PaaSword's main idea, technical architecture and scientific challenges
1. www.paasword.eu
Dr. Julia Vuong, Andreas Schoknecht
CAS Software AG, Karlsruhe Institute of Technology
PANOPTESEC Workshop
September 08, 2015, Brussels
4. PaaSword in a Nutshell
Holistic framework to unlock valuable business benefits of Cloud Computing by providing data privacy and security by design, safeguarding both corporate and personal data for cloud infrastructures and storage services.
Protecting the data persistency layer and the database itself as the most critical targets.
PaaSword08/09/2015 4
[Figure: PaaSword overview. Actors: Developer (publishes an application using the PaaSword API), User, Adversary. Components: PaaS Provider exposing the PaaSword API, Trusted IaaS Provider, DB with indexes on encrypted data; queries run over the encrypted data using a Searchable Encryption Scheme.]
6. Goals for PaaSword
Leverage the security and trust of Cloud infrastructures and services.
Facilitate context-aware, ad-hoc decryption and access to encrypted and physically distributed datasets stored in Cloud infrastructures and services.
Enable the engineering of data-privacy-and-security-by-design Cloud services and applications.
Ensure the protection, privacy and integrity of the data stored in Cloud infrastructures and services.
Prove the applicability, usability, effectiveness and value of the PaaSword concepts, models and mechanisms in industrial, real-life Cloud infrastructures, services and applications.
7. Use Cases & Business Challenges
The PaaSword Framework outcome is demonstrated by means of 5 Use Cases situated in different application areas:
Secure Sensor Analytics for IoT applications
Cloud-based Multi-tenant CRM software
Encrypted Persistency included in PaaS/SaaS Services
Multi-tenant ERP Environments
Platform for Cross-border Document Exchange
Business Challenges are derived from the analysis of the Use Cases.
8. Secure Sensors Data Fusion and Analytics
Siemens SRL
Sensor Middleware: fine-grained ICT monitoring system for both static and mobile distributed critical infrastructures, i.e. public utilities (PU) or supply chains (SC).
The system provides:
Reports in order to support the end-user in deciding whether to accept a shipment (SC) or public service (PU), e.g. through QoS monitoring.
Real-time alerts and early warnings in order to guarantee the quality of a provided service, i.e. enabling transporters (SC) and public service & safety providers (PU) to proactively avoid or minimize damages.
Automatic control of operational states (i.e. of storage and transport conditions for SC, public service distribution and scaling for PU) in order to comply with product and service requirements.
Data is stored in a NoSQL storage engine due to its linear scaling factor; scaling is achieved through sharding.
9. Secure Sensors Data Fusion and Analytics
The resulting security framework should:
provide redundancy capabilities for the management, storage and processing systems in case of failures;
provide support for performing failure and forensic analysis on data-storage and processing components;
identify ways to detect and report security and system failures.
10. Protection of Personal Data in a Multi-Tenant CRM Environment
CAS Software AG
CRM software stores, links and processes huge amounts of personal and customer data as well as sensitive enterprise data.
This data is an interesting target for mainly passive adversaries.
Another huge threat are internal adversaries who have access to the unencrypted data of multiple tenants directly in the data center.
CRM software developers are mainly non-security experts who need to write security-aware code.
Data encryption needs to be included at the persistence layer.
The performance impact needs to be limited to those parts of the data that must be protected.
Data is stored in relational databases.
11. Protection of Personal Data in a Multi-Tenant CRM Environment
The resulting security framework should:
support security as a part of the application/data lifecycle management;
support tenant isolation in order to support the multiple-tenant structure of a CRM solution, especially the “one DB per tenant” approach;
provide developer documentation and guidelines for security features in the platform in order to enable non-security experts to develop security-aware CRM software;
provide patch management for secure platform components;
provide secure key management;
support permissions based on the situation of the user.
12. Encrypted Persistency as PaaS/IaaS-Service - Pilot Implementation
SixSq
SlipStream, a cloud application management platform, facilitates management of the full cloud application lifecycle.
Most cloud applications are n-tier web applications that need appropriate levels of security, privacy and confidentiality.
Developing the data protection infrastructure with respect to ISO standards and EU data handling requirements is time consuming and costly.
13. Encrypted Persistency as PaaS/IaaS-Service - Pilot Implementation
The security framework should:
Produce components that can be parameterized and integrated with other application services (including external user authentication mechanisms);
Provide a complete set of components that can demonstrably meet the requirements of the EU data protection legislation and similar regulatory requirements around the world.
14. Protection of Sensitive Enterprise Information in Multi-Tenant ERP Environments
Singular Logic
Enterprise Resource Planning solution with single-tenant and multi-tenant scenarios relying on IaaS deployment schemes.
Data being exposed to third parties in a multi-tenant environment is one of the main risks.
Virtualized infrastructure includes the risk that one machine in this setting could monitor what its neighbours are doing.
Poor implementation of access management includes the risk that customer data will get exposed to other users.
15. Protection of Sensitive Enterprise Information in Multi-Tenant ERP Environments
The resulting security framework should:
Support searchable encryption of the database;
Be able to support encryption/decryption through all steps of the application and data lifecycle;
Support tenant isolation in order to support the multiple-tenant ERP solution, based on the “one DB per tenant” approach;
Not introduce extreme computational overhead;
Offer encryption in the data transportation layer;
Provide extended developer documentation and guidelines for the security features in order to be properly integrated into the existing solution;
Provide secure key management.
16. Intergovernmental Secure Document and Personal Data Exchange
Ubitech
The Intergovernmental Exchange Platform facilitates international co-operation in civil-status matters and further enables the exchange of information between civil registrars.
The platform needed to adhere to very high security standards for the generation and transmission of highly sensitive personal data, taking into consideration that the transmission channel is going to be the Internet, a totally hostile environment for sensitive data.
Regarding the problem of end-to-end electronic exchange, one of the most vulnerable parts of the platform is the so-called Exchange Server, where the exchange (inbound/outbound) queues and routing databases reside.
Protection of the raw data that resides in the central database.
17. Intergovernmental Secure Document and Personal Data Exchange
The resulting security framework should:
Produce components that assure as much as possible that the exchanged data is secure from malicious users that are either external or internal, i.e. belong to the ecosystem of the operational environment. This is very crucial since these types of applications have complex operational environments.
Produce components that can apply security policies that take into consideration the specificities of cross-border exchange (e.g. restrict the interaction of users based on their location).
Produce components that are in line with the eIDAS regulation (such as electronic signatures, electronic seals, time stamps, electronic delivery services and website authentication) while in parallel contributing to seamless encryption of data.
18. Business Challenges
Encryption of distributed existing databases and corresponding transaction logs
Context-driven policies for accessing the stored information
Object annotations modelling access rights for specific purposes, easily understood and defined by application developers, and a corresponding interpreter generating policy enforcement rules
Virtualization of data storages, i.e. SQL and NoSQL, realizing the appropriate query synthesis and aposynthesis (decomposition) capabilities
Key management mechanisms making the key usage transparent to the cloud-based applications and services
Asymmetric encryption, enabling the per-user encryption of the stored data and the per-user definition of policies regarding said data
19. Walkthrough PaaSword
PaaSword provides an IDE-specific plug-in incorporating all PaaSword features used by the developer for his MVC-based application.
The developer creates annotations at the Data Access Objects referring to sensitive data that should be protected, according to the XACML-based Context-aware Policy Access Model.
PaaSword performs a validity check of the DAO annotations.
According to the DAO annotations, the application's persistence layer is distributed and the data encrypted.
Each query and processing request is forwarded by the enhanced Controller to the Query Handling mechanism.
20. Walkthrough PaaSword
The Policy Enforcement Mechanism grants or denies the incoming request access to the data, taking into account the user-defined access policies;
The Query Handling mechanism submits the enhanced query to the augmented persistence layer;
The Database Proxy registers the distributed query to the distributed and encrypted parts and federates the respective data from the distributed parts of the database;
Federated data synthesis and ad-hoc decryption utilizing the key of the end-user that is transparently (to the application) propagated to the Query Handling mechanism;
Decrypted data is delivered to the application controller, which forwards it to the end-user.
23. PaaSword Semantic Models
what is this artefact?
PaaSword Semantic Models is a set of ontological models that aim to conceptualize two things:
possible encryption/decryption policies that can be used during runtime by an application in order to protect specific columns in a database;
possible policies that can be applied at the web endpoints of an application.
who is using it?
They are used after their interpretation in libraries.
who manages it?
A PaaSword Administrator is able to extend these models.
24. Typesafe Development Libraries
what is this artefact?
It is a set of Java Annotation Libraries (JSR-175 compliant) that provide developers the ability to annotate specific parts of their code.
These parts include @Entity classes, @Path(“/restendpoint”) resources, etc.
Annotations will drive specific ‘business logic’ during runtime.
who is using it?
A Cloud Application Developer during the development of an application that will be hosted in a PaaS environment.
who manages it?
It is autogenerated by a Semantic Model Interpreter.
25. PaaSword Application
what is this artefact?
This is not practically an actual artefact of the project; rather, it is an application that uses the Typesafe Development Libraries.
who is using it?
Upon deployment in a JEE container the application is available to end-users.
who manages it?
The PaaSword Application is managed by a DevOps user, in the sense that they perform all appropriate steps that are needed prior to deployment.
26. PaaSword-enabled Container
what is this artefact?
It is a JEE container that is able to interpret during runtime the (PaaSword) annotations that the developer has used.
A PaaSword-enabled container is able to:
interpret and implement encryption/decryption policies for specific columns of a database;
handle policies that are declaratively defined.
who is using it?
A DevOps user that is responsible for the operation of an application
who manages it?
The PaaS provider
27. Outsourced Database
what is this artefact?
It is a plain RDBMS engine that operates in a completely untrusted IaaS zone.
who is using it?
The PaaSword-enabled application will use this RDBMS in order to host encrypted data.
who manages it?
The IaaS provider
29. Requirements Methodology
Capturing of Requirements was a multi-step procedure.
Initially we discriminated between Functional Requirements and Security Requirements:
Functional requirements affected the Architecture and will affect the reference implementation;
Security requirements affect the Encryption/Decryption policies and the Key-Management policies that will be developed.
Our end-users drove this procedure.
As a first step, all PaaSword stakeholders have been identified.
34. Capturing Security Requirements
The core asset that has to be protected is the database.
Following a risk-management methodology we ended up identifying Assets, Threats and Vulnerabilities that relate to the database.
Based on the identified Threats, end-users raised their concrete security requirements.
These requirements have been collected and ranked.
The ranking is a guide for the reference implementation.
36. Ranking
| Description | CAS | UBI | SILO | SixSq | SIE | Avg |
| --- | --- | --- | --- | --- | --- | --- |
| PSw SHALL guarantee that the credentials of a user can be revoked without affecting the Transparent Data Encryption (TDE) scheme that is used at the database level | 9 | 10 | 9 | 9 | 9 | 9.2 |
| PSw SHALL guarantee that the revocation of the credentials of one user does not affect the credentials or the TDE scheme of the other users | 9 | 10 | 9 | 9 | 9 | 9.2 |
| PSw SHOULD use a key generation algorithm (for keys associated to users/roles) that should guarantee that when a user key is compromised the rest of the keys MUST not be revoked | 9 | 10 | 9 | 9 | 9 | 9.2 |
| PSw SHALL support symmetric TDE of sensitive data. | 9 | 10 | 9 | 7 | 7 | 8.4 |
| PSw SHALL be operational only if transport level encryption is configured | 9 | 9 | 9 | 6 | 5 | 7.6 |
| PSw SHOULD ensure that deployed applications in the Application Server are trusted using a mature trust model | 8 | 7 | 8 | 8 | 9 | 7.6 |
| PSw SHALL interact with its underlying persistency layer using an encrypted connection | 7 | 8 | 7 | 7 | 7 | 7.6 |
| TDE SHOULD be supported on top of a monolithic database | 9 | 10 | 9 | 5 | 5 | 7.6 |
39. PaaSword Central Administration
It is a centralized component that hosts the Semantic Models and the libraries that are autogenerated from these models. Its main sub-components include:
Semantic Model Management: manages semantic artefacts
Design Time Library Management: generates JSR-175 Annotation libraries
Runtime Library Management: generates runtime libraries that are deployed in the PaaS Container
PaaSword User Administration: manages PaaSword users (i.e. ISVs that use the libraries)
40. Application Development Zone
PaaSword libraries can be used by the developers of ISVs in order to create PaaSword-enabled applications. Libraries can be extended using a specific methodology. There is only one component that belongs to this zone:
Trusted Deployment Generator: it injects the deployment archive with the proper certificates/configurations that are needed, and it signs the deployment archive.
41. PaaSword Execution Container
A JEE container which is able to interpret the annotations during runtime and perform all policies. Its main components include:
PaaSword Deployment Management: responsible for validating the deployment archive
Transparent Encryption & Decryption Mechanism: responsible for bootstrapping the database and handling TDE queries
Key Management Mechanism: responsible for performing key management operations
Security Policy Evaluation and Enforcement & Security Policy Management: responsible for handling the policies that are defined by annotations and possibly edited by the DevOps user
HTTP Request Interceptor: responsible for forwarding the HTTP request to PaaSword handlers
42. Tenant Trusted Operational Zone
This is a special zone which belongs to the tenant and contains some components that facilitate searchable encryption. The main components in this zone include:
Trusted Key Generator: responsible for generating and handling tenant keys
Re-encryption Proxy: it facilitates searchable encryption
43. PaaSword Policy 1 – Monolithic Installation
The encryption/decryption process is performed by using a PaaS Container.
The encryption key exists constantly in memory.
The key is generated by the TKP and provided once during bootstrapping.
44. PaaSword Policy 1 – Monolithic Installation
• Advantages
Easy to implement.
No operational preconditions have to be fulfilled by the application provider.
Business Logic can perform SCRUD operations transparently.
• Disadvantages
No theoretical proof that a key cannot be circumvented by a compromised container.
The DB's data resides in one place, so brute force attacks can be performed upon its compromise.
The key is continuously stored in memory.
45. PaaSword Policy 2 – Monolithic Installation
The encryption and decryption process is performed using a PaaS Container.
The encryption key exists constantly in memory.
In contrast to PaaSword Policy 1: the key is resynthesized on demand at every usage of an entity.
The key is generated by the TKP, which is interconnected with the IDM.
46. PaaSword Policy 2 – Monolithic Installation
• Advantages
Business Logic can perform SCRUD operations transparently.
The asymmetric key is not stored permanently in memory.
Revocation of one key does not affect the platform.
• Disadvantages
More complex to implement than PaaSword Policy 1.
No theoretical proof that a key cannot be circumvented by a compromised container.
The DB's data resides in one place, so brute force attacks can be performed upon its compromise.
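The three top-ranked requirements (revoking one user must not touch the TDE scheme or the other users' keys, and a compromised user key must not force revoking the rest) and Policy 2's idea of resynthesizing the key on demand instead of holding it permanently can be met with a key-wrapping layer between user keys and the data-encryption key. The following is an added example written for this page, not PaaSword project code; the KeyManager class, the user names and the wrap construction (XOR with an HMAC-derived pad plus an HMAC tag, standing in for a proper KDF and AES key wrap) are assumptions of the example.

```python
import hashlib
import hmac
import secrets

# Added example, not PaaSword project code. One data-encryption key (DEK)
# protects the TDE-encrypted columns; every user holds a personal key and gets
# the DEK wrapped under it. Revocation deletes only that user's wrapped copy, so
# the DEK, the encrypted data and the other users' copies stay untouched. The
# DEK is unwrapped per request rather than kept in memory between requests.
# Wrapping = XOR with an HMAC-derived pad plus an HMAC tag: a standard-library
# stand-in for a real KDF and AES key wrap (RFC 3394), used only to illustrate.


class KeyManager:
    def __init__(self, dek=None):
        self._dek = dek or secrets.token_bytes(32)   # lives with the Trusted Key Generator
        self.wrapped = {}                            # user_id -> (salt, wrapped_dek, tag)

    @staticmethod
    def _pad(user_key, salt):
        # Fresh salt per wrap means the pad is never reused for the same user key.
        return hmac.new(user_key, b"paasword-wrap|" + salt, hashlib.sha256).digest()

    def enroll(self, user_id, user_key):
        salt = secrets.token_bytes(16)
        wrapped = bytes(d ^ p for d, p in zip(self._dek, self._pad(user_key, salt)))
        tag = hmac.new(user_key, salt + wrapped, hashlib.sha256).digest()
        self.wrapped[user_id] = (salt, wrapped, tag)

    def revoke(self, user_id):
        # Only this user's wrapped copy disappears; no data re-encryption and no
        # re-wrapping for other users is needed.
        del self.wrapped[user_id]

    def unwrap(self, user_id, user_key):
        """Resynthesize the DEK for one request; the caller should not cache it."""
        if user_id not in self.wrapped:
            raise KeyError(f"{user_id} is not enrolled or has been revoked")
        salt, wrapped, tag = self.wrapped[user_id]
        expected = hmac.new(user_key, salt + wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("wrong user key")
        return bytes(w ^ p for w, p in zip(wrapped, self._pad(user_key, salt)))

    def rotate_user_key(self, user_id, old_key, new_key):
        # A compromised user key is replaced by re-wrapping the unchanged DEK,
        # so no other key has to be revoked.
        self.unwrap(user_id, old_key)      # proves possession of the old key
        self.enroll(user_id, new_key)


def demo():
    """Run the revocation scenario and report what each party can still do."""
    alice_key, bob_key = secrets.token_bytes(32), secrets.token_bytes(32)
    km = KeyManager()
    original_dek = km._dek
    km.enroll("alice", alice_key)
    km.enroll("bob", bob_key)
    km.revoke("bob")
    result = {"alice_ok": km.unwrap("alice", alice_key) == original_dek}
    try:
        km.unwrap("bob", bob_key)
        result["bob_blocked"] = False
    except KeyError:
        result["bob_blocked"] = True
    try:
        km.unwrap("alice", bob_key)
        result["wrong_key_rejected"] = False
    except ValueError:
        result["wrong_key_rejected"] = True
    new_key = secrets.token_bytes(32)
    km.rotate_user_key("alice", alice_key, new_key)
    result["rotation_keeps_dek"] = km.unwrap("alice", new_key) == original_dek
    return result
```

The point of the layout is that the DEK never changes: revocation and rotation are edits to the table of wrapped copies, which is what lets one user's credentials be revoked without affecting the TDE scheme or anyone else's key.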
47. PaaSword Policy 3 – Monolithic Installation
The encryption and decryption process is performed using an Encryption Proxy.
The key is based on a tenant key that is generated by the TKP.
The key is generated by the TKP.
48. PaaSword Policy 3 – Monolithic Installation
• Advantage
The container has no access to plain text.
• Disadvantage
Business Logic cannot perform all SCRUD operations.
49. PaaSword Policy 4 – Distributed Installation
[Figure: Zone Model. Zones from most to least trusted: Fully trusted zone, Trusted zone, Semi-trusted zone, Untrusted zone. Parties and components shown: hardware of the data owner, certified cloud provider, storage cloud provider, database proxy, Data, Index, Index.]
50. Secure Database Proxy
[Figure: The User/Application sends (no)SQL queries and data (not encrypted) to the DB-Proxy in the trusted zone; the DB-Proxy sends SQL to the Cloud (untrusted), which stores Data, Index1 and Index2 as encrypted data/indexes.]
51. Transformation
Original:
| ID | First Name | Last Name | Town | Date Of Birth |
| --- | --- | --- | --- | --- |
| 1 | Paul | Fischer | Hannover | 01.01.1979 |
| 2 | Hans | Müller | Karlsruhe | 02.02.1974 |
| 3 | Frank | Schmidt | Stuttgart | 03.03.1972 |
| 4 | Frank | Maier | Hamburg | 04.04.1983 |
Data:
| ID | encrypted Data |
| --- | --- |
| 1 | Enc(Paul,Fischer,Hannover,01.01.1979) |
| 2 | Enc(Hans,Müller,Karlsruhe,02.02.1974) |
| 3 | Enc(Frank,Schmidt,Stuttgart,03.03.1972) |
| 4 | Enc(Frank,Maier,Hamburg,04.04.1983) |
Index1:
| Keyword | IDs |
| --- | --- |
| FirstName:Paul | Enc(1) |
| FirstName:Hans | Enc(2) |
| FirstName:Frank | Enc(3,4) |
Index2:
| Keyword | IDs |
| --- | --- |
| LastName:Fischer | Enc(1) |
| LastName:Müller | Enc(2) |
| LastName:Schmidt | Enc(3) |
| LastName:Maier | Enc(4) |
Attributes are lost in the crowd: the original association between the attributes of a record is hidden.
52. Example (1/4): Transform query
The User/Application sends its query, against the original table from the Transformation slide, to the DB-Proxy:
SELECT * FROM Personen WHERE FirstName = 'Frank' AND LastName = 'Maier'
The DB-Proxy transforms it into one lookup per index:
SELECT ID FROM Index1 WHERE Keyword = 'FirstName:Frank'
SELECT ID FROM Index2 WHERE Keyword = 'LastName:Maier'
53. Example (2/4): Decrypt and compose
Index1 returns IDs Enc(3,4) and Index2 returns IDs Enc(4); the DB-Proxy decrypts both ID lists and composes (intersects) them: ID 4.
54. Example (3/4): Fetch Data
The DB-Proxy fetches the encrypted record from the Data table:
SELECT * FROM Data WHERE ID in {4}
55. Example (4/4): Decrypt and send result
The cloud returns Enc(Frank, Maier, Hamburg, 04.04.1983); the DB-Proxy decrypts it and sends the result Frank, Maier, Hamburg, 04.04.1983 to the User/Application.
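The transformation (slide 51) and the four-step query example above, implemented end to end as an added example that is not part of the original slides or the PaaSword code base: the SecureDbProxy class, its HMAC-token keywords, its encrypt-then-MAC record encryption (an HMAC-SHA256 counter-mode keystream standing in for AES-GCM) and the four sample persons are assumptions of this example. It goes slightly beyond the slides by also handling predicates on non-indexed columns, which the trusted proxy can only apply after decryption.

```python
import hashlib
import hmac
import json
import secrets

# Added example, not PaaSword project code. SecureDbProxy plays the trusted
# DB-Proxy: it holds the keys, encrypts rows, and keeps one keyword index per
# indexed column whose keywords are HMAC tokens and whose ID lists are encrypted,
# so the untrusted cloud store (the two dicts below) never sees plaintext.
# Record encryption is encrypt-then-MAC over an HMAC-SHA256 counter-mode
# keystream, a standard-library stand-in for AES-GCM.
class SecureDbProxy:
    def __init__(self, master_key, indexed_columns=("FirstName", "LastName")):
        self.enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
        self.idx_key = hmac.new(master_key, b"index", hashlib.sha256).digest()
        self.indexed_columns = tuple(indexed_columns)
        self.cloud_data = {}                                      # ID -> Enc(row)
        self.cloud_index = {c: {} for c in self.indexed_columns}  # token -> Enc(IDs)

    def _keystream(self, nonce, length):
        out, counter = b"", 0
        while len(out) < length:
            block = nonce + counter.to_bytes(4, "big")
            out += hmac.new(self.enc_key, block, hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def _encrypt(self, plaintext):
        nonce = secrets.token_bytes(16)
        stream = self._keystream(nonce, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, stream))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def _decrypt(self, blob):
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext was modified or the key is wrong")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))

    def _token(self, column, value):
        # Keyword privacy: the cloud stores HMAC("FirstName:Frank"), not the keyword.
        keyword = f"{column}:{value}".encode()
        return hmac.new(self.idx_key, keyword, hashlib.sha256).hexdigest()

    def _ids_for(self, column, token):
        blob = self.cloud_index[column].get(token)
        return json.loads(self._decrypt(blob)) if blob else []

    def insert(self, row):
        """Transformation: Enc(row) into Data, Enc(ID list) per keyword into the indexes."""
        row_id = row["ID"]
        fields = {k: v for k, v in row.items() if k != "ID"}
        self.cloud_data[row_id] = self._encrypt(json.dumps(fields).encode())
        for column in self.indexed_columns:
            token = self._token(column, row[column])
            ids = self._ids_for(column, token)
            if row_id not in ids:
                ids.append(row_id)
            self.cloud_index[column][token] = self._encrypt(json.dumps(ids).encode())

    def select(self, where):
        """Transform the WHERE clause into index lookups, compose, fetch, decrypt."""
        indexed = {c: v for c, v in where.items() if c in self.indexed_columns}
        rest = {c: v for c, v in where.items() if c not in self.indexed_columns}
        candidates = None
        for column, value in indexed.items():
            ids = set(self._ids_for(column, self._token(column, value)))
            candidates = ids if candidates is None else candidates & ids
        if candidates is None:
            candidates = set(self.cloud_data)   # no indexed predicate: full scan
        rows = []
        for row_id in sorted(candidates):
            fields = json.loads(self._decrypt(self.cloud_data[row_id]))
            # Predicates on non-indexed columns are applied here, after decryption.
            if all(fields.get(c) == v for c, v in rest.items()):
                rows.append({"ID": row_id, **fields})
        return rows

    def cloud_storage_bytes(self):
        """Everything the untrusted cloud holds, for checking that no plaintext leaks."""
        parts = list(self.cloud_data.values())
        for index in self.cloud_index.values():
            parts.extend(token.encode() + blob for token, blob in index.items())
        return b"".join(parts)


def build_demo_proxy():
    """Load the four constructed persons from the Transformation slide."""
    proxy = SecureDbProxy(master_key=secrets.token_bytes(32))
    for row in (
        {"ID": 1, "FirstName": "Paul", "LastName": "Fischer", "Town": "Hannover", "DateOfBirth": "01.01.1979"},
        {"ID": 2, "FirstName": "Hans", "LastName": "Müller", "Town": "Karlsruhe", "DateOfBirth": "02.02.1974"},
        {"ID": 3, "FirstName": "Frank", "LastName": "Schmidt", "Town": "Stuttgart", "DateOfBirth": "03.03.1972"},
        {"ID": 4, "FirstName": "Frank", "LastName": "Maier", "Town": "Hamburg", "DateOfBirth": "04.04.1983"},
    ):
        proxy.insert(row)
    return proxy
```

`build_demo_proxy().select({"FirstName": "Frank", "LastName": "Maier"})` walks the four steps of the example: two token lookups, intersection of the decrypted ID lists to {4}, fetch of record 4, decryption. What the cloud holds is only HMAC tokens and ciphertext, but it still sees how many records share a token and which IDs appear in the same list (the Enc(3,4) entry for Frank is one blob, so the two records are linkable as a pair); that access-pattern leakage is what the security level of the searchable encryption scheme has to account for.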
57. Searchable Encryption Scheme
Define a Searchable Encryption (SE) scheme which is able to work with encrypted data based on defined policies.
SE needs to allow multi-read and multi-write and needs to provide keyword privacy.
SE needs to offer revocation functionalities in order to tackle misbehaving users.
SE needs to be efficient and able to run on multiple devices with different resources.
Possibly offer different SE schemes with different functionalities/security levels.
58. Access Control Policies
Access Control Policies are based on the Access Control Model.
The developer chooses the applied Access Control Model:
Key-Policy Attribute-Based Encryption – Ciphertext-Policy Attribute-Based Encryption
Which one can be applied in the PaaSword setting?
Move to a revocable version?
Access Control Policies are Context-Aware by using a Context Model.
The Context Model is based on LinkedUSDL, taking into account context attributes, i.e. geolocation, device, …
Each data type has its own context attributes.
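The following added example (not PaaSword project code, and not an implementation of the XACML standard) shows the kind of evaluation the Policy Enforcement Mechanism from the walkthrough performs before data is decrypted: rules with a target and a condition over context attributes such as geolocation and device, combined with deny-overrides, with NotApplicable treated as deny at the enforcement point. The resource name Customer.email, the roles, the country set and the `decrypt` callback are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List

# Added example, not PaaSword project code and not an XACML implementation:
# an XACML-style evaluator (rules with a target and a condition, deny-overrides
# combining, default deny) for context-aware policies. "Customer.email" stands
# for an annotated entity field; the roles and the country set are constructed.
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
IN_REGION = {"DE", "FR", "GR", "CH"}   # constructed: locations this tenant allows


@dataclass
class Rule:
    name: str
    effect: str
    resource: str
    action: str
    condition: Callable[[dict], bool] = lambda ctx: True

    def applies(self, ctx):
        return (self.resource == ctx["resource"] and self.action == ctx["action"]
                and self.condition(ctx))


@dataclass
class Policy:
    rules: List[Rule]
    algorithm: str = "deny-overrides"

    def matched(self, ctx):
        return [r.name for r in self.rules if r.applies(ctx)]

    def evaluate(self, ctx):
        effects = [r.effect for r in self.rules if r.applies(ctx)]
        if not effects:
            return NOT_APPLICABLE
        if self.algorithm == "deny-overrides":
            return DENY if DENY in effects else PERMIT
        return PERMIT if PERMIT in effects else DENY    # permit-overrides


class EnforcementPoint:
    """Releases (decrypts) a value only on Permit; NotApplicable counts as deny."""

    def __init__(self, policy, decrypt):
        # decrypt: callback into the TDE mechanism; a stand-in is passed in tests.
        self.policy, self.decrypt, self.audit = policy, decrypt, []

    def read(self, ctx, ciphertext):
        decision = self.policy.evaluate(ctx)
        self.audit.append((ctx["user"], ctx["resource"], decision, self.policy.matched(ctx)))
        if decision != PERMIT:
            raise PermissionError(f"{decision} for {ctx['user']} on {ctx['resource']}")
        return self.decrypt(ciphertext)


def make_context(user, role, country, device, resource="Customer.email", action="read"):
    """The request context: user situation plus the annotated resource and action."""
    return {"user": user, "role": role, "country": country, "device": device,
            "resource": resource, "action": action}


CUSTOMER_EMAIL_POLICY = Policy([
    Rule("sales-in-region", PERMIT, "Customer.email", "read",
         lambda c: c["role"] == "sales" and c["country"] in IN_REGION),
    Rule("support-in-region", PERMIT, "Customer.email", "read",
         lambda c: c["role"] == "support" and c["country"] in IN_REGION),
    # Cross-border restriction and device posture as deny rules: under
    # deny-overrides they win over any matching permit.
    Rule("no-cross-border", DENY, "Customer.email", "read",
         lambda c: c["country"] not in IN_REGION),
    Rule("managed-devices-only", DENY, "Customer.email", "read",
         lambda c: c["device"] != "managed"),
])


def decide(user, role, country, device):
    return CUSTOMER_EMAIL_POLICY.evaluate(make_context(user, role, country, device))
```

The audit list records, for every request, the decision and the names of the rules that matched, which is what an operator needs when a legitimate user is unexpectedly denied after a change of location or device.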
59. Insecure APIs
Transport Security
Protect APIs carrying sensitive data within a secure channel
Use SSL/TLS
How to generate/manage valid certificates from an internal/external certificate authority?
Issues with configuring platform services and software integration
Issues with end-to-end protection if any proxying platforms are required as intermediaries
Code and Development Practices
Test any API that passes JSON/XML messages or accepts input from users/applications for standard injection flaws and cross-site request forgery attacks
60. Insecure APIs
Authentication & Authorization
Open Issues
Can APIs manage the encryption of usernames and password?
Is it possible to manage two-factor authentication attributes?
Can fine-grained authorization policies be created and maintained?
Is there continuity between internal identity management systems and attributes, and those extended by APIs from cloud providers?
Reusable tokens/password?
API dependencies?
Limited monitoring/logging capabilities?
Inflexible access control?
61. Conclusion I
PaaSword provides a holistic framework providing data privacy and security by design.
Added value exemplified on 5 business demonstrations.
Based on the concepts of:
PaaSword Semantic Models
Typesafe Development Libraries
PaaSword Application
PaaSword-enabled Container
Outsourced Database
Architecture and Reference Implementation defined with the help of Requirements & Security Requirements from Stakeholders.
62. Conclusion II
Architecture consists of:
PaaSword Central Administration
Application Development Zone
PaaSword Execution Container
Tenant Trusted Operational Zone
PaaSword Policies for Security 1, 2, 3, 4
PaaSword Scientific Challenges:
Searchable Encryption working with encrypted data based on defined policies – combine Searchable Encryption with Access Control Policies
Insecure APIs