3,573 research outputs found

    Extensions to the self protecting object model to facilitate integrity in stationary and mobile hosts

    M.Sc. (Computer Science). In this dissertation we propose extensions to the Self Protecting Object (SPO) model to facilitate the sharing of information in a more effective manner. We see the sharing of information as the sharing of objects that provide services. Sharing objects effectively is allowing the objects to be used in a secure environment, independent of their location, in a manner usage was intended. The SPO model proposed by Olivier [32] allows for objects in a federated database to be moved from one site to another and ensures that the security policy of the object will always be respected and implemented, regardless of its location. Although the SPO model does indeed allow for objects (information) to be shared effectively, it fails to address issues of maintaining integrity within objects. We therefore define the notion of maintaining integrity within the SPO model and propose a model to achieve it. We argue that ensuring an SPO is only used in a way usage was intended does not suffice to ensure integrity. The model we propose is based on ensuring that modifications to an SPO are only executed if the modification does not violate the constraints defined for the SPO. The model allows for an SPO to maintain its unique identity in addition to maintaining its integrity. The SPO model is designed to be used in a federated database on sites that are stationary. Therefore, having addressed the issue of maintaining integrity within SPOs on stationary sites in the federated database, we then introduce the notion of a mobile site: a site that will eventually disconnect from the federated database and become unreachable for some time. Introducing the mobile site into the federated database allows us to propose the Mobile Self Protecting Object (MSPO) and its associated architecture. Because of the nature of mobile sites, the original model for maintaining integrity cannot be applied to the MSPO architecture.
We therefore propose a mechanism (to be implemented in unison with the original model) to ensure the integrity of MSPOs on mobile sites. We then discuss the JASPO prototype. The aim of the prototype was to determine if the Self Protecting Object model was feasible using current development technologies. We examine the requirements identified in order for the prototype to be successful and discuss how these were satisfied. Several modifications were made to the original SPO model, including the addition of a new module and the exclusion of others; we discuss these modifications and examine why they were necessary.

    Secure data sharing and processing in heterogeneous clouds

    The extensive cloud adoption among the European Public Sector Players empowered them to own and operate a range of cloud infrastructures. These deployments vary both in the size and capabilities, as well as in the range of employed technologies and processes. The public sector, however, lacks the necessary technology to enable effective, interoperable and secure integration of a multitude of its computing clouds and services. In this work we focus on the federation of private clouds and the approaches that enable secure data sharing and processing among the collaborating infrastructures and services of public entities. We investigate the aspects of access control, data and security policy languages, as well as cryptographic approaches that enable fine-grained security and data processing in semi-trusted environments. We identify the main challenges and frame the future work that serve as an enabler of interoperability among heterogeneous infrastructures and services. Our goal is to enable both security and legal conformance as well as to facilitate transparency, privacy and effectivity of private cloud federations for the public sector needs. © 2015 The Authors

    Tool support for security-oriented virtual research collaborations

    Collaboration is at the heart of e-Science and e-Research more generally. Successful collaborations must address both the needs of the end user researchers and the providers that make resources available. Usability and security are two fundamental requirements that are demanded by many collaborations and both concerns must be considered from both the researcher and resource provider perspective. In this paper we outline tools and methods developed at the National e-Science Centre (NeSC) that provide users with seamless, secure access to distributed resources through security-oriented research environments, whilst also allowing resource providers to define and enforce their own local access and usage policies through intuitive user interfaces. We describe these tools and illustrate their application in the ESRC-funded Data Management through e-Social Science (DAMES) and the JISC-funded SeeGEO projects

    Federated digital identity globaliD

    Master's in Computer and Telematics Engineering. The following text provides a solution for the digital identity management on the Web regarding the users’ versatility, anonymity, privacy, veracity, trustworthiness and accountability by using the Portuguese National Electronic Citizen Identity Card and other publicly available authentication mechanisms users use daily. The dissertation consists of the presentation of the concept of identity and its particularities, an analysis of the several problems of managing personal information online, and an analysis of the several existing models, mechanisms and specifications for the management of the digital identity online (digital identity management).
A solution for digital identity management based on the federated identity model and associated to the Portuguese National Electronic Citizen Identity Card is introduced, described, analyzed, evaluated and compared to several other existing solutions. Last, a prototype of a federated digital identity provider based on the proposed solution for digital identity management is presented.

    A Survey of Data Security: Practices from Cybersecurity and Challenges of Machine Learning

    Machine learning (ML) is increasingly being deployed in critical systems. The data dependence of ML makes securing data used to train and test ML-enabled systems of utmost importance. While the field of cybersecurity has well-established practices for securing information, ML-enabled systems create new attack vectors. Furthermore, data science and cybersecurity domains adhere to their own set of skills and terminologies. This survey aims to present background information for experts in both domains in topics such as cryptography, access control, zero trust architectures, homomorphic encryption, differential privacy for machine learning, and federated learning to establish shared foundations and promote advancements in data security

    Taking Computation to Data: Integrating Privacy-preserving AI techniques and Blockchain Allowing Secure Analysis of Sensitive Data on Premise

