Community Research and Development Information Service - CORDIS

H2020

TREDISEC Report Summary

Project ID: 644412
Funded under: H2020-EU.2.1.1.

Periodic Reporting for period 1 - TREDISEC (Trust-aware, REliable and Distributed Information SEcurity in the Cloud.)

Reporting period: 2015-04-01 to 2016-09-30

Summary of the context and overall objectives of the project

Cloud computing services are increasingly being adopted by individuals and companies thanks to their various advantages such as high storage and computation capacities, reliability and low maintenance costs. Yet, data security and user privacy remain the major concern for cloud customers since by moving their data and their computing tasks into the cloud they inherently lend the control to cloud service providers. Therefore, customers nowadays call for end-to-end security solutions in order to retain full control over their data. Implementing existing end-to-end security solutions unfortunately cancels out the advantages of the cloud technology such as cost effective storage. For example, cloud storage providers constantly look for techniques aimed to maximize space savings. One of the most popular techniques adopted by many major providers to minimize redundant data is data deduplication. Unfortunately, deduplication and encryption are two conflicting technologies.
In TREDISEC, we aim at designing new security primitives that not only ensure data protection and user privacy but also maintain the cost effectiveness of cloud systems. With this goal, we first identified the functional requirements that are crucial to the cloud business and explore non-functional requirements such as storage efficiency and multi-tenancy. We further analysed the conflicts between these requirements and security needs in order to develop new solutions that address these shortcomings and enhance security.
In the TREDISEC project, we develop systems and techniques which make the cloud a secure and efficient heaven to store data. We plan to step away from a myriad of disconnected security protocols or cryptographic algorithms, and to converge on a unified framework that facilitates meeting these objectives to the higher possible extent. By doing so, TREDISEC aims at creating technology that will impact existing businesses and will generate new profitable business opportunities long after the project is concluded.

Work performed from the beginning of the project to the end of the period covered by the report and main results achieved so far

During this period, the activities performed can be structured along the following lines of work:
• Definition and execution of the project management procedures (quality, reporting, risk management, document/output storage and management, deliverable quality review, etc.), implementation of the management structure, guidelines and supporting tools to enable a seamless and fruitful collaboration among the consortium partners as described in the project handbook deliverable document released by June 2015 (M3), entitled “D1.1 Project Quality Assurance Plan”.
• Definition, consolidation and execution of the Innovation strategy agreed for the project, released in M3 as “D1.5 Innovation Strategy and Plan”. During this period, a continuous innovation monitoring has been done by the Innovation Director (from NEC) with the work-package leaders in relation to the identified key innovations of TREDISEC. The result was that, so far, there are no identified threats in the market to the expected TREDISEC innovations. The details of this monitoring activity, together with the alignment of the project architecture designs and developments to the current technological and market trends, will be released in November 2016 (M20) as “D1.6 Innovation management report“.
• Definition of a common project strategy for dissemination and communication of project advances and results, to set the base-line for individual partner’s activities, in order to reach the maximum impact possible. The strategy is accompanied with a plan that establishes a series of activities to promote the project along its entire duration, as well as a complete set of graphical material that supports these activities. The graphical material entails the project branding (i.e. logo, colour code, templates for documents, a poster and a promotional brochure/flyer); the project website (www.tredisec.eu) online since M2, is publicly accessible; social media accounts (i.e. dedicated LinkedIn group and twitter account); infographics ( within this period, one infographic has been made available through the website); and press releases and campaigns, to promote the project (some examples are the networking session at the ICT 2015 event and the SECODIC16 workshop which were co-organised and where there was a scheduled talks about the project research lines). The TREDISEC website is considered as the main point of contact from externals and as the first means for dissemination and communication of project advances and regular achievements (the website constitutes a deliverable and is described in the accompanying document “D7.1 TREDISEC public website”).
The communication and dissemination activities are grouped into phases, each one focusing on the promotion of certain aspects of the project, with customized key messages and targeting different type of audience (i.e. scientific, research, industry, citizens, public administration, policy-makers, etc.), making use of the most appropriate channel in each case. Implementation of the project strategy for dissemination and communication of project innovations and results defined in two deliverable documents “D7.2 Dissemination plan” and “D7.3 Communication strategy and plan” respectively, both released in September 2015 (M6). After the release, we have followed the above commented strategy for dissemination and communication that establish the base-line of the activities, at a consortium and individual partner’s level, for reaching the maximum impact possible. As a result of this activity, the report “D7.4 First Dissemination and Communication activities reporting” released in March 2016 (M12) collects all the activities developed within the 1st year of the project, using the selected means described in D7.2 and D7.3, and evaluates if the progress reached to achieve dissemination and communication goals is satisfactory.
• Consolidation of the technical work-packages devoted to the research, design and development of the security primitives. Each of these work-packages, namely WP3, WP4 and WP5, focus in analysing first the different conflicts that may arise, when trying to satisfy at the same time cloud functional requirements (e.g. efficiency, reduced costs) while providing security guarantees (e.g. confidentiality, integrity); and second, researching on different schemes and primitives that overcome those conflicts. During this period we continued working on the identification of the requirements for the different security primitives compiled into three deliverable documents released by M12, entitled “D3.1 Requirements and trade-off between verifiability and data reduction”, “D4.1 A Proposal for Access Control Models for Multitenancy” and “D5.1 Design of Provisioning Framework”. Additionally, we started the design phase that concluded with the initial design of some security primitives documented in two documents released by M18, entitled “D3.2 Specification and Preliminary Design of Verifiability mechanisms” and “D5.2 Optimization of outsourcing activities and initial design of privacy preserving data processing Primitives”. The delivery of those documents almost constitutes the achievement of the third project milestone: “MS3: Design of the security primitives and TREDISEC framework” that will be completed in M20 with the release of the final version of the TREDISEC architecture entitled “D2.4 Final architecture and design of the TREDISEC framework”.
• Description of the context scenarios and specification of the use cases that will be used to drive the technical developments and evaluate the project results. Four partners of the project (SAP, GRNET, ARSYS and MORPHO) described their context scenarios and use cases, which will be used in the project with two purposes: (i) to elicit a series of end-user requirements that will influence the design of the TREDISEC framework architecture and the security primitives developed in the technical work-packages (i.e. 3, 4 and 5); and (ii) to set up the context for the evaluation activities that will take place in the last year of the project in the context of WP6. The descriptions have been compiled into a deliverable document released by M6, entitled “D2.1 Description of the context scenarios and use cases definition”, which constitutes the achievement of the first project milestone: “MS1: Use cases and scenario context definition”. Definition of the architectural models and design of the TREDISEC framework, meeting the requirements resulting from Task 2.1 and supporting the technical characteristics of the security primitives defined in WP3, 4 and 5. The evaluation of the different architectural models together with the initial design of the TREDISEC framework in a deliverable document released in March 2016 (M12), entitled “D2.3 TREDISEC architecture and initial framework design”, which constitutes the achievement of the second project milestone: “MS2: Consolidated requirements and architectural models for TREDISEC”.
• Specification of the requirements for the TREDISEC framework and the security primitives. As indicated in the previous point, the use case scenarios propose a series of requirements for TREDISEC technical activities from the user point of view. Besides these, the actual technological challenges the project aims to face, that is the lack of practical solutions that enable combining efficiency and security aspects in current cloud solutions, are also a source of requirements for the TREDISEC developments. All these requirements are listed and a trade-off analysis is described in a deliverable document entitled “D2.2 Requirements analysis and consolidation”, released in M9.
• Outline a proposal of the models for integration and delivery of the TREDISEC framework, taking as a starting point the TREDISEC architecture defined in WP2 and released in March 2016 (M12), assessing different integration approaches, and taking into account the business models defined in WP7 that influenced the framework architecture, the implementation approach and operational model. Additionally, we also started the implementation activities required to deliver a framework for orchestrating the services and components developed in WP3, WP4 and WP5 for their operation in different cloud settings.
• Identification and design of three business models (taking into account different channels, end users, players and potential products) that will allow us to move all the innovation generated along the project towards the companies and organizations that will bring these results to the EU markets.

