2. Business Validation & Use Cases
Five industry-driven pilots in different business application
areas
Data Protection in a Multi-tenant xRM Platform (CAS)
Secure Sensor Data Fusion and Analytics (SIEMENS)
Protection of Sensitive Enterprise Information in a Multi-tenant ERP
Environment (Singular Logic)
Encrypted Persistency as PaaS/IaaS Service (SixSq)
Qualified e-Delivery Service (UBITECH)
PaaSword10/11/2016 2
3. BUSINESS CASE: DATA PROTECTION IN
A MULTI-TENANT XRM PLATFORM
Simone Braun & Sebastian Schork – CAS
PaaSword10/11/2016 3
4. CRM / xRM Domain Security Challenges
CRM / xRM solutions store, link and process large amount of
personal and customer data as well as sensitive enterprise
data
Huge variety of data types with varying need for security
Availability everywhere and at any time
CRM / xRM developers are non-security experts
PaaSword10/11/2016 4
5. Benefits from PaaSword
Secure Key Management ensures maximum control over data
usage
Context-aware access control and encryption for specific
highly sensitive data and business operations
Perfectly fitting customers’ security requirements
Security-by-design approach enables non-security experts to
implement security-aware CRM / xRM solutions
PaaSword10/11/2016 5
6. BUSINESS CASE: SECURE SENSOR DATA
FUSION AND ANALYTICS
George Moldovan – SIEMENS
PaaSword10/11/2016 6
7. Internet of Things, Industrial Monitoring,
Smart X Domain Security Challenges
Industrial and governmental clients, services assume being able to
process data on site or central
Deficiencies in the (custom) applications operating on the data can
expose unrelated clients or the underlying infrastructure and resources to
security threats
Joint collaboration on specific topics requiring flexibility in defining access
to the required resources, as well as non-repudiation regarding actions
taken
Deploying/customizing applications running on the Siemens infrastructure
should require validation/checking mechanisms in order to ensure a
minimum compliance regarding privacy and security
PaaSword18/11/2016 7
8. Benefits from PaaSword
Flexible policy models and per-instance (deployment/client)
specific changes – configurable by the end-clients
allowing the more control over how and where the data can
be accessed
Transparency in provided security and privacy-related
mechanisms offloading time and resources from the (normal,
not security-professional) developers and their related
entities through the use of annotation
Proactive, contextual anomaly detection
PaaSword18/11/2016 8
9. BUSINESS CASE: PROTECTION OF
SENSITIVE ENTERPRISE INFORMATION
IN A MULTI-TENANT ERP
ENVIRONMENT
Giannis Ledakis – Singular Logic
PaaSword10/11/2016 9
10. ERP Domain Security Challenges
ERPs usually store information that can be confidential and
sensitive
Data protection is of high importance for any ERP and sensitive data
should be encrypted
Multi-tenancy is supported by running one-schema-per-
tenant in the same installation
Exposure of the data of a tenant to other tenants or to a third party is
the main security consideration
Access management mechanism is important for protecting
user accounts
PaaSword11/18/2016 10
11. Benefits from PaaSword
Support for a searchable encryption of the database
Distribution of database to increase data level security
Providing context-aware access control to protect user
accounts
Easy enablement of security aspects through annotations on
code level
Increasing the provided security to the customers
PaaSword11/18/2016 11
13. PaaS Providers
Data protection and security for cloud applications are
concerns for nearly all developers/operators.
In the spirit of PaaS providers exposing high-level services to
developers/operator, PaaSword components can be made
available through the PaaS
Benefits:
Less costly than developing components “in house”
Faster “time-to-market” for new applications
More confidence in using validated framework
Additional flexibility from policy-based authorization
PaaSword11/18/2016 13
14. BUSINESS CASE: QUALIFIED E-DELIVERY
SERVICE
Panagiotis Gouvas – UBITECH Ltd
PaaSword10/11/2016 14
15. eDelivery Security Challenges
Context
e-Delivery refers to the qualified electronic delivery of data
(e.g. documents and invoices) between two organizations
Qualified e-Delivery requires specific guarantees
e-Signing, e-Timestamping, e-Sealing of all steps
Challenges
Dominant model of e-Delivery Platform is SaaS
Increased need for encrypting e-delivery payloads
Compliance is very strict
GPDR has tremendous impact on SaaS providers
PaaSword10/11/2016 15
16. Benefits from PaaSword
Transparent searchable encryption of e-Delivery metadata
Dynamic update of Policies and Models with zero downtime
Acceleration to compliance (GDPR)
PaaSword10/11/2016 16
17. ASSISTING THE EU GENERAL DATA
PROTECTION REGULATION (GDPR)
PaaSword10/11/2016 17
18. Motivation
The new data protection regulation (GDPR) will
enter into force on 25 May 2018
be valid for public and private sector
Directly effective in Member States without the need for implementing
legislation
The GDPR will apply
to organizations (data processors or data controllers) which have EU
“establishments”,
where personal data are processed “in the context of the activities” of such an
establishment,
irrespective of whether the actual data processing takes place in the EU or not
Non-compliance can lead to a high administrative fine
up to either €20 Mio. or 4% of global annual turnover (the higher one)
09/2016 PaaSword 18
19. New Concepts
Personal Data Breach – a new security breach communication
law
Data protection by design and accountability – organizations
have to demonstrate their GDPR compliance
Enhanced rights – including the right to be forgotten, data
portability rights and the right to object to automated
decision making
Supervisory authorities and the EDPB – introduction of a new
single point of reference for multi-national groups
09/2016 PaaSword 19
20. Assisting GDPR Adoption
How PaaSword contributes in the acceleration of GDPR adoption?
Data Security and Processing
Data Breach communication by the data processor
Data protection by design / default and accountability
Right of Informedness
Right to be forgotten
PaaSword10/11/2016 20
21. How PaaSword Helps
Data Security and Processing:
PaaSword Key Management, DB Encryption and Context-aware Access
Control provide measures to ensure data security and prevent
processing that violates the GDPR
Data Breach communication by the data processor:
PaaSword Encryption as appropriate technical and organizational
protection measures
PaaSword10/11/2016 21
22. How PaaSword Helps
Data protection by design / default and accountability:
Privacy by default with PaaSword Key Management and Encryption
Privacy by design with PaaSword code and data model annotations
and their enforcement through the framework middleware
PaaSword Pilot Demonstrators as best practices and demonstrations
of compliance
Framework as a basis to fulfill certification requirements
PaaSword10/11/2016 22
23. How PaaSword Helps
Right of informedness
Annotated data model can be automatically analyzed to identify
contained personally identifiable information
Increased transparency, also regarding data processing by
applications
Right to be forgotten
Shared key ownership allows every owning party to make information
inaccessible by deleting the owned key part (“erase”)
PaaSword10/11/2016 23
24. Conclusion
Higher privacy with distributed searchable encryption at DB
layer
Increased user control and less dependency on cloud
provider with tenant-controlled Key Management
Appropriate access control with context-awareness and
flexible Policy Management
Easier development of secure cloud applications for non-
security experts with comprehensive Annotation Framework
Making cloud solutions more attractive and ready for the EU
General Data Protection Regulation
10/11/2016 24