A trust boundary in an electronic network is defined as a region within which all computer systems, their operations, and the data are trusted. Typically, a trust boundary is protected by computer security hardware and software such as firewalls, Virtual Private Networks (VPNs), intrusion detection and prevention systems, data leakage protections, antivirus programs, etc. For example, for an organization, a trust boundary may include an entire data center infrastructure, including computers connected via VPNs. For an individual, a laptop computer could be her trust boundary.
Various mechanisms exist today to facilitate secure communications between trust boundaries; SSL/TLS and IPSec are two examples. These mechanisms are intrinsically point-to-point. For many-to-many secure information sharing and collaboration among N trust boundaries, where every party must be able to field electronic communications from every other party, they therefore require in the worst case an "N-squared messy cross-bar" of pairwise connections. This can become costly and complex, for reasons that include the need for every party to standardize on the same technology, or for each party to interoperate with other parties that may have deployed dissimilar technologies.
On the other hand, Web based technologies, and now cloud computing, make information sharing and collaboration increasingly cheaper and easier. Each party deploys the technologies of its choice and needs to integrate only with a single hub. In essence, this is a hub-spoke communication model built around a central intermediary. While this simplifies deployment and operation, the hub has full visibility into and control over all communications. Therefore, when it comes to secure sharing, this model requires that the central intermediary act as a trusted escrow: it must be trusted by all parties across all trust boundaries in the network, and it must be trusted that no one in the network will surreptitiously game the system for their own profit.
Such a blind-trust hub-spoke model tends to fail due to a range of challenges that include breaches of the hub's electronic perimeter, insider attacks, coercion by governments and organized crime, and other threats to the hub. All indications are that any model that relies on conventional electronic security, and that depends on trusting a central individual or organization to follow the rules, is deeply flawed. This is demonstrated by the fact that, even with improvements in monitoring and protection technologies, the rate of successful intrusions and internal malfeasance is rising rapidly.
When an individual's information is stored in the cloud and managed by a cloud service provider, there is no guarantee that his or her data privacy will be protected. Most cloud services authenticate an individual by means of a user password. Despite cloud vendors' relentless efforts to protect users' passwords, the number of large-scale password breaches is only increasing.
In present-day enterprises, the custodian (typically the hub: the infrastructure service operator or provider in physical possession of the sensitive data) and the curator (typically some spoke, perhaps the IT organization that owns the data and authorizes access to it) are within the same organization, and most likely within the same legal and compliance domain. Authentication is typically implemented through techniques such as Kerberos; authorization is typically implemented through infrastructure such as Active Directory (AD) and Security Groups; and access control is enforced by the various data containers, which include databases, document management systems, and networked file systems. Organizations also leverage PKI and X.509v3 certificates for identity and possibly authorization, Smart Cards for access, and SAML for single sign-on and authorization. Various technologies exist for an organization to implement its own authentication and authorization, and to federate beyond that organization with business partners and other service providers or service consumers.
When IT infrastructures such as data storage or containers are moved to a hosting service in the cloud, the roles of custodian and curator are separated: the cloud service provider hosting the data becomes the custodian of that data, while curatorship remains in the hands of functionaries within the organization. For legal, compliance, and other business IP protection reasons, organizations cannot afford to place blind trust in cloud service providers; they are therefore disinclined to adopt these services, or they demand unlimited liability protection.
In order to solve this problem, the cloud needs to be constrained in function to a policy enforcement service only, one that implements exactly the policy specified by the customer organization and its curator functionary. The curator needs sufficient visibility into, and control over, the actions performed by the custodian. Furthermore, this new cloud architecture needs to integrate seamlessly, without any significant requirement to modify the existing IT infrastructure or the existing business processes.
In short, no solution exists today that allows organizations (curators) to extend their existing IT infrastructures, along with their business processes (such as Governance, Risk Management, and Compliance, GRC in short), to cloud service providers (custodians) across trust boundaries while a) data privacy and confidentiality are ensured, meaning custodians can never see the data nor the policies governing how the data may be accessed; b) visibility into and control over the data are fully retained by the curators; and c) multiple curators across trust boundaries can collaborate and share the sensitive data through the custodians.
There is a need for systems, methods, and apparatuses that address the above-listed requirements in cloud computing and provide a trustworthy workflow across trust boundaries between parties. While 'trust' is typically grounded in the physical world, deriving from relationships, contracts, and legal protection, 'trustworthy' can be defined as an attribute of a technology, typically based on cryptography, that provides the curator with guarantees against human accident, negligence, or malfeasance on the part of the custodian.
A trustworthy workflow is defined as a cryptography-based mechanism that enables all parties to communicate securely across trust boundaries through the central intermediary (the hub), without the hub ever being able to access the data or the data access policies. All end-points in such a workflow can count on the same degree of trustworthiness as point-to-point secure communications supported by protocols such as SSL/TLS and IPSec, as described above.
It is desirable, therefore, to have methods, systems, and apparatuses for securing a user's secret while addressing the problems listed above.