Cloud and the Law

Encryption- Cloud federation is the practice of

interconnecting public and private
cloud services from two or more
providers to extend the scalability

Based Solution of existing cloud systems, increase

elasticity in resource management,
and accommodate spikes in demand.
Because workloads are outsourced to cost-effective

for Data regions, cloud federation can also potentially result

in significant cost savings (electricity, hardware pro-
visioning, and so on). This outsourcing also allows
federated clouds to overcome emerging challenges,

Sovereignty such as big data handling/disaster recovery through

colocation and geographic distribution of computing
and storage resources, together with other methods.
Therefore, it isn’t surprising that cloud federa-

in Federated tion is an increasingly popular option for both users

and providers (for example, Google’s InterCloud). A
Gartner study, for example, forecasts that through
2020, hybrid clouds will overtake both public and

Clouds private cloud services to be the dominant cloud ser-

vice model.1
To provide service aggregation, seamlessly
and transparently integrating public and private
cloud services from two or more providers is criti-
cal. These services will likely have been built us-
ing different infrastructures. For example, one will
need to resolve heterogeneity-related issues at the
infrastructure level (for example, exchanged data
Christian Esposito formats, interfaces of provided services, and com-
University
munication means), and ensure that other (nontech-
of Napoli “Federico II”
nical) issues, such as differing resource allocation
policies, economic models, and management poli-
cies, won’t affect the federated cloud’s smooth op-
eration. Various initiatives have sought to identify
Aniello Castiglione and promote open solutions and standards for cloud
University of Salerno interoperability. Examples include the Open Cloud
Manifesto (www.opencloudmanifesto.org), Open
Cloud Computing Interface (OCCI, http://occi-wg
.org), Open Cloud Standards Incubator (http://www
.dmtf.org/standards/cloud), and Cloud Data Man-
Kim-Kwang agement Interface (CDMI, www.snia.org/cdmi).
Raymond Choo Cloud federation has also been the focus of recent
University research efforts. For example, several researchers
of South Australia have proposed middleware abstraction layers to fa-
cilitate cloud federation2 (see Figure 1).
As the figure illustrates, a front-end is provid-
ed for interactions with cloud service consumers.

12 I E E E C l o u d C o m p u t i n g p u b l i s h e d b y t h e I E E E c o m p u t e r s o cie t y  2325-6095/16/$33.00 © 2016 IEEE

 Cloud federation

Cloud A Cloud B Cloud C

Consumer

Federation middleware

Integration layer Allows the communication

of each cloud to/from the
Cloud orchestration solution.
service Embodies the orchestration
brokerage logic for the interconnection
Orchestration layer of clouds.

Represents the
front-end of the
cloud federation

Figure 1. A generic federation middleware for clouds can be schematically viewed as composed of two
different abstraction layers: one providing communication capabilities, the other offering orchestration
means.

This component hides the federation’s complexity, ware can replicate and/or move data between differ-
so from the consumers’ perspective, the service ap- ent cloud services and datacenters, possibly located
pears to be running on a single cloud platform. An in different countries.
integration layer enforces the interoperability among These activities can take place without the
heterogeneous cloud platforms. An orchestration data owner’s knowledge or informed consent. For
layer, built on top of the integration layer, harmoniz- example, in the case of private clouds, the data
es the different management strategies and models owner must have given consent by specifying geo-
of the federated clouds. graphical, legislative, and data location constraints
in the service-level agreement (SLA), whereas in a
Challenges public cloud, such a requirement might not be pres-
In addition to the interoperability issues, a federated ent in the SLA. In both cases, the federated cloud
cloud service faces security and legal challenges. service providers (CSPs) might not even be able
Cloud consumers’ concerns about the lack of con- to determine the “split” data’s exact location. This
trol over the outsourced data and computational could potentially result in organizations breaching
activities, and about data being stored in multiple the exacting privacy and other regulations in the ju-
disparate datacenters located in different countries, risdiction in which they operate. More specifically,
are exacerbated in a federated cloud environment, consumer data is managed by a CSP regulated un-
where, to maximize efficient resource utilization, der a legal framework that might be inconsistent or
automated software within the federation middle- conflict with that of the data owner, and data can be

