Page 1

CloudFilter: Practical Control of Sensitive Data Propagation to the Cloud

Ioannis Papagiannis, Peter Pietzuch
Large-Scale Distributed Systems Group, Department of Computing
http://lsds.doc.ic.ac.uk

ACM Cloud Computing Security Workshop (CCSW), October 19, 2012

Peter R. Pietzuch [email protected]

Page 2

Can an employee store files online?

Page 3

Can an employee store files online? Not really…

Hi Yiannis,

Can you send me that file from my Dropbox?

Sure, here it is!

Why?!

Page 4

Can an employee store files online? Not really…

Why?!

• Policy 1: Employees should not waste time online on personal matters!
• Policy 2: Employees should not be able to send company files to arbitrary recipients!

Page 5

Can an employee store files online? Not really…

Why?!

• Dropbox enables large-scale data disclosure
• It’s very easy for employees to misunderstand and violate the data propagation policy of the bank
• The bank wants to be able to blame employees if a leak occurs

Page 6

Current solution: network-level blocking

Network-level blocking of cloud services is not perfect:
• Why prevent workflows that involve non-sensitive data?
• Employees are more likely to bypass company policy completely by using personal devices

Page 7

Threat Model

Users are not malicious:
• Employees are trusted to decide whether data are sensitive or not
• Employees are accountable for their actions

The cloud provider:
• Is trusted to collaborate with organisations and help them control access to their data

Page 8

Objectives and Ideas

CloudFilter’s objectives:
• Support (most) cloud storage providers
• Help employees comply with data propagation policy
• Log attempts to disclose sensitive data
• Control how data are accessed after they have been uploaded

Important ideas:
• Three different types of data (confidential, public and protected)
• Most cloud storage providers support HTTP for file transfers
• Data propagation is controlled via labels embedded inside files

Page 9

[Figure: CloudFilter File Upload. Components: browser plugin, client proxy, service proxy, cloud storage provider, policy. Numbered steps 1 to 5 annotate the flow: HTTP request, file, label, file with label, policy.]

Page 10

[Figure: CloudFilter File Download. Components: browser plugin, client proxy, service proxy, cloud storage provider. Numbered steps 1 to 4 annotate the flow: HTTP request, policy, file with label.]

Page 11

Embedding labels inside files

  <rdf:Description rdf:about="" xmlns:cf0="http://cloudfilter.doc.ic.ac.uk/0">
    <cf0:domain>cf.doc.ic.ac.uk</cf0:domain>
    <cf0:id>protected</cf0:id>
    <cf0:parameters>
      <rdf:Seq>
        <rdf:li>user</rdf:li>
      </rdf:Seq>
    </cf0:parameters>
    <cf0:user>ip108, prp</cf0:user>
  </rdf:Description>

Callouts on the slide: cf0:domain is the proxy addr, cf0:id is the policy id, cf0:parameters lists the parameters.

Labels can be embedded inside specific file types using Adobe’s eXtensible Metadata Platform (XMP).

Page 12

Policy 1: Prevent all file uploads to Dropbox

[Figure: the browser plugin sends an HTTP request carrying a file to the client proxy.]

• Event: {out} {put post} {(.*\.)*dropbox.com(/.*)*}
• Condition: (none)
• Action: return("403")

Page 13

Policy 2: Only allow uploading public documents

[Figure: the browser plugin sends an HTTP request carrying a file to the client proxy.]

• Event: {out} {put post} {(.*\.)*dropbox.com(/.*)*}
• Condition: (none)
• Action:
    form = createHTMLForm()
    resp = ask(form)
    if resp == "public":
        log()
        return(issue())
    else:
        return("403")

Page 14

Policy 3: Only share documents across university staff

[Figure: client proxy, service proxy and cloud storage provider. A file labelled UConfidential passes the client proxy under Policy(UP) and the service proxy under Policy(DN); the service proxy distinguishes the groups University Student and University Employee.]

Page 15

CloudFilter++

Page 16

CloudFilter Limitations

Limitations:
• No provenance » too irritating for the user
• User input is required to classify each file in a security category
• User input is required again after a file has been edited
• Restrictive data model » most web applications do not use files
• Web applications typically use a relational database and a custom data model
• Online document editors expose file export/import functionality, but this does not preserve labels
• User files are typically stored online, edited locally

Page 17

What will the future enterprise desktop look like?

Page 18

The End

• Ioannis Papagiannis
• DoC, Imperial College London
• [email protected]

Page 19

Policy specification: Event-Condition-Action (ECA)

Data propagation policies
• specify the actions of CloudFilter proxies when file transfers are detected
• have 3 parts (Event-Condition-Action)
• may be sent across proxies at runtime

Part 1: Event
• The event that triggers an ECA policy is the invocation of an HTTP method
• Match HTTP requests according to (1) direction of data flow, (2) HTTP method, (3) target URL

Part 2: Condition
• The condition that must be satisfied is the existence of labeled files inside the HTTP request/response
• Two types of conditions (service-agnostic, service-specific)

Part 3: Action
• A Python script that a proxy executes to handle the file transfer
• The script can access the file and the HTTP request/response
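As an added example that is not CloudFilter's own code, here is a small Python model of the three ECA parts described above, applied to Policy 1 and Policy 2 from pages 12 and 13 and to a label-based condition. The HttpTransfer record, its field names and the "issue"/"403" return values are my assumptions; the user prompt of Policy 2 is replaced by an injected function so the code runs offline.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional
audit_log = []  # stands in for the proxy's log() action on page 13

@dataclass
class HttpTransfer:  # one HTTP transfer seen by a proxy (constructed record, not CloudFilter's own type)
    direction: str   # "out" = upload, "in" = download
    method: str      # HTTP method as sent
    host: str
    path: str
    labels: list = field(default_factory=list)  # label dicts found in carried files
@dataclass
class EcaPolicy:
    directions: set   # Event (1): direction of data flow
    methods: set      # Event (2): HTTP methods, lower-case
    url_pattern: str  # Event (3): regex over host + path
    condition: Optional[Callable[[HttpTransfer], bool]]  # None stands for "(none)"
    action: Callable[[HttpTransfer], str]                # returns "issue" or "403"

    def matches(self, t: HttpTransfer) -> bool:
        if t.direction not in self.directions or t.method.lower() not in self.methods:
            return False
        if re.fullmatch(self.url_pattern, t.host + t.path) is None:
            return False
        return self.condition is None or self.condition(t)

def evaluate(policies, t: HttpTransfer) -> str:
    """First matching policy decides; with no match the proxy forwards the transfer unchanged."""
    for p in policies:
        if p.matches(t):
            return p.action(t)
    return "issue"
# The slides' event triple, with the dot in dropbox.com escaped so it matches literally.
DROPBOX_UPLOAD = dict(directions={"out"}, methods={"put", "post"}, url_pattern=r"(.*\.)*dropbox\.com(/.*)*")
# Policy 1 (page 12): prevent all file uploads to Dropbox.
policy1 = EcaPolicy(**DROPBOX_UPLOAD, condition=None, action=lambda t: "403")
def make_policy2(ask: Callable[[HttpTransfer], str]) -> EcaPolicy:
    """Policy 2 (page 13): ask the user; only a 'public' answer is logged and let through."""
    def action(t):
        if ask(t) == "public":
            audit_log.append(f"{t.method} {t.host}{t.path}: classified public by user")
            return "issue"
        return "403"
    return EcaPolicy(**DROPBOX_UPLOAD, condition=None, action=action)
# A service-agnostic Condition (page 19): fire only when a carried file is labelled confidential.
def carries_confidential(t: HttpTransfer) -> bool:
    return any(l.get("id") == "confidential" for l in t.labels)
policy_confidential = EcaPolicy(**DROPBOX_UPLOAD, condition=carries_confidential, action=lambda t: "403")
```

Downloads and uploads to other hosts fall through to "issue", which is the forwarding behaviour page 6 argues for: only the transfers a policy names are touched.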