PaaSword Reference Architecture

The PaaSword Reference Architecture aims to satisfy the different types of requirements following a use-case-driven approach. The overall goal was to identify all stakeholders and as many as possible of the functionalities that would be required to formulate a secure PaaS framework.

The scope of the Reference Architecture is a) to define the architectural components that cover the functional aspects of the requirements, b) to map the identified roles to the aforementioned components, and c) to elaborate on each component by providing a usage walkthrough. The architecture is considered a ‘reference’ since it can be subjected to multiple ‘instantiations’. Furthermore, specific components can be implemented in a completely different way. In the frame of the project’s implementation phase, a specific ‘instantiation’ of the components is performed and tailored to the needs of the use cases.

The above figure provides an overview of the high-level components that comprise the Reference Architecture. As shown, a security/privacy-by-design framework involves many stakeholders/roles. Each of these stakeholders relies on different components that complement each other. A functional description of the components can be found in deliverable D1.3, PaaSword Reference Architecture.

The picture above provides an overview of how these components are orchestrated in order to support an end-to-end scenario that engages all identified roles. The high-level components are grouped in layers (or zones). The components of the PaaSword architecture that facilitate the model-driven security control are underlined in red as parts of the overall architecture.

The interaction between components (and sub-components) is modelled in a non-normative format. The interfaces are formulated in the technical deliverables which document the detailed structure of the components and the interactions among them.

In the frame of PaaSword, different Encryption/Decryption Policies will be supported. These policies involve different mechanisms that entail different characteristics during runtime. Since security aspects are the focal point of this project, special emphasis has been given to the analysis of the various policies.

Furthermore, the PaaSword architecture is not bound to a specific programming language or framework. However, the architecture raises some implementation requirements such as:

  • the ability of a programming language to support annotations (or any other metadata framework) which is an essential prerequisite of the PaaSword architecture since transparent encryption/decryption policies and web-endpoints that are controlled by PaaSword policies are defined using annotations;
  • the ability of an execution container to support dynamic class-loading which is also an essential prerequisite of the PaaSword architecture since various context evaluation libraries can be dynamically provided to an execution container.
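The two requirements above can be seen working together in the following added example, which is not PaaSword code: an annotation marks an endpoint as policy-controlled and names a context evaluator that the enforcement point loads by class name at runtime. The names `PolicyProtected`, `ContextEvaluator`, `InternalNetworkEvaluator` and `RecordEndpoint` are hypothetical, and the classes are assumed to live in the default package.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.Map;

public class AnnotationPolicyDemo {
    // Hypothetical annotation: names the context evaluator class guarding an endpoint.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface PolicyProtected { String evaluator(); }

    // Hypothetical contract that a dynamically provided context evaluation library implements.
    public interface ContextEvaluator { boolean permit(Map<String, String> context); }

    // Constructed sample evaluator; in a real container it would arrive in a separate jar.
    public static class InternalNetworkEvaluator implements ContextEvaluator {
        public boolean permit(Map<String, String> ctx) {
            return "internal".equals(ctx.get("network")) && "doctor".equals(ctx.get("role"));
        }
    }

    // Constructed sample endpoint whose access is declared purely through metadata.
    public static class RecordEndpoint {
        @PolicyProtected(evaluator = "AnnotationPolicyDemo$InternalNetworkEvaluator")
        public String readRecord(String id) { return "record " + id; }
    }

    // Enforcement point: read the annotation, load the evaluator by name, deny on any failure.
    static Object invoke(Object target, String name, Map<String, String> ctx, String arg) throws Exception {
        Method m = target.getClass().getMethod(name, String.class);
        PolicyProtected p = m.getAnnotation(PolicyProtected.class);
        if (p != null) {
            boolean allowed;
            try {
                Class<?> c = Class.forName(p.evaluator(), true, target.getClass().getClassLoader());
                allowed = c.asSubclass(ContextEvaluator.class)
                           .getDeclaredConstructor().newInstance().permit(ctx);
            } catch (ReflectiveOperationException | ClassCastException e) {
                allowed = false; // fail closed if the library is missing or has the wrong type
            }
            if (!allowed) throw new SecurityException("policy denied: " + name);
        }
        return m.invoke(target, arg);
    }

    public static void main(String[] args) throws Exception {
        RecordEndpoint ep = new RecordEndpoint();
        System.out.println(invoke(ep, "readRecord", Map.of("network", "internal", "role", "doctor"), "42"));
        try {
            invoke(ep, "readRecord", Map.of("network", "public", "role", "doctor"), "42");
        } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

Because the evaluator is resolved by name at runtime, the class name and the class loader it is resolved against should come only from trusted deployment configuration, and a load failure must result in denial rather than an unguarded call.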

There are many programming languages that support these features; yet the entire set of use cases that should be supported is Java-oriented, and therefore the reference implementation is also Java-oriented.