As cyber-physical systems grow more interconnected and complex, safeguarding sensitive data and infrastructure demands dynamic, context-aware, and scalable security solutions. Within the MEDIATE project, CNR (Consiglio Nazionale delle Ricerche) and SSSUP (Scuola Superiore Sant’Anna) are contributing to the development of cloud-based security orchestration and dynamic access control, supporting the broader goal of building more resilient and trustworthy systems.
CNR – Building Secure and Scalable Sentinel Tools in the Cloud
CNR leads the development of software-layer Sentinel tools and services under Task T4.4. These Sentinels are core components in the detection of attacks, threats, and vulnerabilities across distributed assets. For example, in one of the use cases supported by a pilot partner within the MEDIATE consortium, a Sentinel is tasked with analyzing GPS signals to detect anomalies. When suspicious patterns are identified, the Sentinel reports them to the DSS – a dedicated decision-support component within the MEDIATE framework – for further assessment. This highlights the Sentinel’s role as the system’s first line of defense, continuously monitoring operational data and escalating alerts to trigger appropriate mitigation actions.
Beyond detection, the Sentinels also support policy enforcement. Acting as Policy Enforcement Points (PEPs), they interact with the Security & Privacy Policy Manager – a separate component developed by SSSUP – to determine whether specific actions should be permitted based on the current user, resource, and environmental context. This coordination enables fine-grained access control and ensures that policy decisions are consistently enforced across the system.
The Sentinel system uses a per-asset virtualization model, deploying a separate virtual machine for each asset in the cloud. A secure orchestrator under development manages the lifecycle of these VMs, their associated tools, and security contexts. This architecture enables isolated, scalable security monitoring, suitable for a range of real-world applications.
SSSUP – Enabling Privacy-Preserving Access Control
SSSUP leads Task T5.5, which delivers a comprehensive engine for security and privacy policy management. This component is responsible for evaluating access requests using the Usage Control (UCON) model, enabling decisions that are not only based on static policies but also on dynamic contextual data. These policies dictate what resources an asset (or a subject in general) may access, under what conditions, and how long the access is valid. This allows enforcement to adapt as conditions evolve.
Like CNR’s Sentinel tools, SSSUP’s decision engine plays a central role in Use Cases 1, 2, and 3.
Aligning with Project Objectives
Together, CNR and SSSUP are critical contributors to Objective O5 (Dynamic Security and Privacy Management) and Objective O6 (Trusted and Isolated Execution) of the MEDIATE framework. Their combined efforts deliver real-time detection and policy-based enforcement, scalable and isolated multi-asset analysis, and privacy-preserving, context-aware decision-making.
Conclusion
The integration of CNR’s Sentinel Services and SSSUP’s Policy Management Engine provides MEDIATE with a robust, adaptive security backbone. By combining cloud-native architecture with fine-grained access control and anonymization, these contributions not only mitigate threats effectively but also establish trust in highly dynamic environments.
Stay tuned as these components move from development to integration and begin securing real-world deployments across the MEDIATE use cases.