Publications & Conferences

Authors Title Type Event Date Place Link
Desprez, F. DIET, a scalable platform for clusters, grids and Clouds Invited Keynote ICT Cloud'12 September 24-25, 2012 Mannheim - Germany View more

In recent years, large-scale (and distributed) storage and computing have proven to be mandatory in IT. Internet Computing and Storage have considerably evolved from small isolated nodes to large-scale cluster-like architectures driven by efficiency and scalability, which we now know as "Clouds". Their goal is to be dynamically scalable and offer virtualized resources as a service over the Internet. Usually, solutions deployed in Clouds are aimed at web browsers and are load balanced when it comes to computational power and storage. Clouds can also be used in more computational-intensive domains as scalable computational resources. From a middleware standpoint, Cloud infrastructures introduce new sets of resources with different features. For this reason, middleware environments should be extended to manage these platforms.
Started in 2001, the DIET project is focused on the development of a scalable middleware, with initial efforts concentrated on distributing the scheduling problem across a hierarchy of agents. At the top of that hierarchy sits the Master Agent (MA), with Service Daemon agents at the leaf level. First focused on Grids, the project evolved to target Cloud platforms as well. Validated over Grid'5000, the French large-scale instrument for computer science, it has now been transferred to SysFera, an Inria spin-off for providing seamless access to clusters, grids and Clouds (in particular through a simple web portal). Using the DIET Cloud, it is possible to deploy a large-scale distributed and secure HPC platform that spans a large pool of resources, aggregated from different providers. Moreover, thanks to cutting-edge advances in research, the platform is made easier to use and can automatically adapt to the users' needs. Users will be able to submit large computational jobs as well as Big Data jobs, without losing control of their data. With almost no additional cost, they can take advantage of all the resources they can access. In this talk, we will deal with the whole platform, its use over grids and Clouds, and our most recent work around Clouds and virtualized platforms.

DIET - A Scalable Platform for Clusters, Grids and Clouds
Savola, R. and Ahola, J. Towards Remote Security Monitoring in Cloud Services Utilizing Security Metrics Conference The 6th International Conference on Application of Information and Communication Technologies (AICT 2012) October 17-19, 2012 Tbilisi, Georgia View more

Large amounts of business-critical data are transferred, processed and stored in cloud services, raising concerns about their security level. Adequate security management of cloud services is vital to their success. Systematically developed and maintained security metrics can be used to offer evidence of the security effectiveness of cloud services. We propose a metrics based approach for remote security correctness monitoring in the Cloud. The approach was investigated by building a monitoring system within an experimental cloud system set-up. Moreover, we discuss how risk-driven security metrics modeling based on the decomposition of security objectives is used to manage monitoring activities.

S. Betgé-Brezetz, G.B. Kamga, M. Ghorbel and M.P. Dupont Privacy control in the Cloud based on Multilevel Policy Enforcement Conference The 1st IEEE International Conference on Cloud Networking (CloudNet 2012) November 28-30, 2012 Paris, France View more

The cloud computing paradigm is revolutionizing the delivery of information services as it offers several advantages in terms of cost reduction, time-to-market and flexibility. However, such flexibility raises many concerns related to security and privacy which are strong obstacles for the large adoption of the cloud by users who have to delegate too much control to the cloud provider. In this paper, we propose a new privacy control approach notably based on multilevel privacy policies bound to user data and enforced in the cloud at different levels (application and infrastructure). This approach allows the cloud users to control their data stored, processed and moved in the cloud.

S. Betgé-Brezetz et al. Seeding the Cloud: An Innovative Approach to Grow Trust in Cloud Based Infrastructures Book chapter "The Future Internet - Future Internet Assembly 2013: Validated Results and New Horizons", Lecture Notes in Computer Science, Vol. LNCS 7858 - ISBN 978-3-642-38081-5, Springer April, 2013 View more

Complying with security and privacy requirements of appliances such as mobile handsets, personal computers, servers for customers, enterprises and governments is mandatory to prevent from theft of sensitive data and to preserve their integrity. Nowadays, with the rising of the Cloud Computing approach in business fields, security and privacy are even more critical. The aim of this article is then to propose a way to build a secure and trustable Cloud. The idea is to spread and embed Secure Elements (SE) on each level of the Cloud in order to make a wide trusted infrastructure which complies with access control and isolation policies. This article presents therefore this new approach of trusted Cloud infrastructure based on a Network of Secure Elements (NoSE), and it illustrates this approach through different use cases.

