Regulatory Compliance Checking Over Encrypted Audit Logs
Omar Chowdhury - Purdue University
Feb 04, 2015Size: 149.6MB
Download: MP4 Video
Watch in your Browser Watch on YouTube
AbstractIndividuals have the privacy expectation that organizations (e.g., bank, hospital) that collect personal information from them will not share these personal information with mischievous parties. To prevent unauthorized disclosure of personal information by organizations, US federal government has put forward privacy legislation like HIPAA and GLBA. Violation of these privacy regulations can bring down heavy financial penalties for the organization. To maintain compliance with all the relevant privacy regulations, organizations collect day-to-day privacy events in an audit log which is periodically checked for compliance.
The audit logs capturing the privacy sensitive events tend to be large and due to the cost-effectiveness of cloud infrastructures, outsourcing the audit log storage to a third party cloud service provider is now a viable option for organizations. As the audit logs can possibly contain customers' sensitive personal information, protecting confidentiality of the audit log data from the cloud service provider and other malicious parties should be a major objective for the organization. One possibility is to encrypt the audit logs before uploading it in the cloud storage. However, encrypting the audit log with any semantically secure encryption scheme might prohibit the organization from automatically check compliance of the audit log. Theoretical solutions like fully homomorphic encryption is not practically viable in this scenario. In this talk, I will present two very simple audit log encryption schemes that reveal enough information so that the organization can run an automatic compliance checking algorithm
over the encrypted log. With empirical evaluation we demonstrate that, our enhanced compliance checking algorithm incurs low to moderate overheads for our cryptographic schemes, relative to a baseline without encryption.
About the SpeakerOmar Chowdhury is a Post-Doctoral Research Associate in the Department of Computer Science at Purdue University. Prior to joining Purdue University, he was a Post-Doctoral Research Associate in Cylab, Carnegie Mellon University. He received his B.Sc. in Computer Science & Engineering from Bangladesh University of Engineering & Technology and his Ph.D. in Computer Science in the University of Texas at San Antonio. His research interest lies in investigating fundamental issues in
The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos, are the property of Purdue University, the presenter and/or the presenter’s organization, and protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.