A digital envelope scheme for document sharing in a private cloud storage

Jedidiah Yanez-Sierra, A. Díaz-Pérez, V. Sosa-Sosa, J. L. Gonzalez
DOI: 10.1109/CEWIT.2015.7338158 (https://doi.org/10.1109/CEWIT.2015.7338158)
Published in: 2015 12th International Conference & Expo on Emerging Technologies for a Smarter World (CEWIT)
Publication date: 2015-12-03
Citations: 4

Abstract

Data assurance is one of the biggest concerns in adopting Cloud Computing. In a Cloud Storage environment, organizations outsource the storage and management of their documents for great flexibility and economic savings. However, contracting data storage to a third party, even in a private cloud deployment, could lead to potential security and privacy risks. Encrypting remotely stored documents before they are outsourced to the cloud has been the most widely used technique to bridge the privacy gap. Nevertheless, this technique imposes important limitations when users want to have workflows for sharing documents with other users, because data must be decrypted by the cloud storage before being sent or the private keys used to encrypt the documents must be shared. Both cases may lead to a lack of access control over the information. In this paper we present a digital envelope scheme over a configurable workflow architecture allowing secure document sharing in private cloud storage environments. Our scheme uses three main ideas: the encryption of the main information by using cryptographic systems, the construction of a document-sharing envelope by using attribute-based encryption and digital signature mechanisms, and the development of a well-defined assurance workflow to transport the information through the different security phases. Based on our scheme, we developed a prototype and conducted a proof of concept in a private cloud environment. Experimental results revealed that the overhead of the assurance represents on average only a fraction (no more than 15%) of the sharing operations.