Seeding the Cloud An Innovative Approach to Grow Trust in Cloud Based Infrastructures.pdf
López Pérez, O. Security: Spreading trust in cloud. Seed4C. Conference XV Conference on IT Security June 27, 2013 Bilbao, Spain View more

SEED4C project approach is centred on security enhancement in the cloud from a cooperative enforcement standpoint. As a consequence, the concept of Network of Secure Elements (NoSEs) is introduced in Seed4C. NoSEs are made of individual secure elements attached to computers, user or network appliances and possibly preprovisioned with initial secret keys. The range of use cases addressed by this concept is very broad and related use case developed in SEED4C will be explained.

Sembrando confianza en el Cloud.ppt
Caron E., Lee A., Lefray A., Toinard C. Definition of security metrics for the Cloud Computing and security-aware virtual machine placement algorithms Workshop CSP 2013 (CyberC workshop) Oct. 10-12, 2013 Beijing, China View more

Nowadays, Cloud Computing is becoming a key factor in computer science. Besides the great benefits it brought to the information technology and to the economy, Cloud Computing shows some weakness when looking at the security. An IaaS client should be able to specify its security requirements. But the lack of a system of security metrics leads to the incapability of quantifying the security level of a client deployment in a Cloud. Therefore, we propose a system of security metrics specific to the Cloud Computing and use it to develop virtual machines placement algorithms.

S. Betgé-Brezetz, G.B. Kamga, M.P. Dupont and A. Guesmi End-to-End Privacy Policy Enforcement in Cloud Infrastructure Conference 2nd IEEE International Conference on Cloud Networking (CloudNet 2013) Nov. 11-13, 2013 San Francisco, USA View more

Privacy in the cloud is still a strong issue for the large adoption of cloud technologies by enterprises which fear to actually put their sensitive data in the cloud. There is indeed a need to have an efficient access control on the data stored and processed in the cloud infrastructure allowing to support the various business and country-based regulation constraints (e.g., on data location and co-location, data retention duration, data processing, node security level, tracing and audit). In this perspective, this paper presents a novel approach of end-to-end privacy policy enforcement over the cloud infrastructure and based on the sticky policy paradigm (a policy being bound to each sensitive data). In our approach the data protection is performed within the cloud nodes (e.g., within the internal file system of a VM or its attached volume) and is completely transparent for the applications (no need to modify the applications). This paper describes the concept and the proposed end-to-end architecture (from the client to the cloud nodes) as well as an implementation based on the FUSE (Filesystem in Userspace) technology. This implementation is executed on a scenario of data access and transfer control, and is also used to achieve performance evaluations. These evaluations show that, with a reasonable additional computation cost, this approach offers a flexible and transparent way to enforce various privacy constraints within the cloud infrastructure.

S. Betgé-Brezetz, G.B. Kamga, M.P. Dupont and A. Guesmi Privacy Control in Cloud VM File Systems Conference 5th IEEE International Conference on Cloud Computing Technology and Science (CloudCom 2013) Dec. 2-5, 2013 Bristol, UK View more

Cloud Computing offers great benefits such as reduced IT costs and an improved business agility. Nevertheless, enterprises are still hesitant to put their sensitive data in the cloud as they notably fear privacy issues (e.g., violation of country-based regulations regarding the storage location of a sensitive data). In this context, this paper presents the demonstration of a privacy control technology that allows to protect sensitive files stored, processed, and moved in an IaaS cloud. In our approach, the privacy control is performed within the file system of the Virtual Machines (VM) and allows to control the access done by any application to each sensitive file. It notably covers business applications (e.g., provided by the cloud user) and system applications such as FTP (e.g., to prevent the transfer of a sensitive file in a not authorized country). Moreover, our technology allows to generate tamper-proof traces for any action performed on a sensitive file. In the demonstration, we then also show how the cloud user has a full view of the usage of his sensitive files (e.g., number of copies, storage locations, performed actions). Finally, the demonstration shows these different capabilities through a scenario of file access and cross-country transfer in a multi-platform cloud environment.

