Privacy and security by design is at the very heart of the GDPR. On paper, it is a strong stance: it calls for businesses and organisations storing user data to integrate GDPR principles into new IT projects from the earliest stages of their conception. But the exponential growth of decentralised cloud services, with their constant morphing and evolution, could quickly sweep privacy by design into the dustbin of oblivion. Eliot Salant, project manager at IBM Haifa Research Labs, has been aiming to provide a viable workaround under the RESTASSURED (Secure Data Processing in the Cloud) project. “Providing data protection and compliance with digital privacy regulations in a cloud environment is a challenging task. The public cloud is inherently untrusted, has a wide geographic distribution, and has a multi-stakeholder system where the data belongs neither to the cloud service provider nor to the stakeholder who orchestrates the computation. On top of that, we also have the highly dynamic changes in cloud services and infrastructures.” So how do we move on? “With mechanisms and cloud components for the runtime detection, prediction and prevention of data protection violations, as well as new techniques to secure data-at-rest in a cloud environment,” Salant says.
Five key innovations
RESTASSURED aimed to help data controllers – that is, the entities legally responsible for determining why and how personal data is processed, while ensuring compliance with data protection law. To do so, it focused on five key innovations. The first is the use of emerging hardware solutions such as AMD SEV and Intel SGX to provide secure enclaves for data operations. The second is the development of encryption for Parquet files, a format that allows highly efficient storage and querying of data for big data analytics. Additionally, the team focused on: means to assess data protection compliance in the running system; automated risk management; and the implementation of sticky policies to define data access, usage and storage rules. “This is all very important,” Salant notes. “The use of sticky policies for instance will help create Policy Decision Points (PDPs) and Policy Enforcement Points (PEPs) to regulate the flow of data across applications in the cloud. Meanwhile, the strong data protection offered by both the use of Parquet Modular Encryption (PME) and secure hardware enclaves can help provide a protected, regulated flow of data across EU-based cloud environments.” According to Salant, PME is easily the most important achievement of the project. It has been officially accepted as a standard by the Apache Parquet community and has made its way into a number of IBM products.
Real-life test cases
RESTASSURED solutions were extensively tested in the fields of social care and Pay as You Drive insurance. “The social care use case was based on an actual product offering from a project partner, Oxford Computer Consultants (OCC). We wanted to see how this product, which focuses on both volunteers providing aid and those requesting it, could be migrated to the cloud,” explains Salant. “The distinct roles required strict role-based access enforcement for data. Meanwhile, the automated risk management developed in RESTASSURED was of great interest to OCC, both to analyse their current product and to find out the implications of bringing this product to a cloud environment.” The Pay as You Drive insurance use case, on the other hand, dealt with automobile telematics. The IoT personal data is captured on-premises and then transferred to the cloud, which brings GDPR restrictions on its processing, as well as restrictions on the data itself as the transmitting vehicle crosses national borders. The project ended in December 2019, but development has continued ever since. Work on PME is being continued under a number of other H2020 projects, while several RESTASSURED partners have since proposed a follow-on project called FogProtect (Protecting Sensitive Data in the Computing Continuum). FogProtect is scheduled to run through to the end of 2022.
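The sticky-policy flow through a PDP and PEP described under “Five key innovations”, applied to the role-based and cross-border restrictions of the two use cases, as an added illustration that is not code from the RESTASSURED project; the policy fields, roles, purposes, region codes and sample records are constructed assumptions:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class StickyPolicy:
    """Rules that travel with the record: who may read it, for what, and where."""
    roles: frozenset
    purposes: frozenset
    regions: frozenset  # regions in which the record may be processed


@dataclass
class Record:
    subject: str
    payload: dict
    policy: StickyPolicy  # attached to the data, not to the service holding it


@dataclass(frozen=True)
class Request:
    role: str
    purpose: str
    region: str  # region of the cloud node asking to process the record


class PDP:
    """Policy Decision Point: evaluates one request against the record's policy."""

    def decide(self, policy, req):
        checks = (("role", policy.roles, req.role),
                  ("purpose", policy.purposes, req.purpose),
                  ("region", policy.regions, req.region))
        for name, allowed, value in checks:
            if value not in allowed:
                return False, f"{name} '{value}' not permitted"
        return True, "permitted"


class PEP:
    """Policy Enforcement Point: the only path to the payload; every decision is logged."""

    def __init__(self, pdp):
        self.pdp, self.audit = pdp, []

    def read(self, rec, req):
        ok, reason = self.pdp.decide(rec.policy, req)
        self.audit.append((rec.subject, req, ok, reason))  # audit trail for compliance checks
        if not ok:
            raise PermissionError(reason)
        return rec.payload


# Constructed sample records (hypothetical values, not project data)
CARE = Record("client-17", {"needs": "shopping"}, StickyPolicy(
    frozenset({"coordinator", "volunteer"}), frozenset({"care-delivery"}), frozenset({"EU"})))
TELEMATICS = Record("vehicle-42", {"speed_kmh": 87}, StickyPolicy(
    frozenset({"insurer"}), frozenset({"premium-calc"}), frozenset({"DE", "FR"})))


def demo():
    pep, results = PEP(PDP()), {}
    results["volunteer"] = pep.read(CARE, Request("volunteer", "care-delivery", "EU"))
    for key, rec, req in (("marketing", CARE, Request("volunteer", "marketing", "EU")),
                          ("border", TELEMATICS, Request("insurer", "premium-calc", "US"))):
        try:
            pep.read(rec, req)  # denied: wrong purpose / vehicle crossed into a non-covered region
        except PermissionError as e:
            results[key] = str(e)
    return results, len(pep.audit)
```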