SlideShare a Scribd company logo
PaaSword: A Holistic Data Privacy and Security
by Design Framework for Cloud Services
Yiannis Verginadis, Antonis Michalas, Panagiotis Gouvas,
Gunther Schiefer, Gerald Hubsch, Iraklis Paraskakis
CLOSER 2015, Lisbon, May 21, 2015
Information Management Unit / ICCS of NTUA www.imu.iccs.gr
Agenda
 Introduction
 Data Security Challenges in the Cloud
 PaaSword Framework
 Conclusions
Information Management Unit / ICCS of NTUA www.imu.iccs.gr
Introduction
 Many users have started relying on cloud services without realizing it
 Many companies have remained cautious due to security concerns
 Applications and storage volumes often reside next to potentially hostile
virtual environments, leaving sensitive information at risk to theft,
unauthorized exposure or malicious manipulation
 Governmental regulation presents an additional concern of significant
legal and financial consequences if data confidentiality is breached
Focused interest Experimentation Near ubiquitous use
CloudAdoption
Information Management Unit / ICCS of NTUA www.imu.iccs.gr
Related Work
 Commonly used access control models (Ferrari 2010) are:
 Mandatory Access Control (MAC)
 Discretionary Access Control (DAC)
 Role-Based Access Control (RBAC)
 Extending these models:
 location-aware access control (LAAC) - there is a clear lack of
supporting additional pertinent contextual information (Cleeff et
al.,2010)
 context-aware access control (CAAC) – with shortcomings like:

lack of support for dynamically generated context (Covington et al., 2001)

lack of fine-grained data access control (Kayes et al., 2013)
Information Management Unit / ICCS of NTUA www.imu.iccs.gr
Related Work (contd.)
 Regarding the policy management there is lack of proper separation
of concerns (Kourtesis and Paraskakis, 2012)
 The policy definition and policy enforcement are entangled in the
implementation of a single software component, leading to the lack of

portability

explicit representation of policy relationships
 Regarding the data distribution and encryption algorithms...
 Gentry (2009), introduced the first fully homomorphic encryption
scheme that enables semantically secure outsourcing to the cloud

but presents severe performance issues
 In CryptDB (Popa et al., 2011), the concept of onions was used

with the main drawback the lack of security guarantees to the client
Information Management Unit / ICCS of NTUA www.imu.iccs.gr
Agenda
 Introduction
 Data Security Challenges in the Cloud
 PaaSword Framework
 Conclusions
Information Management Unit / ICCS of NTUA www.imu.iccs.gr
Security Challenges in the Cloud
 Top four threats identified (CSA, 2013) are:
 data leakage
 data loss
 account hijacking
 insecure APIs
 The most critical part of a modern cloud application is the data
persistency layer and the database itself
 The OWASP foundation has categorized the database-related
attacks as the most critical ones
 SQL injections represents 17% of all security breaches examined
 These attacks were responsible for 83% of the total records stolen,
from 2005 to 2011
Information Management Unit / ICCS of NTUA www.imu.iccs.gr
Security Challenges in the Cloud (contd.)
 Most of the security fences that are configured in a corporate
environment target the fortification of the so-called network
perimeter
 e.g. routers, hosts and virtual machines
 IDS and IPS try to cope with database-takeover security aspects,
but the risk of database compromise is greater than ever, as:
 automated exploitation tools (e.g. SQLMap) are widely spread
 IPS and IDS evasion techniques have become extremely sophisticated
 Internal adversaries or even unknown vulnerabilities of software
platforms widely adopted in the cloud may provide malicious access
to sensitive data
 e.g. Heartbleed flaw - constituted a serious fault in the OpenSSL
cryptography library, which remained unnoticed for more than two years
and affected over 60% of Web servers worldwide
Information Management Unit / ICCS of NTUA www.imu.iccs.gr
Security Challenges in the Cloud (contd.)
 Regarding the post-exploitation phase things are even worse in the
case where a symmetric encryption algorithm has been employed
 cracking toolkits that utilize GPU processing power (e.g. oclHashcat) are able to
crack ciphers using brute-force techniques with an attack rate of 162 billion
attempts per second
 The application developer is the one responsible for both
 sanitizing all HTTP-input parameters
 reassuring that compromised data will be useless
 Nevertheless, the mere utilization of an IaaS or PaaS provider, may
by itself spawn a multitude of inherent vulnerabilities
 that cannot be tackled effectively as they typically exceed the
responsibilities of an application developer
Information Management Unit / ICCS of NTUA www.imu.iccs.gr
Agenda
 Introduction
 Data Security Challenges in the Cloud
 PaaSword Framework
 Conclusions
Information Management Unit / ICCS of NTUA www.imu.iccs.gr
Threat Model
 We assume a semi-honest adversarial model for the cloud provider
(Paladi et al., 2014; Santos et al., 2009)
 a malicious cloud provider correctly follows the protocol specification
but can intercept all messages and may attempt to use them in order to
learn information that otherwise should remain private
 For the rest of the participants we consider the threat model (Santos
et al., 2009) that assumes that privileged access rights can be used
by a remote adversary, ADV, to leak confidential information
 e.g. a corrupted system administrator, can obtain remote access to any
host maintained by the provider.
 the adversary cannot access the volatile memory of any guest virtual
machine (VM) residing on the compute hosts of the provider
Information Management Unit / ICCS of NTUA www.imu.iccs.gr
Context-aware Access Model
 We envision a XACML-based context-aware access model,
 which is needed by the developers in order to annotate the Data Access
Objects of their applications
Information Management Unit / ICCS of NTUA www.imu.iccs.gr
Facets of the Context-Aware Access Model
Facets
IP
Address
(Local)
Time
Location Device
Type
Data
Connection
Type
etc…
Patterns
Frequency Usual
Duration
Usual
Dates
Usual
Hours
Previously
Accessed
Data
Sensitive / Non Sensitive Data
Role
Information Management Unit / ICCS of NTUA www.imu.iccs.gr
Policies Access, Governance and Enforcement
 A middleware that will provide:
 a transparent key usage for efficient authentication purposes,
 annotation capabilities in the form of a tool (IDE plugin) for allowing
developers to declaratively create the minimum amount of rule-set that
is needed for security enforcement purposes
 dynamically interpret the DAO annotations into policy enforcement
rules
 the governance and quality control of the annotations and their
respective policy rules
 the formulation and implementation of the overall policy enforcement
business logic
Information Management Unit / ICCS of NTUA www.imu.iccs.gr
 Devise an appropriate
vocabulary of concepts and
decide how they are
interrelated
 Populate the framework with
appropriate instances to give
rise to DAOs
 Formalise these concepts and
their interrelations – gives rise
to the ontology framework
Ontology for Access Policies
Information Management Unit / ICCS of NTUA www.imu.iccs.gr
Secure Storage
 We propose a design for a cryptographic cloud storage that will be
based on a symmetric searchable encryption (SSE) scheme similar
to (Kamara and Lauter, 2010)
 We plan to extend the previous work Cumulus4j (Huber et al., 2013)
and MimoSecco (Gabel and Hubsch, 2014)) that hides relations
between different data values of a data row
Information Management Unit / ICCS of NTUA www.imu.iccs.gr
PaaSword High-level View
Information Management Unit / ICCS of NTUA www.imu.iccs.gr
Conceptual Architecture
Information Management Unit / ICCS of NTUA www.imu.iccs.gr
Agenda
 Introduction
 Data Security Challenges in the Cloud
 PaaSword Framework
 Conclusions
Information Management Unit / ICCS of NTUA www.imu.iccs.gr
Conclusions & Next Steps
 Future work involves the implementation of the proposed framework
 This solution will be validated through 5 pilots:
 Encrypted persistency as a service in a PaaS provider
 Intergovernmental secure document and personal data exchange
 Secure sensors data fusion and analytics
 Protection of personal data in a multi-tenant CRM
 Protection of sensible enterprise information in multi-tenant ERP
Thank you for listening!
Acknowledgements:
This work is related to the PaaSword project and
has received funding from the European
Union’s Horizon 2020 research and
innovation programme under grant

