Sebastian Zickau
Technical University of Berlin
Publication
Featured research published by Sebastian Zickau.
grid economics and business models | 2012
Dirk Thatmann; Mathias Slawik; Sebastian Zickau; Axel Küpper
While cloud computing has seen widespread usage, there exist domains where the diminishing of management capabilities associated with cloud computing prevents adoption. One such domain is the health sector, which is the focus of the TRESOR project. Enabling cloud computing usage under strict compliance constraints such as enterprise policies and legal regulations is the goal of TRESOR. The main approach consists of a distributed cloud proxy, acting as a trusted mediator between cloud consumers and service providers. In this paper we analyze issues which arise within the TRESOR context and show how an architecture for a proposed ecosystem bypasses these issues. The practicability of our solution is shown by a proof of concept proxy implementation. As all components of the architecture will be part of our proposed cloud ecosystem, we provide a holistic and generic proposal to regain management capabilities in cloud computing.
ieee international conference on cloud computing technology and science | 2014
Sebastian Zickau; Mathias Slawik; Dirk Thatmann; Sebastian Uhlig; Iwailo Denisow; Axel Küpper
The TRESOR (Trusted Ecosystem for Standardized and Open cloud-based Resources http://www.cloud-tresor.de/) project enables cloud computing solutions for the German health sector. This sector deals with sensitive medical information and is in general not suitable for current cloud-based solutions, which are lacking appropriate privacy and security features. The project evaluates and proposes new architectural components to address these shortcomings. These will be combined into a secure and trustworthy ecosystem that will enable the health industry and other sectors to take advantage of cloud computing. The architecture consists of components, such as a marketplace, a broker, a proxy and a PaaS-platform. TRESOR addresses privacy and data protection issues and aims at providing a standardized solution with reduced lock-in effects that can also be used in other domains. In this paper the specific tasks and the architecture of these components are presented, important challenges of the TRESOR project are highlighted and preliminary results, such as a secure transfer protocol, and policy integration are shown.
ieee international conference on cloud networking | 2014
Sebastian Zickau; Dirk Thatmann; Tatiana Ermakova; Jonas Repschläger; Rüdiger Zarnekow; Axel Küpper
In a multi-stakeholder cloud computing environment, data access control is of essential importance. Nowadays, it is usually handled in and deployed by every single cloud service on its own which makes the configuration of fine-grained access privileges cumbersome and economically expensive. In this paper, we introduce a novel cloud ecosystem architecture featuring an overall lightweight data access control model. This model is enabling data access policies based on location information of service consumer devices. We apply our architecture in the sensitive healthcare domain, which itself comprises multiple parties with complex data access privileges. Here, we define high-level requirements driven from current data protection regulations and guidelines as well as practice requirements in this area, which we address in the design of our architecture. We implement and test the main components. The results demonstrate the feasibility of our architecture and the applicability of our approach even in the healthcare application domain.
ieee international conference on data science and data intensive systems | 2015
Dirk Thatmann; Sebastian Zickau; Alexander Forster; Axel Küpper
With the advent of the Internet of Things (IoT), communication between connected machines has become a necessity. We simulate the communication of IoT by short-lived instant messaging for group communication. Group communication security requires such measures as group forward and backward secrecy and perfect forward secrecy. We satisfy these security measures by using a group controller and Attribute-based Encryption (ABE) to encrypt data on update procedures. The communication overhead is outsourced to a mediating MQ Telemetry Transport broker. Thus, we decrease the costs for group joins and leaves to Θ(1). The number of attributes used in the system is reduced to O(log(N)), where N represents the maximum number of members. We provide an intuitive approach to fit the maximum number N = 2^k members to our requirements and to increase the maximum size of members, if needed by N = 2^(k+1).
ieee international conference on cloud networking | 2015
Jasir El-Sobhy; Sebastian Zickau; Axel Küpper
The progress in positioning technologies and the distribution of mobile devices with data communication capabilities promote the idea of providing proximity-based services. Proximity-based services deliver information and trigger actions, based on the location of users or devices. Recently, such applications became more popular in different facilities, such as shops, museums, and hospitals. Nevertheless, in most systems the service adaption is based solely on the location of a single user making the request. The presence or absence of other users is not considered. Furthermore, there is a need for a system, which can support the extension for different use cases without the need to change the program logic. The location of users is obtained by state-of-the-art wireless radio frequency technologies. How such a system can be designed for accessing mobile cloud data within a cloud computing ecosystem, as well as its feasibility is shown.
