We aim to build a secure system that can fend off both external and internal attackers. Much previous work deals with external attackers only; our system addresses both. It combines several existing techniques, which we explain in the following sections.
Data availability has very high priority in any company's operations. In our system all data are stored encrypted. The database itself is backed up regularly by the cloud service; in addition, we require a backup of the Encryption Proxies together with their decryption keys, since an encrypted database backup can only be restored if the corresponding keys survive as well.
We automate the backup procedure for Encryption Proxies by first establishing the integrity of both proxies and only then exchanging the decryption keys over a secure channel. All session keys are sealed to the TPM. By comparing specific PCR values we attest the integrity of one proxy against another running on identical hardware. Only if both Encryption Proxies are in the same state (same hardware, same software, same XACML file and the same set of known database services) does the exchange of their key material take place.
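The following is an added illustration of the PCR-gated key exchange described above; it is not the paper's implementation. It models the TPM operations in software with hashlib: the PCR extend rule (new = SHA-256(old || SHA-256(event))), a seal policy bound to a digest over selected PCRs, and the check that two proxies report the same policy digest before any key material leaves the source proxy. The PCR numbers 12 to 15, the hardware and software identifiers, the placeholder XACML file and the service list are all constructed for the example, and the secure channel itself is not modelled. A real deployment performs these steps with TPM2_PCR_Extend, TPM2_PolicyPCR and TPM2_Unseal, and the wrapping key never leaves the chip.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

SHA256_ZERO = bytes(32)  # every SHA-256 PCR bank starts as 32 zero bytes at reset


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM extend operation: PCR_new = SHA-256(PCR_old || SHA-256(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_proxy(hardware_id: str, software_hash: str, xacml_file: bytes,
                  db_services: List[str]) -> Dict[int, bytes]:
    """Record the four state components named in the text into PCRs 12-15.
    The PCR assignment is this example's choice, not the paper's."""
    pcrs = {
        12: pcr_extend(SHA256_ZERO, hardware_id.encode()),
        13: pcr_extend(SHA256_ZERO, software_hash.encode()),
        14: pcr_extend(SHA256_ZERO, xacml_file),
        15: SHA256_ZERO,
    }
    # Extend services in canonical order so that listing order does not matter.
    for svc in sorted(db_services):
        pcrs[15] = pcr_extend(pcrs[15], svc.encode())
    return pcrs


def policy_digest(pcrs: Dict[int, bytes]) -> bytes:
    """Digest over the selected PCRs; stands in for the TPM's PolicyPCR digest."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(pcrs))).digest()


def seal(secret: bytes, pcrs: Dict[int, bytes]) -> dict:
    """Bind a 32-byte secret to the current PCR state.
    Simulated by XOR with a keystream derived from the policy digest and a nonce;
    a real TPM keeps the wrapping key in hardware and only checks the policy."""
    assert len(secret) == 32
    nonce = secrets.token_bytes(16)
    policy = policy_digest(pcrs)
    stream = hashlib.sha256(policy + nonce).digest()
    return {"nonce": nonce, "policy": policy,
            "ct": bytes(a ^ b for a, b in zip(secret, stream))}


def unseal(blob: dict, pcrs: Dict[int, bytes]) -> bytes:
    """Release the secret only if the live PCRs reproduce the sealing policy."""
    current = policy_digest(pcrs)
    if not hmac.compare_digest(current, blob["policy"]):
        raise PermissionError("PCR state changed since sealing; refusing to unseal")
    stream = hashlib.sha256(current + blob["nonce"]).digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))


def exchange_key_material(src_pcrs: Dict[int, bytes], dst_pcrs: Dict[int, bytes],
                          sealed_key: dict) -> Optional[bytes]:
    """Attestation gate from the text: the source proxy unseals its key material
    for the destination only when both report the same PCR policy digest, i.e.
    same hardware, software, XACML file and known database services.
    Returns the key on success and None when attestation fails."""
    if not hmac.compare_digest(policy_digest(src_pcrs), policy_digest(dst_pcrs)):
        return None
    return unseal(sealed_key, src_pcrs)


if __name__ == "__main__":
    # Constructed sample state for two proxies of the same build.
    xacml = b"<Policy PolicyId='productive-db'/>"
    services = ["postgres://db1.internal:5432", "postgres://db2.internal:5432"]
    proxy_a = measure_proxy("HW-TYPE-7", "sha256:ab12", xacml, services)
    proxy_b = measure_proxy("HW-TYPE-7", "sha256:ab12", xacml, services[::-1])
    db_key = secrets.token_bytes(32)
    sealed = seal(db_key, proxy_a)
    assert exchange_key_material(proxy_a, proxy_b, sealed) == db_key
    # A proxy whose XACML file differs by one byte is refused.
    tampered = measure_proxy("HW-TYPE-7", "sha256:ab12", xacml + b" ", services)
    assert exchange_key_material(proxy_a, tampered, sealed) is None
    print("identical proxies exchanged the key; modified XACML file was refused")
```

Two details matter in practice: the service list is extended in sorted order so that two proxies configured with the same services in a different order still attest as equal, and the comparison of digests uses a constant-time compare, as the TPM's own policy check does.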
Using XACML, our system can not only limit the number of queries an employee may issue, it can also enforce a fine-grained access control structure. XACML policy editors should follow the need-to-know principle: with respect to confidentiality, employees must only be able to access what they need for their jobs (so system administrators do not need access to the productive database). In particular, we want to eliminate the possibility of an employee copying the entire database.
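The following XACML 3.0 policy is an added illustration of such a need-to-know policy for the productive database; it is not the paper's XACML file. The policy id, the role names sysadmin and analyst, the resource id productive-db, the quota of 200 queries and the environment attribute urn:example:environment:queries-today (which the enforcement point is assumed to fill in with the employee's running query count) are assumptions of this example; the category, function and attribute identifiers otherwise are the standard XACML ones.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="urn:example:productive-db-access"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Description>Need-to-know access to the productive database via the Encryption Proxy</Description>

  <!-- The policy applies to every request that names the productive database. -->
  <Target>
    <AnyOf><AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">productive-db</AttributeValue>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             MustBePresent="true"/>
      </Match>
    </AllOf></AnyOf>
  </Target>

  <!-- Rule 1: system administrators never touch productive data. -->
  <Rule RuleId="deny-sysadmin" Effect="Deny">
    <Target>
      <AnyOf><AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">sysadmin</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                               AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="false"/>
        </Match>
      </AllOf></AnyOf>
    </Target>
  </Rule>

  <!-- Rule 2: per-employee query budget; the enforcement point supplies the
       running count in the example-specific attribute queries-today. -->
  <Rule RuleId="deny-over-quota" Effect="Deny">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
                               AttributeId="urn:example:environment:queries-today"
                               DataType="http://www.w3.org/2001/XMLSchema#integer"
                               MustBePresent="true"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">200</AttributeValue>
      </Apply>
    </Condition>
  </Rule>

  <!-- Rule 3: analysts may run single SELECT queries; nothing else is permitted. -->
  <Rule RuleId="permit-analyst-select" Effect="Permit">
    <Target>
      <AnyOf><AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">analyst</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                               AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="false"/>
        </Match>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">select</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                               AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Match>
      </AllOf></AnyOf>
    </Target>
  </Rule>
</Policy>
```

Two points for whoever edits the file. With deny-overrides, a sysadmin who also holds the analyst role is still denied, because Rule 1 wins over Rule 3. And an action that no rule mentions (a bulk dump, for instance) evaluates to NotApplicable rather than Permit, so the Encryption Proxy must treat anything other than an explicit Permit as a denial; that deny-by-default behaviour at the enforcement point is what actually prevents copying the whole database.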