SlideShare a Scribd company logo
www.paasword.eu
PaaSword Technology Baseline
Innovathens 10/11/2016
Outline
PaaSword in a Nutshell
Involved Actors & Threat Landscape
High Level Architecture
Distributed Searchable Encryption Engine
Semantic Authorization Engine
PaaSword18/11/2016 2
PaaSword in a Nutshell
Security and Privacy by-design Framework?
It is a framework that if it is adopted it provides increased security and privacy
guarantees
Adopted by whom?
Application Developers (it offers client libraries that have to be used by devs)
DevOps users (it offers management interface for the two offered
mechanisms)
What kind of security guarantees ?
PaaSword18/11/2016 3
Involved Actors & Threat Landscape
PaaSword18/11/2016 4
Data can be circumvented/stolen
Internal or external adversary
Execution environment
may be subjected to privilege
escalation
Authorization scheme
may be static or
even hardcoded
Framework Security Guarantees
Framework Guarantees
Mitigation of cyber threats that derive by malicious administrators that
administer ‘trusted’ Infrastructural resources
Minimization of breaking a privacy scheme through statistical attacks that rely
on pattern identification
Efficient security Policy enforcement through the decoupling of Policy
Definition and Policy Evaluation
PaaSword18/11/2016 5
How?
Two distinct mechanisms
1 – Distributed Searchable Encryption Engine
An engine that allows the transformation of any relational schema to a
fragmentation scheme that respects user-defined privacy constraints
The new schema is functionally equivalent with the original; yet it relies on
multiple IaaS providers
2 – Semantic Policy Authorization Engine
An engine that allows the decoupling of policy enforcement and policy definition
Decoupling is meaningful both during development and execution
PaaSword18/11/2016 6
PaaSword Walkthrough
PaaSword18/11/2016 7
Mechanism 1 - Distributed
Searchable Encryption Engine
Why plain Transparent Encryption Decryption is not enough ?
You loose a lot of SQL expressivity
Vulnerable to statistical attacks
PaaSword18/11/2016 8
PaaSword Annotations PaaSword Controller
What are Annotations?
Annotations are a form of metadata that provide data about a
program that is not part of the program itself
They can be used using three different strategies
Source Generation Strategy
Bytecode Transformation Strategy
Runtime Reflection Strategy
PaaSword uses annotations to
Define Entity Model which will be protected using advanced fragmentation
techniques
PaaSword18/11/2016 9
How JPA works?
PaaSword18/11/2016 10
PaaSword JPA
PaaSword18/11/2016 11
Several types of
Annotations:
1) Data Object
Definition
2) Encryption &
Distribution
Virtual Database Proxy
PaaSword18/11/2016 12
Data Index2Index1
SQL
SQLDatabase
Proxy
(trusted)
SQL
Cloud
(untrusted)
User / Application
Data
(not encrypted)
Data (encrypted)
What about Key Creation/Sharing
Policies?
13
Overview Of Policies
14
Policy /Characteristic Where is the TED taking
place?
TED Key Generation TED Key Usage & Sharing
Policy
Modification of target
schema
SQL support
P1 In the PaaS container Generated once during
bootstrapping (in a Tenant
Trusted Zone) and stored
in-memory by the
application
It is recovered by the
memory on demand per
each query execution
No Modification Yes
P2 In the PaaS container One key is generated per
Tenant (in a Tenant
Trusted Zone) and a pair of
user_key container_key is
generated out of this
tenant_key
It is recomposed by the
combination of a user_key
and a container_key per
each query_execution
No Modification Yes
P3 Outside the container in a
Tenant Trusted Zone
Generated once in a
Tenant Trusted Zone
E/D Key is used only in the
Tenant Trusted Zone
No Modification No
P4 In the PaaS container Generated once during
bootstrapping (in a Tenant
Trusted Zone) and stored
in-memory by the
application
It is recovered by the
memory on demand per
each query execution
Modifications required No
P5 In the PaaS container One key is generated per
Tenant (in a Tenant
Trusted Zone) and a pair of
user_key container_key is
generated out of this
tenant_key
It is recomposed by the
combination of a user_key
and a container_key per
each query_execution
Modifications required No
Comparative Analysis
15
Mechanism 2 – Semantic Policy
Authorization Engine
Why not an existing authorization engine?
Based on authorization metamodel
MAC, DAC, RBAC, ABAC
ABAC is considered dominant (from NIST)
Which Standard? and which Implementation of the Standard?
De-facto ABAC standard is XA-CML
Limitations of reference Implementation
Balana Engine (pure syntactic execution of rules)
PaaSword18/11/2016 16
Semantic Policy Enforcement
PaaSword18/11/2016 17
AccessControl
PaaSword Context
Model
PaaSword18/11/2016 18
Questions?
Visit us:
www.paasword.euAcknowledgements:
This project has received funding from the
European Union’s Horizon 2020 research and
innovation programme under grant
agreement No 644814.

More Related Content

What's hot

Benefits of web application firewalls
Benefits of web application firewallsBenefits of web application firewalls
Benefits of web application firewalls
EnclaveSecurity
 
PCI Compliane With Hadoop
PCI Compliane With HadoopPCI Compliane With Hadoop
PCI Compliane With Hadoop
Rommel Garcia
 
QualysGuard InfoDay 2013 - Web Application Firewall
QualysGuard InfoDay 2013 - Web Application FirewallQualysGuard InfoDay 2013 - Web Application Firewall
QualysGuard InfoDay 2013 - Web Application Firewall
Risk Analysis Consultants, s.r.o.
 
HIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best PracticesHIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best Practices
Hostway|HOSTING
 
Nagios Conference 2012 - Jared Bird - Providing Value Throughout the Organiza...
Nagios Conference 2012 - Jared Bird - Providing Value Throughout the Organiza...Nagios Conference 2012 - Jared Bird - Providing Value Throughout the Organiza...
Nagios Conference 2012 - Jared Bird - Providing Value Throughout the Organiza...
Nagios
 
Threat Detection using Analytics & Machine Learning
Threat Detection using Analytics & Machine LearningThreat Detection using Analytics & Machine Learning
Threat Detection using Analytics & Machine Learning
Priyanka Aash
 
Cloud penetration testing
Cloud penetration testingCloud penetration testing
Cloud penetration testing
vericlouds11
 
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
North Texas Chapter of the ISSA
 
Présentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhPrésentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo Wazuh
Aurélie Henriot
 
Security for cloud native workloads
Security for cloud native workloadsSecurity for cloud native workloads
Security for cloud native workloads
Runcy Oommen
 
McAfee - Enterprise Security Manager (ESM) - SIEM
McAfee - Enterprise Security Manager (ESM) - SIEMMcAfee - Enterprise Security Manager (ESM) - SIEM
McAfee - Enterprise Security Manager (ESM) - SIEM
Iftikhar Ali Iqbal
 
BeyondCorp - Google Security for Everyone Else
BeyondCorp  - Google Security for Everyone ElseBeyondCorp  - Google Security for Everyone Else
BeyondCorp - Google Security for Everyone Else
Ivan Dwyer
 
CSF18 - Implementing Gartners #1 - Whitelisting- Karim El-Melhaoui
CSF18 - Implementing Gartners #1 - Whitelisting- Karim El-MelhaouiCSF18 - Implementing Gartners #1 - Whitelisting- Karim El-Melhaoui
CSF18 - Implementing Gartners #1 - Whitelisting- Karim El-Melhaoui
NCCOMMS
 
McAfee - McAfee Application Control (MAC) - Whitelisting
McAfee - McAfee Application Control (MAC) - WhitelistingMcAfee - McAfee Application Control (MAC) - Whitelisting
McAfee - McAfee Application Control (MAC) - Whitelisting
Iftikhar Ali Iqbal
 
IT_RFO10-14-ITS_AppendixA_20100513
IT_RFO10-14-ITS_AppendixA_20100513IT_RFO10-14-ITS_AppendixA_20100513
IT_RFO10-14-ITS_AppendixA_20100513
Alexander Doré
 
McAfee - McAfee Active Response (MAR) - Endpoint Detection & Response (EDR)
McAfee - McAfee Active Response (MAR) - Endpoint Detection & Response (EDR)McAfee - McAfee Active Response (MAR) - Endpoint Detection & Response (EDR)
McAfee - McAfee Active Response (MAR) - Endpoint Detection & Response (EDR)
Iftikhar Ali Iqbal
 
Secure Web Applications Ver0.01
Secure Web Applications Ver0.01Secure Web Applications Ver0.01
Secure Web Applications Ver0.01
Vasan Ramadoss
 
CryptTech 2015
CryptTech 2015CryptTech 2015
CryptTech 2015
Mustafa Kuğu
 
Technologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudTechnologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the Cloud
CloudPassage
 
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msftCss sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Alert Logic
 

What's hot (20)

Benefits of web application firewalls
Benefits of web application firewallsBenefits of web application firewalls
Benefits of web application firewalls
 
PCI Compliane With Hadoop
PCI Compliane With HadoopPCI Compliane With Hadoop
PCI Compliane With Hadoop
 
QualysGuard InfoDay 2013 - Web Application Firewall
QualysGuard InfoDay 2013 - Web Application FirewallQualysGuard InfoDay 2013 - Web Application Firewall
QualysGuard InfoDay 2013 - Web Application Firewall
 
HIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best PracticesHIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best Practices
 
Nagios Conference 2012 - Jared Bird - Providing Value Throughout the Organiza...
Nagios Conference 2012 - Jared Bird - Providing Value Throughout the Organiza...Nagios Conference 2012 - Jared Bird - Providing Value Throughout the Organiza...
Nagios Conference 2012 - Jared Bird - Providing Value Throughout the Organiza...
 
Threat Detection using Analytics & Machine Learning
Threat Detection using Analytics & Machine LearningThreat Detection using Analytics & Machine Learning
Threat Detection using Analytics & Machine Learning
 
Cloud penetration testing
Cloud penetration testingCloud penetration testing
Cloud penetration testing
 
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
 
Présentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhPrésentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo Wazuh
 
Security for cloud native workloads
Security for cloud native workloadsSecurity for cloud native workloads
Security for cloud native workloads
 
McAfee - Enterprise Security Manager (ESM) - SIEM
McAfee - Enterprise Security Manager (ESM) - SIEMMcAfee - Enterprise Security Manager (ESM) - SIEM
McAfee - Enterprise Security Manager (ESM) - SIEM
 
BeyondCorp - Google Security for Everyone Else
BeyondCorp  - Google Security for Everyone ElseBeyondCorp  - Google Security for Everyone Else
BeyondCorp - Google Security for Everyone Else
 
CSF18 - Implementing Gartners #1 - Whitelisting- Karim El-Melhaoui
CSF18 - Implementing Gartners #1 - Whitelisting- Karim El-MelhaouiCSF18 - Implementing Gartners #1 - Whitelisting- Karim El-Melhaoui
CSF18 - Implementing Gartners #1 - Whitelisting- Karim El-Melhaoui
 
McAfee - McAfee Application Control (MAC) - Whitelisting
McAfee - McAfee Application Control (MAC) - WhitelistingMcAfee - McAfee Application Control (MAC) - Whitelisting
McAfee - McAfee Application Control (MAC) - Whitelisting
 
