Tredisec Requirements

Storage Integrity

  • Verifiable Storage
  • Verifiable Ownership

Verifiable Storage

Verifiable storage allows a cloud customer to check whether her (Big) data is stored correctly at the cloud server provider. As previously mentioned, classical data integrity techniques are not suitable anymore since they require the customer to download the entire data together with the integrity proof computed by the cloud. TREDISEC tackles this specific problem and currently investigates existing solutions that can be classified into two categories: Proof of Data Possession (PDP) and Proof of Retrievability (PoR).

Requirements
  • WP31-R1: Efficient storage verification
  • WP31-R2: Data possession verifiability
  • WP31-R3: Data extractability
  • WP31-R4: Delegated verifiability
  • WP31-R5: Public verifiability
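
As an added illustration (not TREDISEC's own scheme or code), the following Python sketches a spot-checking audit in the PDP style that the paragraph above contrasts with classical integrity checks: the client tags every block with a secret key before outsourcing, then audits a random sample of blocks instead of downloading the whole file. Block size, key, file content and sample sizes are values assumed here.

```python
import hashlib, hmac, math, secrets

BLOCK = 4096  # block size in bytes (constructed value for this example)

def tag_blocks(key: bytes, data: bytes):
    """Client-side preprocessing: split the file into blocks and compute one
    keyed tag per block; binding the index stops block substitution. Blocks
    and tags are outsourced, only the key stays with the client."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    tags = [hmac.new(key, i.to_bytes(8, "big") + b, hashlib.sha256).digest()
            for i, b in enumerate(blocks)]
    return blocks, tags

def make_challenge(n_blocks: int, sample: int) -> list:
    """Verifier picks a random subset of block indices to audit."""
    return sorted(secrets.SystemRandom().sample(range(n_blocks), sample))

def prove(stored_blocks: list, stored_tags: list, indices: list) -> list:
    """Server returns only the challenged blocks and their tags."""
    return [(i, stored_blocks[i], stored_tags[i]) for i in indices]

def verify(key: bytes, indices: list, proof: list) -> bool:
    """Verifier recomputes each returned tag; a missing, swapped or
    corrupted block makes the constant-time comparison fail."""
    if [i for i, _, _ in proof] != list(indices):
        return False
    for i, block, tag in proof:
        expect = hmac.new(key, i.to_bytes(8, "big") + block, hashlib.sha256).digest()
        if not hmac.compare_digest(expect, tag):
            return False
    return True

def detection_probability(n_blocks: int, damaged: int, sample: int) -> float:
    """Chance a random audit of `sample` blocks hits at least one of
    `damaged` lost/corrupted blocks (sampling without replacement)."""
    intact = n_blocks - damaged
    if sample > intact:
        return 1.0
    return 1.0 - math.comb(intact, sample) / math.comb(n_blocks, sample)

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    blocks, tags = tag_blocks(key, secrets.token_bytes(64 * BLOCK))  # constructed file
    idx = make_challenge(len(blocks), 8)
    print("honest server passes:", verify(key, idx, prove(blocks, tags, idx)))
    damaged = blocks[:]
    damaged[idx[0]] = b"\x00" * BLOCK  # server silently lost one challenged block
    print("damaged server passes:", verify(key, idx, prove(damaged, tags, idx)))
    print("P(detect 1 bad of 100 with 10 samples):", detection_probability(100, 1, 10))
```

The audit transfers only the sampled blocks, which is the efficiency gain over downloading everything; damage in blocks that were not sampled stays undetected, so the sample size sets the detection probability.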

Verifiable Ownership

To avoid client-side deduplication attacks, the new primitive called Proof of Ownership (PoW) was introduced with the aim of preventing leakage amplification in client-side deduplication. More specifically, the idea is that if an outside adversary somehow obtains a bounded amount of information about a given target user file F via out-of-band leakage, then the adversary cannot leverage this short information to obtain the whole file F by participating in client-side deduplication with the cloud storage server.

One of the main objectives of the project with respect to verifiability is the study of PoW protocols. There are indeed several open questions when it comes to this family of protocols, mostly revolving around performance and security. In addition, we plan to investigate PoW schemes that can be applied to encrypted data and/or data uploaded by participants that do not share mutual trust.

Requirements
  • WP33-R1: Efficient ownership verification
  • WP33-R2: Verifiable Ownership with data confidentiality
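
An added example, not code from the TREDISEC project, contrasting hash-only client-side deduplication (where a leaked short identifier is enough to obtain the file) with a simple PoW challenge that only a party holding randomly chosen blocks can answer. The block size, nonce length and the dictionary used to model what a claimant knows are assumptions made here.

```python
import hashlib, hmac, secrets

BLOCK = 1024  # block size in bytes (constructed value for this example)

def split(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def file_id(data: bytes) -> str:
    """Short identifier a client sends to ask 'do you already store this file?'"""
    return hashlib.sha256(data).hexdigest()

def naive_dedup_accepts(claimed_id: str, store: dict) -> bool:
    """Hash-only client-side dedup: whoever learns the short identifier is
    granted the file, so an out-of-band leak of 32 bytes yields the whole file."""
    return claimed_id in store

def pow_challenge(n_blocks: int, sample: int):
    """Server picks a fresh nonce and random block indices the claimant must hold."""
    nonce = secrets.token_bytes(16)
    return nonce, sorted(secrets.SystemRandom().sample(range(n_blocks), sample))

def pow_response(nonce: bytes, indices: list, known: dict):
    """Claimant digests the challenged blocks under the nonce. `known` maps
    block index to content, modelling a party with partial leakage.
    Returns None when a challenged block is not available to the claimant."""
    h = hmac.new(nonce, digestmod=hashlib.sha256)
    for i in indices:
        if i not in known:
            return None
        h.update(i.to_bytes(4, "big") + known[i])
    return h.digest()

def pow_accepts(nonce: bytes, indices: list, response, stored_blocks: list) -> bool:
    """Server recomputes the expected response from its own copy of the file."""
    expected = pow_response(nonce, indices, dict(enumerate(stored_blocks)))
    return response is not None and hmac.compare_digest(expected, response)
```

The fresh nonce prevents replaying an earlier response, and the server's acceptance depends on the block content rather than on any short identifier.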

Content extracted from deliverable document D2.2 Requirements Analysis and Consolidation

Storage privacy

  • Access control and policy enforcement
  • Resource isolation
  • Data privacy

Access control and policy enforcement

Access control is essential in protecting storage privacy. Customers must be able to trust the cloud service that only authorized parties can access their data. More complicated access control mechanisms provide extra or improved use cases for cloud storage. Additional policy enforcement solutions such as secure deletion give customers tighter control over their data, enhance their storage privacy and can be essential in order to comply with business regulations.

Requirements
  • WP41-R1: Semantic and contextually constrained policy enforcement
  • WP41-R2: Privacy-respectful policy enforcement
  • WP44-R1: Secure deletion
  • WP44-R2: Shared ownership
  • WP44-R3: Assisted deletion

Resource isolation

To enforce resource isolation, systems may make use of access control and security policies. The entities enforcing these policies, such as hypervisors, operating system kernels, middleware or applications, are themselves vulnerable to attacks. Therefore, improving the security of such policy-enforcing entities (monitors) improves the security guarantees provided by the policies. The main objective of the project is to design mechanisms that improve the security of monitors through: (a) removing vulnerabilities present in the code base, (b) preventing such vulnerabilities from being reachable by attackers, or (c) in the presence of attacker-reachable vulnerabilities, preventing their exploitation.

Requirements
  • WP42-R1: Improved resource isolation
  • WP42-R2: Secure storage per tenant

Data Privacy

Cloud services introduce new security threats with respect to the confidentiality of the outsourced data. While cloud providers are motivated to offer data confidentiality for their storage services, given the increasing security assurance demands from cloud customers, they also lose the ability to optimize their storage costs by deduplicating the data once traditional encryption is applied to it. TREDISEC aims to provide strong data confidentiality guarantees while retaining the various advantages of data deduplication in the cloud. On the one hand, we aim to devise novel schemes which ensure data confidentiality despite a powerful adversary that has access to the user's secret material; such schemes are called key-exposure resistant schemes. On the other hand, we plan to propose techniques which support deduplication of data encrypted by different mistrusting principals (tenants, users).

Requirements
  • WP43-R1: Data confidentiality
  • WP43-R2: Resistance to key leakage

Computation Integrity

  • Verifiable Computation

Verifiable Computation

While storage integrity requirements address the integrity of outsourced data, computation integrity requirements address the correctness of outsourced computation.

Requirements
  • WP32-R1: Computation integrity
  • WP32-R2: Public verifiability
  • WP32-R3: Public delegatability
  • WP32-R4: Managing big databases

Computation Privacy

  • Privacy preserving data outsourcing
  • Privacy preserving processing

Privacy preserving data outsourcing

Within TREDISEC, the original data of the data owner should be protected against unintended and unauthorized access, and data confidentiality should be enforced by means of encryption. The encryption of large data sets with one or multiple encryption schemes should be executed in a performance-optimised manner. At the same time, end-user application downtime needs to be minimised during the migration process in order to allow daily business operations to continue.

Requirements
  • WP5-R1: Big Data confidentiality
  • WP51-R1: Efficient initial encryption
  • WP52-R1: Privacy preserving migration with minimum downtime

Privacy preserving processing

Privacy preserving processing deals with the design of mechanisms that enable the cloud to process encrypted data. Ideally, cloud providers should be able to conduct any complex operation on the outsourced data. While advances in fully homomorphic encryption are promising, they are still too computationally intensive to represent a viable solution for privacy preserving processing. This is why, in TREDISEC, we focus on a different line of research that aims at designing dedicated privacy preserving mechanisms for specific applications. More specifically, we address the problem of privacy preserving data processing for biometric data and privacy preserving word search. Word search is one of the most demanding operations for cloud applications: a data owner or another authorized third party should be able to search for some words over data that has already been outsourced in encrypted form. The idea is to exploit the properties of the outsourced data and of the functions we are interested in to come up with efficient security solutions that do not negatively impact the performance of cloud computing.

Requirements
  • WP51-R2: Query analysis for optimised SQL statement execution over remotely stored encrypted data
  • WP53-R1: Privacy preserving data processing
  • WP53-R2: Search pattern privacy for word search
  • WP53-R3: Access pattern privacy for word search
  • WP53-R4: Performance / Efficiency at the client
  • WP53-R5: Query expressiveness for word search

Multi-tenancy

  • hardware-level isolation
  • virtualization
  • application-level isolation

Multi-tenancy refers to the ability of a system to serve multiple administrative entities (called tenants) with a high degree of resource sharing among tenants (e.g. share CPU time, disk space, etc.).

Ideally a multi-tenant cloud storage system serves requests of multiple customers (tenants) in such a way that computing and storage resources are shared among such customers and this sharing of resources does not weaken system security.

In practice, multi-tenancy is a trade-off between security and costs: the wider the subset of resources shared (e.g., same physical machine vs. same OS), the more the cloud system can amortize costs and increase utilization.

Multi-tenancy can be achieved in several different ways:
  • Hardware-level isolation is the simplest, most secure but also most expensive approach: the requests of distinct tenants are handled by different hardware.
  • Virtualization relies on hardware- and platform-based virtualization techniques to create multiple virtual nodes and storage facilities (e.g. volumes, file systems, containers) for each tenant.
  • Process-level isolation hinges on the isolation provided by multi-user operating systems to separate resources belonging to different tenants.
  • Application-level isolation enhances the application with access control enforcement to grant or deny access to otherwise shared resources.

The cloud services provided by TREDISEC should accommodate a multi-tenant environment, that is, an environment in which multiple users share the ownership of outsourced data, or are permitted to operate on the data without actually being owners. This requirement is more relevant to the use-cases pertaining to file sharing services.

Storage efficiency

  • data compression
  • data deduplication

Under storage efficiency, we capture techniques such as compression and deduplication used by storage providers to make an optimal use of their storage resources by reducing the space needed to store client data.

Compression is the process of encoding information using fewer bits than the canonical representation requires. Compression can lead to a reduction of 20% to 70% of disk utilization. Cost reductions arise due to reduction in storage space, real estate, power consumption and cooling.

Deduplication strives instead to discard multiple copies of a common datum: a single copy is stored and the extra copies merely reference the original.

Storage efficiency functions are at the heart of every cloud system, and constitute one of the central reasons for the appealing economy of scale of cloud systems. Cloud service providers take advantage of deduplication and compression mechanisms to minimise their storage needs and therefore, their expenditures. Thus, it is very important for TREDISEC solutions not to hinder the deployment of such mechanisms and to work seamlessly on top of them. While storage efficiency is a very important requirement for cloud services, it is more crucial to enable it for the file sharing use-cases.

By possessing very powerful machines and using parallelization techniques, cloud service providers are able to operate on huge amounts of data very fast. It follows that TREDISEC security services should preserve the cloud provider's low latency by making sure that the implemented security services do not add too much complexity to the cloud environment. This requirement is derived from the use-cases dealing with big data services.

The owner of outsourced data should be given the possibility to control who accesses her data and how. More specifically, the data owner should be allowed to share the ownership of her data, give read/write rights to users of her choice and finally revoke such rights at any point in time. Therefore, we envisage in TREDISEC to develop mechanisms for access policy enforcement. Given the multi-tenant nature of the file sharing use-cases, they require solutions that control and regulate data access.

Since the cloud provider possesses plenty of computational resources that the lay customer does not, it can perform complex operations on data very fast. This encourages customers not only to outsource storage but also to outsource data processing. To facilitate the adoption of TREDISEC security services, we should focus on how to reconcile existing data processing functionalities and the pressing requirements of data confidentiality and computation integrity.

We note here that this requirement is more related to the use cases dealing with big data storage and secure processing services, since in the case of file sharing services the cloud provider is only supposed to store the data.

Most of the data outsourced to the cloud is prone to changes. Such changes include appending new data, modifying chunks of existing data, or deleting parts of the outsourced data. Besides the classical challenge of synchronization that cloud service providers should solve when multiple users update outsourced data concurrently, we should also ensure in TREDISEC that our security mechanisms work seamlessly in the presence of dynamic data. Namely, a cloud customer should not be compelled to download her (entire) data to perform a small change. Ideally, this requirement should be met in all the TREDISEC use-cases. However, in TREDISEC we prioritise the file sharing use-cases.

An important requirement that cloud service providers must meet is the requirement of data availability. Availability assures the cloud customer that she can download her (entire) data at her convenience. Although in the use-cases for big data storage and secure processing, the cloud customer is not supposed to ever download her data, we believe that in TREDISEC this requirement should be met for all the use-cases.