Description

The scientific goal is to advance the state of the art with respect to security-driven engineering of Cloud-based applications. To solve the security problem, together with technological advances, advances on the level of development process, architecture and programming will be investigated.An in-depth analysis of the problem was made by the different partners in the consortium. The conclusion is that the proactive introduction of security in Cloud-based applications can impact software companies in several ways:1) They might have to reconsider the architecture of their Cloud-based application: Cloud computing is driving significant changes in the way applications are architected,deployed, used and maintained. Unlike traditional software application architectures, Cloud-based application architectures are dynamic compositions of loosely coupled Cloud services [Chuck, 2009]. This loose coupling allows to release frequent Cloud- based applications upgrades, giving all clients seamless access to the latest version of the service. Moreover, in contrast to the multi-user model of traditional application architectures, Cloud-based applications adopt multi-tenancy architectures. Multi-tenancy requires designing the single instance according to the multi-faceted requirements of many tenants [Kwok, 2008]. 2) They might have to select and adopt new security infrastructure, protocols and standards. Cloud computing is facing security and privacy issues. The possible lack of security, integrity, confidentiality and privacy of the data stored on cloud infrastructures are one of main aspects that can made users reluctant to use cloud technologies. Correctly securing cloud computing infrastructures is the mandatory step to increase the feeling of trust. Many cloud-based solutions available today offer no solution in terms of integrity and confidentiality, and to some extent in terms of privacy of stored data.3) Companies might have to reconsider the programming technology used to secure cloud software. Safeguarding the integrity of a cloud application and the confidentiality of its data requires meticulous control over where and under what form data flows between cloud services and across tiers. Application-specific control over this flow cannot be exerted at a sustainable effort with existing technology. Secure programming idioms (e.g., for handling potentially tainted input or for implementing access control policies), at the low-tech end of the spectrum, are error-prone as they have to be applied consistently throughout the entire source code. Formal software verification, at the high- tech end of the spectrum, is in a cognitive dissonance with the praxis of software development. Formalizing application-specific control requires significant effort and expertise. A balance can only be struck by reconsidering the secure programming technology that complements infrastructure-level security technologies at the application level.4) Companies might have to change the organizational and development process used to create the solution: security is not a purely technical issue, but also an organisational concern and a legal requirement embedded in a broader legal framework concerning the protection of personal data and e-commerce. The application of these legal frameworks on cloud-based applications demands specific attention to requirements engineering and the translation of these requirements in and during the development process. It also raises specific governance issues, which demand attention to establishing a stable legal environment with a clear distribution of roles and responsibilities, to monitoring compliance, and more generally to good business practices to integrate these concerns into the business process.The project will investigate and integrate the four aforementioned security perspectives by focusing on specific scientific areas in which the different partners will provide a scientific contribution.
AcronymBRGIMP4
StatusFinished
Effective start/end date1/09/1531/08/18

    Research areas

  • Cloud-based applications, security-driven engineering

ID: 8759051