security, trust and privacy – a new direction for pervasive...
TRANSCRIPT
Security, Trust and Privacy – A New Direction for Pervasive
Computing
JAMALUL-LAIL AB MANAN1 MOHD FAIZAL MUBARAK
1, MOHD ANUAR MAT ISA
1
1Advanced Information Security Cluster, MIMOS Bhd,
57000 Technology Park Malaysia, Kuala Lumpur, MALAYSIA.
{jamalul.lail, faizal.mubarak, anuar.isa}@mimos.my
ZUBAIR AHMAD KHATTAK2
2 Universiti Teknologi PETRONAS, Department of Computer & Information Sciences,
Toronoh 31750 Perak, MALAYSIA
Abstract: -Information which used to be privileged only for the rich and powerful few has become crucial part
of our life. Everyone is now very aware of the need to protect sensitive and valuable information from
unintentionally being presented to other individuals or organizations. In the open environment such as the
internet, there are suspicious individuals with insincere motives who are cautiously trying to get personal gain
or trying to meet political propaganda. Clearly, there is a need for a framework for data to travel uninterrupted,
unchanged and unseen by unscrupulous recipients. This framework should address issues in security, trust and
privacy in a unified form. We present our proposed framework in a holistic approach. This paper discusses the
global phenomenon of information security divide, major security, trust and privacy (STP) challenges, related
works by past researchers and the proposed STP framework. The Framework, when implemented in pervasive
computing environment would address how sensitive personal data could travel uninterrupted, unchanged and
unseen by unscrupulous recipients.
Keywords: - Security, trust and privacy, Unified Framework
1 Introduction
Information which used to be privileged only for
the rich and powerful few has become crucial part
of our life. Everyone is now very aware of the need
to protect sensitive and valuable information from
unintentionally being presented to other individuals
or organizations. In the open environment such as
the internet, there are suspicious individuals with
insincere motives who are cautiously trying to get
personal gain or trying to meet political
propaganda. Clearly, there is a need for a
framework for data to travel uninterrupted,
unchanged and unseen by unscrupulous recipients.
While we do not have any Framework that address
security, trust and privacy, we should develop it
now so that future services can be rendered to users
with confidence.
In a future scenario whereby any two devices that
communicate over the public untrusted networks,
they are bound to face security, trust and privacy
issues. Questions such as the following will have to
be addressed:
Users:
• Do I know enough of this user? How does
he/she use any mechanism to secure
credential(s), so that I can trust him/her?
What application(s) do I allow him/her to
have access? Which privacy policy doe
he/she use?
Servers:
• Which and what type of server I am
connected to? Is the server security
enabled and trusted? Is there any trust or
privacy mechanism in place in the server?
Trusted Third Parties:
• Is the trusted third party for this
application behaving correctly and security
compliant? Is there any corporate privacy
compliance adopted by this third party?
Systems architect, engineers, designers and
developers constantly review these questions
because they are still struggling to create a secure,
trustworthy, and privacy preserved environment for
us to do business, transactions and collaborations.
In the case of security, we need to address
confidentiality, integrity and availability issues. In
the case of trust, we need to make sure that the
platform that we are working on and the
communication channels are indeed trusted. In the
case of privacy, it is crucial to protect sensitive and
Recent Researches in Computer Science
ISBN: 978-1-61804-019-0 56
valuable information from being handed over to
unintended individuals with insincere motive
Recent advances in networking, handheld
computing and sensor technologies have driven
forward research towards the realisation of
ubiquitous computing (variously called pervasive
computing, ambient computing, active spaces, the
disappearing computer or context
computing). These advances have led to the
emergence of smart environments with that is
extensively equipped with sensors, actuators and
computing components [1] as well as the need to
consider other factors such as security, trust and
privacy in critical and sensitive sectors such as
financial services[2] and business transactions. [
Most of existing security solution does not cater for
trust and privacy protection. This lead to the ever
growing and most unresolved problem of lost and
leakages of personalised and dynamic data that
contributes to the security and privacy problems.
