
End-to-End Privacy Policy Enforcement in Cloud Infrastructure

Stéphane Betgé-Brezetz, Guy-Bertrand Kamga, Marie-Pascale Dupont, Aoues Guesmi
Alcatel-Lucent Bell Labs
Nozay, France
Email: firstname.lastname@alcatel-lucent.com

Abstract — Privacy in the cloud is still a strong obstacle to the large-scale adoption of cloud technologies by enterprises, which fear actually putting their sensitive data in the cloud. There is indeed a need for efficient access control on the data stored and processed in the cloud infrastructure, able to support the various business and country-based regulatory constraints (e.g., on data location and co-location, data retention duration, data processing, node security level, tracing and audit). In this perspective, this paper presents a novel approach to end-to-end privacy policy enforcement over the cloud infrastructure, based on the sticky policy paradigm (a policy being bound to each sensitive data item). In our approach the data protection is performed within the cloud nodes (e.g., within the internal file system of a VM or its attached volume) and is completely transparent to the applications (no need to modify them). This paper describes the concept and the proposed end-to-end architecture (from the client to the cloud nodes) as well as an implementation based on FUSE (Filesystem in Userspace). This implementation is exercised on a scenario of data access and transfer control, and is also used for performance evaluations. These evaluations show that, with a reasonable additional computation cost, this approach offers a flexible and transparent way to enforce various privacy constraints within the cloud infrastructure.

Index Terms — Cloud computing; privacy control; data protection; sticky policy; FUSE

I. INTRODUCTION

The benefits of Cloud Computing are widely recognized, particularly the ability to provide IT resources such as storage and computing power on demand, while requiring little effort from the cloud customer to manage these resources. Indeed, reduced IT costs and improved business agility are identified as the greatest drivers of cloud computing adoption [24]. Nevertheless, enterprises are still hesitant to put their sensitive data in a cloud infrastructure, even for a time-bound project. Although the rate of adoption has recently accelerated, the large-scale adoption of cloud technologies is still restrained by data security and privacy issues [28]. Indeed, recent security and privacy breaches [5][21] illustrate the first two of the top nine cloud computing threats identified by the CSA for 2013 [22], namely data breaches and data loss. Moreover, Personally Identifiable Information (PII) is also subject to strong constraints (e.g., on its location or on the storage security level) that notably come from country-based regulations [7] and that may be an actual hurdle for companies or administrations wishing to store such sensitive data in a cloud.

In order to prevent the loss of control over data and to limit the cost of security breaches, focusing on protecting the sensitive data themselves is more efficient than focusing on a tight security perimeter. Indeed, the biggest threat comes from internal users taking advantage of new tools and applications (cloud-based file synchronization tools such as Dropbox or Google Drive) to access their data from any device and any location [23]. Therefore, in order to take full benefit of the high-growth cloud computing market, control mechanisms are needed to keep the privacy and confidentiality of the sensitive data stored in the cloud throughout their lifecycle (creation, processing, transfer, deletion).

Regarding privacy control, two extreme choices lie before the Cloud User: either blindly entrust its data to the cloud (e.g., using Dropbox through a web browser), or place no trust in the cloud and protect the data through encryption (using BoxCryptor or Viivo, for example), at the price of losing the value-added services offered by the cloud.

In between these two extremes, Cloud Service Providers (CSP) are increasingly encouraged to provide the Cloud User (CU) with the features and technologies needed to protect the CU's sensitive data within the CSP's cloud infrastructure [9]. Indeed, contractual obligations on the management of the CU's sensitive data can be specified in the Service Level Agreement (SLA) that the CSP has to comply with.

In [26], we presented such an in-between approach, in which some metadata describing the data (e.g., data semantics, types) can be revealed so that the CU and the CSP can mutually benefit from the cloud's value-added services. A multilevel privacy policy enforcement approach was introduced to ensure data protection both at the application level and at the cloud infrastructure level. This approach is based on expressing privacy requirements as policies that state how data may be accessed and used, and that are evaluated before any action is performed on the data.

Building on this previous work, this paper focuses on the IaaS CSP and therefore on policies handled at the infrastructure level, such as location-based data rules. We propose a flexible data protection technology supporting the end-to-end enforcement of data protection policies within the cloud infrastructure (notably within the file system of a virtual machine or of a volume), fully transparent to the applications, and also allowing any action performed on the data to be monitored for later analysis.

978-1-4799-0568-3/13/$31.00 ©2013 IEEE
2013 IEEE 2nd International Conference on Cloud Networking (CloudNet): Full Paper

The paper is structured as follows. In Section II, we present the context and the main technical challenges regarding the enforcement of privacy settings within the cloud infrastructure. In Section III, we analyze the related work in this area and position our approach. Section IV then introduces the general architecture addressing the technical challenges identified. Section V details our implementation based on FUSE, illustrates it on a scenario related to data access and transfer, and presents the results of the performance evaluation that has been conducted. Finally, in the conclusion, we discuss open issues and perspectives.

II. PRIVACY IN THE CLOUD: CONTEXT AND CHALLENGES

A. Business and regulation context

Privacy and data protection are still obstacles to the large-scale adoption of cloud technology by enterprises. Consider the case of a company willing to move its IT from its own premises to a cloud IaaS (even for a time-bound project). As shown in Fig. 1, this enterprise then has to move into the CSP its data, its applications and the related policies (governing how the data can be accessed and used). Various data types, applications and policies need to be considered:
• Data types: PII such as employee data (e.g., HR data), customer data (e.g., user profiles, eHealth data), sensitive technical or financial data, etc.
• Applications: content sharing applications, communication tools, analytic applications, etc.
• Privacy and data protection policies: regulation policies (country-based), enterprise policies (e.g., internal enterprise policies), individual policies (for instance, the privacy policy defined by a customer of the enterprise regarding the usage of his customer profile).

[Figure: Traditional Enterprise IT (on-premise based) moving its Data, Applications and Policies to a Cloud-based Enterprise IT (incl. private and public cloud)]
Fig. 1. Company moving its IT in a cloud IaaS

Moving such IT assets into an IaaS cloud raises many concerns for the enterprise, such as: How to ensure that the policies applicable to each data item are enforced in the cloud? Where are the data located? Are the country-based regulatory constraints on the data respected? Who has access to the data, from where, and how many times? How many instances of a given data item exist in the cloud infrastructure? And how to be sure that all these instances will be deleted when requested?

Note that these issues have been well underlined by standards and regulation bodies [4][7][27] which, notably in Europe, state that this enterprise, as a Cloud User (the Data Controller in regulatory terminology), is responsible for the correct application of the privacy policies to its customers' data. Indeed, the enterprise can be prosecuted in case of inappropriate usage of its customers' data (even if these data are processed in the CSP infrastructure and not on its own premises). Consequently, this obliges the CSP (the Data Processor in regulatory terminology) to provide adequate privacy functions and capabilities so that the Cloud User can appropriately set the privacy policies for each of its sensitive data items. These privacy settings have to be specified in the SLA contract agreed between the CU and the CSP.

The overall process of privacy setting in a cloud IaaS is depicted in Fig. 2. At first, the CU needs to identify the characteristics of the data that will be put in the cloud (step 1 in Fig. 2), e.g., the data type (such as eHealth data), the data criticality, the data owner, or the owner's location. These characteristics allow the CU to find the right policy to apply to the data (step 2 in Fig. 2) and then to upload the data into the cloud with the related privacy settings (step 3 in Fig. 2). These privacy settings concern the cloud infrastructure and cover the storage (data location and co-location constraints, access control, retention duration, data usage tracing, data breach notification, etc.) as well as the virtual machines (VM location/co-location, VM isolation, VM security level, etc.).

[Figure: the Cloud User (Data Controller) derives privacy-related metadata from the Data (1), selects the applicable policies (2) and uploads the data with the cloud privacy settings (3) to the Cloud Service Provider (Data Processor), whose Cloud Compliance Management (e.g., orchestration, monitoring) applies the SLA on the Cloud Infrastructure (computing node, storage, network)]
Fig. 2. Overall process of privacy policy setting in a cloud IaaS

Note that, as described in [26], other privacy constraints may concern the application itself (e.g., to authorize or forbid some specific application-level actions on the data). However, these constraints are not handled in the cloud infrastructure (but within the application) and therefore cannot be enforced and guaranteed by an IaaS CSP. As we focus in this paper on the IaaS CSP, we do not address these application-specific constraints. For more on how to enforce privacy policies within applications, see for instance [2].

B. Technical challenges

In this context, guaranteeing privacy and data protection policies within the infrastructure raises several technical challenges, such as:
• Ensure the end-to-end protection of data from the cloud user's terminals and through the entire cloud networking, storage and computation infrastructure.
• Support various types of privacy policies (e.g., data location, data retention duration, data access depending on the requester or its processing purpose), these policies coming from different sources such as regulation, the enterprise's own policies or the enterprise's customers.
• Enable fine-grained policy enforcement by offering the possibility to assign, if needed, a particular policy to a data item.
• Allow fine-grained monitoring of data with tamper-proof traces generated for all actions performed on the data (including processing by applications, copy, transfer, deletion, etc.) and provide a comprehensive dashboard of the data usage (for instance for audit purposes).
• Offer a data protection mechanism fully transparent to the applications (i.e., with no need to modify them).
• Finally, ensure the scalability and performance of the solution, notably regarding the volume of data to handle as well as the complexity of the policies.

In the rest of this paper, we detail our approach to end-to-end privacy policy enforcement, which aims to address these technical challenges.

III. RELATED WORK

Numerous technologies have been studied to tackle security and privacy issues in the cloud (see for instance [10] or [11] for general surveys of these works). Regarding the particular challenges identified in Section II.B, we can mention the different approaches discussed below.

A first approach consists in obfuscating the data before sending them to the cloud, so that the data are neither understandable nor exploitable by the CSP. Such data obfuscation can be achieved in various ways. The data can be encrypted, as proposed by several research initiatives such as [13][18] or business solutions such as [8][14]. The data can also be split into parts that are distributed over different, non-colluding, cloud entities [3]. Similarly, the computation performed on the data can be distributed to preserve privacy [12]. Other approaches such as [15] or [16] use proxy re-encryption to protect the privacy of content stored in one or several clouds and shared between different end users.

These approaches do prevent the CSP from accessing the plain data, but they also prevent the cloud user from benefiting from the value-added services that the CSP may provide (e.g., indexing, search, or personalized services). Homomorphic encryption [6] addresses this by enabling some processing on encrypted data, but it is still very computationally expensive. Finally, none of these approaches allows the CU to specify a wide range of privacy policies (for instance related to location or retention duration) that the CSP can enforce without necessarily requiring access to the plain data.

Other approaches have been proposed to define, for each data item, a privacy policy describing the constraints on accessing the data and the obligations to execute afterwards. In particular, the sticky policy approach consists in binding this policy to the data and sending the set [data + policy] into the cloud. Among these sticky policy approaches, we can mention DPaaS (Data Protection as a Service) [1], a trusted platform using a combination of encryption, application confinement and information-flow controls to enforce an application-level sticky policy attached to the data. In [20], another sticky policy approach is presented, with a Consent & Revocation module allowing dynamic checking of the access to the data of an enterprise by applications running inside or outside this enterprise. In [19], a scalable authorization infrastructure is proposed, based on sticky policies and with conflict resolution capabilities, that a cloud provider can use to control the web service requests made by applications on sensitive data. In [17], an access control layer with a dedicated API is added above the cloud server in order to control, through sticky policies, the access to these data by third parties. Finally, even if not really sticky-policy based, we can also mention Rights Management Systems (RMS) [25], which offer a proprietary access control solution for documents shared between employees using office applications.

All these approaches basically offer policy-based control when an application wants to access sensitive data, but this control is not really embedded within the cloud infrastructure. Therefore, some infrastructure-related constraints (e.g., on the location or the security level of the node) cannot be enforced. Moreover, in order to automatically trigger this control before a privacy-sensitive data item is accessed, the application would need to be upgraded or, if the data are accessed through a web browser, a dedicated plug-in would need to be loaded into the browser.

In this paper, we therefore propose an approach that also belongs to the sticky policy family, but that can be enforced within the cloud infrastructure, notably within the file system of a virtual machine (VM) or of its storage system (volume). This file-system-based approach, using sticky policies, is therefore completely transparent to the applications and does not need any particular or proprietary API. It also supports various infrastructure-level policies (for instance on the location or the minimum security level of a node). Finally, it generates tamper-proof traces that allow a comprehensive dashboard of all actions performed on the sensitive files to be built, which may later be used for an audit of data usage.

IV. GENERAL ARCHITECTURE

A. Architecture principles

To address the challenges described in Section II.B, we propose an end-to-end architecture whose principle is depicted in Fig. 3, where a data protection module at the cloud customer's site collaborates with a data protection module running in the cloud provider's infrastructure to provide a chain of trust between the cloud customer and the cloud provider.

[Figure: the Cloud Customer side (Customer Site: Applications, Client Data Protection Module) and the Cloud Provider side (Cloud Infrastructure Level: Services, Data Protection Module) exchange Policy, Data and Data usage history]
Fig. 3. Overall data protection architecture
In this architecture, the Client Data Protection Module associates the data with the adequate policy and sends the set [data + policy] to the cloud infrastructure. All operations on these data from either the Cloud Customer Applications (e.g., open, read, write, delete) or the Cloud Provider Services (e.g., replication) are controlled, according to the associated policies, by a Data Protection Module running in the cloud infrastructure. Finally, this Data Protection Module is also in charge of providing end-to-end monitoring of customer data usage, thanks to the generation of tamper-proof traces for all the operations performed on customer data.

B. Architecture for file data protection

In order to offer fine-grained data protection (cf. Section II.B), we may offer this control for each sensitive file stored in the cloud. For this purpose, we propose to instantiate the previously introduced Data Protection Module directly within the internal file system of a VM or its attached volume. The proposed architecture is depicted in Fig. 4.

[Figure: a Customer Device (Applications, Client Data Protection Module) exchanges with a Cloud Computing Node whose Virtual Machine hosts the File Data Protection Module (File System Wrapper, Data Access Manager, Policy Evaluation Engine, Trace Manager), placed between the applications' FS requests/responses and the FS Kernel Module of the OS, which holds the Policy and the Data]
Fig. 4. File Data Protection Architecture

In this architecture, the cloud client's device is provided with a basic Client Data Protection Module allowing it, on the one hand, to upload the data with its associated policy into the cloud infrastructure and, on the other hand, to download, if authorized, the data from the cloud infrastructure (the data are then back within the enterprise security domain).

On the cloud side, the VM comprises a File Data Protection Module (FDPM), also called Privacy-aware File System in [26]. The FDPM includes the following main components:

• File System Wrapper (FS Wrapper)
This module intercepts all file system requests (FS req. in Fig. 4) to a given storage system accessible from the VM (e.g., internal directory, mounted volume, NFS) and checks whether the requested file is subject to a specific policy. If so, the result of the request depends on the evaluation of the applicable policy. In a Unix-like OS environment, the interception of file system requests can be done using FUSE (Filesystem in Userspace) [33], whose kernel part sits in the file system kernel (FS Kernel Module in Fig. 4). Moreover, each sensitive file that needs to be controlled is linked with the appropriate policy. A policy can be bound to a file using a sticky policy method such as the Privacy Data Envelope (PDE) mechanism [2], which builds an encrypted envelope containing the sensitive data and the related policy. This binding step can be done by the Client Data Protection Module or even by an application supporting such a bound [data + policy] structure. Moreover, this binding can be achieved by associating the file either with the entire policy, or only with a reference/pointer to the policy, stored separately from the file.

• Data Access Manager
This module is in charge of extracting the policy from the PDE so that it can be checked by the Policy Evaluation Engine described below. In case of a positive decision, this module decrypts the raw data contained in the PDE so that they can be made available to the application (FS resp. in Fig. 4).

• Policy Evaluation Engine
This module is in charge of evaluating the policy based on parameters provided by the FS Wrapper and related to the request (user ID, application ID, file ID, location of the VM, etc.). Depending on the implementation, this module can be inside the same VM as the FS Wrapper or at a remote site (e.g., in another VM, on the customer side, on a third party's side).

• Trace Manager
This module logs all the operations occurring on any sensitive file requiring access/usage tracking (as also defined in the policy) and provides the customer with means to access these traces in a comprehensive dashboard.

So, as illustrated in Fig. 5, end-to-end data protection is ensured, as a file protected with our approach can be accessed only within an environment, or transferred only to environments (client devices and cloud VMs), having the appropriate Data Protection Modules. As a consequence, depending on the policy decision, one can access the protected file embedded in the PDE from both client devices and from all the virtual machines except Virtual Machine 3, which does not have a Data Protection Module (see Fig. 5).

[Figure: Customer Device 1 and Customer Device 2 (each with a Client Data Protection Module), Virtual Machine 1 and Virtual Machine 2 (each with a File Data Protection Module) and Virtual Machine 3 (no protection module) within the Cloud Resources]
Fig. 5. End-to-end File Data Protection

Moreover, we can note that a higher level of trust in the controls performed by the data protection modules could be guaranteed by leveraging the underlying trusted modules on the client and cloud provider devices, using technologies such as TPM (Trusted Platform Module), Mobile TPM or virtual TPM.

V. PROTOTYPE AND PERFORMANCE EVALUATIONS

A. Prototype

From this architecture, we have implemented a prototype in Java that has been exercised on a scenario as well as used to evaluate its performance. The prototype implementation is detailed in Fig. 6 and is composed of the following components.

The VM OS is Ubuntu 12.04, with FUSE kernel module 2.8.4. The directory that we want to control is mounted with FUSE and named /Protected_Dir. All the PDE files are stored within this Protected_Dir, and all access requests made to these PDE files by any application are intercepted and forwarded to the File System Wrapper.

The File System Wrapper is a user-space file system implemented on the FUSE-J library [34] with its JNI binding to FUSE [33]. The FS Wrapper actually stores the PDE files in a backend directory, named /Backend_Dir, that can be located in the VM file system or on its attached volume. Note however that the FS Wrapper mechanism is completely transparent to the client or system applications, which see and access the PDE files in the Protected_Dir as in any other directory (no need to modify the application). The key difference is that access is decided not by the classical Unix POSIX ACL (e.g., "ugo+rw"-style access rights) but by the policy stored within the PDE file. Indeed, the FS Wrapper controls any request (e.g., open, read, write, delete) made on a file accessed through the FUSE-mounted Protected_Dir. If the file is subject to a policy (e.g., in the case of a PDE), it retrieves the associated policy as well as, using the fuse_context structure provided by FUSE, the context of the request (e.g., the requesting application, the user, the requested action, the location of the file and of the requester, the date/time of the request). This information (policy and context) is sent to the Policy Checking module to determine whether the request is authorized and to obtain the resulting obligations (e.g., generate a trace). If the request is authorized, it gives access to the data and fulfills the possible obligations. Note that the FS Wrapper thus plays the role of a Policy Enforcement Point (PEP).

The PDE Manager is the module providing the necessary functions for manipulating a PDE (e.g., extracting the policy or the content from a PDE, creating a new PDE). It uses GPG [29] and Blowfish [31] to secure the PDE. Given a PDE, its policy and its content are respectively encrypted with Blowfish using two generated symmetric keys. These symmetric keys are then encrypted with the public key of each user authorized to access the PDE (according to the policy decision).

The Policy Checking is a Policy Evaluation Engine based on Sun's implementation of the XACML specifications [32]. Its role is to format the request received from the FS Wrapper before sending it to the XACML policy engine, which determines whether the request is accepted or denied according to the policy and context.

The User Context Manager is the module that provides additional information (e.g., user unique ID, user location) about the user involved in the request. Moreover, in the case of a file transfer request (for instance via FTP), this module fetches the requester's context from the remote User Context Manager running on the requester's VM (or device). In our prototype, this communication between User Context Managers is done via a socket (on a dedicated port), but an alternative implementation could for instance retrieve this information from a centralized entity (e.g., an LDAP server).

The Trace Manager is in charge of generating and storing the traces related to the actions/requests performed on the files requiring access tracking. It logs all the information related to the user, the application, the date/time, the file, the requested action, the request decision, etc. in a dedicated log file. All these logs are then collected in order to build a comprehensive dashboard showing all the protected files, their locations and the actions performed.

[Figure: a Customer Device (Client Data Protection Module) connected to a Cloud Computing Node running a Linux Ubuntu VM; system and user applications issue FS requests/responses on /Protected_Dir, which the FUSE Kernel Module passes to the FUSE-J based FS Wrapper; the wrapper calls the PDE Manager, Policy Checking, User Context Manager and Traces Manager and stores file.pde in /Backend_Dir]
Fig. 6. Implementation details

B. Scenario

Consider the basic example of an e-commerce enterprise that operates in different countries. This enterprise wants to benefit from a cloud IaaS to deploy its business software (in order to reduce its IT costs and to follow the evolution of demand thanks to the cloud's flexibility). However, this enterprise holds sensitive data such as the personal profile of each of its customers, which contains privacy-related information (e.g., name, address, contacts, purchase history, detailed preferences, location history). Depending on the customer, the profile may be used to provide certain services (e.g., content recommendation) but not others (e.g., targeted advertising). Moreover, the enterprise has to ensure the protection of these profiles, notably regarding their storage location (for instance depending on the customer's citizenship).

In order to operate its services, the enterprise has deployed virtual machines in different countries. Fig. 7 shows a simple example of deployment where one VM is running in France (VM-FR), two VMs are running in the US (VM-US-1 and VM-US-2), and one VM is running in another country (VM-Other). Note also that three VMs (VM-FR, VM-US-1 and VM-Other) are equipped with the FDPM, while VM-US-2 is not. Finally, the enterprise has also deployed some applications on these VMs, Application_A and Application_B (which can for instance be, respectively, a content recommendation application and a targeted advertising application).
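Before walking through the scenario, the decision path of Section V.A (FS Wrapper acting as PEP, Policy Checking, User Context Manager, Trace Manager) can be made concrete. The block below is an added example for this page, not the prototype's Java/XACML code: the policy is hard-coded as a Go struct rather than expressed in XACML, the request context fields and the trace wording follow Fig. 9, and the constraints it encodes are those the scenario places on MarcDurand.pde (storage in a protected VM only, storage in France or the US only, Application_A allowed and Application_B denied). Timestamps are omitted.

```go
package main

import "fmt"

// Request is the context the FS Wrapper (the PEP) gathers for one intercepted
// operation from fuse_context and the local or remote User Context Manager.
type Request struct {
	Action            string // "read", "write", "cp" or "sftp"
	App               string // requesting application, e.g. "Application_A"
	RequesterLocation string // requester's country; "" when no remote UCM answered
	RemoteProtected   bool   // cp/sftp only: target is a Protected_Dir on an FDPM-equipped VM
}

// Policy carries the three constraints attached to the profile in Section V.B.
type Policy struct {
	AllowedApps, AllowedCountries map[string]bool
	RequireProtected              bool
}

// Decision is the Policy Checking answer; Trace is the obligation that comes with it.
type Decision struct {
	Permit, Trace bool
	Reason        string
}

// Evaluate fails closed: an action the policy does not know about is denied.
func (p Policy) Evaluate(r Request) Decision {
	switch r.Action {
	case "read", "write":
		if !p.AllowedApps[r.App] {
			return Decision{false, true, "application not authorised by policy"}
		}
	case "cp", "sftp":
		if p.RequireProtected && !r.RemoteProtected {
			return Decision{false, true, "target is not a protected VM / Protected_Dir"}
		}
		if !p.AllowedCountries[r.RequesterLocation] {
			return Decision{false, true, "requester country not authorised"}
		}
	default:
		return Decision{false, true, "unsupported action"}
	}
	return Decision{true, true, "policy satisfied"}
}

// formatTrace renders one line in the shape of Fig. 9 (timestamp omitted).
func formatTrace(r Request, d Decision) string {
	action, loc, res := r.App+" ["+r.Action+"]", r.RequesterLocation, "OK"
	switch {
	case r.Action == "cp" && !r.RemoteProtected:
		action = "cp <outside-Protected_Dir>"
	case r.Action == "sftp" && r.RemoteProtected:
		action = "sftp <to-protected-VM>"
	case r.Action == "sftp":
		action = "sftp <to-unprotected-VM>"
	}
	if loc == "" {
		loc = "?" // no FDPM on the peer, so no User Context Manager answered
	}
	if !d.Permit {
		res = "NOT OK"
	}
	return fmt.Sprintf("Action: %s, Requester Location: %s, Decision: (%s)", action, loc, res)
}

// Enforce is the FS Wrapper's path for one request: decide, then honour the trace obligation.
func Enforce(p Policy, r Request, trace *[]string) Decision {
	d := p.Evaluate(r)
	if d.Trace {
		*trace = append(*trace, formatTrace(r, d))
	}
	return d
}

// RunScenario replays steps 3 to 8 of Section V.B as seen by the FDPM on VM-FR
// and returns the lines the Trace Manager would write.
func RunScenario() []string {
	policy := Policy{
		AllowedApps:      map[string]bool{"Application_A": true},
		AllowedCountries: map[string]bool{"FR": true, "US": true},
		RequireProtected: true,
	}
	steps := []Request{
		{Action: "read", App: "Application_A", RequesterLocation: "FR"},
		{Action: "read", App: "Application_B", RequesterLocation: "FR"},
		{Action: "cp", App: "cp", RequesterLocation: "FR"},                                       // copy outside Protected_Dir
		{Action: "sftp", App: "sftp", RequesterLocation: "US", RemoteProtected: true},            // to VM-US-1
		{Action: "sftp", App: "sftp"},                                                            // to VM-US-2, which has no FDPM
		{Action: "sftp", App: "sftp", RequesterLocation: "Other_Country", RemoteProtected: true}, // to VM-Other
	}
	var trace []string
	for _, r := range steps {
		Enforce(policy, r, &trace)
	}
	return trace
}

func main() { for _, l := range RunScenario() { fmt.Println(l) } }
```

Two details matter for a PEP and are deliberate here: the evaluation fails closed on an action it does not recognise, and the trace obligation is honoured on denials as well as on permits, which is what lets the dashboard of Fig. 9 show the refused copy and transfers next to the authorised ones.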

[Figure: the Customer Device builds MarcDurand.pde from MarcDurand.xml and policy.xml with the Client Data Protection Module (1) and uploads it via sftp to VM-FR in France (2); on VM-FR, requests from Application_A (3), Application_B (4) and a copy by the OS (5) are checked by the FDPM; sftp transfers go to VM-US-1 in the US (6), to VM-US-2 in the US, which has no FDPM (7), and to VM-Other in another country (8); each VM hosts Application_A, Application_B and an OS, and VM-FR, VM-US-1 and VM-Other also host an FDPM]
Fig. 7. Scenario of privacy sensitive file data protection

Let us now consider the profile of a customer, Marc Durand, shown in Fig. 8 and stored in a file MarcDurand.xml.

First Name: Marc
Name: Durand
Citizenship: French
Address: 10 rue de la Paix, Paris, France
Phone: 01 40 56 37 32
Purchase history & customer profile: …
Location history & geo-profile: …
Call history & social profile: …
…
Fig. 8. Marc Durand profile (stored in the file MarcDurand.xml)

Let us finally consider that the policy associated with this profile has the following constraints:
• The profile shall only be stored in a protected VM (i.e., in the Protected_Dir of a VM equipped with the FDPM).
• The profile shall only be stored in France or in the US.
• The profile shall be accessed/processed by the content recommendation application (i.e., Application_A) but not by the targeted advertising one (i.e., Application_B).

Fig. 7 illustrates our technology with a scenario comprising the following steps:
1. The enterprise uses the Client Data Protection Module to build the PDE file (MarcDurand.pde) from (i) the above profile (MarcDurand.xml) and (ii) the policy (a file policy.xml expressing the privacy constraints in XACML).
2. It uploads (e.g., via sftp) this MarcDurand.pde file into the Protected_Dir of VM-FR.
3. Application_A requests access to the file to perform its service (i.e., content recommendation). This access is authorized by the FDPM (according to the policy).
4. Application_B requests access to the file to perform its service (i.e., targeted advertising). This access is not authorized by the FDPM (according to the policy).
5. An employee of the enterprise tries to copy the file outside the Protected_Dir (for instance with the Linux command cp or with a file browser). This copy of the file outside the Protected_Dir is prevented by the FDPM.
6. A transfer of the file is requested from VM-FR to the Protected_Dir of VM-US-1 (e.g., through an FTP client launched from VM-US-1). This transfer is authorized by the FDPM.
7. A transfer of the file is requested from VM-FR to a directory of VM-US-2, which is not equipped with the FDPM. This transfer is therefore not authorized by the FDPM.
8. A transfer of the PDE file is requested from VM-FR to the Protected_Dir of VM-Other. This transfer is not authorized by the FDPM because, although the VM is protected, it is located in a country that is not authorized.

This scenario has then been executed on our prototype deployed on a private cloud based on OpenStack (in France) and CloudStack (in the US), using the KVM hypervisor. Fig. 9 shows the traces generated by the FDPM after the execution of the scenario. A trace is generated each time an action is requested (and performed if authorized) on a protected file. For each VM, the figure shows its location, its protected files (i.e., files stored in Protected_Dir) and, for each of these files, the requested actions (the first action being the storage of the file), the requester location and the result of the request ("OK" if the action was authorized, "NOT OK" otherwise). Note that after the execution of this scenario, one instance of the file MarcDurand.pde is available in VM-FR, and another instance in VM-US-1. We can underline that such a dashboard provides the cloud end user with traces on file usage that are not available with usual system administration tools.

VM: VM-FR (Location: FR)
File: MarcDurand.pde
[2013-08-02 13:44:10] Action: Protected_file_stored
[2013-08-02 13:48:31] Action: Application_A [read], Requester Location: FR, Decision: (OK)
[2013-08-02 13:49:50] Action: Application_B [read], Requester Location: FR, Decision: (NOT OK)
[2013-08-02 13:49:57] Action: cp <outside-Protected_Dir>, Requester Location: FR, Decision: (NOT OK)
[2013-08-02 13:50:13] Action: sftp <to-protected-VM>, Requester Location: US, Decision: (OK)
[2013-08-02 13:50:30] Action: sftp <to-unprotected-VM>, Requester Location: ?, Decision: (NOT OK)
[2013-08-02 13:50:37] Action: sftp <to-protected-VM>, Requester Location: Other_Country, Decision: (NOT OK)
VM: VM-US-1 (Location: US)
File: MarcDurand.pde
[2013-08-02 13:50:15] Action: Protected_file_stored
VM: VM-Other (Location: Other_Country)
Fig. 9. Traces after scenario execution

C. Performance evaluation

This section presents the evaluation of the prototype's performance. The objective is to measure and analyze the computation time of our privacy control approach. This overall computation time is split into the following two components:
• FUSE kernel time: time spent in the FUSE kernel, i.e., the time from the system call made in the application (e.g., read) to the entry into the FDPM.
• File Data Protection time: time spent in the FDPM. This time is in turn split between the FS Wrapper (to get the context of the request and trigger the other FDPM modules), the User Context Manager (to get the context of the local user and, if any, of the remote user), the PDE Manager (to get the policy and the content from the PDE and decrypt them), the Policy Checking (to evaluate the policy), and the Trace Manager.

Note that, regarding the User Context Manager, as the context of the local user can be collected at the FDPM

30 2013 IEEE 2nd International Conference on Cloud Networking (CloudNet): Full Paper
launching stage, this module actually consumes time only when a remote user requests an action (e.g., sftp); this time then corresponds to the network connection and the transmission of the remote user context (e.g., location, Id).

We have then evaluated these different times for PDE files all having the same policy (the one specified in the previous section) but contents of different sizes (1 Ko, 10 Ko, 100 Ko, 500 Ko, 1 Mo and 2 Mo). The VM is a Linux Ubuntu Server 12.04 configured with 4 Go RAM and a 2.4 GHz CPU. The results are shown in the following figures.

Fig. 10 shows the case of a local application that reads a PDE file of size 500 Ko. The measured total computation time is 220 ms (compared to 60 ms when reading the same file as plain text in a usual file system). This figure then shows how this 220 ms time is split between the FUSE kernel and the different FDPM modules. Note that the Trace Manager time is not displayed, as it is negligible.

[Fig. 10, pie chart: FUSE kernel 19%, FS Wrapper 7%, PDE Manager (decryption) 46%, Policy Checking 28%]
Fig. 10. Computation time split for a 500 Ko PDE file (local app request)

Fig. 11 shows the evolution of these different times with respect to the size of the content. We can see that it is mainly the decryption time that increases with the PDE size.

[Fig. 11, line chart: Duration (ms), from 0 to 350, against the PDE file size (1 Ko, 10 Ko, 100 Ko, 500 Ko, 1 Mo, 2 Mo) for the FS Wrapper, PDE Manager (decryption), Policy Checking and FUSE kernel times]
Fig. 11. Performance of the FDPM modules according to the PDE file size

Fig. 12 shows the case of a remote user performing an sftp (from the US to France) to read the same PDE file of size 500 Ko. In this case, we see the additional time (+443 ms) of the User Context Manager corresponding to the transmission of the context (e.g., location, Id) of the remote user.

[Fig. 12, pie chart: FUSE kernel 6%, FS Wrapper 2%, PDE Manager (decryption) 16%, Policy Checking 9%, User Context Manager (context transmission) 67%]
Fig. 12. Computation time split for a 500 Ko PDE file (remote app request)

These results show the additional time spent to perform the privacy control on sensitive files. We can see that even with a Java implementation of both FUSE and FDPM, privacy control of sensitive data used by end-user applications can be performed at a reasonable cost (which mainly depends on the content size, as this notably impacts the decryption time). Of course, in the application, other (non-sensitive) data may be read and will then not incur this additional cost. It is then up to the Cloud User to properly define the level of data protection, knowing the trade-off he makes between privacy protection and computation time. However, we can note that if this additional time becomes an issue for some applications, real performance improvements can be obtained, notably by using a full C/C++ implementation of FUSE and FDPM, beyond the other implementation optimizations that can also be performed. This would finally make it possible to offer privacy protection to various applications handling sensitive data.

VI. CONCLUSION

In this paper, we have proposed a new technology able to keep control on sensitive data (files) stored and processed in a cloud infrastructure. In order to support the privacy requirements coming notably from country-based regulations, this technology provides an end-to-end privacy control that can be applied to each sensitive file if needed and that supports various policies (e.g., on data location, data retention duration, and data access regarding the requester or his processing purpose). The proposed data protection mechanism is also fully transparent to the applications (i.e., no need to modify the application), the application being either a business application or a system command (e.g., cp, ftp). Indeed, in our approach the access control is performed according to the policy attached to the data, replacing the classical Unix POSIX ACL (e.g., the "ugo+rw"-like access rights). Moreover, thanks to tamper-proof generated traces, this technology provides the data owner with a full view (dashboard) of all his sensitive data stored in the cloud infrastructure: their locations, their usages by applications, the number of instances, etc.

This technology has been carried out in a prototype running on Linux virtual machines and using the FUSE technology. This prototype has been deployed over a cloud infrastructure and is executed in a scenario of sensitive data access and trans-national transfer. This prototype has also allowed us to evaluate the performance of the technology. For various sizes of data, it
has been measured and analyzed how the additional time (spent for the privacy control) is split between the different processing stages. These results show that even with a Java implementation of FUSE and FDPM, privacy control of sensitive data used by end-user applications can be performed at a reasonable cost. However, if the applications require quick access to sensitive data, the performance can actually be improved by using a C/C++ implementation as well as by investigating other possible optimizations of the prototype.

Finally, we can mention other perspectives that will be considered in the scope of this research. First, in order to further strengthen the security of the approach, our privacy control module can run in an execution environment offering a strong level of protection. For instance, the FDPM can rely on technologies such as the TPM that are available within the computing nodes. This will allow the privacy control mechanism to be protected and will offer strong security guarantees (e.g., for key management or trace certification). A second perspective of our research consists in enforcing privacy policies within the network transport itself. Indeed, despite the use of encrypted data transfer protocols (e.g., sftp), it can also be required to constrain the path followed by the transported data (e.g., forbidding it to cross certain network areas or network equipment). It is for instance envisaged to exploit technologies such as Software Defined Networking (SDN) in order to ensure the enforcement of such a policy within the network. All these mechanisms should then allow the privacy protection of sensitive data to be further enforced while still being transparent for the applications and convenient for the end-users.

ACKNOWLEDGMENT

The work in this paper is supported by the European CELTIC research program through the SEED4C project [29].

REFERENCES

[1] D. Song, E. Shi, I. Fischer and U. Shankar, “Cloud data protection for the masses”, IEEE Computer Magazine, Vol. 45, Issue 1, 2012.
[2] M. Ghorbel, A. Aghasaryan, S. Betgé-Brezetz, M.P. Dupont, G.B. Kamga, S. Piekarec, “Privacy data envelope: concept and implementation”, Ninth Annual Conference on Privacy, Security and Trust, PST 2011, 19-21 July 2011.
[3] M.O. Rabin, “Efficient dispersal of information for security, load balancing and fault tolerance”, Journal of the ACM, Vol. 36, Issue 2, 1989.
[4] W. Jansen and T. Grance, “Guidelines on security and privacy in public cloud computing”, NIST, 2011.
[5] F.Y. Rashid, “Epsilon data breach highlights cloud computing security concerns”, eWeek.com, 2011.
[6] C. Gentry, “Fully homomorphic encryption using ideal lattices”, Proc. 41st ACM Symposium on Theory of Computing, 2009.
[7] Article 29 Data Protection Working Party, “Opinion 05/2012 on cloud computing”, WP 196, Brussels, July 2012.
[8] HekaFS, formerly known as CloudFS, http://hekafs.org
[9] D. Desai, “Beyond location: data security in the 21st Century”, Communications of the ACM, Vol. 56, No. 1, Jan. 2013.
[10] S. Pearson and G. Yee (Eds.), “Privacy and security for cloud computing”, Springer, 2013.
[11] H. Takabi, J.B.D. Joshi, and G.J. Ahn, “Security and privacy challenges in cloud computing environments”, IEEE Security & Privacy, Vol. 8, No. 6, Nov.-Dec. 2010.
[12] Y. Brun and N. Medvidovic, “Keeping data private while computing in the cloud”, IEEE International Conference on Cloud Computing, CLOUD 2012, 24-29 June 2012.
[13] M.H. Diallo, B. Hore, E.C. Chang, S. Mehrotra, and N. Venkatasubramanian, “CloudProtect: managing data privacy in cloud applications”, IEEE Conference on Cloud Computing, CLOUD 2012, 24-29 June 2012.
[14] Sophos, http://www.sophos.com
[15] S. Yu, C. Wang, K. Ren, W. Lou, “Achieving secure, scalable, and fine-grained data access control in cloud computing”, IEEE INFOCOM 2010, 14-19 March 2010.
[16] M. Singhal, S. Chandrasekhar, T. Ge, R. Sandhu, K. Ram, G.J. Ahn, E. Bertino, “Collaboration in multicloud computing environments: framework and security issues”, Computer, Vol. 46, No. 2, Feb. 2013.
[17] S. Trabelsi and J. Sendor, “Sticky policies for data control in the cloud”, Tenth Annual International Conference on Privacy, Security and Trust, PST 2012, 16-18 July 2012.
[18] I. Papagiannis and P. Pietzuch, “CloudFilter: practical control of sensitive data propagation to the cloud”, ACM Cloud Computing Security Workshop, CCSW '12, Oct. 19 2012.
[19] D.W. Chadwick and K. Fatema, “A privacy preserving authorisation system for the cloud”, J. Comput. Syst. Sci., Vol. 78, No. 5, Sept. 2012.
[20] M. Casassa Mont, V. Sharma, and S. Pearson, “EnCoRe: dynamic consent, policy enforcement and accountable information sharing within and across organisations”, HP report HPL-2012-36, 2012.
[21] T. Samson, “Apple iCloud breach proves Wozniak’s point about cloud risks”, InfoWorld, August 2012.
[22] Cloud Security Alliance (CSA), “The notorious nine cloud computing top threats in 2013”, February 2013.
[23] R. George, “Tools and strategies for file-level data protection”, InformationWeek Report, April 2013.
[24] P. Hall, “Opportunities for CSPs in enterprise-grade public cloud computing”, OVUM, May 2012.
[25] Rights Management System, http://technet.microsoft.com/en-us/windowsserver/dd448611.aspx
[26] S. Betgé-Brezetz, G.B. Kamga, M. Ghorbel, M.P. Dupont, “Privacy control in the cloud based on multilevel policy enforcement”, IEEE Conference on Cloud Networking, CLOUDNET 2012, 28-30 Nov. 2012.
[27] Cloud Security Alliance (CSA), “Security guidance for critical areas of cloud computing”, Version 3.0, November 2011.
[28] Cloud Industry Forum, “UK Cloud adoption and trends for 2013”, 2012.
[29] S. Betgé-Brezetz et al., “Seeding the Cloud: An Innovative Approach to Grow Trust in Cloud Based Infrastructures”, FIA book, Lecture Notes in Computer Science, Vol. 7858, 2013.
[30] GPG, http://www.gnupg.org
[31] BlowFish, https://www.schneier.com/blowfish.html
[32] Sun XACML, http://sunxacml.sourceforge.net
[33] FUSE: Filesystem in Userspace, http://fuse.sourceforge.net
[34] FUSE-J, http://sourceforge.net/projects/fuse-j
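As an added worked example (not code from the paper or from its FUSE-based prototype), the following Python script encodes the three constraints bound to MarcDurand.pde in the validation scenario, replays the Fig. 7 requests in a deny-by-default checker, and emits trace lines in the style of the Fig. 9 dashboard. The names Request, evaluate, trace_line, TraceLog and replay are hypothetical; the real FDPM evaluates an XACML policy, and the paper does not say how its traces are made tamper proof, so the HMAC hash chain in TraceLog is an assumed construction added only to show how a dashboard could detect edited or deleted trace lines.

```python
"""Added example (not the paper's or the prototype's code): a toy sticky-policy
checker for the MarcDurand.pde constraints, replaying the Fig. 7 scenario and
producing Fig. 9-style trace lines. All names here are hypothetical."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALLOWED_STORAGE_COUNTRIES = {"FR", "US"}  # constraint 2: stored only in France or the US
ALLOWED_APPS = {"Application_A"}           # constraint 3: content recommendation app only
# Constraint 1 (stored only in a protected VM) is carried by Request.target_protected.


@dataclass
class Request:
    timestamp: str
    action: str                             # "store", "read", "cp" or "sftp"
    label: str                              # text shown in the trace line
    requester_location: Optional[str]       # None = unknown, shown as "?" in Fig. 9
    requester: str = ""                     # application name for "read" requests
    target_protected: bool = True           # destination is a Protected_Dir of an FDPM VM
    target_location: Optional[str] = None   # country of the destination VM


def evaluate(req: Request) -> Tuple[str, str]:
    """Deny-by-default evaluation of the policy bound to the file."""
    if req.action == "read":
        if req.requester in ALLOWED_APPS:
            return "OK", "requester allowed to process this profile"
        return "NOT OK", f"{req.requester} is not allowed to process this profile"
    if req.action in ("store", "cp", "sftp"):
        # These actions create a new instance of the file, so the destination
        # must be a protected VM located in an allowed country.
        if not req.target_protected:
            return "NOT OK", "destination is not a Protected_Dir"
        if req.target_location not in ALLOWED_STORAGE_COUNTRIES:
            return "NOT OK", f"destination country {req.target_location!r} not allowed"
        return "OK", "destination is protected and in an allowed country"
    return "NOT OK", f"unknown action {req.action!r}"


def trace_line(req: Request, decision: str) -> str:
    """Render one dashboard line in the style of Fig. 9."""
    if req.action == "store":
        return f"[{req.timestamp}] Action: Protected_file_stored"
    loc = req.requester_location or "?"
    return (f"[{req.timestamp}] Action: {req.label}, "
            f"Requester Location: {loc}, Decision: ({decision})")


class TraceLog:
    """Hash-chained trace log (assumed construction): each entry's HMAC covers
    the previous entry's HMAC, so editing or deleting a line breaks verify()."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[Tuple[str, str]] = []  # (line, hex HMAC)

    def _mac(self, prev: str, line: str) -> str:
        return hmac.new(self._key, (prev + line).encode(), hashlib.sha256).hexdigest()

    def append(self, line: str) -> None:
        prev = self.entries[-1][1] if self.entries else "0" * 64
        self.entries.append((line, self._mac(prev, line)))

    def verify(self) -> bool:
        prev = "0" * 64
        for line, mac in self.entries:
            if not hmac.compare_digest(self._mac(prev, line), mac):
                return False
            prev = mac
        return True


# Constructed replay of the scenario on VM-FR; timestamps copied from Fig. 9.
SCENARIO = [
    Request("2013-08-02 13:44:10", "store", "Protected_file_stored", "FR", target_location="FR"),
    Request("2013-08-02 13:48:31", "read", "Application_A [read]", "FR", requester="Application_A"),
    Request("2013-08-02 13:49:50", "read", "Application_B [read]", "FR", requester="Application_B"),
    Request("2013-08-02 13:49:57", "cp", "cp <outside-Protected_Dir>", "FR",
            target_protected=False, target_location="FR"),
    Request("2013-08-02 13:50:13", "sftp", "sftp <to-protected-VM>", "US", target_location="US"),
    Request("2013-08-02 13:50:30", "sftp", "sftp <to-unprotected-VM>", None,
            target_protected=False, target_location=None),
    Request("2013-08-02 13:50:37", "sftp", "sftp <to-protected-VM>", "Other_Country",
            target_location="Other_Country"),
]


def replay(requests: List[Request], key: bytes = b"constructed-trace-key") -> TraceLog:
    """Evaluate each request and record the resulting trace line."""
    log = TraceLog(key)
    for req in requests:
        decision, _reason = evaluate(req)
        log.append(trace_line(req, decision))
    return log


if __name__ == "__main__":
    log = replay(SCENARIO)
    print("\n".join(line for line, _ in log.entries))
    print("trace chain valid:", log.verify())
```

Running the script prints the seven VM-FR trace lines of Fig. 9 with the same OK / NOT OK decisions, then reports whether the chain verifies. The checker deliberately treats every copy or transfer as the creation of a new file instance, which is why an unknown requester location or an unprotected destination is refused: the policy is evaluated against where the data would end up, not only against who asks.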
