FADE: A Secure Overlay Cloud Storage System with Access Control and Assured Deletion
Patrick P. C. Lee

Cloud Storage is Emerging
Cloud storage is now an emerging business model for data outsourcing
• Mobile devices
• Individual users
• Enterprises

Case Studies
Smugmug: hosting terabytes of photos since 2006
• Savings: USD 500K per year as of 2006
• More savings are expected with more photos
NASDAQ: hosting historical market data since 2008
More clients are found on: http://aws.amazon.com/solutions/case-studies/
References:
• http://don.blogs.smugmug.com/2006/11/10/amazon-s3-show-me-the-money/
• http://www.infoq.com/articles/nasdaq-case-study-air-and-s3?

Implications of Cloud Storage
Cloud storage will be a cost-saving business solution:
• Save cost for unused storage
• Save technical support for data backups
• Save electric power and maintenance costs for data centers
Yet, as a cloud client, how do we provide security guarantees for our outsourced data?

Security Challenges
Can we protect outsourced data from being improperly accessed?
• Unauthorized users must not access our data
• We don’t want cloud providers to mine our data for their marketing purposes
We need access control:
• Only authorized parties can access outsourced data

Security Challenges
Can we reliably remove data from the cloud?
• We don’t want backups to exist after a pre-defined time
  • e.g., to avoid future exposure due to data breach or management errors by operators
• If an employee quits, we want to remove his/her data
  • e.g., to avoid legal liability
The cloud makes backup copies. We don’t know if all backup copies are reliably removed.
We need assured deletion:
• Data becomes inaccessible upon deletion requests

Previous Work
Cryptographic protection on outsourced data storage [Ateniese et al., SecureComm’08; Wang et al., CCSW’09]
• Require new protocol support on the cloud infrastructure
Security solutions compatible with existing cloud (e.g., Cumulus, JungleDisk) [Yun et al., CCSW’09; Vrable et al., ToS’09]
• No guarantees of reliable deletion of data

Previous Work
Perlman’s Ephemerizer [NDSS’07]
• A file is encrypted with a data key
• The data key is further encrypted with a time-based control key
• The control key is deleted when expiration time is reached
• The control key is maintained by a separate key manager (aka Ephemerizer)
Weaknesses:
• Target only time-based assured deletion
• No fine-grained control of different file access policies
• No implementation

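The layered-key scheme on the Ephemerizer slide, sketched as an added example (not code from the talk, the Ephemerizer paper or FADE). Assumptions: `KeyManager`, `seal`, `store` and `fetch` are hypothetical names, the HMAC-based cipher is a standard-library stand-in for an authenticated cipher such as AES-GCM, and the key manager sees the data key while unwrapping it, which is a simplification.

```python
import hashlib, hmac, secrets

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):  # HMAC counter keystream: stand-in for AES
    ks = b"".join(_prf(key, b"enc" + nonce + i.to_bytes(8, "big"))
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):  # encrypt-then-MAC: nonce || ciphertext || tag
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + _prf(key, b"mac" + nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"mac" + nonce + ct)):
        raise ValueError("authentication failed")
    return _xor_stream(key, nonce, ct)

class KeyManager:  # separate party holding the time-based control keys
    def __init__(self):
        self._control = {}  # expiry time -> control key
    def purge(self, now):  # drop every control key whose expiry has been reached
        self._control = {e: k for e, k in self._control.items() if e > now}
    def wrap(self, expiry, data_key):
        return seal(self._control.setdefault(expiry, secrets.token_bytes(32)), data_key)
    def unwrap(self, expiry, wrapped, now):
        self.purge(now)
        if expiry not in self._control:
            raise KeyError("control key deleted; data key unrecoverable")
        return unseal(self._control[expiry], wrapped)

def store(km, expiry, plaintext):  # returns what the client uploads to the cloud
    data_key = secrets.token_bytes(32)
    return expiry, km.wrap(expiry, data_key), seal(data_key, plaintext)

def fetch(km, stored, now):
    expiry, wrapped_key, ciphertext = stored
    return unseal(km.unwrap(expiry, wrapped_key, now), ciphertext)

def demo():
    km = KeyManager()
    backup = store(km, 2000, b"constructed sample record")  # copy the cloud keeps
    before = fetch(km, backup, now=1000)
    try:
        return before, fetch(km, backup, now=2000)
    except KeyError as gone:
        return before, gone.args[0]
```

The backup copy is never touched: deleting one control key at the key manager is what makes every surviving copy of the ciphertext unreadable.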
Previous Work
Vanish [USENIX’09]
• Divide the data key into many key shares
• Store key shares in nodes of a deployed P2P network
• Nodes remove key shares that reside in cache for 8 hours
Weaknesses:
• Time-based, no fine-grained control

Our Work
FADE: a secure overlay cloud storage system with file assured deletion
Design feature of FADE:
• work atop today’s cloud as an overlay
Security features of FADE:
• Data confidentiality and integrity
• Fine-grained access control: files are accessible only when authorized
• Fine-grained file assured deletion: files are permanently inaccessible and unrecoverable based on policies
Yang Tang, Patrick P. C. Lee, John C. S. Lui, Radia Perlman, “Secure Overlay Cloud Storage with File Assured Deletion”, SecureComm 2010