A Data Location Control Model for Cloud Service Deployments

  • Kaniz FatemaEmail author
  • Philip D. Healy
  • Vincent C. Emeakaroha
  • John P. Morrison
  • Theo Lynn
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 512)


A data location control model for Cloud services is presented. The model is intended for use by Cloud SaaS providers that collect personal data that can potentially be stored and processed at multiple geographic locations. It incorporates users’ location preferences into authorization decisions by converting them into XACML policies that are consulted before data transfer operations. The model also ensures that the users have visibility into the location of their data and are informed when the location of their data changes. A prototype of the model has been implemented and was used to perform validation tests in various Cloud setups. These scenarios serve to demonstrate how location control can be integrated on top of existing public and private Cloud platforms. A sketch is also provided of an architecture that embeds location control functionality directly into the OpenStack Cloud platform. We further propose an enhancement to the model that alters its behaviour from being restrictive to prescriptive so that Cloud providers can copy data to a non-preferred locations in case of emergency. Under this approach, the number of authorized vs unauthorized transfers can be made publicly available by the provider as an assurance measure for consumers.


Authorization system Access control Data location XACML Cloud computing 



The research work described in this paper was supported by the Irish Centre for Cloud Computing and Commerce, an Irish national Technology Centre funded by Enterprise Ireland and the Irish Industrial Development Authority.


