Giovanni Mazzeo

Cloud security: Emerging threats and current solutions

Abstract Many organizations are stuck in the cloudify or not to cloudify limbo, mainly due to concerns related to the security of enterprise sensitive data. Removing this barrier is a key pre-condition to fully unleash the tremendous potential of cloud computing. In this paper, we provide a comprehensive analysis of the main threats that hamper cloud computing adoption on a wide scale, and a right to the point review of the solutions that are currently being provided by the major vendors. The paper also presents the (near) future directions of cloud security research, by taking a snapshot of the main research trends and most accredited approaches. The study is done on a best of breed selection of proprietary and Open Source cloud offerings. The paper is thus a useful navigation tool, that can be used by the IT personnel to gain more insight into the security risks related to the use of cloud computing, as well as to quickly weigh the pros and cons of state of the art solutions.

An OpenNCP-based Solution for Secure eHealth Data Exchange

Abstract The European Commission is very focused on the development of possible solutions to allow effective cross-border healthcare provisioning with the aim of guaranteeing a uniform Quality of Service (QoS) level of healthcare systems across Europe. One of the most relevant efforts in this direction was the epSOS Project, with the release of the OpenNCP platform overcoming interoperability issues in health information exchange between nations while complying with both National and European laws. Despite the OpenNCP platform has been adopted in several Member States, allowing them to securely interconnect their eHealth infrastructures, some security issues are still partially addressed. This work shows how the KONFIDO project will address these issues by building on and extending the results of OpenNCP through a sound holistic approach to security at a systemic level. This paper describes in detail the KONFIDO project approach and how it is being deployed via a combination of complementary security enhancing technologies with the ultimate goal of increasing trust and security of eHealth data exchange.

SIL2 assessment of an Active/Standby COTS-based Safety-Related system

Abstract The need of reducing costs and shortening development time is resulting in a more and more pervasive use of Commercial-Off-The-Shelf components also for the development of Safety-Related systems, which traditionally relied on ad-hoc design. This technology trend exacerbates the inherent difficulty of satisfying – and certifying – the challenging safety requirements imposed by safety certification standards, since the complexity of individual components (and consequently of the overall system) has increased by orders of magnitude. To bridge this gap, this paper proposes an approach to safety certification that is rigorous while also practical. The approach is hybrid, meaning that it effectively combines analytical modeling and field measurements. The techniques are presented and the results validated with respect to an Active/Standby COTS-Based industrial system, namely the Train Management System of Hitachi-Ansaldo STS, which has to satisfy Safety Integrity Level 2 requirements. A modeling phase is first used to identify COTS safety bottlenecks. For these components, a mitigation strategy is proposed, and then validated in an experimental phase that is conducted on the real system. The study demonstrates that with a relatively little effort we are able to configure the target system in such a way that it achieves SIL2.

Cloudifying Critical Applications: A Use Case from the Power Grid Domain

The cloud computing paradigm is gaining more and more momentum, to the extent that it is no more confined to its initial application domains, i.e. use by enterprises and businesses that are simply willing to lower costs or to increase computing capacity in a flexible manner. In particular, increasing interest is recently being paid to the dramatic potentials that the use of cloud computing technology by critical infrastructure (CI) operators might bring about, in terms of benefits for the society at large. Since accidental or deliberate damage to a CI may result in devastating consequences, this mandates for dependable and trustworthy security mechanisms in cloud platforms. In this paper, we present a distributed application for real-time monitoring of a Power Grid. The application, which is called PoGriMon, is deployed on top of the SecureCloud platform, a security-enhanced IaaS solution that exploits the Intel Software Guard eXtension (SGX) technology. PoGriMon has been designed based on the requirements of the SCADA network of the Israeli Electric Corporation (IEC), and it is currently being validated in a realistic setup also provided by IEC.

Secure Cloud Micro Services using Intel SGX

The micro service paradigm targets the implementation of large and scalable systems while enabling fine-grained service-level maintainability. Due to their scalability, such architectures are frequently used in cloud environments, which are often subject to privacy and trust issues hindering the deployment of services dealing with sensitive data.

