Abstract
When tenants deploy applications under the control of third-party cloud providers, they must trust the provider's security mechanisms for inter-tenant isolation, resource sharing and access control. Despite a provider's best efforts, accidental data leakage may occur due to misconfigurations or bugs in the cloud platform. Especially in Platform-as-a-Service (PaaS) clouds, which rely on weaker forms of isolation, the potential for unnoticed data leakage is high. Prior work to raise tenants' trust in clouds relies on attestation, which limits the management flexibility of providers, or fine-grained data tracking, which has high overheads. We describe CloudSafetyNet (CSN), a lightweight monitoring framework that gives tenants visibility into the propagation of their application data in a cloud environment with low performance overhead. It exploits the incentive of tenants to co-operate with each other to detect accidental data leakage. CSN transparently adds opaque security tags to a subset of form fields in HTTP requests, using a client-side JavaScript library. Socket-level monitors maintain a log of observed tags flowing between application components. Tenants retrieve their logs and identify foreign tags that indicate data leakage. To check the correct operation of CSN, tenants send probe requests with known tags and verify that monitors are logging correctly. Using an implementation of CSN deployed on the OpenShift and AppScale PaaS platforms, we show that it can discover misconfigurations and bugs with a negligible performance impact.
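As an added illustration (not the paper's code, and not its real tag format), the following Python sketch models the tag flow the abstract describes: a client-side step appends an opaque tag to one form field, socket-level monitors log only the tags they see entering each component, a tenant then flags tags owned by someone else, and a probe request with a known tag checks that the monitors are actually logging. The tag format, component names and tenant identifiers are constructed for the example.

```python
import re
import secrets
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode

# Constructed tag format (assumption, not from the paper): "csn-" plus 16 hex chars.
TAG_RE = re.compile(r"csn-[0-9a-f]{16}")

def make_tag(tenant, registry):
    """Client-side library step: mint an opaque tag and record which tenant owns it."""
    tag = "csn-" + secrets.token_hex(8)
    registry[tag] = tenant
    return tag

def tag_form_body(body, field, tag):
    """Append the tag to one field of an application/x-www-form-urlencoded request body."""
    pairs = [(k, v + tag if k == field else v)
             for k, v in parse_qsl(body, keep_blank_values=True)]
    return urlencode(pairs)

def socket_monitor(component, payload, log):
    """Socket-level monitor: log only the tags seen entering a component, never the payload."""
    log[component].extend(TAG_RE.findall(payload))

def foreign_tags(tenant, components, log, registry):
    """Tenant-side check: tags in this tenant's components owned by another (or unknown) tenant."""
    return {(c, t, registry.get(t))
            for c in components for t in log[c] if registry.get(t) != tenant}

def probe_ok(tenant, component, log, registry):
    """Probe: send a request carrying a known tag and confirm the monitor logged it."""
    tag = make_tag(tenant, registry)
    socket_monitor(component, tag_form_body("q=probe", "q", tag), log)
    return tag in log[component]

def demo():
    """Constructed scenario: a misrouted tenant-B request lands in tenant A's database tier."""
    registry, log = {}, defaultdict(list)
    a_tag, b_tag = make_tag("tenantA", registry), make_tag("tenantB", registry)
    socket_monitor("A-app", tag_form_body("user=alice&note=hi", "note", a_tag), log)  # normal flow
    socket_monitor("A-db", tag_form_body("user=bob&note=x", "note", b_tag), log)      # leaked flow
    leaks = foreign_tags("tenantA", ["A-app", "A-db"], log, registry)
    return leaks, probe_ok("tenantA", "A-app", log, registry)
```

Running `demo()` returns the single foreign tag observed at `A-db` together with its owner `tenantB`, and `True` for the probe check.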
| Field | Value |
|---|---|
| Original language | English |
| Title of host publication | CCSW 2014 - Proceedings of the 2014 ACM Cloud Computing Security Workshop, Co-located with CCS 2014 |
| Publisher | Association for Computing Machinery |
| Pages | 117-128 |
| Number of pages | 12 |
| Edition | November |
| ISBN (Print) | 9781450332392 |
| DOIs | |
| Publication status | Published - 7 Nov 2014 |
| Event | 6th ACM Cloud Computing Security Workshop, CCSW 2014, Held in Conjunction with the 2014 ACM Computer and Communication Security, CCS 2014 - Scottsdale, United States. Duration: 7 Nov 2014 → … |
Publication series
| Field | Value |
|---|---|
| Name | Proceedings of the ACM Conference on Computer and Communications Security |
| Number | November |
| Volume | 2014-November |
| ISSN (Print) | 1543-7221 |
Conference
| Field | Value |
|---|---|
| Conference | 6th ACM Cloud Computing Security Workshop, CCSW 2014, Held in Conjunction with the 2014 ACM Computer and Communication Security, CCS 2014 |
| Country/Territory | United States |
| City | Scottsdale |
| Period | 7/11/14 → … |
Bibliographical note
Publisher Copyright: Copyright © 2014 by the Association for Computing Machinery, Inc. (ACM).
Keywords
- Cloud
- Data leakage detection
- Inter-tenant isolation
- Socket-level monitoring