
CloudFilter: Practical Control of Sensitive Data Propagation to the Cloud

Department of Computing. CloudFilter: Practical Control of Sensitive Data Propagation to the Cloud. Ioannis Papagiannis, Peter Pietzuch. Large-Scale Distributed Systems Group, http://lsds.doc.ic.ac.uk. ACM Cloud Computing Security Workshop (CCSW), October 19, 2012.


Presentation Transcript


  1. Department of Computing. CloudFilter: Practical Control of Sensitive Data Propagation to the Cloud. Ioannis Papagiannis, Peter Pietzuch. Large-Scale Distributed Systems Group, http://lsds.doc.ic.ac.uk. ACM Cloud Computing Security Workshop (CCSW), October 19, 2012

  2. Can an employee store files online?

  3. Can an employee store files online? Not really… Why?!
     "Hi Yiannis, can you send me that file from my Dropbox?"
     "Sure, here it is!"

  4. Can an employee store files online? Not really… Why?!
     • Policy 1: Employees should not waste time online on personal matters!
     • Policy 2: Employees should not be able to send company files to arbitrary recipients!

  5. Can an employee store files online? Not really… Why?!
     • Dropbox enables large-scale data disclosure
     • It's very easy for employees to misunderstand and violate the data propagation policy of the bank
     • The bank wants to be able to blame employees if a leak occurs

  6. Current solution: network-level blocking
     • Network-level blocking of cloud services is not perfect:
        • Why prevent workflows that involve non-sensitive data?
        • Employees are more likely to bypass company policy completely by using personal devices

  7. Threat Model
     • Users are not malicious:
        • Employees are trusted to decide whether data are sensitive or not
        • Employees are accountable for their actions
     • The cloud provider:
        • Is trusted to collaborate with organisations and help them control access to their data

  8. Objectives and Ideas
     • CloudFilter's objectives:
        • Support (most) cloud storage providers
        • Help employees comply with data propagation policy
        • Log attempts to disclose sensitive data
        • Control how data are accessed after they have been uploaded
     • Important ideas:
        • Three different types of data (confidential, public and protected)
        • Most cloud storage providers support HTTP for file transfers
        • Data propagation is controlled via labels embedded inside files

  9. CloudFilter File Upload
     [Diagram with steps 1–5. Components: Browser plugin, Client Proxy, Service Proxy, Cloud Storage Provider. Elements: File, label, Policy, HTTP.]

  10. CloudFilter File Download
     [Diagram with steps 1–4. Components: Browser plugin, Client Proxy, Service Proxy, Cloud Storage Provider. Elements: File, label, Policy, HTTP.]

  11. Embedding labels inside files

         <rdf:Description rdf:about="" xmlns:cf0="http://cloudfilter.doc.ic.ac.uk/0">
           <cf0:domain>cf.doc.ic.ac.uk</cf0:domain>
           <cf0:id>protected</cf0:id>
           <cf0:parameters>
             <rdf:Seq>
               <rdf:li>user</rdf:li>
             </rdf:Seq>
           </cf0:parameters>
           <cf0:user>ip108, prp</cf0:user>
         </rdf:Description>

     [Slide annotations on the label: proxy addr, policy id, parameters. Diagram element: File.]
     Labels can be embedded inside specific file types using Adobe's eXtensible Metadata Platform (XMP)

  12. Policy 1: Prevent all file uploads to Dropbox
     • Event: {out} {put post} {(.*\.)*dropbox.com(/.*)* }
     • Condition: (none)
     • Action: return("403")
     [Diagram elements: Browser plugin, File, HTTP, Client Proxy.]

  13. Policy 2: Only allow uploading public documents
     • Event: {out} {put post} {(.*\.)*dropbox.com(/.*)* }
     • Condition: (none)
     • Action:

         form = createHTMLForm()
         resp = ask(form)
         if resp == "public":
             log()
             return(issue())
         else:
             return("403")

     [Diagram elements: Browser plugin, File, HTTP, Client Proxy.]

  14. Policy 3: Only share documents across university staff
     [Diagram. Components: Client Proxy, Service Proxy, Cloud Storage Provider, UniversityEmployee, UniversityStudent. Elements: Policy (DN), Policy (UP), UConfidential File, File.]

  15. CloudFilter++

  16. CloudFilter Limitations
     • Limitations:
        • No provenance » too irritating for the user
           • User input is required to classify each file in a security category
           • User input is required again after a file has been edited
        • Restrictive data model » most web applications do not use files
           • Web applications typically use a relational database and a custom data model
           • Online document editors expose file export/import functionality but this does not preserve labels
           • User files are typically stored online, edited locally

  17. What will the future enterprise desktop look like?

  18. The End
     • Ioannis Papagiannis
     • DoC, Imperial College London
     • ip108@doc.ic.ac.uk

  19. Policy specification: Event-Condition-Action (ECA)
     • Data propagation policies
        • specify the actions of CloudFilter proxies when file transfers are detected
        • have 3 parts (Event-Condition-Action)
        • may be sent across proxies at runtime
     • Part 1: Event
        • The event that triggers an ECA policy is the invocation of an HTTP method
        • Match HTTP requests according to (1) direction of data flow, (2) HTTP method, (3) target URL
     • Part 2: Condition
        • The condition that must be satisfied is the existence of labeled files inside the HTTP request/response
        • Two types of conditions (service-agnostic, service-specific)
     • Part 3: Action
        • A Python script that a proxy executes to handle the file transfer
        • The script can access the file and the HTTP request/response
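
Added example (not from the slides or the CloudFilter code base): a small Python sketch of the Event-Condition-Action flow of slide 19 applied to the XMP label of slide 11. Assumptions: each name in cf0:parameters points at a cf0 element holding comma-separated values; the download policy, the `decide`/`parse_label` names, the "200" default and the host+path URL form are hypothetical; the URL pattern is a tightened variant of the one on slides 12 and 13.

```python
import re
import xml.etree.ElementTree as ET
NS = {"rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
      "cf0": "http://cloudfilter.doc.ic.ac.uk/0"}
# Tightened form of the slides' URL pattern: escaped dot, no nested quantifiers.
DROPBOX = r"([^/]+\.)?dropbox\.com(/.*)?"
AUDIT = []  # stands in for the proxy's log

# Constructed sample: the slide-11 label wrapped in a minimal rdf:RDF element.
SAMPLE_XMP = f"""<rdf:RDF xmlns:rdf="{NS['rdf']}">
 <rdf:Description rdf:about="" xmlns:cf0="{NS['cf0']}">
  <cf0:domain>cf.doc.ic.ac.uk</cf0:domain><cf0:id>protected</cf0:id>
  <cf0:parameters><rdf:Seq><rdf:li>user</rdf:li></rdf:Seq></cf0:parameters>
  <cf0:user>ip108, prp</cf0:user></rdf:Description></rdf:RDF>"""

def parse_label(xmp):
    """Return the cf0 label as a dict, or None when the file carries no label."""
    desc = ET.fromstring(xmp).find("rdf:Description", NS)
    if desc is None or desc.find("cf0:id", NS) is None:
        return None
    label = {k: desc.findtext(f"cf0:{k}", "", NS) for k in ("domain", "id")}
    for li in desc.iterfind("cf0:parameters/rdf:Seq/rdf:li", NS):
        name = li.text or ""
        if name.isalnum():  # ignore parameter names that are not plain tags
            raw = desc.findtext(f"cf0:{name}", "", NS)
            label[name] = [v.strip() for v in raw.split(",")]
    return label

def protected_download(label, user):
    # Hypothetical action: only users named in the label may fetch the file.
    if user in label.get("user", []):
        return "200"
    AUDIT.append((user, label["id"]))
    return "403"

# Each policy: (direction, methods, URL regex, condition or None, action).
POLICIES = [
    ("out", {"put", "post"}, DROPBOX, None, lambda label, user: "403"),
    ("in", {"get"}, DROPBOX, lambda l: bool(l) and l["id"] == "protected", protected_download),
]

def decide(direction, method, url, xmp, user):
    """Run the first policy whose event and condition match; default is allow."""
    label = parse_label(xmp) if xmp else None
    for d, methods, url_re, cond, action in POLICIES:
        if (direction == d and method.lower() in methods
                and re.fullmatch(url_re, url) and (cond is None or cond(label))):
            return action(label, user)
    return "200"
```

The pattern is applied with `re.fullmatch`, so a host such as `dropbox.com.example.org` does not trigger the Dropbox policies. A proxy parsing untrusted uploads would use a hardened XML parser (for example defusedxml) in place of the standard-library one.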
