Custos A Flexibly Secure Key-Value Storage Platform Andy Sayler - PowerPoint PPT Presentation

Custos A Flexibly Secure Key-Value Storage Platform Andy Sayler www.andysayler.com University of Colorado, Boulder Masters of Science Computer Science

Trust

Who do we trust with our data?

Today...

Feature Provider Features

Feature Provider Features Trust

Feature Provider User Data Features Trust

Feature Provider User Data Unrestricted Access Features Trust

Conflicts of Interest Lack of Control Absence of Oversight

So you don’t use cloud services...

How can we control and protect our data?

Encryption

Encrypt “My Secret” TXkgU2VjcmV0 Decrypt

How does it help us?

X

But what about the keys?

? X

X

Key Management Challenges

Multi-Device Sync

X

Out-of-Band Sharing

X

Autonomous Access

X X

The Cloud

Feature Provider User Data Unrestricted Access Features Trust

Feature Provider Encrypted User Data Features

Feature Provider Encrypted User Data X No Access Features

Feature Provider Encrypted User Data X No Access

Encryption is broken

Lack of key access

X

X

Feature Provider Encrypted User Data X No Access Features

Lack of flexibility

X X

Security Accessibility

Security Accessibility Fixed Point Traditional Encryption Systems

Ill-suited for Modern Application Difficult to Use Doesn’t Solve the Real Problem

Encryption is broken

Encryption is fine

Encryption is fine Key storage is broken

To fix key storage...

Flexibility Centralization

Flexibility

Security Accessibility Flexible Points Flexible Encryption Systems

X X

Centralization

Feature Provider User Data Unrestricted Access Features Trust

Feature Provider User Data Features Trust

Feature Provider User Data Trust Provider Features Trust

Feature Provider Encrypted User Data Trust Provider Encryption Keys Features Trust

Feature Provider Encrypted User Data Trust Provider Encryption Keys Controlled Access Features Trust

Feature Provider Encrypted User Data Trust Provider Controlled Access Encryption By Proxy Keys Controlled Access Features Trust

Data Host Encrypted User Data Trust Provider Controlled Feature Provider Encryption Access Keys Features Trust

Custos

“Secret Storage as a Service”

“Key Storage as a Service”

Central Key:Value Storage Flexible Access Control Access Auditing

Custos Server

Custos Server Key:Value Store

Custos Server Key:Value Store Management Auditing Data Subsystem Subsystem Subsystem

Custos Server Key:Value Store Authentication Management Auditing Data Subsystem Subsystem Subsystem Subsystem

Custos Server Key:Value Store Authentication Management Auditing Data Subsystem Subsystem Subsystem Subsystem Auth Plugins

Custos Server Key:Value Store Authentication Management Auditing Data Subsystem Subsystem Subsystem Subsystem Access Control Subsystem Auth Plugins

Custos Server Key:Value Store Authentication Management Auditing Data Subsystem Subsystem Subsystem Subsystem Access Control Subsystem API Auth Plugins

Custos Server Key:Value Store Authentication Management Auditing Data Subsystem Subsystem Subsystem Subsystem Access Control Subsystem API Auth Plugins SSL Custos API Custos API Custos API Application Application Application System A System B System C

Application Domains

File Systems

Mail Trusted Alice Bob Daemon Collaborators X Password Auth Password Password Auth Auth X X Msg A Doc B Msg A Doc B Encrypted Encrypted Local Local File System File System Key Key Store Store Networked or Cloud File System System A System B

Mail Trusted Alice Bob Daemon Collaborators Password P a s s w o r d Auth A u t h Contextual Auth Msg A Doc B Msg A Doc B Custos Encrypted Encrypted Key Store File System File System Networked or Cloud File System Trust Provider System A System B

Data Centers

User Server SSH Verification Login Server Users SSH VM Instance A

User Server SSH Verification Login Server Users Server Users Destroy SSH SSH VM Instance A VM Instance A