MyData Cloud: Secure Cloud Architecture for Strengthened Control Over Personal Data

  • Seungmin Heo (허승민), Korea University (고려대학교)
  • Yonghee Kwon (권용희), Korea University
  • Beomjoong Kim (김범중), Korea University
  • Kiseok Jeon (전기석), Korea University
  • Junghee Lee (이중희), Korea University
  • Received: 2024.04.29
  • Accepted: 2024.06.14
  • Published: 2024.08.31

Abstract

MyData is an approach to personal data management that grants data subjects the right to decide how their data are used and to whom they are provided. With the explicit consent of the subject, service providers can collect scattered data from data sources and offer personalized services based on the collected data. In existing service models, personal data saved in data storage can be shared with the data processors of service providers or of third parties. However, once personal data have been transferred to third-party processors, it is difficult for data subjects to trace and control them. Therefore, in this paper, we propose a cloud model in which both the data storage and the processor are located within a single cloud, ensuring that data do not leave the cloud.

MyData is a new paradigm for the use of personal data, in which the data subject decides how their data are used and to whom they are provided. With the consent of the data subject, a service provider collects the customer's data scattered across multiple services and, on that basis, offers services tailored to the customer. In existing MyData service models, the data subject can sell their personal information stored in data storage to the data processors of the service provider or of third parties. However, once personal information has been sold to a third-party processor and is processed there, the data can no longer be traced or controlled from that moment on. Therefore, this paper presents a cloud model that addresses the shortcomings of existing MyData operating models and grants the data subject a higher degree of control. At the same time, because gathering data storage, controller, and processor in one place, as a cloud model does, means that a compromise of the cloud could expose all data at once, we also present a cloud model architecture that applies cloud-device cooperative encryption and isolation between cloud components to reduce this risk.

Acknowledgement

This work was supported by the Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korean government (Ministry of Science and ICT) in 2021 (No. RS-2021-II210528, Development of standard protocols for a hardware-centric trusted computing base and distributed data protection boxes).
