2016 IEEE 40th Annual Computer Software and Applications Conference

Data Security and Privacy

Concepts, Approaches, and Research Directions

Elisa Bertino
Computer Science Department and CERIAS
Purdue University
West Lafayette, Indiana (USA)
[email protected]

Abstract—Data are today an asset more critical than ever for that by the year 2020 20.8 billions of IoT devices will be
all organizations we may think of. Recent advances and trends, installed. Such staggering numbers show that IoT will have
such as sensor systems, IoT, cloud computing, and data a major impact, especially when combined with powerful
analytics, are making possible to pervasively, efficiently, and data analytics and knowledge extraction techniques.
effectively collect data. However for data to be used to their The combination of big data and IoT technologies - that
full power, data security and privacy are critical. Even though we refer to as pervasive big data (PBD) technologies - will
data security and privacy have been widely investigated over
the past thirty years, today we face new difficult data security
push a novel generation of data-intensive applications and
and privacy challenges. Some of those challenges arise from move automation in a large number of domains, ranging
increasing privacy concerns with respect to the use of data and from manufacturing and energy management (e.g.
from the need of reconciling privacy with the use of data for SmartGrid), to healthcare management and urban life (e.g.
security in applications such as homeland protection, SmartCities). Applications range from monitoring the
counterterrorism, and health, food and water security. Other moisture in a field of crops, to tracking the flow of products
challenges arise because the deployments of new data collection through a factory, to remotely monitoring patients with
and processing devices, such as those used in IoT systems, chronic illnesses and remotely managing medical devices,
increase the data attack surface. In this paper, we discuss such as implanted devices and infusion pumps.
relevant concepts and approaches for data security and
privacy, and identify research challenges that must be
However, as our reliance on PBD technologies increases,
addressed by comprehensive solutions to data security and the security and privacy of data managed by PBD systems
privacy. become crucial. Damage and misuse of data affect not only
single individuals or organizations, but may have negative
Big Data; Internet of Things; Sensor Networks; Data impacts on entire social sectors and critical infrastructures.
Confidentiality; Data Trustworthiness; Application Security As data collection and processing are pervasive, such as in
sensor-based systems and recent fog computing systems [4],
I. INTRODUCTION data protection becomes much more complex compared
Data are today more critical and relevant than ever. with when data collection and processing were very much
Technological advances and novel applications, such as confined within organizations. Increasing numbers of
sensors, cyber-physical systems, smart mobile devices, attacks have been reported that aim at stealing data through
cloud systems, data analytics, social networks, Internet of sophisticated attacks, including insider attacks [5]. Data
Things (IoT), smart and connected healthcare, are making trustworthiness is another critical issue for several
possible to collect, store, and process huge amounts of data, applications, ranging from scientific research to industrial
referred to as big data, about everything from everywhere control systems [6]. Finally recent tensions between the use
and at any time [1]. However not only today we have of data for security tasks and data privacy have added yet
technology, such as cloud and high-performance computing another dimension to the problem of data security [7].
systems, for storing and processing huge data sets, we also The problem of data security is not a new problem;
have sophisticated data analytics capabilities that allow one research addressing this problem dates back from the early
to extract useful knowledge from data and predict trends and 70’s [8]. An early paper by Bertino and Sandhu [9] provides
events [2]. a short history of research efforts on data security focusing
Recent advances toward the widespread deployment of especially on access control techniques, such as
sensors, actuators, and embedded computing devices in the discretionary and mandatory access control techniques, as
physical environment and into physical objects – referred to these techniques represent a fundamental building block for
as Internet of Things (IoT) – will further multiply our ability data security. However early access control techniques were
to collect data and also act on the physical environment.
designed for data stored in corporate database systems and
Forecasts by McKinsey&Company estimate that the
therefore today we need to complement such early
economic impact of IoT technology by year 2025 will range
from 2.7 to 6.2 trillion dollars [3]. Gartner forecasts predict techniques with other techniques in order to provide full
spectrum data protection. Early research on statistical

0730-3157/16 $31.00 © 2016 IEEE 400

DOI 10.1109/COMPSAC.2016.89
databases [10, 11] pioneered initial data privacy techniques. different sources of data restrictions is by Ni et al. [12].
