ETD

Archivio digitale delle tesi discusse presso l'Università di Pisa

Tesi etd-07112021-124810


Tipo di tesi
Tesi di dottorato di ricerca
Autore
DAOUDAGH, SAID
URN
etd-07112021-124810
Titolo
The GDPR Compliance Through Access Control Systems
Settore scientifico disciplinare
INF/01
Corso di studi
INFORMATICA
Relatori
tutor Dott.ssa Marchetti, Eda
correlatore Prof.ssa Monreale, Anna
Parole chiave
  • User Stories
  • Systematic Approach
  • Lifecycle
  • GDPR
  • Access Control
  • Consent Management
  • Data Protection
Data inizio appello
20/07/2021
Consultabilità
Non consultabile
Data di rilascio
20/07/2024
Riassunto
The GDPR is changing how Personal Data should be processed. It states, in Art. 5.1(f), that "[data] should be processed in a manner that ensures appropriate security of the personal data […], using appropriate technical or organizational measures (integrity and confidentiality)". We identify in the Access Control (AC) systems such a measure. Indeed, AC is the mechanism used to restrict access to data or systems according to Access Control Policies (ACPs), i.e., a set of rules that specify who has access to which resources and under which circumstances.

In our view, the ACPs, when suitably enriched with attributes, elements and rules extracted from the GDPR provisions, can suitably specify the regulations and the AC systems can assure a by-design lawfully compliance with the privacy preserving rules.

Vulnerabilities, threats, inaccuracies and misinterpretations that occur during the process of ACPs specification and AC systems implementation may have serious consequences for the security of personal data (security perspective) and for the lawfulness of the data processing (legal perspective).

For mitigating these risks, this thesis provides a systematic process for automatically deriving, testing and enforcing ACPs and AC systems in line with the GDPR. Its data protection by-design solution promotes the adoption of AC systems ruled by policies systematically designed for expressing the GDPR's provisions. Specifically, the main contributions of this thesis are:

(1) the definition of an Access Control Development Life Cycle for analyzing, designing, implementing and testing AC mechanisms (systems and policies) able to guarantee the compliance with the GDPR;

(2) the realization of a reference architecture allowing the automatic application of the proposed Life Cycle; and

(3) the use of the thesis proposal within five application examples highlighting the flexibility and feasibility of the proposal.
File