
Information Security Research Center, National Sun Yat-sen University

Director/University/Institute

Information Security Research Center, National Sun Yat-sen University

Research Project

Cloud-Agnostic Security Native Cyber-Physical Context Awareness-Based Zero Trust

Abstract

This project aims to design a cloud-agnostic, security-native, cyber-physical context awareness-based zero-trust architecture (CASN-ZTA). Cloud-agnostic applications are not tied to a single cloud service provider (CSP): storage, computation, and analysis can be spread across multiple CSPs to combine the most suitable services of each. However, cloud-agnostic services face threats arising from the differences in security policies among CSPs, which restrict access to, transmission of, and computation on cloud-agnostic resources and create risks of information leakage. Moreover, conventional CSPs deploy mechanisms against external attacks but fail to prevent threats from internal attackers effectively. Therefore, a zero-trust architecture, which trusts nothing by default, continuously authenticates and authorizes every access, and enforces least-privilege access control, is regarded as essential for cloud-agnostic service technologies. This project proposes a strategy based on cyber-physical context awareness to define the conditions under which protected resources may be accessed. The context of the accessing subject, namely who is accessing, what is accessed, when, where, and how, is verified. An identity authentication mechanism is designed by combining multi-factor authentication with physically unclonable functions based on environmental variation awareness, in order to verify information such as the identity of the accessing subject (either human or machine), the access time, the access location, and the access purpose. Threats to cloud-agnostic security are evaluated, and the subject's security context is continuously monitored. The authorization status of the subject is determined by sensing the security contexts of the entity, system, and networking environment to which the subject belongs.
Finally, cloud-agnostic resource access control and secure computing are realized through multi-authority attribute-based encryption and multi-key homomorphic encryption. This project will also design a mechanism for poisoning-attack detection and mitigation by embedding CASN-ZTA in a federated learning architecture, to achieve trustworthy privacy-preserving federated learning. In addition, this project will develop a zero-trust architecture with cloud-agnostic versatility for resource access control, in which resources, users, equipment, transmission, computation, and applications are handled according to the sensed cyber-physical context of the accessing subject. This architecture will make dynamic access decisions so that the required trust threshold is still met while resource access is granted.
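The abstract describes a policy decision that verifies the who, what, when, where, and how of an access attempt, combines those signals into a trust value compared against a threshold, and keeps re-evaluating the subject's context after access has been granted. The following Python sketch is an added example written for this page, not code from the CASN-ZTA project; the resource names, policy conditions, signal weights, thresholds, and the `mfa_verified` / `device_attested` / `network_risk` inputs are all assumed stand-ins for whatever the real authentication, PUF, and monitoring components would supply.

```python
from dataclasses import dataclass, replace
from datetime import datetime, time

# Added illustration of a context-aware zero-trust policy decision point.
# Every name, weight, threshold and sample value below is an assumption made
# for this example; none of it is taken from the CASN-ZTA project.


@dataclass(frozen=True)
class Context:
    """The who / what / when / where / how of one access attempt."""
    subject: str            # who: a human or machine identity
    resource: str           # what is being accessed
    when: datetime          # when the request is made
    location: str           # where: site or network zone the subject is in
    purpose: str            # how / why the resource is needed
    mfa_verified: bool      # identity factors checked (assumed upstream signal)
    device_attested: bool   # device-bound factor checked (assumed upstream signal)
    network_risk: int       # 0 (clean) .. 100 (hostile), from environment monitoring


@dataclass(frozen=True)
class Policy:
    """Conditions a protected resource demands, plus its trust threshold."""
    allowed_locations: frozenset
    allowed_purposes: frozenset
    hours: tuple            # (start, end) as datetime.time, inclusive
    min_trust: int          # decision threshold on the 0..100 trust score


# Constructed policy table for two hypothetical resources.
POLICIES = {
    "patient-db": Policy(frozenset({"campus", "hospital"}),
                         frozenset({"treatment", "audit"}),
                         (time(7, 0), time(20, 0)), min_trust=80),
    "public-docs": Policy(frozenset({"campus", "hospital", "remote"}),
                          frozenset({"read"}),
                          (time(0, 0), time(23, 59)), min_trust=30),
}

# Assumed weight (in points) each context signal contributes to the trust score.
WEIGHTS = {"mfa": 35, "device": 30, "location": 15, "purpose": 10, "time": 10}


def evaluate(ctx: Context, policy: Policy) -> dict:
    """Check each context dimension against the resource's policy."""
    return {
        "mfa": ctx.mfa_verified,
        "device": ctx.device_attested,
        "location": ctx.location in policy.allowed_locations,
        "purpose": ctx.purpose in policy.allowed_purposes,
        "time": policy.hours[0] <= ctx.when.time() <= policy.hours[1],
    }


def trust_score(checks: dict, network_risk: int) -> int:
    """Sum the weights of satisfied checks, then discount by environment risk."""
    raw = sum(WEIGHTS[name] for name, ok in checks.items() if ok)
    return raw * (100 - network_risk) // 100


def decide(ctx: Context) -> tuple:
    """Return (allowed, score, reasons); resources without a policy are denied."""
    policy = POLICIES.get(ctx.resource)
    if policy is None:
        return False, 0, ["no policy registered for resource"]
    checks = evaluate(ctx, policy)
    score = trust_score(checks, ctx.network_risk)
    reasons = [f"{name} check failed" for name, ok in checks.items() if not ok]
    if ctx.network_risk:
        reasons.append(f"network risk {ctx.network_risk}%")
    # Verified identity is a hard requirement; the weighted score decides the rest.
    allowed = checks["mfa"] and score >= policy.min_trust
    return allowed, score, reasons


class Session:
    """A granted session is re-decided on every context change, not just at login."""

    def __init__(self, ctx: Context):
        self.ctx = ctx
        self.allowed, self.score, self.reasons = decide(ctx)

    def reevaluate(self, **changes) -> bool:
        self.ctx = replace(self.ctx, **changes)
        self.allowed, self.score, self.reasons = decide(self.ctx)
        return self.allowed


def sample_request(**overrides) -> Context:
    """Constructed baseline: a clinician on campus during working hours."""
    base = Context("alice", "patient-db", datetime(2024, 5, 10, 9, 30),
                   "campus", "treatment", True, True, 0)
    return replace(base, **overrides)


def demo() -> list:
    """Walk one session through a risk spike and an after-hours continuation."""
    session = Session(sample_request())
    trace = [(session.allowed, session.score)]
    session.reevaluate(network_risk=50)  # monitoring flags the subject's network
    trace.append((session.allowed, session.score))
    session.reevaluate(network_risk=0, when=datetime(2024, 5, 10, 22, 0))
    trace.append((session.allowed, session.score))
    return trace


if __name__ == "__main__":
    for allowed, score in demo():
        print("ALLOW" if allowed else "DENY", score)
```

Two design points are worth noting. A verified identity is treated as a hard requirement rather than just another weighted signal, so no combination of favourable location or time can substitute for authentication; everything else contributes to a score that is discounted by the risk observed in the subject's environment, which is what lets the `Session` revoke access mid-session when monitoring reports a hostile network. Unknown resources fall through to deny, matching the default-deny stance of zero trust.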

Key Research Topic

AI
Zero Trust Architecture

Team Member

Distinguished Prof. Chun-I Fan
Associate Prof. Tong-Yu Hsieh
Assistant Professor Arijit Karati
Prof. Chih-Hung Wang
Assistant Prof. Ruei-Hau Hsu
Prof. Chia-Mei Chen
Assistant Prof. Chun-Wei Tsai

Contact

Distinguished Prof. Chun-I Fan
Tel: +886-7-5254346
Email: [email protected]
Address: EC3007, Department of Computer Science and Engineering, National Sun Yat-sen University, 70 Lienhai Road, Kaohsiung 80424, Taiwan

Information Security Research Center, National Sun Yat-sen University
Tel: +886-7-5254346
Email: [email protected]
Address: EC2017, Department of Computer Science and Engineering, National Sun Yat-sen University, 70 Lienhai Road, Kaohsiung 80424, Taiwan