UNIL, AIT, TUGRAZ, UNI PASSAU, IRT
This activity report covers the second project year, Feb 2016 – Jan 2017. We report on our ongoing activities for disseminating project results into standards and on our plans for the remaining time of the project, and beyond. More precisely, we cover the period until about the end of Dec 2016, which is practically the last date that can be considered in this deliverable, due at the end of January 2017.
At the 3rd plenary meeting, 19 – 21 April, 2016, the standards action plan was discussed and accepted by the consortium. One major activity of the plan was to seek liaison with ISO/IEC JTC1/SC27.
Approximately at the same time, in spring 2016, the PRISMACLOUD system architecture was developed, structuring the intended project outcome into eight security and/or privacy providing cloud services, which build upon cryptographic functionality encapsulated in five cryptographic tools.
We attended the ‘Trust in the Digital World’ networking conference 2016 in The Hague, where we learned about European activities with respect to cloud service level agreements (SLAs) for configuring and specifying service quantities and qualities, and especially security qualities.
Consultations with Dr. Rannenberg (Goethe University Frankfurt), and chair of JTC1/SC27 working group WG, identified the following standard as being in the right state (working draft state) to allow contribution during the run time of the project: ISO/IEC 19086-4: 2015 “Information technology - Security techniques - Information technology – Cloud computing Service Level Agreement (SLA) framework - Part 4: Security and privacy”. Currently, the actual contribution of the project to ISO/IEC 19086-4 is being developed.
We filed an application for liaison (“Liaison Category C”) with JTC1/SC27 WG4, which would enable us “effective technical contribution and participate actively at the working group or project level”, and attended the 23rd Meeting of ISO/IEC JTC 1/SC 27/WG4, 23 – 27 Oct 2016, in Abu Dhabi, United Arab Emirates. Contrary to WG4 common practice, the liaison was accepted.
In order to secure voting rights (an ISO Liaison Cat. C does not include voting rights), we have sought accreditation and support through national bodies. Currently, the project has made provision to secure impact through four people, accredited through three national ISO bodies (Austria, Germany, and Sweden).
The development of the PRISMACLOUD services’ and crypto tools’ specifications, and the ongoing involvement of the project in ISO/IEC JTC1 SC27, are the activities of the second project year which enabled us to identify several of our developments that can potentially lead to contributions to standards currently under development. We have identified the necessary steps for making contributions in the fields of cloud service level agreements (cloud SLA) and the security technique of secret sharing, and intend to initiate two study periods, for the technology of redactable signatures and for cloud storage security.
In this context it shall be noted that the project coordinator AIT has declared its commitment, and has taken the necessary steps (accreditation of responsible personnel to the national ISO member body), to follow the standardisation path for a cryptographic tool, central to the project (the secure distributed storage enabling advanced, privacy friendly cloud storage services), beyond project end.
In addition to our ISO activities, we have developed and are pursuing activities to create impact through the following standards setting organisations: European Cyber Security Organisation (ECSO), Cloud Security Alliance (CSA), Star Audit. Furthermore, we intend to propose to the European Union Agency for Network and Information Security (ENISA) to produce, together with the other currently running H2020 cloud security projects, an ENISA brochure on secure cloud services, their characteristics and capabilities, as well as their (current) reflection in standards.