PaaSword's main idea, technical architecture and scientific challenges
www.paasword.eu

Dr. Julia Vuong, Andreas Schoknecht

CAS Software AG, Karlsruhe Institute of Technology PANOPTESEC Workshop

September 08, 2015, Brussels

Agenda

Introduction/Motivation
  PaaSword in a Nutshell
  Consortium
  Goals
  Business Challenges

PaaSword Concepts Overview
  Basic Concepts

PaaSword Requirements Methodology
  Functional Requirements
  Security Requirements

PaaSword Architecture Overview
  PaaSword Policies

PaaSword Scientific Challenges
  Searchable Encryption
  Access Policies
  Insecure APIs

Conclusion

PaaSword 08/09/2015 2

INTRODUCTION


PaaSword in a Nutshell

A holistic framework that unlocks the business benefits of cloud computing by providing data privacy and security by design,

safeguarding both corporate and personal data in cloud infrastructures and storage services,

protecting the data persistence layer and the database itself as the most critical targets.

[Figure: a Developer publishes an application using the PaaSword API to a PaaS Provider; the database is hosted at a Trusted IaaS Provider and holds only encrypted data together with indexers built on the encrypted data; queries run through a Searchable Encryption Scheme. A User and an Adversary are shown outside the provider boundary.]

Consortium

[Slide shows the partner logos; legend: Industrial Partner / Scientific Partner]

Goals for PaaSword

Leverage the security and trust of Cloud infrastructures and services

Facilitate context-aware, ad-hoc decryption of and access to encrypted, physically distributed datasets stored in cloud infrastructures and services

Enable the engineering of data privacy and security by design Cloud services and applications

Ensure the protection, privacy and integrity of the data stored in Cloud infrastructures and services

Prove the applicability, usability, effectiveness and value of the PaaSword concepts, models and mechanisms in industrial, real-life Cloud infrastructures, services and applications

Use Cases & Business Challenges

The outcome of the PaaSword framework is demonstrated by means of five use cases situated in different application areas:

Secure Sensor Analytics for IoT applications

Cloud-based Multi-tenant CRM software

Encrypted Persistency included in PaaS/SaaS Services

Multi-tenant ERP Environments

Platform for Cross-border Document Exchange

Business challenges are derived from the analysis of the use cases.

Secure Sensors Data Fusion and Analytics (Siemens SRL)

Sensor middleware: a fine-grained ICT monitoring system for both static and mobile distributed critical infrastructures,

public utilities (PU) or supply chains (SC).

The system provides

reports that support the end-user in deciding whether to accept a shipment (SC) or a public service (PU), e.g. through QoS monitoring;

real-time alerts and early warnings that guarantee the quality of a provided service, i.e. enabling transporters (SC) and public service and safety providers (PU) to proactively avoid or minimize damage;

automatic control of operational states (i.e. storage and transport conditions for SC, distribution and scaling of public services for PU) in order to comply with product and service requirements.

Data is stored in a NoSQL storage engine because of its linear scaling; scaling is achieved through sharding.

Secure Sensors Data Fusion and Analytics

The resulting security framework should:

provide redundancy capabilities for the management, storage and processing systems in case of failures;

provide support for performing failure and forensic analysis on data-storage and processing components;

identify ways to detect and report security and system failures.


Protection of Personal Data in a Multi-Tenant CRM Environment

CAS Software AG

CRM software stores, links and processes huge amounts of personal and customer data as well as sensitive enterprise data.

This data is an attractive target, mainly for passive adversaries.

Another major threat is internal adversaries who have direct access to the unencrypted data of multiple tenants in the data center.

CRM software developers are mostly not security experts, yet they need to write security-aware code.

Data encryption needs to be included at the persistence layer.

The performance impact must be limited to the parts of the data that actually have to be protected.

Data is stored in relational databases.

Protection of Personal Data in a Multi-Tenant CRM Environment

The resulting security framework should

support security as a part of the application/data lifecycle management;

support tenant isolation in order to support the multi-tenant structure of a CRM solution, especially the “one DB per tenant” approach;

provide developer documentation and guidelines for security features in the platform in order to enable non-security experts to develop security-aware CRM software;

provide patch management for secure platform components;

provide secure key management;

support permissions based on the situation of the user.


Encrypted Persistency as PaaS/IaaS-Service-Pilot Implementation

SixSq

SlipStream, a cloud application management platform, facilitates management of the full cloud application lifecycle

Most cloud applications are n-tier web applications that need appropriate levels of security, privacy and confidentiality.

Developing the data protection infrastructure in line with ISO standards and EU data-handling requirements is time consuming and costly.

Encrypted Persistency as PaaS/IaaS-Service-Pilot Implementation

The security framework should

Produce components that can be parameterized and integrated with other application services (including external user authentication mechanisms);

Provide a complete set of components that can demonstrably meet the requirements of EU data protection legislation and similar regulatory requirements elsewhere in the world.

Protection of Sensitive Enterprise Information in Multi-Tenant ERP Environments

Singular Logic

Enterprise Resource Planning solution with single-tenant and multi-tenant scenarios relying on IaaS deployment schemes.

Exposure of data to third parties in a multi-tenant environment is one of the main risks.

Virtualized infrastructure carries the risk that one machine can monitor what its neighbours are doing.

Poorly implemented access management carries the risk that customer data is exposed to other users.

Protection of Sensitive Enterprise Information in Multi-Tenant ERP Environments

The resulting security framework should

Support searchable encryption of the database;

Support encryption/decryption through all steps of the application and data lifecycle;

Support tenant isolation in order to support the multi-tenant ERP solution, based on the “one DB per tenant” approach;

Not introduce excessive computational overhead;

Offer encryption at the data transport layer;

Provide extended developer documentation and guidelines for the security features so that they can be properly integrated into the existing solution;

Provide secure key management.

Intergovernmental Secure Document and Personal Data Exchange

Ubitech

The Intergovernmental Exchange Platform facilitates international co-operation in civil-status matters and enables the exchange of information between civil registrars.

The platform has to adhere to very high security standards for the generation and transmission of highly sensitive personal data, given that the transmission channel is the Internet, a totally hostile environment for sensitive data.

In the problem of end-to-end electronic exchange, one of the most vulnerable parts of the platform is the so-called Exchange Server, where the exchange (inbound/outbound) queues and routing databases reside.

Protection of the raw data that resides in the central database.

Intergovernmental Secure Document and Personal Data Exchange

The resulting security framework should

Produce components that assure, as far as possible, that exchanged data is secure from malicious users, whether external or internal, i.e. belonging to the ecosystem of the operational environment. This is crucial because these applications have complex operational environments.

Produce components that can apply security policies taking into account the specificities of cross-border exchange (e.g. restricting the interaction of users based on their location).

Produce components that are in line with the eIDAS regulation (electronic signatures, electronic seals, time stamps, electronic delivery services and website authentication) while at the same time contributing to seamless encryption of data.

Business Challenges

Encryption of distributed existing databases and their transaction logs

Context-driven policies for accessing the stored information

Object annotations modelling access rights for specific purposes, easily understood and defined by application developers, and a corresponding interpreter generating policy enforcement rules

Virtualization of data storage, i.e. SQL and NoSQL, realizing the appropriate query synthesis and decomposition (aposynthesis) capabilities

Key management mechanisms making key usage transparent to the cloud-based applications and services

Asymmetric encryption, enabling per-user encryption of the stored data and per-user definition of policies regarding that data

Walkthrough PaaSword

PaaSword provides an IDE-specific plug-in incorporating all PaaSword features the developer uses for an MVC-based application.

The developer creates annotations at the Data Access Objects referring to sensitive data that should be protected, according to the XACML-based Context-aware Policy Access Model.

PaaSword performs a validity check of the DAO annotations.

According to the DAO annotations, the application's persistence layer is distributed and the data encrypted.

Each query and processing request is forwarded by the enhanced Controller to the Query Handling mechanism.

Walkthrough PaaSword (continued)

The Policy Enforcement Mechanism grants or denies the incoming request access to the data, taking into account the user-defined access policies;

the Query Handling mechanism submits the enhanced query to the augmented persistence layer;

the Database Proxy registers the distributed query against the distributed and encrypted parts and federates the respective data from the distributed parts of the database;

the federated data is synthesized and decrypted ad hoc using the end-user's key, which is propagated transparently (to the application) to the Query Handling mechanism;

the decrypted data is delivered to the application controller, which forwards it to the end-user.

PAASWORD CONCEPTS

Overview of Basic Concepts

PaaSword Semantic Models

what is this artefact?

The PaaSword Semantic Models are a set of ontological models that conceptualize two things:

the possible encryption/decryption policies an application can use at runtime in order to protect specific columns in a database;

the possible policies that can be applied to the web endpoints of an application.

who is using it?

They are used, after their interpretation, in libraries.

who manages it?

A PaaSword Administrator is able to extend these models.

Typesafe Development Libraries

what is this artefact?

It is a set of Java annotation libraries (JSR-175 compliant) that give developers the ability to annotate specific parts of their code.

These parts include @Entity classes, @Path("/restendpoint") endpoints, etc.

Annotations drive specific 'business logic' at runtime.

who is using it?

A Cloud Application Developer during the development of an application that will be hosted in a PaaS environment

who manages it?

It is autogenerated by a Semantic Model Interpreter

PaaSword Application

what is this artefact?

Strictly speaking not an artefact of the project itself, but an application that uses the Typesafe Development Libraries.

who is using it?

Upon deployment in a JEE container the application is available to end-users.

who manages it?

The PaaSword Application is managed by a DevOps user, in the sense that this user performs all appropriate steps needed prior to deployment.

PaaSword-enabled Container

what is this artefact?

It is a JEE container that is able to interpret during runtime the (PaaSword) annotations that the developer has used.

A PaaSword-enabled container is able to

Interpret and implement encryption/decryption policies for specific columns of a database

handle policies that are declaratively defined

who is using it?

A DevOps user that is responsible for the operation of an application

who manages it?

The PaaS provider


Outsourced Database

what is this artefact?

It is a plain RDBMS engine that operates in a completely untrusted IaaS zone

who is using it?

The PaaSword-enabled application will use this RDBMS in order to host encrypted data

who manages it?

The IaaS provider


REQUIREMENTS

Requirements Methodology

Capturing requirements was a multi-step procedure.

Initially we distinguished between Functional Requirements and Security Requirements:

functional requirements affected the architecture and will affect the reference implementation;

security requirements affect the encryption/decryption policies and the key-management policies that will be developed.

Our end-users drove this procedure.

As a first step, all PaaSword stakeholders were identified.

Different Requirements per Role

[The following slides contain requirement tables that are not reproduced in the transcript: Different Requirements per Role; PaaSword Administrator's & Developer's F.R.; DevOps's & PaaS Provider's F.R.; Application User's F.R.]

Capturing Security Requirements

The core asset that has to be protected is the database

Following a risk-management methodology, we identified the Assets, Threats and Vulnerabilities that relate to the database.

Based on the identified threats, end-users raised their concrete security requirements.

These requirements were collected and ranked.

The ranking guides the reference implementation.

Security Requirements Meta-model

[Figure not reproduced in the transcript]

Ranking (PSw = PaaSword; one score per partner: CAS, UBI (Ubitech), SILO (Singular Logic), SixSq, SIE (Siemens); Ave = average)

Description | CAS | UBI | SILO | SixSq | SIE | Ave
PSw SHALL guarantee that the credentials of a user can be revoked without affecting the Transparent Data Encryption (TDE) scheme that is used at the database level | 9 | 10 | 9 | 9 | 9 | 9.2
PSw SHALL guarantee that the revocation of the credentials of one user does not affect the credentials or the TDE scheme of the other users | 9 | 10 | 9 | 9 | 9 | 9.2
PSw SHOULD use a key generation algorithm (for keys associated with users/roles) that guarantees that when a user key is compromised the rest of the keys need not be revoked | 9 | 10 | 9 | 9 | 9 | 9.2
PSw SHALL support symmetric TDE of sensitive data | 9 | 10 | 9 | 7 | 7 | 8.4
PSw SHALL be operational only if transport-level encryption is configured | 9 | 9 | 9 | 6 | 5 | 7.6
PSw SHOULD ensure that applications deployed in the Application Server are trusted, using a mature trust model | 8 | 7 | 8 | 8 | 9 | 7.6
PSw SHALL interact with its underlying persistence layer using an encrypted connection | 7 | 8 | 7 | 7 | 7 | 7.6
TDE SHOULD be supported on top of a monolithic database | 9 | 10 | 9 | 5 | 5 | 7.6

PAASWORD ARCHITECTURE

Overview of Architecture


PaaSword Central Administration

It is a centralized component that hosts the Semantic Models and the libraries that are autogenerated by these models. Its main sub-components include:

Semantic Model Management manages semantic artefacts

Design Time Library Management generates JSR-175 Annotation libraries

Runtime Library Management

generates runtime libraries that are deployed in the PaaS Container

PaaSword User Administration manages PaaSword users (i.e. ISVs that use the libraries)


Application Development Zone

PaaSword libraries can be used by the developers of ISVs in order to create PaaSword-enabled applications. Libraries can be extended using a specific methodology. Only one component belongs to this zone:

Trusted Deployment Generator: it injects the deployment archive with the proper certificates/configurations that are needed and signs the deployment archive.

PaaSword Execution Container

A JEE container that interprets the annotations at runtime and enforces all policies. Its main components include:

PaaSword Deployment Management, responsible for validating the deployment archive

Transparent Encryption & Decryption Mechanism, responsible for bootstrapping the database and handling TDE queries

Key Management Mechanism, responsible for performing key management operations

Security Policy Evaluation and Enforcement & Security Policy Management, responsible for handling the policies that are defined by annotations and possibly edited by the DevOps user

HTTP Request Interceptor, responsible for forwarding HTTP requests to the PaaSword handlers

Tenant Trusted Operational Zone

This is a special zone that belongs to the tenant and contains components that facilitate searchable encryption. The main components in this zone include:

Trusted Key Generator, responsible for generating and handling tenant keys

Re-encryption Proxy, which facilitates searchable encryption

PaaSword Policy 1 – Monolithic Installation

The encryption/decryption process is performed by the PaaS Container.

The encryption key is held in memory constantly.

The key is generated by the TKP and provided once during bootstrapping.

Advantages

Easy to implement.

No operational preconditions have to be fulfilled by the application provider.

Business logic can perform SCRUD operations transparently.

Disadvantages

No theoretical guarantee that the key cannot be obtained by a compromised container.

All of the database's data resides in one place, so brute-force attacks can be mounted once it is compromised.

The key is continuously stored in memory.

PaaSword Policy 2 – Monolithic Installation

The encryption and decryption process is performed by the PaaS Container.

In contrast to PaaSword Policy 1, the key is not held in memory constantly but re-synthesized on demand for every use of an entity.

The key is generated by the TKP, which is interconnected with the IDM.

Advantages

Business logic can perform SCRUD operations transparently.

The asymmetric key is not stored permanently in memory.

Revocation of one key does not affect the platform.

Disadvantages

More complex to implement than PaaSword Policy 1.

No theoretical guarantee that the key cannot be obtained by a compromised container.

All of the database's data resides in one place, so brute-force attacks can be mounted once it is compromised.

PaaSword Policy 3 – Monolithic Installation

The encryption and decryption process is performed by an Encryption Proxy.

The key is derived from a tenant key that is generated by the TKP.

Advantage

The container has no access to plaintext.

Disadvantage

The business logic cannot perform all SCRUD operations.

PaaSword Policy 4 – Distributed Installation

Zone Model

[Figure: four zones of decreasing trust (fully trusted, trusted, semi-trusted, untrusted) spanning the hardware of the data owner, a certified cloud provider and a storage cloud provider; the database proxy, the Data store and two Index stores are placed in different zones so that no single party holds all of them.]

Secure Database Proxy

[Figure: the User/Application exchanges unencrypted data with a trusted (no)SQL DB-Proxy; the proxy performs the transformation and speaks SQL to the untrusted cloud, which stores only encrypted Data and encrypted indexes (Index1, Index2).]

Example (1/4): original table and its encrypted representation

Original table Person:

ID | First Name | Last Name | Town | Date Of Birth
1 | Paul | Fischer | Hannover | 01.01.1979
2 | Hans | Müller | Karlsruhe | 02.02.1974
3 | Frank | Schmidt | Stuttgart | 03.03.1972
4 | Frank | Maier | Hamburg | 04.04.1983

Table Data in the cloud (one encrypted record per row):

ID | encrypted Data
1 | Enc(Paul, Fischer, Hannover, 01.01.1979)
2 | Enc(Hans, Müller, Karlsruhe, 02.02.1974)
3 | Enc(Frank, Schmidt, Stuttgart, 03.03.1972)
4 | Enc(Frank, Maier, Hamburg, 04.04.1983)

Index1 (keyword -> encrypted list of IDs):

Keyword | IDs
FirstName:Paul | Enc(1)
FirstName:Hans | Enc(2)
FirstName:Frank | Enc(3,4)

Index2:

Keyword | IDs
LastName:Fischer | Enc(1)
LastName:Müller | Enc(2)
LastName:Schmidt | Enc(3)
LastName:Maier | Enc(4)

The attributes are "lost in the crowd": because the ID lists are encrypted, the association between a keyword and its row is hidden from the cloud.

Example (2/4): transform query

The application issues

SELECT * FROM Person WHERE FirstName = 'Frank' AND LastName = 'Maier'

The DB-Proxy transforms it into one look-up per index:

SELECT ID FROM Index1 WHERE Keyword = 'FirstName:Frank'

SELECT ID FROM Index2 WHERE Keyword = 'LastName:Maier'

Example (3/4): decrypt and compose

The cloud returns the encrypted ID lists Enc(3,4) from Index1 and Enc(4) from Index2. The DB-Proxy decrypts both and intersects them, {3,4} ∩ {4} = {4}, so the only matching ID is 4.

Example (4/4): fetch data

The DB-Proxy fetches the matching encrypted record from the cloud:

SELECT * FROM Data WHERE ID in {4}

Decrypt and send result

The cloud returns Enc(Frank, Maier, Hamburg, 04.04.1983); the DB-Proxy decrypts it and delivers the result row Frank, Maier, Hamburg, 04.04.1983 to the application.
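The four example steps above carried through in code. This is an added example written for this page, not PaaSword project code: it builds the encrypted Data table and the two keyword indexes on the untrusted side, rewrites an equality query into one index look-up per predicate, intersects the decrypted ID lists, fetches the matching record and decrypts it. It goes one step beyond the slides in one respect: the plaintext keywords ('FirstName:Frank') are replaced by keyed HMAC tokens, which addresses the keyword-privacy requirement listed under Scientific Challenges. The cipher is a toy HMAC-SHA256 counter-mode construction with an HMAC tag so that the script runs on the Python standard library alone (AES-GCM would be used in practice); the sub-key derivation, table layout and class names are assumptions made for the example, not the project's design.

```python
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a toy stand-in for a real block-cipher mode."""
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]

def enc(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || tag (use AES-GCM for real)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def dec(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def token(key: bytes, keyword: str) -> str:
    """Deterministic keyed token replacing the plaintext keyword 'FirstName:Frank',
    so the untrusted side learns neither column name nor value (keyword privacy)."""
    return hmac.new(key, keyword.encode(), hashlib.sha256).hexdigest()

class UntrustedCloudDB:
    """Untrusted zone: the Data table plus one index per searchable column, ciphertext only."""
    def __init__(self) -> None:
        self.data = {}      # ID -> Enc(row)
        self.indexes = {}   # column -> {token -> Enc(list of IDs)}

    def select_ids(self, column: str, tok: str):
        # SELECT ID FROM Index_column WHERE Keyword = tok
        return self.indexes.get(column, {}).get(tok)

    def select_rows(self, ids):
        # SELECT * FROM Data WHERE ID in {...}
        return [self.data[i] for i in ids if i in self.data]

class DBProxy:
    """Trusted zone: holds the tenant key, transforms queries, decrypts results."""
    def __init__(self, tenant_key: bytes, searchable: tuple) -> None:
        # Separate sub-keys for records and index tokens, derived from the tenant key (assumption).
        self.k_data = hmac.new(tenant_key, b"example-data-key", hashlib.sha256).digest()
        self.k_index = hmac.new(tenant_key, b"example-index-key", hashlib.sha256).digest()
        self.searchable = searchable
        self.cloud = UntrustedCloudDB()

    def load(self, rows) -> None:
        """Encrypt every row and build the per-column keyword indexes."""
        postings = {col: {} for col in self.searchable}
        for row in rows:
            self.cloud.data[row["ID"]] = enc(self.k_data, json.dumps(row).encode())
            for col in self.searchable:
                tok = token(self.k_index, f"{col}:{row[col]}")
                postings[col].setdefault(tok, []).append(row["ID"])
        for col, posting in postings.items():
            self.cloud.indexes[col] = {tok: enc(self.k_data, json.dumps(ids).encode())
                                       for tok, ids in posting.items()}

    def select_where(self, equals: dict) -> list:
        """SELECT * FROM Person WHERE c1 = v1 AND c2 = v2 ..., rewritten as one index
        look-up per predicate; the ID lists are decrypted and intersected here, then
        the matching records are fetched and decrypted."""
        matching = None
        for col, val in equals.items():
            if col not in self.searchable:
                raise ValueError(f"{col} is not indexed; equality search on ciphertext is impossible")
            blob = self.cloud.select_ids(col, token(self.k_index, f"{col}:{val}"))
            ids = set(json.loads(dec(self.k_data, blob))) if blob else set()
            matching = ids if matching is None else matching & ids
        return [json.loads(dec(self.k_data, blob))
                for blob in self.cloud.select_rows(sorted(matching or ()))]

# Constructed sample data: the Person table from the slides.
PERSONS = [
    {"ID": 1, "FirstName": "Paul", "LastName": "Fischer", "Town": "Hannover", "DateOfBirth": "01.01.1979"},
    {"ID": 2, "FirstName": "Hans", "LastName": "Müller", "Town": "Karlsruhe", "DateOfBirth": "02.02.1974"},
    {"ID": 3, "FirstName": "Frank", "LastName": "Schmidt", "Town": "Stuttgart", "DateOfBirth": "03.03.1972"},
    {"ID": 4, "FirstName": "Frank", "LastName": "Maier", "Town": "Hamburg", "DateOfBirth": "04.04.1983"},
]

def build_demo_proxy() -> DBProxy:
    """Tenant key as a Trusted Key Generator would hand it over (random bytes here)."""
    proxy = DBProxy(os.urandom(32), searchable=("FirstName", "LastName"))
    proxy.load(PERSONS)
    return proxy

if __name__ == "__main__":
    print(build_demo_proxy().select_where({"FirstName": "Frank", "LastName": "Maier"}))
```

The proxy refuses a predicate on a column that has no index (Town, DateOfBirth): with only ciphertext in the cloud there is nothing to compare against, which is why the DAO annotations have to declare up front which attributes must stay searchable.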

PAASWORD SCIENTIFIC CHALLENGES


Searchable Encryption Scheme

Define a Searchable Encryption (SE) scheme that is able to work with encrypted data based on defined policies.

SE needs to allow multi-read, multi-write and needs to provide keyword privacy.

SE needs to offer revocation functionality in order to tackle misbehaving users.

SE needs to be efficient and able to run on multiple devices with different resources.

Possibly offer different SE schemes with different functionality/security levels.

Access Control Policies

Access control policies are based on the Access Control Model.

The developer chooses the applied access control model:

Key-Policy Attribute-Based Encryption (KP-ABE) or Ciphertext-Policy Attribute-Based Encryption (CP-ABE).

Which one can be applied in the PaaSword setting?

Move to a revocable version?

Access control policies are context-aware through the use of a Context Model.

The Context Model is based on LinkedUSDL, taking into account context attributes such as geolocation, device, ...

Each data type has its own context attributes.

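How a context-aware policy of this kind is evaluated, as an added example that is not PaaSword code: rules in the style of XACML (target, condition, effect) are combined with deny-overrides and evaluated over a request whose context carries geolocation, device and time attributes, so that a registrar's permission depends on the situation the request is made in (the location restriction from the cross-border use case, the "permissions based on the situation of the user" from the CRM use case). The attribute names, the sample rules including the country allow-list, and the requests are constructed for illustration and are not taken from the project.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
Request = Dict[str, Any]

@dataclass
class Rule:
    """One XACML-style rule: applies when every target attribute matches the request
    and the condition holds over the request context; it then yields its effect."""
    name: str
    effect: str                                     # PERMIT or DENY
    target: Dict[str, Any]                          # attribute -> required value
    condition: Callable[[Request], bool] = lambda req: True

    def evaluate(self, req: Request) -> str:
        if any(req.get(attr) != value for attr, value in self.target.items()):
            return NOT_APPLICABLE
        return self.effect if self.condition(req) else NOT_APPLICABLE

def deny_overrides(rules: List[Rule], req: Request) -> str:
    """XACML deny-overrides combining algorithm: a single Deny wins, otherwise any
    Permit wins, otherwise the policy set is not applicable to this request."""
    decisions = [rule.evaluate(req) for rule in rules]
    if DENY in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE

def pep_allows(rules: List[Rule], req: Request) -> bool:
    """Policy Enforcement Point: only an explicit Permit releases decrypted data;
    NotApplicable is treated as a denial (default deny)."""
    return deny_overrides(rules, req) == PERMIT

# Constructed rules for a cross-border civil-status exchange scenario. Attribute
# names and the country allow-list are assumptions made for this example.
ALLOWED_COUNTRIES = {"DE", "GR", "CH"}

RULES = [
    Rule("registrars may read civil-status records", PERMIT,
         {"subject.role": "registrar", "resource.type": "civil_status_record", "action": "read"}),
    Rule("no access to records from outside the allowed countries", DENY,
         {"resource.type": "civil_status_record"},
         lambda req: req.get("context.country") not in ALLOWED_COUNTRIES),
    Rule("unmanaged devices never receive decrypted data", DENY, {},
         lambda req: not req.get("context.device_managed", False)),
    Rule("registrars may export only during office hours", PERMIT,
         {"subject.role": "registrar", "resource.type": "civil_status_record", "action": "export"},
         lambda req: 8 <= req.get("context.hour", -1) < 18),
]

def sample_requests() -> Dict[str, Request]:
    """Constructed requests: the same registrar in different situations."""
    base = {"subject.role": "registrar", "resource.type": "civil_status_record",
            "action": "read", "context.country": "DE",
            "context.device_managed": True, "context.hour": 10}
    return {
        "office_read": dict(base),
        "read_from_abroad": {**base, "context.country": "US"},
        "read_on_byod": {**base, "context.device_managed": False},
        "export_at_night": {**base, "action": "export", "context.hour": 23},
        "export_daytime": {**base, "action": "export"},
    }

if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(f"{name:18s} -> {deny_overrides(RULES, req)}")
```

The export-at-night case is the one to watch: no rule denies it and no rule permits it, so the combining algorithm returns NotApplicable, and it is the enforcement point's default-deny stance, not a rule, that keeps the data encrypted.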

Insecure APIs

Transport Security

Protect APIs carrying sensitive data within a secure channel

Use SSL/TLS

How to generate/manage valid certificates from an internal/external certificate authority?

Issues with configuring platform services and software integration

Issues with end-to-end protection if any proxying platforms are required as intermediaries

Code and Development Practices

Test any API that passes JSON/XML messages or accepts input from users/applications for standard injection flaws and cross-site request forgery attacks

Insecure APIs

Authentication & Authorization

Open Issues

Can APIs manage the encryption of usernames and passwords?

Is it possible to manage two-factor authentication attributes?

Can fine-grained authorization policies be created and maintained?

Is there continuity between internal identity management systems and attributes, and those extended by APIs from cloud providers?

Reusable tokens/password?

API dependencies?

Limited monitoring/logging capabilities?

Inflexible access control?


Conclusion I

PaaSword provides a holistic framework for data privacy and security by design.

Added value exemplified in 5 business demonstrations.

Based on the concepts of

PaaSword Semantic Models
Typesafe Development Libraries
PaaSword Application
PaaSword-enabled Container
Outsourced Database

Architecture and reference implementation defined with the help of functional and security requirements from stakeholders.

Conclusion II

The architecture consists of

PaaSword Central Administration
Application Development Zone
PaaSword Execution Container
Tenant Trusted Operational Zone

PaaSword Policies for Security 1, 2, 3, 4

PaaSword Scientific Challenges: Searchable Encryption working with encrypted data based on defined policies; combining Searchable Encryption with Access Control Policies; Insecure APIs

Questions?

Visit us:

www.paasword.eu

Acknowledgements: This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 644814.

