Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private...
Transcript of Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private...
![Page 1: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/1.jpg)
Securing INSPIREd geodatacloud services with CLARUS
INSPIRE conference 2016 (Barcelona)
![Page 2: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/2.jpg)
Why cloud computing ?
Increase flexibilityon‐demandelasticityubiquitous access
Reduce costsshared resourcespay as you usemetering
Reduce riskshigher availability
Securing INSPIREd geodata cloud services with CLARUS 2
![Page 3: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/3.jpg)
The main barriersto cloud adoption
3
Geodata providers are often reluctant to move to the cloud
Data security Loss of control Data location
Securing INSPIREd geodata cloud services with CLARUS
![Page 4: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/4.jpg)
4
PrivateCloud
CloudAccessSecurity Broker
Solutions ?
on‐premises or cloud‐hosted
software that acts as a control point to support threat protection and
security for cloud services
a type of cloud computing that delivers similar
advantages to public cloud but
implemented within the corporate infrastructure
Securing INSPIREd geodata cloud services with CLARUS
![Page 5: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/5.jpg)
AKKA Research roadmap
5
CLOUDS CLARUS
privatecloud
cloud security
demonstrate the feasibility of employing a cloud‐based infrastructure to provide
seamless access to geospatial public sector information
Securing INSPIREd geodata cloud services with CLARUS
EuropeanCommission
H2020programme
![Page 6: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/6.jpg)
INSPIRE in the cloud security issues
some geospatial data are sensitive for public security matters for commercial reasons
their exploitation in the cloud raises security issuesthe mission of European geosurvey organisations
includes the management of sensitive environmental data (e.g. drinking water collection points)
beside the legal obligations to share public data to a large audience
6Securing INSPIREd geodata cloud services with CLARUS
![Page 7: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/7.jpg)
The CLARUS solution
7
in the context of honest‐but‐curious cloud service providers (CSP)
Securing INSPIREd geodata cloud services with CLARUS
![Page 8: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/8.jpg)
The « honest‐but‐curious » threat model
8
Secure the transport
Secure the access
Trust the service provider
Secure communication
HTTPSSFTPSSH
Access controlAuthenticationAuthorization
?
Securing INSPIREd geodata cloud services with CLARUS
![Page 9: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/9.jpg)
The « honest‐but‐curious » threat model
9
Secure the transport
Secure the access
Trust the service provider
HONEST
butCURIOUS
Securing INSPIREd geodata cloud services with CLARUS
![Page 10: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/10.jpg)
10
data set
Cloud Service Provider
UNTRUSTEDZONE
TRUSTED ZONE
Securing INSPIREd geodata cloud services with CLARUS
![Page 11: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/11.jpg)
11
data set
search query
data set
transformedsearch
obfuscatedresults
clearresults
2
3
4 5
61
Cloud Service Provider
UNTRUSTEDZONE
TRUSTED ZONE
Proxy
Securing INSPIREd geodata cloud services with CLARUS
![Page 12: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/12.jpg)
Application cases considered
12Securing INSPIREd geodata cloud services with CLARUS
![Page 13: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/13.jpg)
Data operations
13
data anonym. encryption
data splitting
searchableencryption
data coarsening
homo‐morphic
encryption
clear data protected dataProxy
Securing INSPIREd geodata cloud services with CLARUS
![Page 14: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/14.jpg)
Encryption techniques
14
data anonym. encryption
data splitting
searchableencryption
data coarsening
homo‐morphic
encryption
Proxy protected dataclear data
Securing INSPIREd geodata cloud services with CLARUS
![Page 15: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/15.jpg)
Privacy‐preserving techniques
15
data anonym. encryption
data splitting
searchableencryption
data coarsening
homo‐morphic
encryption
Proxy protected dataclear data
Securing INSPIREd geodata cloud services with CLARUS
![Page 16: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/16.jpg)
Data anonymisation
16
data anonym. encryption
data splitting
searchableencryption
data coarsening
homo‐morphic
encryption
Proxy protected dataclear data
Sensitive data are made indistiguishable
in order to avoidreidentification
and confidential data disclosure
Securing INSPIREd geodata cloud services with CLARUS
![Page 17: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/17.jpg)
Data coarsening
17
data anonym. encryption
data splitting
searchableencryption
data coarsening
homo‐morphic
encryption
Proxy protected dataclear data
Data are generalized in order to lower their level
of details and thus avoid disclosure
Securing INSPIREd geodata cloud services with CLARUS
![Page 18: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/18.jpg)
Data splitting
18
data anonym. encryption
data splitting
searchableencryption
data coarsening
homo‐morphic
encryption
Proxy protected dataclear data
Data are fragmented into different cloud providers so that individual pieces do
not cause disclosure
Securing INSPIREd geodata cloud services with CLARUS
![Page 19: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/19.jpg)
19
Data coarsening
![Page 20: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/20.jpg)
20
Data anonymization
![Page 21: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/21.jpg)
21
Data splitting
![Page 22: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/22.jpg)
What about encryption ?