However such early approaches assumed data to be stored in Finally, it is important to mention that the integrity
controlled database systems only accessible through requirement has been generalized into the data
specialized interfaces supporting pre-defined statistical trustworthiness requirement. Data trustworthiness refers to
queries. Today, applications may need to access data at making sure not only that data are not modified by
record level – referred to as microdata access - and thus unauthorized subjects, but also that data are free from errors,
providing only access at aggregate level may be inadequate up to date, and originating from reputable sources. Assuring
for many data applications. data trustworthiness is thus a difficult problem which often
In this paper we continue the discussion on data security depends on the application domain [6]. Its solution requires
that we initiated more than 10 years ago [9], in order to combining different techniques, ranging from cryptographic
focus on recent relevant challenges and research directions. techniques, for digitally signing the data, and access control,
We first briefly discuss key security requirements. We then for checking that only authorized parties modify the data, to
focus on big data and identify key challenges in data data quality techniques, for automatically detecting and
privacy as today privacy represents a major concern given fixing data errors [13], provenance techniques [14], for
the widespread ubiquitous data collection by a large variety determining from which sources data originate, and
of organizations. We then focus on IoT which, if one side reputation techniques, for assessing the reputation of data
multiplies our abilities to collect and use data, on the other sources.
side greatly expands the data attack surface. We finally
outline a few concluding remarks. III. A CHARACTERIZATION OF BIG DATA
In order to discuss about privacy and security issues for
II. BASIC DATA SECURITY REQUIREMENTS big data management, it is crucial to better understand all
Our previous paper [9] had identified three basic data dimensions related to big data. In this respect four
security requirements: confidentiality, referring to data characteristics define big data [2]:
protection from unauthorized accesses; integrity, referring to • Volume – data sizes range from terabytes to
data protection from unauthorized modifications; and zettabytes (that is, 1021 bytes).
availability, referring to assuring that data be available to • Variety – data come in many different formats from
authorized users. These three requirements are still very structured data, organized according to some
critical today. However meeting those requirements is today structures like the data record, to unstructured data,
much more challenging because data attacks are more like images, sounds, and videos which are much
sophisticated and the data attack surface has expanded, due more difficult to search and analyze.
to increasing data collection activities from many different • Velocity – in many novel applications, like smart
sources and to data sharing. In addition to these three cities and smart planet, data continuously arrive at
requirements, privacy has emerged as a new critical possibly very high frequencies, resulting in
requirement. Very often data privacy is seen as the same continuous high-speed data streams. It is critical that
requirement as data confidentiality. There are however some the time required to act on these data be very small.
differences between the two requirements. Data privacy • Huge number of data sources – the real value of data
requires ensuring data confidentiality because if data are not sets is when these data sets are integrated and cross-
well protected against unauthorized accesses, privacy cannot correlated. Integration and cross-correlation among
be ensured. However privacy has additional issues deriving data sets from different sources allow one to uncover
from the need of taking into account requirements from information and trends that often cannot be
legal privacy regulations as well as individual privacy uncovered by looking at a data set in isolation. It is
preferences. For example, an individual may be fine with clear that such massive data integration can pose
sharing his/her own data for research purposes, whereas major privacy risks.
another individual may not be. Therefore, systems managing Our short characterization emphasizes that volume alone
privacy-sensitive data may have to collect and record the is perhaps the least difficult problem to address when
privacy preferences concerning the individuals to whom the dealing with big data privacy and security. The real
data refer to, referred to as data subjects. In other cases, challenge arises when we have big volumes of unstructured
privacy decisions about certain data must be taken by and structured data continuously arriving from a large
subjects other than the data subjects, as in the case of number of sources. Addressing such challenge requires a
minors. Also data subjects may change their privacy new generation of privacy-enhancing and security
preferences over time. Addressing privacy thus requires, techniques designed to ensure data privacy and security by
among other things, systems able to enforce not only the efficiently filtering and transforming large volumes of a
access control policies that an organization may have in wide variety of data.
place to govern accesses to the data, but also data subject
preferences and legal regulations. An example of an access
control system able to take into account all these three

401
 IV. BIG DATA CONFIDENTIALITY AND PRIVACY access control is required, manual administration on large
Many privacy enhancing techniques have been proposed data sets is not feasible. We need techniques by which
over the last fifteen years, ranging from cryptographic authorizations can be automatically granted, possibly
techniques, such as oblivious data structures [15] that hide based on the user digital identity, profile, and context, and
data access patterns, to data anonymization techniques that on the data contents and metadata. A first step towards the
transform the data to make more difficult to link specific development of machine learning techniques to support
data records to specific individuals [16]. The problem of automatic permission assignments to users is by Ni et al.
location privacy has also been the focus of extensive [29]. However more advanced approaches are needed to
research both in the past and presently [17, 18, 19]. More deal with dynamically changing contexts and situations.
recently, research efforts have been devoted to investigate ƒ Enforcing access control policies on heterogeneous multi-
privacy-preserving techniques for data on the cloud [20, 21], media data. Content-based access control is an important
on smart phones [22], and on social networks [23]. However type of access control by which authorizations are granted
it is important to note that most proposed privacy-enhancing or denied based on the content of data. Content-based
techniques only focus on privacy and do not address the key access control is critical when dealing with video
problem of reconciling data privacy with an effective use of surveillance applications which are important for security.
data, especially when the use is for security applications, Supporting content-based access control requires
including cyber security, homeland protection, health understanding the contents of the protected data and this is
security. The problem of how to reconcile privacy and very challenging when dealing with large multimedia data
security is today a major challenge [24]. However to date sets.
