*** Christian Banse is the head of the department “Service and Application Security” at Fraunhofer AISEC. The primary focus of the department is to develop and research tools and technologies to analyse and strengthen the security of software. This includes mobile applications as well as Cloud and Edge Computing. Christian has been an employee of Fraunhofer AISEC since 2011. He has a Master of Science degree in Management Information Systems from the University of Regensburg and is the author of several publications in the field of network and Cloud security.
Establishing Continuous Security in Multi-Cloud Environments
Security is still regarded as the most inhibiting factor for companies moving into the Cloud. While recent trends show that Cloud vendors are increasingly aware of this and are providing the necessary tools to secure the Cloud workloads of their customers, it is still a challenge to continuously ensure security in environments involving multiple Cloud providers. This is especially the case if the Cloud offerings span different service levels ranging from IaaS to SaaS, since the shared responsibilities for security between Cloud provider and Cloud customer are often not clearly defined.
Additionally, further research has to be done regarding the meaning of “continuous” in the context of Cloud security. What are sensible intervals at which to check certain security configuration settings? While it might suffice to check the expiration of a password on a daily basis, the firewall configuration of a virtual machine might need to be checked hourly or even more frequently. Furthermore, new paradigms such as serverless computing can be leveraged to check security settings on change rather than at a regular interval. Another big challenge the community is facing is the comparison of evidence generated from different Cloud providers because of their heterogeneous nature. While there are some Cloud computing standards in the on-premise world, such as OpenStack, the commercial Cloud providers rarely follow these standards, and technologies need to be developed to quickly adapt to the different APIs of different Cloud providers. On the other hand, the rise of containers, and especially the establishment of Kubernetes as the de-facto container management solution, can be used to mitigate this to a certain degree.
This talk will highlight how the research department “Service and Application Security” of Fraunhofer AISEC is tackling those questions, especially in the context of Cloud service certification. It will give insight into the work conducted at the Fraunhofer AISEC laboratories, especially Clouditor, which is currently being piloted on a European level in the Horizon 2020 project EU-SEC (www.sec-cert.eu). Clouditor follows a test-based certification approach and can be used to check the security configuration of different Cloud workloads, for example in the course of a compliance audit. To compare security settings of different Cloud providers and even different service offerings, Fraunhofer AISEC is currently developing a domain-specific language based on a context-free grammar to easily model security requirements of Cloud resources.
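As an added illustration of the requirement-driven, test-based checking the abstract describes (example code written for this page, not Clouditor's own code, and the requirement language, evidence shape and field names are assumptions of the example), the block below parses a tiny context-free requirement grammar and evaluates it against constructed evidence that has already been normalised from provider-specific APIs; missing evidence is reported as a finding rather than a pass.

```python
import re
from functools import reduce

# Requirement language assumed for this example (not Clouditor's own grammar):
#   requirement := check ("and" check)*
#   check       := PATH OP LITERAL          e.g. firewall.open_ports excludes 22
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
       "contains": lambda a, b: b in a, "excludes": lambda a, b: b not in a}

def tokenize(text):
    toks = []
    for raw in re.findall(r'"[^"]*"|\S+', text):  # quoted strings may contain spaces
        if raw in OPS: toks.append(("OP", raw))
        elif raw == "and": toks.append(("AND", raw))
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"': toks.append(("LIT", raw[1:-1]))
        elif raw.isdigit(): toks.append(("LIT", int(raw)))
        elif re.fullmatch(r"[A-Za-z_][\w.]*", raw): toks.append(("PATH", raw))
        else: raise SyntaxError(f"bad token {raw!r}")
    return toks

def parse(text):
    """Parse a requirement into (path, op, literal) checks that must all hold."""
    toks, checks, i = tokenize(text), [], 0
    while True:
        if [k for k, _ in toks[i:i + 3]] != ["PATH", "OP", "LIT"]:
            raise SyntaxError(f"expected PATH OP LITERAL at token {i} in {text!r}")
        checks.append((toks[i][1], toks[i + 1][1], toks[i + 2][1]))
        i += 3
        if i == len(toks):
            return checks
        if toks[i][0] != "AND":
            raise SyntaxError(f"expected 'and' at token {i} in {text!r}")
        i += 1

def evaluate(requirement, evidence):
    """Return the failing checks; an empty list means the resource is compliant."""
    failed = []
    for path, op, lit in parse(requirement):
        try:   # walk the dotted path through the nested evidence dict
            ok = OPS[op](reduce(lambda d, k: d[k], path.split("."), evidence), lit)
        except (KeyError, TypeError):
            ok = False   # missing or malformed evidence is a finding, never a pass
        if not ok:
            failed.append(f"{path} {op} {lit!r}")
    return failed

# Constructed evidence, already normalised from provider-specific APIs into one shape
VM_EVIDENCE = {"firewall": {"open_ports": [443, 22], "default": "deny"}}
ACCOUNT_EVIDENCE = {"password": {"max_age_days": 90, "min_length": 14}}
```

The same requirement string can be evaluated against evidence collected from any provider, once that evidence is mapped into the shared shape, which is what makes settings comparable across IaaS and SaaS offerings.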
*** Jesus Luna Garcia has a PhD in Computer Architecture from the “Technical University of Catalonia” (UPC, Spain, 2008) and was a postdoctoral researcher with the CoreGRID NoE (Greece/Cyprus, 2008-2009). He has more than 20 years of experience in the field of computer security, working with both public and private sector companies and universities in America and Europe. His professional experience includes Robert Bosch GmbH (Germany), Cloud Security Alliance (U.K.), and the Technical University of Darmstadt (Germany). Jesus Luna has co-authored more than 40 publications, including scientific papers, ISO/IEC and NIST standards, and a patent. Currently, he works with Robert Bosch GmbH, where he contributes to the security governance of its cloud ecosystem. His topics of interest include security assessment, security automation, trust management, and risk management.
Holistic IoT security as a digital transformation’s enabler
In the so-called “digital transformation”, industries all over the world are nowadays moving towards an ecosystem of pervasive computing characterized by the notion that “everything is connected” in an Internet of Things (IoT). In this “hyper-connected world”, there is interactive intelligence all around us: physical products and infrastructure are no longer mere objects, but sensible things that can in many cases understand our human intentions and adapt accordingly. Actuators adapt to the environment through the application of machine learning and natural language interfaces, together with cloud-based information resources.
Unfortunately, recent examples of IoT-related security breaches show us that the immense promise of “connected everything” is counterbalanced by the equally immense challenge of securing billions of devices (some of which are not always designed or set up to function securely when connected to the internet). The correct handling of IT security is key to unlocking the full potential of the digital transformation, which compounds well-known challenges related to underlying technologies and complex IT systems.
This presentation will offer IT security recommendations for establishing end-to-end trust in these complex ecosystems, in particular by providing answers to the following:
1. Why is it essential to consider the security aspects of the full technology stack, from back-end solution components (e.g., cloud) to edge networks, gateways, and devices?
2. Why must the full security life-cycle be taken into account, from conception and design, through continuous operation, to end-of-life decommissioning?
Finally, this presentation will also discuss some positive implications of the holistic IoT security approach in relation to the upcoming European Cybersecurity Act, in particular regarding the continuous security certification of cloud backends.