Security and Privacy Preservation of Evidence in Cloud Accountability Audits

Cloud accountability audits promise to strengthen trust in cloud computing by providing reassurance that data in the cloud is processed according to data handling and privacy policies. To effectively automate cloud accountability audits, various distributed evidence sources need to be considered during evaluation. The types of information range from authentication and data access logging to location information, information on security controls and incident detection. Securing that information quickly becomes a challenge in the system design when the evidence that is needed for the audit is deemed sensitive or confidential. This means that securing the evidence at rest as well as in transit is of utmost importance. In this paper, we present a system based on distributed software agents that enables secure evidence collection for the purpose of automated evaluation during cloud accountability audits. We present the integration of Insynd as a suitable cryptographic mechanism for securing evidence. We explain our reasons for choosing Insynd by comparing its properties with the requirements imposed by accountability evidence collection and by analyzing how Insynd mitigates security threats. We put special emphasis on security and privacy protection in our system analysis.
