SECCRIT - SEcure Cloud computing for CRitical infrastructure IT

  • contact:

    Prof. Dr. Ing. Frank Pallas,
    Silvia Balaban,
    Dr. iur. Oliver Raabe

  • funding:

    EU FP7

  • Partner:

    AIT Austrian Institute of Technology,
    ETRA Investigación y Desarrollo S.A.,
    Fraunhofer IESE,
    NEC Europe,
    University of Lancaster, School of Computing and Communications,
    Mirasys,
    OTE (Hellenic Telecommunications Organization),
    Ajuntament de València,
    Thales Information Systems

  • startdate:

    01/2013

  • enddate:

    12/2015

Projektbeschreibung / Project Summary

Cloud Computing is a style of computing where elastic IT-related capabilities are provided as optimized, cost-effective, and on-demand utility-like services to customers using Internet technologies. Being one of the major trends in the IT industry recently, it has gained tremendous momentum and started to revolutionize the way enterprises create and deliver IT solutions. As more sectors adopt cloud services in their computing environment, the trend will also reach ICT services operating critical infrastructures (CI), such as transportation systems or infrastructure surveillance.

Hosting CI services in the cloud brings with it security and resilience requirements that existing cloud offerings are not well placed to address. Due to the opacity and elasticity of cloud environ- ments, the risks of deploying CI services in the cloud are difficult to assess – specifically on the technical level, but also from legal or business perspectives. Traditional IT security measures cannot fully tackle the issues (e.g. risk, trust, and resilience) arising from this paradigm shift, especially for operators and manufacturers of critical infrastructure IT systems. Therefore, the mission of the SECCRIT project is to analyse and evaluate cloud computing technologies with respect to security risks in sensitive environments, and to develop methodologies, technologies, and best practices for creating a secure, trustworthy, and high assurance cloud computing environment for CI.

In order to accomplish this mission, the objectives of the SECCRIT project are: identification of the relevant legal framework and establishment of respective guidelines, provision of evidence and data protection for cloud services; understanding and managing risk associated with cloud environments; understanding cloud behaviour in the face of challenges; establishment of best practice for secure cloud service implementations; and the demonstration of SECCRIT research and development results in real-world application scenarios.

To reach these objectives, the SECCRIT consortium will take a user-driven and multi-disciplinary approach. Underpinning all the technical objectives of the project will be legal guidance, ensuring the compliance and applicability of our results. An outcome from the project will be a set of (legal) guidelines about the use of cloud services for CI providers. In addition, SECCRIT will develop risk assessment and management methodologies, and give broader insights into risk perception, transfer and migration, such that CI providers can make decisions about cloud computing adoption with a clear view on the potential risks. Critical infrastructure providers have stringent security assurance and resilience requirements that reflect business, regulatory and legal obligations. To ensure these are met when providers use the cloud, techniques for assurance evaluation will be produced. Furthermore, tools that support specifying policies and ensuring their enforcement will be created. Understanding the operational behaviour of cloud services, particularly when challenged, is a paramount concern for CI providers. Root cause analysis techniques that provide insights into the operational behaviour of clouds will be developed in order to address this important need. Critical infrastructure services provided in the cloud will surely be a prime target for attack. Furthermore, faults and human mistakes, for example, will challenge the operation of CI services, potentially with significant impact. Consequently, SECCRIT will develop a resilience management approach that allows the use of specific techniques, such as vendor diversity and controlled dynamic adaptation of networks and services, in cloud environments. Implementations of our project results and pro- cess-oriented guidelines will be developed. This will be done in close cooperation with project partners who are either users or providers of CI solutions and cloud computing. The research and development results will be rigorously evaluated and validated in two demonstration scenarios.

To ensure wide adoption and maximise the impact of SECCRIT results, the project solutions will be strongly end user-driven. A user group that spans through multiple application domains, e.g., energy, healthcare, industry automation, finance etc. has been formed to reinforce and complement the user organisations in the consortium in the requirements specification phase. Another specific purpose of this group is to enable effective dissemination of project results, ensure a strong link to industry and public authorities, and facilitate the building of a community in this important area.

