Future @ Cloud: Cloud Computing meets Smart Ecosystems
Joerg Doerr, Fraunhofer IESE, Kaiserslautern, Germany
Joerg.Doerr@iese.fraunhofer.de

Fraunhofer-Institute for Experimental Software Engineering (IESE)
- Leading Institute for Software Engineering
- Founded in 1996 in Kaiserslautern, Germany
- 200 employees
- www.iese.fraunhofer.de
- Focus on software engineering
  - Provide innovative and value-adding customer solutions with measurable effects
  - Advance the state of the art in software and system engineering
  - Promote the importance of empirically based software and system engineering

Fraunhofer IESE: Our Competencies for innovative Systems
[Figure: SOFTWARE-ENABLED INNOVATIONS]

Fraunhofer IESE: Our Competencies
[Figure: SOFTWARE-ENABLED INNOVATIONS]

Digital Society Business Life: Integration Enables Innovation! in Information Systems as well as in Embedded Systems

Trends and Implications
- New business models that did not work in the past start to work now (Apple Store, Micropayment, ...)
- Private life pushes business life
- Physical objects go digital
  - Machinery, things, living objects like plants and animals
- Usage of Big Data to exploit available data
- Uncertainty at runtime

IT Mega Trend: Integration
- Big Data / Data Analytics

Digital Ecosystems
Software Ecosystems
- deliver innovations through integrated software systems
- are typically driven by multiple organizations at their own pace to interact with shared markets
- operate through the exchange of data, functions, or services with mutually influencing parts
Smart Ecosystems
- integrate non-trivial information systems supporting business goals
- integrate non-trivial embedded systems supporting technical goals
- function as one unit to achieve a common, superior goal and share context-dependent information

Integration of IS and ES - Differences
IS-Driven (Information Systems 2.0)
- Key Goals: Optimization of Business Processes
- Software Engineering: may include embedded data in workflows
- Key Qualities (Examples): Security
ES-Driven (Embedded Systems 2.0)
- Key Goals: Optimization of Technical Processes (sensors and actuators)
- Software Engineering: may use information systems for data storage, e.g., in the cloud
- Key Qualities (Examples): Safety
ES/IS-Integration
- Key Goals: Optimization of both, Business Processes & Technical Processes with Equal Rights
- Software Engineering: Participative Engineering: Across Organizations (sometimes with Equal Rights)
- Key Qualities (Examples): Safety & Security

Smart Ecosystems: A Trend Across Domains
[Figure: Smart Ecosystems at the center, surrounded by the domains Industry 4.0, Smart Farming, V2X and C2X, eHealth, eEnergy]

Research in Smart Ecosystems: Key Challenges
- Diversity
- Big Data
- Uncertainty
- Lifecycle Management
- Complexity
- Guaranteed Qualities, e.g., Safety and Security

Big Data Analysis in Smart Ecosystems
[Figure: architecture diagram. Shared components: Crowd Data Miner, Visualization, Data generation, Ecosystem Simulator; global analyses, algorithmics, data fusion, analysis data base; virtual runtime environment; standardized modeling for analyses and released data. Per organization (Organization 1 to Organization N): Data Miner & Generator, Visualization, Algorithmics + analyses, Runtime environment, Usage control, Modeling, Data sources]

Dealing with Data in Smart Ecosystems
- Cloud as Potential Boost for Analytics & Interoperation
- Data Usage Control as Key Business Enabler
- Moving Data to the Cloud = Moving Data to Third Parties
- Data Protection Challenges
  - Data Residency (data must be kept within defined geographic borders)
  - Data Privacy (enterprise is responsible for any breach to data)
  - Compliance (enterprise must comply with applicable laws)
  - Data Usage Control (data is accessed from different entities)
- Main concerns for critical infrastructure IT using the Cloud: Security and Privacy
Source: https://seccrit.eu/upload/cloudcrititsurvey.pdf, 10-03-2014, SECCRIT

Motivation: SECCRIT in a Nutshell
Challenges
- Analyse and evaluate cloud computing with respect to security risks in sensitive environments (i.e., critical infrastructures)
Goal
- Development of methodologies, technologies, and best practices for secure, trustworthy, high-assurance and legally compliant cloud computing environments for critical infrastructure IT
- Enable cloud technologies to be used for critical infrastructure IT

SECCRIT Research Focus at Fraunhofer IESE
- Multi-layer Policy Decision and Enforcement for Usage Control Policies
  - Policy enforcement on different abstraction layers of the cloud (e.g., cloud infrastructure or service level)
  - Context-aware policy enforcement mechanisms (e.g., respecting geolocation if data or service is migrated)
- User-friendly Policy Specification
  - Elicitation method for security demands and mapping to machine-enforceable security policies
  - Reduction of errors and misunderstandings in policy specification

Policy Decision and Enforcement Framework: IND²UCE
- Dynamic framework for policy decision and enforcement
- Seamless integration of new components
- Dynamic management during runtime
- Powerful policy language

Policy Decision and Enforcement: SECCRIT Architectural Framework (Policy-oriented View)
- PEP and PXP as enforcement components on different abstraction levels
- PDP as central decision component
- PIP component as additional information retrieval component for the decision making
- PAP as interface between stakeholders and policy framework

Enforcement in the Cloud Infrastructure Level
Scenario: Enforcing Anti-Affinity Policy
- Scenario: Tenant A runs critical infrastructure services on different machines (VMs) on a virtual datacenter. However, the services are not allowed to share the same physical resources!
- Problem: If Tenant A or the cloud infrastructure operator starts migrating virtual machines (VMs) to the same physical host, both critical services run on the same physical host. VMware offers affinity rules, but allows their violation.
- Solution: An anti-affinity policy specifies that critical VMs have to be separated. Migrating critical VMs to the same physical host results in automatically migrating the other critical service away.

Enforcement in the Cloud Infrastructure Level
Scenario: Enforcing Virtual Machines Geolocation
- Scenario: A virtual machine hosts sensitive data and is only allowed to be operated in countries within Europe.
- Problem: A cloud operator might trigger the process to migrate the virtual machine to another data center outside Europe.
- Solution: A virtual machine geolocation policy specifies that virtual machines are only allowed to be operated in data centers within Europe. Migrating the virtual machine outside Europe will be logged and countermeasures enforced.

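The two infrastructure-level scenarios above (anti-affinity and VM geolocation) can be sketched as one decision function that reacts to a completed migration. This is an added example, not code from the slides, IND²UCE or VMware. The names `VM`, `Host`, `decide`, the action labels, the `migrate_back` countermeasure and the country set are all assumptions made for illustration.

```python
# Added illustration; all names below are hypothetical, not IND²UCE or VMware APIs.
from dataclasses import dataclass

EUROPE = {"DE", "FR", "AT", "NL"}  # constructed sample of permitted country codes

@dataclass(frozen=True)
class VM:
    name: str
    tenant: str
    critical: bool
    eu_only: bool

@dataclass(frozen=True)
class Host:
    name: str
    country: str

def decide(vm, target, placement):
    """Decision step: evaluate a completed migration of `vm` to `target`.

    `placement` maps every other VM to its current Host (context information).
    Returns (action, subject, reason) tuples for an execution component to run.
    """
    actions = []
    # Geolocation policy: EU-only VMs must stay in permitted countries.
    if vm.eu_only and target.country not in EUROPE:
        actions.append(("log", vm.name, f"geolocation violation: {target.country}"))
        # Assumed countermeasure; the slides do not name a specific one.
        actions.append(("migrate_back", vm.name, "return to a permitted data center"))
    # Anti-affinity policy: two critical VMs of one tenant must not share a host.
    if vm.critical:
        for other, host in placement.items():
            if other.critical and other.tenant == vm.tenant and host == target:
                actions.append(("migrate_away", other.name, f"anti-affinity with {vm.name}"))
    return actions

# Constructed sample inventory.
scada = VM("scada-1", "tenantA", critical=True, eu_only=True)
hist = VM("historian-1", "tenantA", critical=True, eu_only=True)
web = VM("web-1", "tenantB", critical=False, eu_only=False)
esx1, esx2, us1 = Host("esx-1", "DE"), Host("esx-2", "DE"), Host("us-1", "US")
placement = {hist: esx2, web: esx2}

if __name__ == "__main__":
    for target in (esx1, esx2, us1):
        print(target.name, decide(scada, target, placement))
```

The function only reacts after the migration has happened, so it models detective enforcement: the violation is observed and then corrected rather than blocked in advance.
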
Enforcement in the Cloud Infrastructure Level: IND²UCE for VMware
[Figure: VMware vSphere Client, connected via SOAP to VMware vCenter Server, which manages VMware vSphere]
- independent of VMware changes (except for interface changes)
- no disturbance of other systems
- only detective enforcement

Enforcement in the Service Level: IND²UCE for HBase/Hadoop Cloud Databases
- HBase: NoSQL database inspired and modeled after Google's Bigtable [1]
- Hadoop: Distributed File System (HDFS™) + Hadoop MapReduce
- Idea:
  - Distribute big data into clusters
  - MapReduce algorithm
[1] http://research.google.com/archive/bigtable.html

Enforcement in the Service Level
Scenario: Modify Data in Transit
- Scenario: A first level support worker is accessing person-related data for their customers. However, the support worker should not have access to fields such as the concrete date of birth.
- Problem: The database stores the date of birth in one field and can only return the entire field or nothing. The data usage restriction could only be solved by changing the database fields accordingly.
- Solution: A privacy policy specifies to replace day of birth and month of birth with X. Only year of birth is visible to the first level support worker.

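The data-in-transit modification described above can be sketched as a filter between the database and the caller. This is an added example, not code from the slides or from IND²UCE. The role names, the `date_of_birth` field name and the ISO date format are assumptions. Roles that are not explicitly allowed full access get the masked view, and a value that cannot be parsed is masked completely.

```python
# Added illustration; role names, field names and the date format are assumptions.
import re

ISO_DATE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")
FULL_ACCESS_ROLES = {"second_level_support"}  # hypothetical role identifier

def mask_birth_date(value):
    """Keep the year, replace month and day with X. Fail closed on unknown formats."""
    m = ISO_DATE.fullmatch(value) if isinstance(value, str) else None
    if not m:
        return "XXXX-XX-XX"  # unparseable value: reveal nothing
    return f"{m.group(1)}-XX-XX"

def enforce(record, role):
    """Enforcement step: return a copy of `record` as the given role may see it."""
    out = dict(record)  # never modify the stored row itself
    if role in FULL_ACCESS_ROLES:
        return out
    # Every other role, including unknown ones, only sees the year of birth.
    if "date_of_birth" in out:
        out["date_of_birth"] = mask_birth_date(out["date_of_birth"])
    return out

# Constructed sample row as the database would return it.
row = {"customer_id": "C-1001", "name": "Jane Doe", "date_of_birth": "1984-03-17"}

if __name__ == "__main__":
    print(enforce(row, "first_level_support"))
    print(enforce(row, "second_level_support"))
```
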
Enforcement in the Service Level: IND²UCE for HBase/Hadoop Cloud Databases
[Figure: deployment diagram. Components: Zookeeper Ensemble (Zookeeper1, Zookeeper2, Zookeeper3), HMaster1, HMaster2, Region Servers, HBase, Job Tracker, Task Trackers, Map Reduce, Name Node, Secondary Name Node, Data Nodes, Hadoop HDFS. Legend: Control & Message Signals, One way dependency, Bi-directional dependency]

Takeaways
- Companies and Society can strongly benefit from Smart Ecosystems
  - Opportunity and threat at the same time for companies
- Cloud Computing can be a significant boost for analytics and interoperability
- Challenges in Smart Ecosystems require guaranteed qualities
- Data Usage Control will be a business enabler, Security is not a showstopper
- Fraunhofer IESE provides strong competences for Smart Ecosystem challenges

Dr. Jörg Dörr
Fraunhofer IESE
+49 631 6800 1601
joerg.doerr@iese.fraunhofer.de