Unfortunately the manner of tracking, collection
and analysis of these personalised and dynamic
data by bad guys will not be obvious or active.
Hence, the potential for collection and misuse of
information is massive. To resolve these issues,
guidelines have been produced. [4]
As shown in Figure 1, today’s security solution is
still non-unified in dealing with STP issues. Many
solutions address issues in silos, perhaps because of
STP complexities, non-compliance to
standards or gaps within these standards
such as identity management and
effect is non-unified compliance layers within the
solutions. There are also other areas not fully
covered, under international regulatory and legal
framework. Hence, Service Providers,
Collaborators and Trusted Third Parties are not
able to work in harmony to bring about the
confidence in using services in the open
environment such as the internet.
Figure 1: Today’s Security Solution
valuable information from being handed over to
unintended individuals with insincere motives.
nces in networking, handheld
computing and sensor technologies have driven
forward research towards the realisation of
ubiquitous computing (variously called pervasive
computing, ambient computing, active spaces, the
disappearing computer or context-aware
computing). These advances have led to the
emergence of smart environments with that is
extensively equipped with sensors, actuators and
] as well as the need to
consider other factors such as security, trust and
and sensitive sectors such as
] and business transactions. [3]
ost of existing security solution does not cater for
trust and privacy protection. This lead to the ever
growing and most unresolved problem of lost and
lised and dynamic data that
contributes to the security and privacy problems.
Unfortunately the manner of tracking, collection
and analysis of these personalised and dynamic
data by bad guys will not be obvious or active.
n and misuse of
information is massive. To resolve these issues,
As shown in Figure 1, today’s security solution is
unified in dealing with STP issues. Many
solutions address issues in silos, perhaps because of
to international
standards still exists,
such as identity management and privacy. The
unified compliance layers within the
There are also other areas not fully
covered, under international regulatory and legal
Hence, Service Providers,
Collaborators and Trusted Third Parties are not
able to work in harmony to bring about the
confidence in using services in the open
Today’s Security Solution
Figure 2 shows the Defence In
today’s technologies that address STP issues. In
general, STP issues are mitigated in silos, non
unified approach and focus very much
and network infrastructure level. Very little has
been done to protect user identity, data and
platform. The Defence In
towards service providers and computing hardware
and software providers.
We are going to face with
more complicated involving irregular policies
between cross border countries, more variants of
devices, sophisticated trust relationships, complex
ownership relationship, and with multi
composition. It is thus the intention
highlight the significance of a STP framework
It is the intention of this paper, to present a more
balanced STP Framework that provides
caters for user needs, such as user identity, data and
platform protection.
Figure 2: Today’s Defence In
The rest of this paper is organized as follows:
section 2, we present
research, and in Section 3 we propose the
preliminary STP Framework and finally we
conclude the paper with future work directio
2 Related Works
Trust in online transactions is vital for the sustained
progress and development of electronic commerce
(EC). Chellappa [5] proposed a combination of
security, trust and privacy that influence their trust
in online transactions. He showed that consumers
exhibit variability in their perceptions of privacy,
security and trust between online and offline
transactions even if it is
store. He then developed and validated measures of
consumers' perceived privacy and perceived
security of their online transactions which are then
theorized to influence their trust in EC transactions.
Figure 2 shows the Defence In-Depth Solution of
today’s technologies that address STP issues. In
general, STP issues are mitigated in silos, non-
unified approach and focus very much at the server
and network infrastructure level. Very little has
been done to protect user identity, data and
platform. The Defence In-Depth has been skewed
towards service providers and computing hardware
We are going to face with future which is even
more complicated involving irregular policies
between cross border countries, more variants of
devices, sophisticated trust relationships, complex
ownership relationship, and with multi-facet user
It is thus the intention of this paper to
highlight the significance of a STP framework.
intention of this paper, to present a more
balanced STP Framework that provides basis that
for user needs, such as user identity, data and
Today’s Defence In-Depth Solution
The rest of this paper is organized as follows: In
we present related works on STP
and in Section 3 we propose the
ramework and finally we
conclude the paper with future work directions.
