Community Research and Development Information Service - CORDIS

H2020

SUPERCLOUD Report Summary

Project ID: 643964
Funded under: H2020-EU.2.1.1.3.

Periodic Reporting for period 1 - SUPERCLOUD (USER-CENTRIC MANAGEMENT OF SECURITY AND DEPENDABILITY IN CLOUDS OF CLOUDS)

Reporting period: 2015-02-01 to 2016-07-31

Summary of the context and overall objectives of the project

Distributed cloud computing raises many security and dependability concerns, due to increase in complexity and lack of interoperability between heterogeneous, often proprietary infrastructure technologies.
SUPERCLOUD will build a security management architecture and infrastructure for secure and dependable cloud of clouds that are: user-centric for customers to define their own protection requirements and avoid provider lock-ins, and self-managed to reduce administration complexity through automation.
Key expected results include: (1) a security supervision infrastructure for multi-clouds; (2) a data security and storage infrastructure; (3) a secure virtualized network infrastructure. Developed technology will be validated through demonstrators from the healthcare domain: (1) a healthcare Laboratory Information System; (2) a cloud-based image processing and storage platform.

Work performed from the beginning of the project to the end of the period covered by the report and main results achieved so far

"The period started by defining the architecture of SUPERCLOUD Core Technology. Three sub-architectures for secure computation, data management, and networking were defined, with cross-cutting security self-management. Specifications were published for: the overall architecture (D1.1); sub-architectures (D2.1, D3.1, D4.1), and self-management (D1.2) – enabling to pass successfully the Architecture Specification Milestone (M10). A paper on the SUPERCLOUD vision was accepted for publication in a Special Issue of IEEE Cloud Computing on Cloud Security.
In parallel, SUPERCLOUD use cases and requirements were specified (D5.1), focusing mainly on healthcare, but also addressing other verticals (e.g., smart home). A SUPERCLOUD testbed was also started to be deployed. Preliminary analysis of some foreseen SUPERCLOUD ecosystems showed their viability, such results being encouraging for market adoption of SUPERCLOUD technology. Implementation of SUPERCLOUD components then started through a set of prototypes.
The computing infrastructure includes a distributed virtualization infrastructure and a security self-management infrastructure. A horizontal (multi-provider) and vertical (cross-layer) user-centric virtualization architecture and infrastructure combining flexible security control and interoperability were proposed through an orchestration framework named ORBITS to run distributed user-centric clouds (U-Clouds) over multiple Open Stacks, security services being "weaved" under user control, and through a cross-layer U-Cloud prototype running nested VMs over Xen using the NOVA micro-hypervisor. Among hardware security mechanisms, Intel SGX was also chosen as focal technology for VM isolation and trusted execution of services, with extensions for managing of chains of trust.
For self-management of security, components have been proposed for multi-provider policy modelling and enforcement, with features such as user security requirement specification, provider selection, and SLA negotiation, or cross-layer and provider autonomic security monitoring. An integrated proof-of-concept prototype of the security self-management infrastructure has been developed around an availability use case, based on OrBAC policies and enforcement by a Floodlight SDN controller. For compliance checking, a component called CCTV was proposed for automating configuration of VMs and analyze configuration changes. Different levels of access control policies were also enforced, such as usage-control, authorization (e.g., for NFV through a framework called Moon), or at application-level (e.g., geo-location-aware data isolation). A user-centric solution for multi-cloud fault-tolerance for compute services was also developed to manage different types of failures.
The data management infrastructure ensures several data protection requirements from use cases can be fulfilled. Dependability is based on Byzantine fault tolerance and blockchain techniques, with proposition of XFT, a novel resilience model decoupling Byzantine from network faults. The Hyperledger state machine replication fabric was open sourced by IBM in M13 to serve as blockchain substrate for the SUPERCLOUD multi-cloud dependability solution.
Specific modules related to security-enabling data management features and dependable multi-cloud storage have been defined and are under development to be integrated within a Data Access Proxy supporting OpenStack Swift interfaces. Secure data sharing results include a prototype to store, share and deduplicate consistently sensitive data in a multi-cloud system, using well-controlled cryptographic tools (e.g., proxy re-encryption, attribute-based encryption). Regarding privacy, several techniques (multi-party computation, homomorphic encryption, differential privacy) have been explored for verifiability of systems computing statistics on medical data coming from independent hospitals, while protecting privacy, not giving all knowledge to a single entity. A corresponding prototype called Trinocchio has been developed. For dependability, a prototype of software-defined cloud-backed storage service for disaster recovery, integrated with the Maxdata use case was developed. Methods were also proposed to spare replicas to lower latency of geo-replicated protocols.
The network virtualization architecture, based on the SDN paradigm, gives tenants freedom to specify their own virtual network topologies, then deployed across multiple clouds. An initial prototype has been built demonstrating some of the concepts of the architecture. Specific modules related to security and resilience have been defined and developed For instance, novel virtual network embedding algorithms have been proposed to take into consideration user requirements in terms of security and privacy.
An approach has been explored to support and optimize chaining of network security services in a multi-provider context, or self-management of security incidents in the network, prototyping such concepts as SDN applications. A novel solution for real-world assessment and mitigation of phishing attacks through sandboxing has also been proposed.
To improve control plane resilience, a first prototype of replicated SDN controller has been developed while keeping a consistent view of the network state. An approach based on dynamically adjusting the set of leaders in a network agreement protocol has also been implemented for FPGAs. Preliminary results have also been achieved on the design of a distributed control plane (distributed SDN controller), or to enhance data plane resilience.
Progress has also been made towards integration, with definition of a first roadmap, and some preliminary joint partner prototypes for healthcare domain use cases.
The project has been very active regarding dissemination: the SUPERCLOUD project collaborative information platform was regularly updated, with publication of a newsletter. Partners have contributed a significant number of publications, with 19 papers accepted, many of them in top-class conferences or prestigious journals. Orange co-organized two editions of the SEC2 workshop on Cloud Security where keynotes and paper presentations from several SUPERCLOUD partners were given. Regarding training, TUDA organized a Summer School Secure and Trustworthy Computing in collaboration with the FP7 PRACTICE project where SUPERCLOUD partners gave talks on topics such as the SUPERCLOUD architecture, cryptographic protocols for data protection, and secure replication and Byzantine fault tolerance.
SUPERCLOUD made also multiple contributions to standardization, both in open source and in traditional standardization bodies such as on NFV at ETSI, or on encrypted objects and access control in multi-cloud environments for healthcare at SNIA CDMI. For instance, the Moon authorization component of the computation infrastructure was accepted as new collaborative development project by OPNFV, an open platform for deploying NFV solutions; the VESPA self-protection framework was open sourced in the OW2 consortium; standardization roadmaps of SUPERCLOUD and H2020 were synchronized at ITU-T/SG13 to push a new draft recommendation on Trusted Inter-Cloud Computing in terms of framework and requirements.

