Regulatory Compliance Checking Over Encrypted Audit Logs

Feb 04, 2015

Download: MP4 Video Size: 149.6MB  
Watch on YouTube

Abstract

Individuals have the privacy expectation that organizations (e.g., bank, hospital) that collect personal information from them will not share these personal information with mischievous parties. To prevent unauthorized disclosure of personal information by organizations, US federal government has put forward privacy legislation like HIPAA and GLBA. Violation of these privacy regulations can bring down heavy financial penalties for the organization. To maintain compliance with all the relevant privacy regulations, organizations collect day-to-day privacy events in an audit log which is periodically checked for compliance.

The audit logs capturing the privacy sensitive events tend to be large and due to the cost-effectiveness of cloud infrastructures, outsourcing the audit log storage to a third party cloud service provider is now a viable option for organizations. As the audit logs can possibly contain customers' sensitive personal information, protecting confidentiality of the audit log data from the cloud service provider and other malicious parties should be a major objective for the organization. One possibility is to encrypt the audit logs before uploading it in the cloud storage. However, encrypting the audit log with any semantically secure encryption scheme might prohibit the organization from automatically check compliance of the audit log. Theoretical solutions like fully homomorphic encryption is not practically viable in this scenario. In this talk, I will present two very simple audit log encryption schemes that reveal enough information so that the organization can run an automatic compliance checking algorithm
over the encrypted log. With empirical evaluation we demonstrate that, our enhanced compliance checking algorithm incurs low to moderate overheads for our cryptographic schemes, relative to a baseline without encryption.