=Paper= {{Paper |id=Vol-2058/paper-12 |storemode=property |title=Cross-Cloud Management of Sensitive Data via Blockchain: a Payslip Calculation Use Case |pdfUrl=https://ceur-ws.org/Vol-2058/paper-12.pdf |volume=Vol-2058 |authors=Luca Nicoletti,Andrea Margheri,Federico Lombardi,Vladimiro Sassone,Francesco Paolo Schiavo |dblpUrl=https://dblp.org/rec/conf/itasec/NicolettiMLSS18 }} ==Cross-Cloud Management of Sensitive Data via Blockchain: a Payslip Calculation Use Case== https://ceur-ws.org/Vol-2058/paper-12.pdf
Cross-Cloud Management of Sensitive Data via Blockchain:
             a Payslip Calculation Use Case
    Luca Nicoletti (1), Andrea Margheri (2), Federico Lombardi (2), Vladimiro Sassone (2),
                            and Francesco Paolo Schiavo (3)

    (1) SOGEI, lnicoletti@sogei.it
    (2) Electronics and Computer Science, University of Southampton,
        {a.margheri;f.lombardi;vsassone}@soton.ac.uk
    (3) Ministero dell’Economia e delle Finanze, francescopaolo.schiavo@mef.gov.it

                                              Abstract
    Federating Cloud systems is an urgent need of the Public Sector. In this paper, we showcase a
recent Cloud Federation-as-a-Service solution empowered by blockchain technology. This solution is
used by the Italian Ministry of Economy and Finance to realise a cross-Cloud application for payslip
calculation of Police Forces. Blockchain offers decentralised means to reconcile the need to keep
data protected with the need to ensure certified computation on it. This solution has been adopted as part of the
project CloudifyNoiPA to re-engineer the whole payroll system of the Italian Public Administration.


1      Introduction
Nowadays, the Public Sector is equipped with a large number of private Cloud systems whose
administration is becoming more expensive and less effective due to brief usage peaks, barriers
to flexible resource provisioning, and limited access to distributed data sources. An urgent
need is to provide software infrastructures enabling secured and controlled interaction across
multiple Cloud systems. The key driver for creating such cross-Cloud systems lies in the
access to data and services otherwise not available, and in the better utilisation of computational
resources.
     Broadly speaking, the governance aspects of cross-Cloud systems are of paramount importance
to encourage wide application and foster systematic integration of private Clouds in the
Public Sector. European countries such as Italy and France suffer from a large proliferation of
small/medium data centres concurrently supporting Public Administrations. This causes
inefficiency, costly management and low resource utilisation. To tackle this issue, the SUNFISH
project conceived, designed and implemented so-called Federation-as-a-Service (FaaS) [4], an
innovative federation approach for Cloud systems that allows small/medium data centres to
become first-class citizens in the Cloud provisioning landscape for Public Administrations. FaaS
crucially relies on blockchain to realise a first-time democratic and decentralised governance
model. Blockchain is exploited as an innovative underlying infrastructure underpinning trustless
federated Clouds with data computation integrity and availability.
     Blockchain is an innovative technology that, besides fascinating properties on data integrity,
ensures full decentralised control on data and its computation. Upon such decentralised
infrastructure, immutable programs named smart contracts can execute, ensuring non-repudiable
guarantees to all involved parties. Besides Bitcoin and Ethereum, a large number of blockchain
systems targeting private settings such as cross-Cloud integrations have appeared on the market.
Hyperledger Fabric (www.hyperledger.org/projects/fabric) is a prominent solution that
offers, among others, controls on data visibility and on where smart contracts are executed.
Use Case. The Italian Ministry of Economy and Finance (MEF) is currently facing the issue of
overcoming segregation of Public Bodies data among Clouds for calculating payslips of Police
Forces. Specifically, the Italian legal framework forces the Ministry of Interior (MIN) to be the
exclusive controller of Police Force sensitive data. However, MEF needs access to such data to
correctly compute payslips (for context, local taxes must be computed on actual residence,
which is however sealed for data classification purposes within the MIN). To overcome this issue,
MEF has put in place an intricate cooperation with MIN, which locally performs part of the
payroll tax computation that is then used by the MEF. However, this has led to uncontrolled
cooperations prone to mistakes and malicious subversions, e.g. to avoid tax payment or to grant
a huge pay rise all of a sudden. Such frauds are hard to discover and, most of all, MEF is liable
for them even though it has no control on the full payroll data. Therefore, MEF requires a different
deployment of this use case that introduces adequate computation guarantees both on the used
sensitive data and on the performed computations.
    In the following, we first outline the SUNFISH FaaS solution emphasising the role of
blockchain, then we comment on its exploitation for the presented use case.


2      The SUNFISH Cloud Federation Solution
Federation-as-a-Service (FaaS) is implemented via the SUNFISH software platform depicted in
Fig. 1(a). Crucially, the platform is conceived to be deployed in a distributed manner on top
of all federated Clouds, thus to avoid any centralised control and component.
    The software platform features state-of-the-art Cloud management technology and advanced
security and privacy-preserving functionality. Intuitively, we can logically identify components
related to Data Security, Federation Monitoring and Federation Management.
    The Data Security relies on a distributed attribute-based access control system acting as
a backbone of the overall infrastructure [5]. Privacy-preserving components secure storage,
sharing and computation of sensitive data; respectively, DM, ANM and SMC components.

[Figure 1: The SUNFISH FaaS Solution. Panel (a), Software Platform, with the components
Federated Administration and Monitoring (FAM), Identity Manager (IDM), Service Ledger
Interface (SLI), Federated Runtime Monitoring (FRM), Federated Security Audit (FSA),
Intelligent Workload Manager (IWM) and Data Security (DS), the latter containing
Anonymization (ANM), Dynamic Masking (DM) and Secure MpC (SMC), on top of a federated cloud
of private and public Clouds. Panel (b), Service Ledger, with Cloud 1, Cloud 2 and Cloud N of
a FaaS federation, each with a Service Ledger Interface (SLI) of the SUNFISH platform, around
the blockchain-empowered Service Ledger.]

[Figure 2: Cross-Cloud Payroll Calculation (where PAL stands for Local Public Administration).
Diagram labels: MEF SUNFISH tenant, MEF Payroll Application (core), Payments to PALs, Payslip
to employee, Employee’s annual salary, Employee’s deduction, MEF PAL Deduction SW (slave),
MIN Employees Database, MIN SUNFISH tenant.]

    The Federation Monitoring consists of both runtime monitoring and offline auditing, the
FRM and FSA components, respectively.
    The Federation Management supports the creation and management of cloud federations.
The IWM enforces optimised workload strategies, while the FAM provides an administration
console to manage, control and monitor the state of the federation. Notably, via the SLI, all
the governance data of a federation, e.g. SLA and access control policies, are stored on the
blockchain-empowered Service Ledger and made available to components accordingly.
Service Ledger Infrastructure. The cornerstone of FaaS is an innovative democratic governance
of Cloud federations [3]: none of the federated Clouds rules over the others, but each of
them shares the same authorities and duties. The governance is carried out and enforced in a
decentralised manner via smart contracts. Besides representing the governance rules negotiated
among the federation participants, smart contracts support democratic e-voting and strengthen
the security assurance of data security functionality and Cloud applications.
    The underlying blockchain infrastructure named Service Ledger (see Fig. 1(b)) offers resilient
data storage and a decentralised computation facility at hand [1, 2] that alleviates the need for a
trusted-third-party and reduces systemic risks of disputes and frauds in cross-Cloud interactions.
    To improve security assurance of privacy-preserving services, smart contracts are used to
shield key ingredients from tampering attacks, e.g. the key used in the masking process and
the anonymisation history record of released datasets. Most of all, smart contracts can be used
by cross-Cloud applications to enjoy decentralised computation and non-repudiable guarantees.
As a matter of fact, part of the logic of a cross-Cloud application can be moved into a smart
contract to benefit from its distinguishing properties.


3    Cross-Cloud Payslip Calculation
To address the use case previously introduced, MEF and MIN must balance two contrasting
needs: certifying to MEF the computation of sensitive data, and keeping sensitive data within the
perimeter of MIN. This potential conundrum can be overcome via FaaS and its
blockchain-empowered Service Ledger infrastructure.
    Intuitively, the use case can be seen as in Figure 2. The payroll application is split into
two parts, one logically placed on MEF to perform the bulk payroll computation and one
logically placed on MIN to process localised sensitive data. To realise such infrastructure the
following is needed: (i) MEF and MIN Clouds must be securely federated, hence there cannot
be unsecured interactions between them travelling via the Internet; (ii) MIN’s slave payroll
application must be tamperproof, thus offering to MEF the expected assurances on what is
actually computed on MIN side.

[Figure 3: Use Case Architecture (where MIN’s smart contract is the certified payroll tax
calculation logic provided by the MEF and running on the Service Ledger peer part of the MIN).
Diagram labels: FaaS Federation; MEF with payroll data and payroll app; MIN with sensitive data
and smart contract; a Service Ledger Interface (SLI) of the SUNFISH platform on each side;
blockchain-empowered Service Ledger.]

    From a practical point of view, this boils down to deploying part of the application logic
(viz. the MIN’s slave) on an infrastructure where there is no single point of control and there
are strong guarantees on logic execution, i.e. non-repudiation, accountability and immutability.
Such infrastructure is the SUNFISH Service Ledger.


3.1     The SUNFISH Solution
Since the Clouds of MEF and MIN are securely federated via FaaS, which enables controlled and
secured inter-Cloud communication, the SUNFISH Service Ledger can be used to implement the
proposed use case achieving all required guarantees on data and code execution. Specifically,
we use a smart contract to certify the code computing the local taxes on sensitive data. Such
execution will be carried out within the boundaries of the MIN, but it will ensure strong
accountability to the MEF.
    Practically, the use case is implemented by exploiting the SUNFISH platform as graphically
depicted in Figure 3. On the MEF side, the main payroll application is deployed and interacts
with the localised payroll datasources. The certified code to compute local taxes is provided by
the MEF in the form of a smart contract to be deployed on the Service Ledger. Such deployment
prescribes a localised installation (as per Hyperledger’s jargon) on one of the peers of the MIN.
This peer will then get access to the sensitive data to locally and correctly compute taxes via the
smart contract logic. The tax computation will result in an immutable transaction replicated
throughout the blockchain (hence also on the MEF side) and will allow MEF to have at its disposal
all the needed guarantees on computed taxes. Specifically, the generated transactions will store
in plain text the computed tax amounts (which are not sensitive, as they are needed for completing
MEF’s payroll computation) and in an encrypted format the sensitive inputs used by the smart
contract. The latter inputs are encrypted with MIN’s private key and they never leave the MIN
Cloud in plain text. Such inputs ensure that disputes between MEF and MIN on used data
cannot happen and, most of all, constrain liability on managing sensitive data just to the MIN.
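
The transaction layout described above, modelled in Go as an added example (not code from the paper or the SUNFISH project). The type and function names, the rate table, the record fields and the use of AES-GCM under a symmetric key held only by MIN are assumptions made for illustration; ledger replication and smart contract deployment are left to the blockchain platform.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Inputs is the sensitive data that stays inside MIN (hypothetical fields).
type Inputs struct{ Municipality string; TaxableCents int64 }
// Tx is the record replicated to every peer, MEF included (hypothetical layout).
type Tx struct {
	EmployeeID string
	TaxCents   int64    // plain text: MEF needs it to complete the payslip
	Nonce      [12]byte // standard AES-GCM nonce, fresh per transaction
	Sealed     []byte   // AES-GCM ciphertext of the JSON-encoded Inputs
}

// ratesBP is a constructed rate table (basis points) standing in for the certified logic.
var ratesBP = map[string]int64{"Roma": 90, "Milano": 80}
func LocalTax(in Inputs) int64 { return in.TaxableCents * ratesBP[in.Municipality] / 10000 }

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key must be 16, 24 or 32 bytes
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}

// Invoke runs on the MIN peer: compute the tax, seal the inputs, emit the transaction.
func Invoke(key []byte, id string, in Inputs) Tx {
	tx := Tx{EmployeeID: id, TaxCents: LocalTax(in)}
	if _, err := rand.Read(tx.Nonce[:]); err != nil {
		panic(err)
	}
	plain, _ := json.Marshal(in) // a struct of string and int64 always encodes
	tx.Sealed = aead(key).Seal(nil, tx.Nonce[:], plain, []byte(id))
	return tx
}

// Reverify settles a dispute: MIN opens the sealed inputs and the certified logic is re-run.
func Reverify(key []byte, tx Tx) bool {
	plain, err := aead(key).Open(nil, tx.Nonce[:], tx.Sealed, []byte(tx.EmployeeID))
	var in Inputs
	return err == nil && json.Unmarshal(plain, &in) == nil && LocalTax(in) == tx.TaxCents
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key
	fmt.Println(Reverify(key, Invoke(key, "emp-001", Inputs{"Roma", 3000000})))
}
```

Binding the employee identifier as associated data means a sealed input cannot be moved to another employee's record, and a changed tax amount no longer matches the re-run computation.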
    To sum up, this principled exploitation of smart contracts and blockchain has made possible
the realisation of a cross-Cloud application otherwise hardly possible. The added value of such
Service Ledger is to foster integration between companies (in this case two Public Body Clouds)
while keeping effective control on data, service and access to them. As a matter of fact, this
solution has been adopted as part of the CloudifyNoiPA project, an innovative Cloud-based
solution to re-engineer the whole Italian payroll system for the Public Administration.


4    Conclusion
This use case is a significant blockchain pilot, developed under the SUNFISH project, concerning
a cross-Cloud payroll calculation for the Italian Public Sector. Blockchain permits overcoming
the fragmentation of fiscal information of the Police personnel across the departments of MIN
and MEF, ensuring correctness of tax calculation and payroll accountability. The combined
use of encryption, certified smart contracts and decentralisation ensures that tax calculation
for payroll is correct, that no private data is leaked from MIN to MEF, and that there is no
trusted-third-party carrying out part of the computation.
    Broadly speaking, the Ministry of Economy and Finance, who coordinates the SUNFISH
project, has recognised in practice the great potential of blockchain and is currently leading a
national initiative to provide the Italian Public Sector with a blockchain-based infrastructure
to foster integration among Government departments and underpin national digital services.
Demonstrator. The use case will be firstly introduced by highlighting its real-world key drivers
and challenges to address. Then, the usage of the SUNFISH platform will be demonstrated,
both from logical and infrastructural points of view. The cross-Cloud application empowered
by the Service Ledger will be showcased pointing out the added value of relying on blockchain.


Acknowledgments
This work has been supported by the EU H2020 project SUNFISH, grant N.644666.


References
[1] Leonardo Aniello, Roberto Baldoni, Edoardo Gaetani, Federico Lombardi, Andrea Margheri, and
    Vladimiro Sassone. A prototype evaluation of a tamper-resistant high performance blockchain-based
    transaction log for a distributed database. In EDCC. IEEE, 2017.
[2] Edoardo Gaetani, Leonardo Aniello, Roberto Baldoni, Federico Lombardi, Andrea Margheri, and
    Vladimiro Sassone. Blockchain-based database to ensure data integrity in cloud computing
    environments. In ITA-SEC, volume 1816. CEUR-WS.org, 2017.
[3] Andrea Margheri, Md. Sadek Ferdous, Mu Yang, and Vladimiro Sassone. A distributed
    infrastructure for democratic cloud federations. In CLOUD, pages 688–691. IEEE, 2017.
[4] Francesco Paolo Schiavo, Vladimiro Sassone, Luca Nicoletti, and Andrea Margheri (Eds.). FaaS:
    Federation-as-a-service. CoRR, abs/1612.03937, 2016.
[5] Bojan Suzic, Bernd Prünster, Dominik Ziegler, Alexander Marsalek, and Andreas Reiter. Balancing
    Utility and Security: Securing Cloud Federations of Public Entities. In C&TC, volume 10033 of
    LNCS, pages 943–961. Springer, 2016.