Stream on the Sky: Outsourcing Access Control Enforcement for Stream Data to the Cloud

There is an increasing trend for businesses to migrate their systems towards the cloud. Security concerns that arise when outsourcing data and computation to the cloud include data confidentiality and privacy. Given that a tremendous amount of data is being generated every day from a plethora of devices equipped with sensing capabilities, we focus on the problem of access controls over live streams of data based on triggers or sliding windows, which is a distinct and more challenging problem than access control over archival data. Specifically, we investigate secure mechanisms for outsourcing access control enforcement for stream data to the cloud. We devise a system that allows data owners to specify fine-grained policies associated with their data streams, then to encrypt the streams and relay them to the cloud for live processing and storage for future use. The access control policies are enforced by the cloud, without the latter learning about the data, while ensuring that unauthorized access is not feasible. To realize these ends, we employ a novel cryptographic primitive, namely proxy-based attribute-based encryption, which not only provides security but also allows the cloud to perform expensive computations on behalf of the users. Our approach is holistic, in that these controls are integrated with an XML-based framework (XACML) for high-level management of policies. Experiments with our prototype demonstrate the feasibility of such mechanisms, and early evaluations suggest graceful scalability with increasing numbers of policies, data streams and users.