M. Blanc, A. Bousquet, J. Briffaut, L. Clevy, D. Gros, A. Lefray, J. Rouzaud-Cornabas, C. Toinard, and B. Venelle Mandatory Access Protection within Cloud Systems Book chapter Security, Privacy and Trust in Cloud Systems December, 2013 View more

In order to guarantee security properties, such as confidentiality and integrity, cryptographic mechanisms provide encryption and signature of data, but protection is required to control the data accesses. The recent attacks on Facebook and Twitter show that the protection must not be limited to the infrastructure i.e. the hosts and the guest virtual machines.

Teemu Kanstren, Tuomas Kekkonen Distributed Online Test Generation for Model-Based Testing Conference 2013 20th Asia-Pacific Software Engineering Conference (APSEC), Volume 1 December, 2013 Bangkok - Thailand View more

In online model-based testing, test execution is interleaved with test generation. Test cases should be generated and executed with minimal delay, while still achieving targeted coverage criteria quickly. Extensive model analysis in such case is not possible as any delays in choosing the next step will immediately impact the response times of test execution. The algorithms thus need to be as fast as possible, where a limiting factor is the available computing power. Experts working on the test models used for the generation often need to be able to quickly edit the models, generate test cases, and use the feedback to further evolve the models. Reserving large-scale computing resources while editing the model is unnecessary, but performing the analysis on them for test generation can improve the execution response time significantly. In this paper, we present an approach and algorithm for distributing the online test generation analysis part concurrently over the network, while enabling the expert to work on the models and execute the test cases locally at the same time.

Tuomas Kekkonen, Teemu Kanstren and Kimmo Hätönen Towards Trusted Environment in Cloud Monitoring Conference 11th International Conference on Information Technology: New Generations (ITNG 2014) April, 2014 Las Vegas - USA View more

This paper investigates the problem of providing trusted monitoring information on a cloud environment to the cloud customers. The general trust between customer and provider is taken as a starting point. The paper discusses possible methods to strengthen this trust. It focuses on establishing a chain of trust inside the provider infrastructure to supply monitoring data for the customer. The goal is to enable delivery of state and event information to parties outside the cloud infrastructure. The current technologies and research are reviewed for the solution and the usage scenario is presented. Based on such technology, higher assurance of the cloud can be presented to the customer. This allows customers with high security requirements and responsibilities to have more confidence in accepting the cloud as their platform of choice.

L. Bobelin, A. Bousquet, J. Briffaut, E. Caron, J-F. Couturier, A. Lefray, J. Rouzaud-Cornabas, and C. Toinard An Advanced Security-Aware Cloud Architecture Conference The 2014 International Conference on High Performance Computing & Simulation July, 2014 Bologna - Italy View more

Nowadays, Cloud offers many interesting features such as on-demand and pay-as-you-go resources, but induces new security problems in case a company wants to outsource its critical services. But since Clouds are shared between multiple tenants, both applications and execution environments need to be secured consistently in order to avoid possible attacks from malicious tenants. Moreover, if a large range of security mechanisms can improve the Cloud security, the configuration of those mechanisms to guarantee a global security property remains an open problem. Nowadays Clouds solutions lack two key features in order to realize it: an easy expression of security requirements and an actual enforcement of those requirements. This paper describes an overall architecture providing those features and an experiment run in order to demonstrate its validity. Our solution includes a language, a distribution engine and a security enforcement agent. The language eases the definition of the security properties required to plug an application into a Cloud. The distribution engine computes the sub-properties related to the different resources that must be deployed into the Cloud and coordinates the different enforcement agents associated to the provisioned resources. Our use-case addresses private hosting of customer data into the Cloud. The implementation and experiments show that the global security requirements (authentication and confidentiality) are satisfied when the application is scheduled within virtual machines and shared resources. 


