The Aniketos project aims to help establish and maintain trustworthy and secure behavior in dynamically changing environments of composite services. It develops methods and tool support for the design and runtime composition of secure dynamic services. The project addresses challenges of composite security where individual services may be trustworthy but their composition is not clear. It proposes expressing security and trustworthiness requirements through models and generating security agreements. The Aniketos platform supports security definition, evaluation, monitoring, and adaptation for composite services.

1. Aniketos: Supporting Trustworthy
and Secure Composition in
Service and Cloud Environments
Per Håkon Meland
Erkuden Rios Velasco
David Llewellyn-Jones
http://aniketos.eu
4th of July 2011
Effectsplus Clustering Event, Amsterdam

2. Contents
Background
Project overview
Objective, facts, partners
Challenges we are facing
and what we can do about them…
Box image by ba1969: http://www.sxc.hu/photo/1301543
Effectsplus July 2011 2

3. Future Internet
Networked services
From monolithic full-service stack suppliers
To dynamic services built using multiple
services from multiple providers
Autonomic computing paradigm
Self-management
Self-healing
Self-configuration
Self-protection
Dynamic mix of Cloud/non-cloud services depending on
Service availability
Functionality
Price
Performance
Trustworthiness
Security features
Effectsplus July 2011 3

4. Aniketos Project
The main objective of Aniketos is to help establish
and maintain trustworthiness and secure behaviour
in a dynamically changing environment of
composite services.
Methods, tool support and security services to support
design-time creation and run-time (re-)composition of
dynamic services
Notifications about threats and changes
Socio-technical evaluations for acceptance and effective
security
ICT FP7 Objective 1.4: Secure, dependable and
trusted infrastructures
Started August 2010 running until February 2014
See http://aniketos.eu
Effectsplus July 2011 4

5. Compose Service Case Studies
Air traffic
service pool
SESAR
Future telecom services
Photo by Joe Lipson, CC license
eGovernance: Land buying
Effectsplus July 2011 5

6. Aniketos Consortium
Athens Technology Center SA
Atos Origin
DAEM S.A.
DeepBlue
SELEX ELSAG (ex Elsag Datamat)
Italtel
Liverpool John Moores University
National Research Council of Italy
SAP
SEARCH Lab Ltd
Stiftelsen SINTEF
Tecnalia Research & Innovation
Thales
University of Salzburg
University of Trento
Waterford Institute of Technology
Wind Telecomunicazioni S.p.A.
Effectsplus July 2011 6

7. Composite Security
Not just enforcing single security property on
all services
Distributed services from multiple providers
Difficulty knowing if a policy is violated or not
Service providers agree to fulfil a customer’s
policy
Need to know whether their service can fulfil it
Need to decide whether this is the case
Need tools to determine security properties
based on composition
Effectsplus July 2011 7

8. Example
A ‘recursive services’ scenario
Using a service, don’t need to know (or
care) whether it’s a single service or
composite service
When determining the trustworthiness
or security of a service, these issues
may be critical!
Data flow:
Where is my data stored?
Who has access to these data?
How are they stored?
How are they deleted?
Which laws and policies apply?
Effectsplus July 2011 8

9. Source: http://www.zdnet.com/blog/igeneration/microsoft-admits-patriot-act-can-access-eu-based-cloud-data/11225
Effectsplus July 2011 9

10. Composite Trust
Services require not just security, but also trust
Service provider claims to fulfil a security policy
How can a service consumer trust this?
Need tools for quantification of
trustworthiness and verification
Composite services introduce
Composite trust
Chains of trust
Requirements on careful attribution
Who’s trustworthiness rating should be affected if something goes
wrong?
Effectsplus July 2011 10

11. Aniketos Remedies for
Composite Security and Trust
Express security and trustworthiness requirements
through graphical modelling
Generation of security SLA templates
Discovery, matching and planning
Provide design-time and runtime modules for evaluating
and monitoring security and trustworthiness between
service stakeholders
Subscription-based notifications and alerts (“early-
warning”)
Effectsplus July 2011 11

12. Societal Acceptance
and Effective Security
Trust and security are not only technical matters
Depend heavily on the human factors to be effective
Composite services are often complex
Service end user should have an easy and understandable way of
relying on its trustworthiness
Aniketos contribution
Define a user-centred view on service trust and security
Investigate user acceptance and practical usability
Use case studies for future European services
Effectsplus July 2011 12

13. Summary of Security and Trust
Challenges for the Future Internet
Services made up of other services
Service composition may not be obvious externally
Services provided by multiple providers
Service components change; trust information
may not be available
Widespread adoption means security must
be clear for non-technical users
Padlock image from arinas74: http://www.sxc.hu/photo/1056349
Effectsplus July 2011 13

14. Aniketos Approach
Make composite services able to establish and maintain security and trustworthiness
Effectsplus July 2011 14 / 27

15. Aniketos Approach
Make composite services able to establish and maintain security and trustworthiness
Effectsplus July 2011 15 / 27

16. Aniketos Approach – Objectives
Ensure and manage trustworthiness of interoperable and
dynamically evolving services (through trust models and metrics)
Develop integral framework providing methods and tool support for
secure interoperable service development, composition, adaptation
and management through concept of Security Engineering
Define how to efficiently analyse, solve and share information on how
new threats and vulnerabilities can be mitigated or how services can
adapt to them
Promote and contribute to best practices, standards and own
certification work related to security and trust
Demonstrate and evaluate practical use of security techniques,
frameworks, patterns and tools in ordinary development of software
and service with end-user trials
Effectsplus July 2011 16 / 27

17. Aniketos Approach
Effectsplus July 2011 17 / 27

18. Platform Overview
This approach is reflected in the platform design
Incorporates The Aniketos platform
The Aniketos platform
Design-time support Design-time support Runtime support
Design-time support Runtime support
Run-time support Trustworthiness definition Trustworthiness monitoring
and evaluation
Trustworthiness definition and evaluation
Trustworthiness monitoring
Community support and evaluation and evaluation
Security property definition Runtime validation of secure
Security properties are defined and evaluated Securityevaluation
and property definition
and evaluation
service behaviour
Runtime validation of secure
service behaviour
Trustworthiness underpins security claims Composite service analysis
and preparation
Composite service analysis
Composite service adaptation
and recomposition
Composite service adaptation
and preparation and recomposition
Threat context included in analysis
Community support
Composite analysis allows trust and security Community support
properties to be understood in the context of Reference architecture and
patterns
Reference architecture and
Threat analysis and notification
Threat analysis and notification
patterns
composite services End user trust and assurance Aniketos market place
End user trust and assurance Aniketos market place
Support provided in terms of
Reference designs and security patterns
Threat information
Notifications
Effectsplus July 2011 18 / 27

19. Key Concepts
Trust
Used to determine whether offered security contracts are likely to
be adhered to
Security
Security requirements are defined by a security contract requested
by the consumer, and fulfilled by a security policy agreed by the
provider
Threats
Threats define the context
Different security may be needed as new threats and
vulnerabilities are identified
Effectsplus July 2011 19 / 27

20. Threat Detection and Response
Service deployment environment is dynamic
Fluctuating threats picture for service providers
Changing operating conditions for end users
New attack methods and capabilities emerge
Flaws and vulnerabilities may be discovered in services
Aniketos contribution
Investigating new threat landscape
Investigate threats to composite services
Undertake work in understanding their nature
Establish how to deal with them
Effectsplus July 2011 20/27