Security, Trust and Privacy – A New Direction for Pervasive...

Security, Trust and Privacy – A New Direction for Pervasive

Computing

JAMALUL-LAIL AB MANAN1 MOHD FAIZAL MUBARAK

1, MOHD ANUAR MAT ISA

1

1Advanced Information Security Cluster, MIMOS Bhd,

57000 Technology Park Malaysia, Kuala Lumpur, MALAYSIA.

{jamalul.lail, faizal.mubarak, anuar.isa}@mimos.my

ZUBAIR AHMAD KHATTAK2

2 Universiti Teknologi PETRONAS, Department of Computer & Information Sciences,

Toronoh 31750 Perak, MALAYSIA

[email protected]

Abstract: -Information which used to be privileged only for the rich and powerful few has become crucial part

of our life. Everyone is now very aware of the need to protect sensitive and valuable information from

unintentionally being presented to other individuals or organizations. In the open environment such as the

internet, there are suspicious individuals with insincere motives who are cautiously trying to get personal gain

or trying to meet political propaganda. Clearly, there is a need for a framework for data to travel uninterrupted,

unchanged and unseen by unscrupulous recipients. This framework should address issues in security, trust and

privacy in a unified form. We present our proposed framework in a holistic approach. This paper discusses the

global phenomenon of information security divide, major security, trust and privacy (STP) challenges, related

works by past researchers and the proposed STP framework. The Framework, when implemented in pervasive

computing environment would address how sensitive personal data could travel uninterrupted, unchanged and

unseen by unscrupulous recipients.

Keywords: - Security, trust and privacy, Unified Framework

1 Introduction

Information which used to be privileged only for

the rich and powerful few has become crucial part

of our life. Everyone is now very aware of the need

to protect sensitive and valuable information from

unintentionally being presented to other individuals

or organizations. In the open environment such as

the internet, there are suspicious individuals with

insincere motives who are cautiously trying to get

personal gain or trying to meet political

propaganda. Clearly, there is a need for a

framework for data to travel uninterrupted,

unchanged and unseen by unscrupulous recipients.

While we do not have any Framework that address

security, trust and privacy, we should develop it

now so that future services can be rendered to users

with confidence.

In a future scenario whereby any two devices that

communicate over the public untrusted networks,

they are bound to face security, trust and privacy

issues. Questions such as the following will have to

be addressed:

Users:

• Do I know enough of this user? How does

he/she use any mechanism to secure

credential(s), so that I can trust him/her?

What application(s) do I allow him/her to

have access? Which privacy policy doe

he/she use?

Servers:

• Which and what type of server I am

connected to? Is the server security

enabled and trusted? Is there any trust or

privacy mechanism in place in the server?

Trusted Third Parties:

• Is the trusted third party for this

application behaving correctly and security

compliant? Is there any corporate privacy

compliance adopted by this third party?

Systems architect, engineers, designers and

developers constantly review these questions

because they are still struggling to create a secure,

trustworthy, and privacy preserved environment for

us to do business, transactions and collaborations.

In the case of security, we need to address

confidentiality, integrity and availability issues. In

the case of trust, we need to make sure that the

platform that we are working on and the

communication channels are indeed trusted. In the

case of privacy, it is crucial to protect sensitive and

Recent Researches in Computer Science

ISBN: 978-1-61804-019-0 56

valuable information from being handed over to

unintended individuals with insincere motive

Recent advances in networking, handheld

computing and sensor technologies have driven

forward research towards the realisation of

ubiquitous computing (variously called pervasive

computing, ambient computing, active spaces, the

disappearing computer or context

computing). These advances have led to the

emergence of smart environments with that is

extensively equipped with sensors, actuators and

computing components [1] as well as the need to

consider other factors such as security, trust and

privacy in critical and sensitive sectors such as

financial services[2] and business transactions. [

Most of existing security solution does not cater for

trust and privacy protection. This lead to the ever

growing and most unresolved problem of lost and

leakages of personalised and dynamic data that

contributes to the security and privacy problems.

