38 research outputs found

    Towards Secure and Leak-Free Workflows Using Microservice Isolation

    Data leaks and breaches are on the rise. They result in huge losses of money for businesses like the movie industry, as well as a loss of user privacy for businesses dealing with user data like the pharmaceutical industry. Preventing data exposures is challenging, because the causes for such events are various, ranging from hacking to misconfigured databases. Alongside the surge in data exposures, the recent rise of microservices as a paradigm brings the need to not only secure traffic at the border of the network, but also internally, pressing the adoption of new security models such as zero-trust to secure business processes. Business processes can be modeled as workflows, where the owner of the data at risk interacts with contractors to realize a sequence of tasks on this data. In this paper, we show how those workflows can be enforced while preventing data exposure. Following the principles of zero-trust, we develop an infrastructure using the isolation provided by a microservice architecture, to enforce owner policy. We show that our infrastructure is resilient to the set of attacks considered in our security model. We implement a simple, yet realistic, workflow with our infrastructure in a publicly available proof of concept. We then verify that the specified policy is correctly enforced by testing the deployment for policy violations, and estimate the overhead cost of authorization

    Dust Temperatures in the Infrared Space Observatory Atlas of Bright Spiral Galaxies

    We examine far-infrared and submillimeter spectral energy distributions for galaxies in the Infrared Space Observatory Atlas of Bright Spiral Galaxies. For the 71 galaxies where we had complete 60-180 micron data, we fit blackbodies with lambda^-1 emissivities and average temperatures of 31 K or lambda^-2 emissivities and average temperatures of 22 K. Except for high temperatures determined in some early-type galaxies, the temperatures show no dependence on any galaxy characteristic. For the 60-850 micron range in eight galaxies, we fit blackbodies with lambda^-1, lambda^-2, and lambda^-beta (with beta variable) emissivities to the data. The best results were with the lambda^-beta emissivities, where the temperatures were ~30 K and the emissivity coefficient beta ranged from 0.9 to 1.9. These results produced gas to dust ratios that ranged from 150 to 580, which were consistent with the ratio for the Milky Way and which exhibited relatively little dispersion compared to fits with fixed emissivities. Comment: AJ, 2003, in pres

    The ArTéMiS wide-field submillimeter camera: preliminary on-sky performances at 350 microns

    ArTeMiS is a wide-field submillimeter camera operating at three wavelengths simultaneously (200, 350 and 450 microns). A preliminary version of the instrument equipped with the 350 microns focal plane, has been successfully installed and tested on APEX telescope in Chile during the 2013 and 2014 austral winters. This instrument is developed by CEA (Saclay and Grenoble, France), IAS (France) and University of Manchester (UK) in collaboration with ESO. We introduce the mechanical and optical design, as well as the cryogenics and electronics of the ArTeMiS camera. ArTeMiS detectors are similar to the ones developed for the Herschel PACS photometer but they are adapted to the high optical load encountered at APEX site. Ultimately, ArTeMiS will contain 4 sub-arrays at 200 microns and 2x8 sub-arrays at 350 and 450 microns. We show preliminary lab measurements like the responsivity of the instrument to hot and cold loads illumination and NEP calculation. Details on the on-sky commissioning runs made in 2013 and 2014 at APEX are shown. We used planets (Mars, Saturn, Uranus) to determine the flat-field and to get the flux calibration. A pointing model was established in the first days of the runs. The average relative pointing accuracy is 3 arcsec. The beam at 350 microns has been estimated to be 8.5 arcsec, which is in good agreement with the beam of the 12 m APEX dish. Several observing modes have been tested, like On-The-Fly for beam-maps or large maps, spirals or raster of spirals for compact sources. With this preliminary version of ArTeMiS, we concluded that the mapping speed is already more than 5 times better than the previous 350 microns instrument at APEX. The median NEFD at 350 microns is 600 mJy.s^1/2, with best values at 300 mJy.s^1/2. The complete instrument with 5760 pixels and optimized settings will be installed during the first half of 2015. Comment: 11 pages, 11 figures. Presented at SPIE Millimeter, Submillimeter, and Far-Infrared Detectors and Instrumentation for Astronomy VII, June 24, 2014. To be published in Proceedings of SPIE Volume 915

    Activity in the central regions of galaxies: the contribution of infrared imaging between 1 and 5 microns

    Available from INIST (FR), Document Supply Service, under shelf-number: T 78733 / INIST-CNRS - Institut de l'Information Scientifique et Technique; SIGLE; FR; Franc

