A Farewell to Trust: An Approach to Confidentiality Control in the Cloud

Åsmund Ahlmann Nyre*, Martin Gilje Jaatun*, Stian Alapnes† and Gansen Zhao‡
* SINTEF ICT, Norway. Email: {martin.g.jaatun,aasmund.a.nyre}@sintef.no
† Telenor Corporate Development, Norway. Email: stian.alapnes@telenor.com
‡ South China Normal University, China. Email: gzhao@scnu.edu.cn

Abstract — This paper applies a divide-and-conquer approach to achieve confidentiality control in Cloud Computing. We sketch how a Redundant Array of Independent Net-storages (RAIN) for Cloud Computing can be designed using techniques originally intended for other purposes. The RAIN approach splits data into segments and distributes the segments onto multiple providers. By keeping the relationships between the distributed segments private, the original data cannot be re-assembled. Further, with each segment small enough, no segment discloses meaningful information to others. Hence RAIN is able to ensure the confidentiality of data stored on clouds.

I. INTRODUCTION

Wireless technologies have enabled truly mobile computing, and a large part of the pending increase in mobile data can be attributed to cloud computing [1], since complex operations can be performed in the cloud while the results are accessed via simple wireless devices. Security concerns are frequently cited [2] as one of the major obstacles to cloud computing adoption. In a traditional outsourcing scenario, technical and organizational security mechanisms contribute to protecting a customer's data, but the most important factor is that the customer establishes a trust relationship with the provider (see Fig. 1). This implies that the customer acknowledges that if the provider is evil, the customer's data may be used improperly [3].

Fig. 1: Outsourcing and trust

One aspect of Cloud Computing can be described as "outsourcing on steroids", where both storage and processing are handled by one or several external providers, and where the provider(s) may be in a different jurisdiction than the customer. Not knowing where your data is physically located may be uncomfortable to the customer, and personal data may even be illegal to export from some jurisdictions [4]. Just like with traditional offshoring, settling disputes is more challenging when the provider may be on a different continent, which is all the more reason to limit the degree to which the customer has to trust the provider. This is the "need to know" principle in a nutshell: if the provider does not need to read the information, why should it be allowed to?

In this paper, we will describe a path toward a Cloud Computing scenario where the dependency on trust will be reduced through a divide-and-conquer approach, where each actor gets access to sufficiently small units of data so as to minimize confidentiality concerns¹. In a way, our approach is the opposite of the aggregation problem in database security – we de-aggregate the sensitive data.

The remainder of the paper is structured as follows: In Section II we identify problem statements, and in Section III we outline the background for our contribution. In Section IV we sketch our solution, and discuss our contribution in Section V. We outline further work in Section VI, and offer our conclusions in Section VII.

¹ Note that this approach to confidentiality may not be acceptable in certain high-security environments, such as classified military installations – but then again, it is unlikely that these environments will be employing public cloud computing approaches in the foreseeable future anyway.

II. PROBLEM STATEMENTS

Cloud computing provides on-demand services to clients, relieving the clients of the burden of deployment and management of their own IT infrastructures and applications. The clients need only to choose the right providers for the needed infrastructures and applications. The services are provided in an off-premises manner and delivered via the Internet. This pattern for IT capacity provisioning is appealing in most cases due to its characteristics such as convenience, rapid deployment, cost-efficiency, and so on. However, when relying on off-premise services for data storage, clients have the following common security concerns:

• Data Availability. With cloud computing, data are kept and managed by cloud storage providers at remote sites. When keeping data at remote systems owned by others, data owners may suffer from system failures of the service provider, as system failures will mean that data becomes unavailable if the data depends on a single service provider. As no cloud service provider can guarantee 100% availability of services, the data kept and managed on a cloud will suffer data unavailability when the provider is out of operation. Unavailability of data could be a disaster to some businesses, especially to those who rely heavily on the data for business transaction processing.

• Data Confidentiality. As data are kept and managed by cloud storage providers, there is no way for data owners to prevent the providers from allowing others to access the data. It is obvious that data owners will not tolerate their data being accessed without their authorization. Cloud storage providers could enforce access control on the modification of data. But the access control infrastructure is still potentially under the complete control of the providers, so the providers can still override the access policies imposed by the data owners.

• Data Integrity. Similar to the issue of data confidentiality, data owners have no way to prevent their data from being tampered with, due to the complete control held by the cloud storage providers.

III. BACKGROUND

In previous work [2], we identified five deployment models of cloud services designed to ease users' security concerns:

• The Separation Model separates storage of data from processing of data, at different providers.

• The Availability Model ensures that there are at least two providers for each of the data storage and processing tasks, and defines a replication service to ensure that the data stored at the various storage providers remains consistent at all times.

• The Migration Model defines a cloud data migration service to migrate data from one storage provider to another.

• The Tunnel Model defines a data tunneling service between a data processing service and a data storage service, introducing a layer of separation where a data processing service is oblivious of the location (or even identity) of a data storage service.

• The Cryptography Model extends the tunnel model by encrypting the content to be sent to the storage provider, thus ensuring that the stored data is not intelligible to the storage provider.

By use of these deployment models, we have shown that through duplication and separation of duty, we can alleviate availability and integrity concerns, and to some extent also confidentiality, by implementing encrypted storage. However, even with encrypted storage, we still have to trust the encryption provider with all our data.

The main motivation for confidentiality control in the cloud is currently various privacy-related legislation forbidding the export of sensitive data out of a given jurisdiction, e.g. the privacy legislation in the EU [4]. The current solution to this problem has been to sidestep it, by offering geolocalized cloud services, where a customer may request the cloud provider to ensure that the sensitive data is only stored and processed on systems that are physically located in a geographically defined area, e.g., within the borders of the European Union. However, this is rapidly becoming a moot point, since cloud service providers typically run global operations, and although data might physically reside in one jurisdiction, it will in principle be accessible from anywhere in the world.

Although misappropriation of data by cloud providers has not been documented, Jensen et al. [5] show that current cloud implementations may be vulnerable to attack. Ristenpart et al. [6] demonstrate that even supposedly secret information, such as where a given virtual machine is running, may be inferred by an attacker, highlighting another attack path.

Krautheim [7] proposes to achieve cloud security through the introduction of Trusted Platform Modules (TPM) in all datacenter equipment. It is not clear, however, how the user could verify that a TPM is indeed present in any given cloud infrastructure. You might argue that the cloud provider could assert, and have an auditor confirm, that they are using a TPM,
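To make the RAIN idea from the abstract concrete, the following is an added illustration (not the paper's design or code): data is cut into small fragments, scattered round-robin over several simulated providers under opaque keys, and the only record of which fragment lives where, and in what order, stays with the client. Provider dicts, the 8-byte fragment size and the sample record are constructed assumptions for the demo.

```python
import secrets

SEGMENT_SIZE = 8  # bytes per fragment; kept small so a fragment alone says little


def rain_store(data: bytes, providers: list, seg_size: int = SEGMENT_SIZE) -> list:
    """Scatter data over providers; return the private reassembly map.

    The map (held by the client only) lists (provider_index, opaque_key) in
    original order. Consecutive fragments go to different providers, and the
    upload order is shuffled so a provider cannot infer position from arrival.
    """
    if len(providers) < 2:
        raise ValueError("need at least two independent providers")
    segments = [data[i:i + seg_size] for i in range(0, len(data), seg_size)]
    start = secrets.randbelow(len(providers))
    private_map = [(None, None)] * len(segments)
    upload_order = list(range(len(segments)))
    secrets.SystemRandom().shuffle(upload_order)
    for n in upload_order:
        p = (start + n) % len(providers)   # round-robin from a random offset
        key = secrets.token_hex(8)         # opaque key: no position, no relationship
        providers[p][key] = segments[n]
        private_map[n] = (p, key)
    return private_map


def rain_fetch(private_map: list, providers: list) -> bytes:
    """Reassemble the original data using the client-held map."""
    return b"".join(providers[p][key] for p, key in private_map)


def provider_view(provider: dict) -> bytes:
    """Everything one provider holds, in the only order it knows (arrival)."""
    return b"".join(provider.values())


def max_adjacent_fragments(private_map: list) -> int:
    """Longest run of consecutive original fragments held by one provider."""
    longest = run = 1
    for (prev, _), (cur, _) in zip(private_map, private_map[1:]):
        run = run + 1 if cur == prev else 1
        longest = max(longest, run)
    return longest


if __name__ == "__main__":
    clouds = [{}, {}, {}]  # three simulated, mutually independent providers
    record = b"Patient: Jane Doe, DOB 1970-01-01, Dx: diabetes"  # constructed sample
    m = rain_store(record, clouds)
    assert rain_fetch(m, clouds) == record
    for i, c in enumerate(clouds):
        print(f"provider {i} holds {len(c)} fragments: {provider_view(c)!r}")
```

The demo shows the de-aggregation property only; it does not address availability (a lost provider loses its fragments) or the trust the client must still place in whatever system holds the private map.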