Privacy-preserving cloud computing on sensitive data: A survey of methods, products and challenges

Abstract

The increasing volume of personal and sensitive data being harvested by data controllers makes it increasingly necessary to use the cloud not just to store the data, but also to process them on cloud premises. However, security concerns on frequent data breaches, together with recently upgraded legal data protection requirements (like the European Union’s General Data Protection Regulation), advise against outsourcing unprotected sensitive data to public clouds. To tackle this issue, this survey covers technologies that allow privacy-aware outsourcing of storage and processing of sensitive data to public clouds. Specifically and as a novelty, we review masking methods for outsourced data based on data splitting and anonymization, in addition to cryptographic methods covered in other surveys. We then compare these methods in terms of operations supported on the masked outsourced data, overhead, accuracy preservation, and impact on data management. Furthermore, we list several research projects and available products that have materialized some of the surveyed solutions. Finally, we identify outstanding research challenges.

Introduction

Many companies are outsourcing at least some of their information technology to the cloud, from mere data storage to e-mail and other productivity applications. Reduced costs, no need for maintenance, virtually unlimited computational resources and increased availability are the main forces driving this change. Yet, security and privacy misgivings are still cardinal barriers hindering a franker migration to the cloud.

Security is defined as achieving confidentiality, integrity and availability of the data outsourced to the cloud. Users want to be assured that no intruder can hack the cloud and/or impersonate them to steal or alter their sensitive data, and that no denial of service will occur. In the E.U., 57% of large enterprises using the cloud reported the risk of a security breach as the main limiting factor in the use of cloud computing services [1]; in a survey by the cloud Security Alliance to over 165 information technology and security professionals in the U.S., most of the respondents considered cloud storage as high risk [2]; the European Network and Information Security Agency identified “loss of governance” over the data outsourced to the cloud as a critically deterring factor [3]. Security breaches are, in fact, very real threats. Some well-known examples include the Sony PlayStation Network outage¹ as a result of an external intrusion, in which personal details from approximately 77 million accounts were stolen, the multi-day outage in Dropbox² that temporarily allowed visitors to log into any of its 25 million customer accounts as a result of a misconfiguration, or the leakage of private pictures of a number of celebrities from the Apple iCloud storage service due to weakly protected login credentials.³

Regarding privacy, its most widely accepted definition in the information society is in terms of informational self-determination, that is, “the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others” [4]. Hence, for a cloud user to store and/or process sensitive data in the cloud, she needs the guarantee that no one other than herself – not even the CSP – will be able to see or infer her data. Thus, cloud computing needs to increase the user’s control on her data, which will decrease the need for users blindly trusting the CSP. Otherwise, a user might be reluctant to outsource sensitive data to the cloud.

Furthermore, when data are personal, the individuals to whom the data refer – a.k.a. subjects – have privacy rights that have recently been enshrined in the new European Union’s General Data Protection Regulation (GDPR⁴ ). To stay GDPR-compliant, a controller – an entity that has obtained consent from subjects to collect, store and process their data – can only outsource subject data to the cloud if she can obtain full control and confidentiality for the outsourced data. The above is a relevant issue because GDPR is also becoming a de facto legal standard outside the European Union, specifically in the USA, Australia, Canada and Japan, and any company wishing to sell information technology solutions to those markets must take it into account.

Notice that privacy is even more challenging than security, because it must hold also with respect to (public and, therefore, untrusted) CSPs. In this respect, the cloud has given CSPs the opportunity to analyze and exploit large amounts of personal data. In fact, a report by the U.S. Federal Trade Commission [5] states that public CSPs regularly collect and analyze the data of their users without the latter’s knowledge, and that those analyses could yield sensitive inferences; for example, a CSP could detect individuals that suffer from diabetes because of their interest in sugar-free products and share this information with an insurance company that could use that clue to classify a person as higher-risk (and possibly higher-premium).

