International Journal of Computer Science Engineering and Information Technology Research (IJCSEITR) ISSN 2249-6831 Vol.

3, Issue 2, Jun 2013, 37-46 TJPRC Pvt. Ltd.

A QUESTIONNAIRE BASED TOOL FOR EVALUATING THE IMPACT OF PRIVACY DECISIONS IN CLOUD COMPUTING
ISHAN RASTOGI, ADESH CHANDRA & ANURAG SINGH Department of MS-Cyber Law & Information Security, Indian Institute of Information Technology, Allahabad, India

ABSTRACT
Privacy Impact Assessment is a systematic process for evaluating the possible future effects that a particular activity or proposal may have on an individuals privacy. A PIA permits organizations to design privacy into new systems during the design and development stages, reducing the risk that costly retrofitting of privacy safeguards will be required after implementation. This paper talks about developing a PIA decision support tool for a cloud environment. An architecture and knowledge representation is being discussed in the paper along with various questionnaires for administrator, stakeholder, and customer for the deployment of PIA tool in cloud environment.

KEYWORDS: Cloud Computing, Privacy, Privacy Impact, Privacy Issues INTRODUCTION

Current cloud services pose an inherent challenge to data privacy because they typically result in data being exposed in an unencrypted form on a machine owned and operated by a different organization form the data owner. Some major privacy issues in cloud computing environment are: Lack of user control Lack of expertise Potential unauthorized secondary usage Regulatory complexity Litigation Legal uncertainty[1] A Privacy Impact Assessment (PIA) is a systematic policy process for identifying, assessing, and mitigating the possible privacy risksthat a particular activity or proposal may have on an individuals privacy. PIAs usually take the form of a series of steps, posing and answering questions and considering options, although they can be very holistic.[2] PIAs vary across jurisdictions, sometimes substantially, and there are many inter-related dimensions. Within different jurisdictions there are different reasons for conducting a PIA viz. the PIA may be required by the legislation, prescribed by the binding policy or recommended by those with legal authority. PIAs can even be conducted in the absence of any level of prescription based upon self-regulation. The applications of PIA in public sector are different than that in the private sector as a result of longer history of regulation within organizations in the public sector than in the private sector. Organizations can conduct PIAs themselves or hire someone to do it for them. Some organizations in UK employ external consultants to carry out PIA either because

38

Ishan Rastogi, Adesh Chandra & Anurag Singh

they do not possess the necessary skills in-house or because they with the PIA to be perceived as being as independent as possible from potential influences within the organization. Security officers sometimes considered PIAs to be a threat to their expertise, and consequently, employees in that position in the organization or acting as external stakeholders may often be reluctant to engage with an organization conducting a PIA. This is through the lack of interest, trust, or resources. Commonly, an initial screening exercise is conducted to determine if a PIA should be completed according to rules or recommendations in the jurisdiction. Two Different Types of PIAs are Conducted in All Jurisdictions. In UK, Processes Involved in Conducting a PIA are Initial assessment Small-scale PIA Full-scale PIA Preliminary Preparation Consultation and Analysis Documentation Review and Audit

Privacy Law Compliance Check Data Protection Compliance Check PIAs are usually conducted by senior analyst or manager with on-going programme administration

responsibilities. There are a few PIA tools which are currently available viz. E-learning tool provided by TBS in Canada. Privacy Threshold Analysis provided by Department of Homeland Security (DHS) United States of America. Screening questions to decide whether to go for small-scale PIA or full-scale PIA in United Kingdom. All these tool use decision-tree model for evaluation process.

ISSUES FOR PIAS IN THE CLOUD

Data proliferations, trans-border data flow, dynamic provisioning and virtualization are very important to PIAs in the cloud. The movement of data, governance and accountability of the PIA tools becomes more complex when it moves onto the cloud and potentially across and between legal jurisdictions. Virtualization introduces similar concerns due to the separation of legal entities being assessed from the underlying physical resources.

