Data-at-Rest Protection and Efficient Access Control in the Cloud

Book
Publication Date:
2021
Short description:
(2021). Data-at-Rest Protection and Efficient Access Control in the Cloud. Retrieved from http://hdl.handle.net/10446/200548
abstract:
Cloud storage services offer a variety of benefits that make them extremely attractive for the management of large amounts of data. These services, however, raise some concerns related to the proper protection of data that, being stored on servers of third-party cloud providers, are no longer under the data owner's control. The research and development community has addressed these concerns by proposing solutions where encryption is adopted not only for protecting data but also for regulating accesses. Depending on the trust assumption on the cloud provider offering the storage service, encryption can be applied at the server side, client side, or through a hybrid approach. In this book, for each of these three scenarios, we present a novel approach, supported by its implementation, for providing data-at-rest protection and efficient access control. First, we introduce and implement a novel hybrid approach, named EncSwift. EncSwift relies on client-side encryption for protecting data-at-rest, and on server-side encryption to enforce efficient access revocation. Second, we introduce a novel technique, i.e., Mix&Slice, belonging to the family of all-or-nothing transforms (AONTs), and we present an interesting application of AONTs to Decentralized Cloud Storage (DCS) networks. Indeed, an AONT provides stronger security guarantees on the data it wraps, and it can be exploited for enforcing efficient access revocation without requiring the support of the cloud provider. Finally, we target efficient access control on data aggregations, when relying on a trusted provider. Indeed, despite the availability of information, situations like fragmented ownership and legal frameworks hinder data processing, requiring companies to design complex human-driven processes in order to gather, aggregate, and process data in a compliant way. We address this lack of automation with an access control mechanism extending the XACML policy language, and enforcing a novel decision process.
Iris type:
1.9.03 Collana della Scuola di Alta Formazione Dottorale
List of contributors:
Rosa, Marco
Handle:
https://aisberg.unibg.it/handle/10446/200548
Full Text:
https://aisberg.unibg.it/retrieve/handle/10446/200548/474644/CollanaSAFD_Volume36_2021.pdf
Published in:
COLLANA DELLA SCUOLA DI ALTA FORMAZIONE DOTTORALE
Series
Concepts


Sector ING-INF/05 - Information Processing Systems