J a n u a r y/ F e b r u a r y 2 0 1 6 I EEE Clo u d Co m p u t i n g 13
 Cloud and the Law

accessed by users from countries with privacy rules the recent high-profile incident involving Edward
that are inconsistent (or conflict) with those of the Snowden.
data owner. When using a cloud federation, consumers
Therefore, establishing data sovereignty3 (that don’t know the data’s exact location (for example,
is, controlling and verifying the data’s geoloca- which datacenter in which country the data will
tion) is of pivotal importance when (federated) be stored). In fact, the cloud federation’s front end
cloud services are used to store sensitive data to is represented by a broker service that receives a
ensure that data stored in the cloud won’t be avail- consumer’s request and decides how to allocate
able to anyone in a location with a conflicting the hardware commodity, based on predefined se-
legal framework (for example, data about the US lection algorithms7 without the consumer or data
transport-critical infrastructure shouldn’t be stored owner’s involvement. Moreover, the data owner
or made available to anyone located outside the can share access to outsourced data with other
country, particularly in US Office of Foreign Assets consumers, as long as they have Internet connec-
tivity, even if they’re located in a dif-
ferent geographic location. These are
serious issues when handling sensitive
data,8 such as healthcare data, bio-
Restrictions on data storage and medical datasets, or financial informa-
access can also differ among states tion. Access to this data is generally
governed by various legal restrictions,
within the same country, or between such as the Health Insurance Porta-
countries. bility and Accountability Act (HIPAA)
and Control Objectives for Informa-
tion and Related Technology (COBIT).
For example, the European Union
(EU) Data Protection Directive states
Control [OFAC] sanctioned countries).4 Ensuring that any personal data generated within the EU
data sovereignty can be part of the SLA manage- is subject to European law and data can only be
ment system. Existing research on this topic has shared with a third party if the owner is notified.9
two general focus areas: However, the data can’t leave the EU unless the
third party is located in a country that provides an
• imposing geolocation and legislation awareness adequate level of protection, for example, coun-
policies when locating data within the cloud in- tries that participate in the Safe Harbor program
frastructure,5 and (www.export.gov/safeharbor).
• verifying the compliance of SLA policies when As noted elsewhere, “It is a near impossible
storing data in a cloud infrastructure.6 task to fully harmonise privacy and data protec-
tion regimes due to the different judicial and legal
In the first case, data can’t be moved around systems internationally. There are countries that
the cloud infrastructure, and the CSP can’t apply do not have any mandatory data retention or data
its internal strategies to improve storage and re- protection requirements.”10 In other words, restric-
trieval efficiency. In the second case, there’s no as- tions on data storage and access can also differ
surance that the data has been duplicated and the among states within the same country, or between
copies moved to other locations, hence violating countries. Within the EU, countries such as France
SLA policies. In both cases, the data owner must and Denmark have broad restrictions, but coun-
trust the CSP to be doing the right thing; however, tries such as Italy and Germany have limited or no
such blind trust makes the data stored in the cloud restrictions for certain types of data.11 CSPs with
vulnerable because of the possibility of a mali- an international presence will have to comply with
cious or corrupt insider/CSP. This is evidenced in a myriad of regulatory obligations, both domes-

