Exploitation activities

ESCUDO-CLOUD aims at exploiting its results in relevant industrial venues and disseminating the achievements in the scientific literature. More precisely, ESCUDO-CLOUD specifically targets potential customers of data-security solutions in SMEs, governments, and enterprise users. ESCUDO-CLOUD provides a portfolio of security solutions for cloud-hosted data through tools that support multi-dimensional security goals. These tools will form a modular family, which will be demonstrated as technology prototypes related to the use cases. The tools will be combined into a common ESCUDO-CLOUD framework to support compatibility and interoperability among the tools and results. As the family of tools is modular and cloud-ready, they can be combined with each other using current state-of-the-art cloud platforms and standards. Selected building blocks will be released under open-source licenses, which simplifies their bottom-up adoption. Through the dissemination and branding efforts taken by the project, the results are expected to receive widespread attention.

UNIMI's exploitation activity falls into two major categories: external and internal exploitation. The external exploitation primarily addresses outreach and community building via scientific activities such as hosting, organizing, or participating in scientific forums and seminars, and contributing to open-source software. The internal dissemination comes from the educational component of courses in the areas of data protection and privacy in cloud scenarios, with courses and work on theses.

For the external exploitation, the UNIMI team, in collaboration with the UNIBG team, has produced research results that have been presented in scientific papers that appeared in international journals and conference proceedings and as chapters in edited books. Several talks, seminars, and classes at winter and summer schools have also been delivered about the research work performed in ESCUDO-CLOUD. UNIMI's team is also involved in the organization of several international conferences and workshops (i.e., SECRYPT 2016, WISPT 2016, DPM 2016, WPES 2016, CANS 2016) that will address, among others, problems related to security and trust in cloud environments. Dissemination of project findings will continue through the publication of scientific papers in relevant international conferences and journals, as well as talks, seminars, and tutorials addressed to the research community and the community at large.

For the internal exploitation, the members of the UNIMI team are responsible for several courses that also address topics in the area of ESCUDO-CLOUD. In particular, the Computer Science department (the department of the members of the UNIMI team) hosts the undergraduate degree program in ``Security of computer systems and networks'' (the only one in Italy), a Master degree program in Security and Privacy, and a curriculum on the same topics in the PhD degree program. The PhD program sees the participation of several foreign students. The members of the UNIMI team have given (and will give) lessons on ESCUDO-CLOUD topics in courses of the undergraduate degree program in ``Security of computer systems and networks'' and have also given a PhD course within the ``Security, Privacy, and Data Protection'' curriculum fully dedicated to the ESCUDO-CLOUD topics. The members of the UNIMI team have supervised several students who have developed their M.Sc. and B.Sc. theses exploring topics that are at the center of ESCUDO-CLOUD.

In the EU and globally, BT has a wide portfolio of products which are delivered with a service-based approach for the large business and public sector organisations served by BT Global Services. BT Cloud Compute (www.globalservices.bt.com/uk/en/products/cloud_compute) is an IaaS service with a wide range of availability zones, including public and private service offerings and geographical locations. In cyber security, our cloud service offerings are complemented by the BT Assure portfolio of security and risk management services. Both exploitation routes, BT Assure and BT Cloud Compute, are opportunities for ESCUDO-CLOUD, where BT is developing techniques for protecting data confidentiality and key management in order to provide multi-cloud data protection services. This will provide protection for heterogeneous data storage modes such as virtual devices, virtual directories, files, objects, big data clusters, etc. The service employs a key management server that generates, hosts, and manages all the keys as the basis of the various encryption and decryption techniques used by the secure storage service. BT's research is closely aligned with our recently announced 'cloud of clouds' vision. This is making cloud services integration a global reality as BT invests to be the cloud services integrator of choice for customers with diversified IT environments.

In the ESCUDO-CLOUD project, EMC is working with partner Wellness Telecom to develop an elastic cloud that can operate in a multi-cloud environment with end-user tenant security guarantees, which enables cloud service providers to extend their service offerings to new markets through partnerships and joint ventures with other service providers. Providing the technology for the external storage component of the multi-cloud environment ties in with open-source cloud storage initiatives within EMC such as CoprHD and REX-Ray. ESCUDO-CLOUD will provide a platform through which research into cloud storage solutions can be advanced, prototyped, and validated, which will position EMC appropriately to take advantage of emerging market trends in the cloud computing industry.

