Cloud computing is undoubtedly the present and the future of software applications; cloud service discovery, composition and execution are becoming more popular and operations easier. However the significant growth in cloud infrastructures, development tools and systems leave behind a number of security problems that are still open due to the “obscurity” of service implementations. This is a double-edged feature: if on one side it allows clients to simply “use” a service in an application (without worrying about software lifecycle aspects like instantiation, maintenance and so on), on the other side it represents a difficulty to understand which security features a service offers, how securely information is stored, used, transmitted and so on. Security requirements for service selection may not be accessed in depth, thus offering potential margin for doubts and concerns in client, but also to illegitimate actions in the case of malevolent service providers.
The EU funded project OPTET will work towards increasing customer trust in service discovery and provisioning, by providing means to evaluate which service to choose for a composition, according to its security “trustworthiness”. This is intended as a process with which a user can decide whether a service can be trusted or not, by considering subjective elements like service provider reputation, but also, and more importantly, by considering objective elements that demonstrate a service’s security features. These elements or evidences can come from certification processes and third-party security assessments, or from a disclosure of some internal details done by a service provider. For example, the use of cryptography for encrypting data in transit to a service implementation can ensure that the security feature “confidentiality” is preserved even if a malicious subject is able to intercept customer-service communications.
Together with academic and industrial partners, SAP Product & Innovation's Product Security Research group are involved in the OPTET project mainly to design and develop a Trustworthy Marketplace, to expose secure services, together with their machine-readable descriptions of functionalities and security features. The marketplace will also provide a security deployment framework, also taking into account services/apps security constraints to achieve a trustworthy environment.
We will provide regular updates to this blog elaborating on different themes.