IT_RFO10-14-ITS_AppendixA_20100513
IT_RFO10-14-ITS_AppendixA_20100513IT_RFO10-14-ITS_AppendixA_20100513
IT_RFO10-14-ITS_AppendixA_20100513
 
McAfee - McAfee Active Response (MAR) - Endpoint Detection & Response (EDR)
McAfee - McAfee Active Response (MAR) - Endpoint Detection & Response (EDR)McAfee - McAfee Active Response (MAR) - Endpoint Detection & Response (EDR)
McAfee - McAfee Active Response (MAR) - Endpoint Detection & Response (EDR)
 
Secure Web Applications Ver0.01
Secure Web Applications Ver0.01Secure Web Applications Ver0.01
Secure Web Applications Ver0.01
 
CryptTech 2015
CryptTech 2015CryptTech 2015
CryptTech 2015
 
Technologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudTechnologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the Cloud
 
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msftCss sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
 

Viewers also liked

PaaSword - Context-aware Access Control
PaaSword - Context-aware Access ControlPaaSword - Context-aware Access Control
PaaSword - Context-aware Access Control
PaaSword EU Project
 
Segovia Nautique Collection
Segovia Nautique CollectionSegovia Nautique Collection
Segovia Nautique Collection
segoviaasia
 
DePauwThesis
DePauwThesisDePauwThesis
DePauwThesis
Whitney Grandi
 
Kapanowski FINAL_CIPL
Kapanowski FINAL_CIPLKapanowski FINAL_CIPL
Kapanowski FINAL_CIPL
Gary Kapanowski
 
Concerto di primavera
Concerto di primaveraConcerto di primavera
Concerto di primavera
Ivan Marchitiello
 
Anisa Updated CV May
Anisa Updated CV MayAnisa Updated CV May
Anisa Updated CV May
Anisa Mohamed
 
Soudip sinha roy
Soudip sinha roySoudip sinha roy
Soudip sinha roy
Soudip Sinha Roy
 
Bio 1.0 ase biodiesel overview and benefits march 14 2015 instructor notes
Bio 1.0 ase biodiesel overview and benefits march 14 2015 instructor notesBio 1.0 ase biodiesel overview and benefits march 14 2015 instructor notes
Bio 1.0 ase biodiesel overview and benefits march 14 2015 instructor notes
courtcaitlin
 
Nano tubes Modern Technology
Nano tubes Modern TechnologyNano tubes Modern Technology
Nano tubes Modern Technology
Soudip Sinha Roy
 
2013 enhancing graduates’ employability skills-malaysia
2013 enhancing graduates’ employability skills-malaysia2013 enhancing graduates’ employability skills-malaysia
2013 enhancing graduates’ employability skills-malaysia
razalibmuda
 
HELLEN WANGUI GATHOGO-cv 2015 CONFIDENTIAL
HELLEN WANGUI GATHOGO-cv 2015 CONFIDENTIALHELLEN WANGUI GATHOGO-cv 2015 CONFIDENTIAL
HELLEN WANGUI GATHOGO-cv 2015 CONFIDENTIAL
Hellen Gathogo
 
AL_PCI-Cheatsheet_web
AL_PCI-Cheatsheet_webAL_PCI-Cheatsheet_web
AL_PCI-Cheatsheet_web
Derrick McBreairty
 
Williams gregpowersportsillustrated
Williams gregpowersportsillustratedWilliams gregpowersportsillustrated
Williams gregpowersportsillustrated
gregw1234
 
Goa Country
Goa CountryGoa Country
Goa Country
ULTRAPEDO
 
Acucut Presentation.rev1
Acucut Presentation.rev1Acucut Presentation.rev1
Acucut Presentation.rev1
Ajit Shah
 
Kapanowski Final_FUNDAMENTALS
Kapanowski Final_FUNDAMENTALSKapanowski Final_FUNDAMENTALS
Kapanowski Final_FUNDAMENTALS
Gary Kapanowski
 
Social Media & Metrics (Digital Marketing Today)
Social Media & Metrics (Digital Marketing Today)Social Media & Metrics (Digital Marketing Today)
Social Media & Metrics (Digital Marketing Today)
Julian Gamboa
 
LinkedIn Workshop: Profiles and Publishing (Digital Marketing Today)
LinkedIn Workshop: Profiles and Publishing (Digital Marketing Today)LinkedIn Workshop: Profiles and Publishing (Digital Marketing Today)
LinkedIn Workshop: Profiles and Publishing (Digital Marketing Today)
Julian Gamboa
 

Viewers also liked (19)

PaaSword - Context-aware Access Control
PaaSword - Context-aware Access ControlPaaSword - Context-aware Access Control
PaaSword - Context-aware Access Control
 
Segovia Nautique Collection
Segovia Nautique CollectionSegovia Nautique Collection
Segovia Nautique Collection
 
DePauwThesis
DePauwThesisDePauwThesis
DePauwThesis
 
Kapanowski FINAL_CIPL
Kapanowski FINAL_CIPLKapanowski FINAL_CIPL
Kapanowski FINAL_CIPL
 
Concerto di primavera
Concerto di primaveraConcerto di primavera
Concerto di primavera
 
Anisa Updated CV May
Anisa Updated CV MayAnisa Updated CV May
Anisa Updated CV May
 
Soudip sinha roy
Soudip sinha roySoudip sinha roy
Soudip sinha roy
 
Bio 1.0 ase biodiesel overview and benefits march 14 2015 instructor notes
Bio 1.0 ase biodiesel overview and benefits march 14 2015 instructor notesBio 1.0 ase biodiesel overview and benefits march 14 2015 instructor notes
Bio 1.0 ase biodiesel overview and benefits march 14 2015 instructor notes
 
