Community Research and Development Information Service - CORDIS

H2020

ESCUDO-CLOUD Report Summary

Project ID: 644579
Funded under: H2020-EU.2.1.1.3.

Periodic Reporting for period 1 - ESCUDO-CLOUD (Enforceable Security in the Cloud to Uphold Data Ownership)

Reporting period: 2015-01-01 to 2016-06-30

Summary of the context and overall objectives of the project

Cloud computing is increasingly a necessary strategic ICT infrastructure component for European companies to successfully compete in the world-wide economy. The advantages of renting ICT infrastructures, platforms, and services, with easy access to scalability and elasticity, are driving an ever accelerating transfer of data and applications toward the cloud. Unfortunately, this convenience comes at the price of data owners losing control over their own data, with the consequent risk of misuse and security threats. The lack of clarity on who can access, control or abuse the owners' data often limits the owners' adoption of the cloud's potential capabilities. While security is sometimes listed as one of the reasons for moving into the cloud, it can also be one of the major factors slowing and limiting its adoption. On one hand, cloud providers can be assumed to employ basic security mechanisms for protecting data in storage, processing, and communication, devoting resources to ensure security that many medium and small companies may not be able to afford. On the other hand, data owners, when relying on the cloud, lose control over data and their processing, hence leaving them potentially exposed. For instance, providers may wrap the data with an encryption layer for storage, and employ secure communication channels with modern authentication solutions. However, data are decrypted for processing, as encryption is seen as an obstacle to the efficient usage of services (like searches and query execution). If stronger encryption under control of the owner is to be applied, service functionalities are considerably affected (as typically it is not possible to perform fine-grained retrieval or queries). In summary, today data owners can i) enjoy functionality but leave their data exposed, or ii) enjoy protection but suffer from limited functionality.

This situation has a strong detrimental impact on the adoption and acceptability of cloud services. Data owners may refrain from relying on the cloud for certain data, which they consider more sensitive or critical, or they use the cloud but remain exposed to the consequences of improper protection and control. Resorting to contractual agreements and obligations is clearly only a partial solution, as it does not guarantee actual protection and ownership control. ESCUDO-CLOUD aims at addressing all these issues and, as the title of the project states, what characterizes it is to provide enforceable security and to uphold data ownership.

The goal of ESCUDO-CLOUD is to empower data owners as first class citizens of the cloud. ESCUDO-CLOUD provides effective and deployable solutions allowing data owners to maintain control over their data when relying on Cloud Service Providers (CSPs) for data storage, processing, and management.

The practical objectives that this project pursues to guarantee reaching the overall objective of empowering data owners with control can be summarized as follows.

Objective 1 - Rich support of requirements. Support a rich set of requirements and scenarios, reaching out to a large community of CSPs and users, considering requirements from large storage and service providers as well as from small companies and of course data owners, producing comprehensive solutions with actual deployment in real operational environments.

Objective 2 - Self-protection of data. Provide techniques ensuring self-protection of data, considering different aspects such as: protection of data at rest, key-management solutions, efficient and effective private data retrieval, and considering a variety of threats under which the proposed techniques will be verified.

Objective 3 - Secure information sharing. Provide techniques for enabling secure and private information sharing in the cloud, considering enforcement of access restrictions demanded by data owners, ensuring integrity of data in presence of multiple writers, supporting queries involving data from different owners.

Objective 4 - Multi cloud and federated cloud. Provide techniques for operating in complex multi cloud and federated cloud environments, offering security metrics and solutions allowing owners to reason about and assess trust in different providers, leveraging multiple providers for security, and operating in federated environments characterized by the presence of multiple CSPs.

Objective 5 - Effective exploitation. Provide effective exploitation in real operational environments, enabling effective realization of data ownership in the cloud and actual impact.

ESCUDO-CLOUD meets all the objectives above by considering use cases providing rich and comprehensive requirements corresponding to real problems and market strategies of main stakeholders.