The SUPERCLOUD Intermediate Business Plan and Exploitation Report (D6.3) was released. SUPERCLOUD also gave to DG Connect an overview on the technological state of the art on cloud and virtualization security, data protection, and network security – identifying technology trend gaps in this area and how SUPERCLOUD overcomes some of them. Throughout that period, the project set up the communication infrastructure for internal and external information sharing, and released its quality, risk management and data management plans.
One key milestone was the presentation the project results to the Advisory Board with a very rich technical program and several demonstrations, resulting in in-depth discussions and highly valuable feedback. Overal results were reported as solid, and the project as healthy and showing good progress. Recommendations from external advisors have notably been into account in further deliverables (e.g., D6.3)."

Progress beyond the state of the art and expected potential impact (including the socio-economic impact and the wider societal implications of the project so far)

The SUPERCLOUD computing virtualization architecture enables successful flexible but efficient user-centric trade-offs, both in terms of interoperability and security for the multi-cloud, while still guaranteeing automation, unlike many distributed virtualization and protection automation techniques existing today. SUPERCLOUD also enables user-centric data encryption unlike current cloud-based data storage solutions. It also provides dependability guarantees across multiple administrative domains, and through open protocols, unlike replications solutions proposed by major IaaS providers. Finally, thanks to SDN-based network virtualization, SUPERCLOUD provide tenants freedom to create virtual networks with customized topologies and addressing schemes spanning multiple datacenters while guaranteeing the required level of isolation. Such networks may belong to distinct cloud providers, while including private facilities owned by the tenant, unlike current solutions targeting datacenters of single cloud providers with full control over the infrastructure.
Several markets are particularly relevant for SUPERCLOUD technology: healthcare, to improve existing cloud-based services and launch new products; blockchain, target of strategic investments of key SUPERCLOUD partners across many business cases supported by a major open source project (e.g. Hyperledger); cloud brokerage, providers grouping together into small user-centric market places leveraging SUPERCLOUD technology, the open source approach being key for widening technology acceptance; and SDN for multi-clouds, providing unique exploitation opportunities for finer decisions to place virtual machines, avoiding single points of failure, and decreasing costs.
Thus, SUPERCLOUD will allow the creation of a secure multi-cloud execution environment, enhancing current cloud computing with innovative technologies and services, creating new business opportunities for partners along several verticals of the multi-cloud ecosystem.

Related information

Record Number: 192926 / Last updated on: 2016-12-15
Follow us on: RSS Facebook Twitter YouTube Managed by the EU Publications Office Top