Veröffentlichungen zu diesem Projekt
Titel place short description

Building Trust in Cloud, Austrian Federal Computing Center, Vienna

e & i Elektrotechnik und Informationstechnik, 12/2013

DSRI Herbstakademie 2013

Aus rechtlicher Sicht wirft die Auslagerung von IT-Strukturen mit Mitteln des Cloud Computings zahlreiche Fragen auf, von denen hier nur der Ausschnitt des Haftungs- und Beweisrechts näher beleuchtet werden soll. Dabei wird insbesondere ein Schwerpunkt auf die grundlegenden, haftungsrechtlichen Fragen des Cloud Computings gelegt, vordergründig aus dem Bereich des Privat- und Prozessrechts. Primärer Gegenstand der Untersuchung sind dabei die Fragen, ob der Cloud-Provider als Erfüllungsgehilfe des Cloud-Nutzers einzustufen ist, in welchen Fällen eine Haftung des Cloud-Providers aussichtsreich erscheint und im weiteren Verlauf schließlich, ob eine technische Beweisführung angesichts der Vielschichtigkeit und Komplexität von Cloud-Diensten notwendig werden wird.

Kurzbeitrag zur Woche der IT-Sicherheit

Den Beitrag finden Sie hier.

Bits That Byte, FH Burgenland

Cloud Computing wirft neben den in der öffentlichen Diskussion bereits ausgesprochen präsenten Datenschutzaspekten insbesondere auch aus haftungs- und beweisrechtlicher Sicht zahlreiche Fragen auf. So birgt sowohl die systembedingte, gewollte Opazität komponierter Cloud-Dienste als auch die Vielzahl üblicherweise zu betrachtender Akteure erhebliche juristische Schwierigkeiten. Dies gilt nicht nur bzgl. der Frage, wer letztlich im Falle einer Fehlfunktion des Systems haften muss, sondern darüber hinaus auch hinsichtlich der prozessualen Durchsetzbarkeit bestehender Ansprüche. Insbesondere kristallisiert sich heraus, dass die derzeit existierenden prozessrechtlichen Mechanismen nicht hinreichend sind, um bei einer fehlenden Transparenz adäquate gerichtliche Entscheidungen zu erzielen. Schon jetzt zeigt sich daher, dass zur Auflösung derartiger Fragestellungen technische Mechanismen als prozessual verwertbare Beweise zwingend herangezogen werden müssen. Der Vortrag greift die hier angedeuteten Probleme auf und spannt den Bogen zwischen den tatsächlichen rechtlichen Gegebenheiten und den noch zu etablierenden, erforderlichen technischen Mechanismen anhand eines Fallbeispiels.

Zeitschrift zum Innovations- und Technikrecht (InTeR) 4/2013

Aus rechtlicher Sicht wirft das Cloud Computing zahlreiche Fragen auf. Insbesondere gilt dies für solche Szenarien, in denen unterschiedliche Akteure an der Bereitstellung eines aus unterschiedlichen Teildiensten zusammengesetzten Cloud-Dienstes beteiligt sind. In diesem Zusammenhang sollen in vorliegendem Beitrag insbesondere haftungs- und beweisrechtliche Fragen wie die Einordnung des Cloud- Providers, potenzielle Haftungsfälle sowie mögliche Ansät- ze zur technischen Beweisführung diskutiert werden.

IEEE CloudCom 2013

The Cloud Computing operational model is a major recent trend in the IT industry, which has gained tremendous momentum. This trend will likely also reach the IT services that support Critical Infrastructures (CI), because of the potential cost savings and benefits of increased resilience due to elastic cloud behaviour. However, realizing CI services in the cloud introduces security and resilience requirements that existing offerings do not address well. For example, due to the opacity of cloud environments, the risks of deploying cloud-based CI services are difficult to assess, especially at the technical level, but also from legal or business perspectives. This paper discusses challenges and objectives related to bringing CI services into cloud environments, and presents an architectural model as a basis for the development of technical solutions with respect to those challenges.

Proc. GECON2014 – 11th International Conference on Economics of Grids, Clouds, Systems, and Services; Sept. 16-18, Cardiff, UK

The field of cloud computing is strongly affected by conflicts of interest between providers and users of resources. A comprehensive and integrative model for representing and analyzing these conflicts on a theoretically well-founded basis is, however, still lacking. Therefore, this paper establishes such a model based on economic agency theory. Employing two realistic example scenarios, we identify representative challenges faced by cloud users and generalize them as typical problems present in agency relations. Based on this conception, we correlate ex- isting practices and strategies from cloud computing with corresponding abstract instruments from agency theory. Finally, we identify approaches that are – even if suggested by economic theory – not practically em- ployed in the cloud domain and discuss the potential to utilize them in future technical and non-technical developments.

(preliminary publication of full-text)