very few approaches have been proposed that are suitable ƒ Enforcing access control policies in big data stores. Some
for large scale datasets. An example of an initial approach of the recent big data systems allow their users to submit
along such direction is the scalable protocol for privacy- arbitrary jobs encoded in general programming languages.
preserving data matching by Cao et al. [25] which combines For example, in Hadoop, users can submit arbitrary
secure multiparty computation (SMC) techniques and MapReduce jobs written in Java. This creates significant
differential privacy [26] to address scalability issues. challenges in order to efficiently enforce fine grained
However, just addressing scalability is not sufficient for access control for different users. Although there is some
big data privacy. Comprehensive solutions for big data initial work [30] that tries to inject access control policies
privacy require addressing many other research challenges. into submitted jobs, more research is needed on how to
In what follows, we outline relevant research directions. efficiently enforce such policies in recently developed big
data stores, especially if access control policies are
Data Confidentiality: Data confidentiality is a critical
enforced though the use of fine-grained encryption.
requirement for data privacy. Several data confidentiality
techniques and mechanisms exist – the most notable being Data Privacy: a major issue arising from big data is that by
access control and encryption. Both have been widely correlating many (big) data sets one can extract
investigated. However with respect to access control unanticipated information. Relevant issues and research
systems for big data we need approaches for: directions that need to be investigated include:
ƒ Merging large numbers of access control policies. In ƒ Techniques to control what is extracted and to check that
many cases, big data entails integrating data sets data are used for the intended purpose. Content-based
originating from multiple sources; these data sets may be access control is one such technique in that it allows one
associated with their own access control policies, referred to return certain data to a given user based on the contents
to as “sticky policies”, and these policies must be enforced of the data [31]. Content-based access control is typically
even when a data set is integrated with other data sets. supported in DBMS through the use of view mechanisms
Therefore policies need to be integrated and conflicts [32] or query modifications. Supporting content-based
solved possibly by using some automated or semi- access control stored by systems other than DBMS is
automated policy integration system [27]. Policy much more difficult because of the difficulty of
integration and conflict resolution are, however, much characterizing the conditions that the data contents must
more complex when dealing with privacy-aware access verify in order to be returned to a user. In relational
control models, such as PRBAC [28], as these models DBMS such conditions are easily expressed as SQL
allow one to specify policies that include the purpose for queries. Research is needed to design techniques able to
which the access to a protected data item is allowed, support content-based access control for a variety of data
obligations arising from the use of data, and special management systems. Another more difficult question to
privacy-related conditions that must be meet in order to address is how to verify that data, returned to a user, are
access the data. Automatically integrating such type of used for the intended purpose. An initial pioneering
policies and solving conflicts is a major challenge. approach was proposed that associates with each data item
ƒ Automatically administering authorizations for big data a set of possible purposes, from an ontology of purposes,
and in particular for granting permissions. If fine-grained for which the data can be used [33]. When a user accesses

402
 some data items, the user indicates in the access request acquiring data when in certain locations [22] or notify
the purpose(s) for which the data items are being accessed. a user that recording devices are around. We also
The query purposes are then matched against the purposes need techniques by which each recorded subject may
associated with the data items to verify that the query be able to express his/her preferences about the use of
purposes comply with the intended use associated with the the data.
requested data items. Such an approach needs to be ¾ Data sharing. Users need to be informed about data
complemented with techniques for automatically and sharing/transfer to other parties. Always informing
securely identifying the data access purposes, instead of users is, however, not always possible as sometimes
relying on indications given by users as part of their information about data transfer and use is confidential
access requests. to the organization’s missions. It is thus critical to
ƒ Support for both personal privacy and population privacy. devise legal guidelines on such issue based on which
In the case of population privacy, it is important to technical mechanisms can be designed.
understand what is extracted from the data as this may
lead to discrimination. Also when dealing with security V. IOT RISKS
with privacy, it is important to understand the tradeoff of IoT represents an important emerging trend that
personal privacy and collective security. according to various forecasts (see [3] for one such forecast)
ƒ Usability of data privacy policies. Policies must be easily will have a major economic impact. However, as discussed
understood by users. We need tools for the average users in [34], while on one side, IoT will make many novel
and we need to understand user expectations in terms of applications possible; on the other side IoT increases the
privacy. risks of cyber security attacks to data. In addition, because
ƒ Privacy implications on data quality. Recent studies have of its fine-grained, continuous, and pervasive capabilities for
shown that people lie especially in social networks data acquisition and control/actuation capabilities, IoT raises
because they are not sure that their privacy is preserved. concerns about privacy and safety. A study by HP about the
This results in a decrease in data quality that then affects most popular devices in some of the most common IoT
decisions and strategies based on these data. application domains show a high average number of
ƒ Risk models. Different types of relationship of risks with vulnerabilities per device [35]. On average, 25
big data can be identified: (a) big data can increase vulnerabilities were found per device. For example, 80% of
privacy risks; (b) big data can reduce risks in many devices failed to require passwords of sufficient complexity
domains (e.g. national security). The development of and length, 70% did not encrypt local and remote traffic
models for these two types of risk is critical in order to communications, and 60% contained vulnerable user
identify suitable tradeoff and privacy-enhancing interfaces and/or vulnerable firmware [35].
techniques to be used. IoT systems are at high risks for several reasons [34].