More Related Content

What's hot

Iaetsd secure data storage against attacks in cloud
Iaetsd secure data storage against attacks in cloudIaetsd secure data storage against attacks in cloud
Iaetsd secure data storage against attacks in cloud
Iaetsd Iaetsd
 
Cloud technology to ensure the protection of fundamental methods and use of i...
Cloud technology to ensure the protection of fundamental methods and use of i...Cloud technology to ensure the protection of fundamental methods and use of i...
Cloud technology to ensure the protection of fundamental methods and use of i...
SubmissionResearchpa
 
Hans Bos
Hans BosHans Bos
Hans Bos
Dutch Power
 
Design and implement a new cloud security method based on multi clouds on ope...
Design and implement a new cloud security method based on multi clouds on ope...Design and implement a new cloud security method based on multi clouds on ope...
Design and implement a new cloud security method based on multi clouds on ope...
csandit
 
Cloud Security using NIST guidelines
Cloud Security using NIST guidelinesCloud Security using NIST guidelines
Cloud Security using NIST guidelines
Srishti Ahuja
 
E-Mail Systems In Cloud Computing Environment Privacy,Trust And Security Chal...
E-Mail Systems In Cloud Computing Environment Privacy,Trust And Security Chal...E-Mail Systems In Cloud Computing Environment Privacy,Trust And Security Chal...
E-Mail Systems In Cloud Computing Environment Privacy,Trust And Security Chal...
IJERA Editor
 
Cloud Security using NIST guidelines
Cloud Security using NIST guidelinesCloud Security using NIST guidelines
Cloud Security using NIST guidelines
Srishti Ahuja
 
Proposed Model for Enhancing Data Storage Security in Cloud Computing Systems
Proposed Model for Enhancing Data Storage Security in Cloud Computing SystemsProposed Model for Enhancing Data Storage Security in Cloud Computing Systems
Proposed Model for Enhancing Data Storage Security in Cloud Computing Systems
Hossam Al-Ansary
 
Cloud Security for U.S. Military Agencies
Cloud Security for U.S. Military AgenciesCloud Security for U.S. Military Agencies
Cloud Security for U.S. Military Agencies
NJVC, LLC
 
Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...
Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...
Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...
IJIR JOURNALS IJIRUSA
 
Security Architecture and Design - CISSP
Security Architecture and Design - CISSPSecurity Architecture and Design - CISSP
Security Architecture and Design - CISSP
Srishti Ahuja
 