Work performed from the beginning of the project to the end of the period covered by the report and main results achieved so far

Work performed from the beginning of the project has made it possible to make progress and obtain preliminary results along all the project's objectives. Main progress and results for the different objectives are as follows.

Objective 1 - Rich support of requirements. In the reporting period, requirements from the four representative use cases considered in ESCUDO-CLOUD have been gathered and analyzed. Each use case corresponds to a real-world problem where one of the industrial partners and the SME is involved and for which there are open security problems (considered by ESCUDO-CLOUD) that cannot be addressed with current technology. The use cases cover diverse application domains and provide scenarios able to promote the innovations expected from ESCUDO-CLOUD. All the use cases have common aspects since in each of them the use of cloud services naturally introduces the spectrum of security problems tackled in ESCUDO-CLOUD. However, each of them stresses specific security aspects, enabling focus on and deployment of specific ESCUDO-CLOUD solutions as well as exploitation in specific scenarios. In the reporting period, the functional and non-functional requirements of all the four use cases have been gathered and analyzed. The work (focus of WP1 - "Use cases") was performed in strong cooperation among all the partners to discuss the collected requirements, identifying commonalities and peculiarities of each use case, and analyze and organize the requirements. The approach was iterative with refinement phases to produce the final list of requirements to be considered by ESCUDO-CLOUD. At the end of the first year of the project, a complete and comprehensive analysis of use case requirements was available. Such requirements have provided input to the research activity and are also being considered for ensuring alignment with research and deployment of technical solutions to the use cases.

Objective 2 - Self-protection of data. In the reporting period, the work in this direction (focus of WP2 - "Protection techniques for outsourced data") has investigated solutions for protecting data at rest, considering encryption as well as alternative approaches such as data fragmentation (applicable to scenarios where what is confidential is not the data values themselves but rather their association). In the context of encryption, particular attention has been devoted to deployment with actual technology, in particular the OpenStack framework, and to the problem of managing keys. Work has also considered the problem of supporting private access, for which a novel technique has been proposed that provides access privacy by means of dynamic (encrypted) data allocation supported by a combination of: fake access requests used as cover, caching, and shuffling to randomly produce data re-allocation. Some preliminary work has also been devoted to requirements-based threat analysis to provide a schema for the analysis of the requirements identified in the use cases.

Objective 3 - Secure information sharing. In the reporting period, the work (focus of WP3 - "Information sharing in the cloud") has investigated solutions for enabling selective sharing (i.e., enabling a data owner to maintain control over the administration of her resources and to regulate access to such resources by others). The direction of investigation has considered the enforcement of access control regulations via encryption and hierarchical key derivation to provide for efficient management. The work has also performed a preliminary investigation of the application of such an approach in the context of supply chains (in connection with Use Case 2). Work has also addressed the problem of multi-user interaction, obtaining some results on a protocol for verifying the integrity and consistency of cloud object storage. A preliminary study has also been performed on the problem of providing support for collaborative queries, for which a model for expressing and enforcing sharing constraints is under investigation. In this context, the work has also focused on the definition of a technique for verifying the integrity of approximate joins. In the context of secure testing, the work has focused on an analysis and evaluation of the state-of-the-art techniques that could be applicable to ESCUDO-CLOUD.

Objective 4 - Multi cloud and federated cloud. In the reporting period, the work (focus of WP4 - "Multi cloud and federated cloud") has focused on identifying the security metrics most relevant for the use cases of the project and on providing the basis for SLA-based approaches for CSP security assessment. In particular, considering the input from WP1, an initial effort has been devoted to identifying a mapping between the state-of-the-art security/privacy metrics and the ESCUDO-CLOUD use case requirements. Then, the work has been dedicated to the design of techniques to specify, reason about, and aggregate SLA-based trust specifications into trust metrics, and to compare the trust levels across CSPs. The work in this context has also considered the ongoing standardization initiatives by NIST and ISO (which are in progress and still seem to have a mismatch on the security metrics that should be considered). Considering a multi-cloud scenario, characterized by the presence of multiple providers, the work has produced a new solution for protecting the privacy of accesses that uses three different providers for better security and privacy. Some effort has also been devoted to the design and development of a federated object storage based on the requirements of Use Case 3 "Federated Secure Cloud Storage".

