Cloud - Week 5

Uploaded by

Haiqa Hashmi

Lecture 5

Data Security & Privacy in the Cloud


If cloud computing is so great, why isn’t
everyone doing it?
• The cloud acts as a big black box, nothing inside the
cloud is visible to the clients
• Clients have no idea or control over what happens
inside a cloud
• Even if the cloud provider is honest, it can have
malicious system admins who can tamper with the
VMs and violate confidentiality and integrity
• Clouds are still subject to traditional data
confidentiality, integrity, availability, and privacy
issues

Companies are afraid to use clouds

[Chow09ccsw]
What is Privacy?

• The concept of privacy varies widely among (and sometimes
within) countries, cultures, and jurisdictions.
• It is shaped by public expectations and legal interpretations;
– as such, a concise definition is elusive if not impossible.
• Privacy rights or obligations are related to the collection, use,
disclosure, storage, and destruction of personal data
• At the end of the day, privacy is about the accountability of
organizations to data subjects, as well as the transparency to
an organization’s practice around personal information.

From [6] Cloud Security and Privacy by Mather and Kumaraswamy

What Are the Key Privacy Concerns?

• Typically mix security and privacy
• Some considerations to be aware of:
– Storage
– Retention
– Destruction
– Auditing, monitoring and risk management
– Privacy breaches
– Who is responsible for protecting privacy?

From [6] Cloud Security and Privacy by Mather and Kumaraswamy


Control over data

• Moving data off premises does not necessarily pose
new risks, it may actually improve security
– Most organizations have minimum security
services for on premises systems.
• Entrusting data to external providers can be better
and cost effective.
• Currently security is limited to the community and
private cloud.
[Figure text: CSP high assurance balance shift]
Data Security and Storage
• Several aspects of data security, including:
– Data-in-transit
– Data-at-rest
– Processing of data

From [6] Cloud Security and Privacy by Mather and Kumaraswamy


Data at rest
• Data at rest
– Data in computer storage
– Includes
• Files on a corporate server
• Files on an employee server
• Offsite file backup
– Same principles apply to cloud as standard
security
– Need to follow-up with holistic security methods
[Figure text: Owning organization is data owning]
Cloud data storage
• Cloud storage provides the CIA triad
• Data is stored on multiple virtualized servers.
• Physically the resources will span multiple servers
even multiple storage sites.
• CSP responsible for backup, replication and disaster
recovery. Example Amazon S3
• Data replication is achieved via RAID
implementations
• Note that many CSPs do not provide data backup as a
default feature
Cloud storage gateway

• A cloud storage gateway is a software or hardware
networking device that provides connectivity and
protocol translation services between a cloud
storage service provider and local customer
application.
• It is implemented on a local machine or application
to facilitate data transfer between incompatible
protocols, security and compression services.
• https://searchstorage.techtarget.com/definition/cloud-storage-gateway
Cloud lock-in (Roach motel syndrome)
• Dependence on the cloud services could mean that
switching providers is extremely difficult.
• Organizations start with one service and end up
storing the entire data on the cloud
– Thus a secondary service has now become your
lifeline.
– Problems become severe with customized APIs,
custom file types, extensions, etc.
– Data migration issues with proprietary data
formats.
Cloud lock-in - Metadata
• Metadata gives insight into the operations on the
cloud.
• Tends to grow as the system gets entangled with
other systems
• Includes
– Where data came from
– Who performed operations on it
– Time stamps
– Records associative context information
Avoiding Cloud lock-in

• When choosing a CSP look for export features
– Allows subscribers to export data and metadata in
bulk.
• Also consider if the exported data could be imported
into other CSP.
– Issues with proprietary file formats
• Let’s see some export options
Avoiding Cloud lock-in

• Salesforce.com allows complete export of all data.
– Some packages provide the service for free, while
others must pay for it.
– Exported data is in a ZIP file with CSV files giving
details of each object metadata.
• Google has created a Data Liberation Front.
– A team of engineers dedicated to preventing lock-
in.
Avoiding Cloud lock-in

• Google Docs is a repository for all users where data
can be placed for distributed access.
• Export features allow subscribers to export all
documents in familiar Word and OpenOffice formats.
• Elastic Compute Cloud Service (EC2) @ Amazon Web
Services
– Offers a physical hard drive for the data migration
process.
Data Integrity

• Has two different perspectives
– Integrity of data
• Data has not been modified in any way
– Provenance
• Integrity of the data and the computational accuracy
(correctness of operations) of the data.
Data Availability
• Four Concerns
– Lack of availability due to network based attacks
• Attacks which could limit our connection to the
CSP.
– CSP availability
• Five 9s availability - Ideally want 99.999% uptime.
Data Availability

Total Downtime (HH:MM:SS)

Availability   Per day      Per month   Per year
99.999%        00:00:00.4   00:00:26    00:05:15
99.99%         00:00:08     00:04:24    00:52:35
99.9%          00:01:26     00:43:49    08:45:56
99%            00:14:23     07:18:17    87:39:29
• Entire loss of data
– Carbonite Inc lost data of 7500 customers due to
faulty backup equipment
• Service closure/ out of business
– Coghead shutdown services suddenly and gave 90
days for backup to customers.
Data Remanence

• Data remanence is the residual representation of
data
– Could have been left behind due to insufficient
delete procedures.
– Due to physical properties of the storage medium
– Many CSPs do not even mention data remanence
as a suitable service
– Need to refer to US DoD 5220.22-M standard
• Clearing
– Process of ensuring that the data cannot be
recovered using standard software tools. Recovery
can be made in special labs for data recovery.
• Sanitization/ purging
– Process of removing data from media before
reusing the media in an environment below the
current protection level. Essential that the data
cannot be recovered using any form of tool (HW
or SW)
Causes of Problems Associated
with Cloud Computing
• Most security problems stem from:
– Loss of control
– Lack of trust (mechanisms)
– Multi-tenancy
• These problems exist mainly in 3rd party
management models
Loss of Control in the Cloud
• Consumer’s loss of control
– Data, applications, resources are located with
provider
– User identity management is handled by the cloud
– User access control rules, security policies and
enforcement are managed by the cloud provider
– Consumer relies on provider to ensure
• Data security and privacy
• Resource availability
• Monitoring and repairing of services/resources
Lack of Trust in the Cloud
• Trusting a third party requires taking risks

• Defining trust and risk
– Opposite sides of the same coin (J. Camp)
– People only trust when it pays (Economist’s view)
– Need for trust arises only in risky situations

• Third party management schemes
– Hard to balance trust and risk
– e.g. Key Escrow (Clipper chip)
– Is the cloud headed toward the same path?
Taxonomy of Fear
• Confidentiality
– Fear of loss of control over data
• Will the sensitive data stored on a cloud remain
confidential?
• Will cloud compromises leak confidential client data?
• Will the cloud provider itself be honest and not
peek into the data?

• Integrity
– How do I know that the cloud provider is doing the
computations correctly?
– How do I ensure that the cloud provider really stored
my data without tampering with it?

From [5] www.cs.jhu.edu/~ragib/sp10/cs412
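
A client-side answer to the integrity questions above and to the "data has not been modified in any way" requirement from the Data Integrity slide. This is an added example, not part of the original lecture; the class name, object names and sample contents are constructed, and the scheme (an HMAC-SHA256 tag bound to object name and version) is one common approach chosen for illustration.

```python
import hashlib
import hmac
import os


class IntegrityClient:
    """Data-owner side. Keeps the MAC key and a per-object version counter
    locally; data and tag are stored with the untrusted provider."""

    def __init__(self, key: bytes):
        self._key = key
        self._versions = {}  # object name -> latest version written

    def _tag(self, name: str, version: int, data: bytes) -> bytes:
        # Bind name and version into the MAC so that a valid blob cannot be
        # served under another name or replaced by an older valid copy.
        header = f"{len(name)}:{name}:{version}:".encode()
        return hmac.new(self._key, header + data, hashlib.sha256).digest()

    def seal(self, name: str, data: bytes) -> bytes:
        """Call before upload; returns the tag to store next to the data."""
        version = self._versions.get(name, 0) + 1
        self._versions[name] = version
        return self._tag(name, version, data)

    def verify(self, name: str, data: bytes, tag: bytes) -> bool:
        """Call after download; True only for the latest write of `name`."""
        version = self._versions.get(name)
        if version is None:
            return False
        return hmac.compare_digest(tag, self._tag(name, version, data))


def demo() -> dict:
    # Constructed sample objects; tuples are (data, tag) as the provider holds them.
    client = IntegrityClient(os.urandom(32))
    v1 = (b"alice,5000\n", client.seal("payroll.csv", b"alice,5000\n"))
    v2 = (b"alice,5500\n", client.seal("payroll.csv", b"alice,5500\n"))
    other = (b"draft\n", client.seal("notes.txt", b"draft\n"))
    return {
        "honest": client.verify("payroll.csv", *v2),
        "tampered": client.verify("payroll.csv", b"alice,9500\n", v2[1]),
        "swapped": client.verify("payroll.csv", *other),
        "rolled_back": client.verify("payroll.csv", *v1),
    }


if __name__ == "__main__":
    print(demo())
```

The check detects modification, substitution and rollback at download time only; it does not keep the provider from reading the data, and it does not prove the provider still holds the object between downloads.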
Taxonomy of Fear (cont.)

• Availability
– Will critical systems go down at the client, if the
provider is attacked in a Denial of Service attack?
– What happens if cloud provider goes out of
business?
– Would the cloud scale well enough?
– Often-voiced concern
• Although cloud providers argue their downtime
compares well with cloud user’s own data centers
From [5] www.cs.jhu.edu/~ragib/sp10/cs412
Taxonomy of Fear (cont.)
• Privacy issues raised via massive data mining
– Cloud now stores data from a lot of clients, and
can run data mining algorithms to get large
amounts of information on clients
• Increased attack surface
– Entity outside the organization now stores and
computes data, and so
– Attackers can now target the communication link
between cloud provider and client

From [5] www.cs.jhu.edu/~ragib/sp10/cs412


Taxonomy of Fear (cont.)
• Auditability and forensics (out of control of data)
– Difficult to audit data held outside organization in a
cloud
– Forensics also made difficult since now clients don’t
maintain data locally
• Legal dilemma and transitive trust issues
– Who is responsible for complying with regulations?
• e.g., GDPR, SOX, HIPAA, GLBA ?
– If cloud provider subcontracts to third party clouds,
will the data still be secure?

From [5] www.cs.jhu.edu/~ragib/sp10/cs412


Taxonomy of Fear (cont.)
Cloud Computing is a security
nightmare and it can't be handled
in traditional ways.

John Chambers
CISCO CEO

• Security is one of the most difficult tasks to implement in
cloud computing.
– Different forms of attacks in the application side and
in the hardware components
• An attack with catastrophic effects needs only one security
flaw
(http://www.exforsys.com/tutorials/cloud-computing/cloud-computing-security.html)

Threat Model
• A threat model helps in analyzing a security problem,
designing mitigation strategies, and evaluating solutions
• Steps:
– Identify attackers, assets, threats and other
components
– Rank the threats
– Choose mitigation strategies
– Build solutions based on the strategies

From [5] www.cs.jhu.edu/~ragib/sp10/cs412


Threat Model

• Basic components
– Attacker modeling
• Choose what attacker to consider
– insider vs. outsider?
– single vs. collaborator?
• Attacker motivation and capabilities
– Attacker goals
– Vulnerabilities / threats

From [5] www.cs.jhu.edu/~ragib/sp10/cs412


What is the issue?

• The core issue here is the levels of trust
– Many cloud computing providers trust their customers
– Each customer is physically commingling its data with
data from anybody else using the cloud while logically
and virtually you have your own space
– The way that the cloud provider implements security
is typically focused on the fact that those outside of
their cloud are evil, and those inside are good.
• But what if those inside are also evil?

From [5] www.cs.jhu.edu/~ragib/sp10/cs412


Attacker Capability: Malicious Insiders
• At client
– Learn passwords/authentication information
– Gain control of the VMs
• At cloud provider
– Log client communication
– Can read unencrypted data
– Can possibly peek into VMs, or make copies of VMs
– Can monitor network communication, application patterns
– Why?
• Gain information about client data
• Gain information on client behavior
• Sell the information or use it themselves

From [5] www.cs.jhu.edu/~ragib/sp10/cs412


Challenges for the attacker

• How to find out where the target is located?
• How to be co-located with the target in the same
(physical) machine?
• How to gather information about the target?

From [5] www.cs.jhu.edu/~ragib/sp10/cs412

