"CUMULUS" Research Project Investigates Certification Infrastructure for Multi-Layer Cloud Services

Rome, Italy – February 28th, 2013 – Eight partners from European science and industry have joined forces in the CUMULUS research project to investigate how in future cloud services can be made more secure and trustworthy for end users. Cloud computing is the use of hardware and software resources that are delivered as a service over a network. CUMULUS stands for “Certification infrastrUcture for MUlti-Layer cloUd Services”. The project name is related to the cumulus cloud type in meteorology, a cloud that can have noticeable vertical development. This is an analogy to the vertical structure of services in cloud computing, which security and trustworthiness shall be optimized and standardized in the CUMULUS project. Cloud technology offers a powerful approach to the provision of infrastructure, platform and software services without incurring the considerable costs of owning, operating and maintaining the computational infrastructures required for this purpose. Despite its appeal from a cost perspective, cloud technology still raises concerns regarding the security, privacy, governance and compliance of the data and software services offered through it. Such concerns arise from the difficulty to guarantee security properties of the different types of services available through clouds. Service providers are reluctant to take full responsibility of the security of their services once the services are uploaded and offered through a cloud. Also, cloud suppliers have historically refrained from accepting liability for security leaks. This reluctance stems from the fact that the provision and security of a cloud service is sensitive to changes due to cloud operation, as well as to potential interference between the features and behavior of all the interdependent services in all layers of the cloud stack. Still many cloud users, including institutional ones, would like to rely on cloud-based services they use to exhibit certified security properties. CUMULUS will address these limitations by developing an integrated framework of models, processes and tools supporting the certification of security properties of infrastructure (IaaS), platform (PaaS) and software application layer (SaaS) services in cloud. CUMULUS framework will bring service users, service providers and cloud suppliers to work together with certification authorities in order to ensure security certificate validity in the ever-changing cloud environment. CUMULUS will rely on multiple types of evidence regarding security, including service testing and monitoring data and trusted computing proofs, and based on models for hybrid, incremental and multilayer security certification. Whenever possible, evidence gathering will build upon existing standards and practices (e.g., interaction protocols, representation schemes etc.) regarding the provision of information for the assessment of security in clouds. To ensure large-scale industrial applicability, the CUMULUS framework will be evaluated in reference to cloud application scenarios in some key industrial domains, namely Smart Cities and eHealth services and applications. The CUMULUS project was started in October 2012 and will end in September 2015. The research work receives funding from the European Union’s Seventh Framework Programme (FP7) in order to further develop Europe’s foothold as a leading innovator in the sphere of cloud technology, especially with respect to the security and trustworthiness of cloud services. CUMULUS is aligned with the recommendations of a recent industrial consultation to the European Commission that identified certification of cloud services as an enabling technology for building trust for end users through the deployment of standards and certification schemes relevant to cloud solutions, and included it in the ten key recommendations and actions for a cloud strategy in Europe. The CUMULUS project has a total budget of about Euro 4.35 Million. The European Union contributes Euro 2.94 Million, while the partners from business and research are shouldering the rest. The following project partners are participating in CUMULUS: Fondazione Ugo Bordoni (http://www.fub.it) is an Italian non-profit organisation governed by representatives from public Institutions and Authorities, including the Presidency of the Minister Council, the Ministry of Economic Development, and the AGCOM. FUB performs and supports scientific and applied research in the fields of communications, computer science, electronics and multimedia, in order to promote scientific progress and technological innovation. FUB is the coordinator of CUMULUS and is responsible for the interactions with the Advisory Board. FUB is also involved in the definition and validation of CUMULUS certification models and infrastructure and in the dissemination of CUMULUS results. FUB will mainly act as a bridge between CUMULUS and the security certification community to provide a continuous assessment of the CUMULUS approach to security certification. Atos (http://www.atos.net) is an international information technology services company with annual 2010 pro forma revenues of EUR 8.6 Billion and 74,000 employees in 42 countries at the end of September 2012. Serving a global client base, it delivers hi-tech transactional services, consulting and technology services, systems integration and managed services. Last year, Atos, together with EMC and VMware decided to