissemination and exploitation.

3. We will jointly develop an industrial technology transfer strategy through our industry partners including Flexiops, T-Systems, and Simudyne.

4. We will jointly showcase the outcomes of the project to developers and practitioners in industry with the Data Innovation Research Institute, Cardiff, National Innovation Centre for Data, Newcastle, and PETRAS IoT Hub via Cardiff/UCL.

5. We will enhance academic impact by disseminating research results through papers in high quality conferences and journals, such as IEEE Trans. on Cloud Computing, IEEE Trans. on Services Computing, IEEE Trans. on Parallel and Distributed Systems, ACM CCS, IEEE/ACM CCGRID, etc.

6. We will build a community of practice around the techniques (e.g. Blockchain based immutable recording and container-based event management) developed in this project by making the resultant software framework accessible in Open Source form.

7. We will maximise national economic benefits from public investment in research through liaison with research commercialisation offices at Cardiff, Newcastle, and UCL.

8. We will enrich existing teaching and research programs at Cardiff, Newcastle, and UCL in the cross-disciplinary field of research targeted by this proposal.

9. We will bridge the gap between technology, law and public policy to fully explore the challenges of consent in data flows for the promotion of a resilient society and economy in the UK.

The research is supported by strategic industry partners:
(a) Airbus Group Limited: multinational corporation that designs, manufactures, and sells aeronautical, access to multi-cloud hosted application service for fleet maintenance, logistics, and supply chain; supporting strands 1, 2; (b) Flexiops: pioneers in developing cloud and IoT software platform, feedback on research directions and milestones; supporting strands 2, 3, 4; (c) T-Systems: expertise in production-scale cloud and experience in investigating migration of organisations to cloud computing, feedback on research directions and milestones; supporting strands 2, 3, 4; (d) Simudyne: expertise in developing cloud-based computational simulation models targeting diverse sectors, feedback on research directions and milestones, supporting strands 2, 3, 4. (e) Muckle LLP: UK's leading solicitor firm, feedback on research directions and milestones, supporting strands 2, 3, 4.

The project will also maintain a web and social media presence, and disseminate the outcome of the work through interaction with local organisations at both Newcastle, Cardiff and UCL through our existing collaborations (such as Newcastle University's Digital Institute (http://www.ncl.ac.uk/digitalinstitute/), Cardiff University's Data Innovation Institute/Innovation Network (http://www.cardiff.ac.uk/data-innovation-research-institute)).

Publications

10 25 50

publication icon
Ahmed U (2022) Aggregated Capability Assessment (AgCA) For CAIQ Enabled Cross-cloud Federation in IEEE Transactions on Services Computing

publication icon
Akhtar A (2020) Blockchain Based Auditable Access Control for Distributed Business Processes. in Proceedings. International Conference on Distributed Computing Systems

publication icon
Akhtar A (2024) Blockchain Based Auditable Access Control For Business Processes With Event Driven Policies in IEEE Transactions on Dependable and Secure Computing

publication icon
Alhirabi N (2023) PARROT Interactive Privacy-Aware Internet of Things Application Design Tool in Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies

publication icon
Alhirabi N (2021) Security and Privacy Requirements for the Internet of Things A Survey in ACM Transactions on Internet of Things

 
Description The ubiquitous connectivity of people to the Internet have emphasised concerns over the degree to which devices ensure information privacy and security. Perceived privacy is an individual's belief about how their personal information is acquired, controlled, stored and used. This forms the key focus of this contribution-i.e. to what extent do users consider the utility and benefit of privacy-preserving technologies, including support provided by legislation such as the General Data Protection Regulation (GDPR). We motivate this work by two questions:

Q1: how do users perceive benefit in using privacy technologies to support GDPR legislation, particularly in the context of cloud hosted services?
Q2: is GDPR seen as a barrier to making more effective use of cloud services, i.e. do users consider GDPR as a barrier to more effective use of services from a cloud provider, or as an important requirement that needs to be fulfilled before initiating any interaction with a cloud provider?