IRJET- Design and Analytical Study of Id Based Pixel Secured Cloud Enablem...
IRJET- 	  Design and Analytical Study of Id Based Pixel Secured Cloud Enablem...IRJET- 	  Design and Analytical Study of Id Based Pixel Secured Cloud Enablem...
IRJET- Design and Analytical Study of Id Based Pixel Secured Cloud Enablem...
IRJET Journal
 
(Pdf) yury chemerkin _i-society-2013 proceedings
(Pdf) yury chemerkin _i-society-2013 proceedings(Pdf) yury chemerkin _i-society-2013 proceedings
(Pdf) yury chemerkin _i-society-2013 proceedings
STO STRATEGY
 
Investigative analysis of security issues and challenges in cloud computing a...
Investigative analysis of security issues and challenges in cloud computing a...Investigative analysis of security issues and challenges in cloud computing a...
Investigative analysis of security issues and challenges in cloud computing a...
IAEME Publication
 
Analysis of classical encryption techniques in cloud computing
Analysis of classical encryption techniques in cloud computingAnalysis of classical encryption techniques in cloud computing
Analysis of classical encryption techniques in cloud computing
redpel dot com
 
Achieving Data Dissemination with Security using FIWARE and Intel Software Gu...
Achieving Data Dissemination with Security using FIWARE and Intel Software Gu...Achieving Data Dissemination with Security using FIWARE and Intel Software Gu...
Achieving Data Dissemination with Security using FIWARE and Intel Software Gu...
Dalton Valadares
 
Secure Channel Establishment Techniques for Homomorphic Encryption in Cloud C...
Secure Channel Establishment Techniques for Homomorphic Encryption in Cloud C...Secure Channel Establishment Techniques for Homomorphic Encryption in Cloud C...
Secure Channel Establishment Techniques for Homomorphic Encryption in Cloud C...
IRJET Journal
 
Blueprint for Cyber Security Zone Modeling
Blueprint for Cyber Security Zone ModelingBlueprint for Cyber Security Zone Modeling
Blueprint for Cyber Security Zone Modeling
ITIIIndustries
 
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORKCYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
Maganathin Veeraragaloo
 

What's hot (19)

Iaetsd secure data storage against attacks in cloud
Iaetsd secure data storage against attacks in cloudIaetsd secure data storage against attacks in cloud
Iaetsd secure data storage against attacks in cloud
 
Cloud technology to ensure the protection of fundamental methods and use of i...
Cloud technology to ensure the protection of fundamental methods and use of i...Cloud technology to ensure the protection of fundamental methods and use of i...
Cloud technology to ensure the protection of fundamental methods and use of i...
 
Hans Bos
Hans BosHans Bos
Hans Bos
 
Design and implement a new cloud security method based on multi clouds on ope...
Design and implement a new cloud security method based on multi clouds on ope...Design and implement a new cloud security method based on multi clouds on ope...
Design and implement a new cloud security method based on multi clouds on ope...
 
Cloud Security using NIST guidelines
Cloud Security using NIST guidelinesCloud Security using NIST guidelines
Cloud Security using NIST guidelines
 
E-Mail Systems In Cloud Computing Environment Privacy,Trust And Security Chal...
E-Mail Systems In Cloud Computing Environment Privacy,Trust And Security Chal...E-Mail Systems In Cloud Computing Environment Privacy,Trust And Security Chal...
E-Mail Systems In Cloud Computing Environment Privacy,Trust And Security Chal...
 
Cloud Security using NIST guidelines
Cloud Security using NIST guidelinesCloud Security using NIST guidelines
Cloud Security using NIST guidelines
 
Proposed Model for Enhancing Data Storage Security in Cloud Computing Systems
Proposed Model for Enhancing Data Storage Security in Cloud Computing SystemsProposed Model for Enhancing Data Storage Security in Cloud Computing Systems
Proposed Model for Enhancing Data Storage Security in Cloud Computing Systems
 
Cloud Security for U.S. Military Agencies
Cloud Security for U.S. Military AgenciesCloud Security for U.S. Military Agencies
Cloud Security for U.S. Military Agencies
 
Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...
Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...
Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...
 
Security Architecture and Design - CISSP
Security Architecture and Design - CISSPSecurity Architecture and Design - CISSP
Security Architecture and Design - CISSP
 
IRJET- Design and Analytical Study of Id Based Pixel Secured Cloud Enablem...
IRJET- 	  Design and Analytical Study of Id Based Pixel Secured Cloud Enablem...IRJET- 	  Design and Analytical Study of Id Based Pixel Secured Cloud Enablem...
IRJET- Design and Analytical Study of Id Based Pixel Secured Cloud Enablem...
 
(Pdf) yury chemerkin _i-society-2013 proceedings
(Pdf) yury chemerkin _i-society-2013 proceedings(Pdf) yury chemerkin _i-society-2013 proceedings
(Pdf) yury chemerkin _i-society-2013 proceedings
 
Investigative analysis of security issues and challenges in cloud computing a...
Investigative analysis of security issues and challenges in cloud computing a...Investigative analysis of security issues and challenges in cloud computing a...
Investigative analysis of security issues and challenges in cloud computing a...
 
