CloudFilter Practical Control of Sensitive Data Propagation to the Cloud
Peter R. Pietzuch
Ioannis Papagiannis, Peter Pietzuch
Large-Scale Distributed Systems Group, http://lsds.doc.ic.ac.uk
ACM Cloud Computing Security Workshop (CCSW), October 19, 2012
Department of Computing
CloudFilter: Practical Control of Sensitive Data Propagation to the Cloud
Can an employee store files online?
Can an employee store files online? Not really…
Hi Yiannis,
Can you send me that file from my Dropbox?
Sure, here it is!
Why?!
Can an employee store files online? Not really…
Why?!
• Policy 1: Employees should not waste time online on personal matters!
• Policy 2: Employees should not be able to send company files to arbitrary recipients!
Can an employee store files online? Not really…
Why?!
• Dropbox enables large scale data disclosure
• It’s very easy for employees to misunderstand and violate the data propagation policy of the bank
• The bank wants to be able to blame employees if a leak occurs
Current solution: network-level blocking
Network-level blocking of cloud services is not perfect:
• Why prevent workflows that involve non-sensitive data?
• Employees are more likely to bypass company policy completely by using personal devices
Threat Model
Users are not malicious:
• Employees are trusted to decide whether data are sensitive or not
• Employees are accountable for their actions
The cloud provider:
• Is trusted to collaborate with organisations and help them control access to their data
Objectives and Ideas
CloudFilter’s objectives:
• Support (most) cloud storage providers
• Help employees comply with data propagation policy
• Log attempts to disclose sensitive data
• Control how data are accessed after they have been uploaded
Important ideas:
• Three different types of data (confidential, public and protected)
• Most cloud storage providers support HTTP for file transfers
• Data propagation is controlled via labels embedded inside files
CloudFilter File Upload
[Diagram: Browser plugin, Client Proxy, Service Proxy and Cloud Storage Provider; steps numbered 1 to 5; slide labels: HTTP, File, label, Policy]
CloudFilter File Download
[Diagram: Browser plugin, Client Proxy, Service Proxy and Cloud Storage Provider; steps numbered 1 to 4; slide labels: HTTP, Policy, File, label]
Embedding labels inside files

    <rdf:Description rdf:about="" xmlns:cf0="http://cloudfilter.doc.ic.ac.uk/0">
      <cf0:domain>cf.doc.ic.ac.uk</cf0:domain>
      <cf0:id>protected</cf0:id>
      <cf0:parameters>
        <rdf:Seq>
          <rdf:li>user</rdf:li>
        </rdf:Seq>
      </cf0:parameters>
      <cf0:user>ip108, prp</cf0:user>
    </rdf:Description>

Slide callouts: policy id, proxy addr, parameters.

Labels can be embedded inside specific file types using Adobe’s eXtensible Metadata Platform (XMP).
Policy 1: Prevent all file uploads to Dropbox
[Diagram: Browser plugin and Client Proxy; slide labels: HTTP, File]
• Event: {out} {put post} {(.*\.)*dropbox.com(/.*)* }
• Condition: (none)
• Action: return("403")
Policy 2: Only allow uploading public documents
[Diagram: Browser plugin and Client Proxy; slide labels: HTTP, File]
• Event: {out} {put post} {(.*\.)*dropbox.com(/.*)* }
• Condition: (none)
• Action:

    form = createHTMLForm()
    resp = ask(form)
    if resp == "public":
        log()
        return(issue())
    else:
        return("403")
Policy 3: Only share documents across university staff
[Diagram: Client Proxy, Service Proxy and Cloud Storage Provider; slide labels: Policy(DN), Policy(UP), File with label UConfidential, University Student, University Employee]
CloudFilter++
CloudFilter Limitations
Limitations:
• No provenance » too irritating for the user
  • User input is required to classify each file in a security category
  • User input is required again after a file has been edited
• Restrictive data model » most web applications do not use files
  • Web applications typically use a relational database and a custom data model
  • Online document editors expose file export/import functionality but this does not preserve labels
  • User files are typically stored online, edited locally
What will the future enterprise desktop look like?
Policy specification: Event-Condition-Action (ECA)
Data propagation policies:
• Specify the actions of CloudFilter proxies when file transfers are detected
• Have 3 parts (Event-Condition-Action)
• May be sent across proxies at runtime
Part 1: Event
• The event that triggers an ECA policy is the invocation of an HTTP method
• Match HTTP requests according to (1) direction of data flow, (2) HTTP method, (3) target URL
Part 2: Condition
• The condition that must be satisfied is the existence of labeled files inside the HTTP request/response
• Two types of conditions (service-agnostic, service-specific)
Part 3: Action
• A Python script that a proxy executes to handle the file transfer
• The script can access the file and the HTTP request/response