Cloud safety net: Detecting data leakage between cloud tenants

Priebe C, Muthukumaran D, O'Keeffe D, Eyers D, Shand B, Pietzuch P, Kapitza R (2014)

Publication Type: Conference contribution

Publication year: 2014

Publisher: Association for Computing Machinery

Book Volume: 2014-November

Pages Range: 117-128

Conference Proceedings Title: Proceedings of the ACM Conference on Computer and Communications Security

Event location: Scottsdale, AZ, USA

ISBN: 9781450332392

DOI: 10.1145/2664168.2664174


When tenants deploy applications under the control of third-party cloud providers, they must trust the provider's security mechanisms for inter-tenant isolation, resource sharing and access control. Despite a provider's best efforts, accidental data leakage may occur due to misconfigurations or bugs in the cloud platform. Especially in Platform-as-a-Service (PaaS) clouds, which rely on weaker forms of isolation, the potential for unnoticed data leakage is high. Prior work to raise tenants' trust in clouds relies on attestation, which limits the management flexibility of providers, or fine-grained data tracking, which has high overheads. We describe CloudSafetyNet (CSN), a lightweight monitoring framework that gives tenants visibility into the propagation of their application data in a cloud environment with low performance overhead. It exploits the incentive of tenants to co-operate with each other to detect accidental data leakage. CSN transparently adds opaque security tags to a subset of form fields in HTTP requests, using a client-side JavaScript library. Socket-level monitors maintain a log of observed tags flowing between application components. Tenants retrieve their logs and identify foreign tags that indicate data leakage. To check the correct operation of CSN, tenants send probe requests with known tags and verify that monitors are logging correctly. Using an implementation of CSN deployed on the OpenShift and AppScale PaaS platforms, we show that it can discover misconfigurations and bugs with a negligible performance impact.

Authors with CRIS profile

Involved external institutions

How to cite


Priebe, C., Muthukumaran, D., O'Keeffe, D., Eyers, D., Shand, B., Pietzuch, P., & Kapitza, R. (2014). Cloud safety net: Detecting data leakage between cloud tenants. In Proceedings of the ACM Conference on Computer and Communications Security (pp. 117-128). Scottsdale, AZ, USA: Association for Computing Machinery.


Priebe, Christian, et al. "Cloud safety net: Detecting data leakage between cloud tenants." Proceedings of the 6th ACM Cloud Computing Security Workshop, CCSW 2014, Held in Conjunction with the 2014 ACM Computer and Communication Security, CCS 2014, Scottsdale, AZ, USA Association for Computing Machinery, 2014. 117-128.

BibTeX: Download