Cloud service providers have a hard time implementing the right level of data security and privacy for their Software as a Service (SaaS) customers. To help solve this challenge, imec has set up a unique collaboration with three companies that each brought a separate SaaS case to the table. Nicknamed SEQUOIA, the imec.icon research project has resulted in an innovative security framework that sets a new standard for shared data stores used by multitenant SaaS services. SEQUOIA allows fine-grained, attribute-based security rules in accordance with each customer’s own business logic. It has been implemented as an add-on to the data access middleware and can be plugged into proven, state-of-the-art middleware without the need to rebuild solutions from scratch. SEQUOIA was presented recently at ESSoS17 (International Symposium on Engineering Secure Software and Systems) in Bonn.
Security and privacy - a challenge for SaaS providers
More and more companies organize part of their business through software services in the cloud. Take e.g. telecom corporations that create, view, and manage massive amounts of invoices. They can now do so through a SaaS service offered by a third party. This means they will create and manage their invoices through an interface application and a database that is run by a third party: the SaaS provider.
Today, however, most of these services lack the inherent possibility to manage data based on customer-specific security or privacy considerations. As a result, an account manager at the telco could, for example, query and see all possible invoices, irrespective of his role, assigned customers, or region.
A common way for a SaaS provider to solve this problem is to add and program each customer’s security logic in their SaaS application. But that solution is most often inefficient, error-prone, difficult to audit and very expensive to manage and modify.
To make matters worse, this also makes it near impossible for the SaaS provider to have multitenant databases, i.e. databases shared by a number of its customers. To do so would force them to program and manage the security logic of various customers in one application, making audit and modification exponentially hard. So to be able to set up and guarantee at least a minimal level of security and privacy, SaaS providers are currently forced to set up separate installations per customer, which partly defies their business model.
What is the goal of SEQUOIA and how does it improve the state-of-the-art?
With SEQUOIA (Safe Query Operations for Cloud-Based SaaS Applications), the project partners aimed to create a generic security solution for SaaS providers, a solution that allows them to set up one multitenant database. At the same time, it also gives each of their SaaS customers the possibility to define fine-grained, attribute-based security rules in accordance with their own business logic. In the invoice example, the telco using SaaS would e.g. be able to define and modify its own restrictions on who can view and change invoices based on e.g. region, function, responsibility, or individual account manager portfolios.
As an example of how SaaS requests are processed today, take the situation where an account manager wants to see all open invoices under his authority. With today’s setup, his request will result in a general database query that will bring up all open invoices. Next, the SaaS application and its preprogrammed security logic will filter the results and display only those invoices that the particular account manager may view. Apart from all the issues surrounding the rule base, this makes the response time and performance dependent on the size of the database.
SEQUOIA, in contrast, will tailor the query before it is executed, so that only the right invoices are searched for and retrieved. This is much more efficient and secure. The rewriting and compacting of queries is done by an add-on module, at the level of the data access middleware, and is thus completely separated from the database or customer applications. The rules for rewriting are provided by each SaaS customer separately, who can enter them in a language that is easy to understand and audit. Each customer’s rules are thus managed and processed separately, no matter how many customers use the same application and database.
As a result, SEQUOIA allows SaaS providers to add value to their service without having to install new databases or middleware, or reprogram the applications. And each of the customers can add and manage its own rules, which makes a huge difference in terms of security and auditability.
How SEQUOIA works
SEQUOIA is set up as a middleware for scalable, attribute-based querying of multitenant, cloud-based databases. It is a security solution to enforce complex, custom authorization rules in search queries, with guarantees for safety, correctness and performance.
SEQUOIA is implemented as an add-on to the data access middleware, the API that sits between a database and the query source (customer application, web server…). The solution takes in a query, looks up the relevant security rules, translates these into restrictions that it injects into the query, and then compacts the query before it is sent on to the database. It can be added to proven, state-of-the-art data access middleware without having to rebuild a solution from scratch.
SEQUOIA includes an easy-to-use declarative language with which each SaaS customer can create its own access rule base based on attributes. This guarantees independence for application code, easy access, modification and audit. Because the rules are applied before querying, the performance is not affected by the size of the database.
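The pipeline described above (look up the tenant's rules, translate them into restrictions, inject them into the query before it runs), set beside application-side post-filtering. This is an added example, not SEQUOIA code: the `RULES` format, table layout and function names are assumptions for illustration, the sample rows are constructed, and query compaction is not shown.

```python
import sqlite3

# Constructed sample rows for one shared (multitenant) invoice table.
ROWS = [(1, "telco_a", "north", "alice", "open"),
        (2, "telco_a", "north", "bob", "open"),
        (3, "telco_a", "south", "alice", "open"),
        (4, "telco_a", "north", "alice", "paid"),
        (5, "telco_b", "north", "alice", "open")]
COLS = ("id", "tenant", "region", "manager", "status")

# Hypothetical rule base, one entry per tenant: role -> {column: subject attribute}.
# This format is an assumption for illustration, not SEQUOIA's policy language.
RULES = {"telco_a": {"account_manager": {"region": "region", "manager": "user_id"}},
         "telco_b": {"account_manager": {"manager": "user_id"}}}

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id, tenant, region, manager, status)")
    db.executemany("INSERT INTO invoices VALUES (?,?,?,?,?)", ROWS)
    return db

def restrictions(subject):
    """Translate the tenant's rules into (column, required value) pairs; deny by default."""
    rule = RULES.get(subject["tenant"], {}).get(subject["role"])
    if rule is None:
        raise PermissionError("no rule for this tenant/role")
    return [("tenant", subject["tenant"])] + [(c, subject[a]) for c, a in rule.items()]

def query_rewritten(db, base_sql, params, subject):
    """Inject the restrictions before execution; values are bound, never concatenated."""
    pairs = restrictions(subject)
    where = " AND ".join(f"{col} = ?" for col, _ in pairs)  # columns come from the rule base only
    sql = f"SELECT * FROM ({base_sql}) WHERE {where}"
    rows = db.execute(sql, list(params) + [v for _, v in pairs]).fetchall()
    return rows, len(rows)  # (visible rows, rows the database returned)

def query_post_filtered(db, base_sql, params, subject):
    """The setup the article describes as today's: fetch broadly, filter in the application."""
    fetched = db.execute(base_sql, params).fetchall()
    pairs = restrictions(subject)
    kept = [r for r in fetched if all(r[COLS.index(c)] == v for c, v in pairs)]
    return kept, len(fetched)

if __name__ == "__main__":
    alice = {"tenant": "telco_a", "role": "account_manager", "user_id": "alice", "region": "north"}
    open_invoices = ("SELECT * FROM invoices WHERE status = ?", ("open",))
    print(query_post_filtered(make_db(), *open_invoices, alice))
    print(query_rewritten(make_db(), *open_invoices, alice))
```

Both paths show the account manager the same single invoice, but the post-filtered path pulls every open invoice of every tenant into the application first, while the rewritten query only ever returns rows the rules allow.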
SEQUOIA’s solution was validated in multiple storage and query architectures, for interactive and background querying, both with SQL structured queries and NoSQL unstructured querying. A proof-of-concept was implemented in state-of-the-art data access middleware and three demonstrators were built and validated in the application domains of the project partners, on top of MySQL, MS SQL, and ElasticSearch.
A win-win for the imec.icon project partners and an added value for SaaS providers
The SEQUOIA project was co-financed by imec and received project support from VLAIO, the Flemish Agency for Innovation & Entrepreneurship. Imec.icon projects support demand-driven, cooperative research involving imec researchers, industry partners or social-profit organizations. Together, they lay the foundation of digital solutions that find their way into breakthrough products.
The SEQUOIA team included two imec research groups (imec–DistriNet–KU Leuven and imec–IDLab–UGent) and three industrial partners. The imec researchers are specialized in security architectures and big data processing. The three industrial partners represent three separate SaaS use cases. UP-nxt manages customer administration data such as invoices, to which access is regulated down to the level of single account managers or regions. Verizon has multitenant databases containing logs of managed IT infrastructure, access to which is extremely sensitive and restricted. And ESAS wants to set up a field service management service in which service engineers in the field can access their tasks, messages and statuses.
Through the experience they gained in the project, the SEQUOIA partners now have all the expertise and software to enhance their SaaS offering. They now work towards validating and including the new middleware into their live environments. From their point of view, they perceive the advantages of the SEQUOIA middleware as threefold:
- It mitigates the lingering doubt of customers about the security of multitenant cloud solutions. With the SEQUOIA technology, each customer will own, validate and audit its own rule base.
- It adds value to the SaaS offering and makes it attractive and competitive, again mainly because of the unique possibility and ease of setting up customer-specific rule bases.
- It greatly lowers operating costs, as SEQUOIA allows for one multitenant cloud installation, with no need for dedicated installations per business case.
Bert Lagaisse is a senior researcher at imec–DistriNet–KU Leuven and industrial research manager for the Industrial Research Fund of KU Leuven. He leads the cloud and security middleware research tracks. As an expert in multi-tenant cloud architectures and SaaS security, he knows all the ins and outs of the SEQUOIA project. Bert can be reached at bert.lagaisse@kuleuven.be.
Published on:
5 July 2017