Cloud Computing without Seeing

Qutaibah Malluhi
Qatar University
Doha, Qatar
(+974) 44034240
qmalluhi@qu.edu.qa

Khaled M. Khan
Qatar University
Doha, Qatar
(+974) 44034240
k.khan@qu.edu.qa

ABSTRACT
In the emerging cloud computing model, security is of paramount concern. This paper discusses the need for practical techniques that enable private outsourcing on the cloud by allowing the service provider to work on clients’ data or computations without seeing the data being processed. The paper briefly discusses two examples of such techniques.

Categories and Subject Descriptors
E.M [Miscellaneous]

General Terms
Algorithms, Reliability, Security, Legal Aspects

Keywords
Cloud computing, security, privacy

1. INTRODUCTION
Cloud computing is an emerging model in which applications, data, computing resources and operating platforms are provided to clients as a service. This model offers the promise of utility-like virtually-unlimited computational power and storage capacity, at a lower cost and with greater flexibility. This new paradigm promotes and facilitates cost-effective outsourcing of data and computations. In today’s competitive environment, the service dynamism, elasticity, and choices offered by this highly scalable technology are too attractive for enterprises to ignore.

These opportunities, however, don’t come without challenges. Despite its obvious benefits, cloud computing poses several trust and security challenges that can be serious impediments to its use. These security concerns include the risk of data breaches, malicious corruption of computation results, uncertainty about data privacy, and lack of client control on their data assets that are residing on third-party infrastructure. Boosting clients’ trust in cloud computing is often addressed by service providers through contractual agreements.
However, service level agreements (SLAs) might not help much as trust in cloud computing is related more to the prevention of trust violation rather than being compensated when a violation occurs. Clients are usually more concerned about the possibility of data breach, and not about what happens after the breach. For most enterprises, security breaches of enterprise data are often irreparable and priceless.

In this paper, we promote the concept that in cloud computing, the concern and emphasis should be more on prevention rather than on being compensated after security incidents. The paper discusses technological solutions that would enhance confidence in cloud computing by enabling the client to perform private and trusted computations, as well as data querying on the cloud.

2. PRIVACY OF CLOUD PROCESSING
There could be many reasons that lead to clients’ reluctance in opting for outsourcing data and/or computations to the cloud. Loss of control on one’s own data once it is on the cloud is an important consideration. The possibility of leakage of proprietary information is a serious issue as it could give an edge to the competition by revealing trade secrets, corporate strategy, performance, etc. In addition, there is the fear that compromising private information may lead to embarrassments and lawsuits. Compliance with regulations and privacy laws may make it illegal to share data with others. Even if the cloud service provider is a trusted counterpart, it may not have a security policy that is stringent enough. Another consideration is the potential of trans-border data movement among cooperating service providers whose operations are governed by different jurisdictions.

This paper focuses on outsourcing computations to the cloud and considers two scenarios of outsourcing. In one scenario, a computation-intensive task is itself the object of outsourcing, where the demanding task is performed on the powerful cloud.
In the second scenario, data is the object of outsourcing (e.g. the cloud is providing database as a service). In the latter scenario, the cloud is still required to perform computations (e.g. search and query processing).

For providing a trusted outsourcing of computation-intensive tasks, the client should be provided with the features of being able to perform its computation on the cloud while preventing the service provider from seeing the input data, intermediate results, output data and the model/algorithm. In addition, the client should have the ability to validate the correctness of computed results.

When data is the object of outsourcing, the client should be able to prevent the cloud service provider from accessing private information. At the same time, the cloud service provider should be able to perform useful queries on this data without breaching data privacy.

3. EXAMPLES
This section provides a brief overview of two examples that enable trusted cloud computing by allowing clients to hide sensitive information from the cloud service provider. These

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
SeceS’11, June 9–10, 2011, Baabda, Lebanon.
Copyright 2011 ACM 978-1-4503-0884-7…$10.00.