PRISMACLOUD provides a box of five flexible tools, fully encapsulating strong cryptographic functionality, from which secure and privacy aware cloud services can be constructed. We address storage and data sharing security, data minimising and privacy providing authentication and authorisation mechanisms, topology certification, anonymisation, and an encryption proxy for legacy applications.
We target individual and organisational end users, as e.g. administrations, health systems, and other community cloud users with common interest or particular compliance requirements, as well as businesses of different sizes and operating in different markets. We specifically address small and medium-sized enterprises, a sector with enormous economic growth potential enabled by the scalability of cloud services. We also want to address cloud providers that might be interested in providing your secure and privacy preserving services for the customers, compliant to the upcoming European General Data Protection Regulation, GDPR.
In a post Snowden world, the currently prevailing threat modelling, with its focus on outsiders (hackers, rogue criminals etc.), is probably insufficient for modelling privacy threats in the cloud context. We assume that the “nature of clouds” requires the consideration of an expanded threat posture represented by insiders, e.g. the cloud processor, or other parties down the cloud provisioning chain.
This concerns not only the actual (private) data of an end user, but any Personally Identifiable Information (PII), including metadata that accrue by accessing the cloud and performing operations on-line. Several groups of end users are currently barred from moving to the cloud because of the strong confidentiality required for their data and processing. In particular, the upcoming GDPR will require data controllers to keep precautions for the protection of PII which might only be practically realised by the use of strong cryptography.
End users, such as individuals and organisational end users, including administrations, communities, and commercial enterprises, can potentially benefit from security and privacy in the cloud that is not only supported by contractual provisions – but proactively guaranteed by cryptographic measures. Such measures allow cloud customers to retract data from a cloud provider, or enforce the deletion of data at a cloud provider at their own discretion, without depending on good will and cooperation. Thus, several of our solutions support a re-empowerment of end users in the cloud context.
But also on the cloud provider side, our solutions can provide their benefit: Cloud providers will be able to provide advanced services to end users that value privacy and governance in the cloud. Cloud providers (“processors”) will be able to provide “GDPR compliance as a service” to their customers, and will also reduce the responsibilities which would be imposed upon them in the case of processing PII in plaintext.