www.paasword.eu
A Data Privacy and Security by Design
Platform‐as‐a‐Service Framework
Dr. Panagiotis Gouvas - R&D Director - Ubitech Ltd
Dr. Yiannis Verginadis -Senior Researcher - ICCS
SecureCloud 2016 - May 24, 2016, Dublin
Agenda
Motivation
Goals
PaaSword in a Nutshell
Use Cases
Ongoing work
PaaSword28/06/2016 2
Motivation
The cloud paradigm has definitely prevailed
Most applications are delivered following the SaaS model
Many developers rely on PaaS offerings for scalability
Nearly all underlying resources (DBs, Queues etc.) are outsourced at the IaaS level
Attack vectors have increased
'Raw data' are the modern hacker's holy grail
The responsibility for the protection of data has shifted to the developer
Motivation
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Goals of PaaSword Framework
To create a security-by-design framework which will allow developers to engineer secure applications
To leverage the security and trust of data that reside on outsourced infrastructure
To facilitate context-aware access to encrypted and (even) physically distributed datasets stored in outsourced infrastructure
To prove the applicability, usability, effectiveness and value of our framework in real-life Cloud infrastructures, services and applications
PaaSword in a Nutshell
PaaSword Walkthrough
Two types of Annotations: 1) Encryption & Distribution; 2) Policy Enforcement
Concept of Secure Proxy
[Diagram] Common (insecure) scenario: Client -> Cloud DB. Desired (secure) scenario in PaaSword: Client -> Proxy -> Cloud DB.
Virtual Database Architecture
[Diagram] The User / Application issues SQL to the Proxy (trusted), where data are not encrypted; the Proxy issues SQL to the Database in the Cloud (untrusted), which holds only Data (encrypted) together with Index1 and Index2.
What’s New
Original:
ID  Name    Surname   City          Day of Birth
1   Paul    Anderson  Athens        01.01.1979
2   Howard  Miller    Karlsruhe     02.02.1974
3   Henry   Cooper    Berlin        03.03.1980
4   Henry   Jones     Thessaloniki  04.04.1985

Data:
ID  Encrypted Data
1   Enc(Paul,Anderson,Athens,01.01.1979)
2   Enc(Howard,Miller,Karlsruhe,02.02.1974)
3   Enc(Henry,Cooper,Berlin,03.03.1980)
4   Enc(Henry,Jones,Thessaloniki,04.04.1985)

Index1:
Keyword-Name  IDs
Enc(Paul)     Enc(1)
Enc(Howard)   Enc(2)
Enc(Henry)    Enc(3,4)

Index2:
Keyword-Surname  IDs
Enc(Anderson)    Enc(1)
Enc(Miller)      Enc(2)
Enc(Cooper)      Enc(3)
Enc(Jones)       Enc(4)

Keyword Encryption
• AES (deterministic)
• Support for most query types (excl. LIKE)
Index Distribution
• Index for the same data type can be stored at different servers
Distribution based on Privacy Constraints
• Minimize exposure of sensitive information by careful distribution
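As an added example (not code from the slides or from the PaaSword project), the following Go program builds the Name and Surname indexes of the example table above with a deterministic AES keyword token and resolves an equality query the way the trusted proxy would. The ECB-over-padded-keyword construction, the fixed demo key and leaving the ID lists in clear are assumptions made here for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
)

// Row is one record of the slide's example table; only Name and Surname are indexed.
type Row struct {
	ID            int
	Name, Surname string
}

var rows = []Row{{1, "Paul", "Anderson"}, {2, "Howard", "Miller"}, {3, "Henry", "Cooper"}, {4, "Henry", "Jones"}} // constructed demo data from the slide's "Original" table
var demoKey = []byte("0123456789abcdef")                                                                            // fixed test key standing in for the tenant key TK (assumption)

// detToken: deterministic AES-128 over the PKCS#7-padded keyword (ECB; one assumed instantiation).
// Same keyword -> same token, which lets the untrusted cloud answer equality lookups on an
// encrypted index, and is why LIKE is excluded: no substring structure survives the block cipher.
func detToken(key []byte, kw string) string {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	pad := aes.BlockSize - len(kw)%aes.BlockSize
	buf := append([]byte(kw), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(buf))
	for i := 0; i < len(buf); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], buf[i:i+aes.BlockSize])
	}
	return hex.EncodeToString(out)
}

// Index maps a keyword token to the IDs holding that keyword (the slide also encrypts the ID
// list; it is left in clear here). Index1 (Name) and Index2 (Surname) may sit on different servers.
type Index map[string][]int

func buildIndex(key []byte, rows []Row, field func(Row) string) Index {
	idx := Index{}
	for _, r := range rows {
		tok := detToken(key, field(r))
		idx[tok] = append(idx[tok], r.ID) // equal names collide on purpose: Enc(Henry) -> [3 4]
	}
	return idx
}

// lookup is the proxy's rewrite of WHERE Name = 'Henry': only the token leaves the trusted
// proxy. The price of determinism: the cloud still learns that rows 3 and 4 share a name.
func lookup(key []byte, idx Index, kw string) []int { return idx[detToken(key, kw)] }
```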
What about Key Creation/Sharing Policies?
Overview Of Policies
P1
  Where is the TED taking place? In the PaaS container
  TED Key Generation: Generated once during bootstrapping (in a Tenant Trusted Zone) and stored in-memory by the application
  TED Key Usage & Sharing Policy: Recovered from memory on demand for each query execution
  Modification of target schema: No modification
  SQL support: Yes

P2
  Where is the TED taking place? In the PaaS container
  TED Key Generation: One key is generated per Tenant (in a Tenant Trusted Zone) and a pair user_key / container_key is generated out of this tenant_key
  TED Key Usage & Sharing Policy: Recomposed by combining a user_key and a container_key for each query execution
  Modification of target schema: No modification
  SQL support: Yes

P3
  Where is the TED taking place? Outside the container, in a Tenant Trusted Zone
  TED Key Generation: Generated once in a Tenant Trusted Zone
  TED Key Usage & Sharing Policy: E/D Key is used only in the Tenant Trusted Zone
  Modification of target schema: No modification
  SQL support: No

P4
  Where is the TED taking place? In the PaaS container
  TED Key Generation: Generated once during bootstrapping (in a Tenant Trusted Zone) and stored in-memory by the application
  TED Key Usage & Sharing Policy: Recovered from memory on demand for each query execution
  Modification of target schema: Modifications required
  SQL support: No

P5
  Where is the TED taking place? In the PaaS container
  TED Key Generation: One key is generated per Tenant (in a Tenant Trusted Zone) and a pair user_key / container_key is generated out of this tenant_key
  TED Key Usage & Sharing Policy: Recomposed by combining a user_key and a container_key for each query execution
  Modification of target schema: Modifications required
  SQL support: No
Comparative Analysis
Final Key Management Requirements
Avoid running a service at the Tenant (T) that provides the Tenant Key (TK) to the Proxy (P). Tenant administrator is offline.
Avoid giving TK to the Cloud Application (A) or the User (U)
Ensure Access Control cannot be bypassed
One key per tenant
As simple as possible
Recoverability
Implemented Policy
[Diagram] The Cloud DB is encrypted with the Tenant Key TK. TK is never handed whole to the Application or the User: the DB-Proxy composes it per query from three parts, TKui (held by the User), TKai (released by the Application behind Access Control; TKa1, TKa2, TKa3) and TKpi (held by the DB-Proxy; TKp1, TKp2, TKp3). An Admin Access path is shown alongside the User path.
Semantic Authorization
PaaSword will deliver an XACML 3.0 compliant Auth Engine with the ability to:
• harmonize the attribute creation process through the usage of the extensible Context Model
• decouple the level of granularity of the attributes used to define policies from the attributes that characterize 'subjects', 'objects' and the 'environment'
• provide design-time conflict resolution for provided policies
Semantic Authorization Engine
Use Cases
PaaSword Framework will be evaluated on 5 different Use Cases:
Secure Sensors Analytics for IoT applications
Cloud-based Multi-tenant CRM software
Encrypted Persistency included in PaaS/SaaS Services
Multi-tenant ERP Environments
Platform for Cross-border Document Exchange
Challenges
Functional Transparency: Developer should not implement security policies. S/he should only use them
Comprehensive annotation framework: Proper annotations should be created for encryption/decryption and policy access
Flexible Policy Management: Context-driven policies for accessing the stored information
Efficient Virtualization of RDBMS: realizing the appropriate query synthesis and aposynthesis capabilities
Flexible Key Management: mechanisms making the key usage transparent to the cloud-based applications and services
Extensibility: the framework should be extensible even during runtime
Consortium
• Industrial Partner
• Scientific Partner
Interested in… ?
Getting access to early results?
Shaping and expanding PaaSword?
Networking with leading companies & research
institutes?
Collaborating with us and the PaaSword Community?
Join the Cloud Security Industrial Focus Group!
Register at:
https://www.paasword.eu/register/
Questions?
Visit us:
www.paasword.eu
Acknowledgements:
This project has received funding from the
European Union’s Horizon 2020 research and
innovation programme under grant
agreement No 644814.