Globalized market trends and fast-changing business conditions induce significant changes for enterprises and their Information Systems to provide agility, scalability, interoperability features…  The digital transformation involved by the Social networks, Mobile computing environment, Big Data Analytics and Cloud technologies calls for a new information-driven cyber-security management strategy. Success in achieving any benefit from such ICT investment is directly affected by the trust we have in the services in the way they use our Personal Information. Currently, cybersecurity is based on an analysis of threats and assets limited to specific components and is mostly focused on Corporate Information Systems. This leads to consider Personal Information protection according to a service provider vision. Those methodologies introduce countermeasures but that can be bypassed by attackers who adopt adaptive strategy like tracking security incidents originated in the usage of personal information. Moreover, the fast adoption of innovative smart services lead to new protection challenges as their underlying Big Data operating function involves “cross processes” among several (Personal) Information sources, often seen as “unfair practices”. As such, protection of Personal Information constitutes a major challenge for the future of digital societies. Supporting sustainable Personal Information management is a key challenge for both Personal Information ecosystem that need accurate and reliable personal data and for end-users that often "loss control" on their private life. More and more initiatives (such as the one carried out by the Fing) or judiciary decisions (that do not recognise the safe harbor label as a "privacy certification ») increase the call for a new way to manage and protect personal Information by letting people manage their own personal information protection in a sustainable way.

To fit these requirements, this research work challenges new security models to define a consistent protection for services and Big Data environment to fit security policy requirements of corporate information system or end-user personal data privacy management in cloud infrastructure. To provide a life-long protection, these models must also pay attention on « due usage » specification and management for information and services. Taking advantage of previous PhD works on DRM specification for services and on Model Driven Security, this research project aims at organizing a multi-dimensional security policy framework (taking into account both services and data protection) to fit the SMAC opened context. To this end, a particular attention will be paid on Meta-Data based access control and on incremental rights specification to support protection consistency validation.

More precisely, this thesis aims at (1) organizing a multi-dimensional security policy framework (taking into account both services and data protection) to support a unified Due Usage policy specification supporting a consistent life-long protection of information and services,  (2) organize a consistent policy composition framework (mixing the traditional “control-driven” process and the "data driven" visions to select and weave both services and data security requirements) the required Quality of Protection specification and (3)  manage and orchestrate the convenient security services in a models@run.time vision.