Skip to main content



Reporting period: 2015-02-01 to 2016-07-31

Distributed cloud computing raises many security and dependability concerns, due to increase in complexity and lack of interoperability between heterogeneous, often proprietary infrastructure technologies.
SUPERCLOUD will build a security management architecture and infrastructure for secure and dependable cloud of clouds that are: user-centric for customers to define their own protection requirements and avoid provider lock-ins, and self-managed to reduce administration complexity through automation.
Key expected results include: (1) a security supervision infrastructure for multi-clouds; (2) a data security and storage infrastructure; (3) a secure virtualized network infrastructure. Developed technology will be validated through demonstrators from the healthcare domain: (1) a healthcare Laboratory Information System; (2) a cloud-based image processing and storage platform.
"The period started by defining the architecture of SUPERCLOUD Core Technology. Three sub-architectures for secure computation, data management, and networking were defined, with cross-cutting security self-management. Specifications were published for: the overall architecture (D1.1); sub-architectures (D2.1 D3.1 D4.1) and self-management (D1.2) – enabling to pass successfully the Architecture Specification Milestone (M10). A paper on the SUPERCLOUD vision was accepted for publication in a Special Issue of IEEE Cloud Computing on Cloud Security.
In parallel, SUPERCLOUD use cases and requirements were specified (D5.1) focusing mainly on healthcare, but also addressing other verticals (e.g. smart home). A SUPERCLOUD testbed was also started to be deployed. Preliminary analysis of some foreseen SUPERCLOUD ecosystems showed their viability, such results being encouraging for market adoption of SUPERCLOUD technology. Implementation of SUPERCLOUD components then started through a set of prototypes.
The computing infrastructure includes a distributed virtualization infrastructure and a security self-management infrastructure. A horizontal (multi-provider) and vertical (cross-layer) user-centric virtualization architecture and infrastructure combining flexible security control and interoperability were proposed through an orchestration framework named ORBITS to run distributed user-centric clouds (U-Clouds) over multiple Open Stacks, security services being ""weaved"" under user control, and through a cross-layer U-Cloud prototype running nested VMs over Xen using the NOVA micro-hypervisor. Among hardware security mechanisms, Intel SGX was also chosen as focal technology for VM isolation and trusted execution of services, with extensions for managing of chains of trust.
For self-management of security, components have been proposed for multi-provider policy modelling and enforcement, with features such as user security requirement specification, provider selection, and SLA negotiation, or cross-layer and provider autonomic security monitoring. An integrated proof-of-concept prototype of the security self-management infrastructure has been developed around an availability use case, based on OrBAC policies and enforcement by a Floodlight SDN controller. For compliance checking, a component called CCTV was proposed for automating configuration of VMs and analyze configuration changes. Different levels of access control policies were also enforced, such as usage-control, authorization (e.g. for NFV through a framework called Moon), or at application-level (e.g. geo-location-aware data isolation). A user-centric solution for multi-cloud fault-tolerance for compute services was also developed to manage different types of failures.
The data management infrastructure ensures several data protection requirements from use cases can be fulfilled. Dependability is based on Byzantine fault tolerance and blockchain techniques, with proposition of XFT, a novel resilience model decoupling Byzantine from network faults. The Hyperledger state machine replication fabric was open sourced by IBM in M13 to serve as blockchain substrate for the SUPERCLOUD multi-cloud dependability solution.
Specific modules related to security-enabling data management features and dependable multi-cloud storage have been defined and are under development to be integrated within a Data Access Proxy supporting OpenStack Swift interfaces. Secure data sharing results include a prototype to store, share and deduplicate consistently sensitive data in a multi-cloud system, using well-controlled cryptographic tools (e.g. proxy re-encryption, attribute-based encryption). Regarding privacy, several techniques (multi-party computation, homomorphic encryption, differential privacy) have been explored for verifiability of systems computing statistics on medical data coming from independent hospitals, while protecting privacy, not giving all knowledge to a single entity. A cor"
The SUPERCLOUD computing virtualization architecture enables successful flexible but efficient user-centric trade-offs, both in terms of interoperability and security for the multi-cloud, while still guaranteeing automation, unlike many distributed virtualization and protection automation techniques existing today. SUPERCLOUD also enables user-centric data encryption unlike current cloud-based data storage solutions. It also provides dependability guarantees across multiple administrative domains, and through open protocols, unlike replications solutions proposed by major IaaS providers. Finally, thanks to SDN-based network virtualization, SUPERCLOUD provide tenants freedom to create virtual networks with customized topologies and addressing schemes spanning multiple datacenters while guaranteeing the required level of isolation. Such networks may belong to distinct cloud providers, while including private facilities owned by the tenant, unlike current solutions targeting datacenters of single cloud providers with full control over the infrastructure.
Several markets are particularly relevant for SUPERCLOUD technology: healthcare, to improve existing cloud-based services and launch new products; blockchain, target of strategic investments of key SUPERCLOUD partners across many business cases supported by a major open source project (e.g. Hyperledger); cloud brokerage, providers grouping together into small user-centric market places leveraging SUPERCLOUD technology, the open source approach being key for widening technology acceptance; and SDN for multi-clouds, providing unique exploitation opportunities for finer decisions to place virtual machines, avoiding single points of failure, and decreasing costs.
Thus, SUPERCLOUD will allow the creation of a secure multi-cloud execution environment, enhancing current cloud computing with innovative technologies and services, creating new business opportunities for partners along several verticals of the multi-cloud ecosystem.