Aniketos 2nd cluster meeting

Per Håkon MelandErkuden Rios VelascoDavid Llewellyn-Jones

http://aniketos.eu

Aniketos: Supporting Trustworthy and Secure Composition in

Service and Cloud Environments

4th of July 2011

Effectsplus Clustering Event, Amsterdam

Effectsplus July 2011

Contents

� Background� Project overview

� Objective, facts, partners

� Challenges we are facing� and what we can do about them…

2

Box image by ba1969: http://www.sxc.hu/photo/1301543


Future Internet� Networked services

� From monolithic full-service stack suppliers

� To dynamic services built using multiple services from multiple providers

� Autonomic computing paradigm� Self-management� Self-healing

� Self-configuration

� Self-protection

� Dynamic mix of Cloud/non-cloud services depending on � Service availability

� Functionality� Price

� Performance

� Trustworthiness� Security features

3


Aniketos Project� The main objective of Aniketos is to help establish

and maintain trustworthiness and secure behaviour in a dynamically changing environment of composite services. � Methods, tool support and security services to support

design-time creation and run-time (re-)composition of dynamic services

� Notifications about threats and changes

� Socio-technical evaluations for acceptance and effective security

� ICT FP7 Objective 1.4: Secure, dependable and trusted infrastructures

� Started August 2010 running until February 2014� See http://aniketos.eu

4


Compose Service Case Studies

Photo by Joe Lipson, CC license

SESAR

Future telecom services

eGovernance: Land buying

Air traffic service pool

5


Aniketos Consortium

� Athens Technology Center SA� Atos Origin� DAEM S.A.� DeepBlue� SELEX ELSAG (ex Elsag Datamat)� Italtel� Liverpool John Moores University� National Research Council of Italy� SAP� SEARCH Lab Ltd� Stiftelsen SINTEF� Tecnalia Research & Innovation� Thales� University of Salzburg� University of Trento� Waterford Institute of Technology� Wind Telecomunicazioni S.p.A.

6


Composite Security

� Not just enforcing single security property on all services� Distributed services from multiple providers

� Difficulty knowing if a policy is violated or not� Service providers agree to fulfil a customer’s

policy� Need to know whether their service can fulfil it

� Need to decide whether this is the case

� Need tools to determine security properties based on composition

7


Example

� A ‘recursive services’ scenario� Using a service, don’t need to know (or

care) whether it’s a single service or composite service

� When determining the trustworthiness or security of a service, these issues may be critical!

� Data flow: � Where is my data stored?� Who has access to these data?

� How are they stored?

� How are they deleted?� Which laws and policies apply?

8


Source: http://www.zdnet.com/blog/igeneration/microsoft-admits-patriot-act-can-access-eu-based-cloud-data/11225

9


Composite Trust

� Services require not just security, but also trust� Service provider claims to fulfil a security policy� How can a service consumer trust this?� Need tools for quantification of

trustworthiness and verification

� Composite services introduce� Composite trust� Chains of trust� Requirements on careful attribution

� Who’s trustworthiness rating should be affected if something goes wrong?

10


Aniketos Remedies for Composite Security and Trust

� Express security and trustworthiness requirements through graphical modelling

� Generation of security SLA templates� Discovery, matching and planning� Provide design-time and runtime modules for evaluating

and monitoring security and trustworthiness between service stakeholders

� Subscription-based notifications and alerts (“early-warning”)

11


Societal Acceptance and Effective Security

� Trust and security are not only technical matters� Depend heavily on the human factors to be effective

� Composite services are often complex� Service end user should have an easy and understandable way of

relying on its trustworthiness

� Aniketos contribution� Define a user-centred view on service trust and security� Investigate user acceptance and practical usability� Use case studies for future European services

12


Summary of Security and Trust Challenges for the Future Internet

� Services made up of other services� Service composition may not be obvious externally� Services provided by multiple providers� Service components change; trust information

may not be available� Widespread adoption means security must

be clear for non-technical users

13

Padlock image from arinas74: http://www.sxc.hu/photo/1056349


Aniketos Approach

� Make composite services able to establish and maintain security and trustworthiness

14 / 27


Aniketos Approach

� Make composite services able to establish and maintain security and trustworthiness

15 / 27


Aniketos Approach – Objectives

� Ensure and manage trustworthiness of interoperable and dynamically evolving services (through trust models and metrics)

� Develop integral framework providing methods and tool support for secure interoperable service development, composition, adaptation and management through concept of Security Engineering

� Define how to efficiently analyse, solve and share information on how new threats and vulnerabilities can be mitigated or how services can adapt to them

� Promote and contribute to best practices, standards and own certification work related to security and trust

� Demonstrate and evaluate practical use of security techniques, frameworks, patterns and tools in ordinary development of software and service with end-user trials

16 / 27


Aniketos Approach

17 / 27


Platform Overview

� This approach is reflected in the platform design� Incorporates

� Design-time support� Run-time support� Community support

� Security properties are defined and evaluated

� Trustworthiness underpins security claims

� Threat context included in analysis� Composite analysis allows trust and security

properties to be understood in the context of composite services

� Support provided in terms of� Reference designs and security patterns� Threat information� Notifications

18 / 27

Trustworthiness definitionand evaluation

Trustworthiness monitoringand evaluation

Security property definitionand evaluation

Runtime validation of secure service behaviour

Composite service analysis and preparation

Composite service adaptation and recomposition

Design-time support Runtime support

The Aniketos platform

Community support

Reference architecture and patterns

End user trust and assurance

Threat analysis and notification

Aniketos market place

Trustworthiness definitionand evaluation

Trustworthiness monitoringand evaluation

Security property definitionand evaluation

Runtime validation of secure service behaviour

Composite service analysis and preparation

Composite service adaptation and recomposition

Design-time support Runtime support

The Aniketos platform

Community support

Reference architecture and patterns

End user trust and assurance

Threat analysis and notification

Aniketos market place


Key Concepts

� Trust� Used to determine whether offered security contracts are likely to

be adhered to

� Security� Security requirements are defined by a security contract requested

by the consumer, and fulfilled by a security policy agreed by the provider

� Threats� Threats define the context� Different security may be needed as new threats and

vulnerabilities are identified

19 / 27


Threat Detection and Response

� Service deployment environment is dynamic� Fluctuating threats picture for service providers� Changing operating conditions for end users� New attack methods and capabilities emerge� Flaws and vulnerabilities may be discovered in services

� Aniketos contribution� Investigating new threat landscape� Investigate threats to composite services� Undertake work in understanding their nature� Establish how to deal with them

20/27