
The enforcement of sensitive policies in untrusted environments is still an open challenge for policy-based systems. On the one hand, taking any appropriate security decision requires access to these policies. On the other hand, if such access is allowed in an untrusted environment then confidential information might be leaked by the policies. The key challenge is how to enforce sensitive policies and protect data in untrusted environments. This challenge arises from a fundamental question, i.e., how can we establish trust in untrusted environments? By establishing trust in untrusted environments, we will enable individuals and enterprises to leverage business models based on untrusted environments. At the same time, we would be fostering trust of end-users by ensuring privacy and security of their personal data.

According to Gartner, the cloud-based security (including access management) services market will be worth $2.1 billion in 2013 and it will rise to $3.1 billion in 2015 [4]. This implies that security (access management in particular) of outsourced data is a key problem from a business analyst’s point of view. It is important to note that outsourced environments are inherently untrusted. In the context of untrusted environments, we mainly distinguish two scenarios: (i) outsourced environments and (ii) distributed environments. The most attractive paradigms concerning outsourced and distributed environments are cloud computing and opportunistic networks, respectively.

1.1.1 Cloud Computing

Cloud computing is an emerging paradigm offering outsourced services to enterprises for storing and processing huge amounts of data at very competitive costs. It promises higher availability, scalability and more effective quality of service than in-house solutions. In cloud computing, the outsourced data is within easy reach of cloud service providers. Unfortunately, one of the main obstacles to widespread adoption of the cloud is preserving confidentiality of the data [5]. There are several techniques that can guarantee confidentiality of data stored in outsourced environments while supporting basic search capabilities [6–15]. However, they do not support access control policies to regulate access to a particular subset of the stored data. State-of-the-art policy-based mechanisms can work only when they are deployed and operated within a trusted domain [16]. In an untrusted environment, access policies may reveal sensitive information about the data they aim to protect.

To understand how access policies may reveal sensitive information in outsourced environments, let us imagine a scenario where a healthcare provider has outsourced its health record management services to a third party service provider. In this scenario, we do not trust the service provider to preserve data confidentiality. Therefore, we can encrypt health records before storing them in the outsourced environment. Furthermore, each health record is associated with an access policy in order to prevent any unintended access. Let us consider the following access policy, attached to the health record: only a Cardiologist may access the health record. Even if the data is encrypted, a curious service provider may still infer private information about the patient’s medical conditions. From the example policy, a curious service provider may easily deduce that the patient could have heart problems. A misbehaving service provider may sell this information to banks that could deny the patient a loan given her health conditions.

in outsourced environments [17–20]. However, those solutions are not suitable for scenarios where administrative actions are taken dynamically; this is because any administrative actions including updating access rights, adding users (or resources) and removing users (or resources) require re-distribution of new keys, as well as re-encryption of existing data with those keys. The core research issue is to develop an efficient scheme with flexible key management that can enforce expressive access control policies in outsourced environments without revealing private information to service providers.

1.1.2 Opportunistic Networks

Opportunistic networks are an emerging paradigm that has enabled individuals and enterprises to offer new services instantaneously. The fundamental reason behind this flexibility is that this paradigm aims at providing services without requiring any in-house Information Technology (IT) infrastructure [21]. Basically, opportunistic networks eliminate the need for any Internet connectivity.

In opportunistic networks, nodes can publish their own content and subscribe to others’ content by indicating their interest. Any node can also act as a broker (also called a relay) that opportunistically receives content and interest, matches them and possibly delivers that content to other nodes. These opportunistic networks could be applied to the exchange of information in a wide range of domains from social media to military applications. Like cloud service providers, unauthorised brokers in opportunistic networks may infer private information from cleartext policies even when contents are encrypted.

Let us consider a battlefield scenario where soldiers are interested in sharing or acquiring sensitive information. We assume that there is no Internet connectivity in the battlefield. However, soldiers can exchange information via the short-range communication offered by smartphones. Soldiers can publish their content and subscribe for content of their interest. There are soldiers, known as brokers, who help to exchange content from one place to another. However, those soldiers must not be able to get access to content. For regulating access to content, a soldier who is publishing can encrypt content using state-of-the-art encryption techniques and specify an access policy describing which group of soldiers can get access. For instance, the policy could be: either a Soldier from the Infantry unit or a Major can get access. Although the content is encrypted, soldiers serving as brokers and attackers (an enemy with access to brokers’ smartphones) may infer private information from cleartext policies, i.e., who will receive this content. Furthermore, subscription information (containing the interests of subscribers) might compromise the privacy of subscribers.
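The leakage in both the health-record scenario (1.1.1) and the battlefield scenario above comes from the policy being evaluated by an untrusted host in cleartext. The following added example (not code from the thesis, and not the scheme it proposes) shows what a curious host reads from a cleartext policy, and one simple mitigation: the data owner replaces every attribute name and value with a keyed pseudonym so the host can still match a requester's tokens against the policy without learning the attributes. The policy format, the HMAC-based pseudonymisation and the owner key are assumptions of this example.

```python
import hmac
import hashlib

# Constructed sample: an encrypted item stored beside its cleartext policy
# at an untrusted host (cloud provider or opportunistic-network broker).
# Policies are in disjunctive normal form: a list of alternatives, each a
# set of attribute=value conditions that must all hold.
HEALTH_RECORD = {
    "ciphertext": "<encrypted health record>",
    "policy": [{"role": "Cardiologist"}],
}
BATTLEFIELD_CONTENT = {
    "ciphertext": "<encrypted content>",
    "policy": [{"role": "Soldier", "unit": "Infantry"}, {"role": "Major"}],
}

def values_visible_to_host(stored_item):
    """Everything a curious host learns by reading a cleartext policy."""
    return sorted({v for clause in stored_item["policy"] for v in clause.values()})

# Mitigation sketch (an assumption here, not the thesis's own scheme): the
# owner replaces every attribute name and value with a keyed pseudonym under
# a key the host never holds. The host evaluates the policy by comparing
# tokens only, so it sees no attribute in the clear.
def pseudonymise(key, text):
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()

def protect_policy(key, policy):
    return [{pseudonymise(key, a): pseudonymise(key, v) for a, v in clause.items()}
            for clause in policy]

def requester_tokens(key, attributes):
    """Tokens an authorised requester presents; built with the same owner key."""
    return {pseudonymise(key, a): pseudonymise(key, v) for a, v in attributes.items()}

def host_evaluates(protected_policy, tokens):
    """Policy evaluation at the untrusted host: token equality only."""
    return any(all(tokens.get(a) == v for a, v in clause.items())
               for clause in protected_policy)

def demo(key=b"owner-secret-key"):  # constructed key, shared with authorised users only
    protected = protect_policy(key, BATTLEFIELD_CONTENT["policy"])
    return {
        "cleartext_leak": values_visible_to_host(BATTLEFIELD_CONTENT),
        "infantry_soldier": host_evaluates(protected, requester_tokens(key, {"role": "Soldier", "unit": "Infantry"})),
        "artillery_soldier": host_evaluates(protected, requester_tokens(key, {"role": "Soldier", "unit": "Artillery"})),
        "major": host_evaluates(protected, requester_tokens(key, {"role": "Major"})),
        "host_sees": protected,
    }
```

Deterministic pseudonyms still reveal equality: the host can tell that two items carry the same policy, or that a requester keeps presenting the same token, so this mitigation only partly addresses the leakage described above.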

There are schemes that preserve predicate privacy [22, 23] and assume that the predicate is evaluated at the receiver’s end. Shikfa et al. [24] propose a method that pro-
