In 2010 I asked Professor Eben Moglen to speak to the Internet Society of New York about software freedom, privacy and security in the context of cloud computing and social media. In his Freedom in the Cloud talk, he proposed the FreedomBox as a solution: a small inexpensive computer which would provide secure encrypted communications in a decentralized way to defeat data mining and surveillance by governments and large corporations. Having physical control and isolating the hardware can be crucial to maintaining computer security which is why data centers are kept under lock and key. Each FreedomBox user would physically possess their own machine.
The U.S. National Institute for Standards and Technology (NIST) defines cloud computing (PDF with full definition) as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
Cloud computing, for all its advantages in terms of flexibility and scalability, has been fundamentally insecure. While the technology exists to secure information while it is being stored and while it is in transit, computers must process information in an unencrypted form. This means that a rogue systems administrator, malicious hacker or government can extract information from the system while it is being processed.
Adoption of cloud computing services by large enterprises has been hindered by this except when they maintain a private cloud in their own facilities.
Homomorphic encryption allows data to be processed in an encrypted form so that only the end user can access it in a readable form. So far it has been too demanding for normal computers to handle. In 2012 I invited Shai Halevi, a cryptography researcher at IBM, to discuss work he was doing in this area. He was able to execute some basic functions slowly with specialized hardware but the technology was not ready for general use.
Recently researchers at MIT have made breakthroughs that promise to bring homomorphic encryption to the mainstream, finally making secure cloud computing possible.
Mylar is a platform for building secure web applications.
Mylar stores only encrypted data on the server, and decrypts data only in users’ browsers. Beyond just encrypting each user’s data with a user key, Mylar addresses three other security issues:
It is a secure multi-user system – it can perform keyword search over encrypted documents, even if the documents are encrypted with different keys owned by different users
Mylar allows users to share keys and data securely in the presence of an active adversary
Mylar ensures that client-side application code is authentic, even if the server is malicious
Results with a prototype of Mylar built on top of the Meteor framework are promising: porting 6 applications required changing just 35 lines of code on average, and the performance overheads are modest, amounting to a 17% throughput loss and a 50 msec latency increase for sending a message in a chat application.
To further secure a web app in the cloud, an encrypted distributed filesystem such as Tahoe-LAFS can be used. It distributes data across multiple servers so that even if some of the servers fail or are taken over by an attacker, the entire filesystem continues to function correctly, preserving privacy and security.
By combining these two technologies, data can be encrypted at every point until it is accessed by its legitimate owner, combining privacy and security with the flexibility and scalability of cloud computing.
No longer confined behind a locked down private data center or hidden under the end user’s bed, a virtual FreedomBox can finally escape to the clouds.