ƒ Data ownership. The question about who is the owner of a They do not have well defined perimeters, are highly
piece of data is often a difficult question. It is perhaps dynamic, and continuously change because of mobility. IoT
better to replace this concept with the concept of systems are also highly heterogeneous with respect to
stakeholder. Multiple stakeholders can be associated with communication medium and protocols, platforms, and
each data item. The concept of stakeholder ties well with devices. IoT systems may also include “objects” not
risks. Each stakeholder would have different (possibly designed to be connected to the Internet. Finally, IoT
conflicting) objectives and this can be modeled according systems, or portions of them, may be physically unprotected
to multi-objective optimization. In some cases, a and/or controlled by different parties. Attacks, against which
stakeholder may not be aware of the others. For example a there are established defense techniques in the context of
user to whom a data item pertains (and thus a stakeholder conventional information systems and mobile environments,
for the data item) may not be aware that a law are thus much more difficult to protect against in the IoT.
enforcement agency is using this data item. Technological The OWASP Internet of Things Project [36] has shown that
solutions need to be investigated to eliminate conflicts. many IoT vulnerabilities arise because of the lack of
ƒ Data lifecycle framework. A comprehensive approach to adoption of well-known security techniques, such as
privacy for big data needs to be based on a systematic data encryption, authentication, access control, and role-based
lifecycle approach. Phases in the lifecycle need to be access control. Lack of security techniques adoption may
identified and their privacy requirements and implications certainly be due to security unawareness by IT companies
need to be identified. Relevant phases include: involved in the IoT space and by end-users or to cost
¾ Data acquisition. We need mechanisms and tools to reasons. However another reason is that existing security
prevent devices from acquiring data about other techniques, tools, and products may not be easily deployed
individuals when devices like Google glasses are to IoT devices and systems, for reasons such as the variety
used. For example we need mechanisms able to of hardware platforms and limited computing resources of
automatically prevent devices from recording/ many types of IoT devices.

403
 Data privacy is particularly critical in the context of IoT. Therefore it is crucial that authentication operations both at
As medical and well-being devices are increasingly been the sender and the receivers have minimal overhead. To
adopted by users, and personalized medicine and health care address such requirement, the implementation of the
applications are being designed and deployed that rely on authentication operations takes advantage of the GPU
continuous fine-grained data acquisition from these devices, usually present in systems-on-chips today used in vehicles.
the human body is becoming a rich source of information. Finally another interesting project focuses on encryption
Such information is typically collected from devices and protocols for networks consisting of small sensors and
then uploaded to some cloud and/or transmitted to other drones. In such networks, sensors are on the ground and
devices, such as mobile phones, which in turn may forward acquire data of interest from the environment and drones fly
the information to other parties. The collected information is over the sensors to collect and aggregate data from sensors
typically very rich and often includes meta-data, such as [40]. The main issue here is to save energy and to make sure
location, time, and context, thus making possible to easily that drones do not have to wait too long for sensors to start
infer personal habits, behaviors, and preferences of generating encryption keys. To address such requirement,
individuals. It is thus clear that on one side such information the approach is to use low power listening (LPL) techniques
has to be carefully protected by all parties involved in its [41] at the sensors and dual radio channels at the drones. In
acquisition, management, and use, but also that users should this way, the sensors can timely start generating the
be provided with suitable, easy to use tools for protecting cryptographic keys when drones approach.
their privacy and support anonymity depending on specific Results from those projects show that a careful
contexts [22]. engineering of cryptographic protocols is critical to the
effective deployment of cryptographic protocols in IoT. In
VI. IOT DATA SECURITY – INITIAL EFFORTS particular, it is critical to analyze in details the protocols in
Addressing IoT data security requires extending or re- order to determine the expensive operations so to replace or
engineering existing security solutions as well as to develop optimize them, and to understand how to take advantage of
new solutions to fit the specific requirements of IoT. Such specific hardware features of the devices in order to enhance
solutions must ensure protection while data are transmitted the implementation of the different steps of the protocols.
and processed at the devices. In addition, in many cases, Application Security. Protecting applications is crucial
data availability is critical and therefore solutions for data security as attacks to steal data often use application
minimizing data losses must be devised. In what follows, vulnerabilities as stepping stones. It is important to notice
we survey some projects that cover different aspects of data that even though today we have several techniques for
security solutions and report experience from these projects. program analysis and hardening, such techniques need
Cryptographic Protocols. The area of encryption substantial extensions to fit IoT devices.