DEVELOPMENT OF PIA TOOL FOR CLOUD COMPUTING

The tool addresses the complexity of privacy compliance requirements for organizations, by highlighting within the organizations who are not experts in privacy and security, so they can identify solutions in a given situation. User input for the PIA tool contains project information such as project name, organization name, region, brief project description, project lead and contact details. This is followed by descriptive analysis of the project such as

A Questionnaire Based Tool for Evaluating the Impact of Privacy Decisions in Cloud Computing

39

outlining project documents, identifying stakeholders and identifying early privacy risks in order to determine if a PIA is required. The PIA tool provides detailed information about policies in relation to which the project is not compliant or is only partially compliant. Output for the tool is a report displaying information in several sections: introduction, project and contact details, summary of findings (indicates if the project has found project compliant or not), and details of other compliance/ non-compliance issues, such as security, transparency, and transborder data flows. Recommendations are displayed indicating what the organization must do to resolve these issues. Throughout the report, clear visual indicators are displayed; these indicate the issues that appear to be compliant with the requirements, require further attention, or have failed. Architecture and Knowledge Representation The approach for the PIA tool is a decision support system (DSS) which is based on a type of expert system. The tool has a knowledge base (KB) that is created and updated by privacy experts on an on-going basis. Experts can be within organization (in-house) or can be outsourced externally (external consultants). Generic rules for privacy and data protection legislation from a number of jurisdictions are created and entered into the knowledge base by the experts using a specific user interface. The tool supports two types of users: end-users (who fill in the questionnaire) and domain experts (who create and maintain the knowledge base).The tool is developed to support multi-tenancy. It is possible to have different knowledge bases for different departments. The decision making engine makes inferences by deciding which rules are satisfied by facts or objects, prioritizes the satisfied rules, and executes the rule with the highest priority. The decision making engine used two models: forward chaining (data-driven) and backward chaining (goaldriven). In forward chaining, the engine searches the rules until it finds one in which the IF condition is knows to be true. It concludes the THEN condition and adds this information to its data and continues in thi s way until a goal or conclusion is reached. In backward chaining, the engine searches for the top-level goals, which are possible answers to the problem or potential recommendations. Cloud Deployment of PIA Tool While Deploying the Tool on the Cloud, there are Three Cloud Services Models to Consider Software-as-a-Service (SaaS) Platform-as-a-Service (Paas) Infrastructure-as-a-Service (IaaS)

For this Tool SaaS Appears to be Appropriate. However, there are Some Common Technological Challenges with SaaS, Like User Interface Flexibility Productivity Operational Excellence

40

Ishan Rastogi, Adesh Chandra & Anurag Singh

Security and Compliance Multi-tenancy Integration Personalisation Costs Also, since we want our tool to support multi-tenancy we have several options including:

Isolated tenancy: tool, databases and infrastructure are isolated and are hosted per tenant as separate instances. Infrastructure tenancy: tool and databases are isolated, although infrastructure is shared and hosted in virtual environment. Application tenancy: tool and infrastructure are shared, databases are isolated. Shared tenancy: tool, database and infrastructure are all shared. For our tool, application multi-tenancy model is more suited because of reasonably low initial costs, high

scalability, and similar nature of target tenants. Also, since the deployment models (private, public, and community) have different characteristics and different business drivers, the best solution for our PIA tool may be a hybrid solution that involves all three models. User Interfaces of the PIA Tool This section briefly describes the appearances and functionalities of some of the user interfaces of the PIA tool. The first screen of the tool consists of a log-in screen. Different user access modes for the tool (administrator, customer and stakeholder) are allowed by the log-in system for different usernames and passwords. Administrator Mode An administrator can view different projects, the customers and stakeholders in a particular project. Administrator can also use some specific utilities that help in maintaining the tool. Projects are Listed in a Table that Displays Information Including The overall status of the project Project name Organization name Contact name Completion or last-modified date of a project. Person who completed or modified the project. Project description

Stakeholder Mode This mode allows stakeholders to view completed reports for some particular projects and also to provide feedback without going through the main questionnaire. In order to restrict stakeholders to access only those particular database tables where the project name is same as the stakeholder ID, permissions are set in the database via the GRANT option. The organizations can also control permissions and access to reports by exclusively setting the IP addresses to individual or group computers.