EMC is also investigating the security and privacy assurance requirements and providing solutions that will give tenants confidence that appropriate trust boundaries exist for their data and workloads in multi-cloud environments. EMC often acts as a third-party storage services provider, and therefore faces the challenge of establishing trust and confidence in the services and helping customers meet their regulatory requirements. The solutions proposed in ESCUDO-CLOUD will enhance EMC's ability to establish that trust and confidence, and provide the structures that enable customers to use EMC services while remaining compliant with their requirements.

In the first year of ESCUDO-CLOUD, EMC has presented the project to a number of internal product, solutions, and service groups and has also discussed the project concepts with a number of strategic customers in the financial services sector.

IBM builds on the results of ESCUDO-CLOUD in the domains of key management, data encryption, and integrity protection for cloud-storage systems.

OpenStack Swift is the object-storage platform in OpenStack, providing a highly available, distributed, eventually consistent object/blob store. Many organizations use Swift to store large amounts of data efficiently, safely, and cheaply. IBM has led the initial push towards providing server-side encryption in the Swift platform (wiki.openstack.org/wiki/Swift/server-side-enc) and has contributed to the design and implementation of this feature in the production code. The current specification of server-side encryption is final; the implementation has been thoroughly tested and is awaiting integration into the next release of Swift. The extended key management features that will be provided by IBM build on this effort.

Orthogonal to data encryption for confidentiality, IBM also addresses verification techniques for data integrity on object stores. Towards this goal, IBM has been extending the prototype system for Verification of Integrity and Consistency for Cloud Object Storage (VICOS). It enables a group of mutually trusting clients to detect data-integrity and consistency violations when accessing cloud storage, for example, data modification, replay attacks, or selective hiding of data updates by a corrupted cloud storage service. It is planned to release VICOS as part of ESCUDO-CLOUD's open-source tool contributions in 2016.

Furthermore, IBM has presented the ESCUDO-CLOUD technology on multiple occasions to customers, at public seminars, and at industrial and scientific conferences.

As part of the ESCUDO-CLOUD project, SAP is primarily working with the project partners on a concept for multi-user shared data and the related key management. As with all of SAP's EU projects in applied cryptography and anonymization, the research efforts are tied to internal research projects, in this case on a searchable, yet encrypted, HANA database (the SEEED project). SAP's expected results from ESCUDO-CLOUD will thus directly feed into an ongoing effort to deliver an industrial-strength, client-controlled encryption solution to SAP customers as part of SAP's overall cloud strategy.

In the first months of ESCUDO-CLOUD, the SAP team has presented the project to the Security Advisory Board of SAP, introduced the encryption concept to selected customers, presented in a highly coveted slot at SAP DKOM to the entire product development organization, presented at the SAP Product Security Expert Summit to internal and external stakeholders in information security, and won 2nd place in the software development organization for an SAP internal award selected by SAP's board member Bernd Leukert himself.

TU Darmstadt's academic exploitation covers both external and internal exploitation. The external exploitation addresses community building and academia-industry technology transfer in the form of publications, workshops, and seminars advocating the ESCUDO-CLOUD technical areas of security testing and SLA-based trust metrics. The internal dissemination primarily covers the educational component of developing students and enhancing technology know-how.

TUD's external exploitation resulted in publications (e.g., AsiaCCS-2016, ICSE-2015, IEEE Trans. Cloud Computing-2015). For publications with a tools component, TUD open-sourced the experimental environments for wider adoption, as in www.deeds.informatik.tu-darmstadt.de/research/tools/pain. TUD co-chaired the Workshop on ``Quantitative Aspects of Security Assurance (QASA 2015)'', which highlighted the academic-to-applied research transition related to ESCUDO-CLOUD trust metrics. TUD conducted active academia-industry-policy exploitation with seminars, meetings, and panels across EU working groups (e.g., C-SIG SLA WG), EC projects (e.g., SPECS, SLA-READY, NECS), and policy coverage (e.g., NIST, US-DoD, US-FTC, ENISA, and fora such as the CSA EMEA Workshop on Governance Accountability Compliance, csacongress.org/event/emea-2015/#worksops). Multiple technology transfer seminars were conducted at Deutsche Bahn, Siemens, AT&T, Microsoft, and at universities such as Duke Univ, Univ of North Carolina, Southern Methodist University, Univ of British Columbia, IIT-Roorkee, Academia Sinica Taiwan, and PolyU Hong Kong, among others. TUD's advocacy for Cybertrust quantification in the EC university-industry training program was successful, resulting in the Marie Curie ITN-MC-NECS (Network for CyberSecurity, necs-project.eu).

