Abstract
In recent years, enterprise applications have begun to migrate from a local hosting to a cloud provider and may have established a business-to-business relationship with each other manually. Adaptation of existing applications requires substantial implementation changes in individual architectural components. On the other hand, users may store their Personal Identifiable Information (PII) in the cloud environment so that cloud services may access and use it on demand. Even if cloud services specify their privacy policies, we cannot guarantee that they follow their policies and will not (accidentally) transfer PII to another party. In this paper, we present Identity-as-a-Service (IDaaS) as a trusted Identity and Access Management with two requirements: Firstly, IDaaS adapts trust between cloud services on demand. We move the trust relationship and identity propagation out of the application implementation and model them as a security topology. When the business comes up with a new e-commerce scenario, IDaaS uses the security topology to adapt a platform-specific security infrastructure for the given business scenario at runtime. Secondly, we protect the confidentiality of PII in federated security domains. We propose our Purpose-based Encryption to protect the disclosure of PII from intermediary entities in a business transaction and from untrusted hosts. Our solution is compliant with the General Data Protection Regulation and involves the least user interaction to prevent identity theft via the human link. The implementation can be easily adapted to existing Identity Management systems, and the performance is fast.
Highlights
In a local hosting environment, traditional applications have their own implementations for authentication and authorisation
Purpose-based Encryption: In [34], we proposed a broader solution to solve the privacy issues above: We protect Personal Identifiable Information (PII) over an intended channel, as well as an unintended channel, and against an untrusted host
We proposed a new approach to Purpose-based Encryption (PBE)
Summary
In a local hosting environment, traditional applications have their own implementations for authentication and authorisation. After a user authenticates successfully at Telekom (step 1), he can access cloud services at Salesforce (step 2). This is a typical solution for a local company that uses a SaaS provider [10]. The disadvantage is that Telekom must completely trust and delegate the control for disclosing its employee’s data to Salesforce This scenario raises a question: how do we protect PII when we disseminate it from a trusted domain to an honest-but-curious one in identity federation? This scenario raises a question: how do we protect PII from an untrusted host?
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
