The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

Omar Chowdhury - Purdue University

Students: Spring 2025, unless noted otherwise, sessions will be virtual on Zoom.

Regulatory Compliance Checking Over Encrypted Audit Logs

Feb 04, 2015

Download: Video Icon MP4 Video Size: 149.6MB  
Watch on Youtube Watch on YouTube

Abstract

Individuals have the privacy expectation that organizations (e.g., bank, hospital) that collect personal information from them will not share these personal information with mischievous parties. To prevent unauthorized disclosure of personal information by organizations, US federal government has put forward privacy legislation like HIPAA and GLBA. Violation of these privacy regulations can bring down heavy financial penalties for the organization. To maintain compliance with all the relevant privacy regulations, organizations collect day-to-day privacy events in an audit log which is periodically checked for compliance.

The audit logs capturing the privacy sensitive events tend to be large and due to the cost-effectiveness of cloud infrastructures, outsourcing the audit log storage to a third party cloud service provider is now a viable option for organizations. As the audit logs can possibly contain customers' sensitive personal information, protecting confidentiality of the audit log data from the cloud service provider and other malicious parties should be a major objective for the organization. One possibility is to encrypt the audit logs before uploading it in the cloud storage. However, encrypting the audit log with any semantically secure encryption scheme might prohibit the organization from automatically check compliance of the audit log. Theoretical solutions like fully homomorphic encryption is not practically viable in this scenario. In this talk, I will present two very simple audit log encryption schemes that reveal enough information so that the organization can run an automatic compliance checking algorithm
over the encrypted log. With empirical evaluation we demonstrate that, our enhanced compliance checking algorithm incurs low to moderate overheads for our cryptographic schemes, relative to a baseline without encryption.

About the Speaker

Omar Chowdhury
Omar Chowdhury is a Post-Doctoral Research Associate in the Department of Computer Science at Purdue University. Prior to joining Purdue University, he was a Post-Doctoral Research Associate in Cylab, Carnegie Mellon University. He received his B.Sc. in Computer Science & Engineering from Bangladesh University of Engineering & Technology and his Ph.D. in Computer Science in the University of Texas at San Antonio. His research interest lies in investigating fundamental issues in
Computer Security and Privacy. He is interested in developing novel access control features and technologies. His current research focuses on using formal verification techniques to design efficient security and privacy policy analysis and enforcement mechanisms. Specifically, he is interested in developing efficient algorithms for checking compliance of practical privacy policies like HIPAA and GLBA. He has won the best paper award The ACM Symposium on Access Control Models and Technologies (SACMAT). He has also served as a program committee member in The ACM Symposium on Access Control Models and Technologies (SACMAT).


Ways to Watch

YouTube

Watch Now!

Over 500 videos of our weekly seminar and symposia keynotes are available on our YouTube Channel. Also check out Spaf's YouTube Channel. Subscribe today!