Cloud safety net: Detecting data leakage between cloud tenants

Christian Priebe, Divya Muthukumaran, Dan O'Keeffe, David Eyers, Brian Shand, Ruediger Kapitza, Peter Pietzuch

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

26 Citations (Scopus)

Abstract

When tenants deploy applications under the control of third-party cloud providers, they must trust the provider's security mechanisms for inter-tenant isolation, resource sharing and access control. Despite a provider's best efforts, accidental data leakage may occur due to misconfigurations or bugs in the cloud platform. Especially in Platform-as-a-Service (PaaS) clouds, which rely on weaker forms of isolation, the potential for unnoticed data leakage is high. Prior work to raise tenants' trust in clouds relies on attestation, which limits the management flexibility of providers, or fine-grained data tracking, which has high overheads. We describe CloudSafetyNet (CSN), a lightweight monitoring framework that gives tenants visibility into the propagation of their application data in a cloud environment with low performance overhead. It exploits the incentive of tenants to co-operate with each other to detect accidental data leakage. CSN transparently adds opaque security tags to a subset of form fields in HTTP requests, using a client-side JavaScript library. Socket-level monitors maintain a log of observed tags flowing between application components. Tenants retrieve their logs and identify foreign tags that indicate data leakage. To check the correct operation of CSN, tenants send probe requests with known tags and verify that monitors are logging correctly. Using an implementation of CSN deployed on the OpenShift and AppScale PaaS platforms, we show that it can discover misconfigurations and bugs with a negligible performance impact.

Original languageEnglish
Title of host publicationCCSW 2014 - Proceedings of the 2014 ACM Cloud Computing Security Workshop, Co-located with CCS 2014
PublisherAssociation for Computing Machinery
Pages117-128
Number of pages12
EditionNovember
ISBN (Print)9781450332392
DOIs
Publication statusPublished - 7 Nov 2014
Event6th ACM Cloud Computing Security Workshop, CCSW 2014, Held in Conjunction with the 2014 ACM Computer and Communication Security, CCS 2014 - Scottsdale, United States
Duration: 7 Nov 2014 → …

Publication series

NameProceedings of the ACM Conference on Computer and Communications Security
NumberNovember
Volume2014-November
ISSN (Print)1543-7221

Conference

Conference6th ACM Cloud Computing Security Workshop, CCSW 2014, Held in Conjunction with the 2014 ACM Computer and Communication Security, CCS 2014
Country/TerritoryUnited States
CityScottsdale
Period7/11/14 → …

Bibliographical note

Publisher Copyright:
Copyright © 2014 by the Association for Computing Machinery, Inc. (ACM).

Keywords

  • Cloud
  • Data leakage detection
  • Inter-tenant isolation
  • Socket-level monitoring

Fingerprint

Dive into the research topics of 'Cloud safety net: Detecting data leakage between cloud tenants'. Together they form a unique fingerprint.

Cite this