Overview

SECCRIT (SEcure Cloud computing for CRitical infrastructure IT) is a small/medium-sized collaborative EU-funded research project in the 7th Framework Programme (FP7-SEC-2012-1). The project consortium comprises 10 partners and the project lasts from 01.01.2013 to 31.12.2015.

The Mission

The mission of the SECCRIT project is to analyse and evaluate cloud computing technologies with respect to security risks in sensitive environments, and consequently to develop methodologies, technologies, and best practices for creating a secure, trustworthy, and high assurance cloud computing environment for critical infrastructures.

Keywords: cloud computing, security, critical infrastructures, assurance, legal guidelines, cloud risk assessment, policy specification, policy enforcement, best practices

Short Abstract

Cloud Computing is a style of computing where elastic IT-related capabilities are provided as optimized, cost-effective, and on-demand utility-like services to customers using Internet technologies. Being one of the major trends in the IT industry recently, it has gained tremendous momentum and started to revolutionize the way enterprises create and deliver IT solutions. As more sectors adopt cloud services in their computing environment, the trend will also reach ICT services operating critical infrastructures (CI), such as transportation systems or infrastructure surveillance. Hosting CI services in the cloud brings with it security and resilience requirements that existing cloud offerings are not well placed to address. Due to the opacity and elasticity of cloud environments, the risks of deploying CI services in the cloud are difficult to assess – specifically on the technical level, but also from legal or business perspectives. Traditional IT security measures cannot fully tackle the issues (e.g. risk, trust, and resilience) arising from this paradigm shift, especially for operators and manufacturers of CI IT systems. Therefore, the mission of the SECCRIT project is to analyse and evaluate cloud computing technologies with respect to security risks in sensitive environments, and to develop methodologies, technologies, and best practices for creating a secure, trustworthy, and high assurance cloud computing environment for CI. In order to accomplish this mission, the objectives of the SECCRIT project are: identification of the relevant legal framework and establishment of respective guidelines, provision of evidence and data protection for cloud services; understanding and managing risk associated with cloud environments; understanding cloud behaviour in the face of challenges; establishment of best practice for secure cloud service implementations; and the demonstration of SECCRIT research and development results in real-world application scenarios.

Objectives

SECCRIT Objectives

Challenges

SECCRIT Challenges

Work Packages

The Work Packages (WP) are structured as follows:

  • WP1 Project Management (Lead AIT)
  • WP2 Requirements, Use cases and Legal (Lead AMARIS)
  • WP3 Architecture, Specification and Design (Lead Fraunhofer IESE)
  • WP4 Cloud Operational Security and Resilience (Lead Lancaster University)
  • WP5 Cloud Analysis and Assurance (Lead NEC)
  • WP6 Demonstration (Lead Ajuntament De Valencia)
  • WP7 Dissemination and Exploitation (Lead ETRA)

WP1 Project Management (Lead AIT)

WP1 focuses on project management to ensure that high-quality and timely work is carried out at the SECCRIT project level. It will provide the central project coordination functions through the organisation of all required Project Steering Committee meetings, in order to facilitate the elaboration and implementation of a commonly agreed global strategy, technical decisions and work plans. WP1 will further ensure that all necessary administrative issues interfacing with the European Commission (reporting, cost statements, etc.) are covered in due time and supervised by all partners.

WP2 Requirements, Use cases and Legal (Lead AMARIS)

In this WP we will elicit requirements from the project partners and the end users through a user group workshop and respective follow-up interactions between the project partners and the end users. Then the consortium will perform an in-depth requirement analysis to derive a set of comprehensive and explicit requirements for the core components to be developed in the project. The resulting requirement specification will be essential to create a common understanding within the consortium in order to focus and concentrate development efforts. Use cases will be proposed by the industrial partners and discussed with the technical partners to ensure mutual understanding and consistent viewpoints from both sides (i.e., research and industry) from the beginning of the project. All these steps will be accompanied by sound legal analysis and guidance, which is further provided throughout the rest of the project runtime. This ensures that the developed technologies are characterized by legal compliance and are thus of practical relevance.

WP3 Architecture, Specification and Design (Lead Fraunhofer IESE)

In this WP we set out to investigate and develop approaches for designing and specifying novel cloud architectures for security, trust, and resilience. This will be aided by the development of a methodology for understanding the nature of the risk associated with deploying infrastructures in the cloud, including investigation of socio-technical approaches to managing the risks that have been identified. Based on this, we plan to develop a methodology that can be applied in the preliminary stages of deploying critical infrastructure services in the cloud, together with a suitable policy vocabulary, policy mechanisms and a policy editor that support users in specifying security requirements and in deriving the resulting machine-enforceable security policy. To summarise our findings, we will develop a security guideline and best practice for cloud-based critical infrastructure IT systems.

WP4 Cloud Operational Security and Resilience (Lead Lancaster University)

Building on the security policy work in WP3, this work package focuses on how such policies can be implemented. To capture disadvantageous situations, which then trigger policy actions, we apply anomaly detection approaches. This will aid the provision of: 1) Anomaly-based detection techniques to discover deviations in system and network behaviour. 2) Technologies for implementing policy enforcement for cloud computing environments. 3) Concepts for policy deployment and redeployment to the cloud in a secure manner.

WP5 Cloud Analysis and Assurance (Lead NEC)

In order to increase the trustworthiness of cloud environments, SECCRIT has defined three activities. First, a methodology to assess the security of a cloud environment and the services provided is developed. For this, the well-established Common Criteria methodology, widely used in assessing the security of software applications, is adopted and enhanced to meet the challenges of assessing a remote and distributed system. Second, SECCRIT will develop technologies to lawfully monitor and record service data. This requires suitable mechanisms to efficiently deal with the huge amount of data, especially with respect to the on-the-fly anonymization of data to meet EU privacy directives. This recorded data can later be used to assist a root-cause analysis in case of a service failure. The third activity deals with tools and APIs for root-cause analysis in cloud environments. For that purpose, SECCRIT will exploit and extend the system virtualization layer used to equip clouds with efficient, non-disruptive data extraction and analysis mechanisms.

WP6 Demonstration (Lead Ajuntament De Valencia)

A very important part of the project is the validation and reality check of the developed approaches in two demonstrators, i.e. pilot studies. One of these planned pilot studies will focus on the tools and services required to securely operate video surveillance data in virtualized environments. The basic functional requirements are: (a) access to secure and scalable storage technology and (b) methods for fast and reliable processing of video content. This includes services like data archival/encryption, processing/analysis, as well as on-demand access/rendering. The sensitive data includes but is not limited to video recordings that are stored in cloud-resident storage media. An example application is cloud-based analysis of video data in order to extract metadata describing detected objects, their properties and behaviour. Concepts, methods, and technologies developed as part of the project will be applied to instantiate an appropriate prototype system. The distinct capabilities of this system with respect to the requirements of this demo case will further be investigated under realistic conditions. The other pilot study will cover the validation process to be carried out within a ‘Hosting critical mobility services’ scenario. The activity will apply and analyse project results. The task will also tackle the implementation and integration of the necessary tools to deploy the demonstrator, which will be focused on the cloud hosting of several critical services currently existing in the traffic control centre of the city of Valencia (Spain).

WP7 Dissemination and Exploitation (Lead ETRA)

The work planned for WP7 will be split into four separate but closely interconnected tasks devoted to management of the Users and Advisory Board, all dissemination actions (activity planning, website creation and maintenance, development of dissemination materials and means), standardisation activities, and finally production of deployment and exploitation plans for the project and for individual partners.