CloudFilter: Practical Confinement of Sensitive Data Across Clouds
Lead Research Organisation:
Imperial College London
Department Name: Computing
Abstract
Cloud computing aims to revolutionise traditional ways of service delivery. It enables companies, research institutions and government organisations to consolidate services in a shared ICT infrastructure supported by cloud providers. This reduces ownership and management costs, allows services to scale on-demand and improves energy efficiency. Security considerations, however, are a practical obstacle for the adoption of cloud computing. Cloud providers consolidate data from multiple services, which may result in widespread data disclosure when their security is compromised.
Strong cloud security is hard to achieve because it requires that the cloud platform cannot be compromised by hosted applications and that applications belonging to different cloud tenants are isolated to prevent data leakage. It is even harder for federated clouds, i.e. when a cloud provider uses another provider for some of its services. This is common in a Software-as-a-Service (SaaS) model, in which a provider offers a high-level service that can be reused by other providers. Both clients and cloud providers have an incentive to control the propagation of sensitive data. Clients are often legally responsible for data protection, and cloud providers want to avoid hosting sensitive data so as to limit liability claims after security incidents.
The CloudFilter project explores novel methods for exercising control over sensitive data propagation across multiple cloud providers. The targeted outcome is a practical solution that allows clients and cloud providers to control the sensitivity of data that is transferred across their systems and to prevent user actions that would violate data dissemination policies. Our key idea is to provide application-level proxies that transparently monitor data propagation from clients to cloud providers and between cloud providers. These proxies employ a data labelling scheme inspired by decentralised information flow control (DIFC) models, in which security classes express the sensitivity of transferred data. When crossing domain boundaries, labels are attached to data automatically based on data dissemination policies. Proxies verify labels according to domain policies to detect and prevent unauthorised data propagation between cloud domains.
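An added illustration of the boundary check described above (example code, not the CloudFilter project's own), assuming a DIFC-style representation in which a label is the set of security classes a payload carries and a domain policy is the set of classes that domain is cleared to hold; the domains, tagging rules and payloads are constructed for the demonstration.

```python
from dataclasses import dataclass, field

# Assumed representation: a label is a set of security classes; a domain's
# clearance is the set of classes it may hold. The sending proxy attaches
# labels, the receiving proxy checks them.
Label = frozenset


@dataclass
class Domain:
    name: str
    clearance: frozenset
    # Dissemination policy: substring in payload -> class to attach (constructed).
    tagging_rules: dict = field(default_factory=dict)


def attach_labels(src: Domain, payload: str, carried: Label = Label()) -> Label:
    """Label outgoing data at the domain boundary. A label never shrinks, so
    classes picked up at an earlier hop stay attached across a federation."""
    added = {cls for needle, cls in src.tagging_rules.items() if needle in payload}
    return Label(carried | added)


def may_flow(label: Label, dest: Domain) -> bool:
    """Data may enter dest only if dest is cleared for every class it carries."""
    return label <= dest.clearance


def proxy_transfer(src: Domain, dest: Domain, payload: str, carried: Label = Label()):
    """One proxy-mediated hop: returns (decision, label, classes dest lacks)."""
    label = attach_labels(src, payload, carried)
    if may_flow(label, dest):
        return ("allowed", label, Label())
    return ("denied", label, label - dest.clearance)


def route(payload: str, hops: list) -> list:
    """Forward a payload along a federated chain, re-checking at every boundary."""
    decisions, label = [], Label()
    for src, dest in zip(hops, hops[1:]):
        decision, label, _ = proxy_transfer(src, dest, payload, label)
        decisions.append((dest.name, decision))
        if decision == "denied":
            break
    return decisions


# Constructed domains and payloads for the demonstration.
HOSPITAL = Domain("hospital-private", frozenset({"pii", "medical"}),
                  {"NHS number": "pii", "diagnosis": "medical"})
PARTNER = Domain("partner-cloud", frozenset({"pii"}))
PUBLIC = Domain("public-saas", frozenset())
RECORD = "Referral: NHS number 000-000-0000, diagnosis: pending review"
CONTACT = "Contact card: NHS number 000-000-0000, clinic phone 0000"
NOTICE = "Clinic closed on Monday for maintenance"
```

The `route` call shows the federated case the abstract raises: a payload the partner cloud may hold is stopped when the partner tries to pass it on to a public provider, because the label attached at the first hop travels with the data.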
Planned Impact
The advent of cloud computing creates numerous opportunities for SMEs, public organisations and the defence and security sectors to reduce "time-to-market" for new applications and services, while also decreasing capital and operational expenditure through sharing of ICT infrastructure. The explosive growth of cloud computing will have profound implications on cybersecurity and the UK's national capability to protect its critical ICT infrastructure.
The move to an ecosystem of federated clouds, in which a single deployed application relies on services and resources from dozens of different cloud providers, will make the challenge of enforcing data security even more paramount. The lack of control over data placement and propagation in federated clouds severely limits their applicability. CloudFilter will result in an approach that enables data owners to obtain strong guarantees, for example, that only unclassified data will ever reach public clouds.
Impact in Different Sectors
A major requirement in the defence sector is to create information systems that provide secure collaborative working environments, particularly in an ad-hoc fashion in the field. For example, information systems for military situational awareness have to combine data, potentially hosted in distinct clouds, in order to drive real-time decision support. It will be possible to deploy CloudFilter as part of situational awareness applications, and we plan to explore such links for future work through Dstl, Nexor and BAE Systems.
The UK's G-Cloud effort for shared, cloud-based deployment of e-government services will require new data-centric cloud security solutions. Instead of focusing on a single cloud provider in isolation, security mechanisms will have to support application deployments across private, community and public clouds, each with their own trust considerations and security levels. The CloudFilter project will explicitly target such scenarios, and we plan to disseminate our research results to stakeholders from the G-Cloud community.
We also view UK companies as non-academic beneficiaries. Companies in many industries possess confidential data that requires protection. The aggressive drive towards reduction of ICT costs will lead more companies to embrace cloud-based solutions. As part of the CloudFilter project, we will explicitly target a cloud-based collaborative data sharing scenario for an SME.
Finally, the NHS will benefit because CloudFilter technology will allow NHS organisations to share data in a secure fashion while retaining control over how it is exchanged between different cloud domains. Our group has a successful history of technology transfer to ECRIC, an organisation within the NHS that collects medical histories of cancer patients. ECRIC currently field tests our SafeWeb middleware, and we plan to involve ECRIC staff in our dissemination activities for CloudFilter.
Application and exploitation
Our main vehicle for technology transfer will be through Nexor, our industrial partner on the project. Nexor will provide a contribution in-kind based on their expertise in cybersecurity and existing relationships with problem owners in the defence space. We plan to conduct regular meetings with the Nexor CTO, Colin Robbins, and hold joint workshops with the Nexor technology group.
Communication and engagement
We plan to hold an impact workshop on CloudFilter and encourage broad attendance of software developers, drawn from our existing contacts with members of the G-Cloud effort, the NHS, BAE Systems and Nexor. This will be combined with a release of the CloudFilter technology as open-source software. In addition, the PI will use speaking engagements at industry- and government-focused events on cloud security to raise public awareness of data-centric security mechanisms.
Publications
Papagiannis Ioannis
(2012)
CloudFilter: Practical Control of Sensitive Data Propagation to the Cloud
in ACM Cloud Computing Security Workshop (CCSW'12)
Ioannis Papagiannis
(2016)
BrowserFlow: Preventing Accidental Data Disclosure in Web Browsers
Papagiannis I
(2016)
BrowserFlow
Papagiannis I
(2012)
CloudFilter
Description | We have developed new practical techniques for increasing the trust that users and organisations have in remote cloud environments. The basic idea is to follow an information flow control model, in which any sensitive data is tracked automatically by software, which can in turn prevent the unauthorised disclosure of the data. This means that users have more control over which of their data propagates to external cloud services. In addition, we have explored how similar techniques can be used to prevent unauthorised data disclosure in enterprise environments. |
Exploitation Route | Both cloud operators and companies offering security solutions (such as our industrial partner Nexor) can realise the proposed techniques as part of new offerings. We believe that the developed techniques are also relevant to private clouds that require higher security assurances, e.g. as needed for the G-Cloud or NHS Cloud. |
Sectors | Digital/Communication/Information Technologies (including Software) Healthcare Government Democracy and Justice |
URL | http://lsds.doc.ic.ac.uk/projects/CloudFilter |
Description | The CloudFilter project developed new techniques for increasing the user trust in cloud infrastructures. It resulted in two pieces of research work: (a) the CloudFilter system that monitors data entering and leaving a cloud domain in order to control the propagation of sensitive data; and (b) the BrowserFlow web browser plug-in that controls the propagation of sensitive data between different cloud-based web applications. Both systems were described in scientific publications and implemented as open-source prototypes. They were demonstrated to our industrial partner, Nexor, and we are currently exploring possible commercialisation routes. |
First Year Of Impact | 2013 |
Sector | Digital/Communication/Information Technologies (including Software) |
Impact Types | Societal Economic |
Description | CloudSafetyNet: Data-Centric Security for Clouds |
Amount | £522,000 (GBP) |
Funding ID | EP/K008129/1 |
Organisation | Engineering and Physical Sciences Research Council (EPSRC) |
Sector | Public |
Country | United Kingdom |
Start | 05/2013 |
End | 06/2016 |