TUD's internal educational-component exploitation offered BS/MS courses on Cloud Trustworthiness (e.g., Building \& Breaking Complex Software Systems; Security and the Cloud; Issues and Metrics; etc.). The approach is to expose the students to the multiple research and educational offerings in order to grow their research and technical competencies for both research and applications. Topics related to ESCUDO-CLOUD on security testing and trust metrics were advertised for BS/MS/PhD theses, resulting in a completed BS thesis on ``Formal verification of distributed cloud services,'' an ongoing MS thesis on ``Security level based scheduling for IaaS Clouds'', and three ongoing PhD theses on the topics of validating and quantifying cloud security trust using SLAs.

As for the other academic partners, UNIBG's exploitation falls into two major categories: external and internal exploitation. The external exploitation primarily addresses scientific innovation and the dissemination of novel project results, in the form of publications, release of open-source software, hosting or participating in scientific workshops focused on these topics, and seminars presenting the results on enforceable cloud security studied in ESCUDO-CLOUD. The internal dissemination comes from the educational component of courses in the area of computer security, with courses and work on theses.

For the external exploitation, the UNIBG group has produced a number of papers, many of them in close cooperation with UNIMI. The topics discussed in the papers consider several aspects that are at the center of the ESCUDO-CLOUD goals. Techniques have been designed that permit the management of index structures that are robust against servers that keep track of the history of accesses to the data. Solutions have been designed that work both with a single server and with multiple servers, the latter showing a significant improvement in protection. Work has also considered the management of Mandatory Access Control policies, looking at the structure that modular policies can have. There is a very promising opportunity in adapting these solutions to the management of multi-tenant services: the SELinux system is already used to guarantee isolation of applications in several cloud platforms, and a more flexible and robust organization of policies can be adopted in this domain. Open-source prototypes are being developed and are expected to be released according to the project schedule. UNIBG was invited to the InfoSec summer school on computer security (Bilbao, July 6-10 2015), where the research done in the project was presented in a series of classes.

For the internal exploitation, the members of the UNIBG group are responsible for several courses in the B.Sc. and M.Sc. programs in Computer Science and Engineering. ESCUDO-CLOUD topics have been discussed in many courses. Specific attention has been dedicated to the project in the current and previous editions of the ``Computer Security'' course (Italian title: ``Sicurezza dei Sistemi Informatici''), held in the 2014-2015 and 2015-2016 academic years within the M.Sc. program in Computer Science and Engineering (Laurea Magistrale in Ingegneria Informatica). The students have attended lectures in which the ESCUDO-CLOUD domain and approaches have been explored. Several students have developed their M.Sc. and B.Sc. theses exploring subjects that fall within the ESCUDO-CLOUD domain, under the supervision of members of the UNIBG unit. A Ph.D. student is focusing his thesis on these topics.

Elastic cloud is the next step in the evolution of Wellness Telecom. ESCUDO-CLOUD will permit Wellness Telecom (WT) to become a ``virtual cloud provider,'' leveraging computational and storage infrastructures (i.e., IaaS) from third-party providers, and to secure its services by offering certifiably secure data management in the cloud. Moreover, customers will be able to trust the WT elastic cloud because their data files will be encrypted (even the files hosted in third-party clouds). The ESCUDO-CLOUD project will progress in four different phases for exploitation by WT. In the current, first phase, a market study of potential customers is being performed. It aims at dividing potential customers into groups according to their requirements in terms of security, performance, resilience, and so on. This will clarify the set of potential customers for the services delivered by WT in ESCUDO-CLOUD.