CloudSafetyNet: End-to-End Application Security in the Cloud
Lead Research Organisation:
Imperial College London
Department Name: Computing
Abstract
Cloud computing promises to revolutionise how companies, research institutions and government organisations, including the National Health Service (NHS), offer applications and services to users in the digital economy. By consolidating many services as part of a shared ICT infrastructure operated by cloud providers, cloud computing can reduce management costs, shorten the deployment cycle of new services and improve energy efficiency. For example, the UK government's G-Cloud initiative aims to create a cloud ecosystem that will enable government organisations to deploy new applications rapidly, and to share and reuse existing services. Citizens will benefit from increased access to services, while public-sector ICT costs will be reduced.
Security considerations, however, are a major issue holding back the widespread adoption of cloud computing: many organisations are concerned about the confidentiality and integrity of their users' data when hosted in third-party public clouds. Today's cloud providers struggle to give strong security guarantees that user data belonging to cloud tenants will be protected "end-to-end", i.e. across the entire workflow of a complex cloud-hosted distributed application. This is a challenging problem because data protection policies associated with applications usually require the strict isolation of certain data while permitting the sharing of other data. As an example, consider a local council with two applications on the G-Cloud: one for calculating unemployment benefits and one for receiving parking ticket fines, with both applications relying on a shared electoral roll database. How can the local council guarantee that data related to unemployment benefits will never be exposed to the parking fine application, even though both applications share a database and the cloud platform?
The focus of the CloudSafetyNet project is to rethink fundamentally how platform-as-a-service (PaaS) clouds should handle the security requirements of applications. The overall goal is to provide the CloudSafetyNet middleware, a novel PaaS platform that acts as a "safety net", protecting against security violations caused by implementation flaws in applications ("intra-tenant security") or vulnerabilities in the cloud platform itself ("inter-tenant security"). CloudSafetyNet follows a "data-centric" security model: the integrity and confidentiality of application data are protected according to data flow policies -- agreements between cloud tenants and the provider specifying the permitted and prohibited exchanges of data between application components. It will enforce data flow policies through multiple levels of security mechanisms following a "defence-in-depth" strategy: based on policies, it creates "data compartments" that contain one or more components and isolate user data. A small privileged kernel, which is part of the middleware and constitutes a trusted computing base (TCB), tracks the flow of data between compartments and prevents flows that would violate policies. Previously such information flow control (IFC) models have been used successfully to enhance programming language, operating system and web application security.
To make such a secure PaaS platform a reality, we plan to overcome a set of research challenges. We will explore how cloud application developers can express data-centric security policies that can be translated automatically into a set of data flow constraints in a distributed system. An open problem is how these constraints can be tied in with trusted enforcement mechanisms that exist in today's PaaS clouds. Addressing this will involve research into new lightweight isolation and sand-boxing techniques that allow the controlled execution of software components. In addition, we will advance software engineering methodology for secure cloud applications by developing new software architectures and design patterns that are compatible with compartmentalised data flow enforcement.
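The compartment model sketched in the abstract can be made concrete with a small reference monitor. The following is an added illustration, not code from the CloudSafetyNet middleware: it models the local council example (a benefits application and a parking fine application sharing an electoral roll database) with labels that are sets of compartments, a policy that clears each component for the compartments it may read, and a monitor through which every inter-component flow passes. Component names, compartment names and the policy are constructed for the example.

```python
"""Toy information flow control (IFC) monitor for the local council scenario.

Constructed illustration only. Labels are sets of data compartments. Every
component runs inside exactly one compartment and may be cleared by policy to
read from others. A flow to a component is permitted only if every compartment
in the data's label is one the component is cleared for. Data derived from
several inputs carries the union of their labels, so a join cannot launder the
taint of its inputs.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Data:
    value: str
    label: frozenset  # compartments whose data contributed to this value


@dataclass
class Component:
    name: str
    compartment: str
    # additional compartments the policy lets this component read from
    may_read: frozenset = field(default_factory=frozenset)

    def clearance(self) -> frozenset:
        return self.may_read | {self.compartment}


class FlowViolation(Exception):
    pass


class Monitor:
    """Stands in for the small privileged kernel: every inter-component flow
    is checked here and recorded in an audit trail."""

    def __init__(self):
        self.audit = []  # (source, destination, label, decision)

    def send(self, src: Component, dst: Component, data: Data) -> Data:
        uncleared = data.label - dst.clearance()
        decision = "deny" if uncleared else "allow"
        self.audit.append((src.name, dst.name, tuple(sorted(data.label)), decision))
        if uncleared:
            raise FlowViolation(
                f"{src.name} -> {dst.name}: label {sorted(data.label)} "
                f"exceeds clearance {sorted(dst.clearance())}"
            )
        return data


def combine(*items: Data) -> Data:
    """Derived data is labelled with the union of its inputs' labels."""
    label = frozenset().union(*(d.label for d in items))
    return Data(" + ".join(d.value for d in items), label)


def council_scenario() -> dict:
    """Run the shared-database example and report each flow decision."""
    roll = Component("electoral-roll", "roll")
    benefits = Component("benefits-app", "benefits", frozenset({"roll"}))
    parking = Component("parking-app", "parking", frozenset({"roll"}))
    mon = Monitor()
    results = {}

    # Both applications are cleared to read the shared electoral roll.
    address = Data("resident address record", frozenset({"roll"}))
    results["roll_to_benefits"] = mon.send(roll, benefits, address).value
    results["roll_to_parking"] = mon.send(roll, parking, address).value

    # The benefits app joins a claim with the address: the result is tainted
    # by both compartments and must stay inside the benefits compartment.
    claim = Data("unemployment claim", frozenset({"benefits"}))
    letter = combine(claim, address)
    results["letter_label"] = sorted(letter.label)

    for dst, key in ((parking, "benefits_to_parking"), (roll, "benefits_to_roll")):
        try:
            mon.send(benefits, dst, letter)
            results[key] = "allow"
        except FlowViolation:
            results[key] = "deny"

    results["audit"] = mon.audit
    return results


if __name__ == "__main__":
    for k, v in council_scenario().items():
        print(k, v)
```

The second denied flow is the one the abstract's question turns on: benefits data may not be written back into the shared electoral roll compartment either, because the parking application is cleared to read from it.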
Planned Impact
The importance of cloud computing for future services and applications has been recognised widely. A recent report by IBISWorld predicts that the UK cloud computing market will grow at an annual rate of 15.8% from £5.2 billion in 2011/2012 to reach £11 billion by 2016/2017. As well as decreasing capital and operational expenditure through outsourcing ICT infrastructure, cloud computing potentially reduces time-to-market. This creates numerous opportunities for SMEs and public organisations that engage with providers of public, private or community clouds.
Cloud security is of particular concern to organisations that require compliance with strict confidentiality and integrity policies. These include organisations in finance, defence and healthcare. For example, cloud security is especially important in e-government, where the UK government is establishing the G-Cloud as a standardised way for public bodies to deploy cloud-based applications and reuse existing services. As described in the attached letter of support by Andy Nelson, the UK Government Chief Information Officer (CIO), who is overseeing the G-Cloud programme, this puts pressure on companies participating in the G-Cloud initiative to show new capabilities in relation to cloud security. Over the course of CloudSafetyNet, we will stay aligned with the goals of the G-Cloud and form close links with CESG, the UK Government's National Technical Authority for Information Assurance.
In addition to the G-Cloud programme, we regard the NHS cancer record service, NHS ECRIC, as a major non-academic collaborator (see attached support letter). We will also interact with the local government shared service venture (LGSS), which provides IT services across Cambridgeshire and Northamptonshire County Councils regarding a cloud deployment based on our open-source CloudSafetyNet middleware (see attached support letter).
The Advanced Technology Centre of BAE Systems plans to apply data flow approaches as part of the Ministry of Defence's Project Solomon and their Detica business unit. As stated in the attached support letter, they commit to regular half-day meetings and participation in the CloudSafetyNet impact workshop. Nexor, an SME based in Nottingham providing security solutions for clouds, are an official supplier to the G-Cloud initiative and have committed to interact closely with the CloudSafetyNet project (see attached support letter).
Citrix Systems R&D and Xen.org, as providers of cloud computing technologies, have both expressed strong support for our research. Citrix's XenServer product is based on the open-source Xen hypervisor software. Citrix are interested in using our data flow policy language to express which network flows are allowed/denied, and in compiling to Open vSwitch rules, to update per-host flow tables to enforce this policy as the virtual environment changes (see attached support letters).
A high level of security is a sine qua non for cloud use by the financial sector and the military. Morgan Stanley, for example, will suggest security policies relevant to them, as part of ongoing interaction (see attached support letter by their Chief Operating Officer, Technology and Data). We intend to use these interactions as a basis for case studies and small experiments, in addition to the ECRIC deployment and evaluation.
Overall we see the broad range of support letters that we received as evidence for the technical quality, the timeliness and the potential for impact of the CloudSafetyNet project.
Organisations
People
Peter Pietzuch (Principal Investigator)
Publications
Bacon J (2014) Information Flow Control for Secure Cloud Computing, in IEEE Transactions on Network and Service Management
Brenner S (2016) SecureKeeper: Confidential ZooKeeper using Intel SGX
Goltzsche D (2017) TrustJS: Trusted Client-side Execution of JavaScript
Goltzsche D (2017) TrustJS
Muthukumaran D (2015) FlowWatcher
Papagiannis I (2016) BrowserFlow
Priebe C (2014) CloudSafetyNet
Description: The project has developed new practical approaches to monitor private and public clouds for unauthorised information disclosure, especially in relation to Platform-as-a-Service (PaaS) clouds, which are more vulnerable to security leaks. One concrete outcome was a software solution, FlowWatcher, that can be used to detect security vulnerabilities in the access control logic of cloud services.
Exploitation Route: We are still exploring routes for incorporating our techniques into currently available public cloud stacks.
Sectors: Digital/Communication/Information Technologies (including Software)
URL: http://lsds.doc.ic.ac.uk/projects/CloudSafetyNet
Description: We received interest from cloud technology vendors regarding our approach for securing PaaS clouds using data tracking. We have had a number of discussions with organisations (including the NHS) that are willing to move services into the cloud but are concerned about security issues. These discussions led to three follow-on funded projects that investigated specific security solutions using trusted hardware technology.
First Year Of Impact: 2015
Sector: Digital/Communication/Information Technologies (including Software)
Impact Types: Economic; Policy & public services
Description: Enclave Key Technologies Collaboration Project - Cloud Security (Huawei)
Amount: £746,883 (GBP)
Funding ID: HF2016120011
Organisation: Huawei Technologies
Sector: Private
Country: China
Start: 06/2017
End: 07/2020
Description: SeReCa: Secure Enclaves for Reactive Cloud Applications
Amount: € 630,000 (EUR)
Funding ID: 645011
Organisation: European Commission
Sector: Public
Country: European Union (EU)
Start: 01/2015
End: 12/2017
Description: SecureCloud: Secure Big Data Processing in Untrusted Clouds
Amount: € 499,000 (EUR)
Funding ID: 690111
Organisation: European Commission
Sector: Public
Country: European Union (EU)
Start: 01/2016
End: 12/2018
Title: FlowWatcher
Description: FlowWatcher is an HTTP proxy that mitigates data disclosure vulnerabilities in unmodified web applications. It monitors HTTP traffic and shadows part of an application's access control state based on a rule-based specification of the user-data-access (UDA) policy.
Type Of Technology: Software
Year Produced: 2015
Impact: FlowWatcher generated interest among our industrial partners, and we discussed potential commercial exploitation avenues.
URL: https://lsds.doc.ic.ac.uk/content/flowwatcher-defending-against-data-disclosure-vulnerabilities-web-...
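The description above names the mechanism: a proxy that learns which user owns which data from a UDA rule set and then checks every response against that shadow state. The following is an added, simplified illustration of that idea and is not FlowWatcher's code; it assumes a constructed JSON "notes" API, a UDA rule saying that a successful POST /notes makes the returned `text` field private to the requesting user, and a handful of constructed request/response exchanges, one of which exposes a disclosure bug in the application's access control.

```python
"""Simplified FlowWatcher-style shadowing of access control state.

Constructed illustration only. A UDA rule identifies responses that create
user-private data; the proxy records the owner of each such value (the shadow
access-control state) and flags any later response that carries a value owned
by a different user than the one receiving it.
"""
import json
import re
from dataclasses import dataclass


@dataclass
class Rule:
    """UDA rule: a 2xx response to METHOD PATH creates data owned by the
    requesting user; OWNED_FIELD names the private value in the JSON body."""
    method: str
    path: re.Pattern
    owned_field: str


@dataclass
class Exchange:
    """One observed request/response pair (constructed; the authenticated user
    is assumed to be known to the proxy, e.g. from a session cookie)."""
    user: str
    method: str
    path: str
    status: int
    body: str


class ShadowProxy:
    def __init__(self, rules):
        self.rules = rules
        self.owner = {}   # private value -> owning user
        self.alerts = []  # (recipient, path, owner of exposed value)

    def _learn(self, ex: Exchange) -> None:
        for rule in self.rules:
            if (ex.method == rule.method and rule.path.fullmatch(ex.path)
                    and 200 <= ex.status < 300):
                try:
                    doc = json.loads(ex.body)
                except ValueError:
                    continue
                value = doc.get(rule.owned_field)
                if isinstance(value, str) and value:
                    self.owner[value] = ex.user

    def _check(self, ex: Exchange) -> int:
        found = 0
        for value, owner in self.owner.items():
            if owner != ex.user and value in ex.body:
                self.alerts.append((ex.user, ex.path, owner))
                found += 1
        return found

    def observe(self, ex: Exchange) -> int:
        """Update shadow state, then return the number of disclosures flagged."""
        self._learn(ex)
        return self._check(ex)


def run_sample() -> list:
    rules = [Rule("POST", re.compile(r"/notes"), "text")]
    proxy = ShadowProxy(rules)
    # Constructed traffic: alice and bob each create a note, then bob's
    # search returns alice's note because the application's filter is broken.
    traffic = [
        Exchange("alice", "POST", "/notes", 201,
                 '{"id": 7, "text": "alice-medical-appointment-2015-03-02"}'),
        Exchange("bob", "POST", "/notes", 201,
                 '{"id": 8, "text": "bob-shopping-list"}'),
        Exchange("bob", "GET", "/notes/8", 200,
                 '{"id": 8, "text": "bob-shopping-list"}'),
        Exchange("bob", "GET", "/notes/search", 200,
                 '[{"id": 8, "text": "bob-shopping-list"},'
                 ' {"id": 7, "text": "alice-medical-appointment-2015-03-02"}]'),
    ]
    for ex in traffic:
        proxy.observe(ex)
    return proxy.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print("disclosure: user %s received data owned by %s via %s"
              % (alert[0], alert[2], alert[1]))
```

The substring match on the raw body is the simplification: it works for distinctive values and keeps the example short, while the decision of interest, that ownership is inferred from observed traffic and rules rather than from the application's own code, is the same.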