In the context of Q1, we also inquire if providing user consent for cloud providers to use their personal data (Art. 6 of GDPR), a key tenet of many articles within the GDPR legislation, is fully understood by users.

In the ongoing pandemic, which has forced us to increase our reliance on digital and on-line technologies (especially cloud hosted services) to conduct our lives, the notion of individual control of user data has become more significant. For example, imagine you want to have a meal in your local restaurant -upon entering the premises you realise there is no 'traditional' customer service; rather, you need to download a booking and payment app., entering personal details to register. However, registration cannot be completed, and therefore you cannot be served, until you tick a box signalling consent to terms and conditions that allow for extensive processing of personal data based on several legal basis, for multiple purposes unrelated to the transaction you had in mind (i.e. having a simple meal). Any consent given as a result is invalid under the GDPR, as the consent request involved no real choice.

Addressing issues of privacy specifically in cloud hosted services raises a serious question about how cloud providers need to handle personal (or sensitive) data that users entrust upon them while accessing cloud services. Due to the complexity of the cloud hosting process, cloud providers may host data and services at different global locations. Additionally, the user base can also be scattered across the globe, eventually leading to loopholes due to different data privacy regulations (at some locations, no regulations). This address has considered the following critical challenges related to the use of GDPR legislation for cloud services include:

-- How does a cloud provider understand what constitutes "personal data"?

-- How do we design a compliance-aware platform to host cloud services? Compliance-aware implies that GDPR legislation is automatically enforced across such a platform, providing greater trust to a user that service access and sharing of personal data will automatically preserve their privacy.

-- How can we identify and map data privacy regulations to monitoring granularity (i.e. what should a cloud provider monitor and at what frequency to support privacy audits) while provisioning cloud services?

-- How do we verify compliance in an automatic manner and ensure the `right to be informed' obligation in GDPR?

-- How do we equip existing cloud platforms with a monitoring strategy for logging information required for verifying GDPR compliance? This monitoring should not impede the performance of the service hosted by the platform but still ensure compliance with privacy legislation.

-- How do we confirm GDPR compliance and provide a trusted solution to securely log what personal data is processed by which provider -especially where multiple providers are involved in offering a particular service to a user?

-- What approach(es) ensures the translation of GDPR obligations (e.g. data protection and data transfer) into smart contracts and supports an automated verification of GDPR obligations over the activities of providers?

-- The "right to be forgotten" requirement in GDPR can be difficult to realise, as user data may be fragmented across multiple services. How can cloud hosted services, which may involve invocation and interaction across a number of distributed platforms, ensure that this requirement can be achieved and verified?

-- How can we consider the preference of users for verifying GDPR obligations (an essential requirement to ensure scalability of the approach)? This approach assumes that not all users care about privacy, or some users may have greater preference of privacy across a subset of their data.

-- Increasing use of mobile devices and their integration with cloud platforms also poses scalability challenges for automated GDPR compliance checking. The transaction rate from devices can increase in frequency and complexity. If a blockchain based approach is to employed, the transaction rate of such a system needs to be scaled also.
Exploitation Route Our next step is to consider how the outcome of this project could be made more widely available -- as part of Privacy Enhancing Technologies (PET) industry. We have developer a Minimum Viable Product (MVP) to demonstrate to various industry partners. The GDPR compliance mechanism being developed in this project can be applied across a number of other applications -- including takeup by other students at Cardiff, Newcastle and UCL.
Sectors Digital/Communication/Information Technologies (including Software)

Education

Energy

Government

Democracy and Justice

Security and Diplomacy

URL https://sites.google.com/view/pace-cloud-iot-privacy-epsrc/home
 
Description I was invited by the French government to contribute to the consultation on the PEPR Initiative on "SecNum Cloud" -- this is a French-German initiative focusing on the use of cloud computing to support public services. The consultation was aimed at identifying requirements for cloud hosting companies operating in France -- and specific requirements that such cloud hosting companies should meet to address GDPR compliance.
First Year Of Impact 2023
Sector Digital/Communication/Information Technologies (including Software),Education,Government, Democracy and Justice
Impact Types Societal

Economic

Policy & public services

 
Description Contribution to cloud-based provision and private regulation in Malaysia
Geographic Reach Asia 
Policy Influence Type Participation in a guidance/advisory committee
Impact The discussion led to a better understanding of how cloud providers make use of personal data acquired in Malaysia. This also included discussion with local government on how GDPR compliance can be developed to support the provision of public services hosted on cloud infrastructure.
 