  1. 1.
    Albeshri, A., Boyd, C., Nieto, J.G.: Geoproof: proofs of geographic location for cloud computing environment. In: 2012 32nd International Conference on Distributed Computing Systems Workshops (ICDCSW), pp. 506–514 (2012)Google Scholar
  2. 2.
    Almutairi, A., Sarfraz, M., Basalamah, S., Aref, W., Ghafoor, A.: A distributed access control architecture for cloud computing. IEEE Softw. 29(2), 36–44 (2012)CrossRefGoogle Scholar
  3. 3.
    Ashley, P., Hada, S., Karjoth, G., Powers, C., Schunter, M.: Enterprise privacy authorization language (EPAL 1.2). Submission to W3C (2003)Google Scholar
  4. 4.
    Basescu, C., Carpen-Amarie, A., Leordeanu, C., Costan, A., Antoniu, G.: Managing data access on clouds: a generic framework for enforcing security policies. In: 2011 IEEE International Conference on Advanced Information Networking and Applications (AINA), pp. 459–466 (2011)Google Scholar
  5. 5.
    Chadwick, D., Zhao, G., Otenko, S., Laborde, R., Linying, S., Nguyen, T.A.: PERMIS: a modular authorization infrastructure. Concurrency Comput. Pract. Experience 20(11), 1341–1357 (2008)CrossRefGoogle Scholar
  6. 6.
    Chadwick, D.W., Fatema, K.: A privacy preserving authorisation system for the cloud. J. Comput. Syst. Sci. 78(5), 1359–1373 (2012)CrossRefGoogle Scholar
  7. 7.
    Chen, D., Zhao, H.: Data security and privacy protection issues in cloud computing. In: 2012 International Conference on Computer Science and Electronics Engineering (ICCSEE), vol. 1, pp. 647–651. IEEE (2012)Google Scholar
  8. 8.
    Cranor, L.F.: P3P: making privacy policies more useful. IEEE Secur. Priv. 1(6), 50–55 (2003)CrossRefGoogle Scholar
  9. 9.
    De Capitani di Vimercati, S., Samarati, P., Jajodia, S.: Policies, models, and languages for access control. In: Bhalla, S. (ed.) DNIS 2005. LNCS, vol. 3433, pp. 225–237. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  10. 10.
    Fatema, K., Chadwick, D.W., Lievens, S.: A multi-privacy policy enforcement system. In: Fischer-Hübner, S., Duquenoy, P., Hansen, M., Leenes, R., Zhang, G. (eds.) Privacy and Identity Management for Life. IFIP AICT, vol. 352, pp. 297–310. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  11. 11.
    Fatema, K., Healy, P., Emeakaroha, V.C., Morrison, J.P., Lynn, T.: A user data location control model for cloud services. In: International Conference on Cloud Computing and Services Science, CLOSER 2014 (2014)Google Scholar
  12. 12.
    Godik, S., Anderson, A., Parducci, B., Humenn, P., Vajjhala, S.: Oasis extensible access control 2 markup language (XACML) 3. Technical report OASIS (2002)Google Scholar
  13. 13.
    Gondree, M., Peterson, Z.N.J.: Geolocation of data in the cloud. In: Proceedings of the Third ACM Conference on Data and Application Security and Privacy, pp. 25–36. ACM (2013)Google Scholar
  14. 14.
    Iskander, M.K., Wilkinson, D.W., Lee, A.J., Chrysanthis, P.K.: Enforcing policy and data consistency of cloud transactions. In: 2011 31st International Conference on Distributed Computing Systems Workshops (ICDCSW), pp. 253–262. IEEE (2011)Google Scholar
  15. 15.
    ISO. Information technology - open systems interconnection - security frameworks for open systems: Access control framework (1996)Google Scholar
  16. 16.
    Jackson, K.: OpenStack Cloud Computing Cookbook. Packt, Birmingham (2012) Google Scholar
  17. 17.
    Lynn, T., Healy, P., McClatchey, R., Morrison, J., Pahl, C., Lee, B.: The case for cloud service trustmarks and assurance-as-a-service. In: International Conference on Cloud Computing and Services Science CLOSER 2013 (2013)Google Scholar
  18. 18.
    Massonet, P., Naqvi, S., Ponsard, C., Latanicki, J., Rochwerger, B., Villari, M.: A monitoring and audit logging architecture for data location compliance in federated cloud infrastructures. In: 2011 IEEE International Symposium on Parallel and Distributed Processing Workshops and Ph.D. Forum (IPDPSW), pp. 1510–1517 (2011)Google Scholar
  19. 19.
    Mohan, A., Blough, D.M.: An attribute-based authorization policy framework with dynamic conflict resolution. In: Proceedings of the 9th Symposium on Identity and Trust on the Internet, pp. 37–50. ACM (2010)Google Scholar
  20. 20.
    Noman, A., Adams, C.: DLAS: data location assurance service for cloud computing environments. In: 2012 Tenth Annual International Conference on Privacy, Security and Trust (PST), pp. 225–228. IEEE (2012)Google Scholar
  21. 21.
    Ries, T., Fusenig, V., Vilbois, C., Engel, T.: Verification of data location in cloud networking. In: 2011 Fourth IEEE International Conference on Utility and Cloud Computing (UCC), pp. 439–444. IEEE (2011)Google Scholar
  22. 22.
    Spillner, J., Schill, A.: Flexible data distribution policy language and gateway architecture. In: 2012 IEEE Latin America Conference on Cloud Computing and Communications (LATINCLOUD), pp. 1–6. IEEE (2012)Google Scholar
  23. 23.
    Subashini, S., Kavitha, V.: A survey on security issues in service delivery models of cloud computing. J. Netw. Comput. Appl. 34(1), 1–11 (2011)CrossRefGoogle Scholar
  24. 24.
    Turkmen, F., Crispo, B.: Performance evaluation of XACML PDP implementations. In: Proceedings of the 2008 ACM workshop on Secure web services, pp. 37–44. ACM (2008)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Kaniz Fatema
    • 1
    Email author
  • Philip D. Healy
    • 1
  • Vincent C. Emeakaroha
    • 1
  • John P. Morrison
    • 1
  • Theo Lynn
    • 2
  1. 1.Irish Centre for Cloud Computing and CommerceUniversity College CorkCorkIreland
  2. 2.Irish Centre for Cloud Computing and CommerceDublin City UniversityDublinIreland

Personalised recommendations