When tenants deploy applications under the control of third-party cloud providers, they must trust the provider’s security mechanisms for inter-tenant isolation, resource sharing and access control. Despite a provider’s best efforts, accidental data leakage may occur due to misconfigurations or bugs in the cloud platform. Especially in Platform-as-a-Service (PaaS) clouds, which rely on weaker forms of isolation, the potential for unnoticed data leakage is high. Prior work to raise tenants’ trust in clouds relies on attestation, which limits the management flexibility of providers, or fine-grained data tracking, which has high overheads.
We describe CloudSafetyNet (CSN), a lightweight monitoring framework that gives tenants visibility into the propagation of their application data in a cloud environment with low performance overhead. It exploits the incentive of tenants to co-operate with each other to detect accidental data leakage. CSN transparently adds opaque security tags to a subset of form fields in HTTP requests, using a client-side JavaScript library. Socket-level monitors maintain a log of observed tags flowing between application components. Tenants retrieve their logs and identify foreign tags that indicate data leakage. To check the correct operation of CSN, tenants send probe requests with known tags and verify that monitors are logging correctly. Using an implementation of CSN deployed on the OpenShift and AppScale PaaS platforms, we show that it can discover misconfigurations and bugs with a negligible performance impact.