techniques is an active and important research area. A first example is represented by techniques to protect
However, just devising new encryption techniques is not programs against code injection attacks and code reuse
sufficient to secure data. As pointed out by Schneier [37], attacks [42]. Both those attacks aim at modifying the
strong security can be achieved only if cryptographic execution flow of applications in order to, for example,
protocols are implemented and deployed correctly. The modify data acquired from the external environment [43].
limitation of device computing resources and the differences An approach to protect against those attacks is to instrument
in such resources across different devices make performance the application binary code by inserting a static check
an additional critical challenge. Also, when dealing with statement before any instruction that modifies the program
very large IoT systems, efficient encryption key counter. Such check verifies that the target’s address, to
management is critical. Recently an efficient certificate-less which the program execution has to move, is the correct
signencryption protocol, that is, a protocol not requiring key address, that is, that the next instruction to be executed is the
certificates and supporting both message encryption and expected one and not an instruction to which the attacker is
authentication, has been proposed and compared with other trying to redirect the execution. Such technique has been
protocols on different devices, including Raspberry Pi2, and shown to be quite efficient as the run-time overhead
Android [38]. As this protocol does not use expensive introduced by these additional checks ranges between
pairing operations, it is highly efficient compared to other 0.51% and 12.22% based on the benchmarked applications
similar protocols. [42]. However the application of this technique requires
Another interesting project is related to techniques and identifying for each platform the critical instructions, that is,
protocols for efficient authentication operations for the instructions that can modify the program counter. These
networked vehicles [39]. The main requirement is that instructions are different for different platforms; such
multiple concurrent authentication operations have to be variations thus require devising specific instrumentation
supported with real-time response time. Response time is techniques for specific platforms.
critical in that, if a vehicle has to stop suddenly, information Another approach to application security focuses on
about this event has to reach the other vehicles in a very protecting against memory vulnerabilities [44] for
short time so that these vehicles have enough time to break. applications written in variant of the C language specific for

404
TinyOS applications. Such an approach statically analyzes with costs and energy consumption [48]. Finally privacy
an application to identify memory vulnerabilities. As in introduces new challenges, including how to prevent
some cases it is not possible to statically determine if a personal devices from acquiring and/or transmitting
certain piece of code will lead to a vulnerability at run-time, information concerning the user location and other context
the approach adds some code to check at run-time whether a information.
vulnerability occurs. Also in this project, the main issue is to
minimize the run-time overhead as this is critical for devices VIII. CONCLUSIONS
with limited capabilities. This paper has discussed research directions in big data
Both those projects show that significant work is confidentiality and privacy, and IoT data security. Another
required to modify existing application program security relevant research area which has been the focus of intense
techniques for use in IoT systems. research in the past ten years is the area of data security and
Network Security. Security techniques at network level privacy on the cloud. This area has seen significant research
are critical in order to minimize data losses. Such in different directions, such as for example approaches to
minimization is crucial for many applications, such as support privacy-preserving fine-grained attribute-based
monitoring applications and control systems. In order to access control on the cloud [49, 50], and provable possession
minimize data losses, it is critical to be able to quickly of data on the cloud [51]. Also the area of data privacy in
social networks has received significant focus. One of the
diagnose the cause of data packet losses so to quickly repair
key issues emerging from such research is that in social
the network. A recent project [45] has addressed this
networks collaborative approaches are needed for access
requirement by developing a fine-grained analysis (FGA) control [52, 53]. The reason is that in social networks, a
tool that investigates packet losses and reports their most given piece of data, such as a picture, may refer to multiple
likely cause. Such FGA tool is based on profiling the social network users, and it is thus crucial that all such users
wireless links between the nodes as well as their be able to express their privacy preferences when sharing the
neighborhood, by leveraging resident parameters, such as piece of information.
RSSI and LQI, available within every received packet. By In addition, to the research directions mentioned so far in
using those profiles, the FGA tool is able to determine the paper, there are two other additional research directions
whether the cause of a packet loss is a link that has been that we would like to emphasize:
jammed or a sensor that has been compromised. In the • Data protection from insider threat - protection against
former case, the FGA tool is able to quite reliably detect the insider threat requires combining many different
source of interference. The design of the system is fully techniques, including context-based access control,
distributed and event-driven, and its low overhead makes it anomaly detection in data access and use [54], and user
suitable for resource-constrained entities such as wireless behavior monitoring. User behavior monitoring however
motes. may entail privacy issues and therefore it requires a
This project is however just an initial approach. careful trade-off between security risks and individual
Research is needed to develop more advanced FGA tools privacy.
able to deal with mobile systems and heterogeneous • Privacy-aware software engineering – engineering
communication technologies which may require using software to provide strong privacy assurance requires,
different profiling parameters. among other things, to identify the code portions that
deal with sensitive data, the ability of applications to
VII. IOT DATA SECURITY – RESEARCH DIRECTIONS work on anonymized data and to deal with lack of
permissions depending on specific spatial and temporal
Securing IoT data requires, however, the use of other contexts; also as forensic tools are today able to recover
techniques [34], in addition to the techniques discussed in memory contents after applications complete their
the previous sections. Data confidentiality requires access execution, it is critical that applications scrub memory to
control to govern access to the data by taking into account permanently delete sensitive data. Finally tools are
information on data provenance and metadata concerning needed able to create profiles of expected usage of
the data acquisition context, such as location and time. privacy-sensitive data by application programs and use
Therefore early work on temporal [46] and location [47] these profiles at run-time to detect anomalies in the data
based access control is today very relevant. Data use by the applications [55].
