1 / 19

End-to-End Privacy Policy Enforcement in Cloud Infrastructure

End-to-End Privacy Policy Enforcement in Cloud Infrastructure. S. Betgé-Brezetz, M.P. Dupont, G.B. Kamga, A. Guesmi Alcatel-Lucent Bell Labs, France IEEE CloudNet, San Francisco, November 11 th , 2013. Privacy & Data Protection in the Cloud Business & regulation context (1/2).

mirabelle-nicolas
Download Presentation

End-to-End Privacy Policy Enforcement in Cloud Infrastructure

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. End-to-End Privacy Policy Enforcement in Cloud Infrastructure S. Betgé-Brezetz, M.P. Dupont, G.B. Kamga, A. Guesmi Alcatel-Lucent Bell Labs, France IEEE CloudNet, San Francisco, November 11th, 2013

  2. Privacy & Data Protection in the CloudBusiness & regulation context (1/2) Enterprises are moving in the cloud their data & applications (even for a time-bound project) Various data sensitivities (eg HR, eHealth data), applications (eg business, communication) and policies (regulation, enterprise, end-user) Key issue: End-to-end protection of sensitive data stored, processed and moving in the cloud Who has accessed to my data? From where? How many times? I control the access to my data. I know where my data are. Where are located my data? Applications Policy Data Cloud-based Enterprise IT (incl. Private & Public cloud) Data, apps & policy are controlled by my IT staff. Traditional Enterprise IT (on-premise based) How many pieces of a given data exist in the cloud? Keep privacy & confidentiality of the sensitive data in the cloud all along their lifecycle (creation, processing, transfer, deletion)

  3. Privacy & Data Protection in the CloudbusineSs & Regulation context (2/2) Enterprise (as a Cloud User) is responsible for the right application of the privacy/data protection policies on their customer data (eg, see* for the European regulation context)  The Cloud Service Provider (CSP) has to provide the adequate protection features so that the Cloud User can appropriately set the privacy policies for each of his sensitive data These privacy settings have to be specified in the SLA agreed between the CU and the CSP  The CSP has to enforce the SLA and provide evidences of the SLA fulfillment Applicable policies 2 Privacy-related metadata Cloud privacy settings Cloud Infrastructure (Computingnode, Storage, Network) Cloud Management (e.g., Orchestration, Monitoring) Compliance Analysis Cloud Privacy Settings Data 1 3 SLA Cloud User (Data Controller) Cloud Service Provider (Data Processor) Data protection : a mandatory requirement for the CSP *Article 29 Data Protection Working Party, “Opinion 05/2012 on cloud computing”, WP 196, Brussels, July 2012

  4. Privacy & Data Protection in the CloudKey requirements • Data storage • Data location • Data access control per application/per user • Data retention and deletion • Data usage tracing • Data breach notification • etc. • Data processing (in Virtual Machines) • VM location and co-location constraints • VM isolation • VM security level • etc. This Data Protection should be handled end-to-end (from the Cloud User through all the cloud nodes/VMs of the CSP)

  5. Privacy & Data Protection in the CloudRelated Work Data obfuscation before sending to the cloud • Prevent the CSP to access the plain data • Encryption [Diallo 2012, HekaFS], Data Shredding [Rabin 1989] • Enable some processing on encrypted data: • Homomorphic encryption [Gentry 2009] • Adapted for storage service, but not for benefiting from the cloud computation capabilities • Not flexible access control • Sticky policy approaches: • Using consent & revocation module [Casassa 2012] • Scalable authorization infrastructure with conflict resolution capabilities [Chadwick 2012] • Proprietary solution: Rights Management System (RMS) [Microsoft] • Infrastructure-related constraints not enforced • Not transparent to the application (application upgrade or applicative plug-in needed) Privacy policy enforcement

  6. Privacy & Data Protection in the Cloud Our approach: end-to-end data protection Cloud Provider Services Cloud User Applications CustomerSite Cloud Infrastructure Level Data Protection Module PDE ( Privacy Data Envelope) Plain text data Privacy policies Encryption Client Data Protection Module Policy Data Data usage historic • End-to-end policy enforcement from the client device to the cloud infrastructure • Controls are governed by the data itself (PDE: sticky policy based approach) • In-depth and fine-grained access control within the cloud (based on user ID and location, data location, action purpose, etc.) and transparent to the applications • Overall data access tracking in order to build a comprehensive data usage dashboard

