With Cloud providers becoming easier and cheaper to use, businesses are increasingly moving data and processing away from traditional in-house infrastructure. Where personal data is concerned, however, this creates privacy and security risks that originate with other Cloud tenants or with the Cloud provider itself. Data controllers and processors are obliged by data protection regulation to assess and manage such risks on a continuous basis, which is extremely challenging in a dynamic Cloud environment.
When data is moved from an internal, trusted infrastructure to a remote multi-tenant system, it becomes less transparent who has access to which data. Cloud systems are dynamic by design and adjust to the demands placed on them. For example, if you travel to a different country the provider may move data so that you can access it more quickly. If you want other organisations to use your data, it may be moved or cached in a data centre closer to them. Your data may end up in several locations, some of which may offer a lower level of legal protection, or may lack the technical security measures that were in place before.
RestAssured plans to address this issue by developing a framework to help protect data in the Cloud while maintaining the benefits of agile system configuration and optimisation.
The new framework will take advantage of advanced encryption and the hardware security features of recent microprocessors (e.g. Intel's SGX or AMD's SME), and will continuously protect data according to policies agreed with the data subject. For example, consumers may want their data to be accessed only by organisations that are subject to EU data protection rules. This may exclude both the cloud provider and its other tenants. In this situation the RestAssured framework will ensure that data cannot be transferred outside the EU without encryption, and can be processed only within a trusted domain that software or hardware security mechanisms isolate from other users of the same cloud infrastructure. This will also make it easier for data controllers and processors, and their cloud providers, to comply with the latest data protection regulations.
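To make the policy-driven enforcement described above concrete, here is an added illustrative example (not code from the RestAssured project or any of its partners) of a placement check that a runtime component could apply to every "store" or "process" request. The jurisdiction table, the country codes, the `tee_attested` flag (standing in for the result of an enclave attestation check) and the latency figures are all assumptions constructed for the example. It also covers the relocation case from the text: the provider may still cache data closer to a consumer, but only among sites the data subject's policy allows.

```python
"""Illustrative policy check for personal-data placement in a multi-tenant cloud.

Added example, not RestAssured code. The jurisdiction set, the country codes
and the attestation flag are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: each data centre carries an ISO country code, and this set stands
# in for "subject to EU data protection rules".
EU_JURISDICTIONS = frozenset({"DE", "FR", "IE", "NL"})


@dataclass(frozen=True)
class Policy:
    """What the data subject agreed to."""
    allowed_jurisdictions: frozenset   # plaintext may exist only here
    require_tee: bool                  # processing must run inside an attested enclave
    allow_ciphertext_elsewhere: bool   # ciphertext may be stored outside the allowed set


@dataclass(frozen=True)
class DataCentre:
    name: str
    country: str
    tee_attested: bool = False   # hypothetical: outcome of an SGX/SEV-style attestation check
    latency_ms: int = 0          # hypothetical: latency to the consumer asking for the data


@dataclass(frozen=True)
class Request:
    action: str          # "store" or "process"
    target: DataCentre
    encrypted: bool      # payload is ciphertext under a key the target does not hold


def evaluate(policy: Policy, req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly matched is denied."""
    in_scope = req.target.country in policy.allowed_jurisdictions
    if req.action == "store":
        if in_scope:
            return True, "store within an allowed jurisdiction"
        if req.encrypted and policy.allow_ciphertext_elsewhere:
            return True, "ciphertext only, outside the allowed jurisdictions"
        return False, "plaintext would leave the allowed jurisdictions"
    if req.action == "process":
        # Processing implies plaintext, so it is refused outside the allowed set
        # regardless of whether the data arrived encrypted.
        if not in_scope:
            return False, "processing would expose plaintext outside the allowed jurisdictions"
        if policy.require_tee and not req.target.tee_attested:
            return False, "no attested enclave: co-tenants or the provider could read the data"
        return True, "process inside an attested enclave within an allowed jurisdiction"
    return False, f"unknown action {req.action!r}"


def choose_cache_site(policy: Policy, candidates: List[DataCentre],
                      encrypted: bool) -> Optional[DataCentre]:
    """Lowest-latency candidate whose store request the policy allows, or None.

    Optimisation still happens, but only among policy-compliant sites.
    """
    allowed = [dc for dc in candidates
               if evaluate(policy, Request("store", dc, encrypted))[0]]
    if not allowed:
        return None
    return min(allowed, key=lambda dc: dc.latency_ms)


# Constructed policy and data centres for the walk-through.
POLICY = Policy(EU_JURISDICTIONS, require_tee=True, allow_ciphertext_elsewhere=True)
SITES = [
    DataCentre("us-east", "US", tee_attested=True, latency_ms=20),
    DataCentre("eu-west", "IE", tee_attested=False, latency_ms=60),
    DataCentre("eu-central", "DE", tee_attested=True, latency_ms=90),
]

if __name__ == "__main__":
    for site in SITES:
        print(site.name, "process:", evaluate(POLICY, Request("process", site, False)))
    print("cache ciphertext at:", choose_cache_site(POLICY, SITES, encrypted=True).name)
    print("cache plaintext at:", choose_cache_site(POLICY, SITES, encrypted=False).name)
```

With this policy, processing is refused in the US site (outside the allowed jurisdictions, even though it has an attested enclave) and in the Irish site (in scope, but not attested), and allowed only in the German site. Caching ciphertext may use the fastest site anywhere; caching plaintext is confined to the fastest site inside the allowed jurisdictions. A real deployment would bind `tee_attested` to a fresh attestation result rather than a static flag, since a site can lose that status at runtime.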
Our role in the project is to develop a methodology that can capture risks to data in the Cloud. We are the lead partner in developing the models and tools that will support a risk-based analysis to identify and specify privacy and security requirements.
This work advances the state of the art to meet regulatory and business constraints by developing a methodology for both design-time and runtime risk management in an automated, machine-readable way. It builds on our work in ASSURED, which is also being extended in the recently started projects 5G-ENSURE (mobile network security) and SHiELD (cross-border e-health).
RestAssured is a 36-month project funded by the EC H2020 ICT framework programme.
Coordinator: IBM Israel.
This project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 731678.