Mike Faris
Mike FarisMike Faris
Mike Faris
 
Nano tubes Modern Technology
Nano tubes Modern TechnologyNano tubes Modern Technology
Nano tubes Modern Technology
 
2013 enhancing graduates’ employability skills-malaysia
2013 enhancing graduates’ employability skills-malaysia2013 enhancing graduates’ employability skills-malaysia
2013 enhancing graduates’ employability skills-malaysia
 
HELLEN WANGUI GATHOGO-cv 2015 CONFIDENTIAL
HELLEN WANGUI GATHOGO-cv 2015 CONFIDENTIALHELLEN WANGUI GATHOGO-cv 2015 CONFIDENTIAL
HELLEN WANGUI GATHOGO-cv 2015 CONFIDENTIAL
 
AL_PCI-Cheatsheet_web
AL_PCI-Cheatsheet_webAL_PCI-Cheatsheet_web
AL_PCI-Cheatsheet_web
 
Williams gregpowersportsillustrated
Williams gregpowersportsillustratedWilliams gregpowersportsillustrated
Williams gregpowersportsillustrated
 
Goa Country
Goa CountryGoa Country
Goa Country
 
Acucut Presentation.rev1
Acucut Presentation.rev1Acucut Presentation.rev1
Acucut Presentation.rev1
 
Kapanowski Final_FUNDAMENTALS
Kapanowski Final_FUNDAMENTALSKapanowski Final_FUNDAMENTALS
Kapanowski Final_FUNDAMENTALS
 
Social Media & Metrics (Digital Marketing Today)
Social Media & Metrics (Digital Marketing Today)Social Media & Metrics (Digital Marketing Today)
Social Media & Metrics (Digital Marketing Today)
 
LinkedIn Workshop: Profiles and Publishing (Digital Marketing Today)
LinkedIn Workshop: Profiles and Publishing (Digital Marketing Today)LinkedIn Workshop: Profiles and Publishing (Digital Marketing Today)
LinkedIn Workshop: Profiles and Publishing (Digital Marketing Today)
 

Similar to PaaSword - Technology Baseline

Writing RPG Applications Using Cryptographic Services APIs
Writing RPG Applications Using Cryptographic Services APIsWriting RPG Applications Using Cryptographic Services APIs
Writing RPG Applications Using Cryptographic Services APIs
Carsten Flensburg
 
The App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolThe App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST Tool
Checkmarx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
FernandoVizer
 
Apache Stratos - Building a PaaS using OSGi and Equinox
Apache Stratos - Building a PaaS using OSGi and EquinoxApache Stratos - Building a PaaS using OSGi and Equinox
Apache Stratos - Building a PaaS using OSGi and Equinox
Paul Fremantle
 
Pivotal Cloud Foundry 2.4: A First Look
Pivotal Cloud Foundry 2.4: A First LookPivotal Cloud Foundry 2.4: A First Look
Pivotal Cloud Foundry 2.4: A First Look
VMware Tanzu
 
PaaSword's main idea, technical architecture and scientific challenges
PaaSword's main idea, technical architecture and scientific challenges PaaSword's main idea, technical architecture and scientific challenges
PaaSword's main idea, technical architecture and scientific challenges
PaaSword EU Project
 
G05.2013 Security Information and Event Management
G05.2013   Security Information and Event ManagementG05.2013   Security Information and Event Management
G05.2013 Security Information and Event Management
Satya Harish
 
OWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideOWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference Guide
Aryan G
 
Extra micrometer practices with Quarkus | DevNation Tech Talk
Extra micrometer practices with Quarkus | DevNation Tech TalkExtra micrometer practices with Quarkus | DevNation Tech Talk
Extra micrometer practices with Quarkus | DevNation Tech Talk
Red Hat Developers
 
Top10 Characteristics of Awesome Apps
Top10 Characteristics of Awesome AppsTop10 Characteristics of Awesome Apps
Top10 Characteristics of Awesome Apps
Casey Lee
 
Enhancing Password Manager Chrome Extension through Multi Authentication and ...
Enhancing Password Manager Chrome Extension through Multi Authentication and ...Enhancing Password Manager Chrome Extension through Multi Authentication and ...
Enhancing Password Manager Chrome Extension through Multi Authentication and ...
ijtsrd
 
pcnsa-study-guide_PAN-OS_v11.0-1__01.pdf
pcnsa-study-guide_PAN-OS_v11.0-1__01.pdfpcnsa-study-guide_PAN-OS_v11.0-1__01.pdf
pcnsa-study-guide_PAN-OS_v11.0-1__01.pdf
Azzeddine Salem
 
Palo alto networks pcnse6 study guide feb 2015
Palo alto networks pcnse6 study guide feb 2015Palo alto networks pcnse6 study guide feb 2015
Palo alto networks pcnse6 study guide feb 2015
Silva_2
 
Multi-tenancy In the Cloud
Multi-tenancy In the CloudMulti-tenancy In the Cloud
Multi-tenancy In the Cloud
sdevillers
 
Tools & Techniques for Addressing Component Vulnerabilities for PCI Compliance
Tools & Techniques for Addressing Component Vulnerabilities for PCI ComplianceTools & Techniques for Addressing Component Vulnerabilities for PCI Compliance
Tools & Techniques for Addressing Component Vulnerabilities for PCI Compliance
Sonatype
 
