Cambronero, María Emilia; Martínez, Miguel A.; Llana, Luis; Rodríguez, Ricardo J.; Russo, Alejandro
Towards a GDPR-compliant cloud architecture with data privacy controlled through sticky policies Journal Article
In: PeerJ Computer Science, vol. 10:e1898, pp. 1–44, 2024.
Tags: Cloud computing, Data privacy, Data tracking, General data protection regulation, Model validation, Object Constraint Language, Sticky policies, UML profiling, Unified Modeling Language
@article{CMLRR-PeerJ-24,
title = {Towards a GDPR-compliant cloud architecture with data privacy controlled through sticky policies},
author = {María Emilia Cambronero and Miguel A. Martínez and Luis Llana and Ricardo J. Rodríguez and Alejandro Russo},
url = {http://webdiis.unizar.es/~ricardo/files/papers/CMLRR-PeerJ-24.pdf},
doi = {10.7717/peerj-cs.1898},
year = {2024},
date = {2024-03-01},
journal = {PeerJ Computer Science},
volume = {10:e1898},
pages = {1–44},
abstract = {Data privacy is one of the biggest challenges facing system architects at the system design stage. Especially when certain laws, such as the General Data Protection Regulation (GDPR), have to be complied with by cloud environments. In this article, we want to help cloud providers comply with the GDPR by proposing a GDPR-compliant cloud architecture. To do this, we use model-driven engineering techniques to design cloud architecture and analyze cloud interactions. In particular, we develop a complete framework, called MDCT, which includes a Unified Modeling Language profile that allows us to define specific cloud scenarios and profile validation to ensure that certain required properties are met. The validation process is implemented through the Object Constraint Language (OCL) rules, which allow us to describe the constraints in these models. To comply with many GDPR articles, the proposed cloud architecture considers data privacy and data tracking, enabling safe and secure data management and tracking in the context of the cloud. For this purpose, sticky policies associated with the data are incorporated to define permission for third parties to access the data and track instances of data access. As a result, a cloud architecture designed with MDCT contains a set of OCL rules to validate it as a GDPR-compliant cloud architecture. Our tool models key GDPR points such as user consent/withdrawal, the purpose of access, and data transparency and auditing, and considers data privacy and data tracking with the help of sticky policies.},
keywords = {Cloud computing, Data privacy, Data tracking, General data protection regulation, Model validation, Object Constraint Language, Sticky policies, UML profiling, Unified Modeling Language},
pubstate = {published},
tppubtype = {article}
}