22Securing INSPIREd geodata cloud services with CLARUS
![Page 23: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/23.jpg)
The challenges of encryption
Full encryption is advised(Partial encryption reveals search patterns to the CSP that can be used to deriveinformation about the protected data)
…. but ….How to fully encrypt without breaking functionality ?
For vector datasets stored in a spatial DB, it is not possible
23Securing INSPIREd geodata cloud services with CLARUS
![Page 24: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/24.jpg)
Combining techniques
24
data anonym. encryption
data splitting
searchableencryption
data coarsening
homo‐morphic
encryption
clear data protected dataProxy
USE CASEKriging computation
(geoprocessing)
Measurements (z) are encrypted and
outsourced to one cloud
Outsourced coordinates (x,y) are split
(latitude/longitude) in different clouds
Kriging computation on protected data is
possible
Securing INSPIREd geodata cloud services with CLARUS
![Page 25: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/25.jpg)
Searchable encryptionfor geo‐referenced data
25
data anonym. encryption
data splitting
searchableencryption
data coarsening
homo‐morphic
encryption
Proxy protected dataclear data
RESEARCH PAPER
Securing INSPIREd geodata cloud services with CLARUS
![Page 26: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/26.jpg)
Homomorphic encryption for secure geoprocessing
26
data anonym. encryption
data splitting
searchableencryption
data coarsening
homo‐morphic
encryption
Proxy protected dataclear data
RESEARCH PAPER
Securing INSPIREd geodata cloud services with CLARUS
![Page 27: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/27.jpg)
Proxy
under the magnifying glass
27
clear data protected data
data protection
ANON.
COARS.
SPLIT.
ENCRYP
S.E.
H.E.
sensitive dataidentification
PGSQL
WFS WPSWFST
S3
+PLUGINS
protocol parsing request /responseprocessing
STREAMING
BUFFERING SECURITYPOLICY
Securing INSPIREd geodata cloud services with CLARUS
![Page 28: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/28.jpg)
28
Geospatial datasetsfor CLARUS
containgeographicalcoordinates
contain scientificattributes
(measurements)
require a certain level of security
(confidential)
relating to one of the INSPIRE thematic groups held by public
authorities or third-parties
conforming to standards (OGC, ISO)
Securing INSPIREd geodata cloud services with CLARUS
![Page 29: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/29.jpg)
INSPIRE use cases for CLARUS
29
groundwaterboreholes
energy supplynetworks
geology(kriging)
any
storage geo publication
geoprocessing
geocollaboration
Securing INSPIREd geodata cloud services with CLARUS
![Page 30: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/30.jpg)
INSPIRE use cases for CLARUS
30
storage geopublication
geoprocessing
geocollaboration
WFS WPS WFST
PGSQLS3
Securing INSPIREd geodata cloud services with CLARUS
![Page 31: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/31.jpg)
Other (possible) applications
Health geostatisticsprivacy‐preserving statistics and geography
Location privacyprivacy‐preserving location based services (LBS)for smart cities, smart phones, connected cars
Satellite imageryprotect high resolution products
31Securing INSPIREd geodata cloud services with CLARUS
![Page 32: Securing INSPIREdgeodata cloud services with CLARUS · AKKA Researchroadmap 5 CLOUDS CLARUS private cloud cloud security demonstrate the feasibility of employing a cloud‐based infrastructure](https://reader034.fdocuments.in/reader034/viewer/2022050100/5f804042f9c3ee340a3ab4d0/html5/thumbnails/32.jpg)
THANK YOUThierry Chevallier
(AKKA Technologies)
www.clarussecure.eu | [email protected] | @Clarusecure CLARUS has received funding from the European Union's Horizon 2020 programme ‐ DG CONNECT Software & Services, Cloud. Contract No. 644024