Auditing PII in the Cloud with CloudFence


One of the primary concerns of users of cloud-based services and applications is the risk of unauthorized access to their private information. Personally identifiable or sensitive information (PII) has become a target of attackers seeking financial gain through misuse of such information.

Adversarial scenarios aside, PII is sometimes released or leaked inadvertently, through application bugs, sloppy administration practices, or other operational problems. With the trend toward storing and processing PII on complex and insecure systems, the need for improved protection has become a goal of both enterprise policy and, increasingly, legislative efforts.

CloudFence is a framework that allows users to independently audit the treatment of their private data by third-party online services, through the intervention of the cloud provider that hosts these services. We advocate auditing instead of enforcement as the preferred path, because it empowers end users while allowing cloud services to remain flexible by adapting to changing needs, and offering new features without a priori need to update mechanistic security policies or user preferences. However, CloudFence can also enforce information security policies should that become desirable.

The research in this project seeks to investigate, develop, and experimentally evaluate novel techniques for conducting fine-grained tracking of “information of interest” (as defined by the user of the cloud, in a flexible, context-sensitive manner) toward (a) providing increased transparency to end users of the handling of their information by the cloud, and (b) enabling the periodic (or even continuous) auditing of said handling, either by users or an agent acting on their behalf. The end goal is to create a general-purpose, application-agnostic information tracking mechanism across the cloud that can operate on both legacy and newly developed applications, such that users can leverage their trust on the infrastructure provider (e.g., Google or Amazon) without imposing unreasonable constraints on said provider (e.g., no requiring manual inspection of applications).


  • ShadowReplica: Efficient Parallelization of Dynamic Data Flow Tracking
    Kangkook Jee, Vasileios P. Kemerlis, Angelos D. Keromytis, and Georgios Portokalidis. In Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS). November 2013, Berlin, Germany.
  • CloudFence: Data Flow Tracking as a Cloud Service
    Vasilis Pappas, Vasileios P. Kemerlis, Angeliki Zavou, Michalis Polychronakis, and Angelos D. Keromytis. In Proceedings of the 16th International Symposium on Research in Attacks, Intrusions and Defenses (RAID). October 2013, Saint Lucia.
  • Cloudopsy: an Autopsy of Data Flows in the Cloud
    Angeliki Zavou, Vasilis Pappas, Vasileios P. Kemerlis, Michalis Polychronakis, Georgios Portokalidis, and Angelos D. Keromytis. In Proceedings of the 15th International Conference on Human-Computer Interaction (HCI). July 2013, Las Vegas, NV.
  • SecureGov: Secure Government Data Sharing
    Jong Uk Choi, Soon Ae Chun, Dong Hwa Kim, and Angelos D. Keromytis. In Proceedings of the 14th Annual International Conference on Digital Government Research (dg.o). June 2013, Quebec City, Canada.


Network Security Lab, Columbia University

This material is based upon work supported by the National Science Foundation under Grant No. 1222748

Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.