    Path Diversity in Energy-Efficient Wireless Sensor Networks

    Abstract—Energy efficiency is one of the most important issues to be tackled in wireless sensor networks. Activity scheduling protocols aim at prolonging the network lifetime by reducing the proportion of nodes that participate in the application. Among the vast range of criteria existing to schedule node activities, area coverage by connected sets is one of the most studied. Active nodes must ensure area coverage while remaining connected in order to guarantee proper data collection to the sink stations. As wireless communications stand for the main source of energy consumption, we investigated the communication redundancy of the active nodes set. We define a path diversity based metric that allows us to characterize the communication redundancy of a given set of nodes. We show that one of the most used connectivity criteria is far from building minimal connected sets in terms of communicating nodes involved. Our results open new directions to design localized connected sets solutions. I

    Securing Workflows Using Microservices and Metagraphs

    Companies such as Netflix increasingly use the cloud to deploy their business processes. Those processes often involve partnerships with other companies, and can be modeled as workflows where the owner of the data at risk interacts with contractors to realize a sequence of tasks on the data to be secured. In this paper, we first show how those workflows can be deployed and enforced while preventing data exposure. Second, this paper provides a global framework to enable the verification of workflow policies. Following the principles of zero-trust, we develop an infrastructure using the isolation provided by a microservice architecture to enforce owner policy. We implement a workflow with our infrastructure in a publicly available proof of concept. This work allows us to verify that the specified policy is correctly enforced by testing the deployment for policy violations, and find the overhead cost of authorization to be reasonable for the benefits. In addition, this paper presents a way to verify policies using a suite of tools transforming and checking policies as metagraphs. It is evident from the results that our verification method is very efficient regarding the size of the policies. Overall, this infrastructure and the mechanisms that verify the policy is correctly enforced, and then correctly implemented, help us deploy workflows in the cloud securely

    Infrared and submillimeter space missions in the coming decade: programmes, programmatics, and technology

    A revolution similar to that brought by CCDs to visible astronomy is still ahead in IR and submillimeter astronomy. There is certainly no wavelength range which has, over the past several years, seen such impressive advances in technology: large-scale detector arrays, new designs for cooling in space, lightweight mirror technologies. Scientific cases for observing the cold universe are outstanding. Observations in the FIR/Submm range will provide answers to such fundamental questions as: What is the spectrum of the primordial fluctuations? How do primeval galaxies look? What are the first stages of star formation? Most of the international space missions that have been triggered by these questions are presented in detail here. Technological issues raised by these missions are reviewed, as are the most recent achievements in cooling and detector technologies

    Verification of cloud security policies

    Companies like Netflix increasingly use the cloud to deploy their business processes. Those processes often involve partnerships with other companies, and can be modeled as workflows where the owner of the data at risk interacts with contractors to realize a sequence of tasks on the data to be secured. In practice, access control is an essential building block to deploy these secured workflows. This component is generally managed by administrators using high-level policies meant to represent the requirements and restrictions put on the workflow. Handling access control with a high-level scheme comes with the benefit of separating the problem of specification, i.e. defining the desired behavior of the system, from the problem of implementation, i.e. enforcing this desired behavior. However, translating such high-level policies into a deployed implementation can be error-prone. Even though semi-automatic and automatic tools have been proposed to assist this translation, policy verification remains highly challenging in practice. In this paper, our aim is to define and propose structures assisting the checking and correction of potential errors introduced on the ground due to a faulty translation or corrupted deployments. In particular, we investigate structures with formal foundations able to naturally model policies. Metagraphs, a generalized graph theoretic structure, fulfill those requirements: their use makes it possible to compare high-level policies to their implementation. In practice, we consider Rego, a language used by companies like Netflix and Plex for their release process, as a valuable representative of most common policy languages. We propose a suite of tools transforming and checking policies as metagraphs, and use them in a global framework to show how policy verification can be achieved with such structures. Finally, we evaluate the performance of our verification method

    On the use of metagraphs for the verification of security policies

    Multi-agent business processes with complex interactions are generally modeled as workflows. The owner of the confidential data interacts with contractors to carry out a sequence of tasks, delegating limited rights over the sensitive data to the various actors. This delegation relies on access control over the data. To ease its configuration, administrators write a specification of the access policies and then often rely on a translator. However, translating the specification into an implementation can lead to errors during an actual deployment across the different entities of the workflow, and thus create security flaws. In this article, we propose structures that facilitate the detection and correction of errors potentially introduced by a faulty translation or a failed deployment. In particular, we consider a structure with formal foundations capable of modeling security policies naturally and, above all, at a very fine granularity: metagraphs. We propose a suite of translation tools for detecting these potential errors and evaluate its performance

    Workflow Policy Verification Using Metagraphs

    Data and code accompanying the paper 'Workflow Policy Verification Using Metagraphs'