Title :
Protecting Outsourced Data Privacy with Lifelong Policy Carrying
Author :
Xiaoguang Wang ; Qi Yong ; Yuehua Dai ; Jianbao Ren ; Zhang Hang
Author_Institution :
Dept. of Comput. Sci., Xi'an Jiaotong Univ., Xi'an, China
Abstract :
The lack of remote data access control and the loss of any remote data access trail make data owners hesitate when they must outsource sensitive data to a remote third-party platform. Data owners have no choice but to trust the remote third-party software before they ship their data to that environment. In this paper we propose a new set of guiding principles for protecting outsourced data with a policy specified by the data owner. Compared with the traditional access control mechanisms provided by service providers, which can be regarded as a first layer of confinement, we aim to give the data owner a second layer of confinement over data propagation and access without modifying existing data-access applications. This is achieved by two critical techniques: (1) a policy-carrying data model that binds customer data to a logical data access policy, and (2) a remote application running environment that acts as the data access verifier and propagation controller. To demonstrate the feasibility of this approach, we build the logical data propagation and access control (LDPAC) system, in which a human-readable policy abstraction is provided to formulate data propagation and access. When policy-carrying data is shipped to the remote service provider, the per-node LDPAC verifier module performs logical proof checking to mediate sensitive data access. Meanwhile, any authorized application that intends to access sensitive data is forced to run in an application container, in order to prevent sensitive data leakage through in-memory data breaches. Our evaluation shows that the LDPAC system adds reasonable performance overhead for mediating remote sensitive data access and propagation, while preserving the original service deployment.
Keywords :
data protection; information retrieval; outsourcing; theorem proving; trusted computing; LDPAC system; access control mechanism; data owner specified policy; human-readable policy abstract; in-memory data breaches; lifelong policy carrying; logical data propagation and access control system; logical proof checking; outsourced data privacy protection; per-node LDPAC verifier module; policy-carrying data; policy-carrying data model; remote data access control capability; remote sensitive data access and propagation mediation; remote service provider; remote third party platform; remote third party software; Access control; Containers; Data models; History; Servers; Software; access and propagation control; data outsourcing; data privacy; policy-carrying data model
Conference_Titel :
2013 IEEE 10th International Conference on High Performance Computing and Communications & 2013 IEEE International Conference on Embedded and Ubiquitous Computing (HPCC_EUC)
Conference_Location :
Zhangjiajie
DOI :
10.1109/HPCC.and.EUC.2013.128