10 research outputs found
Towards Tracking Data Flows in Cloud Architectures
As cloud services become central in an increasing number of applications,
they process and store more personal and business-critical data. At the same
time, privacy and compliance regulations such as GDPR, the EU ePrivacy
regulation, PCI, and the upcoming EU Cybersecurity Act raise the bar for secure
processing and traceability of critical data. Especially the demand to provide
information about existing data records of an individual and the ability to
delete them on demand is central in privacy regulations. Common to these
requirements is that cloud providers must be able to track data as it flows
across the different services to ensure that it never moves outside of the
legitimate realm, and it is known at all times where a specific copy of a
record that belongs to a specific individual or business process is located.
However, current cloud architectures do neither provide the means to
holistically track data flows across different services nor to enforce policies
on data flows. In this paper, we point out the deficits in the data flow
tracking functionalities of major cloud providers by means of a set of
practical experiments. We then generalize from these experiments introducing a
generic architecture that aims at solving the problem of cloud-wide data flow
tracking and show how it can be built in a Kubernetes-based prototype
implementation.Comment: 11 pages, 5 figures, 2020 IEEE 13th International Conference on Cloud
Computing (CLOUD
Poster: Patient Community -- A Test Bed For Privacy Threat Analysis
Research and development of privacy analysis tools currently suffers from a
lack of test beds for evaluation and comparison of such tools. In this work, we
propose a benchmark application that implements an extensive list of privacy
weaknesses based on the LINDDUN methodology. It represents a social network for
patients whose architecture has first been described in an example analysis
conducted by one of the LINDDUN authors. We have implemented this architecture
and extended it with more privacy threats to build a test bed that enables
comprehensive and independent testing of analysis tools.Comment: 3 pages, 1 figur
MEDINA Orchestrator - User Manual
The Orchestrator is a central component of the MEDINA framework and processes and stores all evidence and assessment results. It receives them from the evidence collection and security assessment tools, and forwards them to the appropriate components, such as the Continuous Certificated Evaluation[1] (CCE). Furthermore, it provides a database that stores evidence and assessment results, as well as metrics, and other data
Application-Oriented Selection of Privacy Enhancing Technologies
To create privacy-friendly software designs, architects need comprehensive
knowledge of existing privacy-enhancing technologies (PETs) and their
properties. Existing works that systemize PETs, however, are outdated or focus
on comparison criteria rather than providing guidance for their practical
selection. In this short paper we present an enhanced classification of PETs
that is more application-oriented than previous proposals. It integrates
existing criteria like the privacy protection goal, and also considers
practical criteria like the functional context, a technology's maturity, and
its impact on various non-functional requirements. We expect that our
classification simplifies the selection of PETs for experts and non-experts
A Continuous Risk Assessment Methodology for Cloud Infrastructures
Cloud systems are dynamic environments which make it difficult to keep track
of security risks that resources are exposed to. Traditionally, risk assessment
is conducted for individual assets to evaluate existing threats; their results,
however, are quickly outdated in such a dynamic environment. In this paper, we
propose an adaptation of the traditional risk assessment methodology for cloud
infrastructures which loosely couples manual, in-depth analyses with
continuous, automatic application of their results. These two parts are linked
by a novel threat profile definition that allows to reusably describe
configuration weaknesses based on properties that are common across assets and
cloud providers. This way, threats can be identified automatically for all
resources that exhibit the same properties, including new and modified ones. We
also present a prototype implementation which automatically evaluates an
infrastructure as code template of a cloud system against a set of threat
profiles, and we evaluate its performance. Our methodology not only enables
organizations to reuse their threat analysis results, but also to collaborate
on their development, e.g. with the public community. To that end, we propose
an initial open-source repository of threat profiles
Cloud Property Graph: Connecting Cloud Security Assessments with Static Code Analysis
In this paper, we present the Cloud Property Graph (CloudPG), which bridges
the gap between static code analysis and runtime security assessment of cloud
services. The CloudPG is able to resolve data flows between cloud applications
deployed on different resources, and contextualizes the graph with runtime
information, such as encryption settings. To provide a vendor- and
technology-independent representation of a cloud service's security posture,
the graph is based on an ontology of cloud resources, their functionalities and
security features. We show, using an example, that our CloudPG framework can be
used by security experts to identify weaknesses in their cloud deployments,
spanning multiple vendors or technologies, such as AWS, Azure and Kubernetes.
This includes misconfigurations, such as publicly accessible storages or
undesired data flows within a cloud service, as restricted by regulations such
as GDPR
Ion-specific thermodynamics of multicomponent electrolytes: a hybrid HNC/MD approach
Using effective infinite dilution ion-ion interaction potentials derived from explicit-water molecular dynamics (MD) computer simulations in the hypernetted-chain (HNC) integral equation theory we calculate the liquid structure and thermodynamic properties, namely, the activity and osmotic coefficients of various multicomponent aqueous electrolyte mixtures. The electrolyte structure expressed by the ion-ion radial distribution functions is for most ions in excellent agreement with MD and implicit solvent Monte Carlo (MC) simulation results. Calculated thermodynamic properties are also represented consistently among these three methods. Our versatile HNC/MD hybrid method allows for a quick prediction of the thermodynamics of multicomponent electrolyte solutions for a wide range of concentrations and an efficient assessment of the validity of the employed MD force-fields with possible implications in the development of thermodynamicall
Terroristas como pessoas no direito?
A punição de terroristas, em larga medida preliminar, ou os severos interrogatórios, não se adequam a um perfeito Estado de direito. Pertencem ao direito de exceção. Um Estado de direito que tudo abarque não poderia travar esta guerra, pois ele deveria tratar seus inimigos como pessoas e, conseqüentemente, não poderia tratá-las como fonte de perigo. Em Estados de direito que operam na prática de modo ótimo procede-se de outra maneira, e isso lhes dá a chance de não se quebrarem durante o ataque a seus inimigos.<br>The preemptive punishment of terrorists and the use of harsh interrogation techniques are not within the classical standards of the Rule of Law. They belong rather to a state of exception. A State committed to all the usually accepted requirements of the Rule of Law would not be allowed to carry such a war, because it would have the duty to treat its enemies as persons. Therefore, it would not be authorized to treat them as a source of danger. Nevertheless, these classical standards have been challenged in the last two decades by major institutional changes that are now being discussed both in theoretical as in practical levels