  7. Privacy& Data Protection in the Cloud Implementation: File data protection MODULE • Illustration in the case of VM File System: File Data Protection Module (FDPM) • Use FUSE* (Linux standard) for intercepting all File System calls done to the files stored in a protected directory (/protected_dir) • Enforce the privacy policies for each action done on a protected file • “Replace” the POSIX ACL (eg, “ugo+rw”) by the policy attached to the file Cloud Compute Node Virtual Machine (VM) File Data Protection Module (FDPM) Trace Manager User Context Manager Customer Device System Applications User Applications Data Access Manager Policy Checking Client Data Protection Module (CDPM) FUSE-J based FS Wrapper FS requests / responses Linux Ubuntu FUSE Kernel Module /Backend _Dir file.pde /Protected _dir * File system in user space

  8. Privacy & Data Protection in the Cloud FDPM Prototype characteristics • Virtual Machines • Linux Ubuntu 12.04 • Deployed on Cloud Platforms in France and in the US • File system wrapper • FUSE version 2.8 • FUSE-J (JNI Java/C binding) • Policy checking • Java SunXacml (XACML 2.0) • Data access management: file & policy hybrid encryption • Blowfish (FEK/File Encryption Key, PEK/Policy Encryption Key) • GPG (PEK and FEK encryption)

  9. Privacy & Data Protection in the Cloudscenario (1/7): setup MarcDurand.xml Client Data Protection Module 1 Policy.xml Client laptop Nozay-Vx (FR) 2 sftp US France Cloud Compute Node Cloud Compute Node VM-US-1 VM-FR ALU CLOUDBAND Naperville (US) ALU CLOUDBAND Naperville (US) 3 FDPM Application_A Application_A FDPM 6 sftp 4 Application_B Application_B ALU Bell LabsAxP Cloud Emulated Other Country ALU Bell LabsAxP Cloud Nozay-Vx (FR) 5 OS OS 7 8 sftp sftp Other country US Cloud Compute Node Cloud Compute Node VM-US-2 VM-Other FDPM Application_A Application_A Application_B Application_B OS OS

  10. Privacy & Data Protection in the Cloudscenario (2/7): data & policy First Name: Marc Name: Durand Citizenship: French Address: 10 rue de la Paix, Paris, France Phone: 01 40 56 37 32 Purchase history & customer profile: … Location history & geo-profile: ... Call history & social profile: ... MarcDurand.xml Client Data Protection Module 1 Policy.xml Client laptop Nozay-Vx (FR) 2 sftp US France Cloud Compute Node Cloud Compute Node • The profile shall only be stored in a protected VM (i.e., in the protected_dir of a VM equipped with the FDPM). • The profile shall only be stored in France or in the US. • This profile shall be accessed/processed by Application_A (e.g., content recommendation application) but not by the Application_B (e.g., targeted advertising application). VM-US-1 VM-FR ALU CLOUDBAND Naperville (US) ALU CLOUDBAND Naperville (US) 3 FDPM Application_A Application_A FDPM 6 sftp 4 Application_B Application_B ALU Bell LabsAxP Cloud Emulated Other Country ALU Bell LabsAxP Cloud Nozay-Vx (FR) 5 OS OS 7 8 sftp sftp Other country US Cloud Compute Node Cloud Compute Node VM-US-2 VM-Other FDPM Application_A Application_A Application_B Application_B OS OS

  11. Privacy & Data Protection in the Cloudscenario (3/7): protected file generation MarcDurand.xml Client Data Protection Module 1 MarcDurand.pde Policy.xml Client laptop Nozay-Vx (FR) 2 sftp Generation of the protected file (MarcDurand.pde) US France Cloud Compute Node Cloud Compute Node VM-US-1 VM-FR ALU CLOUDBAND Naperville (US) ALU CLOUDBAND Naperville (US) 3 FDPM Application_A Application_A FDPM 6 sftp 4 Application_B Application_B ALU Bell LabsAxP Cloud Emulated Other Country ALU Bell LabsAxP Cloud Nozay-Vx (FR) 5 OS OS 7 8 sftp sftp Other country US Cloud Compute Node Cloud Compute Node VM-US-2 VM-Other FDPM Application_A Application_A Application_B Application_B OS OS

