Privacy Protection Framework with Defined Policies for Service-Oriented Architecture

Abstract

Service-Oriented Architecture (SOA) is a computer systems design concept that aims to achieve reusability and integration in a distributed environment through the use of autonomous, loosely coupled, interoperable abstractions known as services. Because services are autonomous, communication between them is essential for interoperation. This communication provides services with their functional strengths, but also creates the opportunity for the loss of privacy. In this paper, a Privacy Protection Framework for Service-Oriented Architecture (PPFSOA) is described. In this framework, a Privacy Service (PS) is used in combination with privacy policies to create privacy contracts that outline what can and cannot be done with a consumer’s personally identifiable information (PII). The privacy policy consists of one-to-many privacy rules, with each rule created from a set of six privacy elements: collector, what, purpose, retention, recipient and trust. The PS acts as an intermediary between the service consumer and service provider, to establish an unbiased contract before the two parties begin sending PII. It is shown how many Privacy Services work together to form the privacy protection framework. An examination of current approaches to protecting privacy in an SOA environment is also presented. Finally, the operations the PS must perform in order to fulfill its tasks are outlined.

Share and Cite:

D. S. Allison, M. A. M. Capretz, H. F. EL Yamany and S. Wang, "Privacy Protection Framework with Defined Policies for Service-Oriented Architecture," Journal of Software Engineering and Applications, Vol. 5 No. 3, 2012, pp. 200-215. doi: 10.4236/jsea.2012.53026.

Conflicts of Interest

The authors declare no conflicts of interest.

Copyright © 2024 by authors and Scientific Research Publishing Inc.

This work and the related PDF file are licensed under a Creative Commons Attribution 4.0 International License.