Unfortunately the manner of tracking, collection

and analysis of these personalised and dynamic

data by bad guys will not be obvious or active.

Hence, the potential for collection and misuse of

information is massive. To resolve these issues,

guidelines have been produced. [4]

As shown in Figure 1, today’s security solution is

still non-unified in dealing with STP issues. Many

solutions address issues in silos, perhaps because of

STP complexities, non-compliance to

standards or gaps within these standards

such as identity management and

effect is non-unified compliance layers within the

solutions. There are also other areas not fully

covered, under international regulatory and legal

framework. Hence, Service Providers,

Collaborators and Trusted Third Parties are not

able to work in harmony to bring about the

confidence in using services in the open

environment such as the internet.

Figure 1: Today’s Security Solution

valuable information from being handed over to

unintended individuals with insincere motives.

nces in networking, handheld

computing and sensor technologies have driven

forward research towards the realisation of

ubiquitous computing (variously called pervasive

computing, ambient computing, active spaces, the

disappearing computer or context-aware

computing). These advances have led to the

emergence of smart environments with that is

extensively equipped with sensors, actuators and

] as well as the need to

consider other factors such as security, trust and

and sensitive sectors such as

] and business transactions. [3]

ost of existing security solution does not cater for

trust and privacy protection. This lead to the ever

growing and most unresolved problem of lost and

lised and dynamic data that

contributes to the security and privacy problems.

Unfortunately the manner of tracking, collection

and analysis of these personalised and dynamic

data by bad guys will not be obvious or active.

n and misuse of

information is massive. To resolve these issues,

As shown in Figure 1, today’s security solution is

unified in dealing with STP issues. Many

solutions address issues in silos, perhaps because of

to international

standards still exists,

such as identity management and privacy. The

unified compliance layers within the

There are also other areas not fully

covered, under international regulatory and legal

Hence, Service Providers,

Collaborators and Trusted Third Parties are not

able to work in harmony to bring about the

confidence in using services in the open

Today’s Security Solution

Figure 2 shows the Defence In

today’s technologies that address STP issues. In

general, STP issues are mitigated in silos, non

unified approach and focus very much

and network infrastructure level. Very little has

been done to protect user identity, data and

platform. The Defence In

towards service providers and computing hardware

and software providers.

We are going to face with

more complicated involving irregular policies

between cross border countries, more variants of

devices, sophisticated trust relationships, complex

ownership relationship, and with multi

composition. It is thus the intention

highlight the significance of a STP framework

It is the intention of this paper, to present a more

balanced STP Framework that provides

caters for user needs, such as user identity, data and

platform protection.

Figure 2: Today’s Defence In

The rest of this paper is organized as follows:

section 2, we present

research, and in Section 3 we propose the

preliminary STP Framework and finally we

conclude the paper with future work directio

2 Related Works

Trust in online transactions is vital for the sustained

progress and development of electronic commerce

(EC). Chellappa [5] proposed a combination of

security, trust and privacy that influence their trust

in online transactions. He showed that consumers

exhibit variability in their perceptions of privacy,

security and trust between online and offline

transactions even if it is

store. He then developed and validated measures of

consumers' perceived privacy and perceived

security of their online transactions which are then

theorized to influence their trust in EC transactions.

Figure 2 shows the Defence In-Depth Solution of

today’s technologies that address STP issues. In

general, STP issues are mitigated in silos, non-

unified approach and focus very much at the server

and network infrastructure level. Very little has

been done to protect user identity, data and

platform. The Defence In-Depth has been skewed

towards service providers and computing hardware

We are going to face with future which is even

more complicated involving irregular policies

between cross border countries, more variants of

devices, sophisticated trust relationships, complex

ownership relationship, and with multi-facet user

It is thus the intention of this paper to

highlight the significance of a STP framework.

intention of this paper, to present a more

balanced STP Framework that provides basis that

for user needs, such as user identity, data and

Today’s Defence In-Depth Solution

The rest of this paper is organized as follows: In

we present related works on STP

and in Section 3 we propose the

ramework and finally we

conclude the paper with future work directions.

