Fujitsu develops inter-cloud data security technology

data, including data content, transmitted from the inside of a company to a cloud and between multiple clouds. In addition to the option of blocking confidential data, the data gateway also includes the following three features.

1. Data masking technology. Using masking technology, when data passes through the information gateway, confidential parts of the data can be deleted or changed before the data are transmitted to an external cloud. For example, the technology can be used to temporarily conceal personal information inside of a medical examination record with pseudonyms before sending it to an external industry-wide cloud for examination by a medical specialist. When the results from the examination have been received, the data can once again be restored to their original form.

In addition, with confidential numerical chart data, such as a breakdown by region of patients suffering from a certain disease, special operations can be performed on the data to mask the original figures before sending the data to the cloud, making it possible for multiple data sets to be aggregated without any modifications (patent pending). Each user can obtain access to different levels of detail for the tallied results using decryption keys that grant different levels of access (prefecture level, city level, town level, etc.). Processing is possible without needing to store actual data or keys in the cloud, and, in addition, the data can be accessed by users on multiple levels based on a single data set, making database management easy.

2. Secure logic migration and execution technology. For confidential data that cannot be released outside of the company, even formed by concealing certain aspects of the data, by simply defining the security level of data, the information gateway can transfer the cloud-based application to the in-house sandbox (a “sandbox” is a protected program execution environment that prevents fraudulent tampering of data) for execution. The sandbox will block access to data or networks that lack pre-authorized access, so even applications transferred from the cloud can be safely executed. Moreover, because the execution status of applications is recorded, application providers are able to confirm if there is any inappropriate use of the data.

3. Data traceability technology. The information gateway tracks all information flowing into and out of the cloud, so these flows and their content can be checked. Data traceability technology uses the logs obtained on data traffic as well as the characteristics of the related text to make visible the data used in the cloud. For example, in a joint development project, one can check how textual data collected in the cloud have been used, including whether portions have been copied, thereby enabling any inappropriate usage to be identified.

Results

Fujitsu says that with the newly developed cloud gateway, confidential data can be securely handled in the cloud without users or application developers having to take special precautions to guard data confidentiality. Depending on the circumstances, data can either be masked or the cloud-based processing application will be executed in-house, and therefore confidential data are not physically transferred to the cloud. Because the information gateway limits data flowing into or out of the cloud, movements of data in the cloud traffic flows can be made visible, and it is possible to block the transfer or copying of data to unintended destinations. These functions will be essential for cases in which private data are being handled in the cloud or for collaborations in which multiple organizations are developing new products.

The company says that this technology will now undergo verification in environments where multiple clouds are working in collaboration, with commercialization targeted for 2012.