Cloud-Based Computing: Routes Toward Secure Storage And Affordable Computation
Cloud computing, while indispensable for modern business operations, has also become a significant target for cyberattacks due to the large amount of sensitive data stored online. Currently, over 90% of organizations rely on cloud services for critical operations, and there are more than 3.6 billion active cloud users globally. This translates to 47% of the world's population utilizing cloud services, underscoring the widespread dependency on the cloud.
Unfortunately, this reliance on cloud computing comes with heightened risks. Data breaches are escalating in both frequency and severity: according to the 2024 Thales Cloud Security Study, 44% of businesses reported experiencing a breach in their cloud environments, with 14% reporting a breach within the past 12 months.
As organizations migrate more sensitive data to the cloud – nearly half of all cloud-stored data is classified as sensitive – the attack surface for cybercriminals expands. This makes breaches not only more common but also more damaging, as the loss of sensitive information can have far-reaching consequences, including significant financial and reputational harm. The global average cost of a data breach in 2024 was estimated at $4.88 million.
Nowadays, so-called “client-side encryption” is effective in data security and privacy protection in cloud data storage. However, for encrypted data to be useful, there is still a long way to go toward practical secure computation over it. We still face significant scalability and performance hurdles. Research continues to explore ways to bridge this gap, making scalable, privacy-preserving computation more efficient and accessible for large-scale applications.
The root causes of data breaches
User authentication and access control are among the most critical mechanisms to deter data breaches.
User authentication, the process of verifying the identity of users trying to access cloud resources, is the first line of defence – but it is widely regarded as the weakest link in the chain of security, with an estimated 81% of hacking-related breaches leveraging either stolen or weak passwords. Though user authentication has evolved a lot in recent years, attacks meant to compromise user authentication have, too.
Access control – the process of regulating who can view, use or interact with cloud resources such as data, applications or services – is the next line of defence. Effective access control ensures that only authorized users or devices have the appropriate permissions to access certain resources, thereby minimizing security risks and preventing unauthorized access or misuse of cloud assets.
In today's cloud computing environments, cloud servers are fully responsible for correctly enforcing access-control policies. As a result, misconfigurations of servers due to human error or software bugs, or compromise of servers due to malicious attacks, can result in serious breaches. In fact, the US National Security Agency (NSA) considers misconfiguration a leading vulnerability in a cloud environment.
Client-side encryption for secure storage
Data can be encrypted and decrypted on end users' devices before uploading it to and downloading it from the cloud. This approach ensures that data is encrypted during transit and storage, making data inaccessible to anyone without the decryption keys, including service providers and other potential attackers. As long as the decryption keys are kept secure by end users, security and privacy of data can be ensured even if the user's cloud account and the cloud server are compromised.
Existing client-side encryption solutions in cloud computing can use either private or public keys. For example, Google Workspace client-side encryption employs an online key distribution server to distribute keys between authorized users for the purpose of data encryption and sharing. However, an online distribution server can be both a security and performance bottleneck. To circumvent this, MEGA, another client-side encryption service, uses public key encryption and hence does not require an online key distribution server. But it does require sophisticated public key certificate management, and the number of public key encryptions is proportional to the number of potential data users with whom a document is shared, making this a strategy that's hard to scale up.
Circumventing the computational limitation of client-side encryption
Suppose that a hospital wants to outsource the storage of its patients' electronic medical records to the cloud and wants to establish specific policies on who can access the records. Before outsourcing a record, the hospital may specify that it can only be accessed by cardiologists in, say, the University Hospital, or by scientists in the Life Science Institute. Let “CT” denote the encrypted medical record and “AP” = (Cardiologist AND University Hospital) OR (Scientist AND Life Science Institute) be the access policy. CT and AP are cryptographically bound together and are uploaded to the cloud for storage. Then only users whose attributes satisfy AP can decrypt CT to get the decrypted medical record.
This is a scalable encryption system because its access policy does not need to list each and every authorized user who can access the data, only the attributes of the potential users. Access control (i.e., decryption) of encrypted data is not enforced by the cloud server but through the encryption and decryption algorithms that are theoretically proved secure.
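An added illustration (not from the article and not the authors' scheme) of how a policy such as AP can be enforced by arithmetic instead of by the server: the decryption secret is split down the policy tree, with OR copying it and AND splitting it into additive shares. The tree encoding, the modulus `Q` and the function names are assumptions made for this example; real attribute-based encryption also binds the shares to per-user key randomness so that users cannot pool attributes, which this example leaves out.

```python
import secrets

Q = 2**127 - 1  # prime modulus for the shares (assumed for this example)

# AP from the text, written as a nested tuple (encoding is an assumption)
POLICY = ("OR",
          ("AND", "Cardiologist", "University Hospital"),
          ("AND", "Scientist", "Life Science Institute"))

def share(node, secret, out, path="0"):
    """Split `secret` down the tree; `out` maps leaf path -> (attribute, share)."""
    if isinstance(node, str):
        out[path] = (node, secret)
        return out
    op, *children = node
    if op == "OR":
        parts = [secret] * len(children)          # any one branch suffices
    else:                                         # AND: all shares are needed
        parts = [secrets.randbelow(Q) for _ in children[:-1]]
        parts.append((secret - sum(parts)) % Q)
    for i, (child, part) in enumerate(zip(children, parts)):
        share(child, part, out, f"{path}.{i}")
    return out

def recover(node, shares, attrs, path="0"):
    """Return the secret if `attrs` satisfies the subtree at `node`, else None."""
    if isinstance(node, str):
        return shares[path][1] if node in attrs else None
    op, *children = node
    vals = [recover(c, shares, attrs, f"{path}.{i}")
            for i, c in enumerate(children)]
    if op == "OR":
        return next((v for v in vals if v is not None), None)
    return None if None in vals else sum(vals) % Q

if __name__ == "__main__":
    key = secrets.randbelow(Q)                    # stands in for the key that protects CT
    leaf_shares = share(POLICY, key, {})
    for attrs in ({"Cardiologist", "University Hospital"},
                  {"Cardiologist", "Life Science Institute"}):
        ok = recover(POLICY, leaf_shares, attrs) == key
        print(sorted(attrs), "->", "key recovered" if ok else "denied")
```

A single AND share is a uniformly random value modulo `Q`, so holding one attribute of a branch reveals nothing about the key.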
Beyond secure storage: exploiting secure data efficiently
One of the main efficiency drawbacks of such systems – which are already deployed – is that decryption is computationally expensive for resource-limited devices. To address this issue, we proposed a protocol that improves decryption efficiency for end users by two orders of magnitude, by outsourcing most of the decryption workload to a public cloud server.
Another critical problem in deployment is “user revocation”: whenever a user leaves the system, changes her position or loses her existing private key, the key must be revoked to prevent unauthorized access to sensitive data. Current systems mostly use timestamps to bar revoked users from decrypting new content – however, the timestamps require regular updates, which can be computationally heavy in large systems. We proposed hardware-based revocable attribute-based encryption to make revocation cheaper.
Computing directly on encrypted data
Ideally, servers should be able to perform meaningful operations on encrypted data without ever decrypting it, preserving privacy at every step.
This is where so-called “fully homomorphic encryption” comes in. It is a cutting-edge encryption technique that enables mathematical operations – specifically, addition and multiplication – to be executed on encrypted data directly by a server, without the need for decryption.
However, current state-of-the-art systems are impractical for large-scale computations because of the “noise” – the unwanted, random-looking data introduced by cryptographic operations – that threatens the integrity of the results. Frequent noise-mitigating procedures are required – once again, a computationally expensive method, in particular for large data sets.
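To make the noise problem concrete, here is an added toy example (not the authors' scheme and not from the article) in the style of the textbook integer-based homomorphic scheme, where a bit is hidden as `P*q + 2*r + bit`. The key size, noise range and function names are assumptions chosen for readability and offer no security; the point is that noise adds under addition, multiplies under multiplication, and decryption only works while it stays below half the key.

```python
import random

P = 2**64 + 13               # secret key: an odd integer (toy size, constructed)
RNG = random.Random(2024)    # fixed seed for a repeatable demo; not a CSPRNG

def encrypt(bit):
    """c = P*q + 2*r + bit. The small term 2*r + bit is the noise."""
    q = RNG.getrandbits(128) | (1 << 127)   # large random multiple of the key
    r = RNG.randrange(128, 256)             # fresh noise, roughly 2^8
    return P * q + 2 * r + bit

def noise(c):
    """Centred remainder of c modulo P; computing it requires the key."""
    n = c % P
    return n - P if n > P // 2 else n

def decrypt(c):
    """Correct only while the accumulated noise stays below P/2."""
    return noise(c) % 2

def add(c1, c2):
    """Ciphertext addition = XOR of the plaintext bits; noises add."""
    return c1 + c2

def mul(c1, c2):
    """Ciphertext multiplication = AND of the plaintext bits; noises multiply."""
    return c1 * c2

def max_and_chain():
    """Count how many fresh encryptions of 1 can be multiplied together
    before the true (unreduced) noise reaches P/2 and decryption breaks."""
    c = encrypt(1)
    n, factors = noise(c), 1
    while True:
        f = encrypt(1)
        if n * noise(f) >= P // 2:      # one more product would overflow
            return factors
        c, n, factors = mul(c, f), n * noise(f), factors + 1
        if decrypt(c) != 1:             # never triggers inside the budget
            raise AssertionError("decryption failed inside the noise budget")

if __name__ == "__main__":
    print("1 XOR 1 =", decrypt(add(encrypt(1), encrypt(1))))
    print("1 AND 1 =", decrypt(mul(encrypt(1), encrypt(1))))
    print("fresh ciphertexts that can be ANDed:", max_and_chain())
```

With these toy parameters each fresh ciphertext carries about 9 bits of noise against a 63-bit budget, so the chain stops after seven factors; noise-reduction procedures exist to reset that budget.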
Our novel approach to secure computing over encrypted data allows an unlimited number of arithmetic operations to be performed without the need for “bootstrapping” (the mathematical operation to reduce noise), achieving superior performance across various secure computing tasks, such as privacy-preserving person re-identification.
Created in 2007 to help accelerate and share scientific knowledge on key societal issues, the Axa Research Fund has supported nearly 700 projects around the world conducted by researchers in 38 countries. To learn more, visit the website of the Axa Research Fund or follow @AXAResearchFund on X.