Trust in online transactions is vital for the sustained

progress and development of electronic commerce

proposed a combination of

security, trust and privacy that influence their trust

in online transactions. He showed that consumers

exhibit variability in their perceptions of privacy,

security and trust between online and offline

conducted with the same

store. He then developed and validated measures of

consumers' perceived privacy and perceived

security of their online transactions which are then

theorized to influence their trust in EC transactions.


ISBN: 978-1-61804-019-0 57

Riguidel [6] discussed the relationship between

Security, Trust and privacy in future internet which

must be solved by further research. He showed that

security and trust are mutually influencing each

other in e-commerce, similarly security and privacy

are mutually influencing. However, there is no

attempt to combine all the three

security, trust and privacy together. Lakshmi

Eswari et. al. [7] described the security and trust

management issues, and their respective models,

but no attempt to include privacy in their ana

In reference [8], the authors put forward the

following challenges in Security, Trust and Privacy

research:

• Understanding and developing privacy

friendly identity management schemes;

• Rethinking privacy and trust in future ambient

environments (incl. networked sensor

environments and the Internet of Things): new

privacy models and information control

paradigms; privacy enhancing technologies;

• New frameworks and reference architectures

integrating fragmented approaches for

managing personal information and for data

sharing and exchange under users' control;

• Understanding how trust emerges and evolves,

and the related notions of reputation

formation, monitoring, evolution and

management;

• Developing novel trustworthy and usable

means, including trust services, that take

account of the situation and context and help

users make informed decisions about which

information, services and systems they can

trust;

From all the above discussions, we can safely say

that we need an overall framework that combin

security, trust and privacy. Following the early

publication on Analysis of Privacy Principles

2007, International Security Trust Privacy Alliance

(ISTPA), produced another document that

describes Privacy Management Framework

which includes a Privacy Reference Model.

Huanchun Peng et. al. [10] has produced a

framework with the goal of privacy promise

compliance and accountability, which may help

such situation before sound privacy answers may

be realized. The authors have also discussed

relevant technical and non-technical components

which are needed in the privacy scenario

some research challenges towards the

implementation of the framework. Their work is

relationship between

Security, Trust and privacy in future internet which

must be solved by further research. He showed that

security and trust are mutually influencing each

commerce, similarly security and privacy

ver, there is no

attempt to combine all the three areas, namely

security, trust and privacy together. Lakshmi

described the security and trust

management issues, and their respective models,

but no attempt to include privacy in their analysis.

, the authors put forward the

following challenges in Security, Trust and Privacy

Understanding and developing privacy-

friendly identity management schemes;

Rethinking privacy and trust in future ambient

(incl. networked sensor

environments and the Internet of Things): new

privacy models and information control

paradigms; privacy enhancing technologies;

New frameworks and reference architectures

integrating fragmented approaches for

mation and for data

sharing and exchange under users' control;

Understanding how trust emerges and evolves,

and the related notions of reputation

formation, monitoring, evolution and

Developing novel trustworthy and usable

t services, that take

account of the situation and context and help

users make informed decisions about which

information, services and systems they can

From all the above discussions, we can safely say

that we need an overall framework that combines

Following the early

on Analysis of Privacy Principles in

2007, International Security Trust Privacy Alliance

(ISTPA), produced another document that

describes Privacy Management Framework [9]

vacy Reference Model.

has produced a

framework with the goal of privacy promise

compliance and accountability, which may help

such situation before sound privacy answers may

. The authors have also discussed some

technical components

which are needed in the privacy scenario as well as

research challenges towards the

Their work is

our main reference in developing the proposed

Security, Trust and Privacy

paper.

3 Security Trust and Privacy

Framework

3.1 Overview The main goal of this STP

the objective of combining Security, Trust

Privacy into one Framework.

assumptions that STP policies, technologies,

processes and law are merged together in

presenting to the users the right ecosystem that

enhances STP requirements.