One might argue that sensitive data handling in the cloud would be much simpler if the CSP could be assumed to be trusted. However, there are several legal issues here. On the one hand, in many scenarios the data subjects entrust the data controller with their personal data (for example, healthcare data), but this does not mean they allow the controller to further transfer their data to whomever the controller chooses to trust. On the other hand, the CSP may be under a jurisdiction different from the controller’s. If, say, the CSP is under U.S. law whereas controller and subjects are under E.U. law, the latter law may be violated. Finally, many public CSPs offer their services free of charge in return for the possibility of monetizing users’ data. For example, a recent privacy policy in Google⁵ specifies that whatever information a user decides to outsource to any Google service can be used, reproduced, modified or distributed by Google with the aim of improving or promoting its services, but also to conduct targeted advertising (e.g., the Gmail filtering system scans the content of our emails to serve personalized ads).

To assuage the above issues and restore the user’s control and trust on the protection of the data outsourced to the cloud, several solutions have been proposed in recent years. All of them involve masking sensitive data so that only protected values are stored in the cloud and only the user/controller owning the data is able to unmask the protected values retrieved from the cloud. However, if the user wants to use not only the cloud’s storage but also the cloud’s computational power, the challenge is even harder, because data protection should be made compatible with outsourced computations on cloud premises on masked data.

In this paper we survey the state of the art on security and privacy-enabling solutions towards the cloud, with a focus on those that preserve cloud service functionalities, such as the ability to outsource queries and calculations on protected data to the cloud. In comparison with recent surveys on this area, ours offers the following contributions:

• Most surveys focus on data security vs external attackers [6], [7], [8], [9] rather than on privacy versus the cloud. Therefore, they center their analysis on security attacks and on mechanisms to prevent, detect and mitigate them. In contrast, our survey considers mechanisms that protect outsourced data not only against third-party attackers, but also against insiders and honest-but-curious clouds ⁶ storing and managing such data.

• Many surveys concentrate on outsourced data storage [8], [9], [10]. Our paper goes a step beyond and puts the spotlight on the preservation of cloud service functionalities (e.g., queries, calculations, etc.) on the protected data outsourced to the cloud. Taking advantage of the cloud’s computing power on protected data is significantly more challenging than merely using the cloud to store protected data.

• All surveys covering privacy-enabling service preservation mechanisms are limited to cryptographic solutions [11], [12]. Even though these methods are powerful to secure data, they also result in significant calculation overheads (which partly neutralize the cost-saving benefits of cloud computing), they require key management, and they severely limit cloud functionalities on the outsourced data because they need tailored solutions for each type of outsourced calculation [12]. To be self-contained, we also discuss cryptographic solutions but, for the first time, we comprehensively survey non-cryptographic methods (based on data splitting and anonymization) that can be used to efficiently protect data outsourced to the cloud while preserving a variety of cloud services.

• In addition to the security and privacy-enabling solutions proposed in the literature, we survey research projects and products that implement some of these methods in the cloud scenario and discuss the outsourced functionalities they support.

In Section 2 we characterize the scenario we consider by identifying the actors and the entities involved. A common feature of privacy-enabling technologies towards the cloud is the use of a local proxy by the controller to mask the data before outsourcing them to the cloud. In this section we also present this general architecture and the assumptions and security models on which available solutions rely. We conclude the section with the identification and the description of the requirements that privacy-enabling technologies should ideally fulfill. In Section 3 we review data protection techniques, non-cryptographic or cryptographic, that have been or can be implemented in the aforementioned proxies to enable privacy and security towards the cloud while preserving (at least some of) its functionalities. In Section 4 we present a critical comparison of the techniques covered in Section 3 with respect to the requirements identified in Section 2. In Section 5 we survey research projects and products that offer security- and privacy-enabling solutions towards the cloud, and classify them according to the type of data protection technique they employ. Finally, in Section 6 we gather the conclusions and several research challenges derived from the gaps identified in the survey.