Anypoint API Manager Custom Policies & Best Practices
Anypoint API Manager Custom Policies & Best PracticesAnypoint API Manager Custom Policies & Best Practices
Anypoint API Manager Custom Policies & Best Practices
MuleSoft Meetups
 
TrueSight Enterprise Edition
TrueSight Enterprise EditionTrueSight Enterprise Edition
TrueSight Enterprise Edition
michaelkmcdowell
 
Tideway Software Identification
Tideway   Software IdentificationTideway   Software Identification
Tideway Software Identification
Peter Grant
 
Testing a Microservices Architecture
Testing a Microservices ArchitectureTesting a Microservices Architecture
Testing a Microservices Architecture
Parasoft
 
Představení Oracle SPARC Miniclusteru
Představení Oracle SPARC MiniclusteruPředstavení Oracle SPARC Miniclusteru
Představení Oracle SPARC Miniclusteru
MarketingArrowECS_CZ
 

Similar to PaaSword - Technology Baseline (20)

Writing RPG Applications Using Cryptographic Services APIs
Writing RPG Applications Using Cryptographic Services APIsWriting RPG Applications Using Cryptographic Services APIs
Writing RPG Applications Using Cryptographic Services APIs
 
The App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolThe App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST Tool
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Apache Stratos - Building a PaaS using OSGi and Equinox
Apache Stratos - Building a PaaS using OSGi and EquinoxApache Stratos - Building a PaaS using OSGi and Equinox
Apache Stratos - Building a PaaS using OSGi and Equinox
 
Pivotal Cloud Foundry 2.4: A First Look
Pivotal Cloud Foundry 2.4: A First LookPivotal Cloud Foundry 2.4: A First Look
Pivotal Cloud Foundry 2.4: A First Look
 
PaaSword's main idea, technical architecture and scientific challenges
PaaSword's main idea, technical architecture and scientific challenges PaaSword's main idea, technical architecture and scientific challenges
PaaSword's main idea, technical architecture and scientific challenges
 
G05.2013 Security Information and Event Management
G05.2013   Security Information and Event ManagementG05.2013   Security Information and Event Management
G05.2013 Security Information and Event Management
 
OWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideOWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference Guide
 
Extra micrometer practices with Quarkus | DevNation Tech Talk
Extra micrometer practices with Quarkus | DevNation Tech TalkExtra micrometer practices with Quarkus | DevNation Tech Talk
Extra micrometer practices with Quarkus | DevNation Tech Talk
 
Top10 Characteristics of Awesome Apps
Top10 Characteristics of Awesome AppsTop10 Characteristics of Awesome Apps
Top10 Characteristics of Awesome Apps
 
Enhancing Password Manager Chrome Extension through Multi Authentication and ...
Enhancing Password Manager Chrome Extension through Multi Authentication and ...Enhancing Password Manager Chrome Extension through Multi Authentication and ...
Enhancing Password Manager Chrome Extension through Multi Authentication and ...
 
pcnsa-study-guide_PAN-OS_v11.0-1__01.pdf
pcnsa-study-guide_PAN-OS_v11.0-1__01.pdfpcnsa-study-guide_PAN-OS_v11.0-1__01.pdf
pcnsa-study-guide_PAN-OS_v11.0-1__01.pdf
 
Palo alto networks pcnse6 study guide feb 2015
Palo alto networks pcnse6 study guide feb 2015Palo alto networks pcnse6 study guide feb 2015
Palo alto networks pcnse6 study guide feb 2015
 
Multi-tenancy In the Cloud
Multi-tenancy In the CloudMulti-tenancy In the Cloud
Multi-tenancy In the Cloud
 
Tools & Techniques for Addressing Component Vulnerabilities for PCI Compliance
Tools & Techniques for Addressing Component Vulnerabilities for PCI ComplianceTools & Techniques for Addressing Component Vulnerabilities for PCI Compliance
Tools & Techniques for Addressing Component Vulnerabilities for PCI Compliance
 
Anypoint API Manager Custom Policies & Best Practices
Anypoint API Manager Custom Policies & Best PracticesAnypoint API Manager Custom Policies & Best Practices
Anypoint API Manager Custom Policies & Best Practices
 
TrueSight Enterprise Edition
TrueSight Enterprise EditionTrueSight Enterprise Edition
TrueSight Enterprise Edition
 
Tideway Software Identification
Tideway   Software IdentificationTideway   Software Identification
Tideway Software Identification
 
Testing a Microservices Architecture
Testing a Microservices ArchitectureTesting a Microservices Architecture
Testing a Microservices Architecture
 
Představení Oracle SPARC Miniclusteru
Představení Oracle SPARC MiniclusteruPředstavení Oracle SPARC Miniclusteru
Představení Oracle SPARC Miniclusteru
 

More from PaaSword EU Project

PaaSword - Distributed Searchable Encryption Engine
PaaSword - Distributed Searchable Encryption EnginePaaSword - Distributed Searchable Encryption Engine
PaaSword - Distributed Searchable Encryption Engine
PaaSword EU Project
 
PaaSword - No More Dark Clouds with PaaSword
PaaSword - No More Dark Clouds with PaaSwordPaaSword - No More Dark Clouds with PaaSword
PaaSword - No More Dark Clouds with PaaSword
PaaSword EU Project
 
PaaSword-Business Cases
PaaSword-Business CasesPaaSword-Business Cases
PaaSword-Business Cases
PaaSword EU Project
 
Daten unter Kontrolle
Daten unter KontrolleDaten unter Kontrolle
Daten unter Kontrolle
PaaSword EU Project
 
PaaSword Presentation - Project Overview
PaaSword Presentation - Project OverviewPaaSword Presentation - Project Overview
PaaSword Presentation - Project Overview
PaaSword EU Project
 