T. Kanstrén, S. Lehtonen, R. Savola, H. Kukkohovi, K. Hätönen Architecture for High Confidence Cloud Security Monitoring Conference Proc. IEEE International Conference on Cloud Engineering (IC2E) March, 2015 (Accepted) Tempe, Arizona, USA

Operational security assurance of a networked system requires providing constant and up-to-date evidence of its operational state. In a cloud-based environment we deploy our services as virtual guests running on external hosts. As this environment is not under our full control, we have to find ways to provide assurance that the security information provided from this environment is accurate, and our software is running in the expected environment. In this paper, we present an architecture for providing increased confidence in measurements of such cloud-based deployments. The architecture is based on a set of deployed measurement probes and trusted platform modules (TPM) across both the host infrastructure and guest virtual machines. The TPM are used to verify the integrity of the probes and measurements they provide. This allows us to ensure that the system is running in the expected environment, the monitoring probes have not been tampered with, and the integrity of measurement data provided is maintained. Overall this gives us a basis for increased confidence in the security of running parts of our system in an external cloud-based environment.


T. Kanstren, S. Lehtonen and H. Kukkohovi Opportunities in Using Trusted Platform Module to Increase Confidence in Cloud Monitoring Conference 8th IEEE International Conference on Cloud Computing June 27 – July 2, 2015 (Submitted) New York, USA

This paper discusses the different applications of a secure element such as a trusted platform module (TPM) for increasing confidence in cloud monitoring. Monitoring cloud-based systems is similar in many ways to traditional in-house networks, but with the difference that the actual hardware is hosted by an external party and not under our control. Thus we need to consider the security and trust we place on the infrastructure and how much we can rely on the measurement data we get. In this paper, we consider different ways to use a TPM to increase the trust in monitoring data collected from cloud-based systems from the cloud customer viewpoint. This is based on three different use cases identified together with our industry partners. These are the monitoring of elements of the host infrastructure, monitoring our virtualized guest instances running on this infrastructure, and collecting and archiving log data for later external auditing of the cloud customer services. For each of these, we describe the problem area and different ways to use TPM to increase trust and visibility.



Other Publications and Conferences

Authors Title Type Event Date Place Link
Marquet, B. Secure Embedded Element and Data Protection Conference IEEE International Conference on Communications 2012 - Industry Forum, Infrastructure/Cloud Security June 10-15, 2012 Ottawa - Canada View more

Secure Embedded Element and Data Protection
Lambert, JM SEED4C: Can we plant a seed to build trusted clouds? Security Forum Chip to Cloud September 19-20, 2012 Nice, French Riviera View more
Rouzaud-Cornabas J., Caron E. Seed4C: A High-security project for Cloud Infrastructure Talk on Inria Booth at SC'12 SC12. The International Conference for High Performance Computing, Networking, Storage and Analysis November 10-16, 2012 Salt Lake City - USA View more
Rouzaud-Cornabas, J. Seed4C: A High-security project for Cloud Infrastructure Workshop Journée Cloud, France Grilles November 30, 2012 Bordeaux - France View more

Seed4C - A High-security project for Cloud Infraestructure
Rouzaud-Cornabas J., Caron E., Marquet B. Seed4C: A High-security project for Cloud Infrastructure Workshop Grid5000: School 2012 December 3-6, 2012 Nantes - France View more
A. Bousquet, J. Briffaut, and C. Toinard An autonomous system for the enforcement of security properties in a Cloud Summer School 14th International School on Foundations of Security Analysis and Design September, 2014 Bertinoro - Italy View more
A. Bousquet, J. Briffaut, and C. Toinard An autonomous Cloud management system for in-depth security Conference The 2014 IEEE CloudNet Conference October, 2014 Luxembourg View more