3.2 Scope The scope of the STP Framework is to cover areas

that will make future solutions realizable in

of implementing user and system security

mechanisms, platform trust and privacy preserving

mechanisms for protecting user personal and

working data. We assume that the legislative aspect

of the STP Framework will also be covered in Data

Protection Law and implemented in each

participating countries or regions.

the necessary balance between

through generally accepted principles.

the R&D on STP Framework i

3. As it can be seen from the figure, we need to be

able to combine STP requirements in a unified

manner, so that there is

between them. In reality and practically, this means

some compromising has to be done.

Figure 3: The Scope for

3.3 Objectives The STP framework will help to

managing and developing elements of

technologies that will promote

business, e-government and national defence in

trust-based privacy-enabling ways. It

cover the necessary STP

ecology for user centric e

in developing the proposed

Privacy Framework in this

Security Trust and Privacy (STP)

STP Framework is to fulfil

combining Security, Trust and

into one Framework. It is based on the

assumptions that STP policies, technologies,

processes and law are merged together in

presenting to the users the right ecosystem that

requirements.

Framework is to cover areas

future solutions realizable in terms

of implementing user and system security

mechanisms, platform trust and privacy preserving

mechanisms for protecting user personal and

We assume that the legislative aspect

ramework will also be covered in Data

Protection Law and implemented in each

participating countries or regions. This will include

between STP are achieved

through generally accepted principles. The scope of

ramework is as shown in Figure

As it can be seen from the figure, we need to be

able to combine STP requirements in a unified

is some kind of balance

In reality and practically, this means

some compromising has to be done.

The Scope for STP Framework

will help to support for

managing and developing elements of STP

technologies that will promote e-transactions, e-

government and national defence in

enabling ways. It will also

STP enhanced balanced

e-business, pervasive and


ISBN: 978-1-61804-019-0 58

mobile computing, knowledge management

others.

There are three main objectives

technology, process and social aspect

Technology To develop new

privacy technologies, services and

products

Process To achieve balance of current

opposing requirements of

Social To achieve a balance

STP through laws, enhanced by

assurances where

procedures and audits where it is

not.

Figure 4: Future STP Scenario

Figure 4 shows the targeted future STP scenario.

Besides being able to handle STP Compliance

Regulatory and Legal layers, we aim to be able to

achieve STP compliance between

Providers, Collaborators and Trusted Third Parties.

Another crucial aspect is to enhance client e

STP enhanced platform, besides the necessary STP

Authentication, Authorization and Accountability.

Figure 5: Future Defence In-Depth Solutio

Figure 5 shows the targeted outcome of the

Defence In-Depth Solution based on STP

Framework. Our main target is to enhance Defence

In-Depth at the client end, in line with

enhancement at server and infrastructure.

omputing, knowledge management and

There are three main objectives that cover

aspects as follows:

To develop new STP-based

privacy technologies, services and

To achieve balance of current

opposing requirements of STP

a balance between

through laws, enhanced by

assurances where possible

procedures and audits where it is

Scenario

Figure 4 shows the targeted future STP scenario.

Besides being able to handle STP Compliance

Regulatory and Legal layers, we aim to be able to

achieve STP compliance between Service

Providers, Collaborators and Trusted Third Parties.

r crucial aspect is to enhance client end with

STP enhanced platform, besides the necessary STP

Authentication, Authorization and Accountability.

Depth Solution

Figure 5 shows the targeted outcome of the

Depth Solution based on STP

Framework. Our main target is to enhance Defence

Depth at the client end, in line with

enhancement at server and infrastructure.

Figure 6: Relationships between STP

Figure 6 shows the expected relationship between

STP systems based on the works of Zheng Yan &

Ronan MacLaverty [11].

3.4 High level Goals

The overall expected high level

achieved are as shown in Figure 7

consists of three models, namely, Security, trust

and privacy models all combined together to form a

unified STP architecture. In this figure, Security

Model consists of a layered model of the Security

Defence In-Depth. The same layered model is

applied to Trust and Privacy. Hence, a final version

of the STP framework would consist of all the three

models combined together.