Trust in online transactions is vital for the sustained
progress and development of electronic commerce
proposed a combination of
security, trust and privacy that influence their trust
in online transactions. He showed that consumers
exhibit variability in their perceptions of privacy,
security and trust between online and offline
conducted with the same
store. He then developed and validated measures of
consumers' perceived privacy and perceived
security of their online transactions which are then
theorized to influence their trust in EC transactions.
Recent Researches in Computer Science
ISBN: 978-1-61804-019-0 57
Riguidel [6] discussed the relationship between
Security, Trust and privacy in future internet which
must be solved by further research. He showed that
security and trust are mutually influencing each
other in e-commerce, similarly security and privacy
are mutually influencing. However, there is no
attempt to combine all the three
security, trust and privacy together. Lakshmi
Eswari et. al. [7] described the security and trust
management issues, and their respective models,
but no attempt to include privacy in their ana
In reference [8], the authors put forward the
following challenges in Security, Trust and Privacy
research:
• Understanding and developing privacy
friendly identity management schemes;
• Rethinking privacy and trust in future ambient
environments (incl. networked sensor
environments and the Internet of Things): new
privacy models and information control
paradigms; privacy enhancing technologies;
• New frameworks and reference architectures
integrating fragmented approaches for
managing personal information and for data
sharing and exchange under users' control;
• Understanding how trust emerges and evolves,
and the related notions of reputation
formation, monitoring, evolution and
management;
• Developing novel trustworthy and usable
means, including trust services, that take
account of the situation and context and help
users make informed decisions about which
information, services and systems they can
trust;
From all the above discussions, we can safely say
that we need an overall framework that combin
security, trust and privacy. Following the early
publication on Analysis of Privacy Principles
2007, International Security Trust Privacy Alliance
(ISTPA), produced another document that
describes Privacy Management Framework
which includes a Privacy Reference Model.
Huanchun Peng et. al. [10] has produced a
framework with the goal of privacy promise
compliance and accountability, which may help
such situation before sound privacy answers may
be realized. The authors have also discussed
relevant technical and non-technical components
which are needed in the privacy scenario
some research challenges towards the
implementation of the framework. Their work is
relationship between
Security, Trust and privacy in future internet which
must be solved by further research. He showed that
security and trust are mutually influencing each
commerce, similarly security and privacy
ver, there is no
attempt to combine all the three areas, namely
security, trust and privacy together. Lakshmi
described the security and trust
management issues, and their respective models,
but no attempt to include privacy in their analysis.
, the authors put forward the
following challenges in Security, Trust and Privacy
Understanding and developing privacy-
friendly identity management schemes;
Rethinking privacy and trust in future ambient
(incl. networked sensor
environments and the Internet of Things): new
privacy models and information control
paradigms; privacy enhancing technologies;
New frameworks and reference architectures
integrating fragmented approaches for
mation and for data
sharing and exchange under users' control;
Understanding how trust emerges and evolves,
and the related notions of reputation
formation, monitoring, evolution and
Developing novel trustworthy and usable
t services, that take
account of the situation and context and help
users make informed decisions about which
information, services and systems they can
From all the above discussions, we can safely say
that we need an overall framework that combines
Following the early
on Analysis of Privacy Principles in
2007, International Security Trust Privacy Alliance
(ISTPA), produced another document that
describes Privacy Management Framework [9]
vacy Reference Model.
has produced a
framework with the goal of privacy promise
compliance and accountability, which may help
such situation before sound privacy answers may
. The authors have also discussed some
technical components
which are needed in the privacy scenario as well as
research challenges towards the
Their work is
our main reference in developing the proposed
Security, Trust and Privacy
paper.
3 Security Trust and Privacy
Framework
3.1 Overview The main goal of this STP
the objective of combining Security, Trust
Privacy into one Framework.
assumptions that STP policies, technologies,
processes and law are merged together in
presenting to the users the right ecosystem that
enhances STP requirements.
