988 research outputs found

    Cloud technology options towards Free Flow of Data

    This whitepaper collects the technology solutions that the projects in the Data Protection, Security and Privacy Cluster propose to address the challenges raised by the working areas of the Free Flow of Data initiative. The document describes the technologies, methodologies, models, and tools researched and developed by the clustered projects mapped to the ten areas of work of the Free Flow of Data initiative. The aim is to facilitate the identification of the state-of-the-art of technology options towards solving the data security and privacy challenges posed by the Free Flow of Data initiative in Europe. The document gives reference to the Cluster, the individual projects and the technologies produced by them.

    SLA-Based Continuous Security Assurance in Multi-Cloud DevOps

    Multi-cloud applications, i.e. those that are deployed over multiple independent Cloud providers, pose a number of challenges to the security-aware development and operation. Security assurance in such applications is hard due to the lack of insights of security controls applied by Cloud providers and the need of controlling the security levels of all the components and layers at a time. This paper presents the MUSA approach to Service Level Agreement (SLA)-based continuous security assurance in multi-cloud applications. The paper details the proposed model for capturing the security controls in the offered application Security SLA and the approach to continuously monitor and assess the controls at operation phase. This new approach enables to easily align development security requirements with controls monitored at operation as well as early react at operation to any possible security incident or SLA violation. The MUSA project leading to this paper has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No. 644429.

    Towards Self-Protective Multi-Cloud Applications: MUSA – a Holistic Framework to Support the Security-Intelligent Lifecycle Management of Multi-Cloud Applications

    The most challenging applications in heterogeneous cloud ecosystems are those that are able to maximise the benefits of the combination of the cloud resources in use: multi-cloud applications. They have to deal with the security of the individual components as well as with the overall application security including the communications and the data flow between the components. In this paper we present a novel approach currently in progress, the MUSA framework. The MUSA framework aims to support the security-intelligent lifecycle management of distributed applications over heterogeneous cloud resources. The framework includes security-by-design mechanisms to allow application self-protection at runtime, as well as methods and tools for the integrated security assurance in both the engineering and operation of multi-cloud applications. The MUSA framework leverages security-by-design, agile and DevOps approaches to enable the security-aware development and operation of multi-cloud applications. European Commission's H202

    Automatic Resource Allocation for High Availability Cloud Services

    This paper proposes an approach to support cloud brokers finding optimal configurations in the deployment of dependability and security sensitive cloud applications. The approach is based on model-driven principles and uses both UML and Bayesian Networks to capture, analyse and optimise cloud deployment configurations. While the paper is most focused on the initial allocation phase, the approach is extensible to the operational phases of the life-cycle. In such a way, a continuous improvement of cloud applications may be realised by monitoring, enforcing and re-negotiating cloud resources following detected anomalies and failures.

    Service Quality Assessment for Cloud-based Distributed Data Services

    The issue of less-than-100% reliability and trust-worthiness of third-party controlled cloud components (e.g., IaaS and SaaS components from different vendors) may lead to laxity in the QoS guarantees offered by a service-support system S to various applications. An example of S is a replicated data service to handle customer queries with fault-tolerance and performance goals. QoS laxity (i.e., SLA violations) may be inadvertent: say, due to the inability of system designers to model the impact of sub-system behaviors onto a deliverable QoS. Sometimes, QoS laxity may even be intentional: say, to reap revenue-oriented benefits by cheating on resource allocations and/or excessive statistical-sharing of system resources (e.g., VM cycles, number of servers). Our goal is to assess how well the internal mechanisms of S are geared to offer a required level of service to the applications. We use computational models of S to determine the optimal feasible resource schedules and verify how close is the actual system behavior to a model-computed 'gold-standard'. Our QoS assessment methods allow comparing different service vendors (possibly with different business policies) in terms of canonical properties: such as elasticity, linearity, isolation, and fairness (analogical to a comparative rating of restaurants). Case studies of cloud-based distributed applications are described to illustrate our QoS assessment methods. Specific systems studied in the thesis are: i) replicated data services where the servers may be hosted on multiple data-centers for fault-tolerance and performance reasons; and ii) content delivery networks to geographically distributed clients where the content data caches may reside on different data-centers. The methods studied in the thesis are useful in various contexts of QoS management and self-configurations in large-scale cloud-based distributed systems that are inherently complex due to size, diversity, and environment dynamicity.

