Teaser, summary, work performed and final results

Periodic Reporting for period 1 - RESTASSURED (Secure Data Processing in the Cloud)

Summary

Secure cloud computing is key for business success and end-user adoption of cloud services, and thus essential to stimulate the growth of the European Digital Single Market. Yet for many business sectors, the idea of hosting sensitive business or personal data on a public cloud raises concerns over the security and privacy of the data. While encryption techniques can protect the transfer of data to and from the cloud ("data-in-motion") as well as data stored on the cloud ("data-at-rest"), operating on this data requires decryption, leaving data-in-use in computer memory exposed to security breaches. Additionally, the EU's General Data Protection Regulation, which became effective on May 25, 2018, brings additional requirements to data retention within the cloud.

RestAssured's goal is to enable the free and seamless movement of data within the EU, while assuring conformance to data protection regulations, as well as offering data security and privacy across the whole life cycle of the data.

Work performed

WP3: Architecture, Platform & Methodology
WP3 focused on three topics in this reporting period:
1) The RestAssured architecture. UDE led the activities to design an overall, end-to-end architecture for RestAssured. To this end, deliverable D3.1 first identified several complementary architectural views (data flow view, risk analysis view, adaptation view, component view) to capture the different concerns of importance to RestAssured.
2) UDE set up and maintains a testbed consisting of six SGX-enabled computers. The testbed is actively used by the partners as a joint development, integration, and testing platform.
3) An overall RestAssured methodology was defined for meeting data protection requirements, including those imposed by GDPR. This includes risk evaluation, using the tools and methodology developed for that purpose in WP7.

WP4 Secured Cloud Data Processing and Execution Environments
WP4, led by IBM, aims to deliver end-to-end cloud architectures and methodologies for assuring secure data processing in the cloud.
IBM built a trusted analytic platform based on a combination of hardware and software components. The platform uses the Intel SGX (Software Guard Extensions) technology.

Apache Spark SQL is the analytic engine of the RestAssured platform. The Opaque open source technology from the Berkeley RISELab integrates Spark SQL with Intel SGX hardware and offers data protection by running SQL transformations inside trusted enclaves. IBM has experimented with Opaque, identified key gaps and limitations, and has worked to resolve them and augment Opaque with key mechanisms for secure data processing in SGX enclaves by integrating Opaque with the RestAssured trust management framework. In addition, IBM designed and developed a component that serves as a gateway between RestAssured use case applications and Opaque clusters.

IBM has contributed some of this work to open source projects, including contributions to Opaque and open sourcing the Trust Management Framework.

WP5 Run-Time Data Protection Assurance
The work in WP5 focused on the detection of data protection violations at run time and how this can be supported by run-time models. A run-time model-based approach for the detection of data protection violations in cloud systems was developed. The approach is based on two types of artifacts: a run-time model of the cloud system and a set of so-called risk patterns. Graph pattern matching techniques were proposed to detect the existence of risk patterns in the run-time model of the cloud system during deployment or at run time.

A meta-model for the run-time model of cloud systems was devised. The results were published in multiple scientific publications authored by UDE.
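The detection approach described above (a run-time model of the cloud system plus graph pattern matching for risk patterns) is illustrated below with an added example. It is not RestAssured or UDE code; the model, the attributes and the single "personal data processed outside an enclave" risk pattern are constructed for illustration and do not reflect the project's actual meta-model.

```python
"""Constructed illustration of risk-pattern matching over a run-time model."""

# Constructed run-time model: nodes carry a type and attributes,
# edges are directed data flows between nodes.
MODEL_NODES = {
    "patients": {"type": "Data", "sensitivity": "personal"},
    "weather": {"type": "Data", "sensitivity": "public"},
    "spark_enclave": {"type": "Processing", "enclave": True},
    "legacy_vm": {"type": "Processing", "enclave": False},
}
MODEL_EDGES = [
    ("patients", "spark_enclave"),  # protected: processed inside an SGX enclave
    ("patients", "legacy_vm"),      # risk: personal data processed in plain memory
    ("weather", "legacy_vm"),       # public data, no concern
]

# Hypothetical risk pattern: personal data flowing into a processing node
# that is not an enclave. Pattern nodes are variables bound during matching.
RISK_PATTERN = {
    "nodes": {
        "d": lambda n: n["type"] == "Data" and n.get("sensitivity") == "personal",
        "p": lambda n: n["type"] == "Processing" and not n.get("enclave", False),
    },
    "edges": [("d", "p")],
}

def match_pattern(pattern, nodes, edges):
    """Return every binding of pattern variables to model nodes for which all
    node predicates hold and every pattern edge exists in the model."""
    variables = list(pattern["nodes"])
    edge_set = set(edges)
    matches = []

    def extend(binding):  # backtracking over injective variable assignments
        if len(binding) == len(variables):
            if all((binding[a], binding[b]) in edge_set for a, b in pattern["edges"]):
                matches.append(dict(binding))
            return
        var = variables[len(binding)]
        for name, attrs in nodes.items():
            if name not in binding.values() and pattern["nodes"][var](attrs):
                binding[var] = name
                extend(binding)
                del binding[var]

    extend({})
    return matches

def detect_violations():
    """Run the risk pattern against the constructed model; one match expected."""
    return match_pattern(RISK_PATTERN, MODEL_NODES, MODEL_EDGES)

if __name__ == "__main__":
    for m in detect_violations():
        print(f"risk: {m['d']} flows to non-enclave node {m['p']}")
```

Re-running the matcher after each adaptation of the system (a new deployment edge, a node losing its enclave property) is what turns this into a run-time check rather than a one-off design-time review.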

WP6 Decentralized Data Lifecycle Management
The activities of WP6 in the first period focused on two items: the definition of a methodology for data lifecycle security management in a decentralized cloud environment, and the specification of the architecture of the Gatekeeper, the data protection framework that manages the data protection policies and the services governing the data life cycle according to the defined methodology.

WP7 Engineering for Run-Time Data Protection
A methodology was devised for incorporating risk assessment into an overall security-and-privacy-by-design approach. This is based on design-time system modeling and risk analysis supported by RestAssured models and tools, yielding models that can be used at run time to evaluate risks from system adaptations. Models and tools were developed to capture the structure of cloud-based systems at the required levels.

WP8 Use Cases and End-User Validation
WP8 focuses on end-user validation through a series of diverse use cases that each exhibit their own unique data protection concerns. WP8 leverages the work developed by the technical work packages and applies it in a range of real-world use cases, while also providing the means by which evolving end-user requirements ca

Final results

RestAssured is going beyond the state of the art through its integration of multiple disparate components, the totality of which presents a unique holistic solution to protecting data in the cloud. RestAssured's creation and open sourcing of TRuCE opens up the use of SGX hardware to a wider range of programmers. Its work on risk management and run-time data protection is able to take secure enclaves into account in its modeling, which goes beyond the capability of any such efforts done in the past.

RestAssured will continue to add breadth to its components, examining such concepts as emerging secure enclave technologies and the implications of running large third-party applications inside enclaves, extending the work on adaptation, risk identification and monitoring, and auditability and compliance of a running RestAssured system with defined sticky policies.

As a research initiative, RestAssured is expected to present a blueprint to others in the industry on how to create a far more secure cloud ecosystem. This, in turn, can lead to higher confidence amongst data providers to not only host their data on the cloud, but to securely share it with authorized third parties, while respecting data subject privacy requirements.

Website & more info

More info: https://restassuredh2020.eu/.