3.2 Scope The scope of the STP Framework is to cover areas
that will make future solutions realizable in
of implementing user and system security
mechanisms, platform trust and privacy preserving
mechanisms for protecting user personal and
working data. We assume that the legislative aspect
of the STP Framework will also be covered in Data
Protection Law and implemented in each
participating countries or regions.
the necessary balance between
through generally accepted principles.
the R&D on STP Framework i
3. As it can be seen from the figure, we need to be
able to combine STP requirements in a unified
manner, so that there is
between them. In reality and practically, this means
some compromising has to be done.
Figure 3: The Scope for
3.3 Objectives The STP framework will help to
managing and developing elements of
technologies that will promote
business, e-government and national defence in
trust-based privacy-enabling ways. It
cover the necessary STP
ecology for user centric e
in developing the proposed
Privacy Framework in this
Security Trust and Privacy (STP)
STP Framework is to fulfil
combining Security, Trust and
into one Framework. It is based on the
assumptions that STP policies, technologies,
processes and law are merged together in
presenting to the users the right ecosystem that
requirements.
Framework is to cover areas
future solutions realizable in terms
of implementing user and system security
mechanisms, platform trust and privacy preserving
mechanisms for protecting user personal and
We assume that the legislative aspect
ramework will also be covered in Data
Protection Law and implemented in each
participating countries or regions. This will include
between STP are achieved
through generally accepted principles. The scope of
ramework is as shown in Figure
As it can be seen from the figure, we need to be
able to combine STP requirements in a unified
is some kind of balance
In reality and practically, this means
some compromising has to be done.
The Scope for STP Framework
will help to support for
managing and developing elements of STP
technologies that will promote e-transactions, e-
government and national defence in
enabling ways. It will also
STP enhanced balanced
e-business, pervasive and
Recent Researches in Computer Science
ISBN: 978-1-61804-019-0 58
mobile computing, knowledge management
others.
There are three main objectives
technology, process and social aspect
Technology To develop new
privacy technologies, services and
products
Process To achieve balance of current
opposing requirements of
Social To achieve a balance
STP through laws, enhanced by
assurances where
procedures and audits where it is
not.
Figure 4: Future STP Scenario
Figure 4 shows the targeted future STP scenario.
Besides being able to handle STP Compliance
Regulatory and Legal layers, we aim to be able to
achieve STP compliance between
Providers, Collaborators and Trusted Third Parties.
Another crucial aspect is to enhance client e
STP enhanced platform, besides the necessary STP
Authentication, Authorization and Accountability.
Figure 5: Future Defence In-Depth Solutio
Figure 5 shows the targeted outcome of the
Defence In-Depth Solution based on STP
Framework. Our main target is to enhance Defence
In-Depth at the client end, in line with
enhancement at server and infrastructure.
omputing, knowledge management and
There are three main objectives that cover
aspects as follows:
To develop new STP-based
privacy technologies, services and
To achieve balance of current
opposing requirements of STP
a balance between
through laws, enhanced by
assurances where possible
procedures and audits where it is
Scenario
Figure 4 shows the targeted future STP scenario.
Besides being able to handle STP Compliance
Regulatory and Legal layers, we aim to be able to
achieve STP compliance between Service
Providers, Collaborators and Trusted Third Parties.
r crucial aspect is to enhance client end with
STP enhanced platform, besides the necessary STP
Authentication, Authorization and Accountability.
Depth Solution
Figure 5 shows the targeted outcome of the
Depth Solution based on STP
Framework. Our main target is to enhance Defence
Depth at the client end, in line with
enhancement at server and infrastructure.
Figure 6: Relationships between STP
Figure 6 shows the expected relationship between
STP systems based on the works of Zheng Yan &
Ronan MacLaverty [11].
3.4 High level Goals
The overall expected high level
achieved are as shown in Figure 7
consists of three models, namely, Security, trust
and privacy models all combined together to form a
unified STP architecture. In this figure, Security
Model consists of a layered model of the Security
Defence In-Depth. The same layered model is
applied to Trust and Privacy. Hence, a final version
of the STP framework would consist of all the three
models combined together.