trustworthiness is particularly challenging in an IoT context As final remark we would like to mention that
as data acquired and transmitted by IoT devices may be of addressing the today and tomorrow challenges in data
poor quality. Reasons for poor quality include bad device security and privacy require multidisciplinary research
calibration, device errors, and deliberate data deception drawing from many different areas, including computer
attacks. Solutions like data fusion need to be revised and science and engineering, information systems, statistics, risk
extended to deal with dynamic environments and large-scale models, economics, social sciences, political sciences,
numbers of heterogeneous data sources. Understanding how human factors, psychology. We believe that all these
to deploy and configure security tools for IoT is also very perspectives are needed to achieve effective solutions to the
challenging as one has to optimally trade-off security risks problem of privacy in the era of big data and pervasive data

405
acquisition and use, and especially, to the problem of [14] S. Sultana, E.Bertino: A Distributed System for The Management of
Fine-grained Provenance. J. Database Manag. 26(2): 32-47 (2015)
reconciling security with privacy.
[15] H. X. Wang, K. Nayak, C. Liu, E. Shi, E. Stefanov, Y. Huang,
“Oblivious Data Structures”, IACR Cryptology ePrint Archive 2014:
ACKNOWLEDGMENTS 185.
The work reported in this paper has been partially funded by [16] J.-W. Byun, A. Kamra, E. Bertino, N. Li, “Efficiently k-
Anonymization Using Clustering Techniques”, Proceedings of the
the Purdue Cyber Center and the National Science 12th International Conference on Database Systems for Advanced
Foundation under grants CNS-1111512 and ACI-1547358. Applications (DASFAA 2007), Bangkok, Thailand, April 9-12, 2007.
The contents of Section 3 are partially based on the results LNCS, Springer.
of the privacy session (chaired by the author of the present [17] G. Ghinita, P. Kalnis, A. Khoshgozaran, C. Shahabi, K.-L. Tan,
paper) organized as part of the NSF Big Data Security and “Private queries in location based services: anonymizers are not
necessary”, Proceedings of the ACM SIGMOD International
Privacy Workshop, September 16-17, 2014, Conference on Management of Data, SIGMOD 2008, Vancouver,
http://csi.utdallas.edu/events/NSF/NSF%20workshop%2020 BC, Canada, June 10-12, 2008.
14.htm. I would like to thank the workshop Chair, Professor [18] R. Paulet, Md. G. Kaosar, X. Yi, E. Bertino, “Privacy-Preserving and
Bhavani Thuraisingham, the chair of the workshop security Content-Protecting Location Based Queries”, IEEE Trans. Knowl.
session, Professor Murat Kantarcioglu, and the workshop Data Eng. 26(5): 1200-1210, 2014.
participants for the discussions during the workshop which [19] M. L. Damiani, E. Bertino, C. Silvestri, “The PROBE Framework for
the Personalized Cloaking of Private Locations”, Transactions on
lead to an initial draft agenda for privacy research for big
Data Privacy 3(2): 123-148, 2010.
data.
[20] M. Nabeel, E. Bertino, “Privacy Preserving Delegated Access Control
in Public Clouds”, IEEE Trans. Knowl. Data Eng. 26(9): 2268-2280,
REFERENCES 2014.
[1] “Data, data everywhere”, The Economist, 25 February 2010, [21] S.-H. Seo, M. Nabeel, X. Ding, E. Bertino, “An Efficient
available at http://www.economist.com/node/15557443 (Downladed Certificateless Encryption for Secure Data Sharing in Public Clouds”,
on April 30, 2012). IEEE Trans. Knowl. Data Eng. 26(9): 2107-2119, 2014.
[2] E. Bertino, “Big Data – Opportunities and Challenges”, Panel [22] B. Shebaro, O. Oluwatimi, D. Midi, E. Bertino, “IdentiDroid:
Position Paper, Proceedings of the 37th Annual IEEE Computer Android can finally Wear its Anonymous Suit”, Transactions on Data
Software and Applications Conference, COMPSAC 2013, Kyoto, Privacy 7(1): 27-50, 2014.
Japan, July 22-26, 2013.
[23] B. Carminati, E. Ferrari, M. Viviani, Security and Trust in Online
[3] J. Manyika, M. Chui, J. Bughin, R. Dobbs, P. Bisson, and A. Marrs. Social Networks. Morgan&Claypool, 2013.