create Canopy (http://www.canopy-cloud.com). Canopy is a one-stop-Cloud-shop for enterprises. Through Canopy, Atos provides strategic consultancy; development, migration and test environments; secure on and off-premise private Cloud implementation; and access to a growing eco-system of business solutions and processes through a SaaS enterprise application store. In CUMULUS project, ATOS will lead the definition, implementation and integration of the CUMULUS framework. Also, ATOS will contribute in the definition of the certification models and processes, participate in the core certification mechanisms implementation definition, adaptation and validation in the eHealth scenario provided (WP6) and dissemination and exploitation of the CUMULUS project results (WP7) by fostering their inclusion in Canopy solutions portfolio. The City University of London (http://www.city.ac.uk/) was founded in 1894 and is currently host to more than 20000 students and 2000 staff from 156 countries and in the top 5% of Universities worldwide according to international rankings. City participates in CUMULUS with a multidisciplinary team led by the Software Engineering Research Group in the School of Informatics (SE@CITY group) that also involves researchers from the School of Law. SE@CITY has more than 10 years of experience of in the area of service oriented systems and software systems security and has participated in several EU R&D projects, including SECSE, PEPERS, SERENITY, SLA@SOI, SCUBE, OPTIMIS, ASSERT4SOA and NESSoS (associate partner) having received a total of more than 4.5m Euro of research funding. City is the technical coordinator of CUMULUS and is leading the R&D activities regarding the development of monitoring, incremental and hybrid certification models and the related supporting tools. It is also taking a key role in evaluating the outcomes of the project covering both from a technical and legal perspective." Universidad de Málaga (http://www.uma.es/) is leading R&D activities related to CUMULUS-aware cloud systems engineering, particularly, defining an engineering process allowing identification of certification requirements and representation of those into cloud applications. UMA will also lead development of tools supporting the engineering process and integration of mechanisms allowing cloud applications communicate certification requirements to the CUMULUS infrastructure by means of retrieval, assessment and exchange of certificates. Based on the expertise of its members, UMA will also have a focus on the relation between trusted computing proofs and software certifications, and on the smart city scenario. UMA will target dissemination of CUMULUS results to the EU communities on security engineering as playing an active role and participation in major events and forums in that area. Università degli Studi di Milano (http://www.unimi.it) is a major higher education and research institutions in Italy, offering degrees in all areas of science and humanities. The Service Oriented Software Architectures Research (SESAR) Lab that was established in 2003 is located at the Department of Computer Science. UMIL’s SESAR Lab has an extensive experience in EU project management and participation, being involved in and responsible for Work Packages within several collaborative projects funded by the European Commission. SESAR will contribute to CUMULUS in the field of cloud certification model and processes, designing an infrastructure for test-based certification definition, and contributing to the definition of a monitoring approach for cloud certification. To do that, SESAR will leverage on its practical knowledge and deep understanding of software/service security certifications, and of cloud computing paradigm and existing mechanisms for service deployment over the cloud. Infineon Technologies AG (http://www.infineon.com) offers semiconductor and system solutions for automotive, industrial and multi-market sectors and applications in communication. Infineon's Security business unit is market leader for semiconductor based security and system solutions with smart card security controllers. Infineon contributes its strong background in Trusted Computing and the development of security software to the project. Wellness Telecom (http://en.wtelecom.es) is an IT company located in Seville, Spain. Its main specialization areas are based on horizontal IT technologies applied to different action fields: Cloud Computing, Smart City, Energy, Environment, etc. In CUMULUS project, Wellness Telecom will provide cloud services and scenarios (Smart Lighting) for the validation phase. It will also participate in the definition of security specifications for the certification cloud services. Furthermore, it will lead some dissemination and exploitation activities due to its commercial experience. Cloud Security Alliance (Europe): CSA’s (https://cloudsecurityalliance.org) role is in the definition of the certification model, process and mechanisms. CSA will also provide support to scenario validation and dissemination activities by leveraging its wide community of experts and cloud providers (CSA corporate members), and the numerous cloud security events and workshops. CSA also facilitates interaction between CUMULUS and standards development organisation (SDOs) through the recently established CSA Standards Secretariat and CSA’s International Standardisation Council (ISC). This news release is available online on the CUMULUS web site http://www.cumulus-project.eu/ .