    Self-healing Multi-Cloud Application Modelling

    Cloud computing market forecasts and technology trends confirm that Cloud is an IT disrupting phenomena and that the number of companies with multi-cloud strategy is continuously growing. Cost optimization and increased competitiveness of companies that exploit multi-cloud will only be possible when they are able to leverage multiple cloud offerings, while mastering both the complexity of multiple cloud provider management and the protection against the higher exposure to attacks that multi-cloud brings. This paper presents the MUSA Security modelling language for multi-cloud applications which is based on the Cloud Application Modelling and Execution Language (CAMEL) to overcome the lack of expressiveness of state-of-the-art modelling languages towards easing: a) the automation of distributed deployment, b) the computation of composite Service Level Agreements (SLAs) that include security and privacy aspects, and c) the risk analysis and service match-making taking into account not only functionality and business aspects of the cloud services, but also security aspects. The paper includes the description of the MUSA Modeller as the Web tool supporting the modelling with the MUSA modelling language. The paper introduces also the MUSA SecDevOps framework in which the MUSA Modeller is integrated and with which the MUSA Modeller will be validated. The MUSA project leading to this paper has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 644429.

    Inter-organizational Interoperability through integration of Multiagent, Web Service, and Semantic Web Technologies

    This paper presents a software architecture for inter-organizational multiagent systems. The architecture integrates Web service technology into multiagent systems to overcome the technical interoperability problem of current multiagent systems in the fast growing service-oriented environments. We integrate Semantic Web technology to make multiagent systems semantically interoperable. We address the problem of interoperability regarding interfaces, messaging protocols, data exchanged, and security whilst considering a dynamic e-business environment. The proposed architecture enables service virtualization, secure service access across organizational boundaries, service-to-agent communication, and OWL reasoning within agents.

    A framework for orchestrating secure and dynamic access of IoT services in multi-cloud environments

    IoT devices have complex requirements but their limitations in terms of storage, network, computing, data analytics, scalability and big data management require them to be used with a technology like cloud computing. IoT backend with cloud computing can present new ways to offer services that are massively scalable, can be dynamically configured, and delivered on demand with large-scale infrastructure resources. However, a single cloud infrastructure might be unable to deal with the increasing demand of cloud services in which hundreds of users might be accessing cloud resources, leading to a big data problem and the need for efficient frameworks to handle a large number of user requests for IoT services. These challenges require new functional elements and provisioning schemes. To this end, we propose the usage of multi-clouds with IoT which can optimize the user requirements by allowing them to choose best IoT services from many services hosted in various cloud platforms and provide them with more infrastructure and platform resources to meet their requirements. This paper presents a novel framework for dynamic and secure IoT services access across multi-clouds using cloud on-demand model. To facilitate multi-cloud collaboration, novel protocols are designed and implemented on cloud platforms. The various stages involved in the framework for allowing users access to IoT services in multi-clouds are service matchmaking (i.e. to choose the best service matching user requirements), authentication (i.e. a lightweight mechanism to authenticate users at runtime before granting them service access), and SLA management (including SLA negotiation, enforcement and monitoring). SLA management offers benefits like negotiating required service parameters, enforcing mechanisms to ensure that service execution in the external cloud is according to the agreed SLAs and monitoring to verify that the cloud provider complies with those SLAs.
The detailed system design to establish secure multi-cloud collaboration has been presented. Moreover, the designed protocols are empirically implemented on two different clouds including OpenStack and Amazon AWS. Experiments indicate that proposed system is scalable, authentication protocols result only in a limited overhead compared to standard authentication protocols, and any SLA violation by a cloud provider could be recorded and reported back to the user.