Analysis of Data Sharing Agreements

Gianpiero Costantino, Fabio Martinelli, Ilaria Matteucci, Marinella Petrocchi

2017

Abstract

An electronic Data Sharing Agreement (DSA) is the machine-processable transposition of a traditional paper contract regulating data sharing among different organizations. A DSA conveys several pieces of information: the purpose of the sharing, the parties stipulating the contract, the kind of data, and a set of rules stating which actions on such data are authorized, prohibited, or obliged. Because a DSA may be edited by different actors from different perspectives, such as the legal and the business ones, it can quite naturally include conflicting data sharing rules: the same data access request could be permitted according to some rules and denied according to others. Starting from the DSA definition, this paper describes the design of a DSA analysis framework and the development of the associated analysis tool. The DSA-Analyser proposed here evaluates the DSA rules by simulating all the possible contextual conditions that may occur at access request time and that are linked to the vocabulary associated with the rules themselves. The output of the tool guides the editor, pointing to the rules that are potentially in conflict and highlighting the reasons leading to those conflicts. We have evaluated the performance of the DSA-Analyser in terms of execution time, varying both the number of rules in the DSA and the number of terms in the DSA vocabulary. Our findings show that the analyser can deal with hundreds of rules and dozens of contexts in a reasonable amount of time. These results pave the way to employing the analyser in a real-use context.
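The conflict-detection idea the abstract describes, a permit rule and a deny rule that both fire on the same access request under some context drawn from the DSA vocabulary, can be illustrated with a small exhaustive context simulation. The block below is an added example written for this page; it is not the DSA-Analyser's code and does not reproduce the paper's rule language. It assumes (as a simplification) that a rule is a PERMIT or DENY effect guarded by a conjunction of literals over a boolean vocabulary, that a context is one truth assignment to every vocabulary term, and it uses a constructed four-rule e-health DSA as input.

```python
"""Conflict detection over electronic DSA rules by exhaustive context simulation.

Added illustration for this page; it is not the DSA-Analyser's own code.
Assumptions (not taken from the paper): a rule has an effect, PERMIT or DENY,
and a condition that is a conjunction of literals over a boolean vocabulary;
a context is one truth assignment to every vocabulary term.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, Iterator, List, Tuple

Context = Dict[str, bool]
Literal = Tuple[str, bool]          # (vocabulary term, required truth value)


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                     # "PERMIT" or "DENY"
    literals: FrozenSet[Literal]    # the rule applies when every literal holds

    def applies(self, ctx: Context) -> bool:
        return all(ctx[term] == value for term, value in self.literals)


def rule(name: str, effect: str, **literals: bool) -> Rule:
    """Convenience constructor: rule("R1", "PERMIT", purpose_research=True)."""
    assert effect in ("PERMIT", "DENY")
    return Rule(name, effect, frozenset(literals.items()))


def all_contexts(vocabulary: List[str]) -> Iterator[Context]:
    """Every truth assignment over the vocabulary: 2**len(vocabulary) contexts."""
    for values in product((False, True), repeat=len(vocabulary)):
        yield dict(zip(vocabulary, values))


def find_conflicts(rules: List[Rule], vocabulary: List[str]) -> Dict[Tuple[str, str], List[Context]]:
    """Map each (permit rule, deny rule) pair that fires together to the contexts witnessing it.

    Every literal must name a vocabulary term, otherwise no context could decide it.
    """
    for r in rules:
        unknown = {term for term, _ in r.literals} - set(vocabulary)
        if unknown:
            raise ValueError(f"{r.name} uses terms outside the vocabulary: {sorted(unknown)}")
    conflicts: Dict[Tuple[str, str], List[Context]] = {}
    for ctx in all_contexts(vocabulary):
        firing = [r for r in rules if r.applies(ctx)]
        permits = [r for r in firing if r.effect == "PERMIT"]
        denies = [r for r in firing if r.effect == "DENY"]
        for p in permits:
            for d in denies:
                conflicts.setdefault((p.name, d.name), []).append(ctx)
    return conflicts


def explain(rules: List[Rule], permit: str, deny: str) -> Dict[str, bool]:
    """The literals that, holding together, make both rules fire: the reason for the conflict."""
    by_name = {r.name: r for r in rules}
    return dict(sorted(by_name[permit].literals | by_name[deny].literals))


# Constructed sample DSA (not from the paper): an e-health data-sharing scenario.
VOCABULARY = ["purpose_research", "data_anonymised", "subject_consent", "role_doctor"]
RULES = [
    rule("R1", "PERMIT", purpose_research=True, data_anonymised=True),
    rule("R2", "DENY", subject_consent=False),
    rule("R3", "PERMIT", role_doctor=True),
    rule("R4", "DENY", role_doctor=True, purpose_research=True, data_anonymised=False),
]


def report(rules: List[Rule] = RULES, vocabulary: List[str] = VOCABULARY) -> List[str]:
    """One line per conflicting pair, with the reason and the number of witnessing contexts."""
    lines = []
    for (p, d), witnesses in sorted(find_conflicts(rules, vocabulary).items()):
        lines.append(f"{p} (PERMIT) vs {d} (DENY): {explain(rules, p, d)} in {len(witnesses)} context(s)")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

On the sample DSA the walk over the 16 contexts reports three conflicting pairs (R1/R2, R3/R2 and R3/R4) and no conflict between R1 and R4, which disagree on `data_anonymised` and so can never fire together. The exhaustive walk is what the abstract describes and it yields concrete witness contexts for the editor, but its cost grows as 2^n in the number of vocabulary terms; with purely conjunctive conditions a pair conflicts exactly when its two literal sets agree on every shared term, which is a much cheaper pairwise check once the richer rule forms of a real DSA language are not needed.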


Paper Citation


in Harvard Style

Costantino G., Martinelli F., Matteucci I. and Petrocchi M. (2017). Analysis of Data Sharing Agreements. In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 167-178. DOI: 10.5220/0006207501670178


in Bibtex Style

@conference{icissp17,
author={Gianpiero Costantino and Fabio Martinelli and Ilaria Matteucci and Marinella Petrocchi},
title={Analysis of Data Sharing Agreements},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2017},
pages={167-178},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006207501670178},
isbn={978-989-758-209-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Analysis of Data Sharing Agreements
SN - 978-989-758-209-7
AU - Costantino G.
AU - Martinelli F.
AU - Matteucci I.
AU - Petrocchi M.
PY - 2017
SP - 167
EP - 178
DO - 10.5220/0006207501670178