PaaSword: A Holistic Data Privacy and Security by Design Framework for Cloud Services Yiannis Verginadis, Antonis Michalas, Panagiotis Gouvas, Gunther Schiefer, Gerald Hubsch, Iraklis Paraskakis CLOSER 2015, Lisbon, May 21, 2015

Information Management Unit / ICCS of NTUA www.imu.iccs.gr

Agenda

Introduction

Data Security Challenges in the Cloud

PaaSword Framework

Conclusions


Introduction

The adoption of cloud computing has moved from focused interest to widespread intensive experimentation and is now rapidly approaching a phase of near-ubiquitous use

Many users have started relying on cloud services without realizing it

Many companies have remained cautious due to security concerns

Applications and storage volumes often reside next to potentially hostile virtual environments, leaving sensitive information at risk of theft, unauthorized exposure or malicious manipulation

Governmental regulation presents an additional concern: significant legal and financial consequences if data confidentiality is breached


Related Work

Commonly used access control models (Ferrari 2010) are:

  Mandatory Access Control (MAC)

  Discretionary Access Control (DAC)

  Role-Based Access Control (RBAC)

Extending these models:

  location-aware access control (LAAC) – there is a clear lack of support for additional pertinent contextual information (Cleeff et al., 2010)

  context-aware access control (CAAC) – with shortcomings like:

    lack of support for dynamically generated context (Covington et al., 2001)

    lack of fine-grained data access control (Kayes et al., 2013)


Related Work (contd.)

Regarding policy management, there is a lack of proper separation of concerns (Kourtesis and Paraskakis, 2012)

  Policy definition and policy enforcement are entangled in the implementation of a single software component, leading to a lack of:

    portability

    explicit representation of policy relationships

Regarding data distribution and encryption algorithms:

  Gentry (2009) introduced the first fully homomorphic encryption scheme that enables semantically secure outsourcing to the cloud, but it presents severe performance issues

  In CryptDB (Popa et al., 2011), the concept of onions was used, with the main drawback being the lack of security guarantees to the client


Security Challenges in the Cloud

The top four threats identified (CSA, 2013) are:

  data leakage

  data loss

  account hijacking

  insecure APIs

The most critical part of a modern cloud application is the data persistency layer and the database itself

The OWASP foundation has categorized database-related attacks as the most critical ones

  SQL injection represents 17% of all security breaches examined

  These attacks were responsible for 83% of the total records stolen from 2005 to 2011


Security Challenges in the Cloud (contd.)

Most of the security fences configured in a corporate environment target the fortification of the so-called network perimeter

  e.g. routers, hosts and virtual machines

IDS and IPS try to cope with database-takeover security aspects, but the risk of database compromise is greater than ever, as:

  automated exploitation tools (e.g. SQLMap) are widely spread

  IPS and IDS evasion techniques have become extremely sophisticated

Internal adversaries or even unknown vulnerabilities of software platforms widely adopted in the cloud may provide malicious access to sensitive data

  e.g. the Heartbleed flaw constituted a serious fault in the OpenSSL cryptography library, which remained unnoticed for more than two years and affected over 60% of Web servers worldwide


Security Challenges in the Cloud (contd.)

Regarding the post-exploitation phase, things are even worse in the case where a symmetric encryption algorithm has been employed

  cracking toolkits that utilize GPU processing power (e.g. oclHashcat) are able to crack ciphers using brute-force techniques with an attack rate of 162 billion attempts per second

The application developer is the one responsible for both:

  sanitizing all HTTP input parameters

  ensuring that compromised data will be useless

Nevertheless, the mere utilization of an IaaS or PaaS provider may by itself spawn a multitude of inherent vulnerabilities

  that cannot be tackled effectively, as they typically exceed the responsibilities of an application developer


Threat Model

We assume a semi-honest adversarial model for the cloud provider (Paladi et al., 2014; Santos et al., 2009)

  a malicious cloud provider correctly follows the protocol specification but can intercept all messages and may attempt to use them in order to learn information that otherwise should remain private.

For the rest of the participants we consider the threat model (Santos et al., 2009) that assumes that privileged access rights can be used by a remote adversary, ADV, to leak confidential information

  e.g. a corrupted system administrator can obtain remote access to any host maintained by the provider.

  the adversary cannot access the volatile memory of any guest virtual machine (VM) residing on the compute hosts of the provider


Context-aware Access Model

We envision an XACML-based context-aware access model, which is needed by developers in order to annotate the Data Access Objects (DAOs) of their applications


Facets of the Context-Aware Access Model

Facets:

  IP Address

  (Local) Time

  Location

  Device Type

  Data Connection Type

  etc.

Patterns:

  Frequency

  Usual Duration

  Usual Dates

  Usual Hours

  Previously Accessed Data

Sensitive / Non-Sensitive Data

Role


Policies Access and Enforcement

A middleware that will provide:

  transparent key usage for efficient authentication purposes

  annotation capabilities in the form of a tool (IDE plugin) allowing developers to declaratively create the minimum rule-set needed for security enforcement purposes

  dynamic interpretation of the DAO annotations into policy enforcement rules

  governance and quality control of the annotations and their respective policy rules

  formulation and implementation of the overall policy enforcement business logic
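As an added illustration, not PaaSword's own code, of how the facets listed earlier can drive an XACML-style decision and how a DAO annotation can keep policy definition apart from enforcement: a small Python PDP/PEP using the XACML deny-overrides combining algorithm, with constructed facet values, constructed rules, and a hypothetical `access_policy` decorator standing in for the IDE-generated annotation.

```python
import ipaddress
from dataclasses import dataclass
from functools import wraps
from typing import Callable

@dataclass
class Context:  # request facets from the slides; all values are constructed
    ip: str
    local_hour: int          # 0-23, caller's local time
    device_type: str         # e.g. "desktop", "mobile"
    role: str
    sensitive: bool = False  # does the request touch sensitive data?
@dataclass
class Rule:  # a predicate over the context plus an effect, as in an XACML Rule
    name: str
    applies: Callable[[Context], bool]
    effect: str              # "Permit" or "Deny"

def deny_overrides(rules, ctx):
    """PDP with XACML deny-overrides: an applicable Deny wins outright, else Permit if any rule permits, else NotApplicable."""
    decision, matched = "NotApplicable", None
    for rule in rules:
        if rule.applies(ctx):
            if rule.effect == "Deny":
                return "Deny", rule.name
            decision, matched = "Permit", rule.name
    return decision, matched

def access_policy(rules):
    """Hypothetical DAO annotation acting as PEP: the rule-set is declared on the method and evaluated per call, apart from the data-access code."""
    def decorate(fn):
        @wraps(fn)
        def guarded(self, ctx, *args, **kwargs):
            decision, why = deny_overrides(rules, ctx)
            if decision != "Permit":
                raise PermissionError(f"{fn.__name__}: {decision} ({why})")
            return fn(self, ctx, *args, **kwargs)
        return guarded
    return decorate

CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed sample range
PATIENT_RULES = [
    Rule("office-hours", lambda c: not 8 <= c.local_hour < 18, "Deny"),
    Rule("no-sensitive-on-mobile", lambda c: c.sensitive and c.device_type == "mobile", "Deny"),
    Rule("corporate-network-only", lambda c: ipaddress.ip_address(c.ip) not in CORPORATE_NET, "Deny"),
    Rule("clinical-staff", lambda c: c.role in ("doctor", "nurse"), "Permit"),
]

class PatientDAO:
    @access_policy(PATIENT_RULES)
    def read_record(self, ctx, patient_id):
        return {"patient_id": patient_id, "diagnosis": "<ciphertext>"}  # constructed row
```

Because `deny_overrides` returns the name of the rule that decided the outcome, the same value can feed the governance and audit logging the middleware slide calls for.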


Ontology for Access Policies

Devise an appropriate vocabulary of concepts and decide how they are interrelated

Populate the framework with appropriate instances to give rise to DAOs

Formalise these concepts and their interrelations – gives rise to the ontology framework


High level view of XACML Components


Secure Storage

We propose a design for a cryptographic cloud storage that will be based on a symmetric searchable encryption (SSE) scheme similar to (Kamara and Lauter, 2010)

We plan to extend the previous work Cumulus4j (Huber et al., 2013) and MimoSecco (Gabel and Hubsch, 2014), which hides relations between different data values of a data row and creates the base for secure database outsourcing

We plan to build an SSE that will support multi-writer/multi-reader (M/M) access

  by involving a key distribution algorithm that will extend the S/S (single writer/single reader) architecture to M/M.
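To make the SSE idea concrete, here is an added single-writer/single-reader (S/S) toy in Python, not the Cumulus4j, MimoSecco or PaaSword code: HMAC-SHA256 serves as the keyed PRF for keyword trapdoors, a PRF-in-counter-mode keystream stands in for a real AEAD, and the rows are constructed samples; the semi-honest server stores only trapdoors and ciphertexts and learns which rows match a query, never the keyword or the data.

```python
import hmac
import hashlib
import os

def prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy PRF-in-counter-mode stream cipher; a deployment would use an AEAD such as AES-GCM."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = prf(key, nonce + i.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Client:
    """Data owner and key holder: keywords and plaintext never leave this side in the clear."""
    def __init__(self):
        self.k_index = os.urandom(32)  # keyed-PRF key for trapdoors
        self.k_data = os.urandom(32)   # record encryption key

    def trapdoor(self, keyword: str) -> bytes:
        return prf(self.k_index, keyword.encode())

    def build_index(self, rows):
        """rows: {row_id: (keywords, plaintext)} -> (encrypted index, encrypted rows)."""
        index, enc_rows = {}, {}
        for rid, (keywords, plaintext) in rows.items():
            nonce = os.urandom(16)
            enc_rows[rid] = nonce + keystream_xor(self.k_data, nonce, plaintext)
            for kw in keywords:
                index.setdefault(self.trapdoor(kw), set()).add(rid)
        return index, enc_rows

    def decrypt(self, blob: bytes) -> bytes:
        return keystream_xor(self.k_data, blob[:16], blob[16:])

class Server:
    """Cloud side (semi-honest): stores only PRF outputs and ciphertexts, answers trapdoor queries."""
    def __init__(self, index, enc_rows):
        self.index, self.enc_rows = index, enc_rows

    def search(self, trapdoor: bytes) -> dict:
        # Leaks the access pattern (which rows match) and the search pattern
        # (repeated trapdoors), the usual SSE trade-off; keywords stay hidden.
        return {rid: self.enc_rows[rid] for rid in self.index.get(trapdoor, ())}
```

Moving from S/S to M/M, as the slide proposes, means distributing `k_index` and `k_data` (or derived per-user keys) to several writers and readers; this toy keeps both keys in one Client.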


Conceptual Architecture


Conclusions & Next Steps

Future work involves the implementation of the proposed framework

This solution will be validated through 5 pilots:

Encrypted persistency as a service in a PaaS provider

Intergovernmental secure document and personal data exchange

Secure sensors data fusion and analytics

Protection of personal data in a multi-tenant CRM

Protection of sensitive enterprise information in a multi-tenant ERP

Thank you for listening!

Acknowledgements:

This work is related to the PaaSword project and has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 644814