13 research outputs found

    Structuring the Scope: Enabling Adaptive and Multilateral Authorization Management

    Presentation on IEEE CNS 2017 conferenc

    Towards Secure Collaboration in Federated Cloud Environments

    Public administrations across Europe have been actively following and adopting cloud paradigms at various degrees. By establishing modern data centers and consolidating their infrastructures, many organizations already benefit from a range of cloud advantages. However, there is a growing need to further support the consolidation and sharing of resources across different public entities. The ever increasing volume of processed data and diversity of organizational interactions stress this need even further, calling for the integration on the levels of infrastructure, data and services. This is currently hindered by strict requirements in the field of data security and privacy. In this paper, we present ongoing work aimed at enabling secure private cloud federations for public administrations, performed in the scope of the SUNFISH H2020 project. We focus on architectural components and processes that establish cross-organizational enforcement of data security policies in mixed and heterogeneous environments. Our proposal introduces proactive restriction of data flows in federated environments by integrating real-time based security policy enforcement and its post-execution conformance verification. The goal of this framework is to enable secure service integration and data exchange in cross-entity contexts by inspecting data flows and assuring their conformance with security policies, both on organizational and federation level

    Secure data sharing and processing in heterogeneous clouds

    The extensive cloud adoption among the European Public Sector Players empowered them to own and operate a range of cloud infrastructures. These deployments vary both in the size and capabilities, as well as in the range of employed technologies and processes. The public sector, however, lacks the necessary technology to enable effective, interoperable and secure integration of a multitude of its computing clouds and services. In this work we focus on the federation of private clouds and the approaches that enable secure data sharing and processing among the collaborating infrastructures and services of public entities. We investigate the aspects of access control, data and security policy languages, as well as cryptographic approaches that enable fine-grained security and data processing in semi-trusted environments. We identify the main challenges and frame the future work that serve as an enabler of interoperability among heterogeneous infrastructures and services. Our goal is to enable both security and legal conformance as well as to facilitate transparency, privacy and effectivity of private cloud federations for the public sector needs. © 2015 The Authors

    Structuring the Scope: Enabling Adaptive and Multilateral Authorization Management

    In this work, we examine an access scope, a concept in authorization management broadly applied for the specification of access constraints in web service integrations. By analyzing a typical use-case of cross-organizational cloud service automation, we show the suboptimal capabilities of static, coarse-grained and inflexible scopes that negatively impact security and management of service integrations on a web scale. Using the graph-based structure that relies on semantic technologies we introduce dereferenceable and self-descriptive authorization extents that allow expressive, granular and dynamic specification of security requirements. Through its application in the running scenario, we show how this construct can be administered to support confidentiality, integrity and privacy requirements of service integrations by allowing selective information sharing based on contextual properties

    FaaS: Federation-as-a-Service

    This document is the main high-level architecture specification of the SUNFISH cloud federation solution. Its main objective is to introduce the concept of Federation-as-a-Service (FaaS) and the SUNFISH platform. FaaS is the new and innovative cloud federation service proposed by the SUNFISH project. The document defines the functionalities of FaaS, its governance and precise objectives. With respect to these objectives, the document proposes the high-level architecture of the SUNFISH platform: the software architecture that permits realising a FaaS federation. More specifically, the document describes all the components forming the platform, the offered functionalities and their high-level interactions underlying the main FaaS functionalities. The document concludes by outlining the main implementation strategies towards the actual implementation of the proposed cloud federation solution. Comment: Technical Report Edited by Francesco Paolo Schiavo, Vladimiro Sassone, Luca Nicoletti and Andrea Margher

    Challenges Emerging from Future Cloud Application Scenarios

    The cloud computing paradigm encompasses several key differentiating elements and technologies, tackling a number of inefficiencies, limitations and problems that have been identified in the distributed and virtualized computing domain. Nonetheless, and as it is the case for all emerging technologies, their adoption led to the presentation of new challenges and new complexities. In this paper we present key application areas and capabilities of future scenarios, which are not tackled by current advancements and highlight specific requirements and goals for advancements in the cloud computing domain. We discuss these requirements and goals across different focus areas of cloud computing, ranging from cloud service and application integration, development environments and abstractions, to interoperability and relevant to it aspects such as legislation. The future application areas and their requirements are also mapped to the aforementioned areas in order to highlight their dependencies and potential for moving cloud technologies forward and contributing towards their wider adoption

    Securing integration of cloud services in Cross-Domain Distributed environments

    Traditional cloud integration scenarios, as adopted by many organizations, assume business processes to be executed in a cross-domain context, connecting on-premise and cloud applications. The emerging model of cloud-based integration platforms extends these scenarios by transferring business process execution entirely to the cloud. Although this approach provides numerous benefits and opens a new range of opportunities, its adoption requires reconsideration of currently applied practices and their adjustment to a new perspective. In this work, we analyze the existing approaches to cross-domain service composition based on cloud integration platforms. We particularly focus on the security of these approaches, considering currently dominant OAuth 2.0 web authorization protocol and emerging UMA protocol. For this purpose, we present a new tool that enables UMA support in Apache Camel integration framework. We then analyze and discuss the integration flows relying on both protocols. Finally, based on RMIAS framework, we provide a security assessment of both approaches, presenting an overview of issues and challenges for future work

    Balancing Utility and Security: Securing Cloud Federations of Public Entities

    Presentation of the paper published at OTM 2016 conference, Cloud and Trusted Computing session

    Secure Data Sharing and Processing in Heterogeneous Clouds

    SUNFISH Project presentatio