Dan Bogdanov, Ph.D., and Aivo Kalu, Ph.D., CISA
Cloud computing allows us to use computing infrastructure over the Internet. For example, one can rent storage and processors just as easily as one can rent a movie. Just as the movie distributor wants to prevent illegal copying of the movie, the data owner wants to prevent the cloud service provider (CSP) from copying or abusing its data. “Traditionally, the data owner has had direct or indirect control of the physical environment affecting his/her data. In the cloud, this is no longer the case.”1
A typical CSP does not accept responsibility for preventing third-party access to sensitive data such as intellectual property, trade secrets or personally identifiable information (PII), hosted in the cloud. The cloud user must manage this risk and deploy the necessary controls for ensuring confidentiality.
A cloud is a remote-access platform; thus, technical controls that remotely enforce a particular security policy are especially efficient. Examples of such controls include encryption and digital signatures. Encryption enforces confidentiality; digital signatures can detect if information has been modified since it was stored. Both mechanisms are static and require the user to remove the controls/protection mechanism to perform computations on the data. This means that stored encrypted and signed data are not protected from third-party access during processing.
The need for better solutions guides the development of new technologies. Secure multiparty computation (SMC) and homomorphic encryption (HE) are two new technologies that preserve cryptographic security during processing. If a cloud application uses these technologies, it can process data in the cloud without revealing the data to the CSP.
These new technologies enable applications that have previously been impossible to build due to a lack of trust in the CSP holding the data. One application of these technologies is the processing of PII with significantly better confidentiality than before. The International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) is scheduled to publish a standard for a privacy architecture framework (ISO/IEC 29101) that describes some ways for using SMC for PII processing.2
A well-studied application of SMC in the field of agriculture involves the Danish sugar company Danisco, which in 2008 began the process of requiring new contract agreements with sugar beet farmers. These manufacturing contracts contain production volumes and prices. Danisco requires this information in the contracts so that the company can plan sugar production. An auction was held to find the market-clearing price—the price at which Danisco could sign enough contracts to fulfill its need for sugar beets. However, the farmers were reluctant to report their production volumes to buyers because they feared that Danisco would use this information later to force unfavorable contract conditions. A survey held among the farmers resulted in approximately 75 percent of farmers stating that the confidentiality of the bid was either important or very important to them.3
Danisco began looking for better solutions because of this lack of trust. The problem was resolved with the use of an SMC auction system developed by the Alexandra Institute in Denmark. This secure auction system enforced the confidentiality of each bid in the auction and published only the market-clearing price. The sugar beet auction bids were collected over the Internet, but their software solution required representatives from Danisco and the sugar beet farmers’ association to physically come together to finalize the computation.
This case showed that SMC can be used to create trustworthy cloud applications.
The following case study shows SMC applied using cloud computing.
The Estonian Association for Information and Communications Technology (ITL) is a trade organization that connects Estonian IT companies such as Skype, Playtech, and the local offices of IBM, Microsoft and others. These companies formed ITL to protect their interests and to promote and develop IT education in Estonia. Estonia, a European Union country, is well known for its transparent e-government solutions; this same philosophy inspired ITL to collect financial performance indicators from its members to publish reports on how well the industry sector is performing.
According to the plan, the ITL board would collect metrics from its members and compile the report. As the organization consists of competing companies, some ITL members were reluctant to give their business health data to their competitors, but they were interested in the promised results.
ITL proposed developing the data collection and reporting system using SMC. The proposal suggested that ITL use a special kind of SMC that is based on secret sharing. Secret sharing is used to preserve the confidentiality of the financial metrics. It is a form of anonymous encryption that splits confidential values into several pieces that individually leak no information about the original secret value (see figure 1).
Material was prepared to inform the ITL members of the planned security measures and methods to ensure the confidentiality of their inputs. While it was hard to convince companies to disclose data about their financial state, everyone was interested in the health of the industry as a whole. Thus, the guarantees of SMC convinced ITL members to participate in the reporting.
ITL chose Sharemind4 as the SMC platform because it supported secret sharing and had the best performance among the available solutions.
The next step was the deployment of the secret-shared database. The efficient use of secret sharing requires three independent hosts for the database. Each host stores one share of each secret value. This guarantees that no single host is capable of recovering the confidential inputs from its database (see figure 1).
Three independent ITL members hosted the nodes of the Sharemind database. Two members used the Sharemind node on an Infrastructure as a Service (IaaS) CSP and the third member used a private server.