Analysis of classical encryption techniques in cloud computing
Analysis of classical encryption techniques in cloud computingAnalysis of classical encryption techniques in cloud computing
Analysis of classical encryption techniques in cloud computing
 
Achieving Data Dissemination with Security using FIWARE and Intel Software Gu...
Achieving Data Dissemination with Security using FIWARE and Intel Software Gu...Achieving Data Dissemination with Security using FIWARE and Intel Software Gu...
Achieving Data Dissemination with Security using FIWARE and Intel Software Gu...
 
Secure Channel Establishment Techniques for Homomorphic Encryption in Cloud C...
Secure Channel Establishment Techniques for Homomorphic Encryption in Cloud C...Secure Channel Establishment Techniques for Homomorphic Encryption in Cloud C...
Secure Channel Establishment Techniques for Homomorphic Encryption in Cloud C...
 
Blueprint for Cyber Security Zone Modeling
Blueprint for Cyber Security Zone ModelingBlueprint for Cyber Security Zone Modeling
Blueprint for Cyber Security Zone Modeling
 
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORKCYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
 

Viewers also liked

Keeping up with the Revolution in IT Security
Keeping up with the Revolution in IT SecurityKeeping up with the Revolution in IT Security
Keeping up with the Revolution in IT Security
Distil Networks
 
Keynote Address at 2013 CloudCon: A day in the life of the SMB by Michael To...
Keynote Address at 2013 CloudCon: A day in the life of the SMB  by Michael To...Keynote Address at 2013 CloudCon: A day in the life of the SMB  by Michael To...
Keynote Address at 2013 CloudCon: A day in the life of the SMB by Michael To...
exponential-inc
 
Winning the war against data- Strategies to beat your arch nemesis: files - G...
Winning the war against data- Strategies to beat your arch nemesis: files - G...Winning the war against data- Strategies to beat your arch nemesis: files - G...
Winning the war against data- Strategies to beat your arch nemesis: files - G...
Spiceworks
 
Enterprise 2.0: What it is and why it matters
Enterprise 2.0: What it is and why it mattersEnterprise 2.0: What it is and why it matters
Enterprise 2.0: What it is and why it matters
digitallibrary
 
SMB Security Opportunity –Use and Plans for Solutions and Profile of "Securit...
SMB Security Opportunity –Use and Plans for Solutions and Profile of "Securit...SMB Security Opportunity –Use and Plans for Solutions and Profile of "Securit...
SMB Security Opportunity –Use and Plans for Solutions and Profile of "Securit...
Motty Ben Atia
 
Building a database security program
Building a database security programBuilding a database security program
Building a database security program
matt_presson
 
Box.net overview
Box.net overviewBox.net overview
Box.net overview
Eric McDuffee
 
Security Essentials for the SMB IT Network (on a Shoestring Budget!) - Adam W...
Security Essentials for the SMB IT Network (on a Shoestring Budget!) - Adam W...Security Essentials for the SMB IT Network (on a Shoestring Budget!) - Adam W...
Security Essentials for the SMB IT Network (on a Shoestring Budget!) - Adam W...
Spiceworks
 
Advanced IT and Cyber Security for Your Business
Advanced IT and Cyber Security for Your BusinessAdvanced IT and Cyber Security for Your Business
Advanced IT and Cyber Security for Your Business
Infopulse
 
The next generation of IT security
The next generation of IT securityThe next generation of IT security
The next generation of IT security
Sophos Benelux
 
Robbery Prevention for Small Businesses
Robbery Prevention for Small BusinessesRobbery Prevention for Small Businesses
Robbery Prevention for Small Businesses
Fundera
 
Windows 10 Enterprise E3 - Best in Class Security and Control - Presented by ...
Windows 10 Enterprise E3 - Best in Class Security and Control - Presented by ...Windows 10 Enterprise E3 - Best in Class Security and Control - Presented by ...
Windows 10 Enterprise E3 - Best in Class Security and Control - Presented by ...
David J Rosenthal
 
Security Guide For Small Business
Security Guide For Small BusinessSecurity Guide For Small Business
Security Guide For Small Business
BrendanRose
 
Challenges Of Global Data Collection
Challenges Of Global Data Collection   Challenges Of Global Data Collection
Challenges Of Global Data Collection
ResearchShare
 
5 Step Data Security Plan for Small Businesses
5 Step Data Security Plan for Small Businesses5 Step Data Security Plan for Small Businesses
5 Step Data Security Plan for Small Businesses
Wilkins Consulting, LLC
 
Big data security challenges and recommendations!
Big data security challenges and recommendations!Big data security challenges and recommendations!
Big data security challenges and recommendations!
cisoplatform
 
Small business data security
Small business data securitySmall business data security
Small business data security
David Usher
 
Big Data Security with Hadoop
Big Data Security with HadoopBig Data Security with Hadoop
Big Data Security with Hadoop
Cloudera, Inc.
 