No More Dark Clouds With PaaSword - An Innovative Security By Design Framework
No More Dark Clouds With PaaSword - An Innovative Security By Design FrameworkNo More Dark Clouds With PaaSword - An Innovative Security By Design Framework
No More Dark Clouds With PaaSword - An Innovative Security By Design Framework
PaaSword EU Project
 
Towards Trusted eHealth Services in the Cloud
Towards Trusted eHealth Services in the CloudTowards Trusted eHealth Services in the Cloud
Towards Trusted eHealth Services in the Cloud
PaaSword EU Project
 
A Survey on Context Security Policies in the Cloud
A Survey on Context Security Policies in the CloudA Survey on Context Security Policies in the Cloud
A Survey on Context Security Policies in the Cloud
PaaSword EU Project
 
Towards Efficient and Secure Data Storage in Multi-Tenant Cloud-Based CRM Sol...
Towards Efficient and Secure Data Storage in Multi-Tenant Cloud-Based CRM Sol...Towards Efficient and Secure Data Storage in Multi-Tenant Cloud-Based CRM Sol...
Towards Efficient and Secure Data Storage in Multi-Tenant Cloud-Based CRM Sol...
PaaSword EU Project
 
No More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the CloudNo More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the Cloud
PaaSword EU Project
 
PaaSword: A Holistic Data Privacy and Security by Design Framework for Cloud ...
PaaSword: A Holistic Data Privacy and Security by Design Framework for Cloud ...PaaSword: A Holistic Data Privacy and Security by Design Framework for Cloud ...
PaaSword: A Holistic Data Privacy and Security by Design Framework for Cloud ...
PaaSword EU Project
 

More from PaaSword EU Project (11)

PaaSword - Distributed Searchable Encryption Engine
PaaSword - Distributed Searchable Encryption EnginePaaSword - Distributed Searchable Encryption Engine
PaaSword - Distributed Searchable Encryption Engine
 
PaaSword - No More Dark Clouds with PaaSword
PaaSword - No More Dark Clouds with PaaSwordPaaSword - No More Dark Clouds with PaaSword
PaaSword - No More Dark Clouds with PaaSword
 
PaaSword-Business Cases
PaaSword-Business CasesPaaSword-Business Cases
PaaSword-Business Cases
 
Daten unter Kontrolle
Daten unter KontrolleDaten unter Kontrolle
Daten unter Kontrolle
 
PaaSword Presentation - Project Overview
PaaSword Presentation - Project OverviewPaaSword Presentation - Project Overview
PaaSword Presentation - Project Overview
 
No More Dark Clouds With PaaSword - An Innovative Security By Design Framework
No More Dark Clouds With PaaSword - An Innovative Security By Design FrameworkNo More Dark Clouds With PaaSword - An Innovative Security By Design Framework
No More Dark Clouds With PaaSword - An Innovative Security By Design Framework
 
Towards Trusted eHealth Services in the Cloud
Towards Trusted eHealth Services in the CloudTowards Trusted eHealth Services in the Cloud
Towards Trusted eHealth Services in the Cloud
 
A Survey on Context Security Policies in the Cloud
A Survey on Context Security Policies in the CloudA Survey on Context Security Policies in the Cloud
A Survey on Context Security Policies in the Cloud
 
Towards Efficient and Secure Data Storage in Multi-Tenant Cloud-Based CRM Sol...
Towards Efficient and Secure Data Storage in Multi-Tenant Cloud-Based CRM Sol...Towards Efficient and Secure Data Storage in Multi-Tenant Cloud-Based CRM Sol...
Towards Efficient and Secure Data Storage in Multi-Tenant Cloud-Based CRM Sol...
 
No More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the CloudNo More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the Cloud
 
PaaSword: A Holistic Data Privacy and Security by Design Framework for Cloud ...
PaaSword: A Holistic Data Privacy and Security by Design Framework for Cloud ...PaaSword: A Holistic Data Privacy and Security by Design Framework for Cloud ...
PaaSword: A Holistic Data Privacy and Security by Design Framework for Cloud ...
 

Recently uploaded

ppt on the brain chip neuralink.pptx
ppt  on   the brain  chip neuralink.pptxppt  on   the brain  chip neuralink.pptx
ppt on the brain chip neuralink.pptx
Reetu63
 
Ensuring Efficiency and Speed with Practical Solutions for Clinical Operations
Ensuring Efficiency and Speed with Practical Solutions for Clinical OperationsEnsuring Efficiency and Speed with Practical Solutions for Clinical Operations
Ensuring Efficiency and Speed with Practical Solutions for Clinical Operations
OnePlan Solutions
 
42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert
vaishalijagtap12
 
TheFutureIsDynamic-BoxLang-CFCamp2024.pdf
TheFutureIsDynamic-BoxLang-CFCamp2024.pdfTheFutureIsDynamic-BoxLang-CFCamp2024.pdf
TheFutureIsDynamic-BoxLang-CFCamp2024.pdf
Ortus Solutions, Corp
 
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdfBaha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
Baha Majid
 
Microsoft-Power-Platform-Adoption-Planning.pptx
Microsoft-Power-Platform-Adoption-Planning.pptxMicrosoft-Power-Platform-Adoption-Planning.pptx
Microsoft-Power-Platform-Adoption-Planning.pptx
jrodriguezq3110
 
Going AOT: Everything you need to know about GraalVM for Java applications
Going AOT: Everything you need to know about GraalVM for Java applicationsGoing AOT: Everything you need to know about GraalVM for Java applications
Going AOT: Everything you need to know about GraalVM for Java applications
Alina Yurenko
 
