
Adversaries in Clouds: Protecting Data in Cloud-Based Applications

Adversaries in Clouds: Protecting Data in Cloud-Based Applications. Nick Feamster, Georgia Tech. Building Applications on the Cloud. “You can’t trust code that you did not totally create yourself.” – Ken Thompson, Reflections on Trusting Trust.





Presentation Transcript


  1. Adversaries in Clouds: Protecting Data in Cloud-Based Applications
  Nick Feamster, Georgia Tech

  2. Building Applications on the Cloud
  “You can’t trust code that you did not totally create yourself.” – Ken Thompson, Reflections on Trusting Trust
  • Used for a wide variety of services and applications
  • Built using a variety of technology
    • Programming languages
    • Web servers
    • Load balancers
    • Application frameworks
  • New opportunities for external adversaries
    • About 85% of data leaks occur due to external attacks at servers [Verizon data breach report]
  • Existing attacks on software applications
  • But, applications are also hosted on untrusted platforms

  3. Possible Defenses
  • Check the Web application for vulnerabilities
    • Doesn’t defend against zero-day attacks, programmer error, etc.
    • Must trust all underlying hardware and software infrastructure, as well
    • No protection once the account is compromised
  • Isolate each session in a virtual machine
    • Significant performance overhead

  4. Protect the Data (in addition to the application)
  • Proposal: A data firewall for cloud-based Web applications
  • Apply network-level information flow control to data hosted by Web applications
    • Associate a taint with a piece of data (e.g., row in a database table)
    • Rewrite queries to retrieve taints with data
    • Propagate taints across processes and network
    • Perform IFC based on taints associated with data
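The four steps on slide 4 (taint per row, query rewriting, taint propagation, IFC at the boundary) fit in a few dozen lines. The following is an added example, not code from the talk or from any system Feamster's group built. It assumes a single-tenant-name taint per row stored in a `taint` column, an in-memory SQLite table with constructed rows, and a toy regex rewriter that only handles plain `SELECT` statements with an explicit column list; the names `Tainted`, `rewrite_query`, `query_tainted`, `render_page`, `egress_check` and `serve` are all invented here.

```python
import re
import sqlite3
from dataclasses import dataclass

# Constructed sample data (not from the talk): one table shared by two tenants.
# Each row carries a taint naming the tenant that owns it.
SAMPLE_ROWS = [
    (1, "acme", "Q3 revenue forecast"),
    (2, "acme", "Board meeting notes"),
    (3, "globex", "Supplier price list"),
]


@dataclass(frozen=True)
class Tainted:
    """A value together with the set of taints of the rows it was derived from."""
    value: object
    taints: frozenset

    def combine(self, other, value):
        # Propagation rule: a value derived from two tainted inputs carries both taints.
        return Tainted(value, self.taints | other.taints)


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE messages (id INTEGER PRIMARY KEY, taint TEXT NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


_SELECT = re.compile(r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<rest>.+)$",
                     re.IGNORECASE | re.DOTALL)


def rewrite_query(sql):
    """Rewrite 'SELECT a, b FROM t ...' to 'SELECT taint, a, b FROM t ...'.

    The taint column is fetched first so the executor can strip it off before
    the application sees the row. Only plain SELECTs with an explicit column
    list are handled (an assumption of this toy rewriter).
    """
    m = _SELECT.match(sql)
    if not m or m.group("cols").strip() == "*":
        raise ValueError("unsupported statement for taint rewriting: %r" % sql)
    return "SELECT taint, %s FROM %s" % (m.group("cols").strip(), m.group("rest"))


def query_tainted(conn, sql, params=()):
    """Run the application's query through the rewriter; return one Tainted per row."""
    rows = conn.execute(rewrite_query(sql), params).fetchall()
    return [Tainted(row[1:], frozenset([row[0]])) for row in rows]


def render_page(tainted_rows):
    """Application logic that concatenates bodies; taints propagate by union."""
    page = Tainted("", frozenset())
    for row in tainted_rows:
        page = page.combine(row, page.value + row.value[0] + "\n")
    return page


def egress_check(tainted, session_labels):
    """Data-firewall rule at the network boundary: release the response only if
    every taint on the outgoing data is one this session is cleared for."""
    return tainted.taints <= frozenset(session_labels)


def serve(conn, session_labels, sql, params=()):
    """Full path: query -> propagate -> IFC decision. Returns (allowed, taints)."""
    page = render_page(query_tainted(conn, sql, params))
    return egress_check(page, session_labels), page.taints


if __name__ == "__main__":
    conn = build_db()
    # A correctly scoped query for tenant acme is released.
    print(serve(conn, {"acme"}, "SELECT body FROM messages WHERE taint = ?", ("acme",)))
    # A query that forgot the tenant filter is blocked at egress, even though
    # the application code itself never checked ownership.
    print(serve(conn, {"acme"}, "SELECT body FROM messages WHERE id < 10"))
```

The point of the second call is the one slide 3 makes against application-only checks: the over-broad query is a programmer error the vulnerability scan would not catch, but because the `globex` taint rides along with the row and survives the string concatenation, the firewall can refuse the response without understanding the application at all.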

  5. New Adversary Models
  • The “foreign” code base is increasing
  • Application security is getting harder
  • Position: Protect the data, not just the application
  • Network-wide DLP could benefit cloud-based applications in other settings, too
    • Data isolation between multi-tenant application services