Disruptive technologies: Advances that will transform life, business,
and the global economy. http://www.mckinsey.com/insights/business [24] E. Bertino, “E. Bertino, “Security with Privacy – Opportunities and
technology/disruptive_technologies, May 2013. Challenges”, Panel Position Paper, Proceedings of the 38th Annual
IEEE Computer Software and Applications Conference, COMPSAC
[4] E. Bertino, S. Nepal, R. Ranjan, “Building Sensor-Based Big Data 2014, Vasteras, Sweden, July 21-25, 2014.
Cyberinfrastructures”, IEEE Cloud Computing 2(5): 64-69 (2015).
[25] J. Cao, F.-Y. Rao, E. Bertino, M. Kantarcioglu, “A Hybrid Private
[5] E. Bertino. Data Protection from Insider Threats. Synthesis Lectures on
Record Linkage Scheme: Separating Differentially Private Synopses
Data Management, Morgan & Claypool Publishers 2012
from Matching Records”, Proceedings of the 31st International
[6] Elisa Bertino, “Data Trustworthiness - Approaches and Research Conference on Data Engineering (ICDE), Seoul (Korea), April 13-17,
Challenges”, Data Privacy Management, Autonomous Spontaneous 2015.
Security, and Security Assurance - 9th International Workshop, DPM
[26] C.Dwork, A. Roth, “The Algorithmic Foundations of Differential
2014, 7th International Workshop, SETOP 2014, and 3rd
International Workshop, QASA 2014, Wroclaw, Poland, September Privacy”, Foundations and Trends in Theoretical Computer Science
10-11, 2014. Revised Selected Papers. 9(3-4): 211-407, 2014.
[7] Elisa Bertino, “Big Data - Security and Privacy”, Proceedings of the [27] D. Lin, P. Rao, E. Bertino, N. Li, J. Lobo, “EXAM: a Comprehensive
2015 IEEE International Congress on Big Data, New York City, NY, Environment for the Analysis of Access Control Policies”,
USA, June 27 - July 2, 2015. International Journal of Information Security (IJIS), Vol.9, No.4,
pp.253-273, August 2010.
[8] D. E. Denning, P. J. Denning. “Data Security”, ACM Comput. Surv.
11(3): 227-249 (1979). [28] Q. Ni, E.Bertino, J. Lobo, C. Brodie, C.M.Karat, J. Karat, A.
Trombetta, “Privacy-Aware Role-Based Access Control”, ACM
[9] E. Bertino, R. Sandhu, “Database Security – Concepts, Approaches,
Transactions on Information and System Security, Vol.13, No.3,
and Challenges”, IEEE Trans. Dependable Sec. Comput. 2(1):2-19
Article 24, July 2010.
(2005).
[29] Q. Ni, J. Lobo, S. B. Calo, P. Rohatgi, E. Bertino, “Automating role-
[10] M. D. Schwartz, D. E. Denning, P. J. Denning, “Linear Queries in
based provisioning by learning from examples”, Proceedings of the
Statistical Databases” ACM Trans. Database Syst. 4(2): 156-167
(1979). 14th ACM Symposium on Access Control Models and Technologies,
SACMAT 2009, Stresa, Italy, June 3-5, 2009.
[11] D. E. Denning, P. J. Denning, M D. Schwartz. “The Tracker: A
Threat to Statistical Database Security”, ACM Trans. Database Syst. [30] H. Ulusoy et al. “Vigiles: Fine-Grained Access Control for
4(1): 76-96 (1979). MapReduce Systems”, Proceedings of the 2014 IEEE International
Congress on Big Data, Anchorage, AK, USA, June 27 - July 2, 2014.
[12] Q. Ni, S. Xu, E. Bertino, R. S. Sandhu, W. Han, “An Access Control
Language for a General Provenance Model”, Secure Data [31] E. Bertino, G. Ghinita, A. Kamra, “Access Control for Databases:
Management, Proceedings of the 6th VLDB Workshop, SDM 2009, Concepts and Systems”, Foundations and Trends in Databases, 3(1-
Lyon, France, August 28, 2009. 2): 1-148, 2011.
[13] C. Batini, M. Scannapieco. Data and Information Qaulity – [32] E. Bertino, L.M.Haas, “Views and Security in Distributed Database
Dimensions, Principles and Techniques. Springer, 2016. Management Systems”, Proceedings of the International Conference

406
 on Extending Database Technology (EDBT’88), Venice, Italy, March [45] D. Midi, E. Bertino, “Node or Link? Fine-Grained Analysis of Packet
14-18, 1988, Springer 1988 Lecture Notes in Computer Science. Loss Attacks in Wireless Sensor Networks”, ACM Transactions on
[33] J.W. Byun, E. Bertino, N. Li, “Purpose based access control of Sensor Networks, accepted for publication, in print, 2016.
complex data for privacy protection”, Proceedings of the 10th ACM [46] E. Bertino, P. Bonatti, E. Ferrari, “TRBAC: A temporal role-based
Symposium on Access Control Models and Technologies, SACMAT access control model”, ACM Trans. Inf. Syst. Secur. 4(3): 191-233
2005, Stockholm, Sweden, June 1-3, 2005. (2001).
