www.paasword.eu
A Data Privacy and Security by Design Platform-as-a-Service Framework
Dr. Panagiotis Gouvas - R&D Director - Ubitech Ltd
Dr. Yiannis Verginadis - Senior Researcher - ICCS
SecureCloud 2016 - May 24, 2016, Dublin
Agenda
Motivation
Goals
PaaSword in a Nutshell
Use Cases
Ongoing work
PaaSword28/06/2016 2
Motivation
• The cloud paradigm has definitely prevailed
• Most applications are delivered following the SaaS model
• Many developers rely on PaaS offerings for scalability
• Nearly all underlying resources (DBs, queues, etc.) are outsourced at the IaaS level
• Attack vectors have increased
• ‘Raw data’ are the modern hacker’s holy grail
• The responsibility for the protection of data has shifted to the developer
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Goals of PaaSword Framework
• To create a security-by-design framework which will allow developers to engineer secure applications
• To leverage the security and trust of data that reside on outsourced infrastructure
• To facilitate context-aware access to encrypted and (even) physically distributed datasets stored in outsourced infrastructure
• To prove the applicability, usability, effectiveness and value of our framework in real-life Cloud infrastructures, services and applications
PaaSword in a Nutshell
PaaSword Walkthrough
Two types of annotations:
1) Encryption & Distribution
2) Policy Enforcement
Concept of Secure Proxy
Common (insecure) scenario: Client → Cloud DB
Desired (secure) scenario in PaaSword: Client → Proxy → Cloud DB
Virtual Database Architecture
[Diagram: User / Application → SQL → Proxy (trusted) → SQL → Cloud (untrusted). Labels: Data (not encrypted); SQL Database; Data (encrypted); Index1; Index2.]
What’s New
Original
ID | Name   | Surname  | City         | Day of Birth
1  | Paul   | Anderson | Athens       | 01.01.1979
2  | Howard | Miller   | Karlsruhe    | 02.02.1974
3  | Henry  | Cooper   | Berlin       | 03.03.1980
4  | Henry  | Jones    | Thessaloniki | 04.04.1985

Data
ID | Encrypted Data
1  | Enc(Paul,Anderson,Athens,01.01.1979)
2  | Enc(Howard,Miller,Karlsruhe,02.02.1974)
3  | Enc(Henry,Cooper,Berlin,03.03.1980)
4  | Enc(Henry,Jones,Thessaloniki,04.04.1985)

Index1
Keyword-Name | IDs
Enc(Paul)    | Enc(1)
Enc(Howard)  | Enc(2)
Enc(Henry)   | Enc(3,4)

Index2
Keyword-Surname | IDs
Enc(Anderson)   | Enc(1)
Enc(Miller)     | Enc(2)
Enc(Cooper)     | Enc(3)
Enc(Jones)      | Enc(4)

Keyword Encryption
• AES (deterministic)
• Support for most query types (excl. LIKE)
Index Distribution
• Index for same data type can be stored at different servers
Distribution based on Privacy Constraints
• Minimize exposure of sensitive information by careful distribution
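The index layout on this slide, as an added example (not PaaSword code): a trusted proxy keeps the key, the cloud holds only the encrypted rows plus one keyword index per column on separate stores, and equality queries are answered through the index. Assumptions: HMAC-SHA256 stands in for the slide's deterministic AES keyword encryption, a standard-library encrypt-then-MAC construction stands in for AES on rows and ID lists, and the names Proxy, UntrustedStore, token, seal and unseal are hypothetical.

```python
import hashlib
import hmac
import json
import os

# Sample rows taken from the slide's "Original" table.
ROWS = [
    (1, "Paul", "Anderson", "Athens", "01.01.1979"),
    (2, "Howard", "Miller", "Karlsruhe", "02.02.1974"),
    (3, "Henry", "Cooper", "Berlin", "03.03.1980"),
    (4, "Henry", "Jones", "Thessaloniki", "04.04.1985"),
]
INDEXED = {"name": 1, "surname": 2}  # indexed column -> position in a row


def subkey(key, label):
    """Derive an independent key per purpose from the proxy's master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def token(key, column, keyword):
    """Deterministic keyword token: equal keywords always give equal tokens.
    Assumption: HMAC-SHA256 stands in for the slide's deterministic AES."""
    msg = (column + "\0" + keyword).encode()
    return hmac.new(subkey(key, b"tok"), msg, hashlib.sha256).hexdigest()


def keystream(key, nonce, length):
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key, value):
    """Randomized encrypt-then-MAC of a JSON value (stdlib stand-in for AES)."""
    plain = json.dumps(value).encode()
    nonce = os.urandom(16)
    pad = keystream(subkey(key, b"enc"), nonce, len(plain))
    body = bytes(a ^ b for a, b in zip(plain, pad))
    tag = hmac.new(subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("stored blob was modified")
    pad = keystream(subkey(key, b"enc"), nonce, len(body))
    return json.loads(bytes(a ^ b for a, b in zip(body, pad)))


class UntrustedStore:
    """One cloud server: it sees only opaque keys and opaque blobs."""
    def __init__(self):
        self.cells = {}


class Proxy:
    """Trusted proxy: holds the key and turns queries into index lookups."""
    def __init__(self, key, data, indexes):
        self.key, self.data, self.indexes = key, data, indexes

    def insert(self, row):
        row_id = row[0]
        self.data.cells[row_id] = seal(self.key, list(row[1:]))
        for column, pos in INDEXED.items():
            cells = self.indexes[column].cells
            t = token(self.key, column, row[pos])
            ids = unseal(self.key, cells[t]) if t in cells else []
            cells[t] = seal(self.key, ids + [row_id])

    def select_eq(self, column, keyword):
        """SELECT * WHERE column = keyword, answered via the encrypted index."""
        cells = self.indexes[column].cells
        t = token(self.key, column, keyword)
        if t not in cells:
            return []
        ids = unseal(self.key, cells[t])
        return [(i, *unseal(self.key, self.data.cells[i])) for i in ids]


def build_demo():
    key = os.urandom(32)
    data, idx_name, idx_surname = UntrustedStore(), UntrustedStore(), UntrustedStore()
    proxy = Proxy(key, data, {"name": idx_name, "surname": idx_surname})
    for row in ROWS:
        proxy.insert(row)
    return proxy, data, idx_name, idx_surname


if __name__ == "__main__":
    proxy, data, idx_name, idx_surname = build_demo()
    print(proxy.select_eq("name", "Henry"))    # rows 3 and 4
    print(proxy.select_eq("name", "Hen"))      # prefix search finds nothing
    print(len(idx_name.cells), len(idx_surname.cells))
```

Because the tokens are deterministic, each index server learns how many distinct keywords a column holds and when the same keyword is queried again. A prefix such as "Hen" maps to an unrelated token, which is why LIKE is the excluded query type.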
What about Key Creation/Sharing Policies?
Overview of Policies
Policy / Characteristic | Where is the TED taking place? | TED Key Generation | TED Key Usage & Sharing Policy | Modification of target schema | SQL support
P1 | In the PaaS container | Generated once during bootstrapping (in a Tenant Trusted Zone) and stored in-memory by the application | It is recovered from memory on demand for each query execution | No Modification | Yes
P2 | In the PaaS container | One key is generated per Tenant (in a Tenant Trusted Zone) and a pair of user_key and container_key is generated out of this tenant_key | It is recomposed by the combination of a user_key and a container_key for each query execution | No Modification | Yes
P3 | Outside the container in a Tenant Trusted Zone | Generated once in a Tenant Trusted Zone | E/D Key is used only in the Tenant Trusted Zone | No Modification | No
P4 | In the PaaS container | Generated once during bootstrapping (in a Tenant Trusted Zone) and stored in-memory by the application | It is recovered from memory on demand for each query execution | Modifications required | No
P5 | In the PaaS container | One key is generated per Tenant (in a Tenant Trusted Zone) and a pair of user_key and container_key is generated out of this tenant_key | It is recomposed by the combination of a user_key and a container_key for each query execution | Modifications required | No
Comparative Analysis
Final Key Management Requirements
• Avoid running a service at the Tenant (T) that provides the Tenant Key (TK) to the Proxy (P). Tenant administrator is offline.
• Avoid giving TK to the Cloud Application (A) or the User (U)
• Ensure Access Control cannot be bypassed
• One key per tenant
• As simple as possible
• Recoverability
Implemented Policy
[Diagram labels: User (TKui); Application with Access Control (TKa1, TKa2, TKa3, …); DB-Proxy (TKp1, TKp2, TKp3, …); Cloud DB (encrypted with TK); Admin access.]
TK = TKui ⊕ TKai ⊕ TKpi
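The key relation on this slide (TK as the XOR of a user share TKui, an application share TKai and a proxy share TKpi), as an added sketch that is not PaaSword code: the tenant key is split per user into three shares and exists only while all three are combined. Assumptions: the enrolment and revocation steps, the release of the application share only after an access-control decision, recombination inside the DB proxy, and all function names are hypothetical.

```python
import secrets


def xor(*parts):
    """XOR equal-length byte strings together."""
    out = bytearray(len(parts[0]))
    for part in parts:
        if len(part) != len(out):
            raise ValueError("shares must have equal length")
        for i, b in enumerate(part):
            out[i] ^= b
    return bytes(out)


class Deployment:
    """Shares held in the cloud; TK itself is never stored here."""
    def __init__(self):
        self.app_shares = {}    # TKa_i, held by the application
        self.proxy_shares = {}  # TKp_i, held by the DB proxy


def enrol(tk, user_id, dep):
    """Run once by the tenant administrator (who can then go offline).
    Returns TKu_i, the share handed to the user."""
    tku = secrets.token_bytes(len(tk))
    tka = secrets.token_bytes(len(tk))
    dep.app_shares[user_id] = tka
    dep.proxy_shares[user_id] = xor(tk, tku, tka)  # chosen so the three XOR to TK
    return tku


def release_app_share(dep, user_id, access_granted):
    """The application forwards TKa_i only after access control says yes."""
    if not access_granted or user_id not in dep.app_shares:
        raise PermissionError("access control denied the request")
    return dep.app_shares[user_id]


def recombine(dep, user_id, tku, access_granted=True):
    """Per query (assumed to run inside the DB proxy): TK = TKu ^ TKa ^ TKp."""
    tka = release_app_share(dep, user_id, access_granted)
    tkp = dep.proxy_shares.get(user_id)
    if tkp is None:
        raise PermissionError("no proxy share for this user")
    return xor(tku, tka, tkp)


def revoke(dep, user_id):
    """Dropping the cloud-side shares makes the user's share useless."""
    dep.app_shares.pop(user_id, None)
    dep.proxy_shares.pop(user_id, None)


if __name__ == "__main__":
    tk = secrets.token_bytes(32)
    dep = Deployment()
    alice = enrol(tk, "alice", dep)
    print(recombine(dep, "alice", alice) == tk)
```

One tenant key serves every user, yet neither the user, the application nor the proxy can rebuild it alone, and skipping the access-control step leaves the proxy one share short.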
Semantic Authorization
PaaSword will deliver an XACML 3.0 compliant authorization engine with the ability to:
• harmonize the attribute creation process through the usage of the extensible Context Model
• decouple the level of granularity of attributes that are used to define policies from the attributes that characterize ‘subjects’, ‘objects’ and the ‘environment’
• provide design-time conflict resolution for provided policies
Semantic Authorization Engine
Use Cases
PaaSword Framework will be evaluated on 5 different Use Cases:
• Secure Sensors Analytics for IoT applications
• Cloud-based Multi-tenant CRM software
• Encrypted Persistency included in PaaS/SaaS Services
• Multi-tenant ERP Environments
• Platform for Cross-border Document Exchange
Challenges
• Functional Transparency: Developer should not implement security policies. S/he should only use them
• Comprehensive annotation framework: Proper annotations should be created for encryption/decryption and policy access
• Flexible Policy Management: Context-driven policies for accessing the stored information
• Efficient Virtualization of RDBMS: realizing the appropriate query synthesis and aposynthesis (decomposition) capabilities
• Flexible Key Management: mechanisms making the key usage transparent to the cloud-based applications and services
• Extensibility: the framework should be extensible even during runtime
Consortium
• Industrial Partner
• Scientific Partner
Interested in… ?
• Getting access to early results?
• Shaping and expanding PaaSword?
• Networking with leading companies & research institutes?
• Collaborating with us and the PaaSword Community?
Join the Cloud Security Industrial Focus Group!
Register at: https://www.paasword.eu/register/
Questions?
Visit us: www.paasword.eu
Acknowledgements: This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 644814.

More Related Content

What's hot

Maintaining Trust & Control of your Data in the Cloud
Maintaining Trust & Control of your Data in the CloudMaintaining Trust & Control of your Data in the Cloud
Maintaining Trust & Control of your Data in the Cloud
Amazon Web Services
 
Big Data security: Facing the challenge by Carlos Gómez at Big Data Spain 2017
Big Data security: Facing the challenge by Carlos Gómez at Big Data Spain 2017Big Data security: Facing the challenge by Carlos Gómez at Big Data Spain 2017
Big Data security: Facing the challenge by Carlos Gómez at Big Data Spain 2017
Big Data Spain
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
Security Innovation
 
Oscar Cabanillas - Elastic - OSL19
Oscar Cabanillas - Elastic - OSL19Oscar Cabanillas - Elastic - OSL19
Oscar Cabanillas - Elastic - OSL19
marketingsyone
 
Cloud Security Alliance's GRC Stack Overview
Cloud Security Alliance's GRC Stack OverviewCloud Security Alliance's GRC Stack Overview
Cloud Security Alliance's GRC Stack Overview
Valdez Ladd MBA, CISSP, CISA,
 
1. aws security and compliance wwps pre-day sao paolo - markry
1. aws security and compliance   wwps pre-day sao paolo - markry1. aws security and compliance   wwps pre-day sao paolo - markry
1. aws security and compliance wwps pre-day sao paolo - markry
Amazon Web Services LATAM
 
Mastering the move
Mastering the moveMastering the move
Mastering the move
Trivadis
 
Getting Started with Azure Security Center
Getting Started with Azure Security CenterGetting Started with Azure Security Center
Getting Started with Azure Security Center
Cheah Eng Soon
 
Keeping your Enterprise’s Big Data Secure by Owen O’Malley at Big Data Spain ...
Keeping your Enterprise’s Big Data Secure by Owen O’Malley at Big Data Spain ...Keeping your Enterprise’s Big Data Secure by Owen O’Malley at Big Data Spain ...
Keeping your Enterprise’s Big Data Secure by Owen O’Malley at Big Data Spain ...
Big Data Spain
 
Trivadis - Microsoft Swiss Cloud Services
Trivadis - Microsoft Swiss Cloud ServicesTrivadis - Microsoft Swiss Cloud Services
Trivadis - Microsoft Swiss Cloud Services
Trivadis
 
Azure security and Compliance
Azure security and ComplianceAzure security and Compliance
Azure security and Compliance
Karina Matos
 
Cloud Security, Risk and Compliance on AWS
Cloud Security, Risk and Compliance on AWSCloud Security, Risk and Compliance on AWS
Cloud Security, Risk and Compliance on AWS
Karim Hopper
 
DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...
DEVNET-1123	CSTA - Cisco Security Technical Alliances, New Program for Ecosys...DEVNET-1123	CSTA - Cisco Security Technical Alliances, New Program for Ecosys...
DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...
Cisco DevNet
 
Keynote: Elastic Security evolution and vision
Keynote: Elastic Security evolution and visionKeynote: Elastic Security evolution and vision
Keynote: Elastic Security evolution and vision
Elasticsearch
 
How to Implement Snowflake Security Best Practices with Panther
How to Implement Snowflake Security Best Practices with PantherHow to Implement Snowflake Security Best Practices with Panther
How to Implement Snowflake Security Best Practices with Panther
Panther Labs
 
Database Modernization
Database ModernizationDatabase Modernization
Database Modernization
Trivadis
 
Trivadis - Microsoft Transform your data estate with cloud, data and AI
Trivadis - Microsoft Transform your data estate with cloud, data and AITrivadis - Microsoft Transform your data estate with cloud, data and AI
Trivadis - Microsoft Transform your data estate with cloud, data and AI
Trivadis
 
Azure security basics
Azure security basicsAzure security basics
Azure security basics
Stas Lebedenko
 
Privacy Preserving Public Auditing for Data Storage Security in Cloud.ppt
Privacy Preserving Public Auditing for Data Storage Security in Cloud.pptPrivacy Preserving Public Auditing for Data Storage Security in Cloud.ppt
Privacy Preserving Public Auditing for Data Storage Security in Cloud.ppt
Girish Chandra
 
Enterprise data management for microsoft hd insight
Enterprise data management for microsoft hd insightEnterprise data management for microsoft hd insight
Enterprise data management for microsoft hd insight
Jana Lass
 

What's hot (20)

Maintaining Trust & Control of your Data in the Cloud
Maintaining Trust & Control of your Data in the CloudMaintaining Trust & Control of your Data in the Cloud
Maintaining Trust & Control of your Data in the Cloud
 
Big Data security: Facing the challenge by Carlos Gómez at Big Data Spain 2017
Big Data security: Facing the challenge by Carlos Gómez at Big Data Spain 2017Big Data security: Facing the challenge by Carlos Gómez at Big Data Spain 2017
Big Data security: Facing the challenge by Carlos Gómez at Big Data Spain 2017
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
 
Oscar Cabanillas - Elastic - OSL19
Oscar Cabanillas - Elastic - OSL19Oscar Cabanillas - Elastic - OSL19
Oscar Cabanillas - Elastic - OSL19
 
Cloud Security Alliance's GRC Stack Overview
Cloud Security Alliance's GRC Stack OverviewCloud Security Alliance's GRC Stack Overview
Cloud Security Alliance's GRC Stack Overview
 
1. aws security and compliance wwps pre-day sao paolo - markry
1. aws security and compliance   wwps pre-day sao paolo - markry1. aws security and compliance   wwps pre-day sao paolo - markry
1. aws security and compliance wwps pre-day sao paolo - markry
 
Mastering the move
Mastering the moveMastering the move
Mastering the move
 
Getting Started with Azure Security Center
Getting Started with Azure Security CenterGetting Started with Azure Security Center
Getting Started with Azure Security Center
 
Keeping your Enterprise’s Big Data Secure by Owen O’Malley at Big Data Spain ...
Keeping your Enterprise’s Big Data Secure by Owen O’Malley at Big Data Spain ...Keeping your Enterprise’s Big Data Secure by Owen O’Malley at Big Data Spain ...
Keeping your Enterprise’s Big Data Secure by Owen O’Malley at Big Data Spain ...
 
Trivadis - Microsoft Swiss Cloud Services
Trivadis - Microsoft Swiss Cloud ServicesTrivadis - Microsoft Swiss Cloud Services
Trivadis - Microsoft Swiss Cloud Services
 
Azure security and Compliance
Azure security and ComplianceAzure security and Compliance
Azure security and Compliance
 
Cloud Security, Risk and Compliance on AWS
Cloud Security, Risk and Compliance on AWSCloud Security, Risk and Compliance on AWS
Cloud Security, Risk and Compliance on AWS
 
DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...
DEVNET-1123	CSTA - Cisco Security Technical Alliances, New Program for Ecosys...DEVNET-1123	CSTA - Cisco Security Technical Alliances, New Program for Ecosys...
DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...
 
Keynote: Elastic Security evolution and vision
Keynote: Elastic Security evolution and visionKeynote: Elastic Security evolution and vision
Keynote: Elastic Security evolution and vision
 
How to Implement Snowflake Security Best Practices with Panther
How to Implement Snowflake Security Best Practices with PantherHow to Implement Snowflake Security Best Practices with Panther
How to Implement Snowflake Security Best Practices with Panther
 
Database Modernization
Database ModernizationDatabase Modernization
Database Modernization
 
Trivadis - Microsoft Transform your data estate with cloud, data and AI
Trivadis - Microsoft Transform your data estate with cloud, data and AITrivadis - Microsoft Transform your data estate with cloud, data and AI
Trivadis - Microsoft Transform your data estate with cloud, data and AI
 
Azure security basics
Azure security basicsAzure security basics
Azure security basics
 
Privacy Preserving Public Auditing for Data Storage Security in Cloud.ppt
Privacy Preserving Public Auditing for Data Storage Security in Cloud.pptPrivacy Preserving Public Auditing for Data Storage Security in Cloud.ppt
Privacy Preserving Public Auditing for Data Storage Security in Cloud.ppt
 
Enterprise data management for microsoft hd insight
Enterprise data management for microsoft hd insightEnterprise data management for microsoft hd insight
Enterprise data management for microsoft hd insight
 

Viewers also liked

Space time & power.
Space time & power.Space time & power.
Space time & power.
Soudip Sinha Roy
 
DePauwThesis
DePauwThesisDePauwThesis
DePauwThesis
Whitney Grandi
 
Mvc 130330091359-phpapp01
Mvc 130330091359-phpapp01Mvc 130330091359-phpapp01
Mvc 130330091359-phpapp01
Jennie Gajjar
 
AL_PCI-Cheatsheet_web
AL_PCI-Cheatsheet_webAL_PCI-Cheatsheet_web
AL_PCI-Cheatsheet_web
Derrick McBreairty
 
Soudip sinha roy
Soudip sinha roySoudip sinha roy
Soudip sinha roy
Soudip Sinha Roy
 
COMMAND_V_Kaypresentation
COMMAND_V_KaypresentationCOMMAND_V_Kaypresentation
COMMAND_V_Kaypresentation
Dayna Cotter
 
Concerto di primavera
Concerto di primaveraConcerto di primavera
Concerto di primavera
Ivan Marchitiello
 
LinkedIn Workshop: Profiles and Publishing (Digital Marketing Today)
LinkedIn Workshop: Profiles and Publishing (Digital Marketing Today)LinkedIn Workshop: Profiles and Publishing (Digital Marketing Today)
LinkedIn Workshop: Profiles and Publishing (Digital Marketing Today)
Julian Gamboa
 
Williams gregpowersportsillustrated
Williams gregpowersportsillustratedWilliams gregpowersportsillustrated
Williams gregpowersportsillustrated
gregw1234
 
Segovia Nautique Collection
Segovia Nautique CollectionSegovia Nautique Collection
Segovia Nautique Collection
segoviaasia
 
Goa Country
Goa CountryGoa Country
Goa Country
ULTRAPEDO
 
Inclusionary Zoning_McCarthy
Inclusionary Zoning_McCarthyInclusionary Zoning_McCarthy
Inclusionary Zoning_McCarthy
Lev McCarthy
 
TRC Summer Research Award_Final Report
TRC Summer Research Award_Final ReportTRC Summer Research Award_Final Report
TRC Summer Research Award_Final Report
Lev McCarthy
 
Bio 1.0 ase biodiesel overview and benefits march 14 2015 instructor notes
Bio 1.0 ase biodiesel overview and benefits march 14 2015 instructor notesBio 1.0 ase biodiesel overview and benefits march 14 2015 instructor notes
Bio 1.0 ase biodiesel overview and benefits march 14 2015 instructor notes
courtcaitlin
 
Sabin_biodata_V5
Sabin_biodata_V5Sabin_biodata_V5
Sabin_biodata_V5
Sabin Sathian
 
2013 enhancing graduates’ employability skills-malaysia
2013 enhancing graduates’ employability skills-malaysia2013 enhancing graduates’ employability skills-malaysia
2013 enhancing graduates’ employability skills-malaysia
razalibmuda
 
Kapanowski FINAL_Lean Assessment
Kapanowski FINAL_Lean AssessmentKapanowski FINAL_Lean Assessment
Kapanowski FINAL_Lean Assessment
Gary Kapanowski
 
Kapanowski Final_FUNDAMENTALS
Kapanowski Final_FUNDAMENTALSKapanowski Final_FUNDAMENTALS
Kapanowski Final_FUNDAMENTALS
Gary Kapanowski
 

Viewers also liked (20)

Space time & power.
Space time & power.Space time & power.
Space time & power.
 
DePauwThesis
DePauwThesisDePauwThesis
DePauwThesis
 
Mvc 130330091359-phpapp01
Mvc 130330091359-phpapp01Mvc 130330091359-phpapp01
Mvc 130330091359-phpapp01
 
AL_PCI-Cheatsheet_web
AL_PCI-Cheatsheet_webAL_PCI-Cheatsheet_web
AL_PCI-Cheatsheet_web
 
Soudip sinha roy
Soudip sinha roySoudip sinha roy
Soudip sinha roy
 
COMMAND_V_Kaypresentation
COMMAND_V_KaypresentationCOMMAND_V_Kaypresentation
COMMAND_V_Kaypresentation
 
Concerto di primavera
Concerto di primaveraConcerto di primavera
Concerto di primavera
 
LinkedIn Workshop: Profiles and Publishing (Digital Marketing Today)
LinkedIn Workshop: Profiles and Publishing (Digital Marketing Today)LinkedIn Workshop: Profiles and Publishing (Digital Marketing Today)
LinkedIn Workshop: Profiles and Publishing (Digital Marketing Today)
 
Williams gregpowersportsillustrated
Williams gregpowersportsillustratedWilliams gregpowersportsillustrated
Williams gregpowersportsillustrated
 
Segovia Nautique Collection
Segovia Nautique CollectionSegovia Nautique Collection
Segovia Nautique Collection
 
Goa Country
Goa CountryGoa Country
Goa Country
 
Inclusionary Zoning_McCarthy
Inclusionary Zoning_McCarthyInclusionary Zoning_McCarthy
Inclusionary Zoning_McCarthy
 
TRC Summer Research Award_Final Report
TRC Summer Research Award_Final ReportTRC Summer Research Award_Final Report
TRC Summer Research Award_Final Report
 
sujata
sujatasujata
sujata
 
Bio 1.0 ase biodiesel overview and benefits march 14 2015 instructor notes
Bio 1.0 ase biodiesel overview and benefits march 14 2015 instructor notesBio 1.0 ase biodiesel overview and benefits march 14 2015 instructor notes
Bio 1.0 ase biodiesel overview and benefits march 14 2015 instructor notes
 
Sabin_biodata_V5
Sabin_biodata_V5Sabin_biodata_V5
Sabin_biodata_V5
 
2013 enhancing graduates’ employability skills-malaysia
2013 enhancing graduates’ employability skills-malaysia2013 enhancing graduates’ employability skills-malaysia
2013 enhancing graduates’ employability skills-malaysia
 
Portfolio
PortfolioPortfolio
Portfolio
 
Kapanowski FINAL_Lean Assessment
Kapanowski FINAL_Lean AssessmentKapanowski FINAL_Lean Assessment
Kapanowski FINAL_Lean Assessment
 
Kapanowski Final_FUNDAMENTALS
Kapanowski Final_FUNDAMENTALSKapanowski Final_FUNDAMENTALS
Kapanowski Final_FUNDAMENTALS
 

Similar to A Data Privacy and Security by Design Platform‐as‐a‐Service Framework

PaaSword's main idea, technical architecture and scientific challenges
PaaSword's main idea, technical architecture and scientific challenges PaaSword's main idea, technical architecture and scientific challenges
PaaSword's main idea, technical architecture and scientific challenges
PaaSword EU Project
 
Oracle Cloud Computing Strategy
Oracle Cloud Computing StrategyOracle Cloud Computing Strategy
Oracle Cloud Computing Strategy
Rex Wang
 
Oracle Keynote Cloud Expo 11-04-09
Oracle Keynote Cloud Expo 11-04-09Oracle Keynote Cloud Expo 11-04-09
Oracle Keynote Cloud Expo 11-04-09
Rex Wang
 
No More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the CloudNo More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the Cloud
PaaSword EU Project
 
Cooperative Schedule Data Possession for Integrity Verification in Multi-Clou...
Cooperative Schedule Data Possession for Integrity Verification in Multi-Clou...Cooperative Schedule Data Possession for Integrity Verification in Multi-Clou...
Cooperative Schedule Data Possession for Integrity Verification in Multi-Clou...
IJMER
 
Practical Guide to Platform-as-a-Service
Practical Guide to Platform-as-a-Service Practical Guide to Platform-as-a-Service
Practical Guide to Platform-as-a-Service
Cloud Standards Customer Council
 
CWIN17 India / Insights platform architecture v1 0 virtual - subhadeep dutta
CWIN17 India / Insights platform architecture v1 0   virtual - subhadeep duttaCWIN17 India / Insights platform architecture v1 0   virtual - subhadeep dutta
CWIN17 India / Insights platform architecture v1 0 virtual - subhadeep dutta
Capgemini
 
A robust and verifiable threshold multi authority access control system in pu...
A robust and verifiable threshold multi authority access control system in pu...A robust and verifiable threshold multi authority access control system in pu...
A robust and verifiable threshold multi authority access control system in pu...
IJARIIT
 
Rackspace: Best Practices for Security Compliance on AWS
Rackspace: Best Practices for Security Compliance on AWSRackspace: Best Practices for Security Compliance on AWS
Rackspace: Best Practices for Security Compliance on AWS
Amazon Web Services
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
Alicja Sieminska
 
ATMOSPHERE at Digital Infrastructure for Research (DI4R) 2018
ATMOSPHERE at Digital Infrastructure for Research (DI4R) 2018ATMOSPHERE at Digital Infrastructure for Research (DI4R) 2018
ATMOSPHERE at Digital Infrastructure for Research (DI4R) 2018
ATMOSPHERE .
 
Cloud Data Protection for the Masses
Cloud Data Protection for the MassesCloud Data Protection for the Masses
Cloud Data Protection for the Masses
IRJET Journal
 
The New Stack Container Summit Talk
The New Stack Container Summit TalkThe New Stack Container Summit Talk
The New Stack Container Summit Talk
The New Stack
 
(ENT211) Migrating the US Government to the Cloud | AWS re:Invent 2014
(ENT211) Migrating the US Government to the Cloud | AWS re:Invent 2014(ENT211) Migrating the US Government to the Cloud | AWS re:Invent 2014
(ENT211) Migrating the US Government to the Cloud | AWS re:Invent 2014
Amazon Web Services
 
A Survey on Access Control Scheme for Data in Cloud with Anonymous Authentica...
A Survey on Access Control Scheme for Data in Cloud with Anonymous Authentica...A Survey on Access Control Scheme for Data in Cloud with Anonymous Authentica...
A Survey on Access Control Scheme for Data in Cloud with Anonymous Authentica...
IRJET Journal
 
Cloud computing What Why How
Cloud computing What Why HowCloud computing What Why How
Cloud computing What Why How
Asian Institute of Technology (AIT)
 
PaaSword - No More Dark Clouds with PaaSword
PaaSword - No More Dark Clouds with PaaSwordPaaSword - No More Dark Clouds with PaaSword
PaaSword - No More Dark Clouds with PaaSword
PaaSword EU Project
 
Techcello at a glance
Techcello at a glanceTechcello at a glance
Techcello at a glance
Techcello
 
DEVELOPING APPLICATION FOR CLOUD – A PROGRAMMER’S PERSPECTIVE
DEVELOPING APPLICATION FOR CLOUD – A PROGRAMMER’S PERSPECTIVEDEVELOPING APPLICATION FOR CLOUD – A PROGRAMMER’S PERSPECTIVE
DEVELOPING APPLICATION FOR CLOUD – A PROGRAMMER’S PERSPECTIVE
cscpconf
 
Data Virtualization to Survive a Multi and Hybrid Cloud World
Data Virtualization to Survive a Multi and Hybrid Cloud WorldData Virtualization to Survive a Multi and Hybrid Cloud World
Data Virtualization to Survive a Multi and Hybrid Cloud World
Denodo
 

Similar to A Data Privacy and Security by Design Platform‐as‐a‐Service Framework (20)

PaaSword's main idea, technical architecture and scientific challenges
PaaSword's main idea, technical architecture and scientific challenges PaaSword's main idea, technical architecture and scientific challenges
PaaSword's main idea, technical architecture and scientific challenges
 
Oracle Cloud Computing Strategy
Oracle Cloud Computing StrategyOracle Cloud Computing Strategy
Oracle Cloud Computing Strategy
 
Oracle Keynote Cloud Expo 11-04-09
Oracle Keynote Cloud Expo 11-04-09Oracle Keynote Cloud Expo 11-04-09
Oracle Keynote Cloud Expo 11-04-09
 
No More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the CloudNo More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the Cloud
 
Cooperative Schedule Data Possession for Integrity Verification in Multi-Clou...
Cooperative Schedule Data Possession for Integrity Verification in Multi-Clou...Cooperative Schedule Data Possession for Integrity Verification in Multi-Clou...
Cooperative Schedule Data Possession for Integrity Verification in Multi-Clou...
 
Practical Guide to Platform-as-a-Service
Practical Guide to Platform-as-a-Service Practical Guide to Platform-as-a-Service
Practical Guide to Platform-as-a-Service
 
CWIN17 India / Insights platform architecture v1 0 virtual - subhadeep dutta
CWIN17 India / Insights platform architecture v1 0   virtual - subhadeep duttaCWIN17 India / Insights platform architecture v1 0   virtual - subhadeep dutta
CWIN17 India / Insights platform architecture v1 0 virtual - subhadeep dutta
 
A robust and verifiable threshold multi authority access control system in pu...
A robust and verifiable threshold multi authority access control system in pu...A robust and verifiable threshold multi authority access control system in pu...
A robust and verifiable threshold multi authority access control system in pu...
 
Rackspace: Best Practices for Security Compliance on AWS
Rackspace: Best Practices for Security Compliance on AWSRackspace: Best Practices for Security Compliance on AWS
Rackspace: Best Practices for Security Compliance on AWS
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 
ATMOSPHERE at Digital Infrastructure for Research (DI4R) 2018
ATMOSPHERE at Digital Infrastructure for Research (DI4R) 2018ATMOSPHERE at Digital Infrastructure for Research (DI4R) 2018
ATMOSPHERE at Digital Infrastructure for Research (DI4R) 2018
 
Cloud Data Protection for the Masses
Cloud Data Protection for the MassesCloud Data Protection for the Masses
Cloud Data Protection for the Masses
 
The New Stack Container Summit Talk
The New Stack Container Summit TalkThe New Stack Container Summit Talk
The New Stack Container Summit Talk
 
(ENT211) Migrating the US Government to the Cloud | AWS re:Invent 2014
(ENT211) Migrating the US Government to the Cloud | AWS re:Invent 2014(ENT211) Migrating the US Government to the Cloud | AWS re:Invent 2014
(ENT211) Migrating the US Government to the Cloud | AWS re:Invent 2014
 
A Survey on Access Control Scheme for Data in Cloud with Anonymous Authentica...
A Survey on Access Control Scheme for Data in Cloud with Anonymous Authentica...A Survey on Access Control Scheme for Data in Cloud with Anonymous Authentica...
A Survey on Access Control Scheme for Data in Cloud with Anonymous Authentica...
 
Cloud computing What Why How
Cloud computing What Why HowCloud computing What Why How
Cloud computing What Why How
 
PaaSword - No More Dark Clouds with PaaSword
PaaSword - No More Dark Clouds with PaaSwordPaaSword - No More Dark Clouds with PaaSword
PaaSword - No More Dark Clouds with PaaSword
 
Techcello at a glance
Techcello at a glanceTechcello at a glance
Techcello at a glance
 
DEVELOPING APPLICATION FOR CLOUD – A PROGRAMMER’S PERSPECTIVE
DEVELOPING APPLICATION FOR CLOUD – A PROGRAMMER’S PERSPECTIVEDEVELOPING APPLICATION FOR CLOUD – A PROGRAMMER’S PERSPECTIVE
DEVELOPING APPLICATION FOR CLOUD – A PROGRAMMER’S PERSPECTIVE
 
Data Virtualization to Survive a Multi and Hybrid Cloud World
Data Virtualization to Survive a Multi and Hybrid Cloud WorldData Virtualization to Survive a Multi and Hybrid Cloud World
Data Virtualization to Survive a Multi and Hybrid Cloud World
 

More from PaaSword EU Project

PaaSword - Distributed Searchable Encryption Engine
PaaSword - Distributed Searchable Encryption EnginePaaSword - Distributed Searchable Encryption Engine
PaaSword - Distributed Searchable Encryption Engine
PaaSword EU Project
 
PaaSword - Context-aware Access Control
PaaSword - Context-aware Access ControlPaaSword - Context-aware Access Control
PaaSword - Context-aware Access Control
PaaSword EU Project
 
PaaSword-Business Cases
PaaSword-Business CasesPaaSword-Business Cases
PaaSword-Business Cases
PaaSword EU Project
 
Daten unter Kontrolle
Daten unter KontrolleDaten unter Kontrolle
Daten unter Kontrolle
PaaSword EU Project
 
Towards Trusted eHealth Services in the Cloud
Towards Trusted eHealth Services in the CloudTowards Trusted eHealth Services in the Cloud
Towards Trusted eHealth Services in the Cloud
PaaSword EU Project
 
A Survey on Context Security Policies in the Cloud
A Survey on Context Security Policies in the CloudA Survey on Context Security Policies in the Cloud
A Survey on Context Security Policies in the Cloud
PaaSword EU Project
 
Towards Efficient and Secure Data Storage in Multi-Tenant Cloud-Based CRM Sol...
Towards Efficient and Secure Data Storage in Multi-Tenant Cloud-Based CRM Sol...Towards Efficient and Secure Data Storage in Multi-Tenant Cloud-Based CRM Sol...
Towards Efficient and Secure Data Storage in Multi-Tenant Cloud-Based CRM Sol...
PaaSword EU Project
 
PaaSword: A Holistic Data Privacy and Security by Design Framework for Cloud ...
PaaSword: A Holistic Data Privacy and Security by Design Framework for Cloud ...PaaSword: A Holistic Data Privacy and Security by Design Framework for Cloud ...
PaaSword: A Holistic Data Privacy and Security by Design Framework for Cloud ...
PaaSword EU Project
 

A Data Privacy and Security by Design Platform‐as‐a‐Service Framework

  • 1. www.paasword.eu. A Data Privacy and Security by Design Platform‐as‐a‐Service Framework. Dr. Panagiotis Gouvas - R&D Director - Ubitech Ltd; Dr. Yiannis Verginadis - Senior Researcher - ICCS. SecureCloud 2016 - May 24, 2016, Dublin
  • 2. Agenda (PaaSword, 28/06/2016)
      - Motivation
      - Goals
      - PaaSword in a Nutshell
      - Use Cases
      - Ongoing work
  • 3. Motivation
      - The cloud paradigm has definitely prevailed
      - Most applications are delivered following the SaaS model
      - Many developers rely on PaaS offerings for scalability
      - Nearly all underlying resources (DBs, Queues etc) are outsourced at the IaaS level
      - Attack vectors have increased
      - ‘Raw data’ are the modern hacker’s holy grail
      - The responsibility for the protection of data has shifted to the developer
  • 6. Goals of PaaSword Framework
      - To create a security-by-design framework which will allow developers to engineer secure applications
      - To leverage the security and trust of data that reside on outsourced infrastructure
      - To facilitate context-aware access to encrypted and (even) physically distributed datasets stored in outsourced infrastructure
      - To prove the applicability, usability, effectiveness and value of our framework in real-life Cloud infrastructures, services and applications
  • 7. PaaSword in a Nutshell
  • 8. PaaSword Walkthrough. Two types of Annotations: 1) Encryption & Distribution 2) Policy Enforcement
  • 9. Concept of Secure Proxy [Diagram. Common (insecure) scenario: Client, Cloud DB. Desired (secure) scenario in PaaSword: Client, Proxy, Cloud DB.]
  • 10. Virtual Database Architecture [Diagram labels: User / Application; SQL; Database Proxy (trusted); Cloud (untrusted); Data (not encrypted); Data (encrypted); Data, Index1, Index2.]
  • 11. What’s New
      Original:
        ID  Name    Surname   City          Day of Birth
        1   Paul    Anderson  Athens        01.01.1979
        2   Howard  Miller    Karlsruhe     02.02.1974
        3   Henry   Cooper    Berlin        03.03.1980
        4   Henry   Jones     Thessaloniki  04.04.1985
      Data:
        ID  Encrypted Data
        1   Enc(Paul,Anderson,Athens,01.01.1979)
        2   Enc(Howard,Miller,Karlsruhe,02.02.1974)
        3   Enc(Henry,Cooper,Berlin,03.03.1980)
        4   Enc(Henry,Jones,Thessaloniki,04.04.1985)
      Index1:
        Keyword-Name  IDs
        Enc(Paul)     Enc(1)
        Enc(Howard)   Enc(2)
        Enc(Henry)    Enc(3,4)
      Index2:
        Keyword-Surname  IDs
        Enc(Anderson)    Enc(1)
        Enc(Miller)      Enc(2)
        Enc(Cooper)      Enc(3)
        Enc(Jones)       Enc(4)
      Keyword Encryption
        • AES (deterministic)
        • Support for most query types (excl. LIKE)
      Index Distribution
        • Index for same data type can be stored at different servers
      Distribution based on Privacy Constraints
        • Minimize exposure of sensitive information by careful distribution
  • 12. What about Key Creation/Sharing Policies?
  • 13. Overview Of Policies
      P1
        - Where is the TED taking place? In the PaaS container
        - TED Key Generation: Generated once during bootstrapping (in a Tenant Trusted Zone) and stored in-memory by the application
        - TED Key Usage & Sharing Policy: It is recovered by the memory on demand per each query execution
        - Modification of target schema: No Modification
        - SQL support: Yes
      P2
        - Where is the TED taking place? In the PaaS container
        - TED Key Generation: One key is generated per Tenant (in a Tenant Trusted Zone) and a pair of user_key container_key is generated out of this tenant_key
        - TED Key Usage & Sharing Policy: It is recomposed by the combination of a user_key and a container_key per each query_execution
        - Modification of target schema: No Modification
        - SQL support: Yes
      P3
        - Where is the TED taking place? Outside the container in a Tenant Trusted Zone
        - TED Key Generation: Generated once in a Tenant Trusted Zone
        - TED Key Usage & Sharing Policy: E/D Key is used only in the Tenant Trusted Zone
        - Modification of target schema: No Modification
        - SQL support: No
      P4
        - Where is the TED taking place? In the PaaS container
        - TED Key Generation: Generated once during bootstrapping (in a Tenant Trusted Zone) and stored in-memory by the application
        - TED Key Usage & Sharing Policy: It is recovered by the memory on demand per each query execution
        - Modification of target schema: Modifications required
        - SQL support: No
      P5
        - Where is the TED taking place? In the PaaS container
        - TED Key Generation: One key is generated per Tenant (in a Tenant Trusted Zone) and a pair of user_key container_key is generated out of this tenant_key
        - TED Key Usage & Sharing Policy: It is recomposed by the combination of a user_key and a container_key per each query_execution
        - Modification of target schema: Modifications required
        - SQL support: No
  • 15. Final Key Management Requirements
      - Avoid running a service at the Tenant (T) that provides the Tenant Key (TK) to the Proxy (P). Tenant administrator is offline.
      - Avoid giving TK to the Cloud Application (A) or the User (U)
      - Ensure Access Control cannot be bypassed
      - One key per tenant
      - As simple as possible
      - Recoverability
  • 16. Implemented Policy [Diagram labels: User (TKui); Application (Access Control; TKa1, TKa2, TKa3, …); DB-Proxy (TKp1, TKp2, TKp3, …); Cloud DB (Encrypted with TK); Admin Access. TK = TKui  TKai  TKpi]
  • 17. Semantic Authorization. PaaSword will deliver an XACML 3.0 compliant Auth Engine with the ability to
      - harmonize the attribute creation process through the usage of the extensible Context Model
      - decouple the level of granularity of attributes that are used to define policies with the attributes that characterize ‘subjects’, ‘objects’ and the ‘environment’
      - provide design-time conflict resolution for provided policies
  • 19. Use Cases. PaaSword Framework will be evaluated on 5 different Use Cases
      - Secure Sensors Analytics for IoT applications
      - Cloud-based Multi-tenant CRM software
      - Encrypted Persistency included in PaaS/SaaS Services
      - Multi-tenant ERP Environments
      - Platform for Cross-border Document Exchange
  • 20. Challenges
      - Functional Transparency: Developer should not implement security policies. S/he should only use them
      - Comprehensive annotation framework: Proper annotations should be created for encryption/decryption and policy access
      - Flexible Policy Management: Context-driven policies for accessing the stored information
      - Efficient Virtualization of RDBMS: realizing the appropriate query synthesis and aposynthesis capabilities
      - Flexible Key Management: mechanisms making the key usage transparent to the cloud-based applications and services
      - Extensibility: the framework should be extensible even during runtime
  • 21. Consortium [Partner logos. Legend: Industrial Partner; Scientific Partner]
  • 22. Interested in… ?
      - Getting access to early results?
      - Shaping and expanding PaaSword?
      - Networking with leading companies & research institutes?
      - Collaborating with us and the PaaSword Community?
      Join the Cloud Security Industrial Focus Group! Register at: https://www.paasword.eu/register/
  • 23. Questions? Visit us: www.paasword.eu
      Acknowledgements: This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 644814.
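
The encrypted data table and keyword indexes of slide 11, sketched as an added example (not PaaSword code): a trusted proxy answers equality queries over stores the cloud cannot read, and a partial keyword finds nothing, which is why LIKE is excluded. HMAC-SHA256 stands in for the slide's deterministic AES, the row cipher is a standard-library toy, and every name here (`Proxy`, `token`, `seal`, `select_eq`) is an assumption.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample rows, copied from the table on slide 11.
ROWS = {1: ["Paul", "Anderson", "Athens", "01.01.1979"],
        2: ["Howard", "Miller", "Karlsruhe", "02.02.1974"],
        3: ["Henry", "Cooper", "Berlin", "03.03.1980"],
        4: ["Henry", "Jones", "Thessaloniki", "04.04.1985"]}
INDEXED = {"name": 0, "surname": 1}   # indexed column -> position in the row

def token(key, column, keyword):
    """Deterministic keyword token (HMAC-SHA256 standing in for the slide's
    deterministic AES): equal keywords always map to equal tokens."""
    msg = f"{column}\x00{keyword}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def _stream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Randomized toy cipher for rows and ID lists. Demo only: it has no
    integrity protection; use an AEAD such as AES-GCM in practice."""
    data, nonce = json.dumps(obj).encode(), secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))

def unseal(key, blob):
    nonce, body = blob[:16], blob[16:]
    return json.loads(bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body)))))

class Proxy:
    """Trusted side: holds the keys, sees plaintext, rewrites queries."""
    def __init__(self):
        self.k_tok, self.k_row = secrets.token_bytes(32), secrets.token_bytes(32)
        # Untrusted side: one data store and one store per index (separable).
        self.cloud_data, self.cloud_index = {}, {c: {} for c in INDEXED}

    def insert(self, row_id, row):
        self.cloud_data[row_id] = seal(self.k_row, row)
        for col, pos in INDEXED.items():
            t = token(self.k_tok, col, row[pos])
            index = self.cloud_index[col]
            ids = unseal(self.k_row, index[t]) if t in index else []
            index[t] = seal(self.k_row, ids + [row_id])

    def select_eq(self, col, keyword):
        """SELECT * WHERE col = keyword, answered via the encrypted index."""
        blob = self.cloud_index[col].get(token(self.k_tok, col, keyword))
        ids = unseal(self.k_row, blob) if blob else []
        return [unseal(self.k_row, self.cloud_data[i]) for i in ids]

def demo():
    p = Proxy()
    for row_id, row in ROWS.items():
        p.insert(row_id, row)
    return p
```

Deterministic tokens still leak equality: the name index ends up with three entries for four rows, so the untrusted store learns how many distinct names exist and sees every repeated lookup of the same keyword.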
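
A sketch of the key requirements on slides 15 and 16, as an added example that is not PaaSword code: one tenant key TK is split into a user share, an application share and a proxy share, so that neither the user nor the application ever holds TK and the tenant administrator can stay offline after enrolment. The slide gives TK only as a combination of TKui, TKai and TKpi; the XOR combination, recomposition inside the proxy, and all class and method names are assumptions.

```python
import secrets

KEY_LEN = 32  # bytes


def combine(*shares):
    """XOR equal-length shares together (assumed combination operator)."""
    out = bytes(KEY_LEN)
    for share in shares:
        out = bytes(a ^ b for a, b in zip(out, share))
    return out


class TenantAdmin:
    """Tenant Trusted Zone: the only place the whole TK is stored."""

    def __init__(self):
        self.tk = secrets.token_bytes(KEY_LEN)

    def enroll(self, user, app, proxy):
        # Two random shares; the third is chosen so all three combine to TK.
        tk_u, tk_a = secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)
        app.shares[user] = tk_a
        proxy.shares[user] = combine(self.tk, tk_u, tk_a)
        return tk_u  # handed to the user; the admin can now go offline


class DbProxy:
    def __init__(self):
        self.shares = {}

    def recompose(self, user, tk_u, tk_a):
        # TK exists only transiently here, once per query.
        return combine(tk_u, tk_a, self.shares[user])


class Application:
    def __init__(self, proxy):
        self.shares, self.allowed, self.proxy = {}, set(), proxy

    def query_key(self, user, tk_u):
        # Access control sits in front of the application's share, so a
        # user cannot present a complete share set without passing it.
        if user not in self.allowed:
            raise PermissionError(user)
        return self.proxy.recompose(user, tk_u, self.shares[user])
```

Re-running `enroll` for a user replaces that user's shares without changing TK, which covers recoverability while keeping one key per tenant.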