Figure 7: Holistic STP Framework

Take the special case for implementation in

government services. The Government requirement

should address all for

citizens perform transactions with government

services. Let us discuss how STP framework would

be helpful in achieving the above stated objectives.

From security point of view, users need to be

authenticated adequately to ensure that personal

Identifications (IDs) are not hijacked by hackers

who would do more harm either to the person’s

private data or to the entire service

point of view, the client platform, host platform and

entire infrastructure on which services and

Relationships between STP Systems

Figure 6 shows the expected relationship between

STP systems based on the works of Zheng Yan &

The overall expected high level goals to be

as shown in Figure 7. The Framework

ree models, namely, Security, trust

and privacy models all combined together to form a

unified STP architecture. In this figure, Security

Model consists of a layered model of the Security

Depth. The same layered model is

vacy. Hence, a final version

of the STP framework would consist of all the three

models combined together.

Holistic STP Framework

Take the special case for implementation in

government services. The Government requirement

should address all for STP protections when

citizens perform transactions with government

services. Let us discuss how STP framework would

he above stated objectives.

From security point of view, users need to be

authenticated adequately to ensure that personal

are not hijacked by hackers

who would do more harm either to the person’s

private data or to the entire service. From trust

point of view, the client platform, host platform and

entire infrastructure on which services and


ISBN: 978-1-61804-019-0 59

applications run, must be trusted (perform

according to the expected way), which means that

trust foundations of trusted computing must be in

place. From privacy point of view, we should

review how information about citizen is handled

within government services when they use

information technology (IT) to collect new

information, or when agencies develop or buy new

IT systems to handle collections

identifiable information. It also involves how the

system handles information that individuals

provide electronically, so that the public has

assurances that personal information is protected

through privacy preserving technologies.

Figure 8: Implementation Strategy for STP

4 Preliminary Studies Our work has just started last year and we decided

to focus on trying to achieve some kind of

integration between STP Models as shown in

Figure 8. In this diagram we decided to apply the

STP concept on a particular environment, such as

Analysis of Open Environment Sign

Privacy Enhanced & Trustworthy Approach

5 Conclusions This paper discusses the global phenomenon of

information security divide, major security, trust

and privacy (STP) challenges, related works by

past researchers and the proposed STP framework

We have presented the STP concept and framework

and we hope that it can be considered as a step

towards implementation of a better Security, Trust

and Privacy environment which is necessary in

future pervasive computing. We present

proposed framework in a holistic approach.

Framework, when implemented

computing environment would address how

sensitive personal data could travel uninterrupted,


applications run, must be trusted (perform

according to the expected way), which means that

trust foundations of trusted computing must be in

ce. From privacy point of view, we should

review how information about citizen is handled

within government services when they use

information technology (IT) to collect new

information, or when agencies develop or buy new

IT systems to handle collections of personally

identifiable information. It also involves how the

system handles information that individuals

provide electronically, so that the public has

assurances that personal information is protected

through privacy preserving technologies.

STP Framework

and we decided

to focus on trying to achieve some kind of

integration between STP Models as shown in

Figure 8. In this diagram we decided to apply the

STP concept on a particular environment, such as

Analysis of Open Environment Sign-in Schemes-

anced & Trustworthy Approach [12].

discusses the global phenomenon of

major security, trust

, related works by

past researchers and the proposed STP framework.

oncept and framework

can be considered as a step

towards implementation of a better Security, Trust

and Privacy environment which is necessary in

We presented our

istic approach. The

Framework, when implemented in pervasive

would address how

sensitive personal data could travel uninterrupted,


References

[1] P A Nixon, W. Wagealla, C.

