A set of security tools, mechanisms and recommendations has been developed under techno-legal guidance to make cloud computing transparent, safer and more resilient when used in critical infrastructures and applications.

Digital Economy

Security

Cloud computing is facilitating knowledge exchange, new services, and access to information in unprecedented ways, but carries with it security risks and challenges. The EU-funded SECCRIT (Secure cloud computing for critical infrastructure IT) has investigated cloud-computing technologies and associated risks that affect critical infrastructure in order to strengthen cloud security and to add resilience. Bringing together expert institutions and organisations from Austria, Finland, Germany, Greece, Italy, Spain and the UK, the project worked on several research pillars to advance security and resilience in critical infrastructures and applications. At the outset, the team developed a vulnerability catalogue as input for a novel risk assessment methodology, furthering risk assessment tools and contributing to European standardisation in the field. It worked on policy specification, decision and enforcement for secure data handling in the cloud, as well as a resilience framework including anomaly-detection-as-a-service. Another important project objective was to develop tools for audit trails and root cause analysis, which involved new open-source software prototypes. The team also elaborated a cloud assurance profile evaluation method with proof of concept scripts. The software components and tools were enhanced with security guidelines that support critical infrastructure stakeholders in using the cloud, as well as techno-legal guidance with recommendations on relevant technical and legal issues. Fulfilling the legal requirements from the very beginning of this project was a major focus, as the developed systems needed to be legally compliant in order to use them in practice. Therefore, a privacy-by-design approach was followed in SECCRIT towards the development of legally conformant outcomes. Beyond developing and testing the above tools and mechanisms, the project team produced 38 peer-reviewed scientific papers, in addition to organising four user workshops and a seminar on cloud security. The results have also contributed to student theses, lectures and follow-up projects, with plans for commercialisation of the software tools. Keeping the cloud secure and resilient for critical-infrastructure users will ensure uninterrupted productivity and efficiency in business and industry. It will also indirectly help to promote a better standard of living for Europeans.

Keywords

Critical infrastructure, cloud computing, SECCRIT, anomaly detection, resilience, cloud security