14 I EEE Clo u d Co m p u t i n g w w w.co m p u t er .o rg /clo u d co m p u t i n g

tic and international. For example, in the United • the schemes might not consider the verification
States, the Patriot Act allows US intelligence agen- of possible copies of data of interest (this isn’t
cies to access personal data managed by US compa- uncommon in cloud computing because of per-
nies without notifying the data owners, in an effort formance and availability); and
to enhance domestic security by surveying suspect- • geolocation accuracy depends on timing delays
ed terrorists.12 and packet losses.
The EU directive and the US Patriot Act have
conflicting requirements in relation to disclosure re- Moreover, naïve solutions mandating the use
quirements. US CSPs operating in the EU must com- of domestic CSPs and having geographical re-
ply with US legislation (such as the Patriot Act) in strictions provide a false sense of security since
addition to EU data protection and notification laws. a malicious or corrupt CSP can circumvent such
In other words, US CSPs could be criminally liable or restrictions prior to the consumer undertaking any
subject to prosecution in the EU should they release SLA verification.
EU citizens’ data to the US Government
under the US Patriot Act without notify-
ing the data owner.
Naïve solutions for cloud federation
include deploying only cloud services Naïve solutions mandating the
from domestic providers or providers lo- use of domestic CSPs and having
cated in countries with compatible legal
requirements, or defining geographical
geographical restrictions provide a
boundaries for data storage and move- false sense of security.
ment. The latter can be achieved by
implementing restriction policies within
the SLA. When a cloud consumer sub-
mits a request to the cloud through a
broker service, the service can consider geolocation Potential Solution
restrictions when selecting the best datacenter, and/ Data geolocation or domestic CSP restrictions will
or the right federated cloud, to host the consumer also undermine the benefits of cloud federation.
data. Based on an adequately secure verification Therefore, we posit that a simpler solution is to adopt
mechanism (such as an SLA management system an encryption-at-rest approach in a federated cloud,
that observes the runtime performance of cloud ser- where consumers control the cryptographic keys.
vices and aggregates the observed data into SLA re- Several CSPs provide encryption for data at rest as a
porting metrics13), the cloud consumer can validate privacy guarantee, allowing users to keep some con-
whether the conditions outlined in the SLA have trol of their own data, and not allowing CSPs, be-
been satisfied or fulfilled. lieved to be untrustworthy, to access the outsourced
Zachary Peterson and his colleagues identify a data. This removes the urge to know where the data
possible solution to achieving data sovereignty us- is located or which legal framework to apply for data
ing proof of data possession (PDP).3 PDP proves outsourced to the cloud, since only those who pos-
the existence of certain data outsourced to a cloud sess the decryption key can access the outsourced
server, and the proof can be used to test the data’s data.14 Moreover, even if transferred to a different
retrievability from an untrusted cloud server (for country from that of the data owner, the outsourced
this reason, PDP is also known as proof of retriev- data isn’t subject to foreign law since CSPs can’t be
ability). However, existing proposed proofs of loca- forced to provide data to which it has no access.
tion schemes have limitations: Figure 2 shows a potential implementation of
this solution. The data owner (User 1) specifies the
• the use of landmarks complicates the practical desired geographic location within which his or her
implementation of such schemes; data may be disclosed. Based on this geolocation

J a n u a r y/ F e b r u a r y 2 0 1 6 I EEE Clo u d Co m p u t i n g 15
 Cloud and the Law

User 2’s data User 2’s

consumer geolocation
Encrypted data
Encrypted data
Decryption
algorithm Decryption key

Plaintext Decrypted data

data
User 1
Encryption
data owner
algorithm
Cloud federation Error

Encrypted data
Decryption key
Geolock
Geolocation encryption key
requirement Decryption
algorithm

User 3’s
geolocation
User 3’s data
consumer

Figure 2. An encryption-based solution for data sovereignty in federated clouds can include an encryption stage done by the
data owners, and decryption stages done by data consumers that have retrieved the encrypted data from different clouds than
the one of the data owner.

requirement, an encryption key is constructed and Data sovereignty is a key require-

the data to be outsourced is encrypted and loaded ment for outsourcing sensitive data
into the cloud federation. A set of data consum- in the cloud, particularly in privacy-
ers may retrieve the encrypted data from the cloud conscious jurisdictions such as
federation. We can have two classes of consumers: countries within the European Union.
those in a location that satisfies the data owner’s This column proposed enforcing geolocation control
requirement (User 2), and those outside the data using encryption, rather than the traditional solu-
owner’s desired geographic location (User 3). Both tion of limiting the placement of data within certain
users construct a decryption key from their current geographic areas.
location, but only User 2 can obtain the plaintext of
the retrieved data, while the other fails. References
In such a solution, a key problem is to design 1. “Hype Cycle for Emerging Technologies,” Gartner,
a mechanism that can securely determine a user’s 2012; www.gartner.com/DisplayDocument?doc cd
location. Such a mechanism must be equipped with =233931.
techniques to protect itself from a malicious user 2. C. Esposito et al., “Interconnecting Federated
providing false information to mark the user’s true Clouds by Using Publish-Subscribe Service,”
location. Such a geolocation spoofing attack can Cluster Computing, vol. 16, no. 4, 2013, pp.
be neutralized using techniques discussed in the 887–903.
literature.15 3. Z.N.J. Peterson, M. Gondree, and R. Beverly, “A

