© Fraunhofer IESE
Future @ Cloud: Cloud Computing meets Smart Ecosystems
Joerg Doerr, Fraunhofer IESE, Kaiserslautern, Germany
Fraunhofer-Institute for Experimental Software Engineering (IESE)
Leading Institute for Software Engineering
Founded in 1996 in Kaiserslautern, Germany; 200 employees; focus on software engineering
• Provide innovative and value-adding customer solutions with measurable effects
• Advance the state-of-the-art in software and system engineering
• Promote the importance of empirically based software and system engineering
www.iese.fraunhofer.de
Fraunhofer IESE – Our Competencies
SOFTWARE-ENABLED INNOVATIONS for innovative Systems
Digital Society Business Life: Integration Enables Innovation!
… in Information Systems as well as in Embedded Systems
Trends and Implications
• New business models that did not work in the past start to work now (Apple Store, Micropayment, ..)
• Private life pushes business life
• Physical objects go digital: machinery, things, living objects like plants and animals
• Usage of Big Data to exploit available data
• Uncertainty at runtime
IT Mega Trend: Integration
Big Data / Data Analytics
Digital Ecosystems
Software Ecosystems
• deliver innovations through integrated software systems
• are typically driven by multiple organizations at their own pace to interact with shared markets
• operate through the exchange of data, functions, or services with mutually influencing parts
Smart Ecosystems
• integrate non-trivial information systems supporting business goals
• integrate non-trivial embedded systems supporting technical goals
• function as one unit to achieve a common, superior goal and share context-dependent information
Integration of IS and ES - Differences
Key Goals
  IS: Optimization of Business Processes
  ES: Optimization of Technical Processes (sensors and actuators)
  ES/IS: Optimization of both Business Processes and Technical Processes with Equal Rights
Software Engineering
  IS-Driven (Information Systems 2.0): may include embedded data in workflows
  ES-Driven (Embedded Systems 2.0): may use information systems for data storage, e.g., in the cloud
  ES/IS-Integration: Participative Engineering across organizations (sometimes with Equal Rights)
Key Qualities (Examples)
  IS: Security
  ES: Safety
  ES/IS: Safety & Security
Smart Ecosystems - A Trend Across Domains
Domains around Smart Ecosystems: Industry 4.0, V2X and C2X, eEnergy, eHealth, Smart Farming, …
Research in Smart Ecosystems - Key Challenges
• Diversity
• Uncertainty
• Complexity
• Guaranteed Qualities (e.g., Safety and Security)
• Lifecycle Management
• Big Data
Big Data Analysis in Smart Ecosystems
Diagram (recovered labels): each participating organization (Organization 1 … Organization N) runs its own runtime environment with data sources, algorithmics and analyses, visualization, modeling, and a data miner & generator. A shared virtual runtime environment provides global analyses, algorithmics, data fusion, an analysis database and visualization, together with an ecosystem simulator, a crowd data miner and data generation. Exchange relies on standardized modeling for analyses and released data; usage control applies at the interfaces between the organizations and the shared environment.
Dealing with Data in Smart Ecosystems – Cloud as Potential Boost for Analytics & Interoperation – Data Usage Control as Key Business Enabler
Moving Data to the Cloud = Moving Data to Third Parties
Data Protection Challenges
• Data Residency (data must be kept within defined geographic borders)
• Data Privacy (enterprise is responsible for any breach to data)
• Compliance (enterprise must comply with applicable laws)
• Data Usage Control (data is accessed from different entities)
→ Main concerns for critical infrastructure IT using the Cloud: Security and Privacy
Source: https://seccrit.eu/upload/CloudCritITSurvey.pdf, 10-03-2014, SECCRIT
Motivation - SECCRIT in a Nutshell
Challenges
• Analyse and evaluate cloud computing with respect to security risks in sensitive environments (i.e., critical infrastructures)
Goal
• Development of methodologies, technologies and best practices for secure, trustworthy, high-assurance and legally compliant cloud computing environments for critical infrastructure IT
→ Enable cloud technologies to be used for critical infrastructure IT
SECCRIT Research Focus at Fraunhofer IESE
• Multi-layer Policy Decision and Enforcement for Usage Control Policies
  • Policy enforcement on different abstraction layers of the cloud (e.g., cloud infrastructure or service level)
  • Context-aware policy enforcement mechanisms (e.g., respecting geolocation if data or service is migrated)
• User-friendly Policy Specification
  • Elicitation method for security demands and mapping to machine-enforceable security policies
  • Reduction of errors and misunderstandings in policy specification
Policy Decision and Enforcement
Policy Decision and Enforcement Framework: IND²UCE
• Dynamic framework for policy decision and enforcement
• Seamless integration of new components
• Dynamic management during runtime
• Powerful policy language
Policy Decision and Enforcement - SECCRIT Architectural Framework (Policy-oriented View)
• PEP and PXP as enforcement components on different abstraction levels
• PDP as central decision component
• PIP component as additional information retrieval component for the decision making
• PAP as interface between stakeholders and policy framework
Enforcement in the Cloud Infrastructure Level - Scenario: Enforcing Anti-Affinity Policy
Scenario: Tenant A runs critical infrastructure services on different machines (VMs) on a virtual datacenter. However, the services are not allowed to share the same physical resources!
Problem: If Tenant A or the cloud infrastructure operator starts migrating virtual machines (VMs) to the same physical host, both critical services run on the same physical host.
→ VMware offers affinity rules, but allows their violation
Solution: An anti-affinity policy specifies that critical VMs have to be separated. Migrating critical VMs to the same physical host results in automatically migrating the other critical service away.
Enforcement in the Cloud Infrastructure Level - Scenario: Enforcing Virtual Machine Snapshots Policy
Scenario: A virtual machine is reserved as a sandbox for evaluating new software. Testers can install software on the machine, but it has to be reverted to its previous state after usage. Only administrators are allowed to make persistent changes.
Problem: A tester might forget to revert the machine, or an administrator might forget to create a new snapshot. Creating snapshots and reverting has to be triggered manually; the vCenter user management has no automatic mechanism for this kind of scenario.
Solution: Virtual machine snapshot policies specify that a snapshot is created after an administrator logs out from the virtual machine. If a tester logs out from the virtual machine, the virtual machine is reverted.
Enforcement in the Cloud Infrastructure Level - Scenario: Enforcing Virtual Machine Geolocation
Scenario: A virtual machine hosts sensitive data and is only allowed to be operated in countries within Europe.
Problem: A cloud operator might trigger the process to migrate the virtual machine to another data center outside Europe.
Solution: A virtual machine geolocation policy specifies that virtual machines are only allowed to be operated in data centers within Europe. Migrating the virtual machine outside Europe will be logged and countermeasures enforced.
Enforcement in the Cloud Infrastructure Level - Scenario: Enforcing Virtual Machine Power States
Scenario: A cluster contains a virtual machine dedicated to testing new software. The testing machine might interfere with the normal operation of the cluster (e.g., memory leaks, interfering network traffic) and has to be monitored by the testers.
Problem: The resources for the machine cannot be restricted any further without influencing the testing process.
Solution: A virtual machine power state policy specifies that the machine is shut down or suspended if no developer is logged into the vCenter management environment to monitor it.
Enforcement in the Cloud Infrastructure Level - IND²UCE for VMware
Diagram (recovered labels): IND²UCE manages VMware vSphere hosts through the VMware vCenter Server over its SOAP interface, next to the VMware vSphere Client.
✓ independent of VMware changes (except for interface changes)
✓ no disturbance of other systems
✗ only detective enforcement
Enforcement in the Service Level - IND²UCE for HBase/Hadoop Cloud Databases
• HBase: NoSQL database inspired and modeled after Google's Bigtable [1]
• Hadoop: Distributed File System (HDFS) + Hadoop MapReduce
• Idea: distribute big data into clusters; MapReduce algorithm
[1] http://research.google.com/archive/bigtable.html
Enforcement in the Service Level - Scenario: Modify Data in Transit
Scenario: A first level support worker accesses person-related data of their customers. However, the support worker should not have access to fields such as the concrete date of birth.
Problem: The database stores the date of birth in one field and can only return the entire field or nothing. Without usage control, the restriction could only be implemented by changing the database fields accordingly.
Solution: A privacy policy specifies that day of birth and month of birth are replaced with 'X'. Only the year of birth is visible to the first level support worker.
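The modify-in-transit solution above as an added Python example (not IND²UCE code): a service-level PEP that rewrites the response on its way from the database to the caller. The HBase column name `personal:date_of_birth`, the role names and the YYYY-MM-DD storage format are assumptions.

```python
# Added example, not IND²UCE code: a service-level PEP that modifies data in transit.
# It sits between the HBase client and the caller and rewrites the date-of-birth
# column per role, so the database schema stays untouched.  Column and role names
# are assumptions.
import re

ISO_DATE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")  # assumed storage format YYYY-MM-DD

# Privacy policy: per role, which column gets which transformation.
PRIVACY_POLICY = {
    "first_level_support": {"personal:date_of_birth": "mask_day_month"},
    "second_level_support": {},  # released unchanged
}

def mask_day_month(value: str) -> str:
    """Keep the year, replace day and month with 'X'.  A value that does not
    parse is masked completely: fail closed rather than leak an odd format."""
    m = ISO_DATE.match(value)
    return f"{m.group(1)}-XX-XX" if m else "XXXX-XX-XX"

TRANSFORMS = {"mask_day_month": mask_day_month}

def enforce_read(role: str, row: dict) -> dict:
    """PEP hook on the Get result: return a modified copy (the stored row is never
    changed).  A role with no policy entry gets nothing: deny by default."""
    rules = PRIVACY_POLICY.get(role)
    if rules is None:
        return {}
    released = dict(row)
    for column, transform in rules.items():
        if column in released:
            released[column] = TRANSFORMS[transform](released[column])
    return released
```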
Enforcement in the Service Level - IND²UCE for HBase/Hadoop Cloud Databases
Diagram (recovered labels): Hadoop cluster components. HDFS: Name Node, Secondary Name Node, Data Nodes. MapReduce: Job Tracker, Task Trackers. HBase: HMaster1, HMaster2, Region Servers. Zookeeper Ensemble: Zookeeper1, Zookeeper2, Zookeeper3. Legend: control & message signals, one-way dependency, bi-directional dependency.
Takeaways
• Companies and Society can strongly benefit from Smart Ecosystems
  • Opportunity and threat at the same time for companies
• Cloud Computing can be a significant boost for analytics and interoperability
• Challenges in Smart Ecosystems require guaranteed qualities
  • Data Usage Control will be a business enabler; Security is not a showstopper
• Fraunhofer IESE provides strong competences for Smart Ecosystem challenges
Backup Slides
Multi-Layer Policy Enforcement
Conclusion
Moving Data to the Cloud = …
• Moving Data to Third Parties
• Losing Control over Data
Usage Control: a generalization of Access Control
• Security policies specify how data usage is handled, also after access has been granted and data has been released
• Enables compliance with privacy, auditing, and accountability regulations (e.g., data has to be deleted after 14 days)
→ Usage Control keeps control over your data usage
Diagram: Usage Control encompasses Access Control.
Enforcement in the Cloud Infrastructure - IND²UCE for VMware
Enforcement in the Cloud Infrastructure Level
• Policy Enforcement Point (PEP) intercepts events: Migration, Lifecycle, Powercycle, Cluster, etc.
• Policy Information Point (PIP) retrieves additional attributes: performance of virtual machines, cluster, etc.; runtime status, datastore capacities, configuration parameters, etc.
• Policy Execution Point (PXP) performs actions: Powercycle (PowerOn/Off, Reset, Shutdown, Reboot); Lifecycle (Reconfig, Relocate, Migrate, CreateSnapshot); Reconfigure, Apply/CancelRecommendation
Enforcement in the Cloud Infrastructure Level - Policy Enforcement Point (PEP)
Types of Events
• Virtual Machines: Migration, Lifecycle, Powercycle, Cluster (Failover, HA Monitoring, etc.)
• Cluster: Lifecycle, Resources, HA Services
• Hosts: Host operations, networking, lifecycle, etc.
• Datastores
• Networking: Lifecycle, Switch (e.g., port state)
• Roles and Permissions
Enforcement in the Cloud Infrastructure Level - Policy Information Point (PIP)
Contextual Information
• Performance of virtual machines, cluster, etc.: resource load such as CPU, memory, etc.
• Runtime status: connection or power state, bootTime, maximum CPU usage, etc.
• Datastore: capacity, free space, etc.
• Configuration parameters of virtual machines or cluster: MAC address, annotation, number of CPUs, etc.
• Information about user or group privileges
Enforcement in the Cloud Infrastructure Level - Policy Execution Point (PXP)
Execute Actions
• Virtual Machines: Powercycle (PowerOn/Off, Reset, Suspend, Standby, Shutdown, Reboot); Lifecycle (Reconfig, Relocate, Migrate, Clone, CreateSnapshot, etc.)
• Cluster: Reconfigure, Apply/CancelRecommendation
• Roles and Permissions: Set/Reset/RemoveEntityPermissions
BACKUP SLIDES
Diagram 1 (recovered labels): abstraction levels, stakeholders and resources.
• User Level: CI Service User on client devices; User Level SLAs
• Critical Infrastructure (CI) Service Level: CI Service Provider / CI Service Operator provides the service (SaaS/PaaS), built from service components (Component A, B, C), and manages service resources via an Operating Support System
• Tenant Infrastructure Level: Tenant Infrastructure Provider / Tenant Infrastructure Operator provides virtual infrastructure (IaaS/PaaS) and manages virtual resources (VS, VM, VN with their managers VSM, VMM, VNM) via a Tenant Infrastructure Management System; infrastructure service descriptions, VImage DB
• Physical Cloud Infrastructure Level: Cloud Infrastructure Provider / Cloud Infrastructure Operator (data centre) provides virtual resources (IaaS: virtual compute resources, virtual storage, virtual network) on physical compute, storage and network, and manages cloud resources via a Cloud Infrastructure Management System (orchestration, provisioning, monitoring, policy control); resource descriptions
Diagram 2 (recovered labels): deployment across providers. Cloud Infrastructure Provider A (Data Centre A.1) and Cloud Infrastructure Provider B (Data Centres B.1, B.2) host virtual resources for Tenant X and Tenant Y; the tenants host the service components (Component A, B, C, D) of the CI Service and of another service, which are used by CI Service Users and Other Service Users.
Welcome to Nebula Central Station!
• Nebula Central is a large subway station in a European metropolis. Three subway lines cross at the station and thousands of people pass through it daily.
• The station is open from 4.30 am till 1.30 am on weekdays and throughout the whole weekend. During the rest of the time, all entrances are closed with massive grates.
• There are about 45 stores, bars and restaurants within the station.
A new video surveillance system
Actors: MetroSub (The Subway Operator), CitySec (The Security Service Provider), TelCom (The Telecom Operator), TenSys (The Tenant System Mgmt), CloudCorp (The Cloud Mgmt Provider)
And everything goes fine – for a while. Then two incidents happen...
A new case of vandalism
• One night, the station is demolished again during closing hours. The direct damages exceed 100.000 € and the station is closed for a day.
• The mess is discovered in the morning when the station is opened.
• The security guards have not intervened as they have not received an alarm.
• MetroSub claims for indemnification from the operators.
• Nobody knows what caused the trouble – CitySec, TelCom, TenSys and CloudCorp blame each other. MetroSub sues them all...
Another problem – a data leak
• Another night, a known politician travels through the station after an evening party. Having had a few glasses too much, he needs to vomit in a trash can. No one sees this except one of the cameras.
• Next morning, the picture of the vomiting politician is in a tabloid newspaper. Nobody knows how it has come to the editors, who refuse to reveal the source.
• The politician files against MetroSub for breach of privacy – and MetroSub sues the operators, who, as usual, blame each other.
Valencia Traffic Control System
• Main functionality is to control the traffic in an urban area
• It is a scalable control system, ready to be used from small to large urban areas
Architecture
Diagram (recovered labels): the Traffic Controller is connected to Traffic Lights, Variable Message Signals, and Sensors (video detection, environmental sensors).
Moving to the Cloud
Opportunities
• Constantly growing and increasing information that requires infrastructure investments → use of cloud services to save effort and budget
• Third parties that want to access public information and can compromise the critical data → use of cloud mechanisms to secure the critical data and make the public data easily accessible
• Updates of the running software services and legacy systems → transparent updates and patching for traffic center operators
End-User Requirements
• High assurance of the data and services
• Policy compliant mechanisms
• Cyber resilience in case of cyber attacks or other conditions (natural disasters, human mistakes, etc.)
• Legal issues: compliance with relevant regulations (e.g. need for anonymizing/aggregating detailed traffic data for data protection/privacy reasons)
Moving to the Cloud
Use Cases, Hosting Critical Mobility Services in the Cloud:
• Moving data and services to the cloud
• Evaluating risks with data in the cloud
• Data not available due to a malfunction or misbehaviour
Tailored Services are our Industry Business
Agenda
1) Motivation
2) Policy Decision and Enforcement
3) Enforcement in the Cloud Infrastructure
4) Enforcement in the Service Level
5) Conclusion
MOTIVATION
Biological and Digital Ecosystems - Survival of the Fittest
(columns: Biological Ecosystems | Software Ecosystems | Smart Ecosystems)
Subjects: living organisms | organizations | organization
Objects: (none) | systems | systems
Value: fitness → potential to produce viable offspring | fitness → potential to earn money (directly or indirectly) | fitness → potential to earn money (directly or indirectly)
Resources: entities | manpower, money, code | manpower, money, code, entities
Environment: physical | digital | physical, digital