[34] E. Bertino, “Data Security and Privacy in the IoT”, Keynote [47] M. L. Damiani, E. Bertino, B. Catania, P. Perlasca, “GEO-RBAC: A
Abastract, Proceedings of Proceedings of the 19th International spatially aware RBAC”, ACM Trans. Inf. Syst. Secur. 10(1) (2007).
Conference on Extending Database Technology, EDBT 2016, [48] N. Rullo, D. Midi, E. Serra, E. Bertino, “Strategic Security Resource
Bordeaux, France, March 15-16, 2016, Bordeaux, France, March 15- Allocation”, Poster Paper, Proceedings of the 36th IEEE International
16, 2016. Conference on Distributed Computing Systems, ICDCS 2016, Nara,
[35] K. Rawlinson. HP study reveals 70 percent of internet of things Japan, June 27 – June 30, 2016.
devices vulnerable to attack. http://www8.hp.com/us/en/hp-news/ [49] M. Nabeel, N. Shang, E. Bertino, “Privacy Preserving Policy-Based
[36] https://www.owasp.org/index.php/OWASP_Internet_of_Things_Proj Content Sharing in Public Clouds”, IEEE Trans. Knowl. Data Eng.
ect 25(11): 2602-2614 (2013).
[37] B. Schneier, “Cryptography is Harder than It Looks”, Computing [50] M. I. Sarfraz, M. Nabeel, J. Cao, E. Bertino, “DBMask: Fine-Grained
Edge, March 2016. Access Control on Encrypted Relational Databases”, Proceedings of
the 5th ACM Conference on Data and Application Security and
[38] S.-H. Seo, J. Won, E. Bertino, “pCLSC-TKEM: a Pairing-free
Privacy, CODASPY 2015, San Antonio, TX, USA, March 2-4, 2015.
Certificateless Signcryption-tag Key Encapsulation Mechanism for a
Privacy-Preserving IoT”, submitted for publication to Transactions on [51] G. Ateniese, M. T. Goodrich, V. Lekakis, C. Papamanthou, E.
Data Privacy. Paraskevas, R. Tamassia, “Accountable Storage.”, IACR Cryptology
ePrint Archive 2014: 886 (2014).
[39] A. A. Mudgerikar, A. Singla, I. Papapanagiotou, A.A. Yavuz, “HAA:
Hardware-Accelerated Authentication for Internet of Things in [52] A. C. Squicciarini, M. Shehab, F. Paci, “Collective privacy
Mission Critical Vehicular Networks”, Proceedings of the 34th management in social networks”, Proceedings of the 18th
International Conference for Military Communications (IEEE International Conference on World Wide Web, WWW 2009, Madrid,
MILCOM 2015), October 2015. Spain, April 20-24, 2009.
[40] J. Won , S.-H. Seo, E. Bertino, “A Secure Communication Protocol [53] A. C. Squicciarini, F. Paci, S. Sundareswaran, “PriMa: an effective
for Drones and Smart Objects”, Proceedings of the 10th ACM privacy protection mechanism for social networks”, Proceedings of
Symposium on Information, Computer and Communications the 5th ACM Symposium on Information, Computer and
Security, ASIA CCS '15, Singapore, April 14-17, 2015. Communications Security, ASIACCS 2010, Beijing, China, April 13-
16, 2010.
[41] http://www.tinyos.net/tinyos-2.x/doc/html/tep105.html
[54] A. Sallam, E. Bertino, S.R. Hussain, D. Landers, R. M. Lefler, D.
[42] J. Habibi, A. Panicker, A. Gupta, E. Bertino, “DisARM: Mitigating
Steiner, “DBSAFE – An Anomaly Detection System to Protecte
Buffer Overflow Attacks on Embedded Devices”, Proceedings of the
Databases from Exfiltration Attempts”, accepted for publication in
9th International Conference on Network and System Security, NSS
IEEE Systems Journal, 2016, in print.
2015, New York, NY, USA, November 3-5, 2015.
S. R. Hussain, A. Sallam, E. Bertino, “DetAnom: Detecting Anomalous
[43] J. Habibi, A. Gupta, S. Carlsony, A. Panicker, E. Bertino, “MAVR:
Database Transactions by Insiders”, Proceedings of the 5th ACM
Code Reuse Stealthy Attacks and Mitigation on Unmanned Aerial
Conference on Data and Application Security and Privacy,
Vehicles”, Proceedings of the 35th IEEE International Conference on
CODASPY 2015, San Antonio, TX, USA, March 2-4, 2015.
Distributed Computing Systems, ICDCS 2015, Columbus, OH, USA,
June 29 - July 2, 2015.
[44] D. Midi. T. Payer, E. Bertino, “nesCheck: Memory Safety for
Embedded Devices”, submitted for publication, 2016.

407