Future @ Cloud: Cloud Computing meets Smart Ecosystems

Joerg Doerr, Fraunhofer IESE, Kaiserslautern, Germany

© Fraunhofer IESE

Fraunhofer-Institute for Experimental Software Engineering (IESE)

Leading Institute for Software Engineering

Founded in 1996 in Kaiserslautern, Germany
200 employees
Focus on software engineering

• Provide innovative and value-adding customer solutions with measurable effects
• Advance the state of the art in software and system engineering
• Promote the importance of empirically based software and system engineering

www.iese.fraunhofer.de

Fraunhofer IESE – Our Competencies

SOFTWARE-ENABLED INNOVATIONS

for innovative Systems

Digital Society Business Life: Integration Enables Innovation!

… in Information Systems as well as in Embedded Systems

Trends and Implications

• New business models
  - that did not work in the past start to work now (Apple Store, Micropayment, ..)
• Private life pushes business life
• Physical objects go digital
  - Machinery, things, living objects like plants and animals
• Usage of Big Data to exploit available data
• Uncertainty at runtime

IT Mega Trend: Integration

Big Data / Data Analytics

Digital Ecosystems

Software Ecosystems
• deliver innovations through integrated software systems
• are typically driven by multiple organizations at their own pace to interact with shared markets
• operate through the exchange of data, functions, or services with mutually influencing parts

Smart Ecosystems
• integrate non-trivial information systems supporting business goals
• integrate non-trivial embedded systems supporting technical goals
• function as one unit to achieve a common, superior goal and share context-dependent information

Integration of IS and ES - Differences

Key Goals
• Optimization of Business Processes
• Optimization of Technical Processes (sensors and actuators)
• Optimization of both, Business Processes & Technical Processes with Equal Rights

Software Engineering
• IS-Driven (Information Systems 2.0): may include embedded data in workflows
• ES-Driven (Embedded Systems 2.0): may use information systems for data storage, e.g., in the cloud
• ES/IS-Integration: Participative Engineering: Across Organizations (sometimes with Equal Rights)

Key Qualities (Examples)
• Security
• Safety
• Safety & Security

Smart Ecosystems A Trend Across Domains

Smart Ecosystems

Industry 4.0

V2X and C2X

eEnergy

eHealth

Smart Farming

Research in Smart Ecosystems Key Challenges

Diversity

Uncertainty

Complexity

Guaranteed Qualities

e.g., Safety and Security

Lifecycle Management

Big Data

Big Data Analysis in Smart Ecosystems

[Figure labels: Organization 1 … Organization N, each with runtime environment, data sources, algorithmics + analyses, visualization, modeling, and Data Miner & Generator; usage control; virtual runtime environment with global analyses, algorithmics, data fusion, analysis database, visualization, ecosystem simulator, crowd data miner, data generation; standardized modeling for analyses and released data]

Dealing with Data in Smart Ecosystems – Cloud as Potential Boost for Analytics & Interoperation – Data Usage Control as Key Business Enabler

Moving Data to the Cloud = Moving Data to Third Parties

• Data Protection Challenges
  - Data Residency (data must be kept within defined geographic borders)
  - Data Privacy (enterprise is responsible for any breach to data)
  - Compliance (enterprise must comply with applicable laws)
  - Data Usage Control (data is accessed from different entities)

→ Main concerns for critical infrastructure IT using the Cloud

• Security and Privacy

https://seccrit.eu/upload/CloudCritITSurvey.pdf, 10-03-2014, SECCRIT

Motivation SECCRIT in a Nutshell

• Challenges
  - Analyse and evaluate cloud computing with respect to security risks in sensitive environments (i.e., critical infrastructures)
• Goal
  - Development of methodologies, technologies, best practices for secure, trustworthy, high assurance and legally compliant cloud computing environments for critical infrastructure IT.

Enable cloud technologies to be used for critical infrastructure IT

SECCRIT Research Focus at Fraunhofer IESE

• Multi-layer Policy Decision and Enforcement for Usage Control Policies
  - Policy enforcement on different abstraction layers of the cloud (e.g., cloud infrastructure or service level)
  - Context-aware policy enforcement mechanisms (e.g., respecting geolocation if data or service is migrated)
• User-friendly Policy Specification
  - Elicitation method for security demands and mapping to machine-enforceable security policies
  - Reduction of errors and misunderstandings in policy specification

Policy Decision and Enforcement

Policy Decision and Enforcement Framework: IND²UCE

• Dynamic framework for policy decision and enforcement
• Seamless integration of new components
• Dynamic management during runtime
• Powerful policy language

Policy Decision and Enforcement SECCRIT Architectural Framework (Policy-oriented View)

• PEP and PXP as enforcement components on different abstraction levels
• PDP as central decision component
• PIP component as additional information retrieval component for the decision making
• PAP as interface between stakeholders and policy framework

Enforcement in the Cloud Infrastructure Level Scenario: Enforcing Anti-Affinity Policy

Scenario: Tenant A runs critical infrastructure services on different machines (VMs) on a virtual datacenter. However, the services are not allowed to share the same physical resources!

Problem: If Tenant A or the cloud infrastructure operator starts migrating virtual machines (VMs) to the same physical host, both critical services run on the same physical host.

→ VMware offers affinity rules, but allows their violation

Solution: An anti-affinity policy specifies that critical VMs have to be separated. Migrating critical VMs to the same physical host results in automatically migrating the other critical service away.
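The anti-affinity scenario above, sketched as an added example that is not part of the original slides and is not IND²UCE code. It models the PEP, PDP, PIP and PXP roles in a detective setup: the migration has already happened when the event arrives, and the countermeasure moves the other critical VM away. All class names, VM names, host names and the event format are assumptions.

```python
# Added illustration (hypothetical names and data, not IND²UCE code):
# detective anti-affinity enforcement with PEP / PDP / PIP / PXP roles.

class Inventory:
    """Constructed stand-in for the virtual datacenter state."""
    def __init__(self, placement, hosts):
        self.placement = dict(placement)   # VM name -> physical host
        self.hosts = list(hosts)

class PIP:
    """Policy Information Point: supplies context for the decision."""
    def __init__(self, inventory):
        self.inv = inventory
    def host_of(self, vm):
        return self.inv.placement[vm]
    def vms_on(self, host):
        return sorted(v for v, h in self.inv.placement.items() if h == host)
    def hosts(self):
        return list(self.inv.hosts)

class PXP:
    """Policy Execution Point: carries out the countermeasure and logs it."""
    def __init__(self, inventory):
        self.inv = inventory
        self.audit = []
    def migrate(self, vm, target):
        self.audit.append((vm, self.inv.placement[vm], target))
        self.inv.placement[vm] = target

class PDP:
    """Policy Decision Point: evaluates the anti-affinity policy."""
    def __init__(self, pip, anti_affinity_groups):
        self.pip = pip
        self.groups = [set(g) for g in anti_affinity_groups]
    def decide(self, event):
        if event["type"] != "VmMigrated":
            return []
        vm = event["vm"]
        group = next((g for g in self.groups if vm in g), None)
        if group is None:
            return []                      # VM is not covered by the policy
        host = self.pip.host_of(vm)
        # Hosts that already carry a member of the group (or will, once
        # the actions planned below are executed).
        occupied = {self.pip.host_of(m) for m in group}
        actions = []
        for other in self.pip.vms_on(host):
            if other == vm or other not in group:
                continue
            free = [h for h in self.pip.hosts() if h not in occupied]
            if free:
                actions.append(("migrate", other, free[0]))
                occupied.add(free[0])
            else:
                # No host left that keeps the group separated: escalate.
                actions.append(("alert", other, None))
        return actions

class PEP:
    """Policy Enforcement Point: receives events after the fact (detective)."""
    def __init__(self, pdp, pxp):
        self.pdp, self.pxp = pdp, pxp
    def on_event(self, event):
        actions = self.pdp.decide(event)
        for kind, vm, target in actions:
            if kind == "migrate":
                self.pxp.migrate(vm, target)
        return actions

def run_scenario():
    """Tenant A's two critical services end up on one host; policy separates them."""
    inv = Inventory({"ci-service-1": "host-a", "ci-service-2": "host-b", "web": "host-b"},
                    ["host-a", "host-b", "host-c"])
    pep = PEP(PDP(PIP(inv), [{"ci-service-1", "ci-service-2"}]), PXP(inv))
    inv.placement["ci-service-1"] = "host-b"   # operator's migration already completed
    actions = pep.on_event({"type": "VmMigrated", "vm": "ci-service-1"})
    return inv.placement, actions

if __name__ == "__main__":
    print(run_scenario())
```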

Enforcement in the Cloud Infrastructure Level Scenario: Enforcing Virtual Machine Snapshots Policy

Scenario: A virtual machine is reserved as a sandbox for evaluating new software. Testers can install software on the machine, but it has to be reverted to its previous state after use. Only administrators are allowed to make persistent changes.

Problem: A tester might forget to revert the machine or an administrator might forget to create a new snapshot. Creating snapshots and reverting has to be triggered manually. The vCenter user management has no automatic mechanisms for this kind of scenario.

Solution: Virtual machine snapshots policies specify that a snapshot is created after an administrator logs out from the virtual machine. If a tester logs out from the virtual machine, the virtual machine is reverted.

Enforcement in the Cloud Infrastructure Level Scenario: Enforcing Virtual Machines Geolocation

Scenario: A virtual machine hosts sensitive data and is only allowed to be operated in countries within Europe.

Problem: A cloud operator might trigger the process to migrate the virtual machine to another data center outside Europe.

Solution: A virtual machines geolocation policy specifies that virtual machines are only allowed to be operated in data centers within Europe. Migrating the virtual machine outside Europe will be logged and countermeasures enforced.

Enforcement in the Cloud Infrastructure Level Scenario: Enforcing Virtual Machine Power States

Scenario: A cluster contains a virtual machine dedicated to testing new software. The testing machine might interfere with the normal operation of the cluster (e.g., memory leaks, interfering network traffic) and has to be monitored by the testers.

Problem: The resources for the machine cannot be restricted any further without affecting the testing process.

Solution: A virtual machine power state policy specifies that the machine is shut down or suspended if no developer is logged into the vCenter management environment to monitor it.

Enforcement in the Cloud Infrastructure Level IND²UCE for VMware

[Figure labels: VMware vSphere (shown twice), VMware vCenter Server, Manage, SOAP, VMware vSphere Client]

✓ independent of VMware changes (except for interface changes)
✓ no disturbance of other systems
✗ only detective enforcement

Enforcement in the Service Level IND²UCE for HBase/Hadoop Cloud Databases

• HBase: NoSQL database inspired and modeled after Google's Bigtable¹
• Hadoop: Distributed File System (HDFS™) + Hadoop MapReduce
• Idea:
  - Distribute big data into clusters
  - MapReduce algorithm

¹ http://research.google.com/archive/bigtable.html

Enforcement in the Service Level Scenario: Modify Data in Transit

Scenario: A first level support worker is accessing person-related data for their customers. However, the support worker should not have access to fields such as the concrete date of birth.

Problem: The database stores the date of birth in one field and can only return the entire field or nothing. The data usage restriction could only be solved by changing the database fields accordingly.

Solution: A privacy policy specifies to replace day of birth and month of birth with ‘X’. Only year of birth is visible to the first level support worker.
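The in-transit modification described above, as an added example that is not part of the original slides and is not IND²UCE code. The role names, the column name `personal:date_of_birth`, the two date encodings and the policy table are assumptions; values in an unrecognised format are masked completely so that a format change cannot leak the day or month.

```python
# Added illustration (hypothetical names, not IND²UCE code): a service-level
# enforcement step that rewrites a query result before it reaches the caller.
import re

# Assumed encodings of the date-of-birth field; the slides do not state one.
ISO_DATE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")      # e.g. 1984-03-17
DMY_DATE = re.compile(r"(\d{2})\.(\d{2})\.(\d{4})")    # e.g. 17.03.1984

def mask_day_month(value):
    """Replace day and month of birth with 'X'; keep only the year."""
    m = ISO_DATE.fullmatch(value)
    if m:
        return f"{m.group(1)}-XX-XX"
    m = DMY_DATE.fullmatch(value)
    if m:
        return f"XX.XX.{m.group(3)}"
    # Fail closed: an unknown format is masked entirely rather than released.
    return "X" * len(value)

# Policy table: role -> {column -> modifier}. A role with an empty mapping
# receives rows unmodified; a role that is not listed receives nothing.
POLICY = {
    "first_level_support": {"personal:date_of_birth": mask_day_month},
    "account_manager": {},   # hypothetical role with full visibility
}

def enforce_in_transit(role, row):
    """Return a modified copy of one result row according to the caller's role."""
    if role not in POLICY:
        raise PermissionError(f"no usage policy for role {role!r}")
    modifiers = POLICY[role]
    result = {}
    for column, value in row.items():
        modifier = modifiers.get(column)
        result[column] = modifier(value) if modifier else value
    return result

# Constructed sample row, keyed by column family and qualifier.
SAMPLE_ROW = {
    "personal:name": "Erika Mustermann",
    "personal:date_of_birth": "1984-03-17",
    "contract:tariff": "basic",
}

if __name__ == "__main__":
    print(enforce_in_transit("first_level_support", SAMPLE_ROW))
```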

Enforcement in the Service Level IND²UCE for HBase/Hadoop Cloud Databases

[Figure: Hadoop (HDFS: Name Node, Secondary Name Node, Data Nodes; MapReduce: Job Tracker, Task Trackers), HBase (HMaster1, HMaster2, Region Servers) and a Zookeeper Ensemble (Zookeeper1, Zookeeper2, Zookeeper3). Legend: control & message signals, one-way dependency, bi-directional dependency]

Takeaways

• Companies and Society can strongly benefit from Smart Ecosystems
  - Opportunity and threat at the same time for companies
• Cloud Computing can be a significant boost for analytics and interoperability
• Challenges in Smart Ecosystems require guaranteed qualities
  - Data Usage Control will be a business enabler, Security is not a showstopper
• Fraunhofer IESE provides strong competences for Smart Ecosystem challenges

Dr. Jörg Dörr, Fraunhofer IESE, +49 631 6800 1601

Backup Slides

Multi-Layer Policy Enforcement

Conclusion

Moving Data to the Cloud = …

• Moving Data to Third Parties
• Losing Control over Data

Usage Control: a generalization of Access Control

• Security policies specify how data usage is handled, also after access has been granted and data has been released
• Enables compliance with privacy, auditing, and accountability regulations (e.g., data has to be deleted after 14 days)

→ Usage Control keeps control over your data usage

[Figure labels: Usage Control, Access Control]

Enforcement in the Cloud Infrastructure IND²UCE for VMware

Enforcement in the Cloud Infrastructure Level

• Policy Enforcement Point (PEP) intercepts events:
  - Migration, Lifecycle, Powercycle, Cluster, etc.
• Policy Information Point (PIP) retrieves additional attributes:
  - Performance of virtual machines, cluster, etc.
  - Runtime status, datastore capacities, configuration parameters, etc.
• Policy Execution Point (PXP) performs actions
  - Powercycle (PowerOn/Off, Reset, Shutdown, Reboot)
  - Lifecycle (Reconfig, Relocate, Migrate, CreateSnapshot)
  - Reconfigure, Apply/CancelRecommendation

Enforcement in the Cloud Infrastructure Level Policy Enforcement Point (PEP)

Types of Events

• Virtual Machines
  - Migration, Lifecycle, Powercycle, Cluster (Failover, HA Monitoring, etc.)
• Cluster
  - Lifecycle, Resources, HA Services
• Hosts
  - Host operations, networking, lifecycle, etc.
• Datastores
• Networking
  - Lifecycle, Switch (e.g., port state)
• Roles and Permissions

Enforcement in the Cloud Infrastructure Level Policy Information Point (PIP)

Contextual Information

• Performance of virtual machines, cluster, etc.
  - Resource load such as CPU, memory, etc.
• Runtime status
  - Connection or power state, bootTime, maximum CPU usage, etc.
• Datastore
  - Capacity, free space, etc.
• Configuration parameters of virtual machines or cluster
  - MAC address, annotation, number of CPUs, etc.
• Information about user or group privileges

Enforcement in the Cloud Infrastructure Level Policy Execution Point (PXP)

Execute Actions

• Virtual Machines
  - Powercycle (PowerOn/Off, Reset, Suspend, Standby, Shutdown, Reboot)
  - Lifecycle (Reconfig, Relocate, Migrate, Clone, CreateSnapshot, etc.)
• Cluster
  - Reconfigure, Apply/CancelRecommendation
• Roles and Permissions
  - Set/Reset/RemoveEntityPermissions

BACKUP SLIDES

[Figure labels. Abstraction levels: User Level, Critical Infrastructure (CI) Service Level, Tenant Infrastructure Level, Physical Cloud Infrastructure Level. Stakeholders: CI Service User, CI Service Provider, Tenant Infrastructure Provider, Cloud Infrastructure Provider. Resources: Client Devices; Service Components (CI Service with Component A, Component B, Component C); Tenant Infrastructure; Cloud Infrastructure (Data Centre). Relations: provides service (SaaS/PaaS); provides virtual infrastructure (IaaS/PaaS); provides virtual resources (IaaS); manages service resources; manages virtual resources; manages cloud resources. Resource lists: virtual compute resources, virtual storage, virtual network; compute, storage, network. SLAs]

[Figure labels. Stakeholders: CI Service User, CI Service Operator, Tenant Infrastructure Operator, Cloud Infrastructure Operator. Systems: Operating Support System, Tenant Infrastructure Management System, Cloud Infrastructure Management System (orchestration, provisioning, monitoring, policy control). Levels: User, Service, Tenant Infrastructure, Cloud Infrastructure. Elements: CI Service with Component A, Component B, Component C; VS, VM, VM, VN; VSM, VMM, VMM, VNM; Infrastructure Service Descriptions; Resource Descriptions; VImage DB]

[Figure labels. Levels: User Level, Service Level, Tenant Infrastructure Level, Physical Cloud Infrastructure Level. Elements: CI Service Users, Other Service Users; CI Service (Component A, Component B, Component C), Other Service (Component A, Component B, Component C, Component D); Tenant X, Tenant Y; Cloud Infrastructure Provider A (Data Centre A.1), Cloud Infrastructure Provider B (Data Centre B.1, Data Centre B.2). Relations: hosts service components; hosts virtual resources]

Welcome to Nebula Central Station!

• Nebula Central is a large subway station in a European metropolis. Three subway lines cross at the station and thousands of people pass through it daily.
• The station is open from 4.30 am till 1.30 am on weekdays and throughout the whole weekend. During the rest of the time, all entrances are closed with massive grates.
• There are about 45 stores, bars and restaurants within the station.

A new video surveillance system

• MetroSub: The Subway Operator
• CitySec: The Security Service Provider
• TelCom: The Telecom Operator
• TenSys: The Tenant System Mgmt
• CloudCorp: The Cloud Mgmt Provider

And everything goes fine – for a while. Then two incidents happen...

A new case of vandalism

• One night, the station is demolished again during closing hours. The direct damages exceed 100.000 € and the station is closed for a day.
• The mess is discovered in the morning when the station is opened.
• The security guards have not intervened as they have not received an alarm.
• MetroSub claims indemnification from the operators.
• Nobody knows what caused the trouble – CitySec, TelCom, TenSys and CloudCorp blame each other. MetroSub sues them all...

Another problem – a data leak

• Another night, a known politician travels through the station after an evening party. Having had a few glasses too much, he needs to vomit in a trash can. No one sees this except one of the cameras.
• Next morning, the picture of the vomiting politician is in a tabloid newspaper. Nobody knows how it has come to the editors, who refuse to reveal the source.
• The politician files suit against MetroSub for breach of privacy – and MetroSub sues the operators, who, as usual, blame each other.

Valencia Traffic Control System

• Main functionality is to control the traffic in an urban area
• It is a scalable control system, ready to be used from small to large urban areas

Architecture

[Figure labels: VARIABLE MESSAGES SIGNALS, TRAFFIC CONTROLLER, TRAFFIC LIGHTS, SENSORS, VIDEODETECTION, ENVIRONMENTAL SENSORS]

Moving to the Cloud

Opportunities
• Constantly growing and increasing information that requires infrastructure investments → Use of cloud services to save effort and budget
• Third parties that want to access public information and can compromise the critical data → Use of cloud mechanisms to secure the critical data and make the public data easily accessible
• Updates of the running software services and legacy systems → transparent updates and patching for traffic center operators

End-User Requirements
• High assurance of the data and services
• Policy compliant mechanisms
• Cyber resilience in case of cyber attacks or other conditions (natural disasters, human mistakes, etc.)
• Legal issues: compliance with relevant regulations (e.g. need for anonymizing/aggregating detailed traffic data for data protection/privacy reasons)

Moving to the Cloud

Use Cases, Hosting Critical Mobility Services in the Cloud:

• Moving data and services to the cloud
• Evaluating risks with data in the cloud
• Data not available due to a malfunction or misbehaviour

Tailored Services are our Industry Business

Agenda

1)  Motivation

2)  Policy Decision and Enforcement

3)  Enforcement in the Cloud Infrastructure

4)  Enforcement in the Service Level

5)  Conclusion

MOTIVATION

Biological and Digital Ecosystems Survival of the Fittest

Subjects
• Biological Ecosystems: living organisms
• Software Ecosystems: organizations
• Smart Ecosystems: organization

Objects
• Software Ecosystems: systems
• Smart Ecosystems: systems

Value
• Biological Ecosystems: fitness → potential to produce viable offspring
• Software Ecosystems: fitness → potential to earn money (directly or indirectly)
• Smart Ecosystems: fitness → potential to earn money (directly or indirectly)

Resources
• Biological Ecosystems: entities
• Software Ecosystems: manpower, money, code
• Smart Ecosystems: manpower, money, code, entities

Environment
• Biological Ecosystems: physical
• Software Ecosystems: digital
• Smart Ecosystems: physical, digital