Keywords: Authorization system, access control, data location, XACML, Cloud computing
A data location control model for Cloud services is presented that uses an authorization system as its core control element. The model is intended for use by enterprises that collect personal data from end users, data that can potentially be stored and processed at multiple geographic locations. By adhering to the model's authorization decisions, the enterprise can address end users' concerns about the location of their data by incorporating their preferences about the location of their personal data into an authorization policy. The model also ensures that end users have visibility into the location of their data and are informed whenever that location changes. A prototype of the model has been implemented that provides the data owner with an interface through which their location preferences can be expressed. These preferences are stored internally as XACML policy documents. Thereafter, movements or remote duplications of the data must be authorized by submitting requests to an ISO/IEC 10181-3:1996 compliant policy enforcement point. End users can, at any time, view up-to-date information on the locations where their data is stored via a web interface. Furthermore, XACML obligations are used to ensure that end users are informed whenever the location of their data changes.
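The abstract describes three cooperating parts: an owner-supplied location policy, a decision/enforcement pair that every move or replication must pass through, and an obligation that forces the owner to be informed. The following Python sketch is an added example written for this page, not the paper's prototype and not a XACML engine; the owner ids, region codes, data ids and copy limit are constructed, and the policy is a plain dataclass standing in for a XACML policy document. It shows the deny-by-default decision logic, the registry that gives the owner an up-to-date view of where copies reside, and the XACML rule that a Permit whose obligation cannot be discharged must not take effect.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class LocationPolicy:
    """Owner's stated preferences; stands in for a XACML policy document (constructed)."""
    owner: str
    allowed_regions: FrozenSet[str]   # regions in which copies may reside
    max_copies: int = 2               # upper bound on simultaneous copies


@dataclass(frozen=True)
class LocationRequest:
    """A request to move or replicate one data item between two regions."""
    owner: str
    data_id: str
    action: str       # "move" or "replicate"
    source: str
    target: str


@dataclass
class Decision:
    effect: str                                   # "Permit" or "Deny"
    reason: str
    obligations: List[dict] = field(default_factory=list)


class LocationRegistry:
    """Authoritative record of where each item currently resides (what the owner sees)."""

    def __init__(self) -> None:
        self._where: Dict[str, Set[str]] = {}

    def place(self, data_id: str, region: str) -> None:
        self._where.setdefault(data_id, set()).add(region)

    def remove(self, data_id: str, region: str) -> None:
        self._where.get(data_id, set()).discard(region)

    def locations(self, data_id: str) -> FrozenSet[str]:
        return frozenset(self._where.get(data_id, set()))


class LocationPDP:
    """Policy decision point: evaluates a request against the owner's policy, deny by default."""

    def __init__(self, policies: Dict[str, LocationPolicy], registry: LocationRegistry) -> None:
        self.policies = policies
        self.registry = registry

    def evaluate(self, req: LocationRequest) -> Decision:
        policy = self.policies.get(req.owner)
        if policy is None:
            return Decision("Deny", "no location policy for owner")
        if req.action not in ("move", "replicate"):
            return Decision("Deny", f"unknown action {req.action!r}")
        current = self.registry.locations(req.data_id)
        if req.source not in current:
            return Decision("Deny", f"no copy of {req.data_id} at {req.source}")
        if req.target not in policy.allowed_regions:
            return Decision("Deny", f"region {req.target} not permitted by owner")
        if req.action == "replicate" and len(current | {req.target}) > policy.max_copies:
            return Decision("Deny", "replication would exceed the owner's copy limit")
        # Permit is issued together with an obligation the enforcement point must discharge.
        notify = {"id": "notify-owner", "owner": req.owner, "data_id": req.data_id,
                  "action": req.action, "from": req.source, "to": req.target}
        return Decision("Permit", "request satisfies owner policy", [notify])


class LocationPEP:
    """Policy enforcement point: discharges obligations, then applies the permitted change."""

    def __init__(self, pdp: LocationPDP, registry: LocationRegistry,
                 notifier: Callable[[dict], None]) -> None:
        self.pdp, self.registry, self.notifier = pdp, registry, notifier

    def enforce(self, req: LocationRequest) -> Decision:
        decision = self.pdp.evaluate(req)
        if decision.effect != "Permit":
            return decision
        # If the owner cannot be informed, the obligation fails and the location is left unchanged.
        for obligation in decision.obligations:
            self.notifier(obligation)
        self.registry.place(req.data_id, req.target)
        if req.action == "move":
            self.registry.remove(req.data_id, req.source)
        return decision


def demo() -> dict:
    """Runs a short scenario on constructed data and returns the observable outcomes."""
    registry = LocationRegistry()
    registry.place("record-42", "EU-West")            # initial copy, constructed
    policies = {"alice": LocationPolicy("alice", frozenset({"EU-West", "EU-Central", "EU-North"}), 2)}
    notices: List[dict] = []
    pep = LocationPEP(LocationPDP(policies, registry), registry, notices.append)

    replicate = pep.enforce(LocationRequest("alice", "record-42", "replicate", "EU-West", "EU-Central"))
    move_to_us = pep.enforce(LocationRequest("alice", "record-42", "move", "EU-West", "US-East"))
    third_copy = pep.enforce(LocationRequest("alice", "record-42", "replicate", "EU-West", "EU-North"))
    move_inside = pep.enforce(LocationRequest("alice", "record-42", "move", "EU-Central", "EU-North"))
    return {"replicate": replicate.effect, "move_to_us": move_to_us.effect,
            "third_copy": third_copy.effect, "move_inside": move_inside.effect,
            "locations": registry.locations("record-42"), "notices": len(notices)}


if __name__ == "__main__":
    print(demo())
```

The notifier is invoked before the registry changes so that a failed notification leaves the data where it was, which is the behaviour XACML requires of a PEP that cannot fulfil an obligation attached to a Permit.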
1 INTRODUCTION
Cloud Computing offers a new style of computing that allows consumers to pay only for the services used and frees them from the management overhead of the underlying infrastructure. Although Cloud Computing has gained significant traction in recent years, surveys have consistently shown that consumers' concerns around security and loss of control over data are hindering adoption (Subashini and Kavitha, 2011; Chen and Zhao, 2012). Additionally, the physical location of data can have an impact on its vulnerability to disclosure and can have implications for service quality and legal consequences (Albeshri et al., 2012; Gondree and Peterson, 2013). Many regulations such as HIPAA and the EU Data Protection Directive impose restrictions on the movement of data between geographical locations. Data location therefore represents a sensitive issue for enterprises that offer cloud services. Existing and potential customers seek assurance that the enterprise will act as faithful stewards of information entrusted to them, and the enterprise itself wishes to avoid falling foul of data protection rules and other regulations.
However, these concerns must be balanced against the enterprise's desire to maintain redundancy and operational efficiency. There are a number of valid reasons for copying data to geographically dispersed locations. These may include:
• Risk Mitigation: Copying data to more than one physical location provides a hedge against localised catastrophic events such as fires and natural disasters.
• Operational Expenditure: Due to the geographically variable nature of overheads, such as energy costs, it may be cheaper to store and/or process data at a location other than where it was stored originally.
• Storage Capacity: If a data centre has limited capacity it might be helpful to offload some storage to another location.
• Maintenance: Data may sometimes need to be moved temporarily in order to facilitate data centre maintenance, upgrade or relocation.
• Localised Caching: Content delivery networks, such as Akamai and Amazon CloudFront, replicate data to edge servers in order to improve users' quality of experience.
Enterprises that offer Cloud services must therefore balance the benefits of migrating data against concerns relating to trustworthiness in the eyes of users and regulatory compliance.