wireless and mobile computing, networking and communications | 2015
Senan M. H. Sharhan; Sebastian Zickau
Most service providers and data owners desire to control the access to sensitive resources. The user may express restrictions, such as who can access the resources, at which point in time and from which location. However, the location requirement is difficult to achieve in an indoor environment. Determining user locations inside of buildings is based on a variety of solutions. Moreover, current access control solutions do not consider restricting access to sensitive data in indoor environments. This article presents a graphical web interface based on OpenStreetMap (OSM), called Indoor Mapping Web Interface (IMWI), which is designed to use indoor maps and floor plans of several real-world objects, such as hospitals, universities and other premises. By placing Bluetooth Low Energy (BLE) beacons inside buildings and by labeling them on digital indoor maps, the web interface back-end will provide the stored location data within an access control environment. Using the stored information will enable users to express indoor access control restrictions. Moreover, the IMWI enables and ensures the accurate determination of a user device location in indoor scenarios. By defining several scenarios the usability of the IMWI and the validity of the policies have been evaluated.
next generation mobile applications, services and technologies | 2015
Iwailo Denisow; Sebastian Zickau; Felix Beierle; Axel Küpper
Attribute-based encryption (ABE) allows users to encrypt (cloud) data with fine-grained Boolean access control policies. To be able to decrypt the ciphertext, users need to have a private key with the associated attributes. If the attributes satisfy the formula, the plaintext can be recovered. In this paper, ABE is extended with dynamic attributes. This allows attributes to be added to an existing private key. A server component named Attribute Authority is introduced. By using these dynamic attributes, it is now possible to have the decryption depend on data that changes often, such as location information of a mobile device. Two schemes were developed that convert location data into usable ABE attributes. To demonstrate our results, an Android application was implemented and evaluated in a field test.
mobile cloud computing & services | 2015
Sebastian Zickau; Felix Beierle; Iwailo Denisow
With the spread of fast mobile Internet connections, such as 3G and LTE, and the increasing processor power of mobile devices, accessing cloud computing services on-the-go is common among all users. Sharing private information with friends and family members is an option of popular cloud services, such as storage and social media services. But recent headlines show that the access to private information is often not sufficiently secured on the service level. The approach presented in this paper aims to use attribute-based meta-information to secure data on the level of files without relying on additional functionality of third-party services. A mobile device app is used to access and alter the meta-information. Attribute-based encryption mechanisms secure the private data and define access policies for friends and other users simultaneously.
mobile cloud computing & services | 2015
Andreas Roos; Steffen Drusedow; Mahya Ilaghi Hosseini; Gokhan Coskun; Sebastian Zickau
In the face of an enormously increasing amount of personal digital data distributed over various devices, end users are challenged to efficiently store and administrate them. Mostly, users make use of public storage services in the cloud and local storage devices, whereas people with IT expertise make use of sophisticated and expensive network attached storage solutions or self-managed server solutions. Moreover, besides the pure data storage process itself, privacy-aware data handling will become important in the future, which enables access control to the data in order to avoid malicious access from other users, applications and/or services. To take advantage of the benefits of the aforementioned different approaches, we advocate an integrated solution. Due to privacy concerns, the most important aspect to take into consideration in such a combined solution is trustworthiness. This paper introduces a trust level based data storage and trust level based data access control solution which changes the control process of data storage and data access. The introduced solution enables user-friendly data handling based on assigned trust levels to storage solutions in a distributed data storage environment and the classified sensitivity level of the data to be stored.
Datenschutz Und Datensicherheit - Dud | 2017
Torben J. Herber; Marc Jentsch; Sebastian Zickau
Abstract: It is not only since the most recent doping revelations that all athletes in elite sport have been under a general suspicion of doping. The World Anti-Doping Code abolished the presumption of innocence for athletes years ago. They can prove that they practise "clean" sport only by tolerating massive intrusions into their private and intimate spheres. The article shows that, through the use of PETs, these massive intrusions may soon be a thing of the past.