Streamlining End-to-End Testing Automation
Streamlining End-to-End Testing AutomationStreamlining End-to-End Testing Automation
Streamlining End-to-End Testing Automation
Anand Bagmar
 
What is Continuous Testing in DevOps - A Definitive Guide.pdf
What is Continuous Testing in DevOps - A Definitive Guide.pdfWhat is Continuous Testing in DevOps - A Definitive Guide.pdf
What is Continuous Testing in DevOps - A Definitive Guide.pdf
kalichargn70th171
 
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
The Third Creative Media
 
Flutter vs. React Native: A Detailed Comparison for App Development in 2024
Flutter vs. React Native: A Detailed Comparison for App Development in 2024Flutter vs. React Native: A Detailed Comparison for App Development in 2024
Flutter vs. React Native: A Detailed Comparison for App Development in 2024
dhavalvaghelanectarb
 
The Comprehensive Guide to Validating Audio-Visual Performances.pdf
The Comprehensive Guide to Validating Audio-Visual Performances.pdfThe Comprehensive Guide to Validating Audio-Visual Performances.pdf
The Comprehensive Guide to Validating Audio-Visual Performances.pdf
kalichargn70th171
 
Hyperledger Besu 빨리 따라하기 (Private Networks)
Hyperledger Besu 빨리 따라하기 (Private Networks)Hyperledger Besu 빨리 따라하기 (Private Networks)
Hyperledger Besu 빨리 따라하기 (Private Networks)
wonyong hwang
 
Beginner's Guide to Observability@Devoxx PL 2024
Beginner's  Guide to Observability@Devoxx PL 2024Beginner's  Guide to Observability@Devoxx PL 2024
Beginner's Guide to Observability@Devoxx PL 2024
michniczscribd
 
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
kalichargn70th171
 
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and  Mule 4.6 & Java 17 Upgrade.pptxMigration From CH 1.0 to CH 2.0 and  Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
ervikas4
 
Alluxio Webinar | 10x Faster Trino Queries on Your Data Platform
Alluxio Webinar | 10x Faster Trino Queries on Your Data PlatformAlluxio Webinar | 10x Faster Trino Queries on Your Data Platform
Alluxio Webinar | 10x Faster Trino Queries on Your Data Platform
Alluxio, Inc.
 
Penify - Let AI do the Documentation, you write the Code.
Penify - Let AI do the Documentation, you write the Code.Penify - Let AI do the Documentation, you write the Code.
Penify - Let AI do the Documentation, you write the Code.
KrishnaveniMohan1
 
Stork Product Overview: An AI-Powered Autonomous Delivery Fleet
Stork Product Overview: An AI-Powered Autonomous Delivery FleetStork Product Overview: An AI-Powered Autonomous Delivery Fleet
Stork Product Overview: An AI-Powered Autonomous Delivery Fleet
Vince Scalabrino
 

Recently uploaded (20)

ppt on the brain chip neuralink.pptx
ppt  on   the brain  chip neuralink.pptxppt  on   the brain  chip neuralink.pptx
ppt on the brain chip neuralink.pptx
 
Ensuring Efficiency and Speed with Practical Solutions for Clinical Operations
Ensuring Efficiency and Speed with Practical Solutions for Clinical OperationsEnsuring Efficiency and Speed with Practical Solutions for Clinical Operations
Ensuring Efficiency and Speed with Practical Solutions for Clinical Operations
 
42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert
 
TheFutureIsDynamic-BoxLang-CFCamp2024.pdf
TheFutureIsDynamic-BoxLang-CFCamp2024.pdfTheFutureIsDynamic-BoxLang-CFCamp2024.pdf
TheFutureIsDynamic-BoxLang-CFCamp2024.pdf
 
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdfBaha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
 
Microsoft-Power-Platform-Adoption-Planning.pptx
Microsoft-Power-Platform-Adoption-Planning.pptxMicrosoft-Power-Platform-Adoption-Planning.pptx
Microsoft-Power-Platform-Adoption-Planning.pptx
 
Going AOT: Everything you need to know about GraalVM for Java applications
Going AOT: Everything you need to know about GraalVM for Java applicationsGoing AOT: Everything you need to know about GraalVM for Java applications
Going AOT: Everything you need to know about GraalVM for Java applications
 
Streamlining End-to-End Testing Automation
Streamlining End-to-End Testing AutomationStreamlining End-to-End Testing Automation
Streamlining End-to-End Testing Automation
 
What is Continuous Testing in DevOps - A Definitive Guide.pdf
What is Continuous Testing in DevOps - A Definitive Guide.pdfWhat is Continuous Testing in DevOps - A Definitive Guide.pdf
What is Continuous Testing in DevOps - A Definitive Guide.pdf
 
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
 
Flutter vs. React Native: A Detailed Comparison for App Development in 2024
Flutter vs. React Native: A Detailed Comparison for App Development in 2024Flutter vs. React Native: A Detailed Comparison for App Development in 2024
Flutter vs. React Native: A Detailed Comparison for App Development in 2024
 
The Comprehensive Guide to Validating Audio-Visual Performances.pdf
The Comprehensive Guide to Validating Audio-Visual Performances.pdfThe Comprehensive Guide to Validating Audio-Visual Performances.pdf
The Comprehensive Guide to Validating Audio-Visual Performances.pdf
 
bgiolcb
bgiolcbbgiolcb
bgiolcb
 
Hyperledger Besu 빨리 따라하기 (Private Networks)
Hyperledger Besu 빨리 따라하기 (Private Networks)Hyperledger Besu 빨리 따라하기 (Private Networks)
Hyperledger Besu 빨리 따라하기 (Private Networks)
 
