
COPYRIGHT © 2012 ALCATEL-LUCENT. ALL RIGHTS RESERVED. ALCATEL-LUCENT — CONFIDENTIAL — SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW — PROPRIETARY — USE PURSUANT TO COMPANY INSTRUCTION

S. Betgé-Brezetz, M.P. Dupont, G.B. Kamga, A. Guesmi

Alcatel-Lucent Bell Labs, France

IEEE CloudNet, San Francisco, November 11th, 2013

END-TO-END PRIVACY POLICY ENFORCEMENT IN CLOUD INFRASTRUCTURE


PRIVACY & DATA PROTECTION IN THE CLOUD: BUSINESS & REGULATION CONTEXT (1/2)

• Enterprises are moving their data & applications into the cloud (even for a time-bound project)

– Various data sensitivities (e.g., HR, eHealth data), applications (e.g., business, communication) and policies (regulation, enterprise, end-user)

• Key issue: end-to-end protection of sensitive data stored, processed and moving in the cloud

[Figure: Traditional Enterprise IT (on-premise based) versus Cloud-based Enterprise IT (incl. private & public cloud), each holding applications, data and policy. On-premise: "I know where my data are", "Data, apps & policy are controlled by my IT staff", "I control the access to my data". Cloud: "Where are my data located?", "Who has accessed my data? From where? How many times?", "How many copies of a given data item exist in the cloud?"]

Keep the privacy & confidentiality of sensitive data in the cloud throughout their lifecycle (creation, processing, transfer, deletion)


PRIVACY & DATA PROTECTION IN THE CLOUD: BUSINESS & REGULATION CONTEXT (2/2)

• The Enterprise (as a Cloud User) is responsible for the correct application of the privacy/data protection policies to its customer data (e.g., see* for the European regulation context)

– The Cloud Service Provider (CSP) has to provide adequate protection features so that the Cloud User can appropriately set the privacy policies for each of its sensitive data items

• These privacy settings have to be specified in the SLA agreed between the CU and the CSP

– The CSP has to enforce the SLA and provide evidence of SLA fulfillment

[Figure: the Cloud User (Data Controller) holds the data and the applicable policies; the Cloud Service Provider (Data Processor) operates the Cloud Management layer (e.g., orchestration, monitoring) and the Cloud Infrastructure (computing node, storage, network). Labelled flows (steps 1 to 3): privacy-related metadata attached to the data, cloud privacy settings, SLA, compliance analysis.]

*Article 29 Data Protection Working Party, “Opinion 05/2012 on cloud computing”, WP 196, Brussels, July 2012

Data protection: a mandatory requirement for the CSP


PRIVACY & DATA PROTECTION IN THE CLOUD: KEY REQUIREMENTS

• Data storage

– Data location

– Data access control per application/per user

– Data retention and deletion

– Data usage tracing

– Data breach notification

– etc.

• Data processing (in Virtual Machines)

– VM location and co-location constraints

– VM isolation

– VM security level

– etc.

This data protection should be handled end-to-end (from the Cloud User through all the cloud nodes/VMs of the CSP)


PRIVACY & DATA PROTECTION IN THE CLOUD: RELATED WORK

• Data obfuscation before sending to the cloud: prevent the CSP from accessing the plain data

– Encryption [Diallo 2012, HekaFS], Data Shredding [Rabin 1989]

– Enable some processing on encrypted data: homomorphic encryption [Gentry 2009]

⇒ Adapted to storage services, but not to benefiting from the cloud computation capabilities

⇒ No flexible access control

• Privacy policy enforcement: sticky policy approaches

– Using a consent & revocation module [Casassa 2012]

– Scalable authorization infrastructure with conflict resolution capabilities [Chadwick 2012]

– Proprietary solution: Rights Management System (RMS) [Microsoft]

⇒ Infrastructure-related constraints not enforced

⇒ Not transparent to the application (application upgrade or applicative plug-in needed)


Privacy & Data Protection in the Cloud: Our approach, end-to-end data protection

[Figure: the Customer Site (Cloud User Applications, Client Data Protection Module, data usage history) exchanges with the Cloud Infrastructure Level Data Protection Module (Cloud Provider Services). Plain text data + privacy policies → encryption → PDE (Privacy Data Envelope), which travels as data + policy.]

• End-to-end policy enforcement from the client device to the cloud infrastructure

• Controls are governed by the data itself (PDE: sticky policy based approach)

• In-depth and fine-grained access control within the cloud (based on user ID and location, data location, action purpose, etc.) and transparent to the applications

• Overall data access tracking in order to build a comprehensive data usage dashboard


Privacy & Data Protection in the Cloud: Implementation, File Data Protection Module

[Figure: the Customer Device runs User Applications and the Client Data Protection Module (CDPM). A Cloud Compute Node hosts a Virtual Machine (Linux Ubuntu) in which the File Data Protection Module (FDPM) sits between the User/System Applications and the FUSE kernel module: FS requests/responses on /protected_dir pass through the FUSE-J based FS Wrapper, which calls the Policy Checking, Data Access Manager, Trace Manager and User Context Manager components; the protected files are stored as file.pde in /backend_dir.]

• Illustration in the case of the VM file system: File Data Protection Module (FDPM)

– Uses FUSE* (Linux standard) to intercept all file system calls made to files stored in a protected directory (/protected_dir)

– Enforces the privacy policies for each action performed on a protected file

– "Replaces" the POSIX ACL (e.g., "ugo+rw") by the policy attached to the file

* File system in user space


PRIVACY & DATA PROTECTION IN THE CLOUD: FDPM PROTOTYPE CHARACTERISTICS

• Virtual Machines

– Linux Ubuntu 12.04

– Deployed on Cloud Platforms in France and in the US

• File system wrapper

– FUSE version 2.8

– FUSE-J (JNI Java/C binding)

• Policy checking

– Java SunXacml (XACML 2.0)

• Data access management: file & policy hybrid encryption

– Blowfish (FEK/File Encryption Key, PEK/Policy Encryption Key)

– GPG (PEK and FEK encryption)
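The hybrid encryption listed above (file content under a FEK, policy under a PEK, both keys wrapped for the node allowed to open the envelope), as an added example that is not code from the slides or from the Alcatel-Lucent prototype. It is written in Go with AES-256-GCM and RSA-OAEP standing in for the prototype's Blowfish and GPG because both are in the standard library; the PDE field layout, the OAEP labels and the function names (BuildPDE, OpenPolicy, OpenData) are assumptions. The design point it adds to the bullets: the data ciphertext is bound to the policy ciphertext as additional authenticated data, so the sticky policy cannot be detached or replaced by a weaker one without the data becoming undecryptable, and the FDPM can read the policy to take its decision without ever unwrapping the file key.

```go
package main

// Added example (not the slides' or the prototype's code): a hybrid-encrypted
// Privacy Data Envelope. AES-256-GCM and RSA-OAEP stand in for Blowfish and GPG.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// PDE: policy and data each under their own key, both keys wrapped to the FDPM's public key.
type PDE struct {
	WrappedFEK []byte // RSA-OAEP(FEK), label "fek"
	WrappedPEK []byte // RSA-OAEP(PEK), label "pek"
	Policy     []byte // nonce || AES-GCM(PEK, policy XML)
	Data       []byte // nonce || AES-GCM(FEK, file content), AAD = Policy
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts plaintext under a 32-byte key and prepends a random nonce.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; a wrong key, altered ciphertext or altered AAD fails.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("pde: sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// BuildPDE is the client-side (CDPM) step. The policy is sealed first so the data
// ciphertext can be bound to it as AAD: swapping the policy makes the data unreadable.
func BuildPDE(fdpmPub *rsa.PublicKey, data, policy []byte) (*PDE, error) {
	keys := make([]byte, 64) // fresh FEK || PEK for every file
	if _, err := rand.Read(keys); err != nil {
		return nil, err
	}
	fek, pek := keys[:32], keys[32:]
	encPolicy, err := sealGCM(pek, policy, nil)
	if err != nil {
		return nil, err
	}
	encData, err := sealGCM(fek, data, encPolicy)
	if err != nil {
		return nil, err
	}
	wFEK, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, fdpmPub, fek, []byte("fek"))
	if err != nil {
		return nil, err
	}
	wPEK, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, fdpmPub, pek, []byte("pek"))
	if err != nil {
		return nil, err
	}
	return &PDE{WrappedFEK: wFEK, WrappedPEK: wPEK, Policy: encPolicy, Data: encData}, nil
}

// unwrapAndOpen recovers one symmetric key with the FDPM private key and opens one part.
func unwrapAndOpen(priv *rsa.PrivateKey, wrappedKey, sealed, aad []byte, label string) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, []byte(label))
	if err != nil {
		return nil, err
	}
	return openGCM(key, sealed, aad)
}

// OpenPolicy recovers only the policy; the file key stays wrapped until a decision is taken.
func OpenPolicy(priv *rsa.PrivateKey, env *PDE) ([]byte, error) {
	return unwrapAndOpen(priv, env.WrappedPEK, env.Policy, nil, "pek")
}

// OpenData is called only after the policy check permitted the action.
func OpenData(priv *rsa.PrivateKey, env *PDE) ([]byte, error) {
	return unwrapAndOpen(priv, env.WrappedFEK, env.Data, env.Policy, "fek")
}
```

A node that holds only the FDPM private key of another VM cannot open the envelope at all, which is the property the location constraints of the scenario rely on; with a per-node key pair the wrap step is where "only VM-FR and VM-US-1 may hold this file" is actually enforced cryptographically rather than just checked.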

[Figure: FDPM architecture, as on the previous slide (Customer Device with User Applications and the Client Data Protection Module (CDPM); VM on a Cloud Compute Node with the FUSE-J based FS Wrapper, Policy Checking, Data Access Manager, Trace Manager and User Context Manager between the User/System Applications and the FUSE kernel module; /protected_dir backed by file.pde in /backend_dir).]


Privacy & Data Protection in the Cloud: scenario (1/7): setup

[Figure: testbed. A client laptop at Nozay-Vx (FR) runs the Client Data Protection Module and holds the files MarcDurand.xml and Policy.xml. Cloud compute nodes: VM-FR (ALU Bell Labs AxP Cloud, Nozay-Vx, FR) equipped with the FDPM; VM-US-1 (ALU CloudBand, Naperville, US) equipped with the FDPM; VM-US-2 (ALU CloudBand, Naperville, US) without FDPM; VM-Other (ALU Bell Labs AxP Cloud, emulated other country) equipped with the FDPM. Each VM runs an OS, Application_A and Application_B; the transfers between the laptop and the VMs, and between VMs, go over sftp (numbered steps 1 to 8).]


Privacy & Data Protection in the Cloud: scenario (2/7): data & policy

[Figure: same testbed as scenario (1/7); the customer profile MarcDurand.xml and its policy are shown on the client laptop.]

Customer profile (MarcDurand.xml):

– First Name: Marc

– Name: Durand

– Citizenship: French

– Address: 10 rue de la Paix, Paris, France

– Phone: 01 40 56 37 32

– Purchase history & customer profile: …

– Location history & geo-profile: ...

– Call history & social profile: ...

Policy:

• The profile shall only be stored in a protected VM (i.e., in the protected_dir of a VM equipped with the FDPM).

• The profile shall only be stored in France or in the US.

• This profile shall be accessed/processed by Application_A (e.g., content recommendation application) but not by Application_B (e.g., targeted advertising application).


Privacy & Data Protection in the Cloud: scenario (3/7): protected file generation

[Figure: same testbed as scenario (1/7). Step 2: on the client laptop, the Client Data Protection Module combines MarcDurand.xml with Policy.xml into the protected file MarcDurand.pde.]

Generation of the protected file (MarcDurand.pde)


Privacy & Data Protection in the Cloud: scenario (4/7): upload in the cloud

[Figure: same testbed as scenario (1/7). MarcDurand.pde is transferred over sftp from the client laptop to VM-FR.]

Transfer of MarcDurand.pde to VM-FR

VM-FR with the MarcDurand.pde file stored in the directory /protected_dir


Privacy & Data Protection in the Cloud: scenario (5/7): access from Application_A & Application_B controlled by policy

[Figure: same testbed as scenario (1/7). On VM-FR, Application_A and Application_B both attempt to read MarcDurand.pde through the FDPM.]

Appli_A is authorized to read the file MarcDurand.pde

Appli_B is not authorized to read the file MarcDurand.pde


Privacy & Data Protection in the Cloud: scenario (6/7): file transfer controlled by policy

[Figure: same testbed as scenario (1/7). From VM-FR, MarcDurand.pde is sent over sftp towards VM-US-1 (protected VM in the US), VM-US-2 (US, no FDPM) and VM-Other (protected VM in another country).]

VM-US-1 after authorized sftp transfer of MarcDurand.pde (100% transferred, policy ok)

VM-US-2 after unauthorized sftp transfer of MarcDurand.pde (0% transferred, policy not ok)

VM-Other after unauthorized sftp transfer of MarcDurand.pde (0% transferred, policy not ok)
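The access decisions of scenario (5/7) and the transfer decisions of scenario (6/7), as an added example that is not the prototype's SunXacml/XACML code: a small Go evaluator for the sticky policy attached to MarcDurand.pde, in the position of the Policy Checking component behind the FS wrapper. The XML schema, the Request fields and the trace line format are assumptions; the decisions it returns are the ones the slides show (Application_A may read, Application_B may not; transfer to VM-US-1 permitted, to VM-Other and VM-US-2 denied). The evaluator is default-deny: the storage constraints apply to every action, and a read or write additionally needs an explicit access rule for the calling application.

```go
package main

// Added example (not the prototype's XACML code): sticky-policy evaluation
// for the scenario's profile. Schema and field names are assumptions.

import (
	"encoding/xml"
	"fmt"
)

// SamplePolicy is a constructed policy expressing the three rules of scenario (2/7).
const SamplePolicy = `<policy file="MarcDurand.pde">
  <storage requireProtectedVM="true">
    <country>FR</country>
    <country>US</country>
  </storage>
  <access application="Application_A" action="read"/>
</policy>`

type AccessRule struct {
	Application string `xml:"application,attr"`
	Action      string `xml:"action,attr"`
}

type Policy struct {
	XMLName xml.Name `xml:"policy"`
	File    string   `xml:"file,attr"`
	Storage struct {
		RequireProtectedVM bool     `xml:"requireProtectedVM,attr"`
		Countries          []string `xml:"country"`
	} `xml:"storage"`
	Access []AccessRule `xml:"access"`
}

// Request is the context the FS wrapper sees for one intercepted call.
type Request struct {
	Application string // identity of the calling process (user context)
	Action      string // "read", "write" or "transfer"
	Country     string // country of the VM that holds or will receive the file
	ProtectedVM bool   // whether that VM runs an FDPM
}

type Decision struct {
	Permit bool
	Reason string
}

func ParsePolicy(doc string) (*Policy, error) {
	var p Policy
	if err := xml.Unmarshal([]byte(doc), &p); err != nil {
		return nil, err
	}
	return &p, nil
}

// Evaluate is default-deny: storage constraints apply to every action, and a
// read/write additionally needs an explicit access rule for the application.
func Evaluate(p *Policy, r Request) Decision {
	if p.Storage.RequireProtectedVM && !r.ProtectedVM {
		return Decision{false, "destination VM is not protected by an FDPM"}
	}
	allowed := false
	for _, c := range p.Storage.Countries {
		if c == r.Country {
			allowed = true
		}
	}
	if !allowed {
		return Decision{false, "storage location " + r.Country + " not allowed"}
	}
	if r.Action == "transfer" {
		return Decision{true, "destination satisfies the storage constraints"}
	}
	for _, rule := range p.Access {
		if rule.Application == r.Application && rule.Action == r.Action {
			return Decision{true, "access rule matched"}
		}
	}
	return Decision{false, r.Application + " is not authorized to " + r.Action}
}

// TraceLine is the record the Trace Manager would keep for the data usage dashboard.
func TraceLine(p *Policy, r Request, d Decision) string {
	verdict := "DENY"
	if d.Permit {
		verdict = "PERMIT"
	}
	return fmt.Sprintf("%s file=%s app=%s action=%s country=%s protected=%t reason=%q",
		verdict, p.File, r.Application, r.Action, r.Country, r.ProtectedVM, d.Reason)
}

func main() {
	p, err := ParsePolicy(SamplePolicy)
	if err != nil {
		panic(err)
	}
	for _, r := range []Request{
		{"Application_A", "read", "FR", true}, // scenario 5/7: permitted
		{"Application_B", "read", "FR", true}, // scenario 5/7: denied
		{"sftp", "transfer", "US", true},      // VM-US-1: 100% transferred
		{"sftp", "transfer", "XX", true},      // VM-Other: other country, 0%
		{"sftp", "transfer", "US", false},     // VM-US-2: no FDPM, 0%
	} {
		fmt.Println(TraceLine(p, r, Evaluate(p, r)))
	}
}
```

Every decision, permitted or denied, produces a trace line; that is what makes the "generated traces" of scenario (7/7) usable as audit evidence of SLA fulfillment rather than only as a record of successful accesses.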


Privacy & Data Protection in the Cloud: scenario (7/7): generated traces

[Figure: same testbed as scenario (1/7), with the region of VM-FR labelled Europe; the FDPM of each protected VM has recorded the traces of the accesses and transfers of the previous steps.]

Generated traces


Privacy & Data Protection in the Cloud: Performance Evaluation

Computation time split (500 KB PDE file, file read access control):

– FS Wrapper: 7%

– PDE Manager (decryption): 46%

– Policy Checking: 28%

– FUSE kernel: 19%

Total computation time = 220 ms (compared to 60 ms for a plaintext file)

[Figure: performance of the FDPM modules according to the PDE file size. Bar chart of duration (ms, axis 0 to 350) for PDE files of 1 KB, 10 KB, 100 KB, 500 KB, 1 MB and 2 MB (Ko/Mo on the original chart), each bar split into FS Wrapper, PDE Manager (decryption), Policy Checking and FUSE kernel.]


CONCLUSION & PERSPECTIVES

Conclusion: end-to-end & in-depth protection of sensitive data

• Support of various types of policies encompassing storage and computing (VM, file system)

• End-to-end monitoring of data, allowing to build a comprehensive data usage dashboard (enabling security & privacy audits)

• Solution fully transparent for the applications (no need to modify the applications)

Some perspectives

• Use of Secure Elements (e.g., SD card, smart card) embedded in the cloud nodes in order to further enforce security

– Support of the European SEED4C research project (www.celticplus-seed4c.org)

• Enforce privacy constraints on the network path, notably by relying on SDN technologies

– E.g., data transferred between VMs should not cross some given unauthorized areas
