This document discusses securing databases in the cloud. It outlines some benefits of cloud computing like lower prices and flexibility, but also security risks from lack of control over machines and services. It then defines concepts like confidentiality, integrity and accessibility for data security. It discusses encrypting data at rest, in motion and in use. Homomorphic encryption and order-preserving encryption are introduced as ways to query encrypted data. The CryptDB project at MIT is mentioned as an approach using "onion encryption" to execute SQL queries over encrypted data stored in the cloud.

1. Secure databases in the cloud
Vasily Sidorov
@bazzilic
http://bazzilic.me/

2. Benefits of the Cloud
Price
Cloud could be significantly cheaper.
Consumed AvailableConsumed AvailableConsumed Available

3. Benefits of the Cloud
Flexibility
Quick adaptation to growth or peaks.
Consumed AvailableConsumed Available

4. Problems of the Cloud
Information Security
Machines and services are out of our control
– Configuration, isolation, firewalls, etc.
– What security policies are in place?
– Is the cloud service provider telling the truth?
– Cloud service provider itself is a threat!

5. What is “Security” of Data Security?
CIA
– Confidentiality
Authorized reading of data.
– Integrity
• Authorized writing of data
• Data is not corrupted
– Accessibility
• Data is not deleted
• Connectivity issues, servers downtime, etc.

6. What is “Data” of Data Security?
The three states of digital data:
– Data at Rest
• Disk encryption
• Crypto containers
– Data in Use
– Data in Motion
• SSL/TLS

7. Database Security SotA
Data at Rest Data in Motion Data in Use
Confidentiality
Integrity
Accessibility
Encryption of database files (TDE)
– SQL Server, Oracle, 3rd party solutions
– Data is decrypted when loaded
– The DBMS knows the key!

8. Processing of Encrypted Data
• Decrypt the data
• Deterministic encryption for search and
simple joins
• What if we can do something with
encrypted data itself?

9. Homomorphic Encryption
Homomorphic encryption preserves at least
one operation: addition, multiplication, etc.
For addition:
∃𝑔 ⋅ such that ∀𝑎, 𝑏 ∈ ℕ:
𝑎 + 𝑏 = 𝐷 𝑔 𝐸 𝑎 , 𝐸 𝑏
Examples: Paillier, ElGamal, BGN, RSA.

10. Fully Homomorphic Scheme
Has been a holy grail of cryptography for
decades – an encryption scheme that
preserves both addition and multiplication.
In 2009 Craig Gentry has developed a fully
homomorphic scheme while doing PhD at
Stanford University.
It still appears to be completely impractical.

11. Order-Preserving Encryption
Similar in concept to homomorphic
encryption, OPE allows us to say which
ciphertext keeps a greater (lesser) number.
Allows us to do range queries.
Searching through Encrypted Data
One of the most developed directions in the
field with multiple different approaches.

12. CryptDB
Has been in development in MIT since 2011.
Invented “onion” encryption

13. Directions of Research
• Support full SQL over encrypted data
• Multiple users with separate access scopes
– Separation/scoping of access by encryption
• Performance
– General performance improvements
– Task- or scope-specific performance (OLTP,
OLAP, specific query types)
• Accessibility and Integrity

14. References
1. The three states of digital data:
http://aspg.com/three-states-digital-data/
2. Oracle database file encryption:
http://www.oracle.com/technetwork/database/options/advanced-security/index-
099011.html
3. SQL Server database file encryption:
https://msdn.microsoft.com/en-us/library/bb934049.aspx
4. Homomorphic encryption:
http://en.wikipedia.org/wiki/Homomorphic_encryption
5. Craig Gentry’s fully homomorphic encryption:
http://crypto.stanford.edu/craig/craig-thesis.pdf
6. Implementation of Craig Gentry’s scheme in C:
https://github.com/shaih/HElib
7. Executing SQL over Encrypted Data in the Database-Service-Provider Model:
http://www.ics.uci.edu/~chenli/pub/sigmod02.pdf
8. CryptDB:
https://css.csail.mit.edu/cryptdb/