CloudFilter: Practical Control of Sensitive Data Propagation to the Cloud
Department of Computing
Ioannis Papagiannis
Peter Pietzuch
Large-Scale Distributed Systems Group
http://lsds.doc.ic.ac.uk
Peter R. Pietzuch
[email protected]
ACM Cloud Computing Security Workshop (CCSW), October 19, 2012
Can an employee store files online?
Can an employee store files online? Not really…
Why?!
Hi Yiannis,
Can you send me that
file from my Dropbox?
Sure, here it is!
• Policy 1: Employees should not waste time online on personal matters!
• Policy 2: Employees should not be able to send company files to arbitrary recipients!
• Dropbox enables large-scale data disclosure
• It’s very easy for employees to misunderstand and violate the data propagation policy of the bank
• The bank wants to be able to blame employees if a leak occurs
Current solution: network-level blocking
Network-level blocking of cloud services is not perfect:
• Why prevent workflows that involve non-sensitive data?
• Employees are more likely to bypass company policy completely by using personal devices
Threat Model
Users are not malicious:
• Employees are trusted to decide whether data are sensitive or not
• Employees are accountable for their actions
The cloud provider:
• Is trusted to collaborate with organisations and help them control access to their data
Objectives and Ideas
CloudFilter’s objectives:
• Support (most) cloud storage providers
• Help employees comply with the data propagation policy
• Log attempts to disclose sensitive data
• Control how data are accessed after they have been uploaded
Important ideas:
• Three different types of data (confidential, public and protected)
• Most cloud storage providers support HTTP for file transfers
• Data propagation is controlled via labels embedded inside files
CloudFilter File Upload
[Figure: file upload path through the Browser plugin, Client Proxy, Service Proxy and Cloud Storage Provider over HTTP; both proxies hold a Policy and the File carries a label (steps 1–5).]
CloudFilter File Download
[Figure: file download path from the Cloud Storage Provider through the Service Proxy and Client Proxy to the Browser plugin over HTTP; the Policy is consulted and the File carries a label (steps 1–4).]
Embedding labels inside files
<rdf:Description rdf:about=""
    xmlns:cf0="http://cloudfilter.doc.ic.ac.uk/0">
  <!-- proxy address -->
  <cf0:domain>cf.doc.ic.ac.uk</cf0:domain>
  <!-- policy id -->
  <cf0:id>protected</cf0:id>
  <!-- parameters -->
  <cf0:parameters>
    <rdf:Seq>
      <rdf:li>user</rdf:li>
    </rdf:Seq>
  </cf0:parameters>
  <cf0:user>ip108, prp</cf0:user>
</rdf:Description>
Labels can be embedded inside specific file types using Adobe’s eXtensible Metadata Platform (XMP)
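An added example (not code from the CloudFilter project) of how a proxy could locate and read such a label: it scans a file's bytes for an embedded XMP packet and then parses the cf0 elements from the slide's vocabulary. The cf0 namespace URI is the one printed on the slide; the rdf and x:xmpmeta wrapper namespaces are the standard XMP ones; the sample file contents, the function names and the returned dictionary shape are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Namespace of the label vocabulary printed on the slide, plus the standard RDF
# and XMP wrapper namespaces that an XMP packet places around it.
CF0 = "http://cloudfilter.doc.ic.ac.uk/0"
RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
XMP = "adobe:ns:meta/"

# Constructed sample: the slide's label wrapped in a minimal XMP packet.
SAMPLE_PACKET = f"""<x:xmpmeta xmlns:x="{XMP}">
 <rdf:RDF xmlns:rdf="{RDF}">
  <rdf:Description rdf:about="" xmlns:cf0="{CF0}">
   <cf0:domain>cf.doc.ic.ac.uk</cf0:domain>
   <cf0:id>protected</cf0:id>
   <cf0:parameters>
    <rdf:Seq>
     <rdf:li>user</rdf:li>
    </rdf:Seq>
   </cf0:parameters>
   <cf0:user>ip108, prp</cf0:user>
  </rdf:Description>
 </rdf:RDF>
</x:xmpmeta>"""

# Constructed sample files: opaque bytes with and without the packet embedded.
LABELLED_FILE = b"%PDF-1.4 ...binary..." + SAMPLE_PACKET.encode() + b"...binary...%%EOF"
PLAIN_FILE = b"%PDF-1.4 ...binary... %%EOF"

_PACKET_RE = re.compile(rb"<x:xmpmeta\b.*?</x:xmpmeta>", re.DOTALL)
_NAME_RE = re.compile(r"[A-Za-z_][\w.-]*")   # a parameter name must be a plain element name


def extract_xmp(data: bytes) -> Optional[str]:
    """Return the first XMP packet embedded in a file, or None if the file is unlabelled."""
    m = _PACKET_RE.search(data)
    return m.group(0).decode("utf-8") if m else None


def parse_label(packet: str) -> dict:
    """Read the CloudFilter-style label out of an XMP packet.

    Returns {"domain": proxy address, "policy": policy id, "parameters": {name: [values]}}.
    Raises ValueError when a mandatory element is missing or a declared parameter has no
    value element, so a proxy never acts on a half-formed label.
    """
    root = ET.fromstring(packet)
    desc = root.find(f".//{{{RDF}}}Description")
    if desc is None:
        raise ValueError("no rdf:Description in XMP packet")

    def text_of(local_name: str) -> Optional[str]:
        el = desc.find(f"{{{CF0}}}{local_name}")
        return el.text.strip() if el is not None and el.text else None

    domain, policy_id = text_of("domain"), text_of("id")
    if not domain or not policy_id:
        raise ValueError("label lacks cf0:domain or cf0:id")

    # cf0:parameters lists the names of further cf0 elements that carry the values.
    declared = [li.text.strip()
                for li in desc.findall(f"{{{CF0}}}parameters/{{{RDF}}}Seq/{{{RDF}}}li")
                if li.text and li.text.strip()]
    parameters = {}
    for name in declared:
        if not _NAME_RE.fullmatch(name):
            raise ValueError(f"invalid parameter name {name!r}")
        raw = text_of(name)
        if raw is None:
            raise ValueError(f"parameter {name!r} declared but no cf0:{name} element found")
        parameters[name] = [v.strip() for v in raw.split(",") if v.strip()]
    return {"domain": domain, "policy": policy_id, "parameters": parameters}


def label_of_file(data: bytes) -> Optional[dict]:
    """The parsed label of a file, or None if the file carries no XMP packet."""
    packet = extract_xmp(data)
    return parse_label(packet) if packet else None


if __name__ == "__main__":
    print(label_of_file(LABELLED_FILE))
    print(label_of_file(PLAIN_FILE))
```

The parser fails closed: a packet whose cf0:parameters sequence names an element that is absent, or whose name is not a plain element name, is rejected rather than silently treated as unlabelled, which is the behaviour a proxy wants before it decides whether a transfer is subject to policy.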
Policy 1: Prevent all file uploads to Dropbox
(Figure: enforced at the Client Proxy, between the Browser plugin and the HTTP file transfer.)
• Event
  {out} {put post} {(.*\.)*dropbox.com(/.*)* }
• Condition
  (none)
• Action
  return("403")
Policy 2: Only allow uploading public documents
(Figure: enforced at the Client Proxy, between the Browser plugin and the HTTP file transfer.)
• Event
  {out} {put post} {(.*\.)*dropbox.com(/.*)* }
• Condition
  (none)
• Action
  form = createHTMLForm()       # build the form shown to the user
  resp = ask(form)              # ask the user to classify the file
  if resp == "public":
      log()                     # record the disclosure attempt
      return(issue())           # let the upload proceed
  else:
      return("403")             # refuse the upload
Policy 3: Only share documents across university staff
[Figure: a University Employee and a University Student exchange a File labelled UConfidential through the Cloud Storage Provider; the Client Proxy applies Policy (DN) and the Service Proxy applies Policy (UP).]
CloudFilter++
CloudFilter Limitations
Limitations:
• No provenance » too irritating for the user
  • User input is required to classify each file in a security category
  • User input is required again after a file has been edited
• Restrictive data model » most web applications do not use files
  • Web applications typically use a relational database and a custom data model
  • Online document editors expose file export/import functionality, but this does not preserve labels
  • User files are typically stored online, edited locally
What will the future enterprise desktop look like?
The End
• Ioannis Papagiannis
• DoC, Imperial College London
• [email protected]
Policy specification: Event-Condition-Action (ECA)
Data propagation policies:
• specify the actions of CloudFilter proxies when file transfers are detected
• have three parts (Event, Condition, Action)
• may be sent across proxies at runtime
Part 1: Event
• The event that triggers an ECA policy is the invocation of an HTTP method
• HTTP requests are matched according to (1) the direction of data flow, (2) the HTTP method and (3) the target URL
Part 2: Condition
• The condition that must be satisfied is the existence of labelled files inside the HTTP request/response
• Two types of conditions (service-agnostic, service-specific)
Part 3: Action
• A Python script that a proxy executes to handle the file transfer
• The script can access the file and the HTTP request/response
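The three parts above, and Policies 1 and 2 from the earlier slides, as an added example that is not CloudFilter's own policy engine: a small Python matcher that checks the Event (direction, method, URL pattern), evaluates the Condition and runs the Action for one HTTP message. The Dropbox URL pattern is reproduced exactly as printed on the slides; the HttpMessage and Context objects, the `ask` hook standing in for ask(createHTMLForm()), the "issue"/"403" verdict strings and the in-memory log are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class HttpMessage:
    """One HTTP request seen by a proxy (assumed shape for this example)."""
    direction: str                       # "out": leaving the organisation, "in": coming back
    method: str                          # HTTP method, e.g. "PUT", "POST", "GET"
    url: str                             # target URL
    files: List[Dict] = field(default_factory=list)  # {"name": ..., "label": policy id or None}


@dataclass
class Context:
    """Hooks an action script can use: the user prompt and the audit log (assumed)."""
    ask: Callable[[str], str]            # stands in for ask(createHTMLForm()) on the slides
    log: List[str] = field(default_factory=list)


@dataclass
class EcaPolicy:
    """Event-Condition-Action policy with the three parts described on the slide."""
    name: str
    directions: set                      # event (1): direction of data flow, e.g. {"out"}
    methods: set                         # event (2): HTTP methods, lower-case, e.g. {"put", "post"}
    url_regex: str                       # event (3): target URL pattern
    condition: Callable[[HttpMessage], bool]
    action: Callable[[HttpMessage, Context], str]

    def event_matches(self, msg: HttpMessage) -> bool:
        return (msg.direction in self.directions
                and msg.method.lower() in self.methods
                and re.fullmatch(self.url_regex, msg.url) is not None)


# URL pattern exactly as printed for Policy 1 and Policy 2 on the slides.
DROPBOX_URL = r"(.*\.)*dropbox.com(/.*)*"


def labelled_files(msg: HttpMessage) -> List[Dict]:
    """Service-agnostic condition from the slide: labelled files present in the transfer."""
    return [f for f in msg.files if f.get("label")]


def deny_action(msg: HttpMessage, ctx: Context) -> str:
    """Policy 1's action: return("403") and record the blocked attempt."""
    ctx.log.append(f"blocked {msg.method} {msg.url}")
    return "403"


def ask_action(msg: HttpMessage, ctx: Context) -> str:
    """Policy 2's action: ask the user; only 'public' is logged and issued, anything else is refused."""
    names = ", ".join(f["name"] for f in msg.files) or "(no file)"
    resp = ctx.ask(f"Classify {names} before uploading to {msg.url}: public/confidential/protected")
    if resp == "public":
        ctx.log.append(f"{names} classified public; issued {msg.method} {msg.url}")
        return "issue"
    ctx.log.append(f"{names} classified {resp}; refused {msg.method} {msg.url}")
    return "403"


POLICY_1 = EcaPolicy("deny-dropbox-uploads", {"out"}, {"put", "post"}, DROPBOX_URL,
                     lambda m: True, deny_action)
POLICY_2 = EcaPolicy("public-uploads-only", {"out"}, {"put", "post"}, DROPBOX_URL,
                     lambda m: True, ask_action)
# Same event, but with the labelled-file condition from the slide instead of "(none)".
POLICY_LABELLED = EcaPolicy("deny-labelled-uploads", {"out"}, {"put", "post"}, DROPBOX_URL,
                            lambda m: bool(labelled_files(m)), deny_action)


def evaluate(policies: List[EcaPolicy], msg: HttpMessage, ctx: Context) -> str:
    """Run the first policy whose event and condition both match; forward unchanged otherwise."""
    for policy in policies:
        if policy.event_matches(msg) and policy.condition(msg):
            return policy.action(msg, ctx)
    return "issue"


if __name__ == "__main__":
    # Constructed sample: an unlabelled spreadsheet posted to Dropbox by a user who answers "confidential".
    ctx = Context(ask=lambda prompt: "confidential")
    upload = HttpMessage("out", "POST", "https://www.dropbox.com/upload", [{"name": "q3.xlsx", "label": None}])
    print(evaluate([POLICY_2], upload, ctx), ctx.log)
```

Two points worth noting when reading the event part: the slide's pattern is matched here against the whole URL string, and its literal dot is unescaped, so a deployment would normally match the parsed host component and escape the dot to keep the event from firing on unrelated URLs. The condition for Policies 1 and 2 is "(none)", represented as a predicate that is always true; POLICY_LABELLED shows the labelled-file condition the ECA slide describes.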