Towards Tracking Data Flows in Cloud Architectures

As cloud services become central in an increasing number of applications, they process and store more personal and business-critical data. At the same time, privacy and compliance regulations such as GDPR, the EU ePrivacy regulation, PCI, and the upcoming EU Cybersecurity Act raise the bar for secure processing and traceability of critical data. Especially the demand to provide information about existing data records of an individual and the ability to delete them on demand is central in privacy regulations. Common to these requirements is that cloud providers must be able to track data as it flows across the different services to ensure that it never moves outside of the legitimate realm, and it is known at all times where a specific copy of a record that belongs to a specific individual or business process is located. However, current cloud architectures do neither provide the means to holistically track data flows across different services nor to enforce policies on data flows. In this paper, we point out the deficits in the data flow tracking functionalities of major cloud providers by means of a set of practical experiments. We then generalize from these experiments introducing a generic architecture that aims at solving the problem of cloud-wide data flow tracking and show how it can be built in a Kubernetes-based prototype implementation.Comment: 11 pages, 5 figures, 2020 IEEE 13th International Conference on Cloud Computing (CLOUD

Towards Self-Protective Multi-Cloud Applications: MUSA – a Holistic Framework to Support the Security-Intelligent Lifecycle Management of Multi-Cloud Applications

The most challenging applications in heterogeneous cloud ecosystems are those that are able to maximise the benefits of the combination of the cloud resources in use: multi-cloud applications. They have to deal with the security of the individual components as well as with the overall application security including the communications and the data flow between the components. In this paper we present a novel approach currently in progress, the MUSA framework. The MUSA framework aims to support the security-intelligent lifecycle management of distributed applications over heterogeneous cloud resources. The framework includes security-by-design mechanisms to allow application self-protection at runtime, as well as methods and tools for the integrated security assurance in both the engineering and operation of multi-cloud applications. The MUSA framework leverages security-by-design, agile and DevOps approaches to enable the security-aware development and operation of multi-cloud applications.European Commission's H202

Methodology to obtain the security controls in multi-cloud applications

What controls should be used to ensure adequate security level during operation is a non-trivial subject in complex software systems and applications. The problem becomes even more challenging when the application uses multiple cloud services which security measures are beyond the control of the application provider. In this paper, a methodology that enables the identification of the best security controls for multicloud applications which components are deployed in heterogeneous cloud providers is presented. The methodology is based on application decomposition and modelling of threats over the components, followed by the analysis of the risks together with the capture of cloud business and security requirements. The methodology has been applied in the MUSA EU H2020 project use cases as the first step for building up the multi-cloud applications’ security-aware Service Level Agreements (SLA). The identified security controls will be included in the applications’ SLAs for their monitoring and fulfilment assurance at operation.European Commission's H202

Cooperative 3D Air Quality Assessment with Wireless Chemical Sensing Networks

n/

A cloud application for security service level agreement evaluation

Cloud security is today considered one of the main limits to the adoption of Cloud Computing. Academic works and the Cloud community (e.g., work-groups at the European Network and Information Security Agency, ENISA) have stated that specifying security parameters in Service Level Agreements actually enables the establishment of a common semantic in order to model security among users and Cloud Service providers (CSPs). However, despite the state of the art efforts aiming at building and representing Cloud SecLAs there is still a gap on the techniques to reason about them. Moreover a lot of activities are being carrying out to clearly state which are the parameters to be shared, their meanings and how they affect service provisioning. In this paper we propose to build up a cloud application that is able to offer Security level Evaluation based on SLA expressed in many different ways. Such application can be offered as a service by Third Parties in order to help customers to evaluate the offerings from providers. Furthermore it can be used to help customers to negotiate security parameters in a Multi-Cloud system and perform Cloud brokering on the basis of a quantitative evaluation of security parameters