Big data security
Big data securityBig data security
Big data security
Joey Echeverria
 
Infrastructure API Lightning Talk by Jeremy Pollard of box.com
Infrastructure API Lightning Talk by Jeremy Pollard of box.comInfrastructure API Lightning Talk by Jeremy Pollard of box.com
Infrastructure API Lightning Talk by Jeremy Pollard of box.com
DevOps4Networks
 

Viewers also liked (20)

Keeping up with the Revolution in IT Security
Keeping up with the Revolution in IT SecurityKeeping up with the Revolution in IT Security
Keeping up with the Revolution in IT Security
 
Keynote Address at 2013 CloudCon: A day in the life of the SMB by Michael To...
Keynote Address at 2013 CloudCon: A day in the life of the SMB  by Michael To...Keynote Address at 2013 CloudCon: A day in the life of the SMB  by Michael To...
Keynote Address at 2013 CloudCon: A day in the life of the SMB by Michael To...
 
Winning the war against data- Strategies to beat your arch nemesis: files - G...
Winning the war against data- Strategies to beat your arch nemesis: files - G...Winning the war against data- Strategies to beat your arch nemesis: files - G...
Winning the war against data- Strategies to beat your arch nemesis: files - G...
 
Enterprise 2.0: What it is and why it matters
Enterprise 2.0: What it is and why it mattersEnterprise 2.0: What it is and why it matters
Enterprise 2.0: What it is and why it matters
 
SMB Security Opportunity –Use and Plans for Solutions and Profile of "Securit...
SMB Security Opportunity –Use and Plans for Solutions and Profile of "Securit...SMB Security Opportunity –Use and Plans for Solutions and Profile of "Securit...
SMB Security Opportunity –Use and Plans for Solutions and Profile of "Securit...
 
Building a database security program
Building a database security programBuilding a database security program
Building a database security program
 
Box.net overview
Box.net overviewBox.net overview
Box.net overview
 
Security Essentials for the SMB IT Network (on a Shoestring Budget!) - Adam W...
Security Essentials for the SMB IT Network (on a Shoestring Budget!) - Adam W...Security Essentials for the SMB IT Network (on a Shoestring Budget!) - Adam W...
Security Essentials for the SMB IT Network (on a Shoestring Budget!) - Adam W...
 
Advanced IT and Cyber Security for Your Business
Advanced IT and Cyber Security for Your BusinessAdvanced IT and Cyber Security for Your Business
Advanced IT and Cyber Security for Your Business
 
The next generation of IT security
The next generation of IT securityThe next generation of IT security
The next generation of IT security
 
Robbery Prevention for Small Businesses
Robbery Prevention for Small BusinessesRobbery Prevention for Small Businesses
Robbery Prevention for Small Businesses
 
Windows 10 Enterprise E3 - Best in Class Security and Control - Presented by ...
Windows 10 Enterprise E3 - Best in Class Security and Control - Presented by ...Windows 10 Enterprise E3 - Best in Class Security and Control - Presented by ...
Windows 10 Enterprise E3 - Best in Class Security and Control - Presented by ...
 
Security Guide For Small Business
Security Guide For Small BusinessSecurity Guide For Small Business
Security Guide For Small Business
 
Challenges Of Global Data Collection
Challenges Of Global Data Collection   Challenges Of Global Data Collection
Challenges Of Global Data Collection
 
5 Step Data Security Plan for Small Businesses
5 Step Data Security Plan for Small Businesses5 Step Data Security Plan for Small Businesses
5 Step Data Security Plan for Small Businesses
 
Big data security challenges and recommendations!
Big data security challenges and recommendations!Big data security challenges and recommendations!
Big data security challenges and recommendations!
 
Small business data security
Small business data securitySmall business data security
Small business data security
 
Big Data Security with Hadoop
Big Data Security with HadoopBig Data Security with Hadoop
Big Data Security with Hadoop
 
Big data security
Big data securityBig data security
Big data security
 
Infrastructure API Lightning Talk by Jeremy Pollard of box.com
Infrastructure API Lightning Talk by Jeremy Pollard of box.comInfrastructure API Lightning Talk by Jeremy Pollard of box.com
Infrastructure API Lightning Talk by Jeremy Pollard of box.com
 

Similar to PaaSword: A Holistic Data Privacy and Security by Design Framework for Cloud Services

DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...
DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...
DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...
cscpconf
 
No More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the CloudNo More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the Cloud
PaaSword EU Project
 
Project 3
Project 3Project 3
Project 3
Priyanka Goswami
 
Secure modelling schema of distributed information
Secure modelling schema of distributed informationSecure modelling schema of distributed information
Secure modelling schema of distributed information
iaemedu
 
Secure modelling schema of distributed information access management in cloud...
Secure modelling schema of distributed information access management in cloud...Secure modelling schema of distributed information access management in cloud...
Secure modelling schema of distributed information access management in cloud...
iaemedu
 
AbstractCloud computing technology has become the new fron.docx
AbstractCloud computing technology has become the new fron.docxAbstractCloud computing technology has become the new fron.docx
AbstractCloud computing technology has become the new fron.docx
SALU18
 
SECURE CLOUD ARCHITECTURE
SECURE CLOUD ARCHITECTURESECURE CLOUD ARCHITECTURE
SECURE CLOUD ARCHITECTURE
acijjournal
 
B018211016
B018211016B018211016
B018211016
IOSR Journals
 
A Survey on Context Security Policies in the Cloud
A Survey on Context Security Policies in the CloudA Survey on Context Security Policies in the Cloud
A Survey on Context Security Policies in the Cloud
PaaSword EU Project
 
