Cloud safety net: Detecting data leakage between cloud tenants

Christian Priebe, Divya Muthukumaran, Dan O'Keeffe, David Eyers, Brian Shand, Ruediger Kapitza, Peter Pietzuch

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

    28 Citations (Scopus)

    Abstract

    When tenants deploy applications under the control of third-party cloud providers, they must trust the provider's security mechanisms for inter-tenant isolation, resource sharing and access control. Despite a provider's best efforts, accidental data leakage may occur due to misconfigurations or bugs in the cloud platform. Especially in Platform-as-a-Service (PaaS) clouds, which rely on weaker forms of isolation, the potential for unnoticed data leakage is high. Prior work to raise tenants' trust in clouds relies on attestation, which limits the management flexibility of providers, or fine-grained data tracking, which has high overheads. We describe CloudSafetyNet (CSN), a lightweight monitoring framework that gives tenants visibility into the propagation of their application data in a cloud environment with low performance overhead. It exploits the incentive of tenants to co-operate with each other to detect accidental data leakage. CSN transparently adds opaque security tags to a subset of form fields in HTTP requests, using a client-side JavaScript library. Socket-level monitors maintain a log of observed tags flowing between application components. Tenants retrieve their logs and identify foreign tags that indicate data leakage. To check the correct operation of CSN, tenants send probe requests with known tags and verify that monitors are logging correctly. Using an implementation of CSN deployed on the OpenShift and AppScale PaaS platforms, we show that it can discover misconfigurations and bugs with a negligible performance impact.
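As an added illustration (not code from the paper or its authors), the tenant-side check the abstract describes: a tenant parses the log it retrieved from the socket-level monitors, flags any tag it never issued as foreign, and confirms that the probe tags it sent were actually logged. The log line format, component names and tag values are constructed assumptions.

```python
"""Tenant-side check of a CSN-style monitor log (assumed 'ts src dst tag' format)."""
from typing import NamedTuple

class Flow(NamedTuple):
    ts: int
    src: str  # component that sent the tagged form field
    dst: str  # component that received it
    tag: str  # opaque security tag observed on the socket

def parse_log(text: str) -> list[Flow]:
    """Parse monitor log lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, tag = line.split()
        flows.append(Flow(int(ts), src, dst, tag))
    return flows

def check_tenant_log(flows: list[Flow], own_tags: set[str], probe_tags: set[str]):
    """Return (foreign flows, probe tags that were never logged).

    A tag this tenant never issued is foreign: data from another tenant reached
    this tenant's components. A probe tag sent but not logged means the monitors
    are not working, so an empty foreign list would then prove nothing.
    """
    foreign = [f for f in flows if f.tag not in own_tags]
    logged = {f.tag for f in flows}
    return foreign, sorted(probe_tags - logged)

# Constructed sample: tenant A's tags (including two probes) and one tag from tenant B.
PROBE_TAGS = {"1111222233334444", "5555666677778888"}
OWN_TAGS = {"7f3c9e01d2b4a6c8", "0e5d4c3b2a190807"} | PROBE_TAGS
SAMPLE_LOG = """\
# ts   src     dst     tag
1001   a-web   a-app   7f3c9e01d2b4a6c8
1002   a-app   a-db    0e5d4c3b2a190807
1003   b-web   a-app   deadbeefcafef00d
1004   a-web   a-app   1111222233334444
"""

if __name__ == "__main__":
    foreign, missing = check_tenant_log(parse_log(SAMPLE_LOG), OWN_TAGS, PROBE_TAGS)
    print("foreign:", [(f.src, f.dst, f.tag) for f in foreign])
    print("probe tags not logged:", missing)  # ['5555666677778888']
```

A missing probe tag is reported separately from foreign tags because the two mean different things: the first is a monitoring failure that invalidates the check, the second is the leakage signal itself.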

    Original language: English
    Title of host publication: CCSW 2014 - Proceedings of the 2014 ACM Cloud Computing Security Workshop, Co-located with CCS 2014
    Publisher: Association for Computing Machinery
    Pages: 117-128
    Number of pages: 12
    Edition: November
    ISBN (Print): 9781450332392
    DOIs
    Publication status: Published - 7 Nov 2014
    Event: 6th ACM Cloud Computing Security Workshop, CCSW 2014, Held in Conjunction with the 2014 ACM Computer and Communication Security, CCS 2014 - Scottsdale, United States
    Duration: 7 Nov 2014 → …

    Publication series

    Name: Proceedings of the ACM Conference on Computer and Communications Security
    Number: November
    Volume: 2014-November
    ISSN (Print): 1543-7221

    Conference

    Conference: 6th ACM Cloud Computing Security Workshop, CCSW 2014, Held in Conjunction with the 2014 ACM Computer and Communication Security, CCS 2014
    Country/Territory: United States
    City: Scottsdale
    Period: 7/11/14 → …

    Bibliographical note

    Publisher Copyright:
    Copyright © 2014 by the Association for Computing Machinery, Inc. (ACM).

    Keywords

    • Cloud
    • Data leakage detection
    • Inter-tenant isolation
    • Socket-level monitoring