A Questionnaire Based Tool for Evaluating the Impact of Privacy Decisions in Cloud Computing

41

An in-depth analysis is provided by the report to help stakeholders and the decision makers to determine whether a full-scale PIA is required or not. Specific reasons are provided by the report for the current compliance status, advice to the users is also provided. Once stakeholders have read a report, they can complete a questionnaire about it. Customer Mode The Initial Screen in the Customer Mode Provides the Following Options To view feedback provided by a stakeholder. To conduct a new privacy impact assessment. To edit or modify an existing privacy impact assessment. The Tool Provides the Functionality that Allows Customers to Quit Mid-Session after Answering Some Questions, with the Ability to Come Back to the Same Question Later. This Facility Can be Very Useful for Various Situations Including When there are some questions in the questionnaire that requires long time on the users behalf to answer. When there are some questions in the questionnaire that a user finds difficult to answer immediately. When there are some questions in the questionnaire that requires different users to provide their input, and each user provides different answers to some questions. Other than these, Buttons are Present on the Navigation bar to Provide Users with a Number of Activities and Information Including Projects PIA Handbooks UK Legal Topics European Law Legal Organizations Contact Us At various stages of the assessment, as help, current risk status and progress pages appear. Various rules are used by the tool to generate the output results page and an audit trail. The output obtained from the questionnaire is matched against the THEN condition of business rules. Risks are assessed and output is grouped into characteristics and categories by the code contained in the corresponding action within the rules. After the results page is generated, the PIA tool makes the decision regarding a full-scale PIA should continue to the data protection compliance checks and the privacy law, or whether the organization should conduct an initial smallscale PIA. Development Suite and Expert Mode The development suite for the PIA tool has such been modified into an external file so that can reside outside the infrastructure on the experts c omputer.

42

Ishan Rastogi, Adesh Chandra & Anurag Singh

Easy Access to the Internal Processes of the PIA Tool is Incorporated in the Development Suite. This Has Been Achieved by Accessing the Internal Blocks by the Expert Including Logic blocks: the blocks which are made up of rules which can be defined by the help of tree diagrams or can be stated as individual rules. Action blocks: the blocks which describe the logic of the PIA tool processes by using a spread sheet style approach. Command blocks: the blocks which control how the PIA tool operates.

Confidence Variable The intention is to calculate the overall confidence value for a variable. This confidence variable is the confidence or likelihood that the recommendation or solution provided by the PIA tool for a particular situation is appropriate. Here, this variable is being used to measure the probability of selection of a particular answer in the questionnaire by the user. The value of the confidence variable in the tool is calculated by using the sum method, i.e. the single value of the answer for each question is added together; thus, the confidence is increased by positive values and decreased by negative values. The confidence variable is also used to find the project completion status out of three possibilities (high, medium and low), based on best fit strategy. The confidence variable is used in the decision making for full-scale PIA. If the confidence value assigned to each question is modified as per the needs of an organization, the results of the PIA and the report following it will reflect the change. Thus, different knowledge bases can be created for different organizations that have different values for each question, and therefore different results and reports. Decision Making in the Tool The tool is capable of handling very complex problem-solving tasks which involve probabilistic reasoning and folds together many factors responsible in reaching to a conclusion and recommendation. Such reasoning and decision making ability in the tool is achieved by the Inference Engine (IE). Inference Engine utilizes the backward chaining method, to determine what is required to meet a particular goal. This includes determining when that goal is met, or if a that goal cant be met. Inference Engine also uses the forward chaining method , wherein the required data is already present within the logic of the rules. Here, the rules are sequentially tested to find out what the conclusions result. The tool uses a combination of backward and forward chaining. The forward chaining method is used to run the top-level rules and the backward chaining method is used for deriving the needed values from other rule modules like the confidence variable. Sensitive Data in the Cloud and the PIA Tool This section discusses sensitive data storage in the cloud and how the PIA tool may help in minimizing the risk.

A Questionnaire Based Tool for Evaluating the Impact of Privacy Decisions in Cloud Computing

43

Sensitive data includes a wide range of information including political opinion, race, ethnicity, mental or physical health details, religious beliefs, criminal or civil offences, memberships, and also any personally identifiable information that may relate to customer and contact details. The input of the PIA tool includes information including project lead name, contact name, stakeholder details and telephone number. However, if any organization wishes so, it may leave out this information at the time of registration, by simply omitting the variables. The PIA tool, to protect the sensitive data, can make use of a network device known as Cloud Storage Gateway (CSG). A Cloud Storage Gateway is used to provide encryption, authentication and authorization. It is a server which resides inside the premises of the customer and exposes cloud storage services like they were some local storage devices. Another reason for using a cloud storage gateway for the PIA tool is to update, at any time, the main files of the PIA tool which are stored in the cloud. Many cloud storage gateways also facilitate the use of encryption, whereby the gateway does not have any access to customer data, since the encryption and decryption process takes place at the user site. The data at rest which is used by the PIA tool cannot generally be encrypted as encryption limits data usage.

