Trust Domains - A framework for modelling and designing e-service infrastructures for controlled sharing of information

Lead Research Organisation: University of Oxford
Department Name: Computer Science


Ensuring flows of information to the right people over multiple collaborating organisations is becoming increasingly important for both business and government. There are, however, trade-offs between the productivity and functional gains from sharing information, on the one hand, and the risks of leakage and opening up IT systems, on the other. Recent developments in trusted computing and virtualization can address these trade offs in a flexible manner, as they allow for the creation of policy controlled IT systems with configurable security properties. Collaborative, secure sharing solutions can be realized through the creation of dynamic 'Trust Domains' --- a notion that we propose to explore at and between all levels of the policy-service-infrastructure stack --- that enforce information flow and configuration policies. We propose a customer-driven project that starts out from examples of information sharing within police forces and agencies they work with. Based on a practical understanding of the required flows and policies, we will develop an abstract framework for qualifying types of and flows of information and a corresponding model of the associated risks. This allows process owners to describe their requirements and concerns. We will research how to qualify and map information flows to Trust Domain configurations, derive guidelines and templates for supporting solution architects in building IT services, and extend our set of analytics and modelling tools to help stakeholders gain an understanding of the risks associated with information flows and enforcement mechanisms.There are business opportunities for creating and operating new e-services with enhanced trust and security properties based on new methodologies and toolsets. The framework we suggest takes a business driven approach to risk, trust and security and covers aspects of process and system analysis, design, configuration, security policy, human roles, and operational management. We create a value proposition by having the models, tools and methodologies that allows us to bridge the current gap between business level risk and system configuration and policy design. Hence mapping service needs onto trusted platforms, domains, and infrastructureThe project complements and expands ongoing, TSB-funded work on trust economics as well as on complexity, risk, and resilience management pioneered and exploited by HP's UK Enterprise Services. Both HP Enterprise Services and HP Labs, Bristol believe that bridging high-level incentive models and systems design for trust domains would be a unique global differentiator, not only aligned with US-NITRD 'game-changing' themes, but ahead of them in suggesting an integrated approach. The academic components of this project will contribute the following developments in support of this programme: - The concept of Trust Domain, at and between the various levels of the socio-technical system stack (policy-service-infrastructure); - Mathematical systems modelling technologies to support tools and methodologies for reasoning about the properties, dynamics, and applications of the Trust Domain concept; - A thorough taxonomy of technical, design, and architectural properties which give rise to different trust characteristics in deployed services; - Modelling the quality of trust and expectations among components, to the extent of being able to make a meaningful comparison of solutions based on different architectural paradigms, within a given context.Targeted market: intra-corporate and intra-governmental data centres and 'clouds' whose stringent information flow control requirements cannot be met by today's providers.

Planned Impact

The pathways to impact for this project can be summarized conveniently under the following three headings: Academic Impact - Research: influencing and challenging a range of academic disciplines in computing, mathematics, and management. - Education and Training: New Master's degree programmes combining the relevant technological and management skills. Industrial and Commercial Impact - Hewlett--Packard: - HP's UK-based research effort - HP's UK-based IT services and security businesses - HP's UK customers - Perpetuity: a client- and problem-base, encompassing questions such as access control and trust in the context of both corporate/physical security and information security will provide a rich collection of challenges for our conceptual work and tool/methodology development. - The wider security ecosystem: the community that is touched by this project, via academic research, industrial research, education/training, and as customers of HP and Perpetuity, will influence systems policy and implementation in academia, industry, and government. Impact in RCUK Priorities and in UK Society - Fostering global economic performance, and specifically the economic competitiveness of the United Kingdom The delivery of systems and services with appropriate levels of security - that is, systems that generate value whilst remaining sufficiently secure, robust, and flexible to cope with perturbations, be they internally (design changes) or externally (changes in the environment) generated - is a challenge to corporations and economies around the world. De- veloping robust, mathematically based technologies will allow the UK to lead in this respect. - Increasing the effectiveness of public services and policy. Public services are delivered by sys- tems that are based on complex technological substrates. These systems support services - to citizens, government, companies, charities, etc. - that are intended to implement society's agreed policies. At each of these three (infrastructure, service, policy) layers, groups of system components, be they individuals, organizations, or technology elements, need to form groups within which mutually understood and/or rep- resented levels of trust obtain. - Enhancing quality of life, health, and creative output. Citizens' quality of life will be enhanced by better, more secure services, more readily and appropriately trustable services, be they delivered by government or the private sector. Moreover, improved cost-effectiveness will tend to reduce the taxation burden and encourage reinvestment by service-providers.


10 25 50

publication icon
Crane, S (2015) The Trust-Domains Guide

publication icon
Martin A (2012) Provenance as a Security Control in TaPP'12: the 4th USENIX Workshop on the Theory and Practice of Provenance

publication icon
Nalin Asanka Gamagedara Arachchilage (2013) Developing a Trust Domain Taxonomy for Securely Sharing Information Among Others in International Journal for Information Security Research

Description With our partners, we developed an extensive understanding of the trust domains which arise when people collaborate on projects through electronic means. This is a very general model - which has previously been well-elaborated in a few limited cases.

Our main areas of research and results are in two main areas:

First, an exploration of the role of "digital provenance" in the development of trust. When people collaborate using digital artifacts (documents, posts, other data) it is important to know where those digital items came from, who has edited them, and who has seen them. This is a development and extension of work done elsewhere on digital provenance: we explored particularly how this can contribute to the overall trustworthiness and security of those artifacts, and how to make mathematical models for evaluating this trustworthiness in a precise and rigorous way.

Second, we developed a general-purpose taxonomy of trust domains. This drew on the work of others in the project, and was designed to provide a consistent and comprehensive way for those building or supporting trust domains to understand and document the interactions of people, processes, and technologies in those domains. Not least, this complicated assembly of features turned out for us to have an important role in defining what a trust domain actually is: it can also form the basis of information systems to support trust domains, and of a digital provenance model (see above) for data associated with a particular application area. We validated this model through some interviews and empirical investigations.
Exploitation Route Our work on provenance and modelling has potential to be applied by practitioners developing systems (processes or information systems) supporting cross-organisation projects. Such systems are customarily bespoke and difficult to construct: our findings suggest a practical way to build a more generic solution which could be specialized to a particular context. Further research could validate that hypothesis more fully than we were able to in the time available.
Sectors Aerospace, Defence and Marine,Digital/Communication/Information Technologies (including Software),Government, Democracy and Justice,Manufacturing, including Industrial Biotechology

Description This was constructed as a collaborative project - with other Universities and with commercial partners, so it would necessariliy have non-academic impacts in the commercial partners. One commercial partner - Hewlett Packard - involved practitioners as well as researchers throughout the life of the project, and incorporated its ideas into their service offerings as they developed. This was anticipated to be through service and software offerings, as well as more generally through consultancy: we are not party to the confidential details of these arrangements. Clearly. the research of the project also formed the basis for further research and development within Hewlett Packard.
First Year Of Impact 2014
Sector Digital/Communication/Information Technologies (including Software)
Impact Types Economic

Description Shonan event on Grid and Cloud Security 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Work related to the project prompted considerable discussion.

None so far.
Year(s) Of Engagement Activity 2014