Beginner's Guide to Observability@Devoxx PL 2024
Beginner's  Guide to Observability@Devoxx PL 2024Beginner's  Guide to Observability@Devoxx PL 2024
Beginner's Guide to Observability@Devoxx PL 2024
 
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
 
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and  Mule 4.6 & Java 17 Upgrade.pptxMigration From CH 1.0 to CH 2.0 and  Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
 
Alluxio Webinar | 10x Faster Trino Queries on Your Data Platform
Alluxio Webinar | 10x Faster Trino Queries on Your Data PlatformAlluxio Webinar | 10x Faster Trino Queries on Your Data Platform
Alluxio Webinar | 10x Faster Trino Queries on Your Data Platform
 
Penify - Let AI do the Documentation, you write the Code.
Penify - Let AI do the Documentation, you write the Code.Penify - Let AI do the Documentation, you write the Code.
Penify - Let AI do the Documentation, you write the Code.
 
Stork Product Overview: An AI-Powered Autonomous Delivery Fleet
Stork Product Overview: An AI-Powered Autonomous Delivery FleetStork Product Overview: An AI-Powered Autonomous Delivery Fleet
Stork Product Overview: An AI-Powered Autonomous Delivery Fleet
 

PaaSword - Technology Baseline

  • 2. Outline PaaSword in a Nutshell Involved Actors & Threat Landscape High Level Architecture Distributed Searchable Encryption Engine Semantic Authorization Engine PaaSword18/11/2016 2
  • 3. PaaSword in a Nutshell Security and Privacy by-design Framework? It is a framework that if it is adopted it provides increased security and privacy guarantees Adopted by whom? Application Developers (it offers client libraries that have to be used by devs) DevOps users (it offers management interface for the two offered mechanisms) What kind of security guarantees ? PaaSword18/11/2016 3
  • 4. Involved Actors & Threat Landscape PaaSword18/11/2016 4 Data can be circumvented/stolen Internal or external adversary Execution environment may be subjected to privilege escalation Authorization scheme may be static or even hardcoded
  • 5. Framework Security Guarantees Framework Guarantees Mitigation of cyber threats that derive by malicious administrators that administer ‘trusted’ Infrastructural resources Minimization of breaking a privacy scheme through statistical attacks that rely on pattern identification Efficient security Policy enforcement through the decoupling of Policy Definition and Policy Evaluation PaaSword18/11/2016 5
  • 6. How? Two distinct mechanisms 1 – Distributed Searchable Encryption Engine An engine that allows the transformation of any relational schema to a fragmentation scheme that respects user-defined privacy constraints The new schema is functionally equivalent with the original; yet it relies on multiple IaaS providers 2 – Semantic Policy Authorization Engine An engine that allows the decoupling of policy enforcement and policy definition Decoupling is meaningful both during development and execution PaaSword18/11/2016 6
  • 8. Mechanism 1 - Distributed Searchable Encryption Engine Why plain Transparent Encryption Decryption is not enough ? You loose a lot of SQL expressivity Vulnerable to statistical attacks PaaSword18/11/2016 8 PaaSword Annotations PaaSword Controller
  • 9. What are Annotations? Annotations are a form of metadata that provide data about a program that is not part of the program itself They can be used using three different strategies Source Generation Strategy Bytecode Transformation Strategy Runtime Reflection Strategy PaaSword uses annotations to Define Entity Model which will be protected using advanced fragmentation techniques PaaSword18/11/2016 9
  • 11. PaaSword JPA PaaSword18/11/2016 11 Several types of Annotations: 1) Data Object Definition 2) Encryption & Distribution
  • 12. Virtual Database Proxy PaaSword18/11/2016 12 Data Index2Index1 SQL SQLDatabase Proxy (trusted) SQL Cloud (untrusted) User / Application Data (not encrypted) Data (encrypted)
  • 13. What about Key Creation/Sharing Policies? 13
  • 14. Overview Of Policies 14 Policy /Characteristic Where is the TED taking place? TED Key Generation TED Key Usage & Sharing Policy Modification of target schema SQL support P1 In the PaaS container Generated once during bootstrapping (in a Tenant Trusted Zone) and stored in-memory by the application It is recovered by the memory on demand per each query execution No Modification Yes P2 In the PaaS container One key is generated per Tenant (in a Tenant Trusted Zone) and a pair of user_key container_key is generated out of this tenant_key It is recomposed by the combination of a user_key and a container_key per each query_execution No Modification Yes P3 Outside the container in a Tenant Trusted Zone Generated once in a Tenant Trusted Zone E/D Key is used only in the Tenant Trusted Zone No Modification No P4 In the PaaS container Generated once during bootstrapping (in a Tenant Trusted Zone) and stored in-memory by the application It is recovered by the memory on demand per each query execution Modifications required No P5 In the PaaS container One key is generated per Tenant (in a Tenant Trusted Zone) and a pair of user_key container_key is generated out of this tenant_key It is recomposed by the combination of a user_key and a container_key per each query_execution Modifications required No
  • 16. Mechanism 2 – Semantic Policy Authorization Engine Why not an existing authorization engine? Based on authorization metamodel MAC, DAC, RBAC, ABAC ABAC is considered dominant (from NIST) Which Standard? and which Implementation of the Standard? De-facto ABAC standard is XA-CML Limitations of reference Implementation Balana Engine (pure syntactic execution of rules) PaaSword18/11/2016 16
  • 17. Semantic Policy Enforcement PaaSword18/11/2016 17 AccessControl PaaSword Context Model
  • 18. PaaSword18/11/2016 18 Questions? Visit us: www.paasword.euAcknowledgements: This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 644814.