D3.1 Analysis of Current Baselines and Best Practices for Secure Services

Contributing Partners 

ATOS, LISPA, AIT, XiTrust, FCSR, MPL, IRT, ETRA

Executive Summary

The main aim of this task is to establish the baselines and best practices for security services within the PRISMACLOUD project development. To define those security controls, this document first identifies the associated security risks and then defines liabilities and responsibilities. Once those assessments are clearly defined, this deliverable catalogues the different security controls, which are broken down in the chapter Information Assurance Requirements. The most significant chapters of this document are briefly described below:

Chapter 4 Security Assessments Review
In order to define what would be the best practice and baseline for the security controls that PRISMACLOUD will apply during the development of the project, the consortium considers it necessary to identify the main risks which will arise from this type of project. Once these risks have been identified it will be easier to know and prioritize those controls which must be applied. Hence, this chapter deals with this first critical step.

Chapter 5 Division of Liabilities and responsibilities
To define the security controls, it is imperative to properly define liabilities and responsibilities. Cloud systems can be catalogued into different types of models according to different characteristics of the system. However, the abstract nature of a cloud system makes it difficult to define the liabilities and responsibilities of the different actors. This chapter therefore details who is responsible for what and sets out their responsibilities, taking into consideration the different types of delivery models, data management structure, etc. Furthermore, this chapter defines the division of liabilities for each pilot: eHealth pilot, eGovernment pilot and Smart city pilot.

Chapter 6 Information Assurance Requirements
This chapter is a catalogue of the different Security Control recommendations for the project. The different Security Controls have been categorized using recommendations defined in the Information Assurance Framework (1). However, from the whole list of security services (e.g. Authentication, Authorization, etc.) proposed by this document, the Consortium has filtered a short list of the most significant security services for the PRISMACLOUD project. The final list is as follows:

  • Operational security
  • Authorisation
  • Identity provisioning
  • Management of personal Data
  • Authentication
  • Scenario Conclusions

This document has investigated each of these security services, including different standards, best practice and protocols available, in order to propose the most suitable of them for PRISMACLOUD purposes.

Chapter 7 Conclusions
This chapter summarizes the most significant findings, taking into consideration their impact on the reference pilots that will be developed by PRISMACLOUD, with the aim of establishing the foundation for the pilots that will be developed within the PRISMACLOUD life in terms of the Security Controls needed.