Research projects

This page contains automatically translated content.

FACIS stands for Federation Architecture for Composed Infrastructure Services.

FACIS is at the forefront of shaping the future of digital ecosystems and overcoming critical challenges related to interoperability, governance and the increasing demand for flexible, decentralized infrastructures. By combining leading-edge technologies such as Federation Architecture Patterns (FAPs), machine-readable Service Level Agreements (SLAs) and low-code solutions with robust governance frameworks, FACIS promotes a seamless multi-provider cloud-edge continuum.

This approach ensures improved scalability, security and compliance while allowing organizations to maintain control over their data. FACIS also champions open source innovation, promoting transparency and inclusion in Europe's digital landscape. By enabling seamless collaboration between different providers and users, FACIS paves the way for scalable, innovative and sovereign cloud-edge solutions and their seamless integration into cloud-edge environments.

The department supports the FACIS project in the development of an SLA governance framework.


Completed research projects

The "AUDITOR" research project aims to design, implement by way of example and test a sustainably applicable EU-wide data protection certification of cloud services. Certification in accordance with the General Data Protection Regulation serves the interests of all stakeholders: cloud customers, who may only work with cloud providers that can provide sufficient guarantees of data protection compliance; cloud providers, who can provide such proof with certification; certifiers, for whose business area the General Data Protection Regulation provides mandatory rules; and end users potentially affected by the use of data, whose protection of personal data is the focus of the certification of cloud services. In order to design a sustainable data protection certification, a catalog of criteria for the certification of cloud services in accordance with the General Data Protection Regulation will first be developed and a corresponding standardization will be sought. In addition, suitable organizational structures and procedures for the implementation of a Europe-wide recognized data protection certification will be designed. This includes, in particular, the specification of modular certification and auditing processes. Furthermore, business models for a sustainably successful AUDITOR procedure will be examined to ensure the sustainable use and widespread dissemination of AUDITOR. Finally, the certification process and the criteria developed and prepared for standardization in the AUDITOR project will be tested and validated in practice during the course of the project. The AUDITOR project is funded by the Federal Ministry for Economic Affairs and Energy (BMWi) in order to further establish trustworthy cloud services for the economy, especially for SMEs, on the European internal market and to ensure the best possible compliance with data protection law by promoting certification.

As part of the GAIA-X project, the foundations are being laid for the development of a networked, open data infrastructure based on European values. The networking of decentralized infrastructure services is to result in a data infrastructure that will be merged into a homogeneous, user-friendly system in which data can be made available and shared securely and confidentially.

In order to further support the GAIA-X project, the Federal Ministry for Economic Affairs and Energy has awarded research funding under the project name "GAIA-X Federation Services", which is coordinated by eco e.V. as a first step.

The department is supporting the "Compliance" work package as part of a subcontract. In particular, the research group supports the following activities:

  • Design of a process for onboarding services, providers and data assets into the GAIA-X ecosystem based on the existing GAIA-X certification concept. The department provides support in identifying and describing key process steps and their interdependencies.
  • Description of governance and policy rules. In particular, the department draws on the findings of its AUDITOR project and examines the extent to which data protection requirements from AUDITOR are also relevant for GAIA-X.
  • Creation of a basic framework for the implementation of continuous monitoring. The research group supports the creation of a socio-technical monitoring concept for three selected controls (e.g. geo-location, availability and encryption). In particular, the findings from the preliminary work from the NGCert project are incorporated here. The research group provides support in the conception and design of monitoring-based test procedures in order to be able to check the selected controls on an ongoing basis. Implementation work is not carried out.

The digitalization of production is an industry-wide strategic goal and the most important driver of innovation. However, there is still a large gap between ideas, concepts and visions on the one hand and industrial reality on the other. This is particularly the case with purely data-based methods and solutions that are based on highly scalable platforms. In addition, the digitalization of production often ends at the plant level, and there are hardly any cross-company approaches. In the IT environment, these hurdles have been overcome by approaches such as edge and cloud computing as well as uniform standards and data models, but these are difficult to transfer to production technology. The compatibility of architectures and methods is limited, connectivity is complex, there is a lack of uniform data models and there are far-reaching questions regarding the control of systems and the security of data. The European GAIA-X project aims to create a data infrastructure that remedies these deficits. The initiative, which is jointly supported by industry and research, is based on open standard IT solutions, extends these and uses both centralized cloud and distributed edge approaches. Although great progress has already been made within GAIA-X, a basic architecture is in place and initial services have been created, neither science nor industry has benefited from this to date. The research and further development of the architecture and components developed to date is also critical, as there is a lack of concrete implementations and experience and the barriers to entry into the topic are very high. The potential and the current status of the project therefore diverge considerably.

The planned work is divided into three sub-projects, which are oriented towards the basic infrastructure, GAIA-X ecosystem and application levels.

1) To create the basic infrastructure, both the hardware resources and the necessary software solutions are to be instantiated. A convergent communication technology, which plays a decisive role in the connectivity of GAIA-X through to production systems, is also an integral component.

2) The GAIA-X ecosystem is built on the infrastructure and distributed via the cloud and edge nodes. In addition to basic services and data spaces, the focus here is on suitable processes that should enable, among other things, the secure and systematic onboarding of new services and participants. The investigation of suitable integration options for typical applications from the production environment concludes this sub-project.