EFFECTIVE METHOD FOR MANAGING AUTOMATION AND MONITORING IN MULTI-CLOUD COMPUT...
EFFECTIVE METHOD FOR MANAGING AUTOMATION AND MONITORING IN MULTI-CLOUD COMPUT...EFFECTIVE METHOD FOR MANAGING AUTOMATION AND MONITORING IN MULTI-CLOUD COMPUT...
EFFECTIVE METHOD FOR MANAGING AUTOMATION AND MONITORING IN MULTI-CLOUD COMPUT...
IJNSA Journal
 
Cloud computing
Cloud computingCloud computing
Cloud computing
Dulith Kasun
 
MIST Effective Masquerade Attack Detection in the Cloud
MIST Effective Masquerade Attack Detection in the CloudMIST Effective Masquerade Attack Detection in the Cloud
MIST Effective Masquerade Attack Detection in the Cloud
Kumar Goud
 
IRJET - Data Security in Cloud Computing using Homomorphic Algoritham
IRJET - Data Security in Cloud Computing using Homomorphic AlgorithamIRJET - Data Security in Cloud Computing using Homomorphic Algoritham
IRJET - Data Security in Cloud Computing using Homomorphic Algoritham
IRJET Journal
 
Evaluation Of The Data Security Methods In Cloud Computing Environments
Evaluation Of The Data Security Methods In Cloud Computing EnvironmentsEvaluation Of The Data Security Methods In Cloud Computing Environments
Evaluation Of The Data Security Methods In Cloud Computing Environments
ijfcstjournal
 
Cloud security
Cloud security Cloud security
Cloud security
Mohamed Shalash
 
IRJET - Multimedia Security on Cloud Computing using Cryptography
IRJET - Multimedia Security on Cloud Computing using CryptographyIRJET - Multimedia Security on Cloud Computing using Cryptography
IRJET - Multimedia Security on Cloud Computing using Cryptography
IRJET Journal
 
Mitigating the Integrity Issues in Cloud Computing Utilizing Cryptography Alg...
Mitigating the Integrity Issues in Cloud Computing Utilizing Cryptography Alg...Mitigating the Integrity Issues in Cloud Computing Utilizing Cryptography Alg...
Mitigating the Integrity Issues in Cloud Computing Utilizing Cryptography Alg...
AJASTJournal
 
Reliable security in cloud computing environment 2-3-4-5-6
Reliable security in cloud computing environment 2-3-4-5-6Reliable security in cloud computing environment 2-3-4-5-6
Reliable security in cloud computing environment 2-3-4-5-6
IAEME Publication
 
Threat Modeling of Cloud based Implementation of Homomorphic Encryption
Threat Modeling of Cloud based Implementation of Homomorphic EncryptionThreat Modeling of Cloud based Implementation of Homomorphic Encryption
Threat Modeling of Cloud based Implementation of Homomorphic Encryption
ijcisjournal
 
Security Issues in Cloud Computing by rahul abhishek
Security Issues in Cloud Computing  by rahul abhishekSecurity Issues in Cloud Computing  by rahul abhishek
Security Issues in Cloud Computing by rahul abhishek
Er. rahul abhishek
 

Similar to PaaSword: A Holistic Data Privacy and Security by Design Framework for Cloud Services (20)

DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...
DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...
DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...
 
No More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the CloudNo More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the Cloud
 
Project 3
Project 3Project 3
Project 3
 
Secure modelling schema of distributed information
Secure modelling schema of distributed informationSecure modelling schema of distributed information
Secure modelling schema of distributed information
 
Secure modelling schema of distributed information access management in cloud...
Secure modelling schema of distributed information access management in cloud...Secure modelling schema of distributed information access management in cloud...
Secure modelling schema of distributed information access management in cloud...
 
AbstractCloud computing technology has become the new fron.docx
AbstractCloud computing technology has become the new fron.docxAbstractCloud computing technology has become the new fron.docx
AbstractCloud computing technology has become the new fron.docx
 
SECURE CLOUD ARCHITECTURE
SECURE CLOUD ARCHITECTURESECURE CLOUD ARCHITECTURE
SECURE CLOUD ARCHITECTURE
 
B018211016
B018211016B018211016
B018211016
 
A Survey on Context Security Policies in the Cloud
A Survey on Context Security Policies in the CloudA Survey on Context Security Policies in the Cloud
A Survey on Context Security Policies in the Cloud
 
EFFECTIVE METHOD FOR MANAGING AUTOMATION AND MONITORING IN MULTI-CLOUD COMPUT...
EFFECTIVE METHOD FOR MANAGING AUTOMATION AND MONITORING IN MULTI-CLOUD COMPUT...EFFECTIVE METHOD FOR MANAGING AUTOMATION AND MONITORING IN MULTI-CLOUD COMPUT...
EFFECTIVE METHOD FOR MANAGING AUTOMATION AND MONITORING IN MULTI-CLOUD COMPUT...
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
MIST Effective Masquerade Attack Detection in the Cloud
MIST Effective Masquerade Attack Detection in the CloudMIST Effective Masquerade Attack Detection in the Cloud
MIST Effective Masquerade Attack Detection in the Cloud
 
IRJET - Data Security in Cloud Computing using Homomorphic Algoritham
IRJET - Data Security in Cloud Computing using Homomorphic AlgorithamIRJET - Data Security in Cloud Computing using Homomorphic Algoritham
IRJET - Data Security in Cloud Computing using Homomorphic Algoritham
 