    PhD thesis in Information technology. With the advancement of artificial intelligence (AI), digital pathology has seen significant progress in recent years. However, the use of medical AI raises concerns about patient data privacy. The CLARIFY project is a research project funded under the European Union’s Marie Sklodowska-Curie Actions (MSCA) program. The primary objective of CLARIFY is to create a reliable, automated digital diagnostic platform that utilizes cloud-based data algorithms and artificial intelligence to enable interpretation and diagnosis of whole-slide images (WSI) from any location, maximizing the advantages of AI-based digital pathology. My research as an early stage researcher for the CLARIFY project centers on securing information systems using machine learning and access control techniques. To achieve this goal, I extensively researched privacy protection technologies such as federated learning, differential privacy, dataset distillation, and blockchain. These technologies have different priorities in terms of privacy, computational efficiency, and usability. Therefore, we designed a computing system that supports different levels of privacy security, based on the concept: taking computation to data. Our approach is based on two design principles. First, when external users need to access internal data, a robust access control mechanism must be established to limit unauthorized access. Second, it implies that raw data should be processed to ensure privacy and security. Specifically, we use smart contract-based access control and decentralized identity technology at the system security boundary to ensure the flexibility and immutability of verification. If the user’s raw data still cannot be directly accessed, we propose to use dataset distillation technology to filter out privacy, or use locally trained model as data agent.
Our research focuses on improving the usability of these methods, and this thesis serves as a demonstration of current privacy-preserving and secure computing technologies

    Migration of an On-Premise Single-Tenant Enterprise Application to the Azure Cloud: The Multi-Tenancy Case Study

    Summary: The success of cloud computing is radically changing the way information technology services will be developed, deployed and managed. As a result, the buzzword "cloud migration" is highly topical in many enterprises. Thanks to this technology, many large and small enterprises are interested in moving their software, database systems and infrastructure to the cloud. Migrating existing systems to the cloud can reduce the costs of the required hardware, of software installation and licensing, and of hiring the people needed to manage it all. Hosting an application and its data in a cloud that serves multiple tenants can prove expensive if a shared approach among tenants is not used. Consequently, a deliberately designed application and data architecture is extremely important for an organization that uses a multi-tenant approach. This master's thesis describes a case study and the lessons learned from migrating a standalone, on-premise application to the Azure cloud. The thesis describes the migration of the data layer of productivity-measurement software for legal professionals to the Azure cloud. Moving the data layer of on-premise, single-tenant software to an efficient multi-tenant data storage system in the cloud additionally requires designing and implementing a high-level authentication mechanism. The main focus of the work is the design and implementation of a secure, scalable and multi-tenant-efficient data storage system architecture in the cloud. The project uses the built-in capability offered by SQL Database (formerly SQL Azure), SQL Federations, to ensure secure data isolation between tenants and database scalability. Migrating the software's data layer to the cloud reduces the costs associated with delivering, installing and managing the software.
It also helps the company expand into new markets, which before the migration was hindered by on-site software installation. With the data layer in the cloud, installing the system for a new customer requires very little expense. The success of cloud computing is changing the way information technology services are developed, deployed, maintained and scaled. This makes the ‘migration to the cloud’ a buzzword in the industry for most of the enterprises today. Observing so many advantages of this phenomenon technology, enterprises from small to large scales are interested in migrating their software applications, database systems or infrastructures to cloud scale solutions. Migrating existing systems to a cloud scale solution can reduce the expenses related to costs of the necessary hardware for servers, installation of the operating system environment, license costs of the operating system and database products, deployment of the database products and hiring professional staff for keeping the system up and running. However, storing the application data to a back-end that serves multiple tenants on the cloud will be also costly if the resources on the cloud platform are not shared fairly among tenants. Thus, a carefully designed multi-tenant architecture is essential for an organization that serves multiple tenants. In this master thesis, we will describe a case study and lessons learned on the migration of an enterprise application from an on-premise deployment backend to the Azure Cloud. More specifically, the thesis describes the migration of a productivity tool specialized for legal professionals to a multi-tenant data storage back-end on Azure Cloud. Moving an on-premise, single-tenant software backend to a multi-tenant data storage system on the cloud will also require design and implementation of authentication mechanisms.
The core focus of the work consists of the design and implementation of a secure, scalable and multi-tenant efficient data storage system and application architecture on the cloud. SQL Database (formerly SQL Azure) offers native features (SQL Federations) for the secure isolation of the data among tenants and database scalability which has been used inside the project. Furthermore, the basic application authentication mechanism is enhanced with identity providers such as Google Account and Windows Live ID by embedding native functionality of Windows Azure called Azure Access Control Service to the login mechanism. Migration of the software backend to a cloud scale solution is expected to reduce the costs related to delivery, deployment, maintenance and operation of the software for the business. Furthermore, it will help the business to target new markets since it is a cloud based solution and requires very little initial effort to deliver the software to the new customers

    On Achieving Privacy-Preserving State-of-the-Art Edge Intelligence

    Deep Neural Network (DNN) Inference in Edge Computing, often called Edge Intelligence, requires solutions to ensure that sensitive data confidentiality and intellectual property are not revealed in the process. Privacy-preserving Edge Intelligence is only emerging, despite the growing prevalence of Edge Computing as a context of Machine-Learning-as-a-Service. Solutions are yet to be applied, and possibly adapted, to state-of-the-art DNNs. This position paper provides an original assessment of the compatibility of existing techniques for privacy-preserving DNN Inference with the characteristics of an Edge Computing setup, highlighting the appropriateness of secret sharing in this context. We then address the future role of model compression methods in the research towards secret sharing on DNNs with state-of-the-art performance.