Security, Privacy and Trust Issues in Smart

Environments, 2004

[2] S Karnouskos, A Hondroudaki, A Vilmos, B

Csik, Security, Trust and Privacy in the

SEcure MObile Payment Service, 3rd

International Conference on Mobile Business

2004, New York City, USA, 12

[3] S K Katsikas, J Lopez, G Pernul, Trust, Privacy

and Security in E-Business: Requirements and

Solutions, PCI 2005, LNCS 3746, pp. 548

558, 2005.

[4] International Security Trust Privacy Alliance

(ISTPA), Analysis o

Making Privacy Operational, Version 2.0,

May 2007

[5] R K Chellappa, Consumers’ Trust in Electronic

Commerce Transactions: The Role of

Perceived Privacy and Perceived Security,

2007

[6] M Riguidel, Security, Privacy & Trust in the

Future Internet, The future of the Internet,

Bled, Slovenia, April 2, 2008

[7] Lakshmi Eswari et.al, A Comprehensive

Security, Privacy & Trust Management

Framework for Ubiquitous Computing

Environment, UbiComp India 2008.

[8] Security, Privacy and Trust i

Internet, Issues for Discussions, 2008


(ISTPA), Privacy Management Reference

Model, A framework for resolving privacy

policy requirements into operational privacy

services and functions, Versi

[10] H Peng, J Gu, X Ye, Towards Compliance

and Accountability: a Framework for Privacy

Online, Journal of Computers, Vol. 4, No. 6,

June 2009 [11] Zheng Yan and Silke Holtmanns, “Trust

Modeling and Management: from Social Trust

to Digital Trust”, book chapter of Computer

Security, Privacy and Politics: Current Issues,

Challenges and Solutions, IGI Global, 2007

[12] Zubair Ahmad Khattak, Jamalul

Manan, Suziah Sulaiman

Environment Sign

Enhanced & Trustworthy Approach

of Advances in Information Technology, Vol

2, No 2 (2011), 109-121, May 2011

[1] P A Nixon, W. Wagealla, C. English, S. Terzis,

Security, Privacy and Trust Issues in Smart

[2] S Karnouskos, A Hondroudaki, A Vilmos, B

Csik, Security, Trust and Privacy in the

SEcure MObile Payment Service, 3rd

International Conference on Mobile Business

New York City, USA, 12-13 July 2004

[3] S K Katsikas, J Lopez, G Pernul, Trust, Privacy

Business: Requirements and

Solutions, PCI 2005, LNCS 3746, pp. 548 –


(ISTPA), Analysis of Privacy Principles:

Making Privacy Operational, Version 2.0,

R K Chellappa, Consumers’ Trust in Electronic

Commerce Transactions: The Role of

Perceived Privacy and Perceived Security,

M Riguidel, Security, Privacy & Trust in the

Future Internet, The future of the Internet,

Bled, Slovenia, April 2, 2008

Lakshmi Eswari et.al, A Comprehensive

Security, Privacy & Trust Management

Framework for Ubiquitous Computing

Environment, UbiComp India 2008.

Security, Privacy and Trust in the Future

Internet, Issues for Discussions, 2008

International Security Trust Privacy Alliance

(ISTPA), Privacy Management Reference

Model, A framework for resolving privacy

policy requirements into operational privacy

services and functions, Version 2.0, 2009

Ye, Towards Compliance

and Accountability: a Framework for Privacy

Online, Journal of Computers, Vol. 4, No. 6,

Zheng Yan and Silke Holtmanns, “Trust

Modeling and Management: from Social Trust

st”, book chapter of Computer

Security, Privacy and Politics: Current Issues,

Challenges and Solutions, IGI Global, 2007 Zubair Ahmad Khattak, Jamalul-lail Ab

Manan, Suziah Sulaiman, Analysis of Open

Environment Sign-in Schemes-Privacy

Trustworthy Approach, Journal

of Advances in Information Technology, Vol

121, May 2011


ISBN: 978-1-61804-019-0 60

Security, Trust and Privacy – A New Direction for Pervasive...

Documents

Transcript of Security, Trust and Privacy – A New Direction for Pervasive...