Papers by philippe massonet
With a growing number of infrastructure cloud services becoming available there are many benefits... more With a growing number of infrastructure cloud services becoming available there are many benefits to interconnecting several cloud services. However, seamless cloud interoperability is the complex issue, especially when different cloud platforms are interconnected. One of the major aspects of federating clouds resources is network federation. Federated networks must deal not only with heterogeneous cloud platforms, but also with different virtualization technologies and the added complexity of multi-layer virtualization. In order to allow monitoring and analysis of the complex heterogeneous environment, there is a need to present a user with the full aggregated view of the federated network including cloud interconnect and with the match between different layers and platforms. In this paper we present a framework that uses Skydive tool for network monitoring and analysis in BEACON federated network environment.
Communications in computer and information science, 2016
Cloud federation enables cloud providers to collaborate in order to create a large pool of virtua... more Cloud federation enables cloud providers to collaborate in order to create a large pool of virtual resources at multiple network locations. Different types of federated cloud architectures have been proposed and implemented up to now. In this context, an effective, agile and secure federation of cloud networking resources is a key aspect for the deployment of federated applications. This paper presents the preliminary security requirements analyzed in the H2020 BEACON Project that aims at researching techniques to federate cloud network resources and defining an integrated cloud management layer that enables an efficient and secure deployment of federated cloud applications. The paper analyses both how to protect the cloud networking infrastructure, and how cloud users can customize the network security for their distributed applications.
2017 IEEE 5th International Conference on Future Internet of Things and Cloud (FiCloud), 2017
Smart IoT applications require connecting multiple IoT devices and networks with multiple service... more Smart IoT applications require connecting multiple IoT devices and networks with multiple services running in fog and cloud computing platforms. One approach to connecting IoT devices with cloud and fog services is to create a federated virtual network. The main benefit of this approach is that IoT devices can then interact with multiple remote services using an application specific federated network where no traffic from other applications passes. This federated network spans multiple cloud platforms and IoT networks but it can be managed as a single entity. From the point of view of security, federated virtual networks can be managed centrally and be secured with a coherent global network security policy. This does not mean that the same security policy applies everywhere, but that the different security policies are specified in a single coherent security policy. In this paper we propose to extend a federated cloud networking security architecture so that it can secure IoT devices and networks. The federated network is extended to the edge of IoT networks by integrating a federation agent in an IoT gateway or network controller (Can bus, 6LowPan, Lora, ...). This allows communication between the federated cloud network and the IoT network. The security architecture is based on the concepts of network function virtualisation (NFV) and service function chaining (SFC) for composing security services. The IoT network and devices can then be protected by security virtual network functions (VNF) running at the edge of the IoT network.
2017 IEEE International Conference on Smart Computing (SMARTCOMP), 2017
Smart Internet of Things (IoT) applications will rely on advanced IoT platforms that not only pro... more Smart Internet of Things (IoT) applications will rely on advanced IoT platforms that not only provide access to IoT sensors and actuators, but also provide access to cloud services and data analytics. Future IoT platforms should thus provide connectivity and intelligence. One approach to connecting IoT devices, IoT networks to cloud networks and services is to use network federation mechanisms over the internet to create network slices across heterogeneous platforms. Network slices also need to be protected from potential external and internal threats. In this paper we describe an approach for enforcing global security policies in the federated cloud and IoT networks. Our approach allows a global security to be defined in the form of a single service manifest and enforced across all federation network segments. It relies on network function virtualisation (NFV) and service function chaining (SFC) to enforce the security policy. The approach is illustrated with two case studies: one for a user that wishes to securely access IoT devices and another in which an IoT infrastructure administrator wishes to securely access some remote cloud and data analytics services.
Communications in Computer and Information Science, 2016
Cloud federation enables cloud providers to collaborate in order to create a large pool of virtua... more Cloud federation enables cloud providers to collaborate in order to create a large pool of virtual resources at multiple network locations. Different types of federated cloud architectures have been proposed and implemented up to now. In this context, an effective, agile and secure federation of cloud networking resources is a key aspect for the deployment of federated applications. This paper presents the preliminary security requirements analyzed in the H2020 BEACON Project that aims at researching techniques to federate cloud network resources and defining an integrated cloud management layer that enables an efficient and secure deployment of federated cloud applications. The paper analyses both how to protect the cloud networking infrastructure, and how cloud users can customize the network security for their distributed applications.
