Periodic Reporting for period 2 - RESTASSURED (Secure Data Processing in the Cloud)

Reporting period: 2018-07-01 to 2019-12-31

Summary of the context and overall objectives of the project

Secure cloud computing is key for business success and end-user adoption of cloud services, and thus essential to stimulate the growth of the European Digital Single Market. Yet for many business sectors, the idea of hosting sensitive business or personal data on a public cloud raises concerns over the security and privacy of the data; while encryption techniques can protect the transfer of data to and from the cloud ("data-in-motion") as well as data stored on the cloud ("data-at-rest"), operating on this data requires decryption, leaving data-in-use in computer memory exposed to security breaches. Additionally, the EU's General Data Protection Regulation, which became effective on May 25, 2018, brings additional requirements to data retention within the cloud.

RestAssured's goal is to enable the free and seamless movement of data within the EU, while assuring conformance to data protection regulations, as well as offering data security and privacy across the whole life cycle of the data.

Work performed from the beginning of the project to the end of the period covered by the report and main results achieved so far

WP3: Architecture, Platform and Methodology

WP3 provided the overall project architecture, as well as a physical hardware test bed for code development and integration.

WP 4 Secure Cloud Data Processing and Execution Environment

This WP examined establishing hardware enclaves using hardware with Intel's SGX technology and identified ease-of-use challenges and gaps that prevented adoption of the technology in a Cloud environment. Micro-benchmarking was performed.
Additionally, IBM collaborated with the Berkeley RISE lab on the development of Opaque, an implementation of Apache Spark SQL on top of SGX hardware. In the second half of the project, this task examined using AMD SEV technology for secure hardware enclaves.

This WP led the development of what became the official standard for Modular Parquet Encryption, which has been accepted by the Apache community. Additionally, IBM developed a reference version of code which runs Parquet encryption integrated into the Hadoop environment. Advanced features such as the prevention of tampering with encrypted files were also developed. IBM incorporated this work in its Cloud-based Analytics Engine offering.

WP5: Run-Time Data Protection Assurance

WP 5 delivers novel monitoring and adaptation solutions for detecting and mitigating violations of data protection policies in the cloud. In the first half of the project, the focus was on the detection of data protection violations, and in the second half of the project, on adaptation.

Task 5.1: Runtime Engine for Detecting Data Protection Policy Violations

In Task 5.1 UDE devised a novel model-based approach for detecting cloud configurations with an unacceptably high risk of data protection violation.

Task 5.2: Runtime Engine for Restoring Data Protection Policy Compliance

We devised an approach for data-protection-aware adaptations in cloud systems. In this approach, the run-time model of the cloud system is continually analyzed using the methods from Task 5.1 to detect if the cloud configuration is associated with unacceptably high data protection risks.

Task 5.3: Models@Runtime as a "Shared Knowledge Base"

At first, a proprietary meta-model for data protection in the cloud was introduced in D5.1. Later, the meta-model was re-engineered to make it conform to the TOSCA standard.
WP6 Decentralized Data Lifecycle Management

Task 6.1 Methodology for Data Lifecycle Management

In accordance with the work plan, the work in WP6, which was led by Thales, focused on the methodology for Data Lifecycle Management. In Period 2, the progress of this task mainly focused on the revision of the secure data lifecycle phases and processes. The runtime phases that were not covered in Period 1 were also developed by integrating the context-based approach, namely the compliance checking and the change management and adaptation process.

WP 7 Engineering for Run-Time Data Protection Summary

Task 7.1 Security and Privacy by Design Methodology

In the first half of the project, a methodology was devised for incorporating risk assessment into an overall security and privacy by design approach.

Task 7.2 Security and Privacy Threat Identification Tools

Models were developed to capture the structure of cloud-based systems at the required levels. At the highest level, we have extended the CSAP approach from UDE by developing patterns suited to cloud-based systems. The enhanced SSM tool is now the subject of a commercialisation activity supported by the UK government.

Task 7.3 Security and Privacy Threat Mitigation Tools

During the first half of the project, the main focus was to improve the coverage of basic cyber security threats and the commonly used countermeasures such as firewall user authentication and access control, firewall restrictions, software patching and security testing, etc.
In the second period, these threat mitigation models were extended to capture measures introduced by the RestAssured project, such as the use of secure enclaves.

WP 8 Use Cases and end-user validation

Task 8.1 Validation planning, analysis and evaluation

Implementation and Execution of “Self-directed Social Care” Use Case

In the first half of the project OCC produced SCANT (Social Care Analysis of Needs Tool) to assist local authorities in identifying unmet social care needs, whilst also preserving the privacy of the potentially vulnerable Ami users (volunteers and clients).

Implementation and Execution of “Pay as You Go Insurance” Use Case

In the first half of the project, Adaptant implemented a simple Pay-As-You-Drive system on top of the RestAssured v1 architecture. In the second half of the project, this use case was extended to look at the introduction of further-restricted sensitive data (in this case, biometric data) in which the handling of the data is subject to varying requirements as the vehicle moves between countries.

WP 9 Impact

This work package was responsible for the communication and dissemination of the project results and establishing a strong presence in the research community through both offline and online channels. The acceptance of 30 papers for publication in scientific journals and conferences plus several publications for the general audience in both magazines and online blogs further highlights the major focus for dissemination activities in this area.

Additional dissemination was achieved through attendance of workshops and collaboration meetings such as the RestAssured representation in the DPSP (Data Protection, Security and Privacy in cloud) cluster. Furthermore, the RestAssured project coordinated a cluster of projects to complete the CDB (Common Dissemination Booster).

This work package resulted in the creation and subsequent dissemination of the RestAssured Handbook (D9.6 Final RestAssured Handbook 1) as part of the project dissemination strategy.
Progress beyond the state of the art and expected potential impact (including the socio-economic impact and the wider societal implications of the project so far)

Technical conclusions

RestAssured progressed the state of the art both through its scientific publications and through its technical work. The work on the Parquet encryption standard was started in mid-2017 in RestAssured as a result of IBM's work on SGX and Opaque. Encryption of Parquet data followed as a result of an understanding of the requirements of the RestAssured use cases. The adoption of the Parquet encryption format as a standard by the Apache Parquet community is a major project achievement.