My answer is also a “depends,” but my answer is contingent on what you mean by “policies and standards.” It depends on whether, by policies and standards, you are inquiring about technology-based solutions, such as encryption, or legally driven ones. Since many of the responses appear technologically driven, I will address “policies and standards” from a regulatory framework. Unfortunately, I am not sure what type of user privacy is at risk or the cyberspace that is occupied. Is this a personal or commercial activity? What is the jurisdiction or place of activity? Is the information personal or sensitive in nature? By cyberspace, do you mean a local network or a more public domain such as the Internet or social media use? Is the information staying within a local, national, or international space? By standards, do you mean privacy principles or fair information practices or specific bodies of laws and regulations? By policies, are you looking for codes of conduct or other similar documents? In the case of a social media site there may be important click-based agreements such as privacy notices and terms of service that may afford or derogate user protections. These agreements are extremely important but rarely read by the consumer. There are also other bodies of law that may apply depending on whether the information is personal, financial, intellectual, etc. It also depends on whether there is a national security issue or foreign intelligence concern. In this situation, there are Mutual Legal Assistance Treaties between nations that enable national security services of various countries to exchange personal information on their citizens. That is a major area of cyberlaw beyond what can be covered in this forum.
If data is flowing within a given national border or locally, then there may be local or national laws and regulations that apply. If there are transborder data flows, then there could be a variety of laws and regulations designed to protect personal privacy, or little or no protection. For example, the EU through its data protection directive (soon to be a Regulation, if and when it is officially adopted) affords EU citizens protections through transborder controls that are more stringent than, say, the sectorally based U.S. data protection laws and regulations. Protections can vary based on whether a country affords protections to its public sector, or private sector, or both. In addition to national laws, there are also treaties and agreements that may or may not apply. As you can see, your question has a “depends” answer scheme depending on precisely what you are asking. If you want to learn more, I suggest reading legal scholarship by Prof. Graham Greenleaf at the University of New South Wales or Prof. Paul M. Schwartz at Berkeley Law and Prof. Daniel J. Solove at George Washington University. These authors have published extensively on these and other related topics.
Yes, there are many well-known protocols, SSL or VPN, and many variants, which provide users with privacy. But all have limitations and vulnerable systems.
Hi Oussama, this is a three-fold problem actually (at least IMHO). Briefly:
First off is the legislative environment that drives the second part that relates to security policies, which in turn drive the procedures and controls to be applied.
There is no rule of thumb, however, if you want something high-level (essentially skipping the first part), you can reference ISO 27001, COBIT, etc. Such standards and models provide you guidance on what should be covered regarding user privacy in security policies. From this point onwards you can then identify the relevant controls (e.g. encryption) to preserve it. ISO 27001 may also cover legislative requirements if the Information Security Management System (ISMS) is properly applied.
On the other hand, you have to keep in mind that not all user information may need protection (e.g. public). So a means of classification must be present. You also must identify the information for which privacy must be preserved and the associated provider model. Finally, you need to take into account whether you are referring to personal information (that gets you back to the first part of the problem) or corporate information.
Encryption does not always solve the problem, particularly in cases where access to the data by the user may be continuous or used for specific purposes. For retention and backup purposes, encryption may indeed come into play (e.g. AES 256).
I hope I managed to provide you with a high-level answer.
It depends on what kind of information you need to store on the server. If the information is considered identifying, such as a credit card number or social security number, eventually you should use encryption. There are some alternatives when the link between two or several pieces of information is considered sensitive. This can be handled (to a certain extent) using anonymization techniques ([1], [2], and many others) at the expense of query processing. However, there are some ongoing works on how to partially encrypt the data to reduce client-server processing that you can find in [3] and [4]. The main idea is to anonymize the data that should be stored at the server using a bucketization technique such as the one provided in [2] and encrypt the link that is used to join the separated tables. This way only the client is able to retrieve the correct information.
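The generalize-and-split idea described above, as an added example that is not part of the answer or of the cited papers: quasi-identifiers (age, zip) are coarsened into buckets, the sensitive attribute is stored in a separate table keyed by a client-only HMAC token that differs per table, so the server can see only the multiset of diagnoses per bucket, while the client can re-join a record. The records, key and table layout are constructed for illustration.

```python
import hashlib
import hmac
import random
from collections import defaultdict

# Constructed sample records: (record_id, age, zip_code, diagnosis).
# Age and zip are quasi-identifiers; diagnosis is the sensitive attribute.
RECORDS = [
    (1, 23, "94110", "flu"),
    (2, 27, "94112", "asthma"),
    (3, 29, "94118", "flu"),
    (4, 31, "10001", "diabetes"),
    (5, 35, "10003", "flu"),
    (6, 38, "10014", "asthma"),
]

# Assumed client-held secret; the server never sees it.
CLIENT_KEY = b"\x11" * 32


def generalize(age, zip_code):
    """Coarsen the quasi-identifiers: 10-year age band, 3-digit zip prefix."""
    band = (age // 10) * 10
    return (f"{band}-{band + 9}", zip_code[:3] + "**")


def k_anonymity(records):
    """k achieved by the generalized quasi-identifier groups (smallest group)."""
    groups = defaultdict(int)
    for _, age, zip_code, _ in records:
        groups[generalize(age, zip_code)] += 1
    return min(groups.values())


def link_token(client_key, table_name, rid):
    """Keyed join token; a different token per table so the server cannot correlate."""
    msg = f"{table_name}:{rid}".encode()
    return hmac.new(client_key, msg, hashlib.sha256).hexdigest()[:16]


def bucketize(records, client_key, rng):
    """Split into a QI table and a sensitive table that share only a bucket label."""
    qi_table, sens_table = [], []
    for rid, age, zip_code, diagnosis in records:
        bucket = generalize(age, zip_code)
        qi_table.append((bucket, link_token(client_key, "qi", rid)))
        sens_table.append((bucket, diagnosis, link_token(client_key, "sens", rid)))
    rng.shuffle(qi_table)
    rng.shuffle(sens_table)
    return qi_table, sens_table


def server_view_bucket(bucket, sens_table):
    """What the server learns: which diagnoses occur in a bucket, not who has which."""
    return sorted(d for b, d, _ in sens_table if b == bucket)


def client_join(rid, client_key, qi_table, sens_table):
    """Only the key holder can recompute both tokens and re-link a record."""
    qi_tok = link_token(client_key, "qi", rid)
    sens_tok = link_token(client_key, "sens", rid)
    bucket = next(b for b, t in qi_table if t == qi_tok)
    diagnosis = next(d for b, d, t in sens_table if b == bucket and t == sens_tok)
    return bucket, diagnosis


if __name__ == "__main__":
    qi, sens = bucketize(RECORDS, CLIENT_KEY, random.Random(0))
    print("k =", k_anonymity(RECORDS))
    print("server sees in bucket", generalize(31, "10001"), server_view_bucket(generalize(31, "10001"), sens))
    print("client re-joins record 4:", client_join(4, CLIENT_KEY, qi, sens))
```

The anonymity guarantee here is only as strong as the bucket: a bucket whose diagnoses are all identical leaks the value regardless of k, which is exactly the gap the l-diversity paper cited as [1] addresses.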
[1] Ashwin Machanavajjhala, Daniel Kifer, Johannes Gehrke, Muthuramakrishnan Venkitasubramaniam: L-diversity: Privacy beyond k-anonymity. TKDD 1(1) (2007)
The "Platform for Privacy Preferences (P3P) Project" (http://www.w3.org/P3P/) Recommendation of the World Wide Web Consortium (W3C) offers a standard to enforce privacy in website. Additionally, some applications and frameworks are built on top of this standard.
The most important issue you need to address is to define WHAT you want to protect and FROM what threat. And you can not find any standard to help you with this. Previous comments highlight very relevant standards and security techniques, which will help you to better understand the issues and deploy confidentiality and integrity safeguards - I would also recommend to use GPG with email systems. But just installing the tools or reading the standards will not make you more secure.
The relevant ISO Standard is ISO/IEC 29100 "Information Technology - Security Techniques - Privacy Framework", but it is rather abstract, focusing on general principles.
ISO/IEC 27032:2012 Information technology -- Security techniques -- Guidelines for cybersecurity is the ISO framework for cybersecurity.
As Theodoros Stergiou said, cybersecurity is not only a technical issue. There are legal and organizational components. The ISO defines cyberspace, the relationships with network and information security, the stakeholders and their roles. Cooperation between them seems to be the key for security in cyberspace.
As far as user privacy is concerned, there is now a movement in Europe towards harmonizing the legislation on user data protection in the different states.
Protocols you ask for are for example used by payment gateways where the communication is encrypted between the user and the bank
It appears that security and privacy are many times still considered the same thing. Privacy may rely on information security, but having security does not imply privacy (for a technological solution to provide true privacy protection it must provide the individual with the ability to control what data is collected about them, how the collected data will be used, and with whom the data will be shared). I would be wary of any standard that only promotes encryption of data at rest or in motion as a means of protecting privacy.
As far as standards are concerned: The ISO standards provide high-level principles (in a similar fashion to the OECD's guidelines for cross-border flow of information), which prompted other standards such as P3P, EPAL, WS-Privacy, and a whole slew of others. In turn, these standards will have influenced legislation (or even have been influenced by legislation): HIPAA and COPPA in the US, EU Data Protection Directives, the PoPI Act in South Africa, the Australian Privacy Act, Canada's Freedom of Information and Protection of Privacy Act (including their healthcare information protection act). Which in turn will have influenced technological implementations (in addition to the original IPC/Registratiekamer's description of a privacy enhancing technology).
A reading of all of these standards will show that they all have a common theme, but I direct you to https://xkcd.com/927/ for some tongue-in-cheek insight into the nature of standards.
Privacy in Cyberspace seems a broad term, and could encompass at least these: confidentiality of the data at rest; confidentiality of the data in transit; privacy of the content of information about the person stored in a database owned by someone else (your credit card info in Amazon servers, for ex; your fiscal data held by government; your health data held by several hospitals, etc).
Then you have to worry about things like proper access control policies securely implemented for the stored data, secure management of backups of that stored information and so on.
So, there are several points you want to address here, but that also depends on your role: are you a user seeking assurance from some provider that your data will be protected? Are you on the other hand a provider who has to give these assurances to users? If so, then you have to consider the whole system, and you should first do a detailed analysis of the assets you need to protect, a risk analysis of these assets, round up the relevant legislation to know your obligations (you have to give at least due care) and then decide what the appropriate controls are.
If for example you are storing medical data in the US, you have to comply with HIPAA; if you are processing credit card information, you have to comply with PCI-DSS. For more concrete things, if you want secure communication, you have to ensure at least confidentiality and integrity. There are a number of internet protocols for these, but remember they cannot use only encryption, since this only gives you confidentiality. You also need integrity protection schemes (ex: message authentication codes or signatures). Your best bet is to use standardized protocols like IPsec and TLS, but keep in mind that all of them have vulnerabilities in the literature. And if you pick one of these, do make sure to disable any standard like Dual_EC_DRBG or others that come to light as having been broken or compromised.
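To make the "encryption alone gives only confidentiality" point concrete, here is an added example (not code from the answer above): a toy stream cipher whose keystream is derived with HMAC-SHA256 in counter mode, first used bare and then wrapped in encrypt-then-MAC. Modifying the bare ciphertext silently changes the decrypted plaintext; with the authentication tag the same modification is rejected. The cipher construction, keys, nonce and message are all constructed for illustration; real systems should use a vetted AEAD mode or TLS rather than this toy.

```python
import hashlib
import hmac

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key, nonce, length):
    """Toy CTR-style keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_only(enc_key, nonce, data):
    """XOR with the keystream; no integrity protection at all."""
    ks = _keystream(enc_key, nonce, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


decrypt_only = encrypt_only  # XOR stream ciphers are their own inverse


def seal(enc_key, mac_key, nonce, plaintext):
    """Encrypt-then-MAC: tag covers nonce and ciphertext under a separate key."""
    ct = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key, mac_key, blob):
    """Verify the tag in constant time before decrypting; None means tampered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt_only(enc_key, nonce, ct)


def flip_byte(data, index, mask):
    """Simulate in-transit corruption or modification of one byte."""
    buf = bytearray(data)
    buf[index] ^= mask
    return bytes(buf)


if __name__ == "__main__":
    enc_key, mac_key, nonce = b"\x01" * 32, b"\x02" * 32, b"\x00" * NONCE_LEN
    msg = b"PAY 100 TO BOB"
    ct = encrypt_only(enc_key, nonce, msg)
    print("bare cipher, modified:", decrypt_only(enc_key, nonce, flip_byte(ct, 4, ord("1") ^ ord("9"))))
    blob = seal(enc_key, mac_key, nonce, msg)
    print("authenticated, modified:", open_sealed(enc_key, mac_key, flip_byte(blob, NONCE_LEN + 4, ord("1") ^ ord("9"))))
```

Two design points carry over to real protocols: the MAC key is distinct from the encryption key, and verification happens before any decryption so a modified message is never acted upon.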
If you want to secure data at rest, there is a major research area right now on how to encrypt data in a database and still make it useful. This is particularly pertinent for cloud computing, where you want the data to remain secret while still being amenable to operation.
If you want to protect personal data stored, but not encrypted, in a database, you could use anonymization techniques as reported above. There is also Differential Privacy, which was proposed by Cynthia Dwork with the same purpose but with near-cryptographic assurances. There are also techniques that rely on data perturbation, that is, change of the real data in a way that overall aggregate results stay more or less the same.
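An added example of the differential privacy mechanism mentioned above (not code from the answer): a count query has sensitivity 1, so adding Laplace noise with scale 1/epsilon makes the answer epsilon-differentially private, and repeating the query spends the budget additively. The records, predicate and the uniform-source parameter (passed in so the draw can be reproduced) are constructed for illustration.

```python
import math
import random

# Constructed sample records: (record_id, diagnosis).
RECORDS = [(1, "flu"), (2, "asthma"), (3, "flu"), (4, "diabetes"), (5, "flu"), (6, "asthma")]


def laplace_sample(scale, u):
    """Inverse-CDF draw from Laplace(0, scale) given a uniform u in (0, 1)."""
    p = u - 0.5
    return -scale * math.copysign(1.0, p) * math.log(1.0 - 2.0 * abs(p))


def count_sensitivity():
    """Adding or removing one person changes a count by at most 1."""
    return 1


def noisy_count(records, predicate, epsilon, uniform=random.random):
    """Laplace mechanism: true count plus Laplace(0, sensitivity / epsilon) noise."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    true_count = sum(1 for r in records if predicate(r))
    scale = count_sensitivity() / epsilon
    return true_count + laplace_sample(scale, uniform())


def likelihood_ratio_bound(epsilon):
    """Worst-case ratio of output probabilities on neighbouring datasets: e^epsilon."""
    return math.exp(epsilon)


def budget_spent(epsilons):
    """Sequential composition: answering several queries costs the sum of their epsilons."""
    return sum(epsilons)


if __name__ == "__main__":
    is_flu = lambda r: r[1] == "flu"
    rng = random.Random(0)
    for eps in (0.1, 1.0, 10.0):
        print(f"epsilon={eps}: noisy flu count = {noisy_count(RECORDS, is_flu, eps, rng.random):.2f}")
    print("bound on likelihood ratio at epsilon=1:", likelihood_ratio_bound(1.0))
    print("budget after three epsilon=0.5 queries:", budget_spent([0.5, 0.5, 0.5]))
```

The smaller epsilon is, the wider the noise and the weaker the statistical value of the answer, which is the cryptographic-style trade-off the answer refers to; releasing the exact count (epsilon tending to infinity) gives no protection at all.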
It all depends on what you want to protect. You must determine that first. There are couple of solutions as some have elaborated - security policies or standards could be interpreted in various ways. There are lots of ways to go about it and one of them is to implement PGP server and that server could serve as a key server. There are lots more on PGP.
There are many different kinds of security requirements. I agree with Ayodel: it's better to have a precise security requirement and then find the solution.
However, you can check our project Seed4C.
Seed4C introduction: The cloud security challenge not only reflects on the secure running of software on one single machine, but rather on managing and guaranteeing security of a computer group or cluster seen as a single entity. Seed4C's focus is to evolve from cloud security with an isolated point or centralized points of enforcement for security to cloud security with cooperative points of enforcement for security.
I perceive Oussama's question more as a general one than as seeking a list of standards. And by the way, I am inclined to challenge the suitability, longevity and sanity of most standards regarding privacy.
Protection of privacy is a question of how intelligent you are and what are you trying to protect and what are you prepared to sacrifice.
The question of privacy is primarily RELATIVE, not ABSOLUTE. You can only ask "how to achieve privacy RELATIVE to him or her or them". There is no such thing as privacy in general. For example, if I want my SSN to be a private number that I do not wish to give to anybody, it is then useless. But I may decide to share it with the DMV while not sharing it with my neighbor, my wife and my Facebook gang.
Many people have lost their identity or impaired their privacy because they acted unwisely while there was nothing wrong with security protocols they used.
On top of that, on the security side of the coin, it is important that people are educated about what encryption is and what it is used for. I noted that most people would give away their sensitive data without checking the authenticity of the web site and without checking that https is being used, or would click on a link that apparently leads to a secure site while in fact it leads to a completely different and infected URL, etc.
Relevant to that, ENISA recently published a list of recommended algorithms and key sizes for encryption https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report
It may be a common practice in developed countries, but in developing countries until now there are only rules that favour securing the elites, while the common man is not protected against cyber crimes.
ABSTRACT The services provided in clouds may represent an increase in the efficiency and effectiveness in the operations of the enterprise business, improving the cost-effectiveness related to services and resources consumption. However, there is concern about the privacy of data, since such data are outside the client's domain. For these services to be effectively enjoyed by organizations it is necessary to provide access control. The objective of this work is to provide identity management, based on digital identity federation, with authentication and authorization mechanisms for access control in cloud computing environments to independent, trusted third-parties.
Conference Paper Multi-Tenancy Authorization System with Federated Identity f...
To really get your answer, you need to decide on what you mean by privacy.
What entity is protecting their privacy, and what data fields should be protected?
The current model is "every man for himself." Privacy is considered to be the responsibility, mainly, of a given consumer. This is the opt-out model, where consumers of web services are expected to be able to ascertain whether they want to put certain information out on the web or not.
All the legal definitions of privacy, or of personally identifiable information (PII) are aimed at service providers. Encryption, though an excellent answer for many issues, is hard for an average consumer to set up for themselves. Email encrypted by default and websites encrypted by default are great starts to avoid man-in-the-middle attacks and data theft by eavesdropping. They do nothing to keep a consumer safe from phishing, where a message sender is impersonating a trusted entity, or flat-out fraud.
If you hand a stranger your car keys and give them a 2 hour head start, they are probably going to get away with it.
People give their private information away every day. The situation is not theft by taking, but accepting a freely offered gift that the giver regrets later. A successful fraud set-up always leaves the victim feeling as if there was just a misunderstanding that could be sorted out by talking through the thing again.
There should probably be a required training course for people considering web-surfing in "How not to be fooled."
There was an attempt from W3C to protect privacy of users. It is called P3P: http://www.w3.org/P3P/ Unfortunately it has not been widely used due to usability issues.