Per Håkon Meland, Erkuden Rios Velasco, David Llewellyn-Jones
http://aniketos.eu
Aniketos: Supporting Trustworthy and Secure Composition in Service and Cloud Environments
4th of July 2011
Effectsplus Clustering Event, Amsterdam
Effectsplus July 2011
Contents
• Background
• Project overview
  • Objective, facts, partners
• Challenges we are facing
  • and what we can do about them…
Box image by ba1969: http://www.sxc.hu/photo/1301543
Future Internet
• Networked services
  • From monolithic full-service stack suppliers
  • To dynamic services built using multiple services from multiple providers
• Autonomic computing paradigm
  • Self-management
  • Self-healing
  • Self-configuration
  • Self-protection
• Dynamic mix of Cloud/non-cloud services depending on
  • Service availability
  • Functionality
  • Price
  • Performance
  • Trustworthiness
  • Security features
Aniketos Project
• The main objective of Aniketos is to help establish and maintain trustworthiness and secure behaviour in a dynamically changing environment of composite services.
  • Methods, tool support and security services to support design-time creation and run-time (re-)composition of dynamic services
  • Notifications about threats and changes
  • Socio-technical evaluations for acceptance and effective security
• ICT FP7 Objective 1.4: Secure, dependable and trusted infrastructures
• Started August 2010 running until February 2014
• See http://aniketos.eu
Compose Service Case Studies
Photo by Joe Lipson, CC license
SESAR
Future telecom services
eGovernance: Land buying
Air traffic service pool
Aniketos Consortium
• Athens Technology Center SA
• Atos Origin
• DAEM S.A.
• DeepBlue
• SELEX ELSAG (ex Elsag Datamat)
• Italtel
• Liverpool John Moores University
• National Research Council of Italy
• SAP
• SEARCH Lab Ltd
• Stiftelsen SINTEF
• Tecnalia Research & Innovation
• Thales
• University of Salzburg
• University of Trento
• Waterford Institute of Technology
• Wind Telecomunicazioni S.p.A.
Composite Security
• Not just enforcing single security property on all services
• Distributed services from multiple providers
  • Difficulty knowing if a policy is violated or not
• Service providers agree to fulfil a customer’s policy
  • Need to know whether their service can fulfil it
  • Need to decide whether this is the case
• Need tools to determine security properties based on composition
Example
• A ‘recursive services’ scenario
  • Using a service, don’t need to know (or care) whether it’s a single service or composite service
  • When determining the trustworthiness or security of a service, these issues may be critical!
• Data flow:
  • Where is my data stored?
  • Who has access to these data?
  • How are they stored?
  • How are they deleted?
  • Which laws and policies apply?
Source: http://www.zdnet.com/blog/igeneration/microsoft-admits-patriot-act-can-access-eu-based-cloud-data/11225
Composite Trust
• Services require not just security, but also trust
  • Service provider claims to fulfil a security policy
  • How can a service consumer trust this?
  • Need tools for quantification of trustworthiness and verification
• Composite services introduce
  • Composite trust
  • Chains of trust
  • Requirements on careful attribution
    • Whose trustworthiness rating should be affected if something goes wrong?
Aniketos Remedies for Composite Security and Trust
• Express security and trustworthiness requirements through graphical modelling
• Generation of security SLA templates
• Discovery, matching and planning
• Provide design-time and runtime modules for evaluating and monitoring security and trustworthiness between service stakeholders
• Subscription-based notifications and alerts (“early-warning”)
Societal Acceptance and Effective Security
• Trust and security are not only technical matters
  • Depend heavily on the human factors to be effective
• Composite services are often complex
  • Service end user should have an easy and understandable way of relying on its trustworthiness
• Aniketos contribution
  • Define a user-centred view on service trust and security
  • Investigate user acceptance and practical usability
  • Use case studies for future European services
Summary of Security and Trust Challenges for the Future Internet
• Services made up of other services
• Service composition may not be obvious externally
• Services provided by multiple providers
• Service components change; trust information may not be available
• Widespread adoption means security must be clear for non-technical users
Padlock image from arinas74: http://www.sxc.hu/photo/1056349
Aniketos Approach
• Make composite services able to establish and maintain security and trustworthiness
Aniketos Approach – Objectives
• Ensure and manage trustworthiness of interoperable and dynamically evolving services (through trust models and metrics)
• Develop integral framework providing methods and tool support for secure interoperable service development, composition, adaptation and management through concept of Security Engineering
• Define how to efficiently analyse, solve and share information on how new threats and vulnerabilities can be mitigated or how services can adapt to them
• Promote and contribute to best practices, standards and own certification work related to security and trust
• Demonstrate and evaluate practical use of security techniques, frameworks, patterns and tools in ordinary development of software and service with end-user trials
Platform Overview
• This approach is reflected in the platform design
• Incorporates
  • Design-time support
  • Run-time support
  • Community support
• Security properties are defined and evaluated
• Trustworthiness underpins security claims
• Threat context included in analysis
• Composite analysis allows trust and security properties to be understood in the context of composite services
• Support provided in terms of
  • Reference designs and security patterns
  • Threat information
  • Notifications
[Figure: The Aniketos platform]
• Design-time support
  • Trustworthiness definition and evaluation
  • Security property definition and evaluation
  • Composite service analysis and preparation
• Runtime support
  • Trustworthiness monitoring and evaluation
  • Runtime validation of secure service behaviour
  • Composite service adaptation and recomposition
• Community support
  • Reference architecture and patterns
  • End user trust and assurance
  • Threat analysis and notification
  • Aniketos market place
Key Concepts
• Trust
  • Used to determine whether offered security contracts are likely to be adhered to
• Security
  • Security requirements are defined by a security contract requested by the consumer, and fulfilled by a security policy agreed by the provider
• Threats
  • Threats define the context
  • Different security may be needed as new threats and vulnerabilities are identified
Threat Detection and Response
• Service deployment environment is dynamic
  • Fluctuating threats picture for service providers
  • Changing operating conditions for end users
  • New attack methods and capabilities emerge
  • Flaws and vulnerabilities may be discovered in services
• Aniketos contribution
  • Investigating new threat landscape
  • Investigate threats to composite services
  • Undertake work in understanding their nature
  • Establish how to deal with them