Compliance Checking of Cloud Providers: Design and Implementation

Abstract

The recognition of capabilities supplied by cloud systems is presently growing. Collecting or sharing healthcare data and sensitive information especially during the Covid-19 pandemic has motivated organizations and enterprises to leverage the upsides coming from cloud-based applications. However, the privacy of electronic data in such applications remains a significant challenge for cloud vendors to adapt their solutions with existing privacy legislation standards such as general data protection regulation (GDPR). This article first proposes a formal model and verification for data usage requests of providers in a cloud composite service using a model checking tool. A cloud pharmacy scenario is presented to illustrate the connectivity of providers in the composite service and the stream of their requests for both collection and movement of patient data. A set of verifications is then undertaken over the pharmacy service in accordance with three significant GDPR obligations, namely user consent, data access, and data transfer. Following that, the article designs and implements a cloud container virtualization based on the verified formal model realizing GDPR requirements. The container makes use of some enforcement smart contracts to only proceed with the providers’ requests that are compliant with GDPR. Finally, several experiments are provided to investigate the performance of our approach in terms of time, memory, and cost.