A European Industrial Doctorate on Security and Trust of Next Generation Enterprise Information Systems

Final Report Summary - SECENTIS (A European Industrial Doctorate on Security and Trust of Next Generation Enterprise Information Systems)

SECENTIS is a European Industrial Doctorate on SECurity and Trust of Next Generation ENTerprise Information Systems. The security needs of organizations will grow and become more varied, ranging from the protection of their own resources to the protection of resources managed on behalf of end-users and customers. These needs are particularly pressing for vendors of Enterprise Information Systems and Process Management solutions because of the increasing demand for (a) control over business and customer data processed by a large number of diverse applications and (b) overall security of data and services outsourced to third-party providers, a demand driven by the growing adoption of cloud computing, mobile applications, and the Software-as-a-Service paradigm. Security solutions addressing these demands are crucial for the future of the digital economy in the EU (and more generally worldwide), since cyber attacks have profound societal and economic consequences: loss of reputation, fines, falling sales, and civil and criminal legal proceedings for the organizations whose data was stolen, together with financial hardship and significant stress for the affected individuals. Companies of all sizes, including major corporations, have experienced these consequences repeatedly, having been targeted in systematic acts of espionage and geopolitical retaliation, and hundreds of thousands (potentially millions) of individuals have been affected by the fallout of stolen data (such as credentials, credit card data, and health records) being misused.

The main goal of the SECENTIS project was to provide an innovative Doctoral-level training program that educates a new generation of security experts capable of tackling the scientific and technical challenges raised by cloud-based technologies and of managing the impact of these changes in industry. Concretely, the security solutions developed by the five selected Early Stage Researchers (ESRs) were expected to increase both the cyber-security readiness of companies and the awareness of not only experts but also society at large. To reach this ambitious goal, the SECENTIS training program was centered around the following five topics, with the aim of significantly advancing the state of the art in security solutions for the next generation of Enterprise Information Systems:

# | Topic | Objective
I | Risk-based Access Control | Define a Risk-Based Privacy-Aware Access Control framework for the selective disclosure of security-sensitive information, such as that contained in logs produced by enterprise information systems.
II | Security Policy Enforcement and Monitoring | Develop mechanisms that provide guarantees on the control of both the physical location (i.e. geolocation) and the logical location (i.e. compliance with data retention regulations) of data in cloud platforms.
III | Certification of Third-party Applications | Design techniques that give developers of cloud services and applications only the information relevant to fixing a bug, without overwhelming them with the many (often irrelevant) details of the context in which the bug was produced.
IV | Automatic Security Analysis of Business Processes | Develop a uniform approach to the automated synthesis of run-time monitors capable of enforcing authorization policies and constraints in business processes and web applications.
V | Automatic Analysis of Browser-based Security Protocols | Design and deploy techniques for the automated testing of multi-party web applications (such as Single Sign-On solutions and e-payment services) built on browser-based security protocols.

Besides developing the theoretical foundations on which to build the security solutions for their assigned goals, the five ESRs built Proof-of-Concepts (PoCs) to validate their ideas experimentally in industrial scenarios: a tool for risk-based access control (Topic I), mechanisms for data tracking in the cloud (Topic II), a systematic approach to identifying the sources of vulnerabilities in complex software systems that use Free and Open Source Software components (Topic III), techniques for the automated synthesis of monitors enforcing authorization policies and constraints in business processes and web applications (Topic IV), and an automated tool for black-box security testing of multi-party protocols (Topic V).

The results of the theoretical and experimental work of the five ESRs have been extensively published in high-quality international conferences and journals in Computer Security; two inventions have been patented (a patent application for a third invention has been filed and is currently under review); an extensive study of the geolocation of data in several cloud applications has been published; and several vulnerabilities have been discovered in widely used web services (such as Yahoo, Pinterest, PayPal, and LinkedIn). Some of these achievements have also received attention in the general-public media. More information about these and related results, with pointers to online resources, can be found on the project web site http://www.secentis.eu.

Besides the research, technical, and innovative contributions summarized above, one outcome of the SECENTIS programme, arguably the most important, is the transformation of the ESRs into security experts capable not only of mastering advanced security solutions but also of deploying them in industrial scenarios by striking the right balance between effectiveness and cost. This twofold capability has allowed all ESRs to find positions in European research centers and universities shortly after the completion of their ESR contracts. The mobility of the five ESRs is key to spreading the vision of the SECENTIS project across Europe and to exploiting its results to advance the competitiveness of the technological and business ecosystem of the European Union.

The information in this document is provided "as is," and no guarantee or warranty is given that the information is fit for any particular purpose. The above-referenced consortium members shall have no liability for damages of any kind, including without limitation direct, special, indirect, or consequential damages, that may result from the use of these materials, subject to any liability which is mandatory under applicable law. Copyright 2017 by FBK.