3) Building on this, various applications will be implemented at the application level that combine innovative digital approaches with real production scenarios. The implementation takes place at several locations and includes both the integration of the infrastructure in data centers and the coupling with real production systems in research factories.

For cloud providers, an increasing number of relevant, cross-industry and cross-national certifications pose a variety of challenges, ranging from the initial implementation of certification measures to regular auditing. Against this backdrop, Prof. Lins is working on new ways of automating compliance and certification processes as part of the "Security & Compliance Automation" project, which is being carried out in cooperation with SAP SE and is intended to help reduce the effort required to fulfill various certifications in the future. As a continuation of the Next Generation Certification (NGCert) project, the aim is to put the knowledge and experience gained into practice. As part of the project, the approach for managing compliance data will be analyzed and validated and requirements for a self-auditing compliance system will be defined. The aim is also to define automatic test procedures and audit rules and to accompany a proof-of-concept for compliance automation.

With the advancement of distributed ledger technology (DLT) over the last decade, smart contracts have become interesting for various applications that require reliable and automated enforcement of digital agreements. Above all, smart contracts offer great opportunities for the automation of business processes through the formal representation of the respective business process in program code, which can accelerate the process flow and reduce costs at the same time. Although Bitcoin already provided a simple OP_CODE, Ethereum was the first DLT design to provide an environment that supports the execution of Turing-complete program code with the Ethereum Virtual Machine (EVM). The ability to develop Turing-complete code that runs reliably on a distributed ledger has greatly expanded the range of applications for DLT. As a result, DLT is now being tested in industrial use cases. The use of tokens is no longer limited to cryptocurrencies. However, the increasing support of ever more powerful programming languages for smart contract development also poses new problems for the security and performance of distributed ledgers. For example, when developing applications on DLT, it is important to keep in mind that smart contracts are strongly inspired by finite state machines.

The development of complex smart contracts and applications on DLT requires a sound understanding of the execution of smart contract code in a distributed ledger in order to understand the current challenges in smart contract development and to generate recommendations to support better smart contract development. Therefore, we aim to clarify when and how smart contracts can be usefully deployed. In addition, we are conducting an in-depth analysis of how data feeds can be integrated into smart contracts (on-chain or off-chain). To support practitioners and researchers, our goal is to develop software design patterns for the development of smart contracts.

Electronic markets have become a central part of everyday life in the 21st century due to their ease of use and ubiquity. Compared to traditional markets in the offline world, there are many new uncertainties (e.g. regarding the IT security of online platforms or the malicious behavior of a platform provider) and an increased susceptibility to misuse (e.g. sale of personal (payment) data). As a result, many buyers are reluctant to do business online or have doubts about the provider of an online platform. In order to reduce uncertainty and support the development of stable electronic markets, IT certificates are used in research and practice as a proven means, for example by signaling transparency with regard to the ordering processes.

Three central research gaps in the field of IT certificates for online platforms were addressed as part of the project: (1) Explicit consideration of structural differences between IT certificates as an influencing factor on their effectiveness (opening the "black box"), (2) linking the perspectives of customers and platform providers and (3) optimal presentation/design of IT certificates.

Based on the results, however, there is a lack of validated findings and explanatory models on the influence of other variables in the certification ecosystem on the perception of IT certificates. In the context of IT certificates for online platforms, two key influencing variables of the certification ecosystem are particularly relevant: the certification body as an independent third party and complementary or competing information signals on an online platform. Furthermore, it remains unclear in previous research how IT certificates affect customers in the long term. Against this background, the project aims to achieve the following additional objectives: (1) to explore the influence of a certification authority as an independent third party in the perception of IT certificates, (2) to explore the effect of signal configurations on the perception of IT certificates, and (3) to explore the long-term effect of IT certificates when customers interact with a certified online platform multiple times.

The use of cloud services enables companies to realize a variety of financial and technical benefits. On the other hand, cloud service providers also face many concerns from potential users regarding trust in the services offered and their security. It is clear that certifications can help to address this problem by creating trust, increasing transparency in the cloud service market and enabling providers to improve the systems and processes they use. A large number of cloud service certifications, such as the "EuroCloud Star Audit" from EuroCloud, have been developed in recent years. These certificates suggest a high level of security, availability and compliance, with a validity of one to three years. However, due to the inherent dynamics and constant (technical) development of cloud services, high demands are placed on certifications. Long-term validity in the cloud computing environment must therefore be viewed critically. Compliance with certain requirements and criteria can be jeopardized over this period, e.g. due to the occurrence of serious security incidents or changes to the configuration of the cloud service.

In order to increase the credibility of issued certificates and to continuously ensure that cloud services are offered securely and reliably, the Federal Ministry of Education and Research has funded and initiated five projects in the "Secure Cloud Computing" research area as part of the German government's high-tech strategy. The "Next Generation Certification" (NGCert) project is concerned with the research and development of dynamic certifications for cloud services that enable the continuous and (partially) automated verification of critical requirements for cloud services. As part of the NGCert project, Prof. Lins developed metrics, measurement methods and design guidelines for the continuous and (partially) automated certification of cloud services. In addition to KIT, the Fraunhofer Institute for Applied and Integrated Security (AISEC), the Technical University of Munich, the University of Kassel, EuroCloud Germany, Fujitsu and the AKDB, as well as other field and transfer partners, are involved in the project.