Advanced Cyber Security for EU Data Spaces
Cyber Security
Semester programme: Cyber Security Professional
Research group: Cyber Security
Project group members: Dimitar Petkov
Viktoria Valkova
Lukáš Harťanský
Daria Jasmine Iosif
Isabelle Gruijs
Project description
This project analyzes and validates a secure Data Space environment designed to enable trusted collaboration and decentralized data sharing. The study involves a comprehensive security audit of an automated FIWARE Data Space Connector deployment running on a Kubernetes cluster. The research evaluates the implementation of decentralized identity management (Verifiable Credentials and DIDs), usage and access control policies (ODRL and XACML), and advanced cryptographic privacy mechanisms (Zero-Knowledge Proofs). Through threat modeling and practical penetration testing, the project identifies architectural weaknesses and provides a strategic remediation roadmap to transform a research prototype into a hardened, production-ready environment.
Context
European Data Spaces are designed to facilitate secure data exchange between organizations while ensuring that the original parties retain data sovereignty and ownership without relying on a centralized platform. This research is contextualized around a real-world smart city initiative where a municipality utilizes street-level sensors to continuously measure traffic, noise, and air quality. To share this valuable data with external research institutions and public bodies across Europe securely, the data must be routed through a compliant data space connector. The core challenge addressed by this project is balancing open data interoperability with strict technical policy enforcement and privacy preservation—moving beyond theoretical frameworks to validate security in a live implementation.
Results
The security evaluation and penetration testing phase uncovered several critical infrastructure vulnerabilities within the initial deployment. Key findings included world-readable administrative configuration files (kubeconfig), exposed API servers, hardcoded plaintext secrets in the deployment scripts, and a complete lack of internal network namespace isolation. Conversely, dynamic testing proved that the core data plane gateway is resilient against several application-layer attacks, successfully defending against token replay, role/header spoofing, and SQL injection queries. The project delivered a comprehensive remediation strategy recommending restricted API bindings, secret management via production-grade vaults, "Default Deny" network policies, public TLS integration, and the adoption of Zero-Knowledge Proofs (BBS+) to enforce strict data minimization.
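Two of the findings above, world-readable kubeconfig files and plaintext secrets in deployment scripts, can be checked for automatically before a deployment is accepted. The following is an added example, not the project's own tooling: the function names, the detection heuristics, and the sample files (including the `$VAULT_TOKEN` variable) are all constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Assumed heuristics (not from the project's report): a kubeconfig contains "kind: Config"
# and "clusters:"; a hardcoded secret is a literal assigned to a secret-like name.
SECRET_RE = re.compile(
    r"""(?i)\b[\w.-]*(password|passwd|secret|token|api[_-]?key)[\w.-]*\s*[:=]\s*["']?[^\s"'$][^\s"']{3,}"""
)

def audit_deployment(root):
    """Return sorted (finding, relative_path, detail) tuples for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if "kind: Config" in text and "clusters:" in text:
                # Any group/other permission bit exposes the cluster credentials.
                if mode & (stat.S_IRWXG | stat.S_IRWXO):
                    findings.append(("kubeconfig-permissions", rel, oct(mode)))
                continue
            for lineno, line in enumerate(text.splitlines(), 1):
                # Skip comments; report the location only, never the secret value.
                if not line.lstrip().startswith("#") and SECRET_RE.search(line):
                    findings.append(("hardcoded-secret", rel, f"line {lineno}"))
    return sorted(findings)

def build_sample_tree(root):
    """Write a constructed deployment directory containing both weaknesses."""
    kubeconfig = "apiVersion: v1\nkind: Config\nclusters: []\n"
    script = '#!/bin/sh\nDB_PASSWORD="example-not-real"\nAPI_TOKEN="$VAULT_TOKEN"\n'
    samples = {"admin.kubeconfig": (0o644, kubeconfig),
               "user.kubeconfig": (0o600, kubeconfig),
               "deploy.sh": (0o755, script)}
    for name, (mode, body) in samples.items():
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in audit_deployment(tmp):
            print(*finding)
```

The kubeconfig restricted to mode 0600 and the script line that reads its token from an environment variable are deliberately not reported, which is the state the remediation strategy aims for.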