M. Azraoui, M. Önen, R. Molva, “Framework for Searchable Encryption with SQL Databases”, Conference CLOSER 2018, 19-21 March 2018, Medeira, Portugal. [Conference website http://closer.scitevents.org/]
The security as a service (SECaaS) infrastructure and concept for the CLARUS framework differs from usual security as a service business models like anti-virus software or intrusion detection services. While these security services are located in the trusted cloud, a main assumption of CLARUS is that there is no general trust against the cloud provider. The proposed SECaaS for CLARUS therefore consists of the possibility of securing and accessing data, but still being able to profit from cloud service providers, their hardware, services and offers and thus circumventing the contradictions.
In total, five SECaaS services have been identified that offer the full set of CLARUS security services to all relevant actors encompassing end users within and outside the trusted zone, security managers and Cloud Service Providers:
- Continuous monitoring and risk assessment of the platform: Monitoring capabilities to supervise, at run time, the data accesses and exchanges between the users, the CLARUS proxies and the cloud providers. This continuous monitoring enables the early identification of security issues that can affect the correct operation of the system and that may represent a risk in terms of security and data privacy.
- CLARUS communication with the CSP: A CLARUS proxy holds information and metadata about the outsourced files in the cloud. If data in the cloud is accessed, the CLARUS proxy establishes a connection to the CSP and triggers specific cloud computations modules to process and return the data.
- CLARUS end user access to the CLARUS proxy: The CLARUS end user connects to the CLARUS proxy through a user authentication module. To integrate the CLARUS proxy and the entire CLARUS usage as much as possible in existing workflows, existing authentication mechanism will be supported by the CLARUS proxy.
- Exchange in between multiple CLARUS proxy entities: Data should be shared between multiple CLARUS proxies. This introduces the need for an elaborated secure service to authenticate proxies against each other and to securely exchange and route the data.
- Provision of CLARUS secured data to an external user: External users that are located outside of the trusted zone and that do not have an on-premise CLARUS proxy should not be excluded from an access to data that has been safeguarded by the obfuscation and encryption security primitives provided by CLARUS. For this reason, a dedicated SECaaS service has been developed that is based on the creation and secure transmission of secure containers to heterogeneous targeted devices owned by external entities.
Thanks to this, CLARUS goes beyond the current state of the art by proposing new and outstanding security models, techniques and ways of thinking.