Project Overview

Sensitive services, such as health record repositories, are increasingly being hosted in cloud environments and this trend is expected to accelerate in the future. Due to the highly sensitive nature of cloud-resident information such as health records, financial data, etc., security is becoming a preeminent issue for cloud services. In addition, sensitive data from the cloud is increasingly downloaded to a wide variety of end devices and security controls must extend to cover these scenarios as well.

In this project, we are studying an architecture and concrete security mechanisms that are targeted at the specific problems inherent in cloud environments. Our primary focus is maintaining confidentiality, integrity, source verifiability, and recovery of sensitive information that resides in the cloud, where both the cloud provider and other applications can potentially gain access to cloud resources that are used to host the health services. Specific research thrusts include: 1) the encryption-utility tradeoff in encrypted databases, 2) data fragmentation techniques that build on the distributed storage resources of the cloud while achieving confidentiality, high availability, and excellent performance, 3) redactable digital signatures that maintain data utility while providing data integrity and source verification even when data passes through multiple intermediaries, 4) hybrid plaintext and encryption-based services that build on new protected memory capabilities of cloud virtualization layers, and 5) flexible information flow control techniques for heterogeneous cloud environments.

The architecture and mechanisms we are developing are being prototyped and evaluated on the CERCS 82-node, 784-core Jedi Cluster running OpenStack, which is an open-source cloud infrastructure implementation. End-device solutions are demonstrated on a tablet running open source Android.

The project is being carried out in collaboration with our industry partners, IBM and Microsoft, and is sponsored by the National Science Foundation through Grant IIP-1230740.

People

Georgia Tech

Prof. Douglas Blough
Prof. Ling Liu
Dr. Daniel Russler
Yuzhe Tang
Doug Sigelbaum
Sang-Chan Kim
Lei Zhang
Huiye Liu

IBM

Aameek Singh

Microsoft

Himanshu Raj

Research Artifacts

A Flexible and Secure Shared Object Storage Service for the Cloud (poster)
Distributed Enforcement of Sticky Policies with Flexible Trust, Presentation: this video is a presentation of our decentralized, heterogeneous fine-grained access control and information flow control work (see also the accompanying paper on Doug Blough's publications page)
Distributed Enforcement of Sticky Policies with Flexible Trust, Prototype Demonstration: this video shows a demonstration of a Windows-based prototype for our decentralized access and information flow control work, which includes an Excel add-in that provides variable data views and information flow control within Excel
Distributed Enforcement of Sticky Policies with Flexible Trust, Android App Prototype Demonstration: this video shows a prototype of a simple Android app that implements selected features of our decentralized access and information flow control work
Distributed Enforcement of Sticky Policies with Flexible Trust, Research Paper
Fine-grained Access Control on Mobile Devices, Android Prototype Demonstration: this video shows a prototype of an Android contacts manager that permits fine-grained and user-specifiable access control to contacts for Android apps

Back to Advanced Networking Lab's Main Page