Researcher with his head in the clouds
Ensuring our data is safe and secure in all conditions.
May 5, 2020
There are multiple tangible reasons and benefits to using cloud storage services, but with its ambiguous nature, is it something we can completely trust with our information? Senior Professor Willy Susilo and his team are working in just this space. With a recently awarded ARC grant, Susilo and Co are keen to find solutions for securing cloud storage with protection against malicious senders.
“Just put it in the cloud” is a sentence most of us have heard at this point in our lives. Every time we get a new phone or device we are told that uploading our information “in the cloud” is the safest and easiest option for storing and transferring our data. While the definition of the cloud can at times seem a little murky and confusing to the general population, it is now a way of life for those using digital technologies, integrated into various facets of our day.
The cloud is a model of data storage in which digital data is stored in logical groups. The physical storage spans multiple servers (often across multiple geographical locations), and the physical environment is typically owned and managed by an external hosting company. These cloud storage providers are responsible for keeping the data available, accessible, and ensuring the physical environment of the servers is protected and operational. Individuals and organisations buy or lease storage capacity from the providers to store user, business, or application data.
Through this service provider, cloud computing is a system that serves as an internet-based information centre where customers can access all kinds of files and software safely through several different devices, no matter where they are. Cloud storage services may be accessed through a co-located cloud computing service, a web service application programming interface (API) or by applications that utilize the API, such as cloud desktop storage, a cloud storage gateway or Web-based content management systems.
Simply put, cloud computing is the delivery of computing services – including servers, storage, databases, networking, software, analytics and intelligence – over the Internet (“the cloud”) to offer faster innovation, flexible resources and economies of scale.
There are multiple reasons and benefits of using cloud storage services. Maybe your local hard drives are low on disk space, in which case you can use the cloud as extra storage. If you want to be able to stream your music collection from anywhere, access your work files at home, easily share holiday pics, etc., you can upload your files online to a cloud storage service. Another reason providers promote using cloud storage is to keep important files secure behind a password and encryption.
However, when you rely on a third party to store data for you, you’re lifting a lot of responsibility off your shoulders. This is a double-edged sword. On one hand, you won’t have to manage your data; on the other hand, somebody else will. If something affects your storage provider, like outages or malware infections, then that will directly impact access to your data. You’ll have to rely on the provider to fix the issues. The more time your data spends unprotected, the more at-risk it becomes.
Cloud storage providers must ensure that the data stored in the cloud is readable only by authorised people. Information leakage from cloud storage, commonly known as “cloud leak”, is totally unacceptable, as it has a significant impact on users’ trust in the cloud provider. Unfortunately, cloud leak in the existing public cloud is common. Recent examples include the cloud leak in Verizon’s network in December 2018 that exposed 14 million US customers, which placed the reputation of Verizon’s cloud servers at stake, and the infamous Apple iCloud leak, which exposed a collection of almost 500 private pictures of various celebrities and jeopardised millions of dollars of future earnings.
Data leakage can cause serious problems since it could expose business-critical or private data to external sources. Even if you take steps to prevent anyone in your enterprise from leaking data, your storage provider might accidentally expose your data to the wrong person.
Encrypting data with a security policy before storing it in the cloud does not solve the problem, because malicious senders can deliberately make encrypted data accessible beyond the described policy. And this is where Professor Willy Susilo and his team come in.
Willy Susilo is a Senior Professor in the School of Computing and Information Technology, Faculty of Engineering and Information Sciences at UOW. He is the director of the Institute of Cybersecurity and Cryptology (iC2), School of Computing and Information Technology, also based at UOW. For this project Willy has brought together a team with extensive backgrounds in computer science, mathematics, cryptography and cybersecurity, all with specific experience in the development of secure cryptographic protocols and their fundamental schemes.
The project they are working on aims to enable secure public cloud storage by developing new practical cryptographic solutions that provide protection against malicious senders, in contrast to the existing knowledge that can only cope with malicious receivers. The expected outcomes are innovative technologies, which will lower infrastructure costs and provide cybersecurity for cloud storage.
“In this project we specifically aim to provide protection against malicious senders in the context of cloud leak, to enhance users’ confidence in public cloud storage,” says Willy.
This means the data being uploaded to the cloud would be automatically filtered and sanitised prior to being stored in the cloud. Their solution employs a hybrid encryption technique, such that sanitisation of a large data stream only involves extremely efficient symmetric key operations. Their approach will address three challenging problems: private information and key exposure, access policy violation, and integrity and authenticity enforcement.
“We will deal with a daunting task to provide protection to the cloud storage against malicious senders. We aim to take the approach of modifying ciphertexts on the fly. In our approach, we must introduce a mechanism that modifies the uploaded ciphertexts prior to storing them. We call this the sanitizer san. This means that all data uploaded by senders goes through san prior to being stored in the cloud. San will ensure that the stored ciphertext has no issues that may have been introduced by malicious senders. San is not equipped with any keys, so cannot decrypt the provided ciphertexts.”
“This mechanism benefits both the cloud storage provider and the organisation that employs the cloud. The protection against malicious senders will eliminate the severe impact of cloud leak, which brings direct benefit to the cloud provider. From the organisation’s point of view, the data can be stored in a secure way and it cannot be accessed by any third party, including the cloud provider.”
The emergence of cloud storage technology has greatly influenced enterprise operations, and the adoption of cloud technology has been one of the biggest changes of the digital age. The Australian government has identified cybersecurity as a fundamental element for Australia’s growth and prosperity. Australia’s cybersecurity strategy identifies that cloud computing, and hence cloud storage, will drive Australia’s future economy by producing $US 625 billion per year in economic activity. Moreover, AustCyber (Australia Cyber Growth Network) has indicated that cloud security, particularly in the public cloud, will increase demand for all forms of cybersecurity, so this project will significantly contribute to this future demand. This project will educate and train a new generation of Australian scientists in state-of-the-art cryptography and cybersecurity to resolve a practical problem.
The forecast for cloud solutions is that we’ll be seeing a lot more of them in the future; with UOW experts ensuring our security, we’ll be adequately covered. The investigators of this project are Prof. Willy Susilo, Associate Professor Guomin Yang, and Dr. Fuchun Guo, all from iC2 at UOW.