DEVELOPMENT METHODOLOGY FOR THE PIA TOOL IN CLOUD COMPUTING

This section discusses the methodology used for software development, data collection and analysis, modelling and results for the PIA tool. The requirement gathering for the tool is done by using MoSCoW rules. Dynamic Systems Development Method (DSDM) framework is chosen as the software methodology for the development of the PIA tool. The main reason for choosing this method over the traditional Waterfall method is that the DSDM framework provides a flexible but controlled process which can be used to deliver solutions when the project timelines are tight. Data Collection, Data Analysis and Findings This section considers data collection and analysis and provides summary of findings of the PIA tools requirements. Before the collection of any data, the MoSCoW values were set to these agreed upon values: Must have => 4 points Should have =< 3 points Could have => 2 points Wont have =< 1 point The collection of data consists of a questionnaire which is used to extract the emotional opinions about privacy, privacy impact assessments and the requirements for the tool from the target audience. The analysis of the raw data shows a significant difference in the opinions and perspectives of the discussed topics between the interested parties.

44

Ishan Rastogi, Adesh Chandra & Anurag Singh

Conversion of raw data into requirements is done with the help of MoSCoW. Also, correlation techniques like pattern matching are applied to find similar stakeholder words and phrases. User Requirements Modelling for the PIA Tool This section discusses the modelling of user requirements for the PIA tool, with the help of use-case diagram and activity diagram.

Figure 1: Use-Case Diagram for the Project Information Interface

Figure 2: Activity Diagram for the Project Name Use-Case Validation of the PIA Tool Testing and validation of a tool is very essential as it helps in providing quality assurance, reliability estimation and validity and verification. The PIA tool is tested by automating a very large number of tests including various warning tests to check for certain specific issues in the system. Any warnings, errors, problems if generated are detected and logged in a file.

RELATED WORK
Accountability as a way forward for privacy protection in the cloud is considered by Pearson and Charlesworth. Obfuscation as a first line of defence is described by Pearson et al.

A Questionnaire Based Tool for Evaluating the Impact of Privacy Decisions in Cloud Computing

45

Hewlett-Packards Privacy Advisor (HPPA) is an expert system that captures data about business processes to determine their privacy compliance.

FUTURE WORK
Conducting a round of stakeholder meetings that includes a presentation of working tool Developing tool further, to include all necessary and preferable requirements Consider a cloud storage gateway provider.

CONCLUSIONS The tool addresses the inherent complexity and helps both expert and non-expert end users with identifying and addressing privacy requirements for a given context. If the PIA tool is used as a SaaS application itself, regulatory issues can be involved.

REFERENCES
1. Pearson, S. (2012). Privacy, Security and Trust in Cloud Computing. Privacy and Security for Cloud Computing, 3-42. 2. Tancock, D., Pearson, S., &Charlesworth, A. (2010, November). A privacy impact assessment tool for cloud computing. In Cloud Computing Technology and Science (CloudCom), 2010 IEEE Second International Conference on (pp. 667-676).IEEE.

AUTHORS DETAILS

IshanRastogi He completed his B.Tech in Computer Science and Engineering from Jaypee Institute of Information. Technology, Noida in 2011. He is currently pursuing M.S in Cyber Law and Information Security from Indian Institute of Information Technology, Allahabad. He is an EC Council Certified Ethical Hacker v6, a CISCO Certified Network Associate and Microsoft Certified Professional. He secured 10th Rank in ACM ICPC Kanpur Gwalior Regionals 2009.His area of interest is Cloud Computing, Cryptography and Cyber Forensics.

46

Ishan Rastogi, Adesh Chandra & Anurag Singh

Adesh Chandra He completed his B.Tech in Information Technology from Dr. K. N. Modi Institute of Engineering and Technology, Ghaziabad in 2011. He is currently pursuing M.S in Cyber Law and Information Security from Indian Institute of Information Technology, Allahabad. His Area of interest are Risk management, ITIL and Computer networks.

Anurag Singh He completed his B.Tech in Information Technology from Dr. Ram ManoharLohiaAvadh University Faizabad in 2011. He is currently pursuing M.S in Cyber Law and Information Security from Indian Institute of Information Technology, Allahabad. His Area of interest are Risk management, ISO, PCI-DSS & Knowledgebase.