Figure 7: Holistic STP Framework
Take the special case for implementation in
government services. The Government requirement
should address all for
citizens perform transactions with government
services. Let us discuss how STP framework would
be helpful in achieving the above stated objectives.
From security point of view, users need to be
authenticated adequately to ensure that personal
Identifications (IDs) are not hijacked by hackers
who would do more harm either to the person’s
private data or to the entire service
point of view, the client platform, host platform and
entire infrastructure on which services and
Relationships between STP Systems
Figure 6 shows the expected relationship between
STP systems based on the works of Zheng Yan &
The overall expected high level goals to be
as shown in Figure 7. The Framework
ree models, namely, Security, trust
and privacy models all combined together to form a
unified STP architecture. In this figure, Security
Model consists of a layered model of the Security
Depth. The same layered model is
vacy. Hence, a final version
of the STP framework would consist of all the three
models combined together.
Holistic STP Framework
Take the special case for implementation in
government services. The Government requirement
should address all for STP protections when
citizens perform transactions with government
services. Let us discuss how STP framework would
he above stated objectives.
From security point of view, users need to be
authenticated adequately to ensure that personal
are not hijacked by hackers
who would do more harm either to the person’s
private data or to the entire service. From trust
point of view, the client platform, host platform and
entire infrastructure on which services and
Recent Researches in Computer Science
ISBN: 978-1-61804-019-0 59
applications run, must be trusted (perform
according to the expected way), which means that
trust foundations of trusted computing must be in
place. From privacy point of view, we should
review how information about citizen is handled
within government services when they use
information technology (IT) to collect new
information, or when agencies develop or buy new
IT systems to handle collections
identifiable information. It also involves how the
system handles information that individuals
provide electronically, so that the public has
assurances that personal information is protected
through privacy preserving technologies.
Figure 8: Implementation Strategy for STP
4 Preliminary Studies Our work has just started last year and we decided
to focus on trying to achieve some kind of
integration between STP Models as shown in
Figure 8. In this diagram we decided to apply the
STP concept on a particular environment, such as
Analysis of Open Environment Sign
Privacy Enhanced & Trustworthy Approach
5 Conclusions This paper discusses the global phenomenon of
information security divide, major security, trust
and privacy (STP) challenges, related works by
past researchers and the proposed STP framework
We have presented the STP concept and framework
and we hope that it can be considered as a step
towards implementation of a better Security, Trust
and Privacy environment which is necessary in
future pervasive computing. We present
proposed framework in a holistic approach.
Framework, when implemented
computing environment would address how
sensitive personal data could travel uninterrupted,
unchanged and unseen by unscrupulous recipients.
applications run, must be trusted (perform
according to the expected way), which means that
trust foundations of trusted computing must be in
ce. From privacy point of view, we should
review how information about citizen is handled
within government services when they use
information technology (IT) to collect new
information, or when agencies develop or buy new
IT systems to handle collections of personally
identifiable information. It also involves how the
system handles information that individuals
provide electronically, so that the public has
assurances that personal information is protected
through privacy preserving technologies.
STP Framework
and we decided
to focus on trying to achieve some kind of
integration between STP Models as shown in
Figure 8. In this diagram we decided to apply the
STP concept on a particular environment, such as
Analysis of Open Environment Sign-in Schemes-
anced & Trustworthy Approach [12].
discusses the global phenomenon of
major security, trust
, related works by
past researchers and the proposed STP framework.
oncept and framework
can be considered as a step
towards implementation of a better Security, Trust
and Privacy environment which is necessary in
We presented our
istic approach. The
Framework, when implemented in pervasive
would address how
sensitive personal data could travel uninterrupted,
unchanged and unseen by unscrupulous recipients.
References
[1] P A Nixon, W. Wagealla, C.