IoT and Sensor Networks Security

Abstract This chapter presents a survey about the Internet of Things (IoT). The wide-scale diffusion of the Internet has been the driving force for this emerging trend, namely the use of such global communication infrastructure for enabling machines and smart objects to communicate, cooperate, and take decisions on real word situations. The scope of this survey is to facilitate the first approach to the IoT world. Different visions of this novel paradigm and device constraints are reported and enabling technologies reviewed. IoT Security, Safety, and Privacy risks are presented and analyzed to provide a comprehensive view of current issues due to the adoption of this technology. Furthermore, particular attention is paid to the Wireless Sensor Network, which represents the most used sensors network in many domains such as Smart Home, providing an overview about its main technical challenges, attacks, and related countermeasures.

An Approach for Securing Cloud-Based Wide Area Monitoring of Smart Grid Systems

Computing power and flexibility provided by cloud technologies represent an opportunity for Smart Grid applications, in general, and for Wide Area Monitoring Systems, in particular. Even though the cloud model is considered efficient for Smart Grids, it has stringent constraints in terms of security and reliability. An attack to the integrity or confidentiality of data may have a devastating impact for the system itself and for the surrounding environment. The main security risk is represented by malicious insiders, i.e., malevolent employees having privileged access to the hosting machines. In this paper, we evaluate a powerful hardening approach that could be leveraged to protect synchrophasor data processed at cloud level. In particular, we propose the use of homomorphic encryption to address risks related to malicious insiders. Our goal is to estimate the feasibility of such a security solution by verifying the compliance with frame rate requirements typical of synchrophasor standards.

A GDPR-Compliant Approach to Real-Time Processing of Sensitive Data

Cyber-attacks represent a serious threat to public authorities and their agencies are an attractive target for hackers. The public sector as a whole collects lots of data on its citizens, but that data is often kept on vulnerable systems. Especially for Local Public Administrations (LPAs), protection against cyber-attacks is an extremely relevant issue due to outdated technologies and budget constraints. Furthermore, the General Data Protection Regulation (GDPR) poses many constraints/limitations on the data usage when “special type of data” is processed. In this paper the approach of the EU project COMPACT (H2020) is presented and the solutions used to guarantee the data privacy during the real time monitoring performed by the COMPACT security tools are highlighted.

Integrating Reactive Cloud Applications in SERECA

A consolidated trend in designing cloud-based applications is to make use of a reactive microservice architecture, which allows to divide an application in several well-partitioned software units with specific responsibilities. Such an architecture perfectly fits in cloud environments, ensuring a number of advantages (i.e., high availability and scalability, ease of deployment and development). However, the new way of designing cloud applications introduces challenging security threats. Besides the difficulty in monitoring security of the overall distributed application, an important aspect of concern relates to the risk of break the chain of trust established among the different microservices belonging to the application. That is, a compromised single microservice may bring down the other related ones. In this paper, we present the approach pursued in the context of SERECA1 project to secure microservice based applications. We leveraged the new extension of Intels CPU, namely Software Guard eXtension (SGX), to enhance the security of applications using Eclipse Vert.x, the tool-kit for building reactive cloud applications. We developed an infrastructure composed by several SGX-enabled facilities (e.g. Database, Containers, Coordination Services) to support the process of integration between Intel SGX and micro-service applications. Our platform has been, then, validated through two use cases that made use of the developed secure facilities, i.e., a Critical Infrastructure (CI) monitoring application - having strong requirements in terms of data integrity - and an application for performance analysis of cloud-based services where the confidentiality of data is of main interest.

Data Collection Framework

The data collection for eventual analysis is an old concept that today receives a revisited interest due to the emerging of new research trend such Big Data. Furthermore, considering that a current market trend is to provide integrated solution to achieve multiple purposes (such as ISOC, SIEM, CEP, etc.), the data became very heterogeneous. In this paper a flexible and efficient solution about the data collection of heterogeneous data is presented, describing the approach used to collect heterogeneous data and the additional features (pre-processing) provided with it.