Sharemind developer tools provided libraries for creating the data collection and reporting applications. The resulting applications were deployed to the ITL intranet. The complete secure financial reporting system is depicted in figure 2.
The system went live in January 2011 and supplies biannual reports. A survey conducted among the ITL members showed that the new reporting system makes them feel safer about providing their financial metrics.5
Current SMC technology is most effective if the following three conditions are present:
SMC can also be used for securely outsourcing information processing of a single stakeholder to the cloud. However, a private or hybrid cloud may be a more efficient solution as the encryption benefits of SMC have a higher pay-off in this situation.
When the three conditions are present, the cloud application developer should evaluate the available SMC platforms to determine if SMC can be used to improve the security of the application. An SMC platform is a good control for keeping data confidential and analyzable at the same time.
SMC also protects the user’s information assets against access or seizure by the cloud service provider (CSP). Examples of such scenarios were described in a recent report by ISACA.6 For example, as the CSP controls the computing hardware running the cloud application, it also has access to the data residing within, including data such as customer and transaction databases. SMC can be used to protect and process databases with a greatly reduced risk of unauthorized access.
Following are the basic steps of building an SMC-enabled cloud application:
Some SMC platforms use freely available developer resources for easier evaluation. For example, Sharemind,7 SEPIA8 and VIFF9 provide developer tools and example source code online.
SMC applications can be deployed using the enterprise’s currently existing IaaS solutions. In time, a range of SMC-based Platform as a Service (PaaS) offerings is expected to make the use of the technology even simpler.
SMC is an emerging disruptive technology for processing confidential information. As with every technology, SMC has many approaches. Different platforms provide different security guarantees. New platforms and applications continue to be introduced around the world. Recently, the US Defense Advanced Research Projects Agency (DARPA) started the Programming Computation on Encrypted Data (PROCEED)10 program to develop new, efficient SMC methods. In Europe, there is a project with the goal of finding out how SMC can be applied in new areas.11
The main challenge for this new technology is its acceptance into existing risk management frameworks so that the CSPs and users can understand the risk mitigation it provides. One of the first areas where SMC is expected to have an impact is privacy; the ISO/IEC 29101 standard project on a privacy architecture framework describes SMC as a control for protecting PII. It will be up to the real innovators—the users—to take advantage of the new technology and realize its full potential.
1 ISACA, Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, white paper, USA, October 2009, www.isaca.org 2 ISO/IEC 29101, Information technology—Security techniques—Privacy architecture framework, November 20123 Bogetoft, Peter, et al.; “Secure Multiparty Computation Goes Live,” Proceedings of the 13th International Conference of Financial Cryptography and Data Security, Springer, 2009, p. 325-343 4 The Sharemind secure computation platform, http://sharemind.cyber.ee/5 Bogdanov, Dan, et al.; “Deploying Secure Multi-Party Computation for Financial Data Analysis (Short Paper),” Proceedings of the 16th International Conference on Financial Cryptography and Data Security, Springer, 2012, p. 57-646 ISACA, Security Considerations for Cloud Computing, Cloud Computing Vision Series, ISACA, 2012, www.isaca.org7 The Sharemind Software Development Kit, https://sharemind.cyber.ee/download-sdk8 SEPIA (Security through Private Information Aggregation), http://sepia.ee.ethz.ch9 Virtual Ideal Functionality Framework (VIFF), http://viff.dk10 DARPA’s PROCEED program is a research effort that seeks to develop methods that allow computing with encrypted data without first decrypting it, making it more difficult for malware programmers to write viruses.11 Usable and Efficient Secure Multiparty Computation, http://usable-security.eu/
Dan Bogdanov, Ph.D., is an information security researcher at Cybernetica (Estonia). Before starting his research career, Bogdanov worked in IT system development and consultancy. His interest in secure data processing comes from his experience in developing the data management platform of EGeen Inc., an international contract research organization (CRO) working in the area of drug development. Bogdanov is currently leading a team that is developing the Sharemind secure database system.
Aivo Kalu, Ph.D., CISA, is a security engineer at Cybernetica (Estonia) and has previously worked as the security officer for Elion Enterprises (Estonia’s largest telecom, now part of TeliaSonera group) and for the Ministry of Foreign Affairs of Estonia. Kalu has experience in both creating the enterprise security architecture and auditing the baseline and compliance security.
Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2013 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.