DOI: 10.1145/3664476.3670918
research-article
Open access

A Unified Framework for GDPR Compliance in Cloud Computing

Published: 30 July 2024

Abstract

In parallel with the rapid development of Information and Communication Technologies and the digitization of information in every aspect of daily life, the enforcement of the GDPR in May 2018 brought significant changes to the processes that organisations should follow when collecting, processing, and storing personal data, and revealed the immediate need to integrate the Regulation’s requirements into organisational activities that process personal and sensitive data. At the same time, cloud computing is a cutting-edge technology that is widely used to support most, if not all, organisational activities. As a result, such infrastructure constitutes huge pools of personal data and, in this context, careful consideration and implementation of the rules imposed by the Regulation is considered crucial. In this paper, after highlighting the need to consider the GDPR requirements when designing cloud-based systems, we determined those GDPR compliance controls that should be incorporated at the early stages of the system design process. As a next step, those compliance controls were integrated into a holistic framework that considers both the security and privacy aspects of a cloud-based system as well as the requirements arising from the Regulation during the design of such systems.

Published In

ARES '24: Proceedings of the 19th International Conference on Availability, Reliability and Security
July 2024
2032 pages
ISBN: 9798400717185
DOI: 10.1145/3664476
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Cloud Computing
  2. Formal methods
  3. GDPR Compliance
  4. Goal-oriented approach
  5. Metamodel
  6. PriS methodology

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES 2024

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Article Metrics

  • Total Citations: 0
  • Total Downloads: 229
  • Downloads (Last 12 months): 229
  • Downloads (Last 6 weeks): 47

Reflects downloads up to 28 Dec 2024
