To explore the feasibility of the deepening of the Port of Waterford and exploit its commercial potential as a load-on load-off Port
and to maximise new business opportunities that may emerge from recent increased airport security and baggage restrictions.
and level of expertise in the logistics industry can be built upon to create further business opportunities and exploit emerging trends.
Rosslare Europort will need to be very cost-competitive to counter this threat while simultaneously investing in shore-side infrastructure to be in a position to grasp emerging business opportunities
and the associated loss of revenue to the Port, may put this necessary investment at risk
There are opportunities for the ferry companies to maximise visitor numbers with the increasing perceived hassle of airports from recent baggage and security measures.
a major Coastguard base, private and business aviation, cabin crew training, and light aircraft maintenance. Albeit from a low base, the airport achieved a fourfold increase in passenger numbers between 2003 and 2008
Manufacturing faces a threat from what has become known as the 'patent cliff'. Cheaper overseas competition will increasingly threaten this sector in Ireland as many drugs are imminently due to fall out of patent
and security systems, to providing lower-end support services such as systems and network administration and user support,
the risk of stifling the growth these tech businesses can create, they said Mike Sikorski is CEO of Huggity, a
to the risk of digital issues falling through the cracks, while politicians such as Kroes argue it should be hardwired into all
Of course there are risks, and there will be challenging questions for us to answer as we enter this new reality, a time when
or when new opportunities and threats indicate a need for reinvention (Johnson et al., HBR 2008)
national security and the quality of life. Not since the opening of "the atomic age," with its promises of power
too cheap to meter and threats of nuclear incineration, has a technology so deeply captured the imagination of
security (65.2%) and access to catalogues and price lists (52.8%).
Services available on the website (percentage over the total number of companies with 10 or more employees and an Internet connection): privacy policy statement or certification related to website security, 65.2; access to product catalogues or price lists, 52.8.
laws (32.3%), the risk of corporate security holes (31%) and the high price of Cloud Computing services (27.8%)
• the risks involved in change. When a person perceives certain risks associated with the expected change at the personal, group or organizational level,
even if he trusts its promoters and the end result, he will show some restraint or opposition to engaging in change.
The ability to take risks, tolerance for the ambiguity inherent in innovation, and resistance to stress are reduced.
Very few people are prepared to give up their favoured ideas in the face of obvious risks. It is difficult to give
i.e. employees must be shown opportunities and threats in a convincing manner, and in particular the EU would achieve this by making them aware of the need for
change; the remaining 39.82% saw the change as a threat. Manifestations of resistance to change
usually brings high capital costs and risks. Enhanced cooperation between different actors will help to
yet, there are risks and limitations associated with citizen engagement, and further research is needed to understand the impact of
First, the term risks becoming a buzzword, leading to a loss of credibility and support, as well as unjustified concentration
risks and challenges. For instance, the value of engagement tends to be contingent on the form and practice of that activity, the context in which it
risks associated with a low quality version of it spreading. Receptive contexts. Lastly, we emphasise the significance of receptive
financial risks that acquiring external growth capital brings, social innovators tend to favour it. However
ways to exploit investment models through more effective mechanisms of reducing investment capital costs, which are the main barrier for this form of
resourcing social innovation may share risks, allocate costs, and distribute benefits more effectively.
economic risk; a minimum amount of paid work. The social dimension consists of three as well:
need the management and business skills to exploit market opportunities to set up and grow a social
First, the term risks becoming a buzzword or a passing fad, as many organisations adopt the
marked by a high degree of risk and uncertainty due inter alia to the specific context wherein they appear'. Social innovations
• High degree of risk and uncertainty • Disruptive • Can't presume good from outset
risk-taking behavior. Yet another internal variable is investment in R&D (Birchall et al. 1996; Oerlemans et al.
innovation due to a much higher level of risk and unpredictability, which is offset by the product's possibility to open
at org.apache.pdfbox.pdmodel.encryption.SecurityHandler.encryptData(SecurityHandler.java:312)
at org.apache.pdfbox.pdmodel.encryption.SecurityHandler.decryptStream(SecurityHandler.java:413)
at org.apache.pdfbox.pdmodel.encryption.SecurityHandler.decrypt(SecurityHandler.java:386)
at org.apache.pdfbox.pdmodel.encryption.SecurityHandler.decryptObject(SecurityHandler.java:361)
at org.apache.pdfbox.pdmodel.encryption.SecurityHandler.proceedDecryption(SecurityHandler.java:192)
at org.apache.pdfbox.pdmodel.encryption.StandardSecurityHandler.decryptDocument(StandardSecurityHandler.java:158)
at org.apache.pdfbox.pdmodel.PDDocument.openProtection(PDDocument.java:1597)
at org.apache.pdfbox.pdmodel.PDDocument.decrypt(PDDocument.java:943)
at org.apache.pdfbox.util.PDFTextStripper.writeText(PDFTextStripper.java:337)
education to harness and maximise the potential benefits while minimising risks of globalisation and innovation.
development of sustainable knowledge societies, identifying potential threats to, and opportunities for, their implementation. Indeed, one of the crosscutting themes in UNESCO's Medium Term
cloud computing, enhanced privacy and security features and advanced multimedia capabilities. This core platform will be based on integration of already existing re
• Security and Trust • Experiments and Experimental Design • Future Internet Areas
Security and Trust: Introduction to Part III ... 163
Security Design for an Inter-Domain Publish/Subscribe Architecture ... 167 (Kari Visala, Dmitrij Lagutin, and Sasu Tarkoma)
Engineering Secure Future Internet Services ... 177 (Wouter Joosen, Javier Lopez, Fabio Martinelli, and Fabio Massacci)
Towards Formal Validation of Trust and Security in the Internet of Services ... 193 (Roberto Carbone, Marius Minea, Sebastian Alexander Mödersheim)
mobility, ubiquitous access, usage, security including trust and privacy. The content of this area includes eight chapters covering some of the above architec
security, provenance, consistency, versioning and availability; it glues together reusable information fragments into meaningful structured and integrated documents without the need of a
In case data protection/encryption methods are employed (even using asymmetric encryption and public key methods), data cannot be stored/handled efficiently.
On the other hand, lack of encryption violates the user and data privacy. More investigations into the larger privacy and
data protection ecosystem are required to overcome current limits of how current information systems deal with privacy and protection of information of users, and
Lack of data integrity, reliability and trust, targeting the security and protection of data; this issue covers both unintended disclosure and damage to integrity from
and vulnerabilities to malicious attacks. iv. Lack of efficient caching & mirroring: There is no inherent method for on-path
Security requirements of the transmission links: Communications privacy does not only mean protecting/encrypting the exchanged data
including encryption of protocols/information/content, tamper-proof applications etc.) but also protecting the communication itself,
v. Security of the whole Internet Architecture. The Internet architecture is not intrinsically secure and is based on add-ons to, e.g., protocols,
• Accountability of resource usage and security without impeding user privacy, utility and self-arbitration:
• Security: see Subsection 3.5 point 5, Subsection 3.1 points 2 and 3
Trust and Security. The authors would like to acknowledge and thank all members of the group for their significant input and the EC Scientific Officers Isidro Laso Balles
promotes diversity, and promises security and increased manageability. We define In-Network clouds as an integral part of the differentiated Future Inter
framework services share common security, metadata, administration, and management services. The DOC enables the following functions across the orchestration
Since each domain may have different SLAs, security and
supporting context-aware communications that efficiently exploit the available network resources. Furthermore, context-aware networking enables new types of appli
with the Context Information Base and support for access control. The Context Processing Module (CP) is responsible for the context management,
using mechanisms that exploit the business requirements, other forms of context and context usage statistics.
safety, security/identity checking, video surveillance, etc. Predictions state that there will be 225 million cellular M2M devices by 2014 with little traffic per node but re
This problem emerges because current QoS assurance mechanisms in the IP world require improvements to replace the Layer 2 QoS schemes of the tradi
knowledge relating to security functionality and the use of policy rules to control end-to-end configuration of this functionality can provide a basis for the support of flexible
Proc. of the 13th International Security Protocols Workshop, Cambridge, UK (April 2005). 27. Jennings, B., et al.:
Access control functionality is essential to ensure that only authorized resource users are able to access the resources.
and associated security mechanisms that are required to enable dynamic loosely-coupled systems. The number of participants can be m:
A comprehensive security framework provides functions for the realization of a variety of different trust relationships.
a security token service for resource users and AAA (Authentication, Authorization and Accounting) service to enforce access at the access controlled entities covering
licensing, security, provenance, consistency, versioning and availability; it glues together reusable information fragments into meaningful structured and inte
privacy, licensing, security, provenance, consistency, versioning and availability 5. IDN glues together reusable information fragments into meaningful structured and
growth of small and/or mobile devices and sensors, of services and of security requirements began to show that the current Internet is becoming itself a bottleneck.
approach to properly meet new requirements in security, privacy and economic sustainability. GENI 6 (Global Environment for Network Innovations) is a virtual labo
towards closed-loop algorithms and procedures which are able to properly exploit appropriate real-time network measurements.
A so-called Supervisor and Security Module (not shown for clarity reasons in Fig. 2) is embedded in each Cognitive Manager, supervising the whole Cognitive Manager
and, at the same time, assuring the overall security of the Cognitive Manager itself, e.g., including end-to-end encryption, Authentication, Authorization and Accounting
(AAA) at user and device level, Service Security, Intrusion Detection, etc. Another key role of this module is to dynamically decide, consistently with the application
protocols, the Cognitive Manager functionalities which have to be activated to handle
-bility, QoS and security. The changing needs of the entities may vary depending on the context of the
OVM (Ontology for Vulnerability Management) to support security needs 35; NetQoSOnt (Network QoS Ontology) to meet the needs of service quality
Payload Size Control equal to 84 Bytes; and Delivery Guarantee request. In this context, this need is informed, to the Service Layer, by the direct
-tion of the entities and the formalization of security mechanisms for the Entity Title Model.
IEEE/IFIP New Technologies, Mobility and Security Conference (2009). 24. Pereira, J. H. S., Kofuji, S. T., Rosa, P. F.:
IEEE/IFIP New Technologies, Mobility and Security Conference (2009). 25. Pereira, J., Sato, L., Rosa, P., Kofuji, S.:
Security. Information Security Journal: A Global Perspective (2010). 36. Wong, W., et al.: An Architecture for Mobility Support in a Next Generation
Internet. In: The 22nd IEEE International Conference on Advanced Information Networking and Applications (AINA) (2008)
the risks, challenges, and usability aspects of this network of networks. As collected by the FISE (Future Internet Socioeconomics) working group within
The investigation of (European) regulation for e-services markets and security regulations; (7) The investigation of the physical environment of e-services in terms of
consideration, since detailed and specific security demands, electronic identities, or Quality-of-Experience (QoE) will outline societal requirements to be met by techno
resources, exploit the native self-organizing incentive-based mechanisms of overlays to increase the level of traffic locality within ISPs
and has some security benefit. As a counter-example, IPv6 deployment has a cost to the end host to support the dual stack, but the
the wider scenario requires extra critical functionality, for example, security features if the initial scenario is trusted within a domain.
The framework also ignores factors such as risks (deployment is harder if the associated risk is higher), regulatory requirements and the role of hype and "group think"
because signalling in the payload is more likely to get traumatised by some middleboxes. • There is a separate connection-level sequence number, in addition to the stan
TCP-Options for signalling (rather than the payload) is that it should simplify off-loading by network cards that support MPTCP, due to the separate handling of
• These factors reduce the deployment risk, especially as it should also be easier to
CCTA Risk Analysis and Management Method) 7 have similar objectives to our methodology. The former,
and quantifying security risks in organizations. The situations analyzed by the aforementioned methodologies are often asso
and expectations, openness to risk and innovation. Furthermore, it should be studied whether and how these attributes,
-pact assessment (3a) could be performed by mathematical models for assessing risk or utility, as well as providing benchmarks like the price of anarchy ratio.
other hand, risk assessment techniques seem more relevant for the second tussle since high congestion can have an impact on ISP's plans to offer other real-time services
Risk assessment techniques could be used in this case, as well as models for estimating social welfare loss. A side-effect of this
less informed party, then setting, for example, a low price would increase his risk of being selected by the least profitable customers.
effort and care are suggested as a countermeasure for moral hazard issues. Similarly the proposed way for mitigating the effects of adverse selection is for the less in
secure from unwarranted surveillance. However, the issue turns into a tussle over the very definition of what constitutes unwarranted surveillance, and when surveillance
may be warranted in ways that individual users are willing to forego their privacy concerns in the interest of broader societal concerns.
that in order to protect national security, they must be given access to network communication data. Furthermore, ISPs and other companies such as Google and Amazon
the societal risks and values surrounding a platform that could potentially distribute previously secret documents.
-sessed by philosophers and politicians as well as security and trust experts. 4 Survey of Work on Social and Economic Tussles as
deal with this security problem and the fears that it raises among end-users. There is a
an ASP's revenues (the "consumer") due to its higher investment risks and operational costs.
allow network providers to offer inter-domain QoS assurance and obtain higher bargaining power during negotiations for service terms (e.g. pricing).
Part III: Future Internet Foundations: Security and Trust. Introduction. If you are asking for the major guiding principles of Future Internet technology and
applications, the answer is likely to include "sharing and collaboration". Cloud computing, for instance, is built on shared resources and computing environments, offer
-gies, applications and users to the next level of evolution, it also raises security and privacy concerns and introduces additional protection needs.
in addition, change the threat model and increase the attack surface. An attack can potentially be launched by a malicious or fake ser
design security and trust solutions that scale to Future Internet complexity and keep the information and resource owner in control, balancing potentially conflicting re
protection needs in terms of declarative policies is key, as well as providing assurance about security properties of exposed services and information
The chapters presented in the Security and Trust section of this volume look at the challenges mentioned above from three different angles.
First, Future Internet principles are supported by revised communication paradigms, which address potential security issues from the beginning,
but also imply the need for novel solutions like integrity and availability. The chapter "Security Design for an Inter-domain Publish/Subscribe Architecture" by K. Visala et al. looks into the security implications of a data-centric approach for the Future Internet, replacing point-to-point communication
introduce a security architecture based on self-certifying name schemes and scoping that ensure the availability of data
of how clean-slate approaches to the Future Internet can support security needs by design, rather than provided as an add-on to an existing approach,
The second group of chapters investigates the provision of assurance of the security properties of services and infrastructures in the future Internet.
evidence and a systematic approach to ensure that best security practices are applied in the design and operation of Future Internet components are essential to provide the
-size multilateral security requirements, the composability of secure services, the provision of assurance through formal evidence and the consideration of risk and cost
arguments in the Secure Development Life cycle (SDLC). The authors propose security support in programming and execution environments for services, and suggest
of Future Internet specific security engineering research strands. One of the major ingredients of this program, the provision of security assurance through formal validation of security properties of services, is investigated in detail in the chapter "Towards Formal Validation of Trust and Security in the Internet of Services" by R. Carbone et
al. They introduce a language to specify the security aspects of services and a validation platform based on model-checking. A number of distinguished features ensure the feasibility of the approach to Future Internet scenarios and the scalability to its
complexity: it supports service orchestration and hierarchical reasoning, the language is sufficiently expressive so that translators from commonly used business process
-strate the way towards rigorous security and trust assurance in the future Internet, addressing one of the major obstacles preventing businesses and users from fully exploiting
the Future Internet opportunities today. While engineering and validation approaches provide a framework for the secure
chapters looks into specific instances of the information sharing and collaboration
principle and introduces novel means to establish their security. The chapter "Trustworthy Clouds underpinning the Future Internet" by R. Glott et al. discusses the latest
trends in cloud computing and related security issues. The vision of clouds-of-clouds describes collaboration and federation of independent cloud providers to provide
faces new security risks, from the breach of separation between tenants to the compliance challenge in case of distribution over different regulatory domains.
discuss these risks and provide an outlook on their mitigation, embedded in a systematic security risk management process.
In cloud computing, but also in most other Future Internet scenarios like the Internet of Services, the need for data exchange
how security and trust risks emerging from the increased level of sharing and collaboration in the future Internet can be mitigated,
Security Design for an Inter-Domain Publish/Subscribe Architecture. Kari Visala, Dmitrij Lagutin, and Sasu Tarkoma
In this paper we present a security design through the network stack for a data-centric pub/sub architecture that achieves
and allows application-specific security policies while remaining scalable. We analyse the solution and examine the mini
security properties advertised. Keywords: Future Internet, publish/subscribe networking, network security. 1 Introduction. Data-centric pub/sub as a communication abstraction 2, 3,
4 reverses the control between the sender and the receiver. Publication in the middle decouples the publisher
and the security design presented here covers all these as a whole. In this paper we refine and extend our work in 5
support many types of application-specific security policies. Some of the techniques used in our architecture,
Our security goals concur with 1 except that confidentiality and privacy are expected to be handled on top of the network layer
The security goals are: • Availability, which means that the attackers cannot prevent communication be
• Application-specific security policies, which mean that the architecture can cater for the specialized security policies of different types of applications while par
-tially the same resources can be shared by them. In addition to the aforementioned goals, the solution is restricted by the requirements of
determine the distribution policies such as access control, routing algorithm, reachability, and QoS for the publication and may support transport abstraction specific
scope must be trusted by the communicating nodes to function as promised and much
of the security of our architecture is based on this assumption as we explain in 5
that is used for the payload communication. The data-centric paradigm is a natural match with the communication of topology information that needs to be distributed
-tial latency for the payload communication as popular operations can be completed locally based on cached data
A graphlet defines the network resources used for the payload communication and it can be anything from the path of an IP packet to private virtual circuits.
payload communication. A graphlet adheres to a set of scopes that are responsible for policy-compliant matching of nodes to interaction instances, collecting the needed
Here the security model only guarantees the integrity of the association between an identifier and its content.
can be achieved by encryption of the content and/or the labels. Fig. 1 depicts a simplified example of a "my movie edit meta-data" publication that
but they are assumed not to have a long life-time as the security mechanism is cou
on a per-segment basis in the payload communication, we use packet level authentication (PLA) 25 that uses elliptic curve cryptography (ECC) 23.
Fig. 1. Publications can refer to other publications persistently using long-term Aids.
delivery tree) that can then be used for the fast-path payload communication. At every level of the hierarchy, the rendezvous core provides an anycast routing to the
-tion data or pending subscription alive.
description of the rendezvous security mechanisms. Scopes, however, can have varying implementations. When a cached result cannot
security solutions. A data-oriented network architecture, DONA 4, replaces a traditional DNS-based namespace with self-certifying flat labels,
Security issues of the content-based pub/sub system have been explored in 7. The work proposes secure event types,
5.1 Security Mechanisms. Most existing network layer security proposals utilize hash chains or Merkle trees
8. Examples of hash chain based solutions include TESLA 9, which is based on a timed hash chain scheme,
and ALPHA 10 that relies on interaction between the sender and receiver. While hash chain approaches are very lightweight,
Accountable Internet Protocol (AIP) 11 aims to improve security by providing accountability on the network layer.
Identity-based encryption and signature scheme (IBE) 12 allows a label, e.g., the user's e-mail address, to be used as the user's public key,
Security issues and requirements for Internet-scale publish-subscribe systems. In: HICSS '02, Hawaii, USA (2002)
Roles and Security in a Publish/Subscribe Network Architecture. In: ISCC '10, Riccione, Italy (2010). 6. Clark, D., Wroclawski, J., Sollins, K., Braden, R.:
engineering and security engineering. Generic solutions that ignore the characteristics of Future Internet services will fail,
assurance to the stakeholders and enable risk and cost management for the business stakeholders in particular.
order to jointly enable the security and trustworthiness of Future Internet services. 1 Introduction. 1.1 Future Internet Services
vulnerabilities and risks as the number of trust domains in an application gets multiplied, the size of attack surfaces grows
and so does the number of threats. Furthermore, the Future Internet will be an intrinsically dynamic and evolv
as both risks and assumptions are hard to anticipate. Moreover, both risks and assumptions may evolve;
thus they must be monitored and reassessed continuously. 1.2 The Need for Engineering Secure Software Services
and security breaches in these services may lead to large financial loss and damaged reputation
We need to enable assurance: approving that the developed software is secure. Assurance must be based on justifiable evidence
and the whole process designed for assurance. This would allow the uptake of new ICT-services according to the latest Future Internet paradigms, where services
are composed of simpler services (provided by separate administrative domains) integrated using third parties' infrastructures and platforms.
Thus, embedding risk/cost analysis in the SDLC is currently one of the key research directions in order to link security concerns with business needs and
thus supporting a business case for security matters. Our research addresses the early phases of the development process of ser
-vices, bearing in mind that the discovery and remediation of vulnerabilities during the early development stages saves resources.
Thus our joint research activities fall in six areas: (1) security requirements for FI services, (2) creating secure
service architectures and secure service design, (3) supporting programming environments for secure and composable services, (4) enabling security assurance
integrating the former results in (5) a risk-aware and cost-aware software development life-cycle (SDLC),
and (6) the delivery of case studies of future internet application scenarios. The first three activities represent major and traditional stages of (secure
Both the security assurance programme and the programme on Risk and Cost aware SDLC will interact with each of the initial
three activities, drive the requirements of these activities and leverage upon, or even integrate, their outcome.
2 Security Requirements Engineering. The main focus of this research strand is to enable the modeling of high-level
The need for assurance in the future Internet demands a set of novel engineering methodologies to guarantee secure system behavior and provide credible
evidence that the identified security requirements have been met from the point of view of all stakeholders.
The security requirements of Future Internet applications will differ considerably from those of traditional applications.
in a service composition and each one will have its own security requirements. Hence, eliciting, reconciling,
and modeling all the stakeholders' security requirements becomes a major challenge 5. Multilateral Security Requirements Anal
-ysis techniques have been advocated in the state of the art 14 but substantial research is still needed. In this respect, agent-oriented and goal-oriented ap
Furthermore, it is important that security requirements are addressed from a higher level perspective, e.g., in terms of the actors' relationships with each
-sider security only at the technological level. In other words, current approaches provide modeling and reasoning support for encryption,
authentication, access control, non-repudiation and similar requirements. However, they fail to capture the high-level requirements of trust, privacy, compliance, and so on
-ployments inherit security risks from the classical Internet and, at the same time, create new and more complex security challenges.
Examples include illicit tracking of RFID tags (privacy violation) and cloning of data on RFID tags (identity
-ing attackers), the elicitation of high-level security goals for all stakeholders and the identification and resolution of conflicts among different stakeholder
security goals • The refinement of security goals into more detailed security requirements for
specific services and devices • The identification and resolution of conflicts between security requirements
and other requirements (functional and other quality requirements) • The transformation of a consolidated set of security requirements into secu
-rity specifications. The four objectives listed above obviously remain generic by nature; one should bear in mind, though, that the forthcoming techniques
so security enforcement mechanisms are indispensable. The design phase of the software service and/or system is a timely moment to enforce
these security mechanisms, since by that phase one must already have grasped a thorough understanding of the application domain and of the requirements to
The security architecture for the system must enforce the visible security properties of components and the relationships between them.
assess and reason about security mechanisms at an early phase in the software development cycle. The research topics one must focus on in this subarea relate to model-driven
architecture and security, the compositionality of design models and the study of design patterns for FI services and applications.
high-level security policies. Then, by automation, this model could be converted into another more specific model, in which the security policies become more
detailed, closer to the enforcement mechanisms that will fulfil them. This process should be applied until a basic version of the application architecture can be
The integration of security aspects into this paradigm is the so-called model-driven security 6, leading to a design-for-assurance methodology in which every
step of the design process is performed taking security as a primary goal. A way of carrying out this integration includes first decomposing security concerns
so that the application architecture and its security architecture are decoupled. This makes it possible for architects to assess more easily tradeoffs among different
security mechanisms, simulate security policies and test security protocols before the implementation phase, where changes are typically far more expensive
In order to achieve this, one first needs to convert the security requirements models into a security architecture by means of automatic model transformations. These transformations are interesting, since whilst requirements belong to the problem domain, the architecture and design models are within the solution domain, so there is an important gap to address. In the context of security modeling, it is extremely relevant to conceive ways to model usage control (e.g., see [21,22,18]), which encompasses traditional access control, trust management and digital rights management and goes beyond these building blocks in terms of definition and scope. Finally, by means of transformation patterns, it is required to research new ways to map the high-level policies established at
what kind of security architecture is required in the context and how to carry out the decomposition of such fairly novel architectures
concerns – security among them – of the whole application have been separated into different models,
-ferent concerns – even different security sub-architectures for different security requirements – it is required to ensure that the composition of all these architec
so threats in the environment may change over time and some reconfiguration may be required to adapt to those changes
and risks usually arising from uncertainty, leveraging a risk- and cost-aware. There are large catalogues and surveys on security patterns available [26,13], but the FI
applications yet to come and the new scenarios enabled by FI need to extend and
tailor these catalogues. In this context, the first step is to study the patterns currently available and, more importantly, to analyze the relationships
be analyzed, both from a general perspective and from a security perspective for security-critical software systems
4 Security Support in Programming Environments
Security support in programming environments is not new; still, it remains a grand challenge, especially in the context of Future Internet (FI) Services. Securing Future Internet Services is inherently a matter of secure software and systems
The context of the future internet services sets the scene in the sense that (1
The search for security support in programming environments has to take this context into account.
the expected security value unless the programs (code) respect these security artefacts that have been produced in the preceding stages.
This sets the stage for model-driven security, in which transformations of architecture and design artefacts are essential, as well as the verification of code compliance with various
184 W. Joosen et al.
Some of these properties have been embedded in the security-specific elements of the software design;
others may simply be high-priority security requirements that have been articulated – such as the appropriate treatment of con
Supporting security requirements at the programming – code – level requires a comprehensive approach. The service creation means must be improved and
extended to deal with security needs. Service creation means both aggregating and composing services from preexisting building blocks (services and more tra
One could argue that security support for service creation must focus on and enable better static verification.
and building blocks that facilitate effective security enforcement at run-time. Depending on the needs and the state of the art, this
the application logic consistently interacts with underpinning security mechanisms such as authentication or audit services.
the underpinning security mechanisms and services (e.g. supporting mutual non-repudiation, attribute-based authorization in a cloud platform, etc.)
security characteristics. The business compositions are very dynamic in nature and span multiple trust domains, resulting in a fragmentation of ownership of
-position languages must support means to preserve at least the security policy of those services being composed. The research community needs to consider the
Many security vulnerabilities arise from programming errors that allow an exploit. The Future Internet will further reinforce the prominence of highly distributed
ensure that no security hole arises from implementations that exploit the computational infrastructure of the Future Internet.
language-based security, in particular type systems, to enforce best practices currently used in order to prevent cross-site scripting attacks and similar vul
while still maintaining security.
4.3 Platform Support for Security Enforcement
Future Internet applications span multiple trust domains, and the hybrid aggregation of content and functionality from different trust domains requires complex cross-domain security policies to be enforced, such as end-to-end information flow, cross-domain interactions and usage control.
In effect, the security enforcement techniques that are triggered by built-in security services and by
realistic in the FI setting, must address the challenge of complex interactions and of finely grained control [15].
the enforcement of fine-grained security policies via execution monitoring. Secure Cross-Domain Interactions.
-tions, and from a security perspective, the SOP is not strong enough to achieve the appropriate application isolation
run-time execution monitors that can provably enforce advanced security policies [19,3], including fine-grained access control policies, usage control policies and information flow policies [24]. Supporting Security Assurance for FI Services. Assurance will play a
central role in the development of software-based services to provide confidence about the desired security level.
Assurance must be treated in a holistic manner as an integral constituent of the development process, seamlessly informing and
giving feedback at each stage of the software life cycle by checking that the related models and artefacts satisfy their functional and security requirements
and constraints. Obviously, the security support in programming environments that must be delivered will be essential to establish a transverse methodology that
enables assurance to be managed throughout the software and service development life cycle (SDLC). The next section clarifies these issues.
5 Embedding Security Assurance and Risk Management during SDLC
Engineering secure Future Internet services demands at least two transversal issues: security assurance, and risk and cost management during the SDLC.
5.1 Security Assurance
The main objective is to enable assurance in the development of software-based services to ensure confidence about their trustworthiness. Our core goal is to establish a transverse methodology that enables assurance to be managed throughout the software development life cycle (SDLC). The methodology is based on two strands: a first sub-domain covers early assurance at the level of requirements,
architecture and design. A second sub-domain includes the more conventional and complementary assurance techniques based on implementation
Assurance during the Early Stages of SDLC. Early detection of security failures in Future Internet applications reduces development costs and improves
assurance in the final system. This first strand aims at developing and applying
assurance methods and techniques for early security verification. These methods are applied to abstract models that are developed from requirements to detailed
designs. One main area of research is stepwise refinement of security, by developing refinement strategies, from policies down to mechanisms, for more complex
Engineering Secure Future Internet Services 187
secure protocols, services, and systems. This involves the definition of suitable service and component abstractions (e.g., secure channels) and the setup of the corresponding reasoning infrastructure (e.g., facts about such channels). Moreover, we need to extend the refinement framework with compositional techniques
for model-based secure service development. Model decomposition supports a divide-and-conquer approach, where functional and security-related design as
-pects can be refined independently. Model composition must preserve the refinement relation and component properties.
Our aim is to offer developers support for smoothly integrating security aspects into the system development process
at any step of the development. Enabling rigorous and formal analysis processes. There is an increasing de
automated) reasoning about the security policy models. The methodologies must be supported by automatic protocol verification
-plex primitives and security properties. Moreover, the Dolev-Yao attacker model [9] used by these tools needs to be extended to include new attack possibilities
In addition, for assurance, there is the need to extend model checking methods to enable automatic generation of protocol correctness proofs
Security Assurance in Implementation. Several assurance techniques are available to ensure the security at the level of an implementation.
Security policies can be implemented correctly by construction through a rigorous secure programming discipline. Internet applications can be validated through testing.
In that case, it is possible to develop test data generation that specifically targets the integration of services, access control policies or specific attacks.
Moreover, implementations can be monitored at run-time to ensure that they satisfy the required security properties.
Complementing activities are related to secure programming. This strand addresses a comprehensive solution for program verification, while adding a particular focus on session management in concurrent and distributed service compositions
maximize the efficiency of the security testing process, and testing of policies
latter part will focus on access control policies. Finally, an important set of activities relates to run-time verification.
provide the final assurance that the latter cannot deliver, be it for scientific and
Security concerns are specified at the business level but have to be implemented in complex distributed and adaptable
We need comprehensive assurance techniques in order to guarantee that security concerns are taken correctly into account through the
whole SDLC. A chain of techniques and tools crossing the above areas is planned. Security Metrics.
Measurements are essential for objective analysis of security systems. Metrics can be used directly for computing risks (e.g., probability of threat occurrence) or indirectly (e.g., time between antivirus updates). Security metrics in Future Internet applications become increasingly important. Service-oriented architectures demand assurance indicators that can explicitly indicate the quality of protection of a service,
and hence indicate the effective level of trustworthiness. These metrics should be assessable and communicable to third parties. Clients want to be sure that their data outsourced to other domains, which the clients cannot control,
5.2 Risk- and Cost-Aware SDLC
There is a need to create a methodology that delivers a risk- and cost-aware SDLC for secure FI services. Such a life cycle model aims to ensure the stakeholders' return on investment when implementing security measures during various stages of the SDLC. We can envision several aspects of this kind of SDLC support (see also [4]
incremental phases, the risk and cost analysis will undergo new iterations for each phase. As such, the results of the initial risk
one needs to develop methods and techniques for the refinement of risk analysis documentation.
Such refinement can be obtained both by refining the risk models, e.g. by detailing the description of relevant threats and vulnerabilities, and by accordingly refining the system and service models. Aggregation: In order to accommodate a modular software development pro
analysis of risks and costs. In a compositional setting, risks also become compositional and should be analysed and understood as such. This requires, however, methods for aggregating the global risk level through risk composition, which will be investigated. Evolution: The setting of dynamic and evolving systems furthermore implies that risk models and sets of chosen mitigations are dynamic
and evolving. Thus, in order to maintain risk and cost awareness, there is a need to continuously reassess risks and identify cost-efficient means for risk mitigation as a response
to service or component substitution, evolving environments, evolving security requirements, etc., both during system development and operation.
Based on the modular approach to risk and cost analysis one needs methods to manage the dynamics of risks.
In particular, the process for risk and cost analysis is highly iterative, supporting updates of global analysis results through the
analysis of only the relevant parts of the system as a response to local changes
and evolutions. Interaction: The methodology of this strand spans the orthogonal activities of security requirements engineering, secure architecture and design, secure programming as well as assurance, and the relation to each of these ingredients must be investigated. During security requirements engineering, risk analysis facilitates the identification of relevant requirements. Furthermore, methods for risk and cost analysis offer support for the prioritization and selection among requirements through, e.g., the evaluation of trade-offs between alternatives or the impact of priority changes on the overall level of risks and cost.
In the identification of security mechanisms intended to fulfil the security requirements, risk and cost analysis can be utilized in selecting the most cost-efficient mechanisms. The following architecture and design phase incorporates the security requirements
into the system design. The risk and cost models resulting from the previous development phase can at this point be refined
and elaborated to support the management of risks and costs in the design decisions. Moreover, applying cost
metrics to design models and architecture descriptions allows early validation of cost estimates. Such cost metrics may also be used in combination with security
metrics for the optimization of the balance between risk and cost. The assurance techniques can therefore be utilized in providing input to risk and cost analysis, and in supporting the identification of means for risk mitigation based on security metrics.
6 Conclusion
We have advocated in this paper the need and the opportunity for firmly establishing a discipline for engineering secure Future Internet Services, typically based on research in the areas of software engineering, security engineering and service engineering. We have clarified why generic solutions that ignore the characteristics of Future Internet services will fail:
the peculiarities of FI services must be reflected upon and be addressed in the proposed and validated solution
The various lines of research and the strands within each research line have been articulated while founding the NESSoS Network of Excellence (www.nessos
The AVISPA tool for the automated validation of Internet security protocols and applications. In: Etessami, K., Rajamani, S.K. (eds.)
Composing security policies with Polymer. SIGPLAN Not. 40, 305–314 (2005)
4. Braber, F., Hogganvik,
Model-driven security in practice: An industrial experience. In: Schieferdecker, I., Hartman, A. (eds.)
and analysis of security protocols. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 414–418
On the security of public key protocols. In: Proceedings of the 22nd Annual Symposium on Foundations of Computer Science, Washing
-ceedings of the 2000 IEEE Symposium on Security and Privacy, Washington, DC, USA, pp. 246–255.
Modelling security and trust with Secure Tropos. In: Integrating Security and Software Engineering: Advances and Future
Vision, IDEA (2006)
13. Open Group: Security design pattern technical guide, http://www.opengroup.org/security/gsp.htm
14. Gürses, S.F., Berendt, B., Santen, T.: Multilateral security requirements analysis for preserving privacy in ubiquitous environments. In: Proc. of the Workshop on Ubiquitous Knowledge Discovery for Users at ECML/PKDD, pp. 51–64 (2006)
15. Hamlen, K.W., Morrisett, G., Schneider, F.B.: Computability classes for enforcement mechanisms.
Extracting relations among security patterns. In: SPAQu'08 (Int. Workshop on Software Patterns and Quality) (2008)
Usage control in computer security: A survey. Computer Science Review 4(2), 81–99 (2010)
19. Le Guernic, G., Banerjee, A., Jensen, T., Schmidt, D.A.:
Security services architecture for secure mobile grid systems. Journal of Systems Architecture, in press (2010)
Language-based information-flow security. IEEE Journal on Selected Areas in Communications 21(1) (2003)
A survey on security patterns. Progress in Informatics 5, 35–47 (2008)
Towards Formal Validation of Trust and Security in the Internet of Services
Roberto Carbone1, Marius Minea2, Sebastian Alexander Mödersheim3, Serena Elisa Ponta4,5, Mathieu Turuani6,
1 Security & Trust Unit, FBK, Trento, Italy
2 Institute e-Austria, Timişoara, Romania
the trust and security impact of an option, a minor change, a combination of functionalities, etc.
The formal verification of trust and security of the Internet of Services will significantly boost its development and public acceptance.
of trust and security issues, but solving them is extremely hard since making the service components trustworthy is not sufficient:
to new, subtle and dangerous vulnerabilities due to interference between component services and policies, the shared communication layer, and application
-port for the discovery of important vulnerabilities and associated exploits that are already plaguing complex web-based security-sensitive applications, and thus severely affect the development of the Future Internet. Moreover, security validation should be carried out at all phases of the service development process, in particular during the design phase by the service designers themselves or by security analysts who support them in their complex tasks, so as to prevent the production and consumption of already flawed services. Fortunately, a new generation of analyzers for automated security validation
at design time has been recently put forth; this is important not just for the results these analyzers provide,
-sumption time, thereby significantly improving the all-round security of the IoS. In this chapter, we give a brief overview of the main scientific and industrial chal
and automated validation of trust and security of service-oriented architectures (SOAs). This technology, which involves the design of a suitable specification lan
network and service infrastructures, enhance their security and robustness, and thus increase the development and public acceptance of the IoS.
that have been developed for the verification of trust and security of services. In Section 4,
and security of SOAs is complex due to three main characteristics of service orientation. First, SOAs are heterogeneous:
Second, SOAs are also distributed systems, with functionality and resources
Third, SOAs and their security requirements are continuously evolving: services may be composed at runtime, agents may join or leave, and client credentials are affected by dynamic changes in security policies (e.g., for incidents or emergencies). Hence, security policies must be regarded as part of the service specification and as first-class objects exchanged and processed by services. The security properties of SOAs are,
moreover, very diverse. The classical data security requirements include confidentiality and authentication/integrity of the communicated data.
More elaborate goals are structural properties (which can sometimes be reduced to confidentiality and authentication goals) such as
authorization (with respect to a policy), separation or binding of duty, and accountability or non-repudiation. Some applications may also have domain
Various languages have been proposed to model trust and security of SOAs, e.g., BPEL [24], π-calculus [19], F# [5], to name a few.
-cated to specifying trust and security aspects of services, their composition, the properties that they should satisfy
defined to be close to specification languages for security protocols/services and to procedural and object-oriented programming languages.
they can be used to describe service workflows and steps in security protocols. For instance, an employee (Alice) changing group membership at the
Finally, we need to model the security properties. While this can be done by using different languages,
purposes, no agent can access both files f1 and f2.
their required security properties and associated policies. In particular, one has to consider the various ways in which component services can be coordinated
-neous security contexts is to integrate different technologies into a single analysis tool, in such a way that they can interact and benefit from each other's features
a variety of e-business scenarios possibly bound to complex security policies. When security constraints are to be respected, it can be very complex to discover or even to describe composition scenarios. This motivates the introduction
-structed with respect to security goals using the techniques we developed for the verification of security protocols.
3.2 Model Checking of SOAs
Model checking [13] is a powerful and automatic technique for verifying con
been obtained for the analysis of security protocols. In the context of SOAs, a model-checking problem is the problem of determining whether a given model –
– enjoys the security properties specified by a given formula. As mentioned in Section 2, these security properties can be complex, requiring an expressive logic. Most model-checking techniques in this context make a number of simplify
Yet we might be interested in establishing the security of a service that relies on a less insecure channel.
enjoying some given security properties (e.g., TLS is often used as a unilateral or bilateral authentic and/or confidential communication channel),
communication channels enjoying security-relevant properties, such as authenticity, confidentiality, and resilience. Among general model-checking techniques,
trace-based security properties. In particular, the AVANTSSAR Platform integrates a bounded model-checking technique for SOAs [1] that allows one to express complex security goals that services are expected to meet as well as assumptions on the security offered by the communication channels.
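The secrecy side of the model-checking problem described above, under the Dolev-Yao attacker model that the previous chapter notes these tools rely on, as an added example that is not part of this chapter or of the AVANTSSAR/AVISPA/SATMC tools: a bounded intruder-deduction closure is computed over two constructed traces (agents a and b, intruder i, all keys, nonces and messages are constructed) and the goal "the intruder cannot derive the payload" is checked on each.

```python
"""Dolev-Yao secrecy check over a constructed protocol trace.

Added example for this chapter; it is not code from the chapter or from the
AVANTSSAR/AVISPA/SATMC tools. Messages are nested tuples; agent names a, b
and i (the intruder), the keys, nonces and both traces below are constructed.
"""


# --- message constructors -------------------------------------------------
def atom(x):        return ("atom", x)          # nonce, key, payload, agent name
def pair(m1, m2):   return ("pair", m1, m2)     # concatenation m1.m2
def senc(m, k):     return ("senc", m, k)       # symmetric encryption {m}_k
def aenc(m, pub):   return ("aenc", m, pub)     # asymmetric encryption {m}_pub
def pk(agent):      return ("pk", agent)        # public key of agent
def sk(agent):      return ("sk", agent)        # private key of agent


def derivable(m, known):
    """Synthesis rules: can the intruder build m from an analysed knowledge set?

    Pairing and encryption are allowed with any derivable parts; atoms and keys
    must be known outright. Recursion is on strict subterms, so it terminates.
    """
    if m in known:
        return True
    if m[0] in ("pair", "senc", "aenc"):
        return derivable(m[1], known) and derivable(m[2], known)
    return False


def analyse(known):
    """Analysis rules to a fixpoint: split pairs, decrypt what the keys allow.

    A symmetric ciphertext opens if its key is derivable; an asymmetric one
    opens if the matching private key is derivable. Only subterms are ever
    added, so the loop terminates.
    """
    known = set(known)
    changed = True
    while changed:
        changed = False
        for m in list(known):
            parts = []
            if m[0] == "pair":
                parts = [m[1], m[2]]
            elif m[0] == "senc" and derivable(m[2], known):
                parts = [m[1]]
            elif m[0] == "aenc" and m[2][0] == "pk" and derivable(sk(m[2][1]), known):
                parts = [m[1]]
            for p in parts:
                if p not in known:
                    known.add(p)
                    changed = True
    return frozenset(known)


def secret_leaks(trace, initial_knowledge, secret):
    """Secrecy goal: after observing every message sent on the network, the
    intruder must not be able to derive `secret`. Returns True on a leak."""
    observed = {msg for _sender, _receiver, msg in trace}
    return derivable(secret, analyse(set(initial_knowledge) | observed))


# --- constructed scenario -------------------------------------------------
K_AB   = atom("k_ab")            # fresh session key chosen by a
N_A    = atom("n_a")             # a's nonce
SECRET = atom("payroll_record")  # payload that must stay confidential

# Intruder's initial knowledge: all public keys, its own private key, all names.
INTRUDER_INIT = {pk("a"), pk("b"), pk("i"), sk("i"),
                 atom("a"), atom("b"), atom("i")}

# Intended run: key transport under b's public key, then the payload under k_ab.
GOOD_TRACE = [
    ("a", "b", aenc(pair(K_AB, N_A), pk("b"))),
    ("a", "b", senc(SECRET, K_AB)),
]

# Misbinding run: a was led to encrypt the session key for i (a key the
# intruder controls) and then reused k_ab for the payload intended for b.
BAD_TRACE = [
    ("a", "i", aenc(pair(K_AB, N_A), pk("i"))),
    ("a", "b", senc(SECRET, K_AB)),
]

if __name__ == "__main__":
    print("good trace leaks secret:", secret_leaks(GOOD_TRACE, INTRUDER_INIT, SECRET))
    print("bad trace leaks secret: ", secret_leaks(BAD_TRACE, INTRUDER_INIT, SECRET))
```

A real model checker explores all interleavings of honest roles with such an intruder rather than a single fixed trace; this block only shows the deduction engine a counterexample rests on.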
3.3 Channels and Compositional Reasoning
A common feature of SOAs is an organization in layers:
of course, undesirable to verify the entire system as a whole:
on ProVerif [7], exploits abstract interpretation for verification of web services that use SOAP messaging, using logical predicates to relate the concrete SOAP
and security requirements of a goal service and a description of the available services (including
a specification of their security-relevant behavior, possibly including the local policies they satisfy)
build an orchestration of the available services that meets the security requirements stated in the policy.
– The Validator takes as input an orchestration and a security goal formally specified in ASLan,
meets the security goal. If this is the case, then the ASLan specification of the validated orchestration is given as output; otherwise a counterexam
existence of vulnerabilities that need to be fixed.
[Figure residue: rotated labels "Vulnerability", "Policy", "Tool input/o..." remain; the figure itself is not recoverable.]
The landscape of services that require validation of their security is very broad. The validation is made more difficult by the tension between the need for flexibil
-sary to factor out the access control policies and meta-policies from the possible workflow,
security mechanisms that implement them independently of their use in particular workflows. There is thus a clear advantage in having a language allowing
-ity, trust management, workflow security, federation and privacy. A highlight of the effectiveness of the AVANTSSAR methods and tools is
security standard is written in natural language that is often subject to interpretation. Since the many configuration options, profiles, protocols, bindings
profile and which are not.
The vulnerability was detected by the SATMC backend of the AVANTSSAR Platform and the attack was reproduced in an actual deployment.
Google and the US Computer Emergency Readiness Team (US-CERT) were informed and the vulnerability was kept confidential until Google developed a new version of the authentication service and Google's customers updated their applications accordingly.
vulnerability has been rated High in a note issued by the National Institute of Standards and Technology (NIST
based on SATMC, has automatically found vulnerabilities in PKCS#11-based products by Aladdin, Bull, Gemalto, RSA,
#11 specifies an API for performing cryptographic operations such as encryption and signature using cryptographic tokens (e.g.,
to perform the same security-critical operations as the legitimate token user. Formal validation of trust and security will become a reality in the Internet of Services only if and when the available technologies have migrated to industry, as well as to standardization bodies (which are driven mostly by industry
to migrate AVANTSSAR results within SAP NetWeaver Security and Identity Management (SAP NW SIM) with the objective of exploiting the AVANTSSAR
provider services fulfill the expected security desiderata in the considered SAP-relevant scenarios. This has included the evaluation of those configurations of the
SAP have been identified. All discovered risks and flaws in the SAML protocol have been addressed in the NW-NGSSO implementation and countermeasures have been taken. The results have been collected in tables that can be used by SAP in setting up the NW-NGSSO services on customer production systems.
insights into the SAML standard than the security considerations described in
there and helped SAP Research to better understand the vulnerability itself and to consolidate the results
The AVANTSSAR technology has also been integrated into the SAP NetWeaver Business Process Management (NW BPM) product to formally validate security-critical aspects of business processes. An Eclipse plug-in extension for NW BPM was proposed through the design and development of a security validation plug-in that enables a business process modeler to easily specify the security goals one wishes to validate, such as least privilege,
which can be accomplished by means of the Need-to-Know principle (giving to the users enough
a loan origination process case study with a few security goals and on a more complex aviation maintenance process (designed with 70 human activities).
of assurance within industrial BPM systems, as it allows for validating all the potential execution paths of the BP under design against the expected security desiderata. In particular, the migration activity succeeded in overcoming obstacles to the adoption of model-checking techniques to validate security desiderata in industry systems by providing an automatic generation of the formal model on which to run the analysis,
practitioner nor a security expert. As a successful result, the security validation plug-in is currently listed in the productization road-map of SAP products for business process management.
6 Conclusions and Outlook
As exemplified by these case studies and success stories, formal validation technologies can have a decisive impact on the trust and security of the IoS. The research innovation put forth by AVANTSSAR aims at ensuring global security of dynamically composed services and their integration into complex SOAs by
advances will significantly improve the all-round security of the IoS, and thus boost its development and public acceptance.
LTL Model Checking for Security Protocols. Journal of Applied Non-Classical Logics, special issue on Logic and Information Security, 403–429 (2009)
2. Armando, A., Carbone, R., Compagna, L., Cuéllar, J., Pellegrino, G., Sorniotti, A.
Formal Methods in Security Engineering (FMSE 2008), pp. 1–10. ACM Press, New York (2008)
4. AVANTSSAR: Automated Validation of Trust and Security of Service-Oriented Architectures. FP7-ICT-2007-1, Project No. 216471, http://www.avantssar.eu
WS-Security Protocols. In: Bravetti, M., Núñez, M., Zavattaro, G. (eds.) WS-FM 2006.
A security tool for web services. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P.
Proceedings of the 14th IEEE Computer Security Foundations Workshop, pp. 82–96. IEEE Computer Society Press, Los Alamitos (2001)
of security protocols. Journal of Computer Security 13(3), 347–390 (2005)
9. Boichut, Y., Héam, P.-C., Kouchnarenko, O.:
TA4SP (2004), http://www.univ-orleans.fr/lifo/Members/Yohan.Boichut/ta4sp.html
10. Bortolozzo, M., Centenaro, M., Focardi, R., Steel, G.:
PKCS#11 Security Tokens. In: Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS 2010), pp. 260–269. ACM Press, New York (2010)
11. Chevalier, Y., Mekki, M.A., Rusinowitch, M.: Automatic Composition of Services with Security Policies. In: Proceedings of the Web Service Composition and Adaptation Workshop (held in conjunction with SCC/SERVICES-2008), pp. 529–537.
-ceedings of the 23rd IEEE Computer Security Foundations Symposium, pp. 322–336. IEEE Computer Society Press, Los Alamitos (2010)
Safely composing security protocols. Formal Methods in System Design 34(1), 1–36 (2009)
16.
17. Dolev, D., Yao, A.: On the Security of Public-Key Protocols. IEEE Transactions on Information Theory 29(2) (1983)
18.
Abstraction by Set-Membership – Verifying Security Protocols and Web Services with Databases. In: Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS 2010), pp. 351–360. ACM Press, New York (2010)
22. Mödersheim, S., Viganò, L.: Symbolic Analysis of Security Protocols. In: Aldini, A., Barthe, G., Gorrieri, R. (eds.) FOSAD 2007/2008/2009.
The Transport Layer Security (TLS) Protocol, Version 1.2. IETF RFC 5246 (Aug. 2008)
27.
This article introduces upcoming security challenges for cloud services such as multi-tenancy, transparency and establishing trust in correct operation, and security interoperability. For each of these challenges, we introduce existing concepts to mitigate these risks and survey related research in these areas.
1 Cloud Computing and the Future Internet
Cloud computing is expected to become a backbone technology of the Future
-lenges for trust and security architectures and mechanisms.
4 For which the Internet pioneer Vint Cerf has recently suggested the term “inter
Trust and security are regarded often as an afterthought in this context, but they may ultimately present major inhibitors for the cloud-of-clouds vision.
and discuss the complex trust and security requirements. Fur -thermore, we survey existing components to overcome these security and privacy
risks. We will explain the state-of-the-art in addressing these requirements and give an overview of related ongoing international,
and particularly EU research activities as well as derive future directions of technology development 2 Trust and Security Limitations of Global
Cloud Infrastructures 2. 1 Cloud Security Oï erings Today According to the analyst enterprise Forrester research and their study âoesecurity
and the Cloudâ 17 the cloud security market is expected to grow to 1. 5 billion
$ by 2015 and to approach 5%of overall IT SECURITY spending. Whereas today identity management and encryption solutions represent the largest share of this
market, particular growth can be expected in three directions:
1. securing commercial clouds to meet the requirements of specific market segments;
2. bespoke highly secure private clouds;
3. a new range of providers offering cloud security services to add external security to public clouds.
Trustworthy Clouds Underpinning the Future Internet 211 An example for the first category is the Google gov.app cloud launched in
September 2009 that offers a completely segregated cloud targeted exclusively at US government customers.
Other cloud providers also adapt basic service security to the needs of specific markets and communities.
This allows tailor-made solutions to specific security concerns, in particular in view of the needs of larger customers.
the base security of Microsoft public cloud services is adapted to the targeted market. Whereas Microsoft uses, e.g.,
Vault) use SSL encryption by default. On the other hand, commodity public cloud services such as Amazon EC2 are still growing
even though they offer only limited base security and largely transfer responsibility for security to the customer.
Therefore, in parallel to the differentiated security offerings via bespoke private or community clouds, there
is also a growing complementary service market to enable enhanced security for public clouds. Here a prime target is the small to mid-size enterprise market.
Examples for supplementary services are threat surveillance (e.g., Alertlogic), access and identity management (e.g., Novell, IBM), virtual private
networking (e.g., Amazon Virtual Private Cloud), encryption (e.g., Amazon managed encryption services) and web traffic filtering services (e.g.,
Zscaler, Scansafe). 2.2 Today's Datacenters as the Benchmark for the Cloud Using technology always constitutes a certain risk.
If the IT of any given business failed, the consequences for most of today's enterprises would be severe.
Even if multiple lines of defense are used (e.g., firewalls, intrusion defense, and protection of each host), all systems usually contain errors that can be found and exploited
For the security objectives when adopting clouds for hosting critical systems, we believe that today's datacenters are the benchmark for new cloud deploy
risks. While the cost and flexibility benefits of using clouds are easy to quantify,
potential disadvantages and risks are harder to qualitatively assess or even quantitatively measure. An important aspect for this equation is the perceived
not allow enterprises to make such risk management decisions and thus will only allow hosting of uncritical workloads on the cloud.
For security this argument leads to two requirements for cloud adoption by enterprises: The first is that with respect to security and trust, new solutions
such as the cloud or cloud-of-clouds will be compared and benchmarked against existing solutions such as enterprise or outsourced datacenters.
must enable enterprises to integrate cloud infrastructures into their overall risk management. We will use these requirements in our subsequent arguments.
3 New Security and Privacy Risks and Emerging Security Controls Cloud computing, being a novel technology, introduces new security risks [7] that
need to be mitigated. As a consequence, cautious monitoring and management of security risks [13] is essential (see Figure 1 for a sketch following [12]).
We now survey selected security and privacy risks whose importance has been increased by the cloud and identify potential security controls for mitigating
those risks. Fig. 1. Simplified Process for Managing Security Risks [12]: 1. Survey of Risks, 2. Design of Controls, 3. Implementation of Controls, 4. Monitoring of Effectiveness
3.1 Isolation Breach between Multiple Customers Cloud environments aim at efficiencies of scale by increased sharing of resources
between multiple customers. As a consequence, data leakage and service disruptions gain importance and may propagate through such shared resources.
An important requirement is that data cannot leak between customers and that malfunction or misbehavior by one customer must not lead to violations of the
service-level agreement of other customers. Fig. 2. Multi-tenancy at Multiple Levels [25] Traditional enterprise outsourcing ensures the so-called “multi-tenant isolation”
through dedicated infrastructure for each individual customer and data wiping before reuse. Sharing of resources and multi-tenant isolation can be implemented
In order to mitigate this risk in a cloud computing environment, multi-tenant isolation ensures customer isolation. A principle to structure isolation manage
control, mechanisms such as access control that ensure that machines and applications of one customer cannot access data or resources from other
A second important security risk is the accidental or malicious misbehavior of insiders, which has increased due to global operations and a focus on low cost.
This risk is hard to mitigate since security controls need to strike a balance between the power needed to administrate and
the security of the administrated systems. A practical approach to minimize this risk is to adhere to a least-privilege
approach for designing cloud management systems. This means that cloud management systems should provide a fine-grained role hierarchy with clearly defined
– Security administrators can design and define policies but cannot play any other roles.
Due to the corresponding logging, the security auditors can later determine which employee has held what privileges at any given point in time.
While the proposed mechanisms to mitigate the identified risks are important, security incidents are largely invisible to a customer:
Data corruption may not be detected for a long time. Data leakage by skilled insiders is unlikely to be detected.
3.5 What about Privacy Risks To enable trusted cloud computing, privacy protection is an essential require
the right to correction and deletion, as well as the necessity of reasonable security safeguards for the collected data.
well as the data subject might face risks of data loss, corruption or wiretapping due to the transfer to an external cloud provider.
and organizational security safeguards and contractual commitments (e.g., Service Level Agreements, Binding Corporate Rules
and which security measures are deployed. Therefore, the utmost transparency
cloud service provider could prove to have an appropriate level of security measurements by undergoing acknowledged auditing and certification processes on
such as encryption, data minimization or enforcement of processing according to predefined policies. 4 Open Research Challenges
schemes to mitigate the risk of insider fraud. The goal is to minimize the set
Security Integration and Transparency. The third challenge is to allow customers to continue operating a secure environment.
This means that security infrastructure and systems within the cloud such as intrusion detection, event handling
and access control need to be integrated into an overall security landscape for each individual customer.
Depending on the type of systems, this can be achieved by providing more transparency (e.g., visibility of log-files) but may also require security technology within the cloud.
One example is intrusion detection: In order to allow customers to “see” intrusions on the network within the cloud and correlate these intrusions with patterns in the
From a security perspective, this will raise new challenges. Customers need to provide a consistent security state over multiple clouds
and provide means to securely fail over across multiple clouds. Similarly, services will be composed from underlying services from other clouds.
on security and privacy mechanisms that were developed for service-oriented architectures and outsourcing. Unlike outsourcing, clouds are deployed on a global
We surveyed security risks that gain importance in this setting and surveyed potential solutions. Today, demand for cloud security has increased
but the offered security is still limited. We expect this to change and clouds with stronger security guarantees
will appear in the market. Initially, they will focus on security mechanisms like isolation, confidentiality through encryption,
and data integrity through authentication. However, we expect that they will then move on to the harder problems
such as providing verifiable transparency, integrating with the security management systems of the customers, and limiting the risks imposed by misbehaving cloud
providers and their employees. Acknowledgments. We thank Ninja Marnau and Eva Schlehahn from the Independent Centre for Privacy Protection Schleswig-Holstein for substantial
and very helpful input to our chapter on privacy risks. We thank the reviewer for helpful comments that enabled us to improve this chapter.
This research has been partially supported by the TCLOUDS project (http://www.tclouds-project.eu) funded by the European Union's Seventh Framework
Programme (FP7/2007-2013) under grant agreement number ICT-257243. Open Access. This article is distributed under the terms of the Creative Commons
-ing and security in the cloud. SIGOPS Oper. Syst. Rev. 44, 86–94 (2010), doi:
Towards Automated Security Policy Enforcement in Multi-tenant Virtual Data Centers. J. Comput. Secur. 18, 89–121
ACM Workshop on Cloud Computing Security (CCSW '09), pp. 85–90. ACM Press, New York (2009) 7. Cloud Security Alliance (CSA):
Top Threats to Cloud Computing, Version 1.0 (March 2010), http://www.cloudsecurityalliance.org/topthreats
/csathreats.v1.0.pdf 8. Computer and Communication Industry Association (CCIA): Cloud Computing (2009), http://www.ccianet.org/CCIA/files/cclibraryfiles/Filename
Toward Risk Assessment as a Service in Cloud Environments. In: Proceedings of the 2nd USENIX Conference on Hot Topics in Cloud Com
Security and the Cloud: Looking at the Opportunity Beyond the Obstacle. Forrester Research (October 2010) 18.
-ings of the 16th ACM Conference on Computer and Communications Security, Chicago, Illinois, USA. CCS '09, pp. 199–212.
Privacy and Data Security Risks in Cloud Computing. Electronic Commerce & Law Report 15, 186 (2010) 23. Van Dijk, M., Juels, A.:
Cloud Computing and Security. Lecture, Univ. Stuttgart (November 2009) 26. Weichert, T.: Cloud Computing und Datenschutz (2009)
In addition, the risk for personal data travelling across boundaries and business domains is that the usage conditions agreed
and integrating access control policies – Providing the data owner with a user-friendly way to express their prefer
– Access control: PPL inherits from the XACML [8] language the access control capabilities that express how access to which resource under
which condition can be achieved. – Data handling: the data handling part of the language defines two condi
– The access control engine: it checks if there is any access restriction for the data before sending it to any server.
provider and acts as a user-side engine invoking access control and matching modules, and the third party plays the role of data collector invoking the obli
these new capabilities may entail privacy risks. From the user's perspective, the risk is that of losing control of his personal information once it is released in
the risk of violating the agreed privacy policy. The concept of sticky policy may be used to address some of the privacy
privacy-aware access control system. J. Comput. Secur. 16, 369–397 (2008) 2. Ashley, P., Hada, S., Karjoth, G., Powers, C., Schunter, M.:
-formation Security and Privacy, pp. 121–167. Springer, New York (2010) 4. Bussard, L., Neven, G., Preiss, F.S.:
eXtensible Access Control Markup Language (XACML) Version 3.0, OASIS (August 2008)
9. Shostack, A., Syverson, P.: What Price Privacy? In: Camp, L., Lewis, S. (eds.) Economics of Information Security, Advances in Information Security, vol. 12, pp.
129–142. Springer, New York (2004) 10. Trabelsi, S., Njeh, A., Bussard, L., Neven, G.: The PPL Engine:
approaches that exploit, extend or redesign current Internet architecture and protocols. The Pan-European Laboratory 1, Panlab, is a FIRE 2 initiative and builds on a fed
has different requirements with regard to quality, reliability and security from the underlying networks. The number of stakeholders who partici
-tween domains as well as inter-domain security have to be addressed in federated testbeds as well as in the real Internet.
increase situation awareness (and with this overall security) by sharing information. Nevertheless, the operators of the testbeds we considered in our setup
Applications, Security, Safety, and Architectures. IEEE Communications Surveys 2(1) (1999), http://www.comsoc.org/pubs
• Trust management and security, privacy and data protection mechanisms of distributed data • An addressing scheme, where identity and location are not embedded in the same
• Support of security, reliability, robustness, mobility, context, service support, orchestration and management for both the communication resources and the ser
-vacy, security and governance and with a diversity of issues related to the Internet's effectiveness and inclusive character.
ensuring trust, security and data protection with transparent and democratic governance and control of offered services as guiding principles (10, 11)
Dependability and security; scalability; services (i.e.: cost, service-driven configuration, simplified service composition over heterogeneous networks, large-scale and dynamic multi-service coexistence
In addition, security risks currently present in network environments require immediate attention. This could be achieved by building trustworthy network environments to assure security
levels and manage threats in interoperable frameworks for autonomous monitoring. 1.2 The Vision of a Modern Self-Managing Network
The future vision is that of a self-managing network whose nodes/devices are
designed in such a way that all the so-called traditional network management functions defined by the “FCAPS” management framework (Fault, Configuration, Accounting,
Performance and Security) [14], as well as the fundamental network functions such as routing, forwarding, monitoring, discovery, fault-detection and fault-removal,
Mechanisms, tools and methodology construction for the verification and assurance of diverse self-capabilities that are “guiding systems” and their adaptations, correctly
guarantee higher levels of scalability, mobility, flexibility, security, reliability and Enhanced Network Self-Manageability in the Scope of Future Internet Development 283
device monitoring, service levels and application management, security, ongoing maintenance, troubleshooting, planning, and other tasks – ideally all coordinated and
security and manageability issues, considered as non-priority features in the 70s [3], should be addressed now
-ing with guaranteed performance and QoS, including manageable security services – A new layered architecture for the Control and Management Plane that
The proposed architecture also addresses two major security aspects: secure operation of the VI provisioning process,
and provisioning dynamic security services to address challenge #5. Fig. 1 shows the reference model of our architecture as it
data security, cost aspect, feasibility, etc. Our architecture will result in a new role for telecom operators that own their infrastructure to offer their optical
influence future investment decisions based on capital, security, compute power and energy efficiency. In order to enable realistic and effective reasoning at provisioning
Management, Mobility, QoE, QoS and Security. This ontology at the intermediate layers is represented in FINLAN by the
is the encryption for security at the intermediate layer. In this example, in the actual TCP/IP protocol architecture, layers 3 and 4 are not able to
understand the security need in a context, and its complexities usually must be controlled by the Application layer.
can semantically inform the Net-Ontology layer of this security need. In this way, the related complexities can be handled at the Net-Ontology layer level, instead
delivery guarantee, QoS, security and others. 2.1 Collaboration to the AutoI Planes One of the Autonomic Internet project's expectations is to support the needs
-ability, security and QoS. The FINLAN project can contribute to its challenges, some of which are described in [1, 3, 12],
storage, encryption, location, indexing and others. Regarding the content-centric approach, [19] presents the difficulties of the cur
Security, can be requested from the network, making the {user, service, content}-centric approaches simpler, as shown in the sample code below:
Security"/></owl:Individual><owl:Individual rdf:about="&entity;Multimediaconference"><rdf:type rdf:resource="&entity;Content
IEEE/IFIP New Technologies, Mobility and Security Conference (2009) 8. Pereira, J.H.S., Kofuji, S.T., Rosa, P.F.:
IEEE/IFIP New Technologies, Mobility and Security Conference (2009) 9. Pereira, J.H.S., Kofuji, S.T., Rosa, P.F.:
WS-Messaging and WS-Security complement the stack of technologies. On the other hand, an increasing number of popular Web and Web 2.0 applications
autonomous systems to supply users with the necessary infrastructure and a security framework. Concerning the second point,
core parts, with QoS assurance is seen. A flexible way of usage – based on virtualised overlays – can offer strong support for the transportation of multimedia
-ing, security, etc. Thus, the HB, which can be seen as the evolution of today's Home
media flow adaptation, routing/forwarding and security. The goal of the Virtual CAN layer is to offer to higher layers enhanced connectivity
-tion, security, and monitoring features. The set of MANEs together forms a Virtual Content-Aware Network,
for different purposes (content-aware forwarding, QoS, security, unicast/multicast, etc.). The architecture supports the creation of parallel VCANs over the same network
degree of security, etc. The amount of VCAN resources can be changed during network functioning based on monitoring developed at the CAN layer.
(Figure: content-aware flow classification of the application payload; elements SM@SP, MANE, CANMGR@AS1, IntraNRM@AS1; step 3, MANE configuration for CAN)
3.3 CAN Layer Security The aim of the security subsystem within the CAN Layer is twofold:
1) data confidentiality, integrity and authenticity; and 2) intelligent and distributed policy-based access control enforcement.
The first objective is characterized by offering, to the Service Provider (SP), a selection of three degrees of security, being:
public traffic, secret content, and private communications. In public traffic no security or privacy guarantees are enforced.
Secret content addresses content confidentiality and authentication by applying common cryptographic techniques over the packets' payload.
Private communications is to be adopted when the confidentiality and authenticity of the entire packets, includ
security along all CAN domains and discretely apply the security mechanisms only where necessary to guarantee the required security level, with respect to the security
degree invoked. The evaluation algorithm considers the user flow characteristics, CAN policies and present network conditions.
In order to attain the required flexibility, the related security architecture was designed according to the hop-by-hop model
[7] on top of the MANE routers. The second objective will pursue a content-aware approach that will be enforced
Such security enforcement will be done according to policies and filtering rules obtained from the CANMGR.
and traffic filtering rules by executing security-related algorithms over information gathered by the monitoring subsystem.
Content-aware security technologies typically perform deep content inspection of data traversing a security element placed at a specific point in the
network. The proposed approach differs by being based on MANE routers, which will be used to construct CANs
MANE's related security functions are then to perform attack identification (e.g., port-scan, IP spoofing,
out collaborative work with homologous entities in order to implement access control policy definition and distribution, identify large-scale attacks (e.g., network scans
-vice/Experience, security, and monitoring features, in cooperation with the other elements of the ecosystem.
found these days, e.g. video streaming, video conferencing, surveillance, broadcast, e-learning and storage.
In order to exploit the opportunities of services enabled by the Future Internet for smart cities, there is a
including assessment of impact and risks. In this paper, we intend to further elaborate on these challenges.
Users will be able to get access control over optical devices like optical switches, to configure important properties of their cards and ports
cybercrime, tracking, identification, military control over cities. Digital cities, from digital representation of cities, virtual cities, digital metaphor of cities
and reduce the risk of poverty. Other hot societal issues are sustainable development, reducing greenhouse gases
security and privacy as well as IPR protection; operation and research monitoring as well as experiment control; and the issue of defining and
and cultural heritage with safety and security in urban spaces. This approach draws on and integrates Future Internet technologies (such as augmented reality services for the
-tural heritage in their city and also to an exploration of the privacy and security issues
development of essential services for health, security, police and fire departments; governance and delivery of public services
-sure the required level of security and privacy of information • Open Urban Services Development.
remote assistance and medical surveillance for disabled or elderly people • Public Safety and Security:
sensor-activated video surveillance systems; location-aware enhanced security systems; estimation and risk prevention systems (e.g. sensitivity to pollution, extreme summer heating)
• Remote working and e-commerce services for businesses, entertainment and communications for individuals. Advanced location-based services, social networking and collaborative crowdsourcing collecting citizens' generated data
By analyzing these different Smart Cities application scenarios, together with the need for a broadband communication infrastructure that is becoming,
as well as security, privacy, and trust [12, 13]. Cross-domain NG IoT platforms may foster the creation of new services taking advantage of the increasing levels of effi
trust, security, and privacy) in a standard, easy and flexible way. Now that a number of
sensor data (for example for energy monitoring, video surveillance or traffic control). This functionality will provide a repository where observations/sensors' data
(Figure: SmartSantander node architecture; components: Security, Privacy and Trust; WISELIB; user-developed app; TinyOS, Contiki, SunSPOT)
i) Access Control and IoT Node Security Subsystem, ii) Experiment Support Subsystem, iii) the Facility Management Support Sub
Security and Trust Introduction to Part III Security Design for an Inter-Domain Publish/Subscribe Architecture
Introduction Basic Concepts Architecture Phases of Communication Related Work Conclusion and Future Work References Engineering Secure Future Internet Services
Security Requirements Engineering Secure Service Architecture and Design Security Support in Programming Environments Secure Service Composition
Secure Service Programming Platform Support for Security Enforcement Embedding Security Assurance and Risk management during SDLC
Security Assurance Risk and Cost Aware SDLC Conclusion Towards Formal Validation of Trust and Security in the Internet of Services
Introduction Specification Languages Automated Validation Techniques Orchestration Model Checking of SOAs Channels and Compositional Reasoning
Abstract Interpretation The AVANTSSAR Platform and Library Case studies, Success Stories, and Industry Migration Conclusions and Outlook
Trustworthy Clouds Underpinning the Future Internet Cloud computing and the Future Internet Trust and Security Limitations of Global Cloud Infrastructures
Cloud Security Offerings Today Today's Datacenters as the Benchmark for the Cloud New Security and Privacy Risks and Emerging Security Controls
Isolation Breach between Multiple Customers Insider Attacks by Cloud Administrators Failures of the Cloud Management Systems
Lack of Transparency and Guarantees What about Privacy Risks Open Research Challenges Outlook – The Path Ahead
Data Usage Control in the Future Internet Cloud Introduction PrimeLife Privacy Framework Open Challenges Towards Privacy Policy Enforcement in the Cloud
Conclusions Part IV: Future Internet Foundations: Experiments and Experimental Design Introduction to Part IV A Use-Case on Testing Adaptive Admission Control and Resource Allocation Algorithms on the Federated Environment of Panlab