Evaluation Of The Data Security Methods In Cloud Computing Environments
Evaluation Of The Data Security Methods In Cloud Computing EnvironmentsEvaluation Of The Data Security Methods In Cloud Computing Environments
Evaluation Of The Data Security Methods In Cloud Computing Environments
 
Cloud security
Cloud security Cloud security
Cloud security
 
IRJET - Multimedia Security on Cloud Computing using Cryptography
IRJET - Multimedia Security on Cloud Computing using CryptographyIRJET - Multimedia Security on Cloud Computing using Cryptography
IRJET - Multimedia Security on Cloud Computing using Cryptography
 
Mitigating the Integrity Issues in Cloud Computing Utilizing Cryptography Alg...
Mitigating the Integrity Issues in Cloud Computing Utilizing Cryptography Alg...Mitigating the Integrity Issues in Cloud Computing Utilizing Cryptography Alg...
Mitigating the Integrity Issues in Cloud Computing Utilizing Cryptography Alg...
 
Reliable security in cloud computing environment 2-3-4-5-6
Reliable security in cloud computing environment 2-3-4-5-6Reliable security in cloud computing environment 2-3-4-5-6
Reliable security in cloud computing environment 2-3-4-5-6
 
Threat Modeling of Cloud based Implementation of Homomorphic Encryption
Threat Modeling of Cloud based Implementation of Homomorphic EncryptionThreat Modeling of Cloud based Implementation of Homomorphic Encryption
Threat Modeling of Cloud based Implementation of Homomorphic Encryption
 
Security Issues in Cloud Computing by rahul abhishek
Security Issues in Cloud Computing  by rahul abhishekSecurity Issues in Cloud Computing  by rahul abhishek
Security Issues in Cloud Computing by rahul abhishek
 

Recently uploaded

Discover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched ContentDiscover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched Content
ScyllaDB
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
Fwdays
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
UiPathCommunity
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
ScyllaDB
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
UiPathCommunity
 
Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!
Ortus Solutions, Corp
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
FilipTomaszewski5
 
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's TipsGetting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
ScyllaDB
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
christinelarrosa
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Neo4j
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
Fwdays
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through StorytellingDemystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
Enterprise Knowledge
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
BibashShahi
 
AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)
HarpalGohil4
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
LizaNolte
 

Recently uploaded (20)

Discover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched ContentDiscover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched Content
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
 
Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
 
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's TipsGetting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through StorytellingDemystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
 
AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
 

PaaSword: A Holistic Data Privacy and Security by Design Framework for Cloud Services

