Service & Application Security

In the year 2009, the Fraunhofer AISEC (using its former term Fraunhofer SIT) published the first comprehensive, German-language study of security in the field of cloud computing. Key results comprised of a systematic taxonomy for the analysis of security as well as guidance for the users of cloud computing services. A detailed, subsequent analysis of the market leaders in cloud computing on behalf of the Federal Office for Information Security (BSI), which ended in spring 2011, revealed deep insights into the state-of-the-art of developments and technology of the most widespread, commercial service offerings in cloud computing. In addition to this, we conduct interoperability and practical comparative analysis of these offerings with open-source solutions in our laboratory.

Fraunhofer AISEC supports customers with the conception, the design, the realization and evaluation of security and reliability related aspects, as well as the robustness of SOA and Cloud solutions. Consultation of users of cloud computing service offerings, such as small and midmarket businesses, is carried out by Fraunhofer AISEC in the areas of business process outsourcing and applications in cloud computing environments. We conduct security research and analysis and, where appropriate, develop tailored applications that enable the secure and comfortable usage of cloud computing service offerings. This includes the use of innovative technologies, which enable Security-as-a-Service, e.g. identity management in the sense of Identity-as-a-Service.

• Compliance to Web Application Security standards in accordance to OWASP
• Systematic identification of risks and scenarios of improper use in service infrastructures (including analysis for a need of protective measures, abuse-case-modeling, threat modeling)
• Implementation and introduction of monitoring concepts for the vertical surveillance of cloud infrastructures
• Execution of seamless resource migrations between cloud ecosystems using cloud roaming techniques
• Implementation of particular cryptographic algorithms in order to secure service infrastructures
• Integration and safeguarding of the interoperability of identity management systems in general and the New Identity Card in particular

• C. Banse, P. Stephanow and M. Moein. “Continuous Location Validation of Cloud Service Components”. In: Proceedings of the 9th IEEE International Conference on Cloud Computing Technology and Science, CloudCom 2017.
• M. Schanzenbach and S. Zickau. “Identity and access management in a doping control use case”. In: Datenschutz und Datensicherheit DuD 41.12 (2017), pp. 724–728. ISSN: 18622607. DOI: 10.1007/s11623-017-0867-z. URL: https://doi.org/10.1007/s11623-017-0867-z.
• A. Ahadipour and M. Schanzenbach. “A Brief History of Authorization in Distributed Systems: Information Storage, Data Retrieval and Trust Evaluation”. In: Proceedings of the International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), August 2017.

• C. Banse and J. Schuette. “A Taxonomy-based Approach for Security in Software-defined Networking”. In: 2017 IEEE International Conference on Communications, ICC 2017, Paris, France, May 21-25, 2017.

• I. Kunz and P. Stephanow. “A process model to support continuous certification of cloud services”. In: 31th International Conference on Advanced Information Networking and Applications (AINA). IEEE, 2017.

• P. Stephanow and C. Banse. “Evaluating the performance of continuous test-based cloud service certification”. In: 17th International Symposium on Cluster, Cloud and Grid Computing (CCGrid). IEEE, 2017.

• P. Stephanow and K. Khajehmoogahi. “Towards continuous security certification of Software-as-a-Service applications using web application testing”. In: 31th International Conference on Advanced Information Networking and Applications (AINA). IEEE, 2017.
• B. Gulmezoglu, A. Zankl, T. Eisenbarth and B. Sunar. “PerfWeb: How to Violate Web Privacy with Hardware Performance Events”. In: Computer Security – ESORICS 2017: 22^nd European Symposium on Research in Computer Security, Oslo, Norway, September 1115, 2017. to appear. Cham: Springer International Publishing, 2017.
• J. Sepúlveda, A. Zankl and O. Mischke. “Cache Attacks and Countermeasures for NTRUEncrypt on MPSoCs: Post-quantum Resistance for the IoT”. In: 2017 30th IEEE International System-on-Chip Conference (SOCC). to appear. 2017.

• G. Settanni, F. Skopik, Y. Shovgenya, R. Fiedler, M. Carolan, D. Conroy, K. Böttinger, M. Gall, G. Brost, C. Ponchel, M. Haustein, H. Kaufmann, K. Theuerkauf and P. Olli. “A Collaborative Cyber Incident Management System for European Interconnected Critical Infrastructures”. In: Journal of Information Security and Applications Special Issue on ICS & SCADA Cyber Security, 2016.

• M. Schanzenbach and C. Banse. "Managing and Presenting User Attributes over a Decentralized Secure Name System". 11th DPM International Workshop on Data Privacy Management (DPM), September 2016.

• J. Schütte, P. Stephanow and G. Srivastava. “Test-based cloud service certification of opportunistic providers”. In: The 8th IEEE International Conference on Cloud Computing (CLOUD), June 2016.
• P. Stephanow, C. Banse and J. Schütte. "Generating Threat Profiles for Cloud Service Certification Systems". In: 17th IEEE High Assurance Systems Engineering Symposium (HASE), January 2016.
• J. Schütte and G. Brost. "A Data Usage Control System using Dynamic Taint Tracking". In: Proceedings of the International Conference on Advanced Information Network and Applications (AINA), March 2016.
• M. Gall and G. Brost. "K-word Proximity Search on Encypted Data". In: Proceedings of the International Conference on Advanced Information Network and Applications (AINA), March 2016.