GEODAC: A Data Assurance Policy Specification and Enforcement Framework for Outsourced Services

Abstract

Many cloud service providers offer outsourcing capabilities to businesses using the software-as-a-service delivery model. In this delivery model, sensitive business data need to be stored and processed outside the control of the business. The ability to manage data in compliance with regulatory and corporate policies, which we refer to as data assurance, is an essential success factor for this delivery model. There exist challenges to express service data assurance capabilities, capture customers' requirements, and enforce these policies inside service providers' environments. This paper addresses these challenges by proposing Global Enforcement Of Data Assurance Controls (GEODAC), a policy framework that enables the expression of both service providers' capabilities and customers' requirements, and enforcement of the agreed-upon data assurance policies in service providers' environments. High-level policy statements are backed in the service environment with a state machine-based representation of policies in which each state represents a data lifecycle stage. Data assurance policies that define requirements on data retention, data migration, data appropriateness for use, etc. can be described and enforced. The approach has been implemented in a prototype tool and evaluated in a services environment.