Title IoTSim-OSmosis 
Description Osmotic computing paradigm sets out the principles and algorithms for simplifying the deployment of Internet of Things (IoT) applications in integrated edge-cloud environments. Osmotic Computing focuses on strategies and mechanisms to extend the IoT capabilities by defining, designing, and implementing a modern computing model (IoT, edge, cloud, and SD-WAN). IoTSim-Osmosis is a simulation framework that supports the testing and validation of osmotic computing applications. In particular, it enables a unified modelling and simulation of complex IoT applications over heterogeneous edge-cloud SDN-aware environments. IoTSim-Osmosis is capable of capturing the key functions, characteristics, and behaviors of osmotic paradigm. A wide range of osmosis applications can be simulated and evaluated in IoTSim-Osmosis. To handle the complexity and diversity of osmotic applications, IoTSim-Osmosis provides an abstract mechanism called Microelements (MELs), which encapsulates services, resources and data. In particular, any IoT applications can be represented using a graph of MELs as shown in the figure below. 
Type Of Material Improvements to research infrastructure 
Year Produced 2021 
Provided To Others? Yes  
Impact The tool is being used by academic and industrial research communities. It has also motivated further research in this area. https://scholar.google.com/scholar?oi=bibs&hl=en&cites=17488445812004146680 
URL https://rajivranjan.net/iotsim/iotsim-release/
 
Description Cloud security presentation -- importance of cloud security and privacy during Covid19 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact This was a presentation on the key findings of the project to an audience in Malaysia -- particularly focusing on how privacy legislation for cloud providers could apply in a Malaysia context. The relevance of GDPR compliance for providers based in South East Asia (Malaysia, Singapore) was discussed with the audience, focusing on how the results can be translated to the Malaysia context.
Year(s) Of Engagement Activity 2022
URL https://web.upm.edu.my/aktiviti/2022/lawatan_penilai_luar_prof_dr_omer_rana-25644?L=en
 
Description Creating a startup in Cloud Security and Privacy Technologies 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Industry/Business
Results and Impact The focus of this event was to pitch to an audience in industry focusing on privacy enhancing technologies, and how the software implementation from the PACE project could be used to develop a commercial prototype.
Year(s) Of Engagement Activity 2022
 
Description Interview with PACCS Research Team: Malware Behaviours in a Changing Cyberthreat Landscape 
Form Of Engagement Activity A magazine, newsletter or online publication
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Media (as a channel to the public)
Results and Impact Wider dissemination of the impact of findings from the project. The interview and article was intended for general dissemination.
Year(s) Of Engagement Activity 2021
URL https://www.paccsresearch.org.uk/blog/cybersecurity-in-the-cloud/
 
Description Joint Hackathon on Data Privacy and Cybersecurity 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Undergraduate students
Results and Impact This was a joint hackathon on cybersecurity and data privacy -- aligned with the focus of the PACE project, looking at Cloud security and privacy. The event was organised between Cardiff University and the University of Waikato. Preparation for this event involved interacting with undergraduate students at both institutions. Over 80 students from both institutions were involved.
Year(s) Of Engagement Activity 2022
URL https://cybersecuritychallenge.org.nz/
 
Description Privacy Preserving Technologies and Cloud Services 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact This was a presentation at the Messina Digital Day (in Italy) to demonstrate how privacy preserving technologies could be used to enhance trust in cloud services by citizens
Year(s) Of Engagement Activity 2022
URL https://fcrlab.unime.it/ccgrid22/digital-day-in-messina/