16 I EEE Clo u d Co m p u t i n g w w w.co m p u t er .o rg /clo u d co m p u t i n g

 Position Paper on Data Sovereignty: The Impor- 13. P. Bhoja, S. Singhalb, and S. Chutanic, “SLA

tance of Geolocating Data in the Cloud,” Proc. Management in Federated Environments,” Com-
3rd USENIX Conf. Hot Topics in Cloud Comput- puter Networks, vol. 35, no. 1, 2001, pp. 5–24.
ing (HotCloud), 2011; www.usenix.org/legacy/ 14. S. Kamara and K. Lauter, “Cryptographic Cloud
event/hotcloud11/tech/final_files/Peterson.pdf. Storage,” Financial Cryptography and Data Secu-
4. A.N. Toosi, R.N. Calheiros, and R. Buyya, “In- rity, R. Sion et al., eds., LNCS 6054, Springer,
terconnected Cloud Computing Environments: 2010, pp. 136–149.
Challenges, Taxonomy, and Survey,” ACM Com- 15. J.A. Muir and P.C.V. Oorschot, “Internet Geo-

puting Surveys, vol. 47, no. 1, 2014, article 7. location: Evasion and Counter Evasion,” ACM
5. N. Paladi, M. Aslam, and C. Gehrmann, “Trust- Computing Surveys, vol. 42, no. 1, 2009, article 4.
ed Geolocation-Aware Data Placement in Infra-
structure Clouds,” Proc. IEEE 13th Int’l Conf.
Trust, Security and Privacy in Computing and Christian Esposito is an adjunct professor at
Comm. (TrustCom), 2014, pp. 352–360. the University of Naples “Federico II,” Italy, and a re-
6. D.L. Fu, X.G. Peng, and Y.L. Yang, “Trusted Vali- search fellow at the University of Salerno, Italy. His
dation for Geolocation of Cloud Data,” Computer research interests include information security and
J., vol. 58, no. 10, 2015, pp. 2595–2607. reliability, middleware, and distributed systems. Es-
7. C. Esposito et al., “Smart Cloud Storage Ser- posito has a PhD in computer engineering from the
vice Selection Based on Fuzzy Logic, Theory University of Naples “Federico II.” Contact him at
of Evidence and Game Theory,” IEEE Trans. christian.esposito@dia.unisa.it.
Computers, preprint Jan. 2015; doi:10.1109/
TC.2015.2389952.
8. A. Castiglione et al., “Cloud-Based Adaptive Aniello Castiglione is an adjunct professor at
Compression and Secure Management Services the University of Salerno, Italy, and at the University
for 3D Healthcare Data,” Future Generation of Naples “Federico II,” Italy. His research interests in-
Computer Systems, vols. 43–44, Feb. 2015, pp. clude security, communication networks, information
120–134. forensics and security, and applied cryptography. Cas-
9. Directive 95/46/EC on the Protection of Individ- tiglione has a PhD in computer science from the Uni-
uals with Regard to the Processing of Personal versity of Salerno. He’s a member of IEEE and ACM.
Data and on the Free Movement of Such Data, Contact him at castiglione@ieee.org.
European Parliament and the Council, 24 Oct.
1995; http://eur-lex.europa.eu/legal-content/EN/
TXT/HTML/?uri=CELEX:31995L0046. Kim-Kwang Raymond Choo is an associate
10. K.-K.R. Choo, “Cloud Computing: Challenges
professor at the University of South Australia and vis-
and Future Directions,” Trends & Issues in Crime iting expert at the Interpol Global Complex for In-
and Criminal Justice, no. 400, Oct. 2010, pp. novation. His research interests include cyber and
1–6. information security and digital forensics. Choo
11. EU Country Guide Data Location & Access Re- has a PhD in information security from Queensland
striction. A Brief Survey, De Brauw Blackstone University of Technology, Australia. He’s a senior
Westbroek, Jan. 2013; www.verwal.net/wp/wp member of IEEE. Contact him at raymond.choo
-content/uploads/2014/03/EU-Country-Guide @fulbrightmail.org.
-Data-Location-and-Access-Restrictions.pdf.
12. H.R. 3162, Uniting and Strengthening America
by Providing Appropriate Tools Required to In-
tercept and Obstruct Terrorism (US Patriot Act)
Act of 2001, US Govt. Printing Office, Jan. 2001;
www.gpo.gov/fdsys/pkg/BILLS-107hr3162enr/ Selected CS articles and columns are also available
for free at http://ComputingNow.computer.org.
pdf/BILLS-107hr3162enr.pdf.

J a n u a r y/ F e b r u a r y 2 0 1 6 I EEE Clo u d Co m p u t i n g 17