6 research outputs found

    An Elasticity-aware Governance Platform for Cloud Service Delivery

    In cloud service provisioning scenarios with a changing demand from consumers, it is appealing for cloud providers to leverage only a limited amount of the virtualized resources required to provide the service. However, it is not easy to determine how many resources are required to satisfy consumers' expectations in terms of Quality of Service (QoS). Some existing frameworks provide mechanisms to adapt the required cloud resources in the service delivery, also called an elastic service, but only for consumers with the same QoS expectations. The problem arises when the service provider must deal with several consumers, each demanding a different QoS for the service. In such a scenario, cloud resource provisioning must deal with trade-offs between different QoS, while fulfilling these QoS, within the same service deployment. In this paper we propose an elasticity-aware governance platform for cloud service delivery that reacts to the dynamic service load introduced by consumers' demand. Such a reaction consists of provisioning the required amount of cloud resources to satisfy the different QoS that is offered to the consumers by means of several service level agreements. The proposed platform aims to keep under control the QoS experienced by multiple service consumers while maintaining a controlled cost.

    Funding: Junta de Andalucía P12--TIC--1867; Ministerio de Economía y Competitividad TIN2012-32273; Agencia Estatal de Investigación TIN2014-53986-RED

    Authorization Policy Federation in Heterogeneous Multicloud Environments

    Current Infrastructure as a Service (IaaS) cloud platforms have their own authorisation system, containing different access control policies and models. Clients with accounts in multiple cloud providers struggle to manage their rules in order to provide a homogeneous access control experience to users. This work proposes a solution: an Authorisation Policy Federation (APF) of heterogeneous cloud accounts. These federated accounts share a centrally managed policy written in Disjunctive Normal Form (DNF) using a cloud-independent ontology. This shared abstract policy can be translated to local cloud formats, and back again. Prototypes were implemented for OpenStack and Amazon Web Services (AWS) cloud formats, and rules were successfully translated with a Level of Semantic Equivalence (LSE) higher than 80

    Distributed Usage Control and Provenance Tracking Using the Example of Cloud Technologies

    In recent decades, data has become one of the most valuable resources. As a result, demands for transparent and controllable handling of data are growing ever louder. Usage control and provenance tracking are concepts with which these demands can be met. Usage control extends access control so that the use of data can be controlled even after the data has been distributed. Provenance tracking, by contrast, serves to determine the origin of a data item. The foundation required for usage control and provenance tracking, namely the infrastructure, could be provided by cloud technologies such as Kubernetes. To that end, this work provides an overview of the current state of research on usage control and provenance tracking. This includes, in particular, possible connections to the field of cloud computing and current research projects such as International Data Spaces (IDS) and its reference architecture. Furthermore, a basic understanding of the term cloud is established. In particular, the aspects of security and law in the context of cloud computing are addressed. Finally, the insights gained are used to deploy a prototypical infrastructure for usage control and provenance collection. The cloud technology Kubernetes and dummy components of the reference architecture developed for it form the foundation of this infrastructure. The modelling and implementation are then the subject of an evaluation and discussion focusing on operational and security-relevant aspects.

    Management of medical information in basic health units: analysis of a real case and proposal of a context-sensitive usage control model for medical information

    Advisor: Carlos Alberto Maziero. Thesis (doctorate) - Universidade Federal do Paraná, Setor de Ciências Exatas, Programa de Pós-Graduação em Informática. Defense: Curitiba, 31/07/2017. Includes references: f. 111-117. Area of concentration: Computer science.

    Summary: In Brazil, the primary health care sector, which corresponds to the Basic Health Units (Unidades Básicas de Saúde - UBS), is currently undergoing digital evolution. Electronic records (Prontuários Eletrônicos - PE) are used only for vaccines and exams, and the other procedures and appointments are recorded in paper charts. However, the PE lack access authorization technologies, that is, computational resources that can determine which user may access the patient's PE and for how long. Based on this information, the objective of this thesis was to develop a context-sensitive access control model that processes authorization requests for the controlled use of the PE. For this study, the health environments of the UBS were investigated through qualitative research; legislation on health records was examined; concepts of the UCONabc usage control model and the application of contextual information were surveyed, along with an understanding of how these concepts are applied through the XACML language. Next, the requirements of the model, its conceptual modeling, and its practical implementation through the development of a prototype were elaborated. The results showed (i) that the users (multidisciplinary and administrative staff) of the UBS have unrestricted access to the patients' PE and paper records; (ii) that there is difficulty in sharing record information between the UBS; (iii) that the storage of paper records is vulnerable; (iv) that the rule policies developed correctly processed the authorization requests; (v) that through the rule policies it is possible to implement the delegation of usage rights; (vi) that the use of the PE can be controlled by time; (vii) that contextual information can be applied in this process; and (viii) that the performance of the proposed model, when only one server is used for its hosting and processing, is satisfactory. It is therefore concluded that the primary health care sector needs expanded use of PE, covering the recording of all procedures performed, and the application of access control technologies, as suggested in the context-sensitive usage control model for electronic records. Keywords: Access Control, Contextual Information, Electronic Health Record, Basic Health Units.

    Abstract: In Brazil, the Primary Sector of health care that corresponds to the Basic Health Units - UBS, is currently in the process of digital evolution. Electronic records - PE are directed only to vaccines and exams and the other procedures and appointments are recorded in paper charts. However, PEs lack access authorization technologies, that is, computational resources that can determine which user can access the patient's PE and for how long. From this information, the purpose of this thesis was to develop a context sensitive access control model that will process the requisitions of authorizations for the controlled use of the PE. For this study, the health environments of the UBS were searched through qualitative research; verification of legislation on health records; a survey of concepts of the UCONabc use control model, and the application of contextual information, as well as the understanding of the application of these concepts through the XACML language. Next, the requirements of the model, its conceptual modeling, and its practical implementation through the development of a prototype were elaborated. The results showed (i) that the users (multidisciplinary and administrative team) of the UBS have access to the PEs and on paper of the patients; (ii) that there is difficulty in sharing the information of the medical records between the UBS; (iii) that the storage of medical records is vulnerable; (iv) that the rule policies developed correctly processed the requisitions of authorizations; (v) that through the rules policies it is possible to implement the delegation of rights of use; (vi) that the use of PE can be time controlled; (vii) that contextual information can be applied in this process; (viii) and that the performance of the proposed model when using only one server for its hosting and processing presents satisfactory results. With this, it is concluded that the Primary Sector of health care needs an extension of the use of PE, covering the registration of all the procedures performed and the application of access control, as suggested in the context-sensitive use control model for electronic medical records. Keywords: Usage Control, Context Aware, Electronic Medical Record, Basic Healthcare Unit

    Usage Control in Cloud Federations

    Cloud Federation is a promising approach to enhance cross-cloud application execution. Nevertheless, such an approach emphasizes open challenges in Cloud Computing, such as revoking long-lasting authorization on resources as soon as the conditions granting the access right are no longer valid. To tackle this kind of issue, we built a prototype of Cloud Federation that leverages the concept of Usage Control (UCON), by continuously monitoring and reassessing the users' rights on resources. We exploited an extension of the XACML standard and measured the overhead caused by different security policies and distributions of requests. Results suggest that the UCON model can be effectively applied in Cloud Federations and its performance is sustainable when applied to the relevant actions of the lifecycle of applications.

    Usage Control in Cloud Federations
