www.paasword.eu

No More Dark Clouds: A Privacy Preserving Framework for the Cloud

Dr. Simone Braun

CAS Software AG Networking Session at ICT 2015 Conference

October 20, 2015, Lisbon

Motivation

The Cloud paradigm has definitely prevailed

Most application are delivered following the SaaS model

Many developers rely on PaaS offerings for scalablity

Nearly all underlying resources (DBs, Queues etc) are outsourced at the IaaS level

Attack vectors have increased

‘Raw data’ are the modern hacker’s holy grail

The responsibility for the protection of data has shifted to the developer

2 20/10/2015

Motivation

20/10/2015 3 http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Our Goals

To create a security-by-design framework which will allow developers to engineer secure applications

To leverage the security and trust of data that reside on outsourced infrastructure

To facilitate context-aware access to encrypted and (even) physically distributed datasets stored in outsourced infrastructure

To prove the applicability, usability, effectiveness and value of our framework in real-life Cloud infrastructures, services and applications

20/10/2015 4

Consortium

• Industrial Partner • Scientific Partner

20/10/2015 5

Agenda

Elevator Pitches: 1) Security-by-Design (Panagiotis Gouvas, UBITECH)

2) Context-aware Security Models (Yiannis Verginadis, ICCS)

3) The Need for Transparent Data Protection in the Cloud (Christian Gehrmann, SICS)

Round Table Discussions

Summary

20/10/2015 7

SECURITY BY DESIGN

Dr. Panagiotis Gouvas

UBITECH LTD

20/10/2015 8

Database: the holy grail

20/10/2015 10

20/10/2015 11

Traditional

Source Code

Annotations

Mapped to

queries

Specific type of

annotations

affect the way

the user input will be

Handled during query

execution E (k,m)

k D(k,C)

Security-by-Design may be implemented in various ways

Design Decisions

The place where the TED is taking place.

The mechanism that generates the TED key.

The way the TED key is used

The modification of the target database schema

12 20/10/2015

Policies that will be implemented

20/10/2015 13

CONTEXT-AWARE SECURITY MODELS

Dr. Yiannis Verginadis

Institute of Communications & Computer Systems (ICCS)

20/10/2015 14

What is Context?

“Any information that can be used to characterize the situation of an entity. An entity is a person, place, or object that is considered relevant to the interaction between a user and an application, including the user and applications themselves” (Abowd, et al., 1999; Dey, 2001)

20/10/2015 15

What is Context-Aware Security?

• “Context-aware security is the use of supplemental information to improve security decisions at the time they are made, resulting in more accurate security decisions capable of supporting dynamic business and IT environments” (Gartner)

20/10/2015 16

PaaSword Context-Aware Security Model

Security business model (SBM) An ontologically-expressed framework for annotating web-endpoints

Set by the product manager Separation of concerns between policy definition and enforcement

Conceptually divided into two parts

20/10/2015 17

Context Model (CM)

Gives rise to dynamic security controls

Data Distribution and Encryption Model (DDEM)

Gives rise to static security controls

18

Overview

AF: Annotation-formation

DTF: Development-time facing component

RTF: Runtime facing component

SBM: Security business model

web-endpoint annotations

THE NEED FOR TRANSPARENT DATA PROTECTION IN THE CLOUD

Christian Gehrmann, Swedish Institute of Computer Science

Matthias Gabel, Karlsruhe Institute of Technology

20/10/2015 19

Cloud data protection vision

One of the major obstacle for high data security in cloud applications are transparent (from end-user and developers points of view) data protection solutions

Cloud platforms should provide efficient tools for developers to protect data without the need of making detailed security configurations or key management solution themselves, i.e. it should offered by the cloud platform!

End-user applications should be able to fast and efficient retrieve protected, i.e. encrypted and integrity protected, cloud stored data without compromising security

20/10/2015 20

Technology maturity

Schemes for protected cloud storage that also allow quick data look-up have been subject for research and development for a long time. However, the schemes needs to be adapted to real cloud platforms and development environments.

Efficient and secure principles for platform assisted (for developers) cloud data protection is a fairly new area of research with huge potential!

20/10/2015 21

Searchable data protection high level view

20/10/2015 22

Client Cloud DB Proxy Cloud DB Client

Common (insecure) scenario Desired (secure) scenario in PaaSword

Paasword protection logic

20/10/2015 23

Discuss with us

Do you consider context-aware security valuable for the Cloud?

What is the most critical aspect of context that should be considered during the access control decision making?

Which is more important security or performance in the Cloud?

Which context model serialization format do you think is the most appropriate?

20/10/2015 24

Interested in… ?

Getting access to early results?

Shaping and expanding PaaSword?

Networking with leading companies & research institutes?

Collaborating with us and the PaaSword Community?

Join the Cloud Security Industrial Focus Group!

Contact: Christos Georgousopoulos (Christos.Georgousopoulos@intrasoft-intl.com) or any other PaaSword member

20/10/2015 25

20/10/2015 26

Questions?

Visit us:

www.paasword.eu Acknowledgements: This project has received funding from the

European Union’s Horizon 2020 research and innovation programme under grant

agreement No 644814.