The capability to perform comparisons of city performances can be an important guide for stakehol... more The capability to perform comparisons of city performances can be an important guide for stakeholders to detect strengths and weaknesses and to set up strategies for future urban development. Today, the rise of the Open Data culture in public administrations is leading to a larger availability of statistical datasets in machine-readable formats, e.g. the RDF Data Cube. Although these allow easier data access and consumption, appropriate evaluation mechanisms are still needed to perform proper comparisons, together with an explicit representation of how statistical indicators are calculated. In this work, we discuss an approach for analysis and comparison of statistical Linked Data which is based on the formal and mathematical representation of performance indicators. Relying on this knowledge model, a set of logic-based services are able to support novel typologies of comparison of different resources.
2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 2021
The growing digitalisation of our economies and societies is driving the need for increased conne... more The growing digitalisation of our economies and societies is driving the need for increased connectivity of critical applications and infrastructures to the point where failures can lead to important disruptions and consequences to our lives. One growing source of failures for critical applications and infrastructures originates from cybersecurity threats and vulnerabilities that can be exploited in attacks. One approach to mitigating these risks is verifying that critical applications and infrastructures are sufficiently protected by certification of products and services. However, reaching sufficient assurance levels for product certification may require detailed evaluation of product properties. An important challenge for product certification is dealing with product evolution: now that critical applications and infrastructures are connected they are being updated on a more frequent basis. To ensure continuity of certification, updates must be analysed to verify the impact on certified cybersecurity properties. Impacted properties need to be re-certified. This paper proposes a lightweight and flexible incremental certification process that can be integrated with DevSecOps practices to automate as much as possible evidence gathering and certification activities. The approach is illustrated on the Common Criteria product certification scheme and a firewall update on an automotive case study. Only the impact analysis phase of the incremental certification process is illustrated.
Future Generation Computer Systems, 2018
Multi-cloud adaptive application provisioning can solve the vendor lock-in problem and allows opt... more Multi-cloud adaptive application provisioning can solve the vendor lock-in problem and allows optimizing user requirements by selecting the best from the multitude of services offered by different cloud providers. To this end, such provisioning type is increasingly supported by new or existing research prototypes and platforms. One major concern, actually preventing users from moving to the cloud, comes with respect to security, which becomes more complex in multi-cloud settings. Such a concern spans two main aspects: (a) suitable access control on user personal data, VMs and platform services and (b) planning and adapting application deployments based on security requirements. As such, this paper addresses both security aspects by proposing a novel model-driven approach and architecture which secures multi-cloud platforms, enables users to have their own private space and guarantees that application deployments are not only constructed based on but can also maintain a certain user-required security level. Such a solution exploits state-of-theart security standards, security software and secure model management technology. Moreover, it covers different access control scenarios involving external, web-based and programmatic user authentication.
Automation, Communication and Cybernetics in Science and Engineering 2015/2016, 2016
Due to globalisation, supply chains face an increasing number of risks that impact the procuremen... more Due to globalisation, supply chains face an increasing number of risks that impact the procurement process. Even though there are tools that help companies address these risks, most companies, even larger ones, still have problems for adequately quantifying the risks on their current process as well as on alternative process. The aim of our work is to provide companies with a software supported method for quantifying procurement risks and establishing adequate strategies for risk mitigation at an optimal cost. Based on the results of a survey on risk management practices and industrial needs, we developed a tool that enables them quantifying these risks. The tool makes it easier to express key risks via a process model that offers an adequate granularity for expressing them. A simulator incorporated in our tool can efficiently evaluate these risks through Monte-Carlo simulation technique. Our main technical contribution lies in the development of an efficient Discrete Event Simulation (DES) engine, together with a Query Language that can be used to measure business risks from the simulation results. We show the expressiveness and performance of our approach by benchmarking it on a set of cases that are taken from industry and cover a large set of risk categories.
Communications in Computer and Information Science, 2016
Cloud federation refers to a mesh of Cloud providers that are interconnected by using agreements ... more Cloud federation refers to a mesh of Cloud providers that are interconnected by using agreements and protocols necessary to provide a decentralized computing environment. Federation is raising many challenges in different research fields but is also creating new business opportunities. Nowadays, the combination between Cloud federation, Software Defined Networking (SDN), and Network Function Virtualization (NFV) technologies offers new business opportunities to Cloud providers that are able to offer new innovative federated Cloud networking services to customers. In this paper, we focus on federated Cloud networking services considering multiple OpenStack Clouds. In particular, we present a preliminary outcome of an innovative design of a Federation Management system acting as an external service provider dealing with federated networking services among multiple federated OpenStack Clouds. More specifically, we describe how virtual resources, virtual networking, and security management can be accomplished.
