Upload
hayley
View
26
Download
2
Tags:
Embed Size (px)
DESCRIPTION
Department of Computing. CloudFilter Practical Control of Sensitive Data Propagation to the Cloud. Ioannis Papagiannis Peter Pietzuch Large-Scale Distributed Systems Group http://lsds.doc.ic.ac.uk. ACM Cloud Computing Security Workshop (CCSW), October 19, 2012. - PowerPoint PPT Presentation
Citation preview
Peter R. Pietzuch [email protected]
Ioannis Papagiannis Peter Pietzuch
Large-Scale Distributed Systems Grouphttp://lsds.doc.ic.ac.uk
ACM Cloud Computing Security Workshop (CCSW), October 19, 2012
Department of Computing
CloudFilterPractical Control of Sensitive Data Propagation to
the Cloud
Can an employee store files online?
2
Can an employee store files online? Not really…
Hi Yiannis,
Can you send me that file from my Dropbox?
Sure, here it is!
Why?!
3
Can an employee store files online? Not really…
Why?!
• Policy 1:Employees should not waste time online on personal matters!
• Policy 2:Employees should not be able to send company files to arbitrary recipients!
4
Can an employee store files online? Not really…
Why?!
• Dropbox enables large scale data disclosure• It’s very easy for employees to misunderstand and
violate the data propagation policy of the bank• The bank wants to be able to blame employees if a leak
occurs
5
Current solution: network-level blocking
Network-level blocking of cloud services is not perfect:• Why prevent workflows that involve non-sensitive data?• Employees are more likely to bypass company policy
completely by using personal devices
6
Threat Model
Users are not malicious:• Employees are trusted to decide whether
data are sensitive or not• Employees are accountable for their
actions
The cloud provider:• Is trusted to collaborate with
organisations and help them control access to their data
7
Objectives and IdeasCloudFilter’s objectives:• Support (most) cloud storage providers• help employees comply with data propagation policy• log attempts to disclose sensitive data• control how data are accessed after they have been
uploaded
8
Important ideas:• Three different types of data (confidential, public and
protected)• Most cloud storage providers support HTTP for file
transfers• Data propagation is controlled via labels embedded
inside files
Cloud StorageProvider
Policy
CloudFilter File Upload
Client Proxy
Browser plugin
Service Proxy
1
HTTP
2
File
3label
File
label
4 Policy5
9
Cloud Storage Provider
CloudFilter File Download
Client Proxy
Browser plugin
Service Proxy
1HTTP
Policy
2
File
label
34
10
File
Embedding labels inside files
<rdf:Description rdf:about=""xmlns:cf0="http://cloudfilter.doc.ic.ac.uk/0"><cf0:domain>cf.doc.ic.ac.uk</cf0:domain><cf0:id>protected</cf0:id>
<cf0:parameters><rdf:Seq>
<rdf:li>user</rdf:li></rdf:Seq>
</cf0:parameters><cf0:user>ip108, prp</cf0:user>
</rdf:Description>
policy id
proxy addr
parameters
Labels can be embedded inside specific file types using Adobe’s eXtensible Metadata
Platform (XMP)
11
Policy 1: Prevent all file uploads to Dropbox
Client Proxy
Browser plugin
HTTPFile
• Event{out} {put post} {(.*\.)*dropbox.com(/.*)* }
• Condition(none)
• Actionreturn(“403”)
12
Policy 2: Only allow uploading public documents
Client Proxy
Browser plugin
HTTPFile
• Event{out} {put post} {(.*\.)*dropbox.com(/.*)* }
• Condition(none)
• Actionform=createHTMLForm()resp=ask(form)if resp==“public”: log() return(issue())else: return(“403”)
13
Cloud Storage Provider
Policy 3: Only share documents across university staff
Client Proxy Service Proxy
Policy(DN)
File
UConfidential
File
Policy(UP)
UniversityStudent
UniversityEmployee
File
UConfidential
14
CloudFilter++
15
CloudFilter Limitations
Limitations: • No provenance » too irritating for the user
• User input is required to classify each file in a security category
• User input is required again after a file has been edited• Restrictive data model » most web applications do not
use files• Web applications typically use a relational database and a
custom data model• Online document editors expose file export/import
functionality but this does not preserve labels• User files are typically stored online, edited locally
16
17
How will the future enterprise desktop look like?
start
Policy specification: Event-Condition-Action (ECA)
Data propagation policies• they specify the actions of CloudFilter proxies when file transfers are
detected• have 3 parts (Event-Condition-Action)• may be sent across proxies at runtimePart 1: Event• the event that triggers an ECA policy is the invocation of an HTTP
method• Match HTTP requests according to (1) direction of data flow, (2) HTTP
method, (3) target URL
19
Part 2: Condition• The condition that must be satisfied is the existence of labeled
files inside the HTTP request/response• Two type of conditions (service-agnostic, service-specific)
Part 3: Action• A python script that a proxy executes to handle the file transfer• The script can access the file and the HTTP request/response