A Holistic Data Privacy and Security by Design Platform-as-a-Service Framework Introducing Distributed Encrypted Persistence in Cloud-based Applications

Periodic Reporting for period 2 - PaaSword (A Holistic Data Privacy and Security by Design Platform-as-a-Service Framework Introducing Distributed Encrypted Persistence in Cloud-based Applications)

Reporting period: 2016-07-01 to 2017-12-31

Despite its compelling benefits, only a few enterprises make use of cloud computing; security and data privacy concerns impede its wide adoption. The EU research and innovation project PaaSword addresses these challenges by developing a holistic security and privacy preserving framework.

Context, Motivation and Challenge:
Current cloud applications and storage volumes often leave information at risk of theft, unauthorized exposure or malicious manipulation, so the benefits of cloud computing remain underexploited by many businesses and individuals. To unlock these benefits, security and data privacy concerns, the main barriers to cloud adoption, must be addressed effectively and holistically. PaaSword aims to strengthen the trust of individuals and corporate customers in cloud services, and so to increase the adoption rate of cloud-based solutions, by securing the most critical target: the data persistence layer and the database itself. The focus is on safeguarding both corporate and personal data in cloud infrastructures and storage services. The project addresses the major data security challenges identified by the Cloud Security Alliance and provides essential knowledge to organisations that wish to migrate to the cloud securely.

PaaSword introduces a holistic data privacy and security by design framework whose main aim is to protect users' sensitive data stored in the cloud. The framework is based on a searchable encryption scheme enhanced with context-aware access control mechanisms. An innovative approach to key management maximises customers' control over their data. PaaSword extends the Cloud Security Alliance's cloud security principles by capitalising on recent innovations in virtual database middleware technologies, introducing a scalable secure cloud database abstraction layer with data distribution and encryption methods.
Enterprise security governance in cloud environments is supported by a novel approach to context-aware access control, in which dynamically changing contextual information is incorporated into access control policies, yielding context-dependent access rights to data stored in the cloud. Finally, PaaSword supports developers of cloud applications through code annotation techniques that allow them to specify the appropriate level of protection for the application's data.
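As an added illustration, and not PaaSword's own code or API, the following self-contained Python sketch shows how the three ideas above fit together: randomised field-level encryption under keys held by the customer, an HMAC blind index that lets the store answer equality queries over encrypted columns (a simple form of searchable encryption), and a context-aware policy that decides per field and per request whether the abstraction layer may decrypt. The FIELD_LEVEL table stands in for the per-field code annotations; the roles, network labels and working-hours rule are invented for the example, and the HMAC-in-counter-mode cipher is a demonstration primitive that a deployment would replace with an AEAD such as AES-GCM from a vetted library.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Two independent keys held by the tenant, never by the cloud store.
# Generated fresh for this example only.
ENC_KEY = secrets.token_bytes(32)
IDX_KEY = secrets.token_bytes(32)

# Protection level per field; stands in for the code annotations a developer
# would attach to a data access object (hypothetical field names and levels).
FIELD_LEVEL = {"patient_id": "public", "email": "confidential", "diagnosis": "restricted"}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode built from HMAC-SHA256. Demonstration primitive only;
    a real deployment would use an AEAD such as AES-GCM."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def encrypt_field(value: str) -> bytes:
    """Randomised encryption: the same value yields a different blob each call."""
    pt = value.encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(ENC_KEY, nonce, len(pt))))
    tag = hmac.new(ENC_KEY, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt_field(blob: bytes) -> str:
    """Verify the tag before touching the ciphertext; reject tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(ENC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ENC_KEY, nonce, len(ct)))).decode()


def blind_index(value: str) -> str:
    """Deterministic keyed digest stored beside the ciphertext, so the store can
    match equality queries without ever seeing the plaintext."""
    return hmac.new(IDX_KEY, value.strip().lower().encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Context:
    role: str
    network: str  # "corp-net" or "internet" (invented labels)
    hour: int     # local hour, 0..23


def decide(level: str, ctx: Context) -> bool:
    """Context-aware policy: the same subject gets different rights as context changes."""
    if level == "public":
        return True
    if level == "confidential":
        return ctx.role in {"physician", "clerk"}
    if level == "restricted":
        return ctx.role == "physician" and ctx.network == "corp-net" and 8 <= ctx.hour < 18
    return False


class EncryptedStore:
    """Stand-in for the secure database abstraction layer: rows hold only
    ciphertexts and blind indexes; decryption happens only after a PERMIT."""

    def __init__(self) -> None:
        self.rows: list[dict] = []

    def insert(self, record: dict) -> None:
        row = {}
        for name, value in record.items():
            if FIELD_LEVEL[name] == "public":
                row[name] = value
            else:
                row[name] = encrypt_field(value)
                row[name + "_idx"] = blind_index(value)
        self.rows.append(row)

    def find_by(self, name: str, value: str, ctx: Context) -> list[dict]:
        """Equality search (on a blind index for encrypted columns), then
        field-wise policy enforcement on every hit."""
        if FIELD_LEVEL[name] == "public":
            hits = [r for r in self.rows if r[name] == value]
        else:
            token = blind_index(value)
            hits = [r for r in self.rows if r.get(name + "_idx") == token]
        return [self._release(r, ctx) for r in hits]

    def _release(self, row: dict, ctx: Context) -> dict:
        out = {}
        for name, level in FIELD_LEVEL.items():
            if level == "public":
                out[name] = row[name]
            elif decide(level, ctx):
                out[name] = decrypt_field(row[name])
            else:
                out[name] = None  # DENY: ciphertext never leaves the layer
        return out


if __name__ == "__main__":
    store = EncryptedStore()
    store.insert({"patient_id": "p-001", "email": "Ann@Example.org", "diagnosis": "flu"})
    onsite = Context(role="physician", network="corp-net", hour=10)
    remote = Context(role="physician", network="internet", hour=10)
    print(store.find_by("email", "ann@example.org", onsite))  # diagnosis released
    print(store.find_by("email", "ann@example.org", remote))  # diagnosis withheld
```

Two points worth noticing: the index is normalised (trimmed, lower-cased) and deterministic, which is what makes equality search work, while the ciphertext itself is randomised, so two rows with the same e-mail do not produce equal ciphertexts; and the policy is evaluated at release time per field, so a physician who can read a diagnosis on the corporate network at 10:00 gets only the ciphertext-free placeholder for the same row from the Internet.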
The first project phase, the design phase (months M1-M12), saw the kick-off of WP 1 – WP 4 and WP 7 and the structuring of the main work environments, management structures and administrative templates in WP 8. The main focus of the project during the design phase was:
• The analysis of the state-of-the-art with respect to cloud storage security and techniques, context-awareness and security policies as well as the derivation of technical, non-technical and security requirements that will guide the development of PaaSword concepts, architecture and mechanisms;
• The definition of the PaaSword reference architecture describing the main components and the conceptual interaction between them as well as implementation guidelines on how interested parties can build their own PaaSword-enabled services by creating variations that will better fit their specific needs;
• The definition of security use cases describing the implementation scenarios within the pilots as well as the definition of acceptance criteria for the validation of the mechanisms to be developed;
• The development of a model for semantically describing associations between types of access depending on the data objects and (contextual) circumstances under which this access should be granted or denied;
• The description of ontology-based access control policies taking into account all the relevant contextual attributes pertaining to the data objects, the entities trying to access them and the operations they wish to perform.

The second project phase, the development and integration phase (months M13-M27), covered mainly the research activities of WP3, WP4 and WP5, concerning the technical design, implementation and integration of all the mechanisms comprising the PaaSword framework, following a two-cycle development and integration approach:
• The final implementation of the mechanisms forming the PaaSword policy access, decision and enforcement middleware. This middleware annotates and manages data access object annotations, checks their validity, dynamically interprets them into policy enforcement rules and enforces those rules using asymmetric cryptography; it corresponds to WP3, “Policies Access, Decision and Enforcement Middleware”, with the results documented in Deliverable D3.2 Policies Enforcement Middleware Mechanisms – Final Release (M29);
• The final implementation of the distribution and encryption mechanism of PaaSword – with the results documented in Deliverable D4.3 Physical Distribution, Encryption and Query Middleware – Final Release (M27);
• The integration of the software components and mechanisms developed, in two iterations – with results documented in D5.2 PaaSword framework – Early release (M22) and D5.3 Final release (delivered in month M27).
The third phase of the project, the demonstration, evaluation and validation phase, included validation and impact creation activities, as part of WP6:
• Five distinct industrial pilots validating the PaaSword technical results and iteratively delivering feedback. The results are documented in the deliverables D6.2 Pilots implementation (M31) and D6.3 Validation results and performance evaluation (M37);
• Based on the experience gained from adopting the PaaSword toolset in the pilots, the PaaSword adoption methodology for potential adopters, documented in D6.4 PaaSword Methodology (M38);
• An adaptation of the Payback Framework to determine assessment criteria for the quality of the impact of these activities. The results are documented in D6.5 PaaSword Impact Assessment (delivered in month M38).
Finally, we are happy to report several successes with respect to dissemination and communication, as part of WP7. Examples include 18 research publications, contributions to 9 scientific events and 3 white papers.
PaaSword directly addresses one of the most critical issues in the security of cloud technologies. Its novel contribution rests on two main pillars: (i) the context-aware access control mechanisms and (ii) the transparent encryption and decryption database engine. Together they are intended to strengthen the trust of individuals and corporate customers in cloud applications and services. PaaSword is thus expected to enable European enterprises to unlock the business, economic and operational benefits of migrating to the cloud, to attract new groups of customers and so to generate significant economic growth and impact.
The EU General Data Protection Regulation, adopted on 27 April 2016, underlines the urgent need for solutions like PaaSword, which was validated in five industrial demonstrators.