Questions&Answers
The CSP Innovation Forum 2015 was organised by the European Commission, DG CNECT (Unit H4 Trust & Security) and the CSP Forum on the 28th and 29th of April.
https://www.cspforum.eu/2015/
Over 40 top tech, EU-funded trust and security projects, including TREDISEC (Trust-aware, Reliable and Distributed Information Security in the Cloud), with focused research activities in hot topical areas such as mobile device technologies and tools, cloud security, cryptography and trustworthy network and service infrastructures, are being showcased live at a major EU Innovation forum this week, where over 500 cyber security and privacy experts, project leaders, industry, academics and visionaries are also pooling their knowledge to create a safer and more secure ICT environment.
TREDISEC will develop new systems and techniques which make the cloud a secure and efficient haven to store and process data. The objective is to step away from a myriad of disconnected security protocols or cryptographic algorithms, and to converge on a single framework where all objectives are met.
The project has received funding from the European Commission under the Information and Communication Technologies (ICT) theme of the Horizon 2020 framework programme (H2020-ICT-2014-1). The project started in April 2015, coordinated by Atos with partners NEC Europe (United Kingdom), IBM Research (Switzerland), Eurecom (France), Arsys (Spain), GRNET (Greece), SAP (Germany) and Morpho (France). More information about the project is available at www.tredisec.eu.
For information, please contact the project coordinator, Ms. Beatriz Gallego-Nicasio at beatriz.gallego-nicasio@atos.net.
- Press release published in GPSNews.es, online magazine specialized in Communication and PR.
- Press release published in CIO.es, website specialized in IT trends.
- Press release published in strategicpartner.es, IT CIO.es and techWEEK.es, online channels belonging to ITMedia Network, communication platform addressed to IT professionals.
- Press release published in elcandelerotecnologico.com, website specialized in IT news.
- Press release published in Datacenter Dynamics, information provider addressed to professionals in the data centre sector.
- Press release published in ITSeguridad.es, website specialized in cybersecurity.
The Cloud World Forum event took place at the Olympia Grand in London on 24-25 June and has this year grown its audience and floor plan by 30%.
Cloud World Forum is EMEA’s largest Cloud expo. Thousands of delegates come from more than 70 countries around the world to meet the industry’s leading solution providers. Now celebrating its seventh year, the show gathers the pivotal players of the Cloud revolution and features 16 content theatres. More than 300 speakers from multinationals, SMEs, public sector organisations, online players, regulators, telcos and analysts are set to take the floor in engaging, thought-provoking keynotes, hands-on labs, brainstorming sessions and live demos over two days.
TREDISEC was present at this event courtesy of the CSP Forum, which offered its space to exhibit the project's flyers.

The TREDISEC consortium held its first project-internal workshop for the definition of the Use Cases, in the context of WP2 Requirements and Architecture for a Secure, Trusted and Efficient Cloud.
The objective of this workshop was to obtain a clearer description of the context scenarios and their technical requirements, and to define clearly the set of use cases that will be used to evaluate the TREDISEC technical developments.
The workshop was a full one-day meeting hosted by GRNET at their offices in Athens; SAP, ATOS, ARSYS, EURECOM, IBM, MORPHO, NEC and GRNET attended.
Learn more about the TREDISEC Use Cases at http://www.tredisec.eu/content/use-cases
From 28th to 30th of September 2015, the 1st Workshop on Security and Privacy in the Cloud will be held in Florence, Italy, in conjunction with the IEEE Conference on Communications and Network Security (CNS 2015).
The goal of this workshop is to bring together researchers and practitioners who are interested in discussing the security, privacy, and data protection issues emerging in cloud scenarios, and possible solutions to them.
The workshop seeks submissions from academia, industry, and government presenting novel research, as well as experimental studies, on all theoretical and practical aspects of security, privacy, and data protection in cloud scenarios.
Several members of the TREDISEC consortium will take part in this workshop: Elli Androulaki (IBM Research) as Program Chair, and Ghassan Karame (NEC Labs), Florian Kerschbaum (SAP) and Melek Önen (EURECOM) as members of the Program Committee.
TREDISEC is a leading project in research, development and innovation in cloud security, and involves some of the leading European experts in this field. NEC Labs, SAP and EURECOM are recognized researchers, well positioned in the state-of-the-art advances that have driven the growth of cloud environments in the IT sector.
For more information: http://www.zurich.ibm.com/spc2015/
Arsys, partner belonging to the TREDISEC project consortium, has published today in its blog a post explaining the main features of the project, and how Arsys is going to collaborate on it.
http://www.arsys.info/seguridad/arsys-se-incorpora-al-proyecto-europeo-t...
The 6th International Conference on E-Democracy (e-Democracy 2015, http://www.edemocracy2015.eu), will take place in Athens, Greece, 10-11 December 2015, with a special session on research conducted within European R&D projects related to e-Democracy and e-Participation, e-Government, Security, Privacy and Trust, e-Crime, e-Fraud and Digital Forensics.
In this special session, each participating project can present its main research challenges and results in a short presentation and with a poster, which will be exhibited in or near the conference room.
Participating projects will also be invited to submit an extended abstract of 2 pages, which will be published in the e-Democracy 2015 conference proceedings.
The paper/extended abstract entitled "TREDISEC: Trust-aware reliable and distributed information security in the cloud" has been accepted for presentation at the conference and for inclusion in the proceedings, subject to registration to the conference.
The paper is a joint work of the TREDISEC consortium, led by Melek Önen (Eurecom).
More information at http://www.edemocracy2015.eu/
Atos has published "enabling trusted European cloud", a document that aims to clarify the fundamental issues that affect cloud developments in Europe, and to reassure potential cloud customers that there are ways of steering through them.
It proposes a roadmap in which all parties, including customers, need to be involved to achieve a vibrant and successful cloud environment that is fit for the European purpose.
Atos, through ARI (Atos Research & Innovation), has run a number of projects that contribute to the concept of Trusted European Cloud. Many of these projects, which span security, privacy and cloud, were supported by funding from the EC.
TREDISEC appears as one of these projects, mentioned on page 34. TREDISEC is focused on research about securing data access in multi-tenant storage systems.
CSP Forum has published its newsletter of July 2015.
TREDISEC is mentioned among the new cybersecurity-related projects that started during the last quarter.
Atos Spain will chair a networking session at ICT 2015, the reference event organized by the European Commission to promote knowledge of technological research financed with European funds. The selected projects, TREDISEC, WITDOM and PRISMACLOUD, will discuss the following topic: "Key challenges in end-to-end privacy/security in untrusted environments".
The networking session schedule, with all details, is currently available on the event website:
https://ec.europa.eu/digital-agenda/events/cf/ict2015/item-display.cfm?i...
There will be three talks given by three speakers, one for every project, that will deal with a specific key challenge related to the main topic.
Ghassan Karame (NEC Laboratories), a well-known expert on the subject of the debate, will attend on behalf of TREDISEC and give the talk titled “Data protection versus storage efficiency and multi-tenancy”.
In Ghassan's words, the talk approach would be: “Implementing existing end-to-end security solutions unfortunately cancels out the advantages of the cloud technology such as cost effective storage. We will talk about the challenges resulting from the combination of security, functional and non-functional requirements such as storage efficiency and multi-tenancy.”
Atos takes part in TREDISEC, the EU project to improve security in the cloud.
The H2020 projects WITDOM (www.witdom.eu), TREDISEC (www.tredisec.eu) and PRISMACLOUD (www.prismacloud.eu), responding to the H2020-ICT-2014-1 call, organize a joint networking session at the ICT 2015 – Innovate, Connect, Transform event, held on October 22nd 2015 at 14:50 CET in Room 8 of Centro de Congressos de Lisboa, Lisbon (Portugal). The joint networking session will discuss challenges to both security and end-users' privacy when outsourcing data to untrusted environments, such as privacy protection, integrity, data storage efficiency or multi-tenancy.
The networking session organized by WITDOM, TREDISEC and PRISMACLOUD is also supported by the project WISER (www.cyberwiser.eu) from the call H2020-DS-2014-1, acting as conductor of the session.
Mr. Nick Ferguson from Trust-IT Services and coordinator of the EC-funded CloudWATCH2 project, will set the stage with a presentation focussing on the key challenges related to the cloud. These challenges will be later presented by recognized researchers in the field to discuss where the trends are moving. Finally, a questions and answers slot is offered to interact with the audience about the proposed topics.
Presentation 1: “Cloud challenges to high-demanding privacy scenarios.” Abstract: “Distributed environments, in particular cloud ones, are generally perceived as being untrusted for storing sensitive personal data. Unless specific data protection measures are implemented, Cloud Providers and malicious parties could gain access to such data and make an unlawful use of them, beyond the specific context of explicitly authorized purposes. In case of scenarios with high-demanding privacy needs (such as eHealth or financial data), moving operations to the cloud requires the provisioning of strict guarantees to all involved parties, in full compliance with the law and according to state-of-the-art technology and best privacy-by-design and cloud security practices. In this talk some of these privacy challenges will be presented, as well as some approaches to overcome them.”
Speaker: Nicolas Notario McDonnell (Atos). Project WITDOM.
Presentation 2: “Verifiability and Authenticity of Data and Beyond” Abstract: “In this talk we discuss aspects related to reliably checking that third party infrastructure (i.e., the cloud) behaves as expected when storing and processing data. The focus is on cryptographic measures that ensure and sometimes even enforce honest behaviour and at least allow cryptographically holding the cloud accountable when it deviates from the expected behaviour.”
Speaker: Mr. Henrich C. Pöhls (Passau University). Project PRISMACLOUD.
Presentation 3: “Data protection versus storage efficiency and multi-tenancy” Abstract: “Implementing existing end-to-end security solutions unfortunately may reduce the advantages of the cloud technology such as cost effective storage. We will talk about the challenges resulting from the combination of security, functional and non-functional requirements such as storage efficiency and multi-tenancy.”
Speaker: Ghassan Karame (NEC). Project TREDISEC.
The first project General Assembly will take place at Eurecom's premises in Sophia-Antipolis (France), on the 19th and 20th of November. This face-to-face meeting will gather TREDISEC partners to report on the progress of the different work packages, discuss upcoming tasks and deliverables, and revisit the overall management, innovation and communication strategy of the project.
Abstract
Cloud storage providers such as Dropbox and Google drive heavily rely on data deduplication to save storage costs by only storing one copy of each uploaded file. Although recent studies report that whole file deduplication can achieve up to 50% storage reduction, users do not directly benefit from these savings—as there is no transparent relation between effective storage costs and the prices offered to the users.
In this paper, we propose a novel storage solution, ClearBox, which allows a storage service provider to transparently attest to its customers the deduplication patterns of the (encrypted) data that it is storing. By doing so, ClearBox enables cloud users to verify the effective storage space that their data is occupying in the cloud, and consequently to check whether they qualify for benefits such as price reductions, etc. ClearBox is secure against malicious users and a rational storage provider, and ensures that files can only be accessed by their legitimate owners. We evaluate a prototype implementation of ClearBox using both Amazon S3 and Dropbox as back-end cloud storage. Our findings show that our solution works with the APIs provided by existing service providers without any modifications and achieves comparable performance to existing solutions.
The paper is related to the work conducted by ETH in work package 4.
Abstract
Cloud platforms that use logical partitions to allocate dedicated resources to VMs can benefit from small and therefore secure hypervisors. Many-core platforms, with their abundant resources, are an attractive basis to create and deploy logical partitions on a large scale. However, many-core platforms are designed for efficient cross-core data sharing rather than isolation, which is a key requirement for logical partitions. Typically, logical partitions leverage hardware virtualization extensions that require complex CPU core enhancements. These extensions are not optimal for many-core platforms, where it is preferable to keep the cores as simple as possible.
In this paper, we show that a simple address-space isolation mechanism, that can be implemented in the Network-on-Chip of the many-core processor, is sufficient to enable logical partitions. We implement the proposed change for the Intel Single-Chip Cloud Computer (SCC). We also design a cloud architecture that relies on a small and disengaged hypervisor for the security-enhanced Intel SCC. Our prototype hypervisor is 3.4K LOC which is comparable to the smallest hypervisors available today. Furthermore, virtual machines execute bare-metal avoiding runtime interaction with the hypervisor and virtualization overhead.
Publication related to WP4.
Abstract
With the continuous increase of cloud storage adopters, data deduplication has become a necessity for cloud providers. By storing a unique copy of duplicate data, cloud providers greatly reduce their storage and data transfer costs. Unfortunately, deduplication introduces a number of new security challenges. We propose PerfectDedup, a novel scheme for secure data deduplication, which takes into account the popularity of the data segments and leverages the properties of Perfect Hashing in order to assure block-level deduplication and data confidentiality at the same time. We show that the client-side overhead is minimal and the main computational load is outsourced to the cloud storage provider.
Publication related to WP3
Abstract
Spurred by the advent of cloud computing, the domain of verifiable computations has known significant progress in recent years. Verifiable computation techniques enable a client to safely outsource its computations to a remote server. This server performs the calculations and generates a proof asserting their correctness. The client thereafter simply checks the proof to convince itself of the correctness of the output. In this paper, we study how recent advances in cryptographic techniques in this very domain can be applied to biometric verification.
ICT 2015 networking session: Privacy/security in untrusted environments
The H2020 projects WITDOM, TREDISEC and PRISMACLOUD organize a joint networking session at the ICT 2015 – Innovate, Connect, Transform event, held on October 22nd 2015 at 14:50 CET in Room 8 of Centro de Congressos de Lisboa, Lisbon (Portugal). The joint networking session will discuss challenges to both security and end-users’ privacy when outsourcing data to untrusted environments, such as privacy protection, integrity, data storage efficiency or multi-tenancy.
Atos organized a networking session at ICT 2015, supported by the H2020 projects WITDOM, TREDISEC and PRISMACLOUD.
ICT is one of the most relevant events organized by the European Commission to promote projects financed by European funds that research the latest technological advances beyond the state of the art.
The session entitled "Key challenges in end-to-end privacy/security in untrusted environments" was chaired by Silvana Muscella, CEO & founder of Trust-IT, with a recognized career in ICT communication & business.
Next, Nicolas Notario (WITDOM project), Henrich Pöhls (PRISMACLOUD project) and Ghassan Karame (TREDISEC project) took over the session, and each of them presented a specific challenge in cloud security.
The subsequent discussion brought out the audience's concerns. Particularly notable were the animated discussions about informed consent and the ethical conflicts arising from the legal loopholes associated with it.
There is no doubt that privacy and security in the cloud will be a main topic of debate in the coming years, due to the growth of cloud services and the resulting consequences for data protection.

For more details, here you have the presentations given by the speakers:
TREDISEC is a Research and Innovation Action co-funded by the European Commission under the Horizon 2020 programme.
More details here.
TREDISEC aims to enhance the security and privacy of existing cloud technologies while keeping efficiency and cost levels stable.
Currently, an improvement in the security of cloud storage comes at the expense of higher costs and lower efficiency.
TREDISEC encompasses both functional and non-functional demands, and has the ambition to design mechanisms that satisfy security and functional requirements at a comparable level.
The project is coordinated by Atos, an international leader in digital services, which leads a consortium of European representatives from industry and research institutes from different countries (NEC in UK, Eurecom in France, GRNET in Greece, Arsys in Spain, IBM in Switzerland, SAP SE in Germany and Morpho in France).
The different TREDISEC consortium partners contribute as providers of Cloud services, solutions and infrastructures, participating in the research and development of beyond the state-of-the-art technologies and solutions, in the field of secure and trust-worthy ICT.
TREDISEC has a budget of around 6,5 million €, of which the European Commission funds around 4,4 million €. The budget is used mainly to cover the personnel costs of the entities that take part in the project, to conduct research, develop new innovative technologies, and test them in realistic evaluation scenarios. It is also used to manage the project, foster collaboration, regularly disseminate the achievements, and make a technology transfer assessment that turns into a realistic strategy for the exploitation of results, either individually or jointly, by the members of the consortium.
TREDISEC is a 3-year project (36 months). The project started on April 1st 2015 and is planned to finish by March 30th 2018.
Most existing solutions are not suitable for the market because they either provide security at the expense of the economy of scale and cost effectiveness of the cloud (e.g. data is encrypted before being outsourced, which prevents any computation from being performed in the cloud), or they meet the latter objectives at the expense of security (e.g., data deduplication and compression optimally use the resources of the cloud provider but require the customer to blindly trust its cloud provider).
The main aim of TREDISEC is to bridge this gap by developing tools and systems to address these shortcomings and to enhance the confidentiality and integrity of data outsourced to the cloud without affecting functionality, and storage efficiency.
From a practical standpoint, the ambition of this project is to develop systems and techniques that make the cloud a secure and efficient place to store data. We plan to step away from a myriad of disconnected security protocols or cryptographic algorithms, and to converge instead on a (possibly standardized) single framework where all objectives are met to the highest extent possible.
The work plan is organised in 7 work packages, whose interdependencies and relations are depicted in the project structure section.
- MS1: Use cases and scenario context definition due at M6 (September 2015).
- MS2: Consolidated requirements and architectural models due at M12 (March 2016).
- MS3: Design of the security primitives and framework due at M20 (November 2016).
- MS4: Implementation of the security primitives and the framework due at M30 (September 2017).
- MS5: Deployment of the Use Cases Evaluation environment due at M33 (December 2017).
- MS6: Final evaluation of TREDISEC due at M36 (March 2018).
The European Commission states that businesses and consumers still do not feel confident enough to adopt cross-border cloud services for storing or processing data, because of concerns relating to security, compliance with fundamental rights and data protection more generally.
Improving security and privacy features helps differentiate offerings by placing on the market services and solutions (new or improved) that are aligned with the European directives on security and privacy. In addition, when more secure services and solutions are offered, users can gain greater control over their data, increasing trust in IT technologies and online services.
Another priority objective of the EU is to protect our networks and critical infrastructure and respond effectively to cyber-threats; both national and EU-level cybersecurity strategies and regulation have been adopted.
Cloud infrastructure services are increasingly the most widespread option for most businesses in the EU, so protecting them against cyber attacks is critical.
Clearly, the development of technologies that make cloud infrastructures stronger and better prepared against possible attacks, with a greater ability to recover more quickly and effectively after a cyber security incident, enhances security and business preparedness.
For the EU, cloud computing is one of the main competitiveness drivers for all enterprises, regardless of their size and sector; it has therefore become one of the main priorities of the European Digital Agenda and a main player in numerous initiatives started within the member countries.
On the 27th of November, Olof Sandstrom, operations manager of Arsys, will give a talk about Public Cloud Security, focusing on debunking myths that are often linked to cloud security.
Since cloud solutions started to spread across industry, security has been one of the most common constraints hindering cloud adoption.
Mr. Sandstrom will talk about cloud security from this point of view, and will present TREDISEC as an example of research in cloud security within state-of-the-art projects.
More details about Codemotion event: http://2015.codemotion.es/
Arsys, partner belonging to the TREDISEC project consortium, has published in its blog a post talking about CODEMOTION, one of the biggest events for developers, set in Madrid.
The TREDISEC project will be presented at this event by Olof Sandstrom, Arsys Manager Operations, as an EC initiative whose objective is the development of procedures and technological solutions that combine security, efficiency and technical functionality, making cloud adoption easier for European enterprises.
Complete Arsys post here (text in Spanish): http://www.arsys.info/eventos/codemotion-el-mayor-evento-sobre-programac...
Cybercamp 2015 is the meeting place for young talents, families, entrepreneurs and anyone interested in cybersecurity. It will be held in the BarclayCard Center of the Community of Madrid from 27 to 29 November.
Beatriz Gallego, Atos project leader, will give a talk in Cybercamp next Sunday, 29th November at 10:45 a.m. to explain how TREDISEC can provide security and efficiency in the cloud for public sector, cloud providers or enterprises, including SMEs.

On 19th - 20th November the TREDISEC consortium got together to report on the project status and the progress of the managerial/administrative, financial, technical and dissemination/communication activities carried out in the past 8 months.
Attendees presented the work conducted in the different work packages, the advances made and the deliverables submitted.


In addition, the next steps were decided according to the roadmap designed for the project.
The meeting was hosted in Sophia Antipolis by EURECOM.

Hellenic Data Protection Authority and a number of universities. It is intended, similarly to previous occasions, to provide a forum for presenting and debating the latest developments in the field, from a technical, political, and legal point of view.
The conference has included a special session on research conducted within European R&D projects related to e-Democracy and e-Participation, e-Government, Security, Privacy and Trust, e-Crime, e-Fraud and Digital Forensics.
Within this special session, Panos Louridas, from GRNET, one of the companies that are part of the TREDISEC consortium, presented the TREDISEC project, explaining its contribution to the Security, Privacy and Trust fields.

The objective of TREDISEC is to develop novel, modular end-to-end security primitives that can be combined in a unified framework to cover the entire spectrum of cloud-relevant security, functional, and non-functional requirements.
TREDISEC plans to step away from a myriad of disconnected security protocols or cryptographic algorithms, and to converge on a single framework where all objectives are met. As a result, it will deliver a number of practical security solutions for cloud storage and computations, which make the cloud a secure and efficient haven for data storage.
More information is available in the presentation shown at the conference.
The book E-Democracy – Citizen Rights in the World of the New Computing Paradigms has recently been published in electronic and print format, on the Springer website.
This book constitutes the refereed proceedings of the 6th International Conference on E-Democracy, E-Democracy 2015, held in Athens, Greece, in December 2015.
It contains 13 revised full papers presented together with 8 extended abstracts that were selected from 33 submissions.
The papers are organized in topical sections on privacy in e-voting, e-polls and e-surveys; security and privacy in new computing paradigms; privacy in online social networks; e-government and e-participation; legal issues. The book also contains the extended abstracts describing progress within European research and development projects on security and privacy in the cloud; secure architectures and applications; enabling citizen-to-government communication.
TREDISEC was selected to be presented at the conference, after the approval of the extended abstract sent by the project consortium.
Panos Louridas, from GRNET, one of the companies that are part of the TREDISEC consortium, was responsible for presenting TREDISEC at the conference, explaining its contribution to the Security, Privacy and Trust fields.
The TREDISEC extended abstract is contained in the book from page 193.
The article entitled "TREDISEC: Towards Realizing a Truly Secure and Trustworthy Cloud" has been published in issue no. 104 (corresponding to January 2016) of the magazine ERCIM News, in the section devoted to presenting Research and Innovation initiatives.
The article is a joint work of the project consortium, authored by Beatriz Gallego-Nicasio (ATOS), Melek Önen (EURC) and Ghassan Karame (NEC), and presents an overview of the project, its main research and innovation challenges and an outline of the validation approach that is going to be followed.
The issue is published online at http://ercim-news.ercim.eu/en104 and can also be downloaded in PDF or EPUB format:
http://ercim-news.ercim.eu/images/stories/EN104/EN104-web.pdf
http://ercim-news.ercim.eu/images/stories/EN104/EN104.epub
Problem context
End-to-end security comes at odds with current functionality offered by the cloud. Existing state of the art solutions completely give up one requirement for the other. End-to-end security aims to endow the users with full control over their outsourced data, but cloud service providers may not be able to efficiently process clients' data, nor may they be able to take full advantage of cost-effective storage solutions which rely on existing deduplication and compression mechanisms.
Another important point that should not be overlooked when designing security mechanisms for cloud systems is their integration into a single framework. Typically, a security primitive is devised for a single use-case and/or a specific application. Although such a design approach may reduce the complexity of the solution, it may lead to situations where security primitives are incompatible to the point that they cannot be implemented using the same interface or the same framework.
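The tension between end-to-end encryption and deduplication described under "Problem context" can be made concrete with a small simulation, added here as an illustration and not taken from TREDISEC or its publications. It assumes a provider that deduplicates by SHA-256 of each uploaded blob; the keystream cipher, the content-derived key mode, the workload and all names are constructed for the example.

```python
import hashlib
import hmac
import os
from itertools import combinations


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (illustration only)."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        pad = hmac.new(key, nonce + block_no.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ p for b, p in zip(chunk, pad))
    return bytes(out)


def encrypt_per_user(user_key: bytes, plaintext: bytes) -> bytes:
    """End-to-end mode: the user's own key and a fresh random nonce per upload."""
    nonce = os.urandom(16)
    return nonce + keystream_xor(user_key, nonce, plaintext)


def decrypt_per_user(user_key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt_per_user: the nonce is the first 16 bytes of the blob."""
    return keystream_xor(user_key, blob[:16], blob[16:])


def encrypt_content_derived(plaintext: bytes) -> bytes:
    """Deterministic mode: the key is derived from the file itself, so equal
    files give equal ciphertexts (assumed construction, not a TREDISEC primitive)."""
    key = hashlib.sha256(b"content-key" + plaintext).digest()
    return keystream_xor(key, b"\x00" * 16, plaintext)


class DedupStore:
    """Provider side: keeps one copy per distinct blob, indexed by SHA-256."""

    def __init__(self):
        self.blobs = {}           # digest -> blob actually stored
        self.upload_digests = []  # one entry per upload, as the provider sees it

    def put(self, blob: bytes) -> None:
        digest = hashlib.sha256(blob).hexdigest()
        self.blobs.setdefault(digest, blob)
        self.upload_digests.append(digest)

    def savings(self) -> float:
        """Fraction of uploaded bytes the provider did not have to store."""
        logical = sum(len(self.blobs[d]) for d in self.upload_digests)
        stored = sum(len(b) for b in self.blobs.values())
        return 1 - stored / logical

    def linkable_pairs(self) -> int:
        """Number of upload pairs the provider can tell hold identical content."""
        return sum(a == b for a, b in combinations(self.upload_digests, 2))


def simulate(mode: str, uploads, user_keys) -> DedupStore:
    """Upload every (user, data) pair under the given client-side mode."""
    store = DedupStore()
    for user, data in uploads:
        if mode == "plaintext":
            blob = data
        elif mode == "per_user":
            blob = encrypt_per_user(user_keys[user], data)
        elif mode == "content_derived":
            blob = encrypt_content_derived(data)
        else:
            raise ValueError(f"unknown mode: {mode}")
        store.put(blob)
    return store


# Constructed sample workload: three tenants share one file, each has a private one.
USERS = ["alice", "bob", "carol"]
USER_KEYS = {u: hashlib.sha256(u.encode()).digest() for u in USERS}  # demo keys only
SHARED = b"quarterly-report-2015 " * 200
UPLOADS = [(u, SHARED) for u in USERS] + [(u, f"notes of {u} ".encode() * 50) for u in USERS]

if __name__ == "__main__":
    for mode in ("plaintext", "per_user", "content_derived"):
        s = simulate(mode, UPLOADS, USER_KEYS)
        print(f"{mode:16} stored={len(s.blobs)} of {len(s.upload_digests)} uploads, "
              f"savings={s.savings():.0%}, linkable pairs={s.linkable_pairs()}")
```

Per-user keys hide content equality from the provider but eliminate the storage savings; the content-derived mode restores the savings at the price of letting the provider see which uploads are identical.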

Progress towards the objectives and advance beyond the state of the art
During this reporting period, the TREDISEC consortium partners have been focusing on designing novel end-to-end security solutions for scenarios with conflicting functional and security requirements, using as a basis the representative scenarios and use-cases defined by the end-user partners. We first had to identify the functional requirements that are crucial to the cloud business and explore non-functional requirements such as storage efficiency and multi-tenancy. Next, we had to analyse the conflicts between these requirements and security needs in order to develop new solutions that address these shortcomings and enhance security. Moreover, state-of-the-art mechanisms and solutions have been analysed thoroughly in the technical work-packages (WP2, WP3, WP4 and WP5). In particular, some partners of the consortium have already achieved the following advances:
- devised new primitives to support data confidentiality and data deduplication, including the analysis of their compatibility with Proof of Ownership (PoW) mechanisms;
- actively analysed the state of the art with respect to searchable encryption, secure biometric computations, and possible parallel computation and migration mechanisms;
- described mechanisms for an optimized storage of encrypted data based on the analysis of historical or anticipated SQL queries;
- conducted a thorough survey of the state of the art on verifiable storage, verifiable computation and verifiable ownership in order to identify the TREDISEC-specific requirements;
- proposed a new security model for outsourced proof of retrievability;
- proposed a study on the possibility of applying verifiable computing techniques to biometric comparison;
- investigated approaches to vulnerability discovery and isolation in file systems that are used to provide storage for cloud services;
- proposed a novel mechanism which enables the emerging many-core processor architectures to provide secure isolation properties for cloud platforms and especially IaaS deployments.
The design of the TREDISEC framework, which efficiently integrates the required security primitives without incurring extra processing and storage cost at the cloud service providers or end-users, has also been a key activity during these last months. The ultimate goal of the TREDISEC framework is to facilitate the orchestration of different security primitives deployed into real cloud systems.
A first architectural model of the framework has been outlined, taking into account business, quality and operational requirements, since it should support a range of stakeholders (e.g. security administrators, developers, or cloud system engineers) and target cloud offerings.
By using the framework, security primitives can be tested in isolation or combined with others in order to produce pre-packaged security solutions that are ready to be deployed and guaranteed to be free of incompatibilities. The framework should also permit cloud system engineers and security experts to select, according to their own system needs, the functional and non-functional (security and privacy) requirements they wish TREDISEC to fulfil.
Summary of work performed and main achievements

From the project kick-off on the 1st of April until the 31st of December 2015, a period spanning M1 to M9 of the project plan, the activities performed by the TREDISEC consortium can be structured along the following lines of work:
- Launching of the project and setting up the different procedures (quality, reporting, risk management, document/output storage and management, deliverable quality review, etc.), management structure, guidelines and supporting tools to enable a seamless and fruitful collaboration among the consortium partners, in order to achieve the project objectives and develop the work promised in the DoA according to the schedule. This has been described in a deliverable document released by M3, entitled “D1.1 Project Quality Assurance Plan”.
- Definition of the Innovation strategy for the project and agreement on a plan to implement and deploy it within the existing project structures. This consisted of identifying the project's key innovation points and specifying “innovation-related activities” such as monitoring, emergency plans, or take-up activities, defining a framework for assessing the project's innovation health level, and defining strategies for identifying and acquiring feedback from different entities and communities to better align the project results with users’ expectations. This has been described in a deliverable document released by M3, entitled “D1.5 Innovation Strategy and Plan”. In the last quarter of the period, a first innovation check was done by the Innovation Director (from NEC) with the work-package leaders in relation to the identified key innovations of TREDISEC. The result was that, so far, there are no identified threats in the market to the expected TREDISEC innovations.
- Definition of a common project strategy for dissemination and communication of project advances and results, to set the baseline for individual partners’ activities, in order to reach the maximum impact possible. The strategy is accompanied by a plan that establishes a series of activities to promote the project throughout its entire duration, as well as a complete set of graphical material that supports these activities. The graphical material comprises the project branding (i.e. logo, colour code, templates for documents, a poster and a promotional brochure/flyer); the project website (www.tredisec.eu), online since M2 and publicly accessible, which is considered the main point of contact for externals and the first means for dissemination and communication of project advances and regular achievements (the website constitutes a deliverable and is described in the accompanying document “D7.1 TREDISEC public website”); social media accounts (i.e. a dedicated LinkedIn group and Twitter account); infographics (within this period, one infographic has been made available through the website); and press releases and campaigns to promote the project's official start and the networking session at the ICT 2015 event, which TREDISEC co-organised and where there was a scheduled talk about one specific project line of research. The communication and dissemination activities are grouped into phases, each one focusing on the promotion of certain aspects of the project, with customized key messages and targeting different types of audience (i.e. scientific, research, industry, citizens, public administration, policy-makers, etc.), making use of the most appropriate channel in each case. The dissemination and communication strategy and the associated implementation plans have been defined in two deliverable documents, “D7.2 Dissemination plan” and “D7.3 Communication strategy and plan” respectively, both released in M6.
- Launching of the technical work-packages devoted to the research and development of the security primitives. Each of these work-packages, namely WP3, WP4 and WP5, focuses first on analysing the different conflicts that may arise when trying to satisfy cloud functional requirements (e.g. efficiency, reduced costs) while at the same time providing security guarantees (e.g. confidentiality, integrity), and second on researching different schemes and primitives that overcome those conflicts.
- Description of the context scenarios and specification of the use cases that will be used to drive the technical developments and evaluate the project results. Four partners of the project (SAP, GRNET, ARSYS and MORPHO) described their context scenarios and use cases, which will be used in the project for two purposes: (i) to elicit a series of end-user requirements that will influence the design of the TREDISEC framework architecture and the security primitives developed in the technical work-packages (i.e. 3, 4 and 5); and (ii) to set up the context for the evaluation activities that will take place in the last year of the project in the context of WP6. The descriptions have been compiled into a deliverable document released by M6, entitled “D2.1 Description of the context scenarios and use cases definition”, which constitutes the achievement of the first project milestone: “MS1: Use cases and scenario context definition”.
- Specification of the requirements for the TREDISEC framework and the security primitives. As indicated in the previous point, the use case scenarios propose a series of requirements for TREDISEC technical activities from the user point of view. Besides these, the actual technological challenges the project aims to face, that is, the lack of practical solutions that combine efficiency and security aspects in current cloud solutions, are also a source of requirements for the TREDISEC developments. All these requirements are listed and a trade-off analysis is described in a deliverable document entitled “D2.2 Requirements analysis and consolidation”, released in M9.
- Outline of a proposed architectural model for the TREDISEC framework, taking into account the requirements identified in Task 2.1. This first draft first analysed various state-of-the-art reference architectures of cloud systems, and second proposed an approach that permits combinations of security primitives to work together holistically in a range of cloud-based settings.
- Initial prospecting of the market and identification of suitable commercialization options for the TREDISEC outputs (i.e. the framework and the security primitives), in order to evaluate the most appropriate business model for TREDISEC, which will influence the framework architecture, the implementation approach and operational model on the one hand, and the exploitation strategies on the other hand.
The 2nd IEEE International Workshop on Secure Identity Management in the Cloud Environment (SIMICE-2016), adjunct to the 40th IEEE Computer Society International Conference on Computer, Software & Applications Conference (COMPSAC 2016), will take place in Atlanta, Georgia, USA from 10th to 14th of June 2016.
The workshop is dedicated to the security and privacy aspects of identity management (IDM) in the cloud. Two tracks, namely "Concept design and enabling technologies" and "Applications and evaluations", are planned to attract both theoretical and empirical works from the IDM society and the cloud computing society.
TREDISEC is participating in this workshop. Julien Bringer, from SAFRAN Morpho, has worked in the project since the beginning, being responsible for developing specific use cases as an initial test of the technology.
Julien Bringer will take part in SIMICE-2016 as co-organizer and member of the Program Committee that will evaluate the submitted papers.
More details about the workshop here: http://staging.computer.org/web/compsac2016/simice
Abstract
With the advent of cloud computing, individuals and companies alike are looking for opportunities to leverage cloud resources not only for storage but also for computation. Nevertheless, the reliance on the cloud to perform computation raises the unavoidable challenge of how to assure the correctness of the delegated computation. In this regard, we introduce two cryptographic protocols for publicly verifiable computation that allow a lightweight client to securely outsource to a cloud server the evaluation of high-degree univariate polynomials and the multiplication of large matrices. Similarly to existing work, our protocols follow the amortized verifiable computation approach.
Furthermore, by exploiting the mathematical properties of polynomials and matrices, they are more efficient and give way to public delegatability. Finally, besides their efficiency, our protocols are provably secure under well-studied assumptions.
Atos Research & Innovation group (ARI), hub for research and development in new technologies and a key reference for the whole Atos group, has launched the yearly report of Atos Research & Innovation (ARI) activities in 2015.
ARI's focus is to investigate emerging technologies and anticipate market demand with innovative solutions.
This year, ARI has proved its success in several projects, providing innovative services to customers.
For instance, ARI has led the TREDISEC project, which aims at increasing trust in cloud computing by designing new security primitives ensuring data security and user privacy and supporting the underlying storage and computation technology at the same time.
More details about the group's on-going cybersecurity projects, and more specifically about TREDISEC, are available on pages 37 and 38 of the booklet.
The Data Protection Security and Privacy (DPSP) in the Cloud Cluster has published the whitepaper "Challenges for trustworthy (multi-)Cloud-based services in the Digital Single Market".
The future Digital Single Market (DSM) poses a number of research challenges for future years. Particularly, the DSM Initiative #14 on “Free flow of data” directly impacts on a number of security and privacy issues on (multi-)cloud-based services and cloud services. The objective of this white paper is to develop an initial map of challenges identified by the DPSP Cluster projects related to the DSM Initiative #14 topics at the right level of abstraction that could be reused by the EC and policy makers. The map includes a collection of the challenges most relevant for the next Horizon 2020 Work Programme 2018-2020.
Under the title "IBM Scientists bring trust and reliability to the cloud with advanced cryptography in EU project", the IBM Research blog has published an interview with IBM scientists about the upcoming challenges of the TREDISEC project and its impact on security and efficiency in tomorrow's cloud.