  12. Privacy & Data Protection in the Cloudscenario (4/7): upload in the cloud Transfer of MarcDurand.pde in VM-FR MarcDurand.xml Client Data Protection Module 1 MarcDurand.pde Policy.xml Client laptop Nozay-Vx (FR) VM-FR with MarcDurand.pde file stored in the directory /protected_dir 2 sftp US France Cloud Compute Node Cloud Compute Node VM-US-1 VM-FR ALU CLOUDBAND Naperville (US) ALU CLOUDBAND Naperville (US) 3 FDPM Application_A Application_A FDPM 6 sftp 4 Application_B Application_B ALU Bell LabsAxP Cloud Emulated Other Country ALU Bell LabsAxP Cloud Nozay-Vx (FR) 5 OS OS MarcDurand.pde 7 8 sftp sftp Other country US Cloud Compute Node Cloud Compute Node VM-US-2 VM-Other FDPM Application_A Application_A Application_B Application_B OS OS

  13. Privacy & Data Protection in the Cloudscenario (5/7): ACCESS from AppLI A & B controLled by polIcy MarcDurand.xml Client Data Protection Module 1 MarcDurand.pde Policy.xml Client laptop Nozay-Vx (FR) 2 sftp US France Cloud Compute Node Cloud Compute Node VM-US-1 VM-FR ALU CLOUDBAND Naperville (US) ALU CLOUDBAND Naperville (US) 3 FDPM Application_A Application_A FDPM 6 sftp 4 Application_B Application_B ALU Bell LabsAxP Cloud Emulated Other Country ALU Bell LabsAxP Cloud Nozay-Vx (FR) 5 OS OS MarcDurand.pde Appli_A is authorized to read the file MarcDurand.pde Appli_B is not authorized to read the file MarcDurand.pde 7 8 sftp sftp Other country US Cloud Compute Node Cloud Compute Node VM-US-2 VM-Other FDPM Application_A Application_A Application_B Application_B OS OS

  14. Privacy & Data Protection in the Cloudscenario (6/7): file transfer controlled by policy MarcDurand.xml Client Data Protection Module 1 MarcDurand.pde Policy.xml Client laptop Nozay-Vx (FR) 2 VM-US-1 after authorized sftp transfer of MarcDurand.pde (100% transferred, policy ok) sftp US France Cloud Compute Node Cloud Compute Node VM-US-1 VM-FR ALU CLOUDBAND Naperville (US) ALU CLOUDBAND Naperville (US) 3 FDPM Application_A Application_A FDPM 6 sftp 4 Application_B Application_B MarcDurand.pde ALU Bell LabsAxP Cloud Emulated Other Country ALU Bell LabsAxP Cloud Nozay-Vx (FR) 5 OS OS MarcDurand.pde 7 8 VM-Other after unauthorized sftp transfer of MarcDurand.pde (0% transferred, policy not ok) VM-US-2 after unauthorized sftp transfer of MarcDurand.pde (0% transferred, policy not ok) sftp sftp Other country US Cloud Compute Node Cloud Compute Node VM-US-2 VM-Other FDPM Application_A Application_A Application_B Application_B OS OS

  15. Privacy & Data Protection in the Cloud scenario (7/7): generated traces MarcDurand.xml Client Data Protection Module 1 MarcDurand.pde Policy.xml Client laptop Nozay-Vx (FR) 2 sftp Generated traces US Europe Cloud Compute Node Cloud Compute Node VM-US-1 VM-FR ALU CLOUDBAND Naperville (US) ALU CLOUDBAND Naperville (US) 3 FDPM Application_A Application_A FDPM 6 sftp 4 Application_B Application_B ALU Bell LabsAxP Cloud Nozay-Vx (FR) ALU Bell LabsAxP Cloud Emulated Other Country 5 OS OS MarcDurand.pde MarcDurand.pde 7 8 sftp sftp Other country US Cloud Compute Node Cloud Compute Node VM-US-2 VM-Other FDPM Application_A Application_A Application_B Application_B OS OS

  16. Privacy & Data Protection in the CloudPerformance Evaluation Computation time split (500 Kb PDE file, file read access control) Performance of the FDPM modules according to the PDE file size Total computation time = 220 ms (compared to 60 ms for a plaintext file)

  17. Conclusion & perspectives • Support of various types of policies encompassing storage and computing (VM, file system) • End-to-end monitoring of data allowing to build a comprehensive data usage dashboard (enabling security & privacy audits) • Solution fully transparent for the applications (no need to modify the applications) • Use of Secure Elements (eg SD card, smart card) embedded in the cloud nodes in order to further enforce security • Support of the European SEED4C research project (www.celticplus-seed4c.org) • Enforce privacy constraints on the network path notably by relying on SDN technologies • E.g., data transferred between VMs should not cross some given unauthorized areas Conclusion: end-to–end & in-depth protection of sensitive data Some perspectives

More Related