  • 1. PaaSword: A Holistic Data Privacy and Security by Design Framework for Cloud Services Yiannis Verginadis, Antonis Michalas, Panagiotis Gouvas, Gunther Schiefer, Gerald Hubsch, Iraklis Paraskakis CLOSER 2015, Lisbon, May 21, 2015
  • 2. Information Management Unit / ICCS of NTUA www.imu.iccs.gr Agenda  Introduction  Data Security Challenges in the Cloud  PaaSword Framework  Conclusions
  • 3. Information Management Unit / ICCS of NTUA www.imu.iccs.gr Introduction  Many users have started relying on cloud services without realizing it  Many companies have remained cautious due to security concerns  Applications and storage volumes often reside next to potentially hostile virtual environments, leaving sensitive information at risk to theft, unauthorized exposure or malicious manipulation  Governmental regulation presents an additional concern of significant legal and financial consequences if data confidentiality is breached Focused interest Experimentation Near ubiquitous use CloudAdoption
  • 4. Information Management Unit / ICCS of NTUA www.imu.iccs.gr Related Work  Commonly used access control models (Ferrari 2010) are:  Mandatory Access Control (MAC)  Discretionary Access Control (DAC)  Role-Based Access Control (RBAC)  Extending these models:  location-aware access control (LAAC) - there is a clear lack of supporting additional pertinent contextual information (Cleeff et al.,2010)  context-aware access control (CAAC) – with shortcomings like:  lack of support for dynamically generated context (Covington et al., 2001)  lack of fine-grained data access control (Kayes et al., 2013)
  • 5. Information Management Unit / ICCS of NTUA www.imu.iccs.gr Related Work (contd.)  Regarding the policy management there is lack of proper separation of concerns (Kourtesis and Paraskakis, 2012)  The policy definition and policy enforcement are entangled in the implementation of a single software component, leading to the lack of  portability  explicit representation of policy relationships  Regarding the data distribution and encryption algorithms...  Gentry (2009), introduced the first fully homomorphic encryption scheme that enables semantically secure outsourcing to the cloud  but presents severe performance issues  In CryptDB (Popa et al., 2011), the concept of onions was used  with the main drawback the lack of security guarantees to the client
  • 6. Information Management Unit / ICCS of NTUA www.imu.iccs.gr Agenda  Introduction  Data Security Challenges in the Cloud  PaaSword Framework  Conclusions
  • 7. Information Management Unit / ICCS of NTUA www.imu.iccs.gr Security Challenges in the Cloud  Top four threats identified (CSA, 2013) are:  data leakage  data loss  account hijacking  insecure APIs  The most critical part of a modern cloud application is the data persistency layer and the database itself  The OWASP foundation has categorized the database-related attacks as the most critical ones  SQL injections represents 17% of all security breaches examined  These attacks were responsible for 83% of the total records stolen, from 2005 to 2011
  • 8. Information Management Unit / ICCS of NTUA www.imu.iccs.gr Security Challenges in the Cloud (contd.)  Most of the security fences that are configured in a corporate environment target the fortification of the so-called network perimeter  e.g. routers, hosts and virtual machines  IDS and IPS try to cope with database-takeover security aspects, but the risk of database compromise is greater than ever, as:  automated exploitation tools (e.g. SQLMap) are widely spread  IPS and IDS evasion techniques have become extremely sophisticated  Internal adversaries or even unknown vulnerabilities of software platforms widely adopted in the cloud may provide malicious access to sensitive data  e.g. Heartbleed flaw - constituted a serious fault in the OpenSSL cryptography library, which remained unnoticed for more than two years and affected over 60% of Web servers worldwide
  • 9. Information Management Unit / ICCS of NTUA www.imu.iccs.gr Security Challenges in the Cloud (contd.)  Regarding the post-exploitation phase things are even worse in the case where a symmetric encryption algorithm has been employed  cracking toolkits that utilize GPU processing power (e.g. oclHashcat) are able to crack ciphers using brute-force techniques with an attack rate of 162 billion attempts per second  The application developer is the one responsible for both  sanitizing all HTTP-input parameters  reassuring that compromised data will be useless  Nevertheless, the mere utilization of an IaaS or PaaS provider, may by itself spawn a multitude of inherent vulnerabilities  that cannot be tackled effectively as they typically exceed the responsibilities of an application developer
  • 10. Information Management Unit / ICCS of NTUA www.imu.iccs.gr Agenda  Introduction  Data Security Challenges in the Cloud  PaaSword Framework  Conclusions
  • 11. Information Management Unit / ICCS of NTUA www.imu.iccs.gr Threat Model  We assume a semi-honest adversarial model for the cloud provider (Paladi et al., 2014; Santos et al., 2009)  a malicious cloud provider correctly follows the protocol specification but can intercept all messages and may attempt to use them in order to learn information that otherwise should remain private  For the rest of the participants we consider the threat model (Santos et al., 2009) that assumes that privileged access rights can be used by a remote adversary, ADV, to leak confidential information  e.g. a corrupted system administrator, can obtain remote access to any host maintained by the provider.  the adversary cannot access the volatile memory of any guest virtual machine (VM) residing on the compute hosts of the provider
  • 12. Information Management Unit / ICCS of NTUA www.imu.iccs.gr Context-aware Access Model  We envision a XACML-based context-aware access model,  which is needed by the developers in order to annotate the Data Access Objects of their applications
  • 13. Information Management Unit / ICCS of NTUA www.imu.iccs.gr Facets of the Context-Aware Access Model Facets IP Address (Local) Time Location Device Type Data Connection Type etc… Patterns Frequency Usual Duration Usual Dates Usual Hours Previously Accessed Data Sensitive / Non Sensitive Data Role
  • 14. Information Management Unit / ICCS of NTUA www.imu.iccs.gr Policies Access, Governance and Enforcement  A middleware that will provide:  a transparent key usage for efficient authentication purposes,  annotation capabilities in the form of a tool (IDE plugin) for allowing developers to declaratively create the minimum amount of rule-set that is needed for security enforcement purposes  dynamically interpret the DAO annotations into policy enforcement rules  the governance and quality control of the annotations and their respective policy rules  the formulation and implementation of the overall policy enforcement business logic
  • 15. Information Management Unit / ICCS of NTUA www.imu.iccs.gr  Devise an appropriate vocabulary of concepts and decide how they are interrelated  Populate the framework with appropriate instances to give rise to DAOs  Formalise these concepts and their interrelations – gives rise to the ontology framework Ontology for Access Policies
  • 16. Information Management Unit / ICCS of NTUA www.imu.iccs.gr Secure Storage  We propose a design for a cryptographic cloud storage that will be based on a symmetric searchable encryption (SSE) scheme similar to (Kamara and Lauter, 2010)  We plan to extend the previous work Cumulus4j (Huber et al., 2013) and MimoSecco (Gabel and Hubsch, 2014)) that hides relations between different data values of a data row
  • 17. Information Management Unit / ICCS of NTUA www.imu.iccs.gr PaaSword High-level View
  • 18. Information Management Unit / ICCS of NTUA www.imu.iccs.gr Conceptual Architecture
  • 19. Information Management Unit / ICCS of NTUA www.imu.iccs.gr Agenda  Introduction  Data Security Challenges in the Cloud  PaaSword Framework  Conclusions
  • 20. Information Management Unit / ICCS of NTUA www.imu.iccs.gr Conclusions & Next Steps  Future work involves the implementation of the proposed framework  This solution will be validated through 5 pilots:  Encrypted persistency as a service in a PaaS provider  Intergovernmental secure document and personal data exchange  Secure sensors data fusion and analytics  Protection of personal data in a multi-tenant CRM  Protection of sensible enterprise information in multi-tenant ERP
  • 21. Thank you for listening! Acknowledgements: This work is related to the PaaSword project and has received funding from the European Union’s Horizon 2020 research and innovation programme under grant