Lecture Notes in Computer Science, 2016
Multi-cloud application management can optimize the provisioning of cloud-based applications by e... more Multi-cloud application management can optimize the provisioning of cloud-based applications by exploiting whole variety of services offered by cloud providers and avoiding vendor lock-in. To enable such management, model-driven approaches promise to partially automate the provisioning process. However, such approaches tend to neglect security aspects and focus only on low-level infrastructure details or quality of service aspects. As such, our previous work proposed a security meta-model, bridging the gap between high- and low-level security requirements and capabilities, able to express security models exploited by a planning algorithm to derive an optimal application deployment plan by considering both types of security requirements. This work goes one step further by focusing on runtime adaptation of multi-cloud applications based on security aspects. It advocates using adaptation rules, expressed in the event-condition-action form, which drive application adaptation behaviour and enable assuring a more-or-less stable security level. Firing such rules relies on deploying security metrics and adaptation code in the cloud to continuously monitor rule event conditions and fire adaptation actions for applications when the need arises.
The increasing number of cloud service providers (CSP) is creating opportunities for multi-cloud ... more The increasing number of cloud service providers (CSP) is creating opportunities for multi-cloud deployments, where components are deployed across different CSP, instead of within a single CSP. Selecting the right set of CSP for a deployment then becomes a key step in the deployment process. This paper argues that deployment should take security into account when selecting CSP. This paper makes two contributions in this direction. First the paper de-scribes how industrial standard security control frameworks may be integrated into the deployment process to select CSP that provide sufficient levels of secu-rity. It also argues that ability to monitor CSP security should also be considered. The paper then describes how security requirements may be modelled as con-straints on deployment objectives to find optimal deployment plans. The im-portance of using cloud security standards as a basis for reasoning on required and provided security features is discussed.
Lecture Notes in Computer Science, 2015
The adoption of ICT technologies in healthcare for recording patients' health events and progress... more The adoption of ICT technologies in healthcare for recording patients' health events and progression in Electronic Health Records (EHRs) and Clinical Information Systems (CLIS) has led to a rapidly increasing volume of data which is, in general, distributed in autonomous heterogeneous databases. The secondary use of such data (commonly anonymised for privacy reasons) for purposes other than healthcare (such as patient selection for clinical trials) comprises an emerging trend. However, this trend encapsulates a great challenge; semantic interlinking of two different, yet highly related, domains (in terms of semantics) i.e., clinical research and healthcare. This paper aims at presenting an analysis of the heterogeneity issues met in this effort and describing the semantically-enabled multi-step process followed within the PONTE project for achieving the interlinking of these two domains for the provision of the size of the eligible patients for participation in a trial at the cooperating sites.
2011 IEEE International Symposium on Parallel and Distributed Processing Workshops and Phd Forum, 2011
... As a case of study, it will be illustrated and applied to the French e ... and infrastructure... more ... As a case of study, it will be illustrated and applied to the French e ... and infrastructure space to meet isolation and confidentiality objectives of the federated cloud infrastructure. ... is responsible for translating the data export constraints into placement and migration constraints to be ...
2012 Eighth International Conference on the Quality of Information and Communications Technology, 2012
With the growing popularity of cloud computing, it is important to have guarantees on the quality... more With the growing popularity of cloud computing, it is important to have guarantees on the quality of the protection. This is particularly true for infrastructure as a service (IaaS) and the need for protecting applications that are deployed in a cloud. Applications come with different levels of required protection and thus require different levels of protection at the infrastructure level. Quality of protection should be commensurate with the risks. In the cloud responsibility for protecting the application is split between the cloud user (the one who deploys the application) and the cloud provider that manages the infrastructure. The responsibility for securing the application is still in the hands of the cloud user. However the responsibility for securing the infrastructure on which the application runs is in the hands of the cloud provider. For the cloud user to be able to guarantee a given level of protection he must obtain some guarantees in quality of protection from the cloud infrastructure in which the application runs. This article describes and compares a client side (transparent) and a provider side (less transparent) model for specifying and monitoring quality of protection in IaaS, and discusses the benefits and pitfalls of the two models. The paper concludes by comparing these models to assess which one is the most adequate for IaaS. The contribution of this paper is to suggest the need for more transparent quality of protection management in clouds and to provide a method for moving from non-transparent quality of protection models to more transparent quality of protection models based on risk analysis of threats and the identification of the security controls to be monitored. The approach is illustrated with an example for monitoring VM/data location in a cloud.
Uploads
Papers by philippe massonet