Enforceable Security in the Cloud to Uphold Data Ownership

Cloud computing is increasingly a necessary strategical ICT infrastructure component for European companies to successfully compete in the world-wide economy. Unfortunately, the convenience of using Cloud services comes at the price of the data owners losing control over their own data. This situation has a strong detrimental impact on the adoption and acceptability of cloud services. ESCUDO-CLOUD aims to address this problem and provide enforceable security to uphold data ownership. Empowering data owners as first-class citizens of the cloud, ESCUDO-CLOUD allows data owners to maintain control over their data when relying on Cloud Service Providers (CSPs) for data storage, processing, and management.

The practical objectives of ESCUDO-CLOUD are as follows.

Objective 1 - Rich support of requirements: reaching out to a large community of CSPs and users, considering requirements from large storage and service providers as well as from small companies and data owners, producing comprehensive solutions with actual deployment in real operational environments.

Objective 2 - Self-protection of data: providing protection of data at rest, key-management solutions, efficient and effective private data retrieval, and considering a variety of threats.

Objective 3 - Secure information sharing: considering enforcement of access restrictions demanded by data owners, ensuring integrity of data in presence of multiple writers, supporting queries involving data from different authorities.

Objective 4 - Multi cloud and federated cloud: offering security metrics and solutions allowing owners to reason about and assess trust in different providers, leveraging multiple providers for security, and operating in federated environments characterized by the presence of multiple CSPs.

Objective 5 - Effective exploitation: considering in real operational environments, and enabling effective realization of data ownership in the cloud with actual impact.


ESCUDO-CLOUD has met all the objectives above by considering use cases providing rich and comprehensive requirements corresponding to real problems and market strategies of main stakeholders.

The project has advanced state of the art and produced innovations on all the planned objectives.

Objective 1 - Rich support of requirements. The project has considered four use cases, corresponding to real-world problems of the industrial/SME partners. Thanks to the richness and complementarity of the use cases, the project has provided a comprehensive list of requirements to be addressed in different cloud-based scenarios. The requirement analysis covers different aspects of the problem of ensuring effective protection to data in the cloud, from basic storage, to fine-grained retrieval, controlled sharing, and federated contexts.

Objective 2 - Self-protection of data. The project has produced novel solutions for providing self-protection for data, hence empowering owners with effective control on their resources. These solutions have been realized in cloud platforms and some have also been made available open source. The solutions included advanced approaches for key management, fork-consistency, fine-grained retrieval and query execution on encrypted data.

Objective 3 - Secure information sharing. The project has developed novel solutions for enabling data owners to effectively regulate access to their data, even when such data are not under their direct control. ESCUDO-CLOUD new technology enables selective and controlled information sharing, among users as well as among data authorities/providers involved in collaborative distributed computations. In the context of distributed query processing, the project has also developed novel probabilistic techniques for enabling data owners to assess the integrity of the result of queries performed by possibly untrusted providers.

Objective 4 - Multi cloud and federated cloud. The project has investigated multi-cloud and federated cloud scenarios, developing approaches to support users in the definition of requirements and in the identification of suitable services. The project has also developed an innovative solution in the form of Data Protection as a Service (DPaaS) framework, allowing data owners to store and control the access to their data in a multi-cloud environment.

Objective 5 - Effective exploitation. Thank you to the participation of industrial partners representing first-class players in the cloud scenarios, and to the use cases provided by them, the technological solutions developed in the project have seen direct exploitation, and their exploitation will continue after the end of the project. IBM data-at-rest protection and key management have contributed to the OpenStack open-source distribution, and some of the technologies are already included in the current stable released; SAP has developed technology suitable for use in the company's HANA database; BT DPaaS framework is part of the portfolio of services offered to BT’s customers; WT and EMC has employed custom solutions tailored to the need of the companies. In addition, also solutions developed by academic partners have been made available open-source to the wide research and development community, enabling others to build on the project results.

ESCUDO-CLOUD has designed and developed novel technological approaches to advance the state-of-the-art, producing effective and deployable solutions, allowing data owners to maintain control over their data. ESCUDO-CLOUD provides impact by: i) increasing the quality of user experience and trust in clouds, ii) demonstrating the developed solutions in federated and multi cloud scenarios, iii) increasing innovation opportunities for service providers, iv) demonstrating the advantage of developed solutions through appropriate use cases.

In addition to the impact given by the direct exploitation and deployment of ESCUDO-CLOUD solutions by industrial partners and SME, ESCUDO-CLOUD has also achieved impact through several dissemination, communication, and exploitation-enabling activities. ESCUDO-CLOUD has also participated in the Cluster on "Data Protection, Security and Privacy (DPSP) in the Cloud," and is part of a portfolio of offers for trusted and secure services from Unit E2 projects.

The availability of the techniques supporting data ownership developed in ESCUDO-CLOUD can be beneficial for both data owners and CSPs. Data owners can give more trust to the CSPs and use their services for a wider range of applications, possibly moving most of their resources to the cloud. CSPs significantly benefit, in addition to the increased market penetration that robust data ownership would provide, from reduced regulatory risks, audit costs, and general security threats that they would have to face in the absence of such protection. Freeing providers from the worries of protecting data, allows them to even handle the data outside their own control. For instance, it would enable a provider itself to rely on other services for outsourcing storage and computation, behaving as a broker providing a virtualized cloud service, without worrying about the possible improper exposure of user information, which is guaranteed to be self-protected.