Do you often use Facebook? What about Snapchat, Gmail, Dropbox, Slack, Google Drive, Spotify or Minecraft? Perhaps all of them? Bottom line, if you use an online social network, e-mail program, data storage service or a music platform, you are almost certainly using cloud computing.
Cloud computing is a way of giving access to shared resources such as computer networks, servers, storage, applications and services. Individuals and organizations can place their data on the cloud and enjoy unlimited storage free or at a relatively low cost. It also allows services such as email to be offloaded, reducing companies’ development and maintenance costs.
Data breaches happen every day
Despite the tremendous benefits of cloud computing, the security and privacy of data are probably the biggest concerns that individuals and organizational users have. Current efforts to protect users’ data include measures such as firewalls, virtualization (running multiple operating systems or applications simultaneously) and even regulatory policies, yet often users are required to provide information to service providers “in the clear” – means plain-text data without any protection.
Moreover, because cloud-computing software and hardware are anything but bug-free, sensitive information may be exposed to other users, applications and third parties. In fact, cloud data breaches happen every day.
Fighting a new threat model
A research project conducted by the Axa Research Fund is aiming at providing cloud data security and privacy protection under a new threat model that more accurately reflects the open, heterogeneous and distributed nature of the cloud environment. This model assumes that cloud servers, which store and process users’ data, are not to be trusted to keep users’ data and the processing results confidential, or even to enforce access limitations correctly. This is a radical departure from the traditional threat model for closed enterprise IT systems, which assume that servers can be trusted.
The central approach of the research is thus to embed protection mechanisms, such as encryption and authentication, into the data itself. In this way, data security and privacy remain even if the cloud itself is compromised, all while enabling authorized writers to access and process shared data.
Protecting the data and its users
In the research project of the Axa Research Fund, the team have created a suite of techniques for scalable access control and computation of encrypted data in the cloud. They also built an attribute-based secure messaging system as a proof-of-concept prototype. The system is designed to provide end-to-end confidentiality for enterprise users, and is built on the assumption that the cloud itself doesn’t necessarily keep users’ messages confidential.
To understand how it works, imagine that you’re depositing valuables in a house to which you have a key and that, from time to time, you want to move these valuables to other friends’ houses where unknown people may come and go. Each of your friends keeps his or her key, but not all have the same access privileges: their keys can only open certain houses based on the access they have. Such privileges and key sets are managed by a keymaster who stays elsewhere.
Every user in the system has a set of attributes that specifies his or her privileges to receive and decrypt messages. For example, Alice’s set of attributes could be “student, school of business” while Bob’s are “student, school of information systems”. At the user registration stage, the keymaster issues each person a decryption code based on his or her attributes.
To send a message securely, a user encrypts it, and the appropriate access policy is attached. The encrypted message is referred to as ciphertext. Only users whose attributes match a message’s access policy can receive and decrypt it. For example, if a message is to “all students”, then both Alice and Bob can receive and decrypt it. On the other hand, if another message’s access policy is “business-school students”, only those students (meaning Alice but not Bob) can receive and decrypt it.
The system is highly efficient – only one message is generated and delivered regardless of the number of recipients, and it achieves confidentiality even if the cloud-based messaging server and the communication networks are open.
The business benefits of switching to a secure cloud
- Enhance organizational flexibility: Popular cloud providers operate on a highly scalable licensing system, enabling companies to add or remove licenses as required to expand and contract. These can also be added almost instantly in many occasions, allowing fast scaling (which is simply not possible with on-premise technology). As an added benefit, this provisioning of resources can typically be done programmatically, and therefore human involvement is not always required.
- Improve data security: By removing physical systems from your office, you remove the risk that they can be tampered with – no one in your business has direct access to the machines. Additionally, cloud providers will generally always keep their technology up to date, patched and backed up, as they do not possess the infrastructure limitations of a typical company. This alone is a critical aspect of maintaining good security.
- Improve disaster recovery: Through a secure cloud, you can easily back up important data and recover it in the event of a disaster at your office locations. Remote workers can also do the same, as there’s no need to physically connect to a network. Additionally, this mitigates some of the risks involved with a lost or stolen device – administrators can quickly revoke the device’s access and prevent unwanted data loss.
Cloud computing gives companies access to the next level – next-level customer service through enhanced data gathering and storage, next-level flexibility through remote working and fast scalability, next-level convenience through interconnected systems with fast file and data sharing … the list goes on.
However, due to the risks of misconfiguration and the ever-present danger of cyber criminals, any company’s cloud environment must be secure to remain effective. And that’s where cloud security comes in. With cloud security, you can enhance the protection of your digital assets and mitigate the risks associated with human error, reducing the likelihood that your organization will suffer a damaging loss thanks to an avoidable breach.
Do you agree with the ideas we came up with in our article or do you have a different point of view? We would be glad to receive any feedback from you.