www.paasword.eu
Dr. Julia Vuong, Andreas Schoknecht
CAS Software AG, Karlsruhe Institute of Technology
PANOPTESEC Workshop
September 08, 2015, Brussels
Agenda
Introduction/Motivation
PaaSword in a Nutshell
Consortium
Goals
Business Challenges
PaaSword Concepts
Overview
Basic Concepts
PaaSword Requirements
Methodology
Functional Requirements
Security Requirements
PaaSword08/09/2015 2
PaaSword Architecture
Overview
PaaSword Policies
PaaSword Scientific Challenges
Searchable Encryption
Access Policies
Insecure APIs
Conclusion
INTRODUCTION
PaaSword in a Nutshell
Holistic framework to unlock valuable business benefits of Cloud Computing by providing data privacy and security by design
Safeguarding both corporate and personal data for cloud infrastructures and storage services
Protecting the data persistency layer and the database itself as the most critical targets
[Figure: PaaSword overview. A Developer publishes an application using the PaaSword API to the PaaS Provider; the DB at a Trusted IaaS Provider holds encrypted data with indexers on encrypted data and answers queries using a Searchable Encryption Scheme. Further actors shown: User, Adversary.]
Consortium
[Slide: partner logos, each marked as Industrial Partner or Scientific Partner]
Goals for PaaSword
Leverage the security and trust of Cloud infrastructures and services
Facilitate context-aware, ad-hoc decryption and access to encrypted and physically distributed datasets stored in Cloud infrastructures and services
Enable the engineering of data privacy and security by design Cloud services and applications
Ensure the protection, privacy and integrity of the data stored in Cloud infrastructures and services
Prove the applicability, usability, effectiveness and value of the PaaSword concepts, models and mechanisms in industrial, real-life Cloud infrastructures, services and applications
Use Cases & Business Challenges
The PaaSword Framework outcome is demonstrated by means of 5 Use Cases situated in different application areas:
Secure Sensor Analytics for IoT applications
Cloud-based Multi-tenant CRM software
Encrypted Persistency included in PaaS/SaaS Services
Multi-tenant ERP Environments
Platform for Cross-border Document Exchange
Business Challenges are derived from the analysis of the Use Cases
Secure Sensors Data Fusion and Analytics
Siemens SRL
Sensor Middleware: fine-grained ICT monitoring system for both static and mobile distributed critical infrastructures
Public utilities (PU) or supply chains (SC)
The system provides
  Reports in order to support the end-user in deciding whether to accept a shipment (SC) or public service (PU) through e.g. QoS monitoring
  Real-time alerts and early warnings in order to guarantee the quality of a provided service, i.e. enabling transporters (SC) and public service & safety providers (PU) to proactively avoid or minimize damages
  Automatic control of operational states (i.e. of storage and transport conditions for SC, public services distribution and scaling for PU) in order to comply with product and service requirements
Data is stored in a NoSQL storage engine due to its linear scaling factor; scaling is achieved through sharding
Secure Sensors Data Fusion and Analytics
The resulting security framework should:
provide redundancy capabilities for the management, storage
and processing systems in case of failures;
provide support for performing failure and forensic analysis on
data-storage and processing components;
identify ways to detect and report security and system failures.
Protection of Personal Data in a Multi-Tenant CRM Environment
CAS Software AG
CRM software stores, links and processes huge amounts of personal and customer data as well as sensitive enterprise
This data is an interesting target, mainly for passive adversaries
Another major threat are internal adversaries who have access to unencrypted data of multiple tenants directly in the data center
CRM software developers are mainly non-security experts who need to write security-aware code.
Data encryption needs to be included at the persistence layer.
Performance impact needs to be limited to those parts of the data that must be protected.
Data is stored in relational databases.
Protection of Personal Data in a Multi-Tenant
CRM Environment
The resulting security framework should
support security as a part of the application/data lifecycle
management;
support tenant isolation in order to support the multiple-tenant
structure of a CRM solution, especially the “one DB per tenant”
approach;
provide developer documentation and guidelines for security features
in the platform in order to enable non-security experts to develop
security-aware CRM software;
provide patch management for secure platform components;
provide secure key management;
support permissions based on the situation of the user.
Encrypted Persistency as PaaS/IaaS-Service - Pilot Implementation
SixSq
SlipStream, a cloud application management platform, facilitates management of the full cloud application lifecycle
Most cloud applications are n-tier web applications that need appropriate levels of security, privacy and confidentiality.
Developing the data protection infrastructure with respect to ISO standards and EU data handling requirements is time consuming and costly.
Encrypted Persistency as PaaS/IaaS-Service - Pilot Implementation
The security framework should
  Produce components that can be parameterized and integrated with other application services (including external user authentication mechanisms);
  Provide a complete set of components that can demonstrably meet the requirements of the EU data protection legislation and similar regulatory requirements around the world.
Protection of Sensitive Enterprise Information on Multi-Tenant ERP Environments
Singular Logic
Enterprise Resource Planning solution with single-tenant and multi-tenant scenarios relying on IaaS deployment schemes.
Data being exposed to third parties in a multi-tenant environment is one of the main risks.
Virtualized infrastructure includes the risk that one machine in this setting could monitor what its neighbours are doing.
Poor implementation of access management includes the risk that customer data will get exposed to other users.
Protection of Sensitive Enterprise Information on Multi-Tenant ERP Environments
The resulting security framework should
  Support searchable encryption of the database;
  Be able to support encryption/decryption through all steps of the application and data lifecycle;
  Support tenant isolation in order to support the multiple-tenant ERP solution, based on the “one DB per tenant” approach;
  Not introduce extreme computational overhead;
  Offer encryption in the data transportation layer;
  Provide extended developer documentation and guidelines for the security features in order to be properly integrated into the existing solution;
  Provide secure key management.
Intergovernmental Secure Document and Personal Data Exchange
Ubitech
The Intergovernmental Exchange Platform facilitates international co-operation in civil-status matters and further enables the exchange of information between civil registrars
The platform needed to adhere to very high security standards for the generation and transmission of highly sensitive personal data, taking into consideration that the transmission channel is going to be the Internet, a totally hostile environment for sensitive data.
Problem of end-to-end electronic exchange: one of the most vulnerable parts of the platform is the so-called Exchange Server where the exchange (inbound/outbound) queues and routing databases reside
Protection of the raw data that reside in the central database
Intergovernmental Secure Document and Personal Data Exchange
The resulting security framework should
  Produce components that ensure as far as possible that exchanged data are secure from malicious users that are either external or internal, i.e. belong to the ecosystem of the operational environment. This is very crucial since these types of applications have complex operational environments.
  Produce components that can apply security policies that take into consideration the specificities of cross-border exchange (e.g. restrict the interaction of users based on their location)
  Produce components that are in line with the eIDAS regulation (such as electronic signatures, electronic seals, time stamps, electronic delivery services and website authentication) while in parallel contributing to seamless encryption of data
Business Challenges
Encryption of distributed existing databases and corresponding
transaction logs
Context-driven policies for accessing the stored information
Object annotations modelling access rights for specific purposes, easily
understood and defined by application developers, and a
corresponding interpreter generating policy enforcement rules
Virtualization of data storages, i.e. SQL and No-SQL, realizing the
appropriate query synthesis and aposynthesis capabilities
Key management mechanisms making the key usage transparent to
the cloud-based applications and services
Asymmetric encryption, enabling the per-user encryption of the stored
data and the per-user definition of policies regarding said data
Walkthrough PaaSword
PaaSword provides an IDE-specific plug-in incorporating all PaaSword features used by the developer for an MVC-based application
Developer creates annotations at the Data Access Objects referring to sensitive data that should be protected, according to the XACML-based Context-aware Policy Access Model
PaaSword performs a validity check of the DAO annotations
According to the DAO annotations, the application's persistence layer is distributed and the data encrypted
Each query and processing request is forwarded by the enhanced Controller to the Query Handling mechanism
Walkthrough PaaSword
Policy Enforcement Mechanism grants or denies the incoming request access to the data, taking into account the user-defined access policies;
Query Handling mechanism submits the enhanced query to the augmented persistence layer;
Database Proxy registers the distributed query to the distributed and encrypted parts and federates the respective data from the distributed parts of the database;
Federated data are synthesized and decrypted ad hoc utilizing the key of the end-user that is transparently (to the application) propagated to the Query Handling mechanism;
Decrypted data is delivered to the application controller, which forwards it to the end-user
PAASWORD CONCEPTS
Overview of Basic Concepts
PaaSword Semantic Models
what is this artefact?
PaaSword Semantic Models is a set of Ontological models that aim to conceptualize two things:
  possible encryption/decryption policies that can be used during runtime by an application in order to protect specific columns in a database
  possible policies that can be applied in the web-endpoints of an application
who is using it?
They are used, after their interpretation, in libraries
who manages it?
A PaaSword Administrator is able to extend these models
Typesafe Development Libraries
what is this artefact?
It is a set of Java Annotation Libraries (JSR-175 compliant) that provide developers the ability to annotate specific parts of their code. These parts include @Entities, @Path(“/restendpoint”) etc. Annotations will drive specific ‘business logic’ during runtime.
who is using it?
A Cloud Application Developer during the development of an application that will be hosted in a PaaS environment
who manages it?
It is autogenerated by a Semantic Model Interpreter
PaaSword Application
what is this artefact?
This is not, strictly speaking, an artefact of the project; it is an application that uses the Typesafe Development Libraries
who is using it?
Upon deployment in a JEE container the application is available to end-users.
who manages it?
The PaaSword Application is managed by a DevOps in the sense that they perform all appropriate steps that are needed prior to deployment
PaaSword-enabled Container
what is this artefact?
It is a JEE container that is able to interpret during runtime the
(PaaSword) annotations that the developer has used.
A PaaSword-enabled container is able to
Interpret and implement encryption/decryption policies for specific
columns of a database
handle policies that are declaratively defined
who is using it?
A DevOps user that is responsible for the operation of an application
who manages it?
The PaaS provider
Outsourced Database
what is this artefact?
It is a plain RDBMS engine that operates in a completely untrusted IaaS
zone
who is using it?
The PaaSword-enabled application will use this RDBMS in order to host
encrypted data
who manages it?
The IaaS provider
REQUIREMENTS
Requirements Methodology
Capturing of Requirements was a multi-step procedure.
Initially we discriminated between Functional Requirements and
Security Requirements
Functional requirements affected the Architecture and will affect the
reference implementation
Security requirements affect the Encryption/Decryption policies and
the Key-Management policies that will be developed
Our end-users drove this procedure
As a first step, all PaaSword stakeholders have been identified
Different Requirements per Role
[Slide: diagram of stakeholder roles and their requirements]
PaaSword Administrator & Developer
DevOps's & PaaS Provider's Functional Requirements
Application User's Functional Requirements
Capturing Security Requirements
The core asset that has to be protected is the database
Following a risk-management methodology we ended up identifying Assets, Threats and Vulnerabilities that relate to the database
Based on the identified Threats, end-users raised their concrete security requirements
These requirements have been collected and ranked
Ranking is a guide for the reference implementation
Security Requirements Meta-model
[Slide: diagram of the security requirements meta-model]
Ranking
Scores per partner (CAS, UBI, SILO, SixSq, SIE) and average (Ave):
Description | CAS | UBI | SILO | SixSq | SIE | Ave
PSw SHALL guarantee that the credentials of a user can be revoked without affecting the Transparent Data Encryption (TDE) scheme that is used at the database level | 9 | 10 | 9 | 9 | 9 | 9.2
PSw SHALL guarantee that the revocation of the credentials of one user does not affect the credentials or the TDE scheme of the other users | 9 | 10 | 9 | 9 | 9 | 9.2
PSw SHOULD use a key generation algorithm (for keys associated to users/roles) that should guarantee that when a user key is compromised the rest of the keys MUST not be revoked | 9 | 10 | 9 | 9 | 9 | 9.2
PSw SHALL support symmetric TDE of sensitive data | 9 | 10 | 9 | 7 | 7 | 8.4
PSw SHALL be operational only if transport level encryption is configured | 9 | 9 | 9 | 6 | 5 | 7.6
PSw SHOULD ensure that deployed applications in the Application Server are trusted using a mature trust model | 8 | 7 | 8 | 8 | 9 | 7.6
PSw SHALL interact with its underlying persistency layer using an encrypted connection | 7 | 8 | 7 | 7 | 7 | 7.6
TDE SHOULD be supported on top of a monolithic database | 9 | 10 | 9 | 5 | 5 | 7.6
PAASWORD ARCHITECTURE
Overview of Architecture
PaaSword Central Administration
It is a centralized component that hosts the Semantic Models and the libraries that are autogenerated by these models. Its main sub-components include:
Semantic Model Management
  manages semantic artefacts
Design Time Library Management
  generates JSR-175 Annotation libraries
Runtime Library Management
  generates runtime libraries that are deployed in the PaaS Container
PaaSword User Administration
  manages PaaSword users (i.e. ISVs that use the libraries)
Application Development Zone
PaaSword libraries can be used by the developers of ISVs in order to create PaaSword-enabled applications. Libraries can be extended using a specific methodology. There is only one component that belongs to this zone:
Trusted Deployment Generator
  it injects into the deployment archive the proper certificates/configurations that are needed
  it signs the deployment archive
PaaSword Execution Container
A JEE container which is able to interpret the annotations during runtime and perform all policies. Its main components include:
PaaSword Deployment Management
  responsible for validating the deployment archive
Transparent Encryption & Decryption Mechanism
  responsible for bootstrapping the database and handling TDE queries
Key Management Mechanism
  responsible for performing key management operations
Security Policy Evaluation and Enforcement & Security Policy Management
  responsible for handling the policies that are defined by annotations and possibly edited by the DevOps
HTTP Request Interceptor
  responsible for forwarding the HTTP request to PaaSword handlers
Tenant Trusted Operational Zone
This is a special zone which belongs to the tenant and contains components that facilitate searchable encryption. The main components in this zone include:
Trusted Key Generator
  responsible for generating and handling tenant keys
Re-encryption Proxy
  facilitates searchable encryption
PaaSword Policy 1 – Monolithic Installation
Encryption/Decryption process is performed by using a PaaS Container
Encryption key exists constantly in memory.
Key is generated by TKP and provided once during bootstrapping.
Advantages:
  Easy to implement.
  No operational preconditions have to be fulfilled by the application provider.
  Business Logic can perform SCRUD operations transparently.
Disadvantages:
  No theoretical proof that a key cannot be circumvented by a compromised container.
  DB's data resides in one place, so brute force attacks can be performed upon its compromise.
  Key is continuously stored in memory.
PaaSword Policy 2 – Monolithic Installation
Encryption and Decryption process is performed using a PaaS Container
Encryption key exists constantly in memory.
In contrast to PaaSword Policy 1: Key is resynthesized on demand in every entity's usage.
Key is generated by TKP which is interconnected with IDM.
Advantages:
  Business Logic can perform SCRUD operations transparently.
  Asymmetric key is not stored permanently in memory.
  Revocation of one key does not affect the platform.
Disadvantages:
  More complex to implement than PaaSword Policy 1.
  No theoretical proof that a key cannot be circumvented by a compromised container.
  DB's data resides in one place, so brute force attacks can be performed upon its compromise.
PaaSword Policy 3 – Monolithic Installation
Encryption and Decryption process is performed using an Encryption Proxy
Key is based on a tenant key that is generated by the TKP
Key is generated by the TKP
Advantage:
  Container has no access to plain text.
Disadvantage:
  Business Logic cannot perform all SCRUD operations.
PaaSword Policy 4 – Distributed Installation
[Figure: Zone Model. Four zones from most to least trusted: Fully trusted zone, Trusted zone, Semi-trusted zone, Untrusted zone. Parties shown: hardware of the data owner, certified cloud provider, storage cloud provider. Components placed across the zones: database proxy, Index (two instances), Data.]
Secure Database Proxy
[Figure: the User/Application issues SQL over unencrypted data to the DB-Proxy (trusted). The DB-Proxy transforms the query into (no)SQL requests against the Cloud (untrusted), which stores Data, Index1 and Index2 in encrypted form only.]
Example (1/4): original table, encrypted data and indexes
Original (Person table):
ID | First Name | Last Name | Town | Date Of Birth
1 | Paul | Fischer | Hannover | 01.01.1979
2 | Hans | Müller | Karlsruhe | 02.02.1974
3 | Frank | Schmidt | Stuttgart | 03.03.1972
4 | Frank | Maier | Hamburg | 04.04.1983
Data (stored encrypted in the cloud):
ID | encrypted Data
1 | Enc(Paul,Fischer,Hannover,01.01.1979)
2 | Enc(Hans,Müller,Karlsruhe,02.02.1974)
3 | Enc(Frank,Schmidt,Stuttgart,03.03.1972)
4 | Enc(Frank,Maier,Hamburg,04.04.1983)
Index1:
Keyword | IDs
FirstName:Paul | Enc(1)
FirstName:Hans | Enc(2)
FirstName:Frank | Enc(3,4)
Index2:
Keyword | IDs
LastName:Fischer | Enc(1)
LastName:Müller | Enc(2)
LastName:Schmidt | Enc(3)
LastName:Maier | Enc(4)
Attributes are lost in the crowd (hidden association between the attributes of a row)
Example (2/4): Transform query
Application query to the DB-Proxy:
  SELECT * FROM Personen WHERE FirstName = 'Frank' AND LastName = 'Maier'
The DB-Proxy transforms it into one query per index:
  SELECT ID FROM Index1 WHERE Keyword = 'FirstName:Frank'
  SELECT ID FROM Index2 WHERE Keyword = 'LastName:Maier'
Example (3/4): Decrypt and compose
Index1 returns IDs Enc(3,4), Index2 returns IDs Enc(4). The DB-Proxy decrypts both ID lists and composes (intersects) them: ID 4
Example (4/4): Fetch Data
  SELECT * FROM Data WHERE ID in {4}
The cloud returns Enc(Frank, Maier, Hamburg, 04.04.1983)
Decrypt and send result: the DB-Proxy decrypts the row and returns Frank, Maier, Hamburg, 04.04.1983 to the application
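The four example slides above as an added runnable model; this is example code, not PaaSword project code. A trusted DB-Proxy encrypts rows and per-attribute ID lists, rewrites the conjunctive query into one lookup per index, intersects the decrypted IDs and fetches the matching row. It assumes a demo HMAC-SHA256 counter-mode cipher with encrypt-then-MAC standing in for a real AEAD, and replaces the slides' clear-text index keywords ("FirstName:Frank") with keyed tokens, the keyword privacy the Searchable Encryption slide asks for; the Person rows are the constructed data from the slides.

```python
"""Toy model of the slides' secure database proxy (Examples 1/4 to 4/4). Added
example, not PaaSword code: the trusted DB-Proxy holds the keys, the untrusted
cloud holds only Enc(row) per ID and per-attribute indexes token -> Enc(IDs)."""
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 16, 32

def _subkey(master: bytes, label: bytes) -> bytes:
    # Derive independent keys for encryption, authentication and index tokens.
    return hmac.new(master, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, used as a PRF-based stream cipher (demo only).
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def enc(k_enc: bytes, k_mac: bytes, plaintext: bytes) -> bytes:
    """Demo encrypt-then-MAC; a stand-in for a real AEAD such as AES-GCM."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()

def dec(k_enc: bytes, k_mac: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext was modified in the untrusted store")
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))

class DBProxy:
    """Trusted side: owns the keys, transforms queries, decrypts and composes results."""

    def __init__(self, master_key: bytes, indexed_attrs):
        self.k_enc = _subkey(master_key, b"enc")
        self.k_mac = _subkey(master_key, b"mac")
        self.k_tok = _subkey(master_key, b"token")
        self.indexed_attrs = tuple(indexed_attrs)
        # The untrusted cloud storage, modelled as in-memory dicts.
        self.cloud_data = {}                               # ID -> Enc(row)
        self.cloud_index = {a: {} for a in indexed_attrs}  # attr -> token -> Enc(IDs)

    def _token(self, attr: str, value: str) -> str:
        # Keyed token in place of the slides' clear keyword "Attr:Value" (keyword privacy).
        return hmac.new(self.k_tok, f"{attr}:{value}".encode(), hashlib.sha256).hexdigest()

    def _read_ids(self, attr: str, tok: str) -> list:
        blob = self.cloud_index[attr].get(tok)
        return json.loads(dec(self.k_enc, self.k_mac, blob)) if blob else []

    def insert(self, row_id: int, row: dict) -> None:
        self.cloud_data[row_id] = enc(self.k_enc, self.k_mac, json.dumps(row).encode())
        for attr in self.indexed_attrs:
            tok = self._token(attr, row[attr])
            ids = self._read_ids(attr, tok) + [row_id]
            # Caveat: the length of Enc(IDs) still reveals how many rows share a token.
            self.cloud_index[attr][tok] = enc(self.k_enc, self.k_mac, json.dumps(ids).encode())

    def select(self, **conditions) -> list:
        """SELECT * FROM Person WHERE a = x AND b = y, run as one lookup per index,
        an intersection of the decrypted ID sets, then SELECT * FROM Data WHERE
        ID in {...} and decryption of the fetched rows (slides 2/4 to 4/4)."""
        id_sets = []
        for attr, value in conditions.items():
            if attr not in self.indexed_attrs:
                raise ValueError(f"no index for {attr}; it cannot be searched encrypted")
            id_sets.append(set(self._read_ids(attr, self._token(attr, value))))
        ids = set.intersection(*id_sets) if id_sets else set(self.cloud_data)
        return [json.loads(dec(self.k_enc, self.k_mac, self.cloud_data[i])) for i in sorted(ids)]

def tamper_detected(proxy: DBProxy, row_id: int) -> bool:
    """Flip one ciphertext bit in the untrusted store; the proxy must refuse the row."""
    blob = bytearray(proxy.cloud_data[row_id])
    blob[NONCE_LEN] ^= 0x01
    proxy.cloud_data[row_id] = bytes(blob)
    try:
        dec(proxy.k_enc, proxy.k_mac, proxy.cloud_data[row_id])
    except ValueError:
        return True
    return False

def build_demo() -> DBProxy:
    """Populate the proxy with the four Person rows from the slides (constructed data)."""
    proxy = DBProxy(os.urandom(32), ["FirstName", "LastName"])
    people = [("Paul", "Fischer", "Hannover", "01.01.1979"),
              ("Hans", "Müller", "Karlsruhe", "02.02.1974"),
              ("Frank", "Schmidt", "Stuttgart", "03.03.1972"),
              ("Frank", "Maier", "Hamburg", "04.04.1983")]
    for i, (fn, ln, town, dob) in enumerate(people, start=1):
        proxy.insert(i, {"FirstName": fn, "LastName": ln, "Town": town, "DateOfBirth": dob})
    return proxy
```

`build_demo().select(FirstName="Frank", LastName="Maier")` walks the exact path of slides 2/4 to 4/4 and returns only the Hamburg row, while the cloud-side dicts never contain a plaintext value or keyword.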
PAASWORD SCIENTIFIC CHALLENGES
Searchable Encryption Scheme
Define a Searchable Encryption (SE) scheme which is able to work with encrypted data based on defined policies
SE needs to allow multi-read, multi-write and needs to provide keyword privacy
SE needs to offer revocation functionalities in order to tackle misbehaving users
SE needs to be efficient and able to run on multiple devices with different resources
Possibly offer different SE schemes with different functionalities/security levels
Access Control Policies
Access Control Policies are based on the Access Control Model
Developer chooses the applied Access Control Model
Key-Policy Attribute Based Encryption – Ciphertext-Policy Attribute Based Encryption
  Which one can be applied in the PaaSword setting?
  Move to a revocable version?
Access Control Policies are Context-Aware by using a Context Model
Context Model is based on LinkedUSDL taking into account context attributes, i.e. geolocation, device, …
Each data type has its own context attributes
Insecure APIs
Transport Security
  Protect APIs carrying sensitive data within a secure channel
  Use SSL/TLS
  How to generate/manage valid certificates from an internal/external certificate authority?
  Issues with configuring platform services and software integration
  Issues with end-to-end protection if any proxying platforms are required as intermediaries
Code and Development Practices
  Test any API that passes JSON/XML messages or accepts input from users/applications for standard injection flaws and cross-site request forgery attacks
Insecure APIs
Authentication & Authorization
Open Issues
Can APIs manage the encryption of usernames and password?
Is it possible to manage two-factor authentication attributes?
Can fine-grained authorization policies be created and maintained?
Is there continuity between internal identity management systems and
attributes, and those extended by APIs from cloud providers?
Reusable tokens/password?
API dependencies?
Limited monitoring/logging capabilities?
Inflexible access control?
Conclusion I
PaaSword provides a holistic framework providing data privacy and security by design
Added value exemplified on 5 business demonstrations
Based on the concepts of
  PaaSword Semantic Models
  Typesafe Development Libraries
  PaaSword Application
  PaaSword-enabled Container
  Outsourced Database
Architecture and Reference Implementation defined with the help of Requirements & Security Requirements from Stakeholders
Conclusion II
Architecture consists of
  PaaSword Central Administration
  Application Development Zone
  PaaSword Execution Container
  Tenant Trusted Operational Zone
PaaSword Policies for Security 1, 2, 3, 4
PaaSword Scientific Challenges
  Searchable Encryption working with encrypted data based on defined policies – Combine Searchable Encryption with Access Control Policies
  Insecure APIs
Questions?
Visit us: www.paasword.eu
Acknowledgements: This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 644814.

Formato para referencia de documento electrónico   copiaFormato para referencia de documento electrónico   copia
Formato para referencia de documento electrónico copiaDaniel Kintero
 
El Ayuntamiento de La Roda de Andalucía incentiva la contratación de personas...
El Ayuntamiento de La Roda de Andalucía incentiva la contratación de personas...El Ayuntamiento de La Roda de Andalucía incentiva la contratación de personas...
El Ayuntamiento de La Roda de Andalucía incentiva la contratación de personas...JdJuan Guadalinfo
 
Crowdar - Introducción a BDD
Crowdar - Introducción a BDDCrowdar - Introducción a BDD
Crowdar - Introducción a BDDJavier Re
 
Concordia university-guide firstyear
Concordia university-guide firstyearConcordia university-guide firstyear
Concordia university-guide firstyeariamprosperous
 

Viewers also liked (20)

Daten unter Kontrolle
Daten unter KontrolleDaten unter Kontrolle
Daten unter Kontrolle
 
Towards Trusted eHealth Services in the Cloud
Towards Trusted eHealth Services in the CloudTowards Trusted eHealth Services in the Cloud
Towards Trusted eHealth Services in the Cloud
 
The history of social networks
The history of social networksThe history of social networks
The history of social networks
 
El arte-de-isabel-guerra
El arte-de-isabel-guerraEl arte-de-isabel-guerra
El arte-de-isabel-guerra
 
ElDar Marble and Granite
ElDar Marble and GraniteElDar Marble and Granite
ElDar Marble and Granite
 
Preparing Life Insurers for the Future of Distribution
Preparing Life Insurers for the Future of DistributionPreparing Life Insurers for the Future of Distribution
Preparing Life Insurers for the Future of Distribution
 
Acs ss ice_led
Acs ss ice_ledAcs ss ice_led
Acs ss ice_led
 
Ifam lounge bilanzpolitik
Ifam lounge bilanzpolitikIfam lounge bilanzpolitik
Ifam lounge bilanzpolitik
 
Videos baratos en la red
Videos baratos en la redVideos baratos en la red
Videos baratos en la red
 
New Riverside Green Sand MSDS
New Riverside Green Sand MSDSNew Riverside Green Sand MSDS
New Riverside Green Sand MSDS
 
E - Sweet Tale
E -  Sweet TaleE -  Sweet Tale
E - Sweet Tale
 
A&B Catalog 2011
A&B Catalog 2011A&B Catalog 2011
A&B Catalog 2011
 
Prádena
Prádena Prádena
Prádena
 
Student net iwmw 2010 presentation upload
Student net iwmw 2010 presentation uploadStudent net iwmw 2010 presentation upload
Student net iwmw 2010 presentation upload
 
Formato para referencia de documento electrónico copia
Formato para referencia de documento electrónico   copiaFormato para referencia de documento electrónico   copia
Formato para referencia de documento electrónico copia
 
El Ayuntamiento de La Roda de Andalucía incentiva la contratación de personas...
El Ayuntamiento de La Roda de Andalucía incentiva la contratación de personas...El Ayuntamiento de La Roda de Andalucía incentiva la contratación de personas...
El Ayuntamiento de La Roda de Andalucía incentiva la contratación de personas...
 
imPacT 2016-PT & PTA
imPacT 2016-PT & PTAimPacT 2016-PT & PTA
imPacT 2016-PT & PTA
 
Visual kei
Visual keiVisual kei
Visual kei
 
Crowdar - Introducción a BDD
Crowdar - Introducción a BDDCrowdar - Introducción a BDD
Crowdar - Introducción a BDD
 
Concordia university-guide firstyear
Concordia university-guide firstyearConcordia university-guide firstyear
Concordia university-guide firstyear
 

Similar to PaaSword's main idea, technical architecture and scientific challenges

No More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the CloudNo More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the CloudPaaSword EU Project
 
IRJET- A Survey on Remote Data Possession Verification Protocol in Cloud Storage
IRJET- A Survey on Remote Data Possession Verification Protocol in Cloud StorageIRJET- A Survey on Remote Data Possession Verification Protocol in Cloud Storage
IRJET- A Survey on Remote Data Possession Verification Protocol in Cloud StorageIRJET Journal
 
A Data Privacy and Security by Design Platform‐as‐a‐Service Framework
A Data Privacy and Security by Design Platform‐as‐a‐Service FrameworkA Data Privacy and Security by Design Platform‐as‐a‐Service Framework
A Data Privacy and Security by Design Platform‐as‐a‐Service FrameworkPaaSword EU Project
 
Effective Information Flow Control as a Service: EIFCaaS
Effective Information Flow Control as a Service: EIFCaaSEffective Information Flow Control as a Service: EIFCaaS
Effective Information Flow Control as a Service: EIFCaaSIRJET Journal
 
A Survey on Access Control Scheme for Data in Cloud with Anonymous Authentica...
A Survey on Access Control Scheme for Data in Cloud with Anonymous Authentica...A Survey on Access Control Scheme for Data in Cloud with Anonymous Authentica...
A Survey on Access Control Scheme for Data in Cloud with Anonymous Authentica...IRJET Journal
 
DATA SHARING PROTOCOL TO MINIMIZE THE SECURITY AND PRIVACY RISKS OF CLOUD STO...
DATA SHARING PROTOCOL TO MINIMIZE THE SECURITY AND PRIVACY RISKS OF CLOUD STO...DATA SHARING PROTOCOL TO MINIMIZE THE SECURITY AND PRIVACY RISKS OF CLOUD STO...
DATA SHARING PROTOCOL TO MINIMIZE THE SECURITY AND PRIVACY RISKS OF CLOUD STO...IRJET Journal
 
IRJET- Deduplication of Encrypted Bigdata on Cloud
IRJET- Deduplication of Encrypted Bigdata on CloudIRJET- Deduplication of Encrypted Bigdata on Cloud
IRJET- Deduplication of Encrypted Bigdata on CloudIRJET Journal
 
Cooperative Schedule Data Possession for Integrity Verification in Multi-Clou...
Cooperative Schedule Data Possession for Integrity Verification in Multi-Clou...Cooperative Schedule Data Possession for Integrity Verification in Multi-Clou...
Cooperative Schedule Data Possession for Integrity Verification in Multi-Clou...IJMER
 
Ibm cloud forum managing heterogenousclouds_final
Ibm cloud forum managing heterogenousclouds_finalIbm cloud forum managing heterogenousclouds_final
Ibm cloud forum managing heterogenousclouds_finalMauricio Godoy
 
A Comparative Review on Data Security Challenges in Cloud Computing
A Comparative Review on Data Security Challenges in Cloud ComputingA Comparative Review on Data Security Challenges in Cloud Computing
A Comparative Review on Data Security Challenges in Cloud ComputingIRJET Journal
 
ATMOSPHERE at Digital Infrastructure for Research (DI4R) 2018
ATMOSPHERE at Digital Infrastructure for Research (DI4R) 2018ATMOSPHERE at Digital Infrastructure for Research (DI4R) 2018
ATMOSPHERE at Digital Infrastructure for Research (DI4R) 2018ATMOSPHERE .
 
EOSC-hub Week - Cloud Lightning Talks: Atmosphere
EOSC-hub Week - Cloud Lightning Talks: AtmosphereEOSC-hub Week - Cloud Lightning Talks: Atmosphere
EOSC-hub Week - Cloud Lightning Talks: AtmosphereATMOSPHERE .
 
Atmosphere: project objctives
Atmosphere: project objctivesAtmosphere: project objctives
Atmosphere: project objctivesEOSC-hub project
 
IRJET- Homomorphic Encryption Scheme in Cloud Computing for Security and Priv...
IRJET- Homomorphic Encryption Scheme in Cloud Computing for Security and Priv...IRJET- Homomorphic Encryption Scheme in Cloud Computing for Security and Priv...
IRJET- Homomorphic Encryption Scheme in Cloud Computing for Security and Priv...IRJET Journal
 
A Secure, Scalable, Flexible and Fine-Grained Access Control Using Hierarchic...
A Secure, Scalable, Flexible and Fine-Grained Access Control Using Hierarchic...A Secure, Scalable, Flexible and Fine-Grained Access Control Using Hierarchic...
A Secure, Scalable, Flexible and Fine-Grained Access Control Using Hierarchic...Editor IJCATR
 

Similar to PaaSword's main idea, technical architecture and scientific challenges (20)

PaaSword-Business Cases
PaaSword-Business CasesPaaSword-Business Cases
PaaSword-Business Cases
 
No More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the CloudNo More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the Cloud
 
IRJET- A Survey on Remote Data Possession Verification Protocol in Cloud Storage
IRJET- A Survey on Remote Data Possession Verification Protocol in Cloud StorageIRJET- A Survey on Remote Data Possession Verification Protocol in Cloud Storage
IRJET- A Survey on Remote Data Possession Verification Protocol in Cloud Storage
 
SECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKESSECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKES
 
A Data Privacy and Security by Design Platform‐as‐a‐Service Framework
A Data Privacy and Security by Design Platform‐as‐a‐Service FrameworkA Data Privacy and Security by Design Platform‐as‐a‐Service Framework
A Data Privacy and Security by Design Platform‐as‐a‐Service Framework
 
V04405122126
V04405122126V04405122126
V04405122126
 
Effective Information Flow Control as a Service: EIFCaaS
Effective Information Flow Control as a Service: EIFCaaSEffective Information Flow Control as a Service: EIFCaaS
Effective Information Flow Control as a Service: EIFCaaS
 
A Survey on Access Control Scheme for Data in Cloud with Anonymous Authentica...
A Survey on Access Control Scheme for Data in Cloud with Anonymous Authentica...A Survey on Access Control Scheme for Data in Cloud with Anonymous Authentica...
A Survey on Access Control Scheme for Data in Cloud with Anonymous Authentica...
 
DATA SHARING PROTOCOL TO MINIMIZE THE SECURITY AND PRIVACY RISKS OF CLOUD STO...
DATA SHARING PROTOCOL TO MINIMIZE THE SECURITY AND PRIVACY RISKS OF CLOUD STO...DATA SHARING PROTOCOL TO MINIMIZE THE SECURITY AND PRIVACY RISKS OF CLOUD STO...
DATA SHARING PROTOCOL TO MINIMIZE THE SECURITY AND PRIVACY RISKS OF CLOUD STO...
 
IRJET- Deduplication of Encrypted Bigdata on Cloud
IRJET- Deduplication of Encrypted Bigdata on CloudIRJET- Deduplication of Encrypted Bigdata on Cloud
IRJET- Deduplication of Encrypted Bigdata on Cloud
 
Cooperative Schedule Data Possession for Integrity Verification in Multi-Clou...
Cooperative Schedule Data Possession for Integrity Verification in Multi-Clou...Cooperative Schedule Data Possession for Integrity Verification in Multi-Clou...
Cooperative Schedule Data Possession for Integrity Verification in Multi-Clou...
 
Ibm cloud forum managing heterogenousclouds_final
Ibm cloud forum managing heterogenousclouds_finalIbm cloud forum managing heterogenousclouds_final
Ibm cloud forum managing heterogenousclouds_final
 
A Comparative Review on Data Security Challenges in Cloud Computing
A Comparative Review on Data Security Challenges in Cloud ComputingA Comparative Review on Data Security Challenges in Cloud Computing
A Comparative Review on Data Security Challenges in Cloud Computing
 
Practical Guide to Platform-as-a-Service
Practical Guide to Platform-as-a-Service Practical Guide to Platform-as-a-Service
Practical Guide to Platform-as-a-Service
 
ATMOSPHERE at Digital Infrastructure for Research (DI4R) 2018
ATMOSPHERE at Digital Infrastructure for Research (DI4R) 2018ATMOSPHERE at Digital Infrastructure for Research (DI4R) 2018
ATMOSPHERE at Digital Infrastructure for Research (DI4R) 2018
 
EOSC-hub Week - Cloud Lightning Talks: Atmosphere
EOSC-hub Week - Cloud Lightning Talks: AtmosphereEOSC-hub Week - Cloud Lightning Talks: Atmosphere
EOSC-hub Week - Cloud Lightning Talks: Atmosphere
 
Atmosphere: project objctives
Atmosphere: project objctivesAtmosphere: project objctives
Atmosphere: project objctives
 
IRJET- Homomorphic Encryption Scheme in Cloud Computing for Security and Priv...
IRJET- Homomorphic Encryption Scheme in Cloud Computing for Security and Priv...IRJET- Homomorphic Encryption Scheme in Cloud Computing for Security and Priv...
IRJET- Homomorphic Encryption Scheme in Cloud Computing for Security and Priv...
 
A Secure, Scalable, Flexible and Fine-Grained Access Control Using Hierarchic...
A Secure, Scalable, Flexible and Fine-Grained Access Control Using Hierarchic...A Secure, Scalable, Flexible and Fine-Grained Access Control Using Hierarchic...
A Secure, Scalable, Flexible and Fine-Grained Access Control Using Hierarchic...
 
Governing in the Cloud
Governing in the CloudGoverning in the Cloud
Governing in the Cloud
 

More from PaaSword EU Project

PaaSword - Distributed Searchable Encryption Engine
PaaSword - Distributed Searchable Encryption EnginePaaSword - Distributed Searchable Encryption Engine
PaaSword - Distributed Searchable Encryption EnginePaaSword EU Project
 
PaaSword - No More Dark Clouds with PaaSword
PaaSword - No More Dark Clouds with PaaSwordPaaSword - No More Dark Clouds with PaaSword
PaaSword - No More Dark Clouds with PaaSwordPaaSword EU Project
 
PaaSword - Context-aware Access Control
PaaSword - Context-aware Access ControlPaaSword - Context-aware Access Control
PaaSword - Context-aware Access ControlPaaSword EU Project
 
PaaSword Presentation - Project Overview
PaaSword Presentation - Project OverviewPaaSword Presentation - Project Overview
PaaSword Presentation - Project OverviewPaaSword EU Project
 
No More Dark Clouds With PaaSword - An Innovative Security By Design Framework
No More Dark Clouds With PaaSword - An Innovative Security By Design FrameworkNo More Dark Clouds With PaaSword - An Innovative Security By Design Framework
No More Dark Clouds With PaaSword - An Innovative Security By Design FrameworkPaaSword EU Project
 
A Survey on Context Security Policies in the Cloud
A Survey on Context Security Policies in the CloudA Survey on Context Security Policies in the Cloud
A Survey on Context Security Policies in the CloudPaaSword EU Project
 
Towards Efficient and Secure Data Storage in Multi-Tenant Cloud-Based CRM Sol...
Towards Efficient and Secure Data Storage in Multi-Tenant Cloud-Based CRM Sol...Towards Efficient and Secure Data Storage in Multi-Tenant Cloud-Based CRM Sol...
Towards Efficient and Secure Data Storage in Multi-Tenant Cloud-Based CRM Sol...PaaSword EU Project
 
PaaSword: A Holistic Data Privacy and Security by Design Framework for Cloud ...
PaaSword: A Holistic Data Privacy and Security by Design Framework for Cloud ...PaaSword: A Holistic Data Privacy and Security by Design Framework for Cloud ...
PaaSword: A Holistic Data Privacy and Security by Design Framework for Cloud ...PaaSword EU Project
 

More from PaaSword EU Project (9)

PaaSword - Distributed Searchable Encryption Engine
PaaSword - Distributed Searchable Encryption EnginePaaSword - Distributed Searchable Encryption Engine
PaaSword - Distributed Searchable Encryption Engine
 
PaaSword - No More Dark Clouds with PaaSword
PaaSword - No More Dark Clouds with PaaSwordPaaSword - No More Dark Clouds with PaaSword
PaaSword - No More Dark Clouds with PaaSword
 
PaaSword - Technology Baseline
PaaSword - Technology BaselinePaaSword - Technology Baseline
PaaSword - Technology Baseline
 
PaaSword - Context-aware Access Control
PaaSword - Context-aware Access ControlPaaSword - Context-aware Access Control
PaaSword - Context-aware Access Control
 
PaaSword Presentation - Project Overview
PaaSword Presentation - Project OverviewPaaSword Presentation - Project Overview
PaaSword Presentation - Project Overview
 
No More Dark Clouds With PaaSword - An Innovative Security By Design Framework
No More Dark Clouds With PaaSword - An Innovative Security By Design FrameworkNo More Dark Clouds With PaaSword - An Innovative Security By Design Framework
No More Dark Clouds With PaaSword - An Innovative Security By Design Framework
 
A Survey on Context Security Policies in the Cloud
A Survey on Context Security Policies in the CloudA Survey on Context Security Policies in the Cloud
A Survey on Context Security Policies in the Cloud
 
Towards Efficient and Secure Data Storage in Multi-Tenant Cloud-Based CRM Sol...
Towards Efficient and Secure Data Storage in Multi-Tenant Cloud-Based CRM Sol...Towards Efficient and Secure Data Storage in Multi-Tenant Cloud-Based CRM Sol...
Towards Efficient and Secure Data Storage in Multi-Tenant Cloud-Based CRM Sol...
 
PaaSword: A Holistic Data Privacy and Security by Design Framework for Cloud ...
PaaSword: A Holistic Data Privacy and Security by Design Framework for Cloud ...PaaSword: A Holistic Data Privacy and Security by Design Framework for Cloud ...
PaaSword: A Holistic Data Privacy and Security by Design Framework for Cloud ...
 

Recently uploaded

Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 

PaaSword's main idea, technical architecture and scientific challenges

  • 7. Use Cases & Business Challenges
    The outcome of the PaaSword Framework is demonstrated by means of 5 Use Cases situated in different application areas:
    Secure Sensors Analytics for IoT applications
    Cloud-based Multi-tenant CRM software
    Encrypted Persistency included in PaaS/SaaS Services
    Multi-tenant ERP Environments
    Platform for Cross-border Document Exchange
    Business Challenges are derived from the analysis of the Use Cases
  • 8. Secure Sensors Data Fusion and Analytics
    Siemens SRL
    Sensor Middleware: fine-grained ICT monitoring system for both static and mobile distributed critical infrastructures
    Public utilities (PU) or supply chains (SC)
    The system provides:
    Reports in order to support the end-user in deciding whether to accept a shipment (SC) or a public service (PU), e.g. through QoS monitoring
    Real-time alerts and early warnings in order to guarantee the quality of a provided service, i.e. enabling transporters (SC) and public service & safety providers (PU) to proactively avoid or minimize damage
    Automatic control of operational states (i.e. of storage and transport conditions for SC, of public service distribution and scaling for PU) in order to comply with product and service requirements
    Data is stored in a NoSQL storage engine because of its linear scaling factor; scaling is achieved through sharding
  • 9. Secure Sensors Data Fusion and Analytics
    The resulting security framework should:
    provide redundancy capabilities for the management, storage and processing systems in case of failures;
    provide support for performing failure and forensic analysis on data-storage and processing components;
    identify ways to detect and report security and system failures.
  • 10. Protection of Personal Data in a Multi-Tenant CRM Environment (CAS Software AG)
    CRM software stores, links and processes huge amounts of personal and customer data as well as sensitive enterprise data
    This data is an interesting target, mainly for passive adversaries
    Another major threat is internal adversaries who have access to the unencrypted data of multiple tenants directly in the data center
    CRM software developers are mainly non-security experts who need to write security-aware code
    Data encryption needs to be included at the persistence layer
    The performance impact needs to be limited to those parts of the data that must be protected
    Data is stored in relational databases
  • 11. Protection of Personal Data in a Multi-Tenant CRM Environment
    The resulting security framework should:
    support security as a part of the application/data lifecycle management;
    support tenant isolation in order to support the multiple-tenant structure of a CRM solution, especially the “one DB per tenant” approach;
    provide developer documentation and guidelines for security features in the platform in order to enable non-security experts to develop security-aware CRM software;
    provide patch management for secure platform components;
    provide secure key management;
    support permissions based on the situation of the user.
  • 12. Encrypted Persistency as PaaS/IaaS-Service – Pilot Implementation (SixSq)
    SlipStream, a cloud application management platform, facilitates management of the full cloud application lifecycle
    Most cloud applications are n-tier web applications that need appropriate levels of security, privacy and confidentiality
    Developing the data protection infrastructure with respect to ISO standards and EU data handling requirements is time consuming and costly
  • 13. Encrypted Persistency as PaaS/IaaS-Service – Pilot Implementation
    The security framework should:
    Produce components that can be parameterized and integrated with other application services (including external user authentication mechanisms);
    Provide a complete set of components that can demonstrably meet the requirements of the EU data protection legislation and similar regulatory requirements around the world.
  • 14. Protection of Sensitive Enterprise Information on Multi-Tenant ERP Environments (Singular Logic)
    Enterprise Resource Planning solution with single-tenant and multi-tenant scenarios relying on IaaS deployment schemes
    Data being exposed to third parties in a multi-tenant environment is one of the main risks
    Virtualized infrastructure includes the risk that one machine in this setting could monitor what its neighbours are doing
    Poor implementation of access management includes the risk that customer data will get exposed to other users
  • 15. Protection of Sensitive Enterprise Information on Multi-Tenant ERP Environments
    The resulting security framework should:
    Support searchable encryption of the database;
    Be able to support encryption/decryption through all steps of the application and data lifecycle;
    Support tenant isolation in order to support the multiple-tenant ERP solution, based on the “one DB per tenant” approach;
    Not introduce extreme computational overhead;
    Offer encryption in the data transportation layer;
    Provide extended developer documentation and guidelines for the security features in order to be properly integrated into the existing solution;
    Provide secure key management.
  • 16. Intergovernmental Secure Document and Personal Data Exchange (Ubitech)
    The Intergovernmental Exchange Platform facilitates international co-operation in civil-status matters and further enables the exchange of information between civil registrars
    The platform needed to adhere to very high security standards for the generation and transmission of highly sensitive personal data, taking into consideration that the transmission channel is going to be the Internet, a totally hostile environment for sensitive data
    Problem of end-to-end electronic exchange: one of the most vulnerable parts of the platform is the so-called Exchange Server, where the exchange (inbound/outbound) queues and routing databases reside
    Protection of the raw data that resides in the central database
  • 17. Intergovernmental Secure Document and Personal Data Exchange
    The resulting security framework should:
    Produce components that re-assure as much as possible that interchangeable data are secure from malicious users that are either external or internal, i.e. they belong to the ecosystem of the operational environment. This is very crucial since these types of applications have a complex operational environment.
    Produce components that can apply security policies that take into consideration the specificities of cross-border exchange (e.g. restrict the interaction of users based on their location)
    Produce components that are in line with the eIDAS regulation (such as electronic signatures, electronic seals, time stamps, electronic delivery services and website authentication) while in parallel contributing to seamless encryption of data
  • 18. Business Challenges
    Encryption of distributed existing databases and corresponding transaction logs
    Context-driven policies for accessing the stored information
    Object annotations modelling access rights for specific purposes, easily understood and defined by application developers, and a corresponding interpreter generating policy enforcement rules
    Virtualization of data storages, i.e. SQL and No-SQL, realizing the appropriate query synthesis and aposynthesis (decomposition) capabilities
    Key management mechanisms making the key usage transparent to the cloud-based applications and services
    Asymmetric encryption, enabling the per-user encryption of the stored data and the per-user definition of policies regarding said data
  • 19. Walkthrough PaaSword
    PaaSword provides an IDE-specific plug-in incorporating all PaaSword features used by the developer for an MVC-based application
    The developer creates annotations at the Data Access Objects referring to sensitive data that should be protected, according to the XACML-based Context-aware Policy Access Model
    PaaSword performs a validity check of the DAO annotations
    According to the DAO annotations, the application's persistence layer is distributed and the data encrypted
    Each query and processing request is forwarded by the enhanced Controller to the Query Handling mechanism
  • 20. Walkthrough PaaSword
    The Policy Enforcement Mechanism grants the incoming request access to the data or not, taking into account the user-defined access policies;
    The Query Handling mechanism submits the enhanced query to the augmented persistence layer;
    The Database Proxy registers the distributed query to the distributed and encrypted parts and federates the respective data from the distributed parts of the database;
    Federated data synthesis and ad-hoc decryption utilizing the key of the end-user that is transparently (to the application) propagated to the Query Handling mechanism;
    Decrypted data is delivered to the application controller, which forwards it to the end-user
  • 22. Overview of Basic Concepts
  • 23. PaaSword Semantic Models
    What is this artefact? PaaSword Semantic Models is a set of ontological models that aim to conceptualize two things:
    possible encryption/decryption policies that can be used during runtime by an application in order to protect specific columns in a database
    possible policies that can be applied at the web endpoints of an application
    Who is using it? They are used after their interpretation in libraries
    Who manages it? A PaaSword Administrator is able to extend these models
  • 24. Typesafe Development Libraries
    What is this artefact? It is a set of Java Annotation Libraries (JSR-175 compliant) that provide developers the ability to annotate specific parts of their code. These parts include @Entity classes, @Path("/restendpoint") etc. Annotations will drive specific 'business logic' during runtime.
    Who is using it? A Cloud Application Developer during the development of an application that will be hosted in a PaaS environment
    Who manages it? It is autogenerated by a Semantic Model Interpreter
  • 25. PaaSword Application
    What is this artefact? This is not practically an actual artefact of the project; it is an application that uses the Typesafe Development Libraries
    Who is using it? Upon deployment in a JEE container the application is available to end-users
    Who manages it? The PaaSword Application is managed by DevOps, in the sense that they perform all appropriate steps that are needed prior to deployment
  • 26. PaaSword-enabled Container
    What is this artefact? It is a JEE container that is able to interpret during runtime the (PaaSword) annotations that the developer has used. A PaaSword-enabled container is able to:
    Interpret and implement encryption/decryption policies for specific columns of a database
    Handle policies that are declaratively defined
    Who is using it? A DevOps user that is responsible for the operation of an application
    Who manages it? The PaaS provider
  • 27. Outsourced Database
    What is this artefact? It is a plain RDBMS engine that operates in a completely untrusted IaaS zone
    Who is using it? The PaaSword-enabled application will use this RDBMS in order to host encrypted data
    Who manages it? The IaaS provider
  • 29. Requirements Methodology
    Capturing of requirements was a multi-step procedure
    Initially we discriminated between Functional Requirements and Security Requirements:
    Functional requirements affected the Architecture and will affect the reference implementation
    Security requirements affect the Encryption/Decryption policies and the Key-Management policies that will be developed
    Our end-users drove this procedure
    As a first step, all PaaSword stakeholders have been identified
  • 30. Different Requirements per Role
  • 31. PaaSword Administrator & Developer
  • 32. DevOps's & PaaS Provider's F.R.
  • 34. Capturing Security Requirements
    The core asset that has to be protected is the database
    Following a risk-management methodology, we ended up identifying Assets, Threats and Vulnerabilities that relate to the database
    Based on the identified Threats, end-users raised their concrete security requirements
    These requirements have been collected and ranked
    The ranking is a guide for the reference implementation
  • 36. Ranked security requirements
    Ranking Description | CAS | UBI | SILO | SixSq | SIE | Ave
    PSw SHALL guarantee that the credentials of a user can be revoked without affecting the Transparent Data Encryption (TDE) scheme that is used at the database level | 9 | 10 | 9 | 9 | 9 | 9.2
    PSw SHALL guarantee that the revocation of the credentials of one user does not affect the credentials or the TDE scheme of the other users | 9 | 10 | 9 | 9 | 9 | 9.2
    PSw SHOULD use a key generation algorithm (for keys associated to users/roles) that should guarantee that when a user key is compromised the rest of the keys MUST not be revoked | 9 | 10 | 9 | 9 | 9 | 9.2
    PSw SHALL support symmetric TDE of sensitive data. | 9 | 10 | 9 | 7 | 7 | 8.4
    PSw SHALL be operational only if transport level encryption is configured | 9 | 9 | 9 | 6 | 5 | 7.6
    PSw SHOULD ensure that deployed applications in the Application Server are trusted using a mature trust model | 8 | 7 | 8 | 8 | 9 | 7.6
    PSw SHALL interact with its underlying persistency layer using an encrypted connection | 7 | 8 | 7 | 7 | 7 | 7.6
    TDE SHOULD be supported on top of a monolithic database | 9 | 10 | 9 | 5 | 5 | 7.6
  • 39. PaaSword Central Administration
    It is a centralized component that hosts the Semantic Models and the libraries that are autogenerated from these models. Its main sub-components include:
    Semantic Model Management: manages semantic artefacts
    Design Time Library Management: generates JSR-175 Annotation libraries
    Runtime Library Management: generates runtime libraries that are deployed in the PaaS Container
    PaaSword User Administration: manages PaaSword users (i.e. ISVs that use the libraries)
  • 40. Application Development Zone
    PaaSword libraries can be used by the developers of ISVs in order to create PaaSword-enabled applications. Libraries can be extended using a specific methodology. There is only one component that belongs to this zone:
    Trusted Deployment Generator: it injects the deployment archive with the proper certificates/configurations that are needed, and it signs the deployment archive
  • 41. PaaSword Execution Container
    A JEE container which is able to interpret the annotations during runtime and perform all policies. Its main components include:
    PaaSword Deployment Management: responsible for validating the deployment archive
    Transparent Encryption & Decryption Mechanism: responsible for bootstrapping the database and handling TDE queries
    Key Management Mechanism: responsible for performing key management operations
    Security Policy Evaluation and Enforcement & Security Policy Management: responsible for handling the policies that are defined by annotations and possibly edited by DevOps
    HTTP Request Interceptor: responsible for forwarding the HTTP request to PaaSword handlers
  • 42. Tenant Trusted Operational Zone
    This is a special zone which belongs to the tenant and contains some components that facilitate searchable encryption. The main components in this zone include:
    Trusted Key Generator: responsible for generating and handling tenant keys
    Re-encryption Proxy: it facilitates searchable encryption
  • 43. PaaSword Policy 1 – Monolithic Installation
    The encryption/decryption process is performed by using a PaaS Container
    The encryption key exists constantly in memory
    The key is generated by the TKP and provided once during bootstrapping
  • 44. PaaSword Policy 1 – Monolithic Installation
    Advantages:
    Easy to implement
    No operational preconditions have to be fulfilled by the application provider
    Business Logic can perform SCRUD operations transparently
    Disadvantages:
    No theoretical proof that a key cannot be circumvented by a compromised container
    The DB's data resides in one place, so brute force attacks can be performed once it is compromised
    The key is continuously stored in memory
  • 45. PaaSword Policy 2 – Monolithic Installation
    The encryption and decryption process is performed using a PaaS Container
    The encryption key exists constantly in memory
    In contrast to PaaSword Policy 1:
    The key is resynthesized on demand at every entity's usage
    The key is generated by the TKP, which is interconnected with the IDM
  • 46. PaaSword Policy 2 – Monolithic Installation
    Advantages:
    Business Logic can perform SCRUD operations transparently
    The asymmetric key is not stored permanently in memory
    Revocation of one key does not affect the platform
    Disadvantages:
    More complex to implement than PaaSword Policy 1
    No theoretical proof that a key cannot be circumvented by a compromised container
    The DB's data resides in one place, so brute force attacks can be performed once it is compromised
  • 47. PaaSword Policy 3 – Monolithic Installation
    The encryption and decryption process is performed using an Encryption Proxy
    The key is based on a tenant key that is generated by the TKP
  • 48. PaaSword Policy 3 – Monolithic Installation
    Advantage: the container has no access to plain text
    Disadvantage: Business Logic cannot perform all SCRUD operations
  • 49. PaaSword Policy 4 – Distributed Installation
    [Figure: Zone Model. Zones: Fully trusted zone, Trusted zone, Semi-trusted zone, Untrusted zone. Parties: Hardware of data owner, Certified cloud provider, Storage cloud provider. Components: Database proxy, Data, Index]
  • 50. Secure Database Proxy
    [Figure: User/Application exchanges Data (not encrypted) with the DB-Proxy (trusted); the DB-Proxy exchanges Data/Indexes (encrypted) over SQL/(no)SQL with the Cloud (untrusted), which stores Data, Index1 and Index2]
  • 51. Transformation
    Original table (Person):
    ID | First Name | Last Name | Town | Date Of Birth
    1 | Paul | Fischer | Hannover | 01.01.1979
    2 | Hans | Müller | Karlsruhe | 02.02.1974
    3 | Frank | Schmidt | Stuttgart | 03.03.1972
    4 | Frank | Maier | Hamburg | 04.04.1983
    Data:
    ID | encrypted Data
    1 | Enc(Paul,Fischer,Hannover,01.01.1979)
    2 | Enc(Hans,Müller,Karlsruhe,02.02.1974)
    3 | Enc(Frank,Schmidt,Stuttgart,03.03.1972)
    4 | Enc(Frank,Maier,Hamburg,04.04.1983)
    Index1:
    Keyword | IDs
    FirstName:Paul | Enc(1)
    FirstName:Hans | Enc(2)
    FirstName:Frank | Enc(3,4)
    Index2:
    Keyword | IDs
    LastName:Fischer | Enc(1)
    LastName:Müller | Enc(2)
    LastName:Schmidt | Enc(3)
    LastName:Maier | Enc(4)
    Attributes are lost in the crowd; the original association is hidden
  • 52. Example (1/4) – Transform query
    Application query: SELECT * FROM Person WHERE FirstName = 'Frank' AND LastName = 'Maier'
    The DB-Proxy transforms it into two index lookups:
    SELECT ID FROM Index1 WHERE Keyword = 'FirstName:Frank'
    SELECT ID FROM Index2 WHERE Keyword = 'LastName:Maier'
  • 53. Example (2/4) – Decrypt and compose
    Index1 returns IDs Enc(3,4); Index2 returns IDs Enc(4)
    The DB-Proxy decrypts both ID lists and composes (intersects) them: ID 4
  • 54. Example (3/4) – Fetch Data
    SELECT * FROM Data WHERE ID in {4}
  • 55. Example (4/4) – Decrypt and send result
    Data returns Enc(Frank, Maier, Hamburg, 04.04.1983)
    The DB-Proxy decrypts it and sends the result to the application: Frank, Maier, Hamburg, 04.04.1983
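The transformation of slide 51 and the four query steps of slides 52 to 55, as an added runnable example that is not part of the original slides or of the PaaSword project: a trusted DB-Proxy holding the tenant key builds the encrypted Data table and the two keyword indexes, then answers the conjunctive query by index lookup, decryption, intersection and row fetch. The cipher is a toy HMAC-SHA256 counter-mode keystream standing in for a real AEAD, the keyword tokens are HMAC values, and the key and Person rows are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Set, Tuple

# Constructed sample data: the Person table from slide 51.
PERSONS = [
    (1, "Paul", "Fischer", "Hannover", "01.01.1979"),
    (2, "Hans", "Müller", "Karlsruhe", "02.02.1974"),
    (3, "Frank", "Schmidt", "Stuttgart", "03.03.1972"),
    (4, "Frank", "Maier", "Hamburg", "04.04.1983"),
]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode (stand-in for a real AEAD, not for production)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def enc(key: bytes, plaintext: bytes) -> bytes:
    """Enc(...) from the slides: fresh random nonce, XOR with the keystream."""
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def dec(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:16], ciphertext[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def token(key: bytes, keyword: str) -> str:
    """Keyword token: PRF of 'Column:value', so the untrusted cloud only sees opaque index keys."""
    return hmac.new(key, keyword.encode(), hashlib.sha256).hexdigest()


class DBProxy:
    """Trusted DB-Proxy: holds the tenant key; the cloud side (data/index1/index2) stores only ciphertexts."""

    def __init__(self, key: bytes):
        self.key = key
        self.data: Dict[int, bytes] = {}      # Data table:  ID -> Enc(row)
        self.index1: Dict[str, bytes] = {}    # Index1: token(FirstName:x) -> Enc(id list)
        self.index2: Dict[str, bytes] = {}    # Index2: token(LastName:x)  -> Enc(id list)

    def load(self, rows) -> None:
        """Transformation step: encrypt each row and build the two keyword indexes."""
        post1: Dict[str, List[int]] = {}
        post2: Dict[str, List[int]] = {}
        for rid, first, last, town, dob in rows:
            self.data[rid] = enc(self.key, ",".join([first, last, town, dob]).encode())
            post1.setdefault(token(self.key, f"FirstName:{first}"), []).append(rid)
            post2.setdefault(token(self.key, f"LastName:{last}"), []).append(rid)
        for index, postings in ((self.index1, post1), (self.index2, post2)):
            for tok, ids in postings.items():
                # Enc(3,4): the ID list itself is encrypted, hiding the association
                index[tok] = enc(self.key, ",".join(map(str, ids)).encode())

    def _ids(self, index: Dict[str, bytes], keyword: str) -> Set[int]:
        """SELECT ID FROM IndexN WHERE Keyword = token(keyword), then decrypt the ID list."""
        ct = index.get(token(self.key, keyword))
        return set(map(int, dec(self.key, ct).decode().split(","))) if ct else set()

    def query(self, first: str, last: str) -> List[Tuple[str, ...]]:
        """SELECT * FROM Person WHERE FirstName = first AND LastName = last, via the proxy."""
        # Steps 1-2: transform into index lookups, decrypt and compose (intersect) the ID sets.
        ids = self._ids(self.index1, f"FirstName:{first}") & self._ids(self.index2, f"LastName:{last}")
        # Steps 3-4: SELECT * FROM Data WHERE ID in {...}, decrypt and return the rows.
        return [tuple(dec(self.key, self.data[i]).decode().split(",")) for i in sorted(ids)]
```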
  • 57. Searchable Encryption Scheme
    Define a Searchable Encryption (SE) scheme which is able to work with encrypted data based on defined policies
    SE needs to allow multi-read, multi-write and needs to provide keyword privacy
    SE needs to offer revocation functionalities in order to tackle misbehaving users
    SE needs to be efficient and able to run on multiple devices with different resources
    Possibly offer different SE schemes with different functionalities/security levels
  • 58. Access Control Policies
    Access Control Policies are based on the Access Control Model
    Developers choose the applied Access Control Model
    Key-Policy Attribute Based Encryption – Ciphertext-Policy Attribute Based Encryption
    Which one can be applied in the PaaSword setting? Move to a revocable version?
    Access Control Policies are Context-Aware by using a Context Model
    The Context Model is based on LinkedUSDL, taking into account context attributes, i.e. geolocation, device, …
    Each data type has its own context attributes
  • 59. Insecure APIs
    Transport Security
    Protect APIs carrying sensitive data within a secure channel
    Use SSL/TLS
    How to generate/manage valid certificates from an internal/external certificate authority?
    Issues with configuring platform services and software integration
    Issues with end-to-end protection if any proxying platforms are required as intermediaries
    Code and Development Practices
    Test any API that passes JSON/XML messages or accepts input from users/applications for standard injection flaws and cross-site request forgery attacks
  • 60. Insecure APIs
    Authentication & Authorization – Open Issues
    Can APIs manage the encryption of usernames and passwords?
    Is it possible to manage two-factor authentication attributes?
    Can fine-grained authorization policies be created and maintained?
    Is there continuity between internal identity management systems and attributes, and those extended by APIs from cloud providers?
    Reusable tokens/passwords?
    API dependencies?
    Limited monitoring/logging capabilities?
    Inflexible access control?
  • 61. Conclusion I
    PaaSword provides a holistic framework providing data privacy and security by design
    Added value exemplified on 5 business demonstrations
    Based on the concepts of PaaSword:
    Semantic Models
    Typesafe Development Libraries
    PaaSword Application
    PaaSword-enabled Container
    Outsourced Database
    Architecture and Reference Implementation defined with the help of Functional Requirements & Security Requirements from Stakeholders
  • 62. Conclusion II
    Architecture consists of:
    PaaSword Central Administration
    Application Development Zone
    PaaSword Execution Container
    Tenant Trusted Operational Zone
    PaaSword Policies for Security 1, 2, 3, 4
    PaaSword Scientific Challenges:
    Searchable Encryption working with encrypted data based on defined policies – Combine Searchable Encryption with Access Control Policies
    Insecure APIs
  • 63. Questions?
    Visit us: www.paasword.eu
    Acknowledgements: This project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 644814.