An increasing number of companies and other enterprises are reducing their costs by migrating portions of their information technology infrastructure to cloud service providers. For example, virtual data centers and other types of systems comprising distributed virtual infrastructure are coming into widespread use. Typical cloud service offerings include, for example, Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS).
In cloud-based information processing systems, enterprises in effect become tenants of the cloud service providers. However, by relinquishing control over their information technology resources, these cloud tenants expose themselves to additional potential security threats. As one illustration, a given tenant may be inadvertently sharing physical hardware resources of a cloud computing environment with other tenants that could be competitors or attackers. Similar issues arise in other types of information processing systems in which computing environments or other types of information technology infrastructure are shared by multiple tenants.
It is therefore important that tenant files entrusted to a cloud service provider be subject to appropriate security protections. For example, the tenant may require that its files be stored in an encrypted format.
Techniques for allowing a tenant to verify that its files are subject to appropriate security protections by the cloud service provider are disclosed in U.S. patent application Ser. No. 13/075,848, filed Mar. 30, 2011 and entitled “Remote Verification of File Protections for Cloud Data Storage,” which is commonly assigned herewith and incorporated by reference herein. Illustrative systems disclosed therein implement file protection verification functionality using an “hourglass” protocol that provides an efficient and accurate technique for verifying that files stored by cloud storage providers are subject to appropriate protections such as encryption. The hourglass protocol is configured to ensure that transformation of a given file from one format to another is subject to minimum resource requirements. As a result, a cloud storage provider cannot, for example, store a file in unencrypted form and then encrypt it only upon receipt of a verification request from the tenant.
Further advances are disclosed in U.S. patent application Ser. No. 13/432,577, filed Mar. 28, 2012 and entitled “Counter-Based Encryption of Stored Data Blocks,” which is commonly assigned herewith and incorporated by reference herein. One or more of the illustrative disclosed arrangements provide improved security for stored data blocks, such as those that are stored for a given tenant in cloud infrastructure of a cloud service provider, by maintaining counters for the respective stored data blocks and utilizing the counter values in encrypting the data blocks. As a more particular example, enhanced security may be provided for stored tenant data through the use of homomorphic encryption based on counter values maintained for respective stored data blocks.
Despite these advances, a need remains for additional improvements in secure data processing, particularly for tenants of cloud service providers. For example, many conventional techniques assume a significant level of trust in the cloud service provider and its personnel relative to sensitive tenant data. However, certain tenants may not be comfortable in placing such trust in the cloud service provider, and as a result these conventional techniques can represent a roadblock to more widespread adoption of cloud services.