Security, Privacy and Trust Issues in Smart
Environments, 2004
[2] S Karnouskos, A Hondroudaki, A Vilmos, B
Csik, Security, Trust and Privacy in the
SEcure MObile Payment Service, 3rd
International Conference on Mobile Business
2004, New York City, USA, 12
[3] S K Katsikas, J Lopez, G Pernul, Trust, Privacy
and Security in E-Business: Requirements and
Solutions, PCI 2005, LNCS 3746, pp. 548
558, 2005.
[4] International Security Trust Privacy Alliance
(ISTPA), Analysis o
Making Privacy Operational, Version 2.0,
May 2007
[5] R K Chellappa, Consumers’ Trust in Electronic
Commerce Transactions: The Role of
Perceived Privacy and Perceived Security,
2007
[6] M Riguidel, Security, Privacy & Trust in the
Future Internet, The future of the Internet,
Bled, Slovenia, April 2, 2008
[7] Lakshmi Eswari et.al, A Comprehensive
Security, Privacy & Trust Management
Framework for Ubiquitous Computing
Environment, UbiComp India 2008.
[8] Security, Privacy and Trust i
Internet, Issues for Discussions, 2008
[9] International Security Trust Privacy Alliance
(ISTPA), Privacy Management Reference
Model, A framework for resolving privacy
policy requirements into operational privacy
services and functions, Versi
[10] H Peng, J Gu, X Ye, Towards Compliance
and Accountability: a Framework for Privacy
Online, Journal of Computers, Vol. 4, No. 6,
June 2009 [11] Zheng Yan and Silke Holtmanns, “Trust
Modeling and Management: from Social Trust
to Digital Trust”, book chapter of Computer
Security, Privacy and Politics: Current Issues,
Challenges and Solutions, IGI Global, 2007
[12] Zubair Ahmad Khattak, Jamalul
Manan, Suziah Sulaiman
Environment Sign
Enhanced & Trustworthy Approach
of Advances in Information Technology, Vol
2, No 2 (2011), 109-121, May 2011
[1] P A Nixon, W. Wagealla, C. English, S. Terzis,
Security, Privacy and Trust Issues in Smart
[2] S Karnouskos, A Hondroudaki, A Vilmos, B
Csik, Security, Trust and Privacy in the
SEcure MObile Payment Service, 3rd
International Conference on Mobile Business
New York City, USA, 12-13 July 2004
[3] S K Katsikas, J Lopez, G Pernul, Trust, Privacy
Business: Requirements and
Solutions, PCI 2005, LNCS 3746, pp. 548 –
[4] International Security Trust Privacy Alliance
(ISTPA), Analysis of Privacy Principles:
Making Privacy Operational, Version 2.0,
R K Chellappa, Consumers’ Trust in Electronic
Commerce Transactions: The Role of
Perceived Privacy and Perceived Security,
M Riguidel, Security, Privacy & Trust in the
Future Internet, The future of the Internet,
Bled, Slovenia, April 2, 2008
Lakshmi Eswari et.al, A Comprehensive
Security, Privacy & Trust Management
Framework for Ubiquitous Computing
Environment, UbiComp India 2008.
Security, Privacy and Trust in the Future
Internet, Issues for Discussions, 2008
International Security Trust Privacy Alliance
(ISTPA), Privacy Management Reference
Model, A framework for resolving privacy
policy requirements into operational privacy
services and functions, Version 2.0, 2009
Ye, Towards Compliance
and Accountability: a Framework for Privacy
Online, Journal of Computers, Vol. 4, No. 6,
Zheng Yan and Silke Holtmanns, “Trust
Modeling and Management: from Social Trust
st”, book chapter of Computer
Security, Privacy and Politics: Current Issues,
Challenges and Solutions, IGI Global, 2007 Zubair Ahmad Khattak, Jamalul-lail Ab
Manan, Suziah Sulaiman, Analysis of Open
Environment Sign-in Schemes-Privacy
Trustworthy Approach, Journal
of Advances in Information Technology, Vol
121, May 2011
Recent Researches in Computer Science
ISBN: 978-1-61804-019-0 60