Cyber Experts Making Cloud Security Easier


When consumers across the globe recognize International Computer Security Day on Nov. 30, they might think of simple acts they can do themselves, like creating stronger passwords.

What they might not consider are ways to protect credit card numbers saved by iCloud, sonogram images uploaded to family members via Dropbox or other deeply personal items sent to cloud storage providers that are also vulnerable to ambitious hackers.

Cyber Institute Names Inaugural Cohort of Affiliate Scholars

Twenty-four University of Pittsburgh faculty members will combine their areas of expertise to support Pitt’s Institute for Cyber Law, Policy, and Security.

Together, they realize Pitt Cyber’s ambition to bring research and teaching excellence from numerous fields to provide a unique, interdisciplinary environment for tackling cyber challenges. The institute anticipates welcoming additional colleagues from across the University this spring. The inaugural affiliate scholars include:

Graduate School of Public and International Affairs

Dietrich School of Arts and Sciences

School of Computing and Information

School of Law

School of Medicine

Protecting personal or work data stored in the cloud takes more technical effort and time than most users are willing to spend. But Pitt researchers are working on simplifying the process, with the ultimate goal of putting cloud security into users’ hands.

The advent of cloud storage — platforms such as Google Drive, Dropbox and iCloud that allow data to be stored on the Internet rather than within a single device — has transformed everything from workforce communications to sharing home movie clips with friends worldwide. 

And as the number of cloud platforms and their users increases, many let questions about security take a back seat to convenience, even as data breaches continue to rise. By the end of June 2017, there had been 791 data breaches in the United States, 29 percent more than during the same period last year, according to the Identity Theft Resource Center.

“I feel like there isn’t a week that goes by that you don’t hear about some sort of data breach. Whether or not people are as concerned about it as much as they should be is another story,” said Adam Lee, the associate dean for academic programs at Pitt’s School of Computing and Information and an associate professor in the Department of Computer Science.

The Secret Keys

Lee, also an affiliate scholar with Pitt’s Institute for Cyber Law, Policy, and Security, said consumers can secure their data through encryption — a process that makes information inaccessible to anyone who does not know a secret “key” needed to recover the original data — before putting it on a cloud platform. However, this process is not necessarily straightforward and can be inconvenient for most users. 

Additionally, in situations where content is shared with a group of individuals that changes over time, approaches such as these can lead to time-consuming revisions. To change the makeup of the group, the files must be downloaded, re-encrypted with new keys and uploaded to the cloud again to revoke access from removed users.  Finally, the new keys must be given to those who should still have access to the content.
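The revocation cost described above can be seen in a short added example, which is not code from the Pitt researchers or their prototype. It assumes one folder key wrapped separately under each member's key; the member names and file are constructed, and the SHAKE-256/HMAC construction is a standard-library stand-in for an AEAD cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets
# Stand-in for an AEAD such as AES-GCM so the example runs with the standard library only.
def _stream(key, nonce, n):
    return hashlib.shake_256(b"enc" + key + nonce).digest(n)

def _tag(key, body):
    return hmac.new(hashlib.sha256(b"mac" + key).digest(), body, hashlib.sha256).digest()

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    body = nonce + bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return body + _tag(key, body)

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, body)):
        raise ValueError("wrong key or modified ciphertext")
    return bytes(c ^ s for c, s in zip(body[16:], _stream(key, body[:16], len(body) - 16)))

def share(files, member_keys):
    """Owner side: encrypt files under a fresh folder key, wrap that key for each member."""
    folder_key = secrets.token_bytes(32)
    return {"files": {n: seal(folder_key, d) for n, d in files.items()},
            "wrapped": {m: seal(k, folder_key) for m, k in member_keys.items()}}

def read(cloud, member, member_key, name):
    folder_key = unseal(member_key, cloud["wrapped"][member])
    return unseal(folder_key, cloud["files"][name])

def revoke(cloud, removed, owner, member_keys):
    """Download and decrypt everything, then re-encrypt and re-wrap without the removed member."""
    plain = {n: read(cloud, owner, member_keys[owner], n) for n in cloud["files"]}
    return share(plain, {m: k for m, k in member_keys.items() if m != removed})

def demo():
    keys = {m: secrets.token_bytes(32) for m in ("owner", "alice", "bob")}  # constructed members
    cloud = share({"shots.pdf": b"dog vaccination record"}, keys)
    cached = unseal(keys["bob"], cloud["wrapped"]["bob"])  # bob kept the folder key he was given
    del cloud["wrapped"]["bob"]                            # naive removal: ciphertext unchanged
    stale_read = unseal(cached, cloud["files"]["shots.pdf"])
    cloud = revoke(cloud, "bob", "owner", keys)            # full re-encryption under a new key
    try:
        unseal(cached, cloud["files"]["shots.pdf"])
        locked_out = False
    except ValueError:
        locked_out = True
    return stale_read, locked_out, read(cloud, "alice", keys["alice"], "shots.pdf")
```

Deleting only the removed member's wrapped key leaves the stored ciphertext readable with the old folder key, which is why every file has to be re-encrypted and the new key re-wrapped for each remaining member.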

To simplify the process, Lee, Pitt School of Computing and Information Associate Professor John Lange and Indiana University Associate Professor Steven Myers have launched a research initiative funded through the National Science Foundation to explore the use of cryptographic techniques and recent advances in trusted hardware to reduce these technical hurdles. 

Lee said the aim is to let individuals, not the cloud platforms, control the security.

“When I set controls, I can say my wife can see the shot records for dogs, my collaborators can see my research papers, my parents can see pictures from my vacation. I’m no longer going to just rely on Dropbox to correctly enforce the data sharing policies that I set.” 

With the use of keys to encrypt the data stored on cloud platforms, data shared in this manner is protected from disclosure even in the event of a cloud provider data breach.

The team has developed an initial prototype system that seamlessly protects data shared using the Andrew File System (AFS), a storage platform widely used within the University. 

The prototype runs in a portion of a computer’s processor that’s isolated from the rest of the system. When someone using the system copies files into their shared folders, the files are automatically encrypted and made available through the AFS platform to users in their designated groups. When an authorized user tries to open a file, the prototype decrypts the data and makes it available to that user’s machine. Users only have to place pictures, vital documents or other sensitive information into the program and decide who has permission to see the unscrambled version before sending it out.

Over the next several years, the team aims to improve the security and scalability of this approach before making it available for public use. In the meantime, Lee said users should carefully examine what they’re sending to the cloud and whether it needs an extra layer of protection.

“Security can be like sand in the gears sometimes. It can make it a bit more difficult to do things. Still, people need to train themselves a little bit to think about is the convenience worth it,” he said.

“For some things, yes, it is. For others, you might want to think twice about whether it’s really the best way to do what you’re trying to get done.”