Progress beyond the state of the art and expected potential impact (including the socio-economic impact and the wider societal implications of the project so far)

End-to-end security comes at odds with current functionality offered by the cloud. Existing state of the art solutions completely give up one requirement for the other. End-to-end security aims to endow the users with full control over their outsourced data, but cloud service providers may not be able to efficiently process clients' data, nor may they be able to take full advantage of cost-effective storage solutions which rely on existing deduplication and compression mechanisms. This explains the reason for which, none of today’s cloud storage services provide security guarantees in their Service Level Agreements (SLAs), in spite of the plethora of cloud security solutions that populate the literature.
Another important point that should not be overlooked when designing security mechanisms for cloud systems is their integration into a single framework. Typically, a security primitive is devised for a single use-case and/or a specific application. Although such a design approach may reduce the complexity of the solution, it may lead to situations where security primitives are incompatible to the point that they cannot be implemented using the same interface or the same framework.
During this period, the TREDISEC consortium partners have been focusing in identifying the requirements and designing novel end-to-end security solutions for scenarios with conflicting functional and security requirements, using as bases the representative scenarios and use-cases defined by the end-user partners. In order to do that, state of the art mechanisms and solutions have been analysed thoroughly in technical work-packages (WP2, WP3, WP4 and WP5). In particular, some partners of the consortium have already achieved the following advances:
• devise new primitives to support data confidentiality and data deduplication, including the analysis of its compatibility with Proof of Ownership (PoW) mechanisms;
• actively analyse the state of the art with respect to searchable encryption, secure biometric computations, and possible parallel computation and migration mechanisms;
• describe mechanisms for an optimized storage of encrypted data based on the analysis of historical or anticipated SQL queries;
• conduct a thorough survey on the state of the art on verifiable storage, verifiable computation and verifiable ownership topics in order to identify the TREDISEC specific requirements;
• proposed a new security model for outsourced proof of retrievability and an initial design of proof of retrievability solution compatible with secure deduplication;
• propose a study on the possibility of applying verifiable computing techniques to biometric comparison; investigate approaches to vulnerability discovery and isolation in file systems that are used to provide storage for cloud services; proposed a novel mechanism which enables the emerging many-core processor architectures to provide secure isolation properties for cloud platforms and especially IaaS deployments.
The design of a framework which efficiently integrates the required security primitives, without incurring extra processing and storage cost at the cloud service providers or end-users, has been completed with the release of the TREDISEC architecture and initial version of the framework design (D2.3). The ultimate goal of the TREDISEC framework is to facilitate the lifecycle, integration and deployment of different security primitives into real cloud systems. Using these architectural models defined in D2.3, an assessment of the different models for integrating, testing and operating the security primitives inside the TREDISEC framework has been conducted in the context of WP6. Once the integration model has been clarified and agreed, the implementation activities of the TREDISEC framework have started which will conclude with the release of the framework by September 2017(M30).

Related information

Follow us on: RSS Facebook Twitter YouTube Managed by the EU Publications Office Top