Objective 5 - Effective exploitation. All industrial partners and the SME working on ESCUDO-CLOUD have devised an exploitation plan for the project. The exploitation activity (focus of WP5 "Dissemination, communication, and exploitation") started in the second year of the project, and industrial partners have already started exploitation by presenting ESCUDO-CLOUD and some preliminary findings to customers and at industrial events and meetings. ESCUDO-CLOUD results are also used by partners to enhance their internal research and product development. Exploitation plans include a specific deployment of technical solutions developed by the project within the specific use cases considered by the different partners. Such deployment and exploitation activity has started in the second year of the project, with the release of preliminary prototypes of the solutions to be deployed. In particular: IBM has presented ESCUDO-CLOUD key management solutions in the context of OpenStack; SAP has been working towards supporting sharing and query processing on protected data, extending HANA; BT is working towards exploiting the federated storage and data protection as a service solution developed in ESCUDO-CLOUD in their portfolio of services; EMC has presented the project to a number of internal product, solution and service groups and has also discussed the project concepts with a number of strategic customers in the financial services sector; WT is investigating exploitation opportunities within their 'elastic cloud' plans.

Progress beyond the state of the art and expected potential impact (including the socio-economic impact and the wider societal implications of the project so far)

ESCUDO-CLOUD is designing and developing novel technological approaches to advance the state of the art that empower data owners as first class citizens of the cloud. Such novel technical approaches, on which progress has been made in the first reporting period of the project, provide effective and deployable solutions, allowing data owners to maintain control over their data. They support protection of data in storage, selective and secure data sharing and querying, as well as consideration of multi and federated provider scenarios. In summary, ESCUDO-CLOUD provides impact by: i) increasing the quality of user experience and trust in clouds, ii) demonstrating the developed solutions in federated and multi cloud scenarios, iii) increasing innovation opportunities for service providers, iv) demonstrating the advantage of developed solutions through appropriate use cases.

In addition to the impact given by the direct exploitation and deployment of ESCUDO-CLOUD solutions by industrial partners and SME, ESCUDO-CLOUD also achieves impact through several dissemination, communication, and exploitation-enabling activities, which are being performed by all partners. These activities mainly aim at promoting the project and reaching out to the research and industrial communities. In particular, dissemination and communication activities include: the release of the project web site and promotional material; talks, keynotes, seminars, and conference presentations on the project objectives and work; scientific publications in international journals, conferences, and workshops, and chapters in international books; establishment of a dedicated workshop (now at its second edition in the second year of the project); chairing of different events on the project's topics (several conferences and workshops); courses in the B.Sc. and M.Sc. programs as well as PhD courses of the academic partners where the ESCUDO-CLOUD topics have been discussed. ESCUDO-CLOUD also participates in the Cluster on "Data Protection, Security and Privacy (DPSP) in the Cloud", and is part of a portfolio of offers for trusted and secure services from Unit E2 projects.

The availability of the techniques supporting data ownership developed in ESCUDO-CLOUD can be beneficial for both data owners and CSPs. Data owners can give more trust to the CSPs and use their services for a wider range of applications, possibly moving most of their resources to the cloud. CSPs significantly benefit, in addition to the increased market penetration that robust data ownership would provide, from reduced regulatory risks, audit costs, and general security threats that they would have to face in the absence of such protection. Freeing providers from the worries of protecting data allows them to even handle the data outside their own control. For instance, it would enable a provider itself to rely on other services for outsourcing storage and computation, behaving as a broker providing a virtualised cloud service, without worrying about the possible improper exposure of user information, which is guaranteed to be self-protected.

Related information

Record Number: 192837 / Last updated on: 2016-12-14