CryptDICE: Distributed data protection system for secure cloud data storage and computation
Information Systems (IF 3.7), Pub Date: 2020-10-30, DOI: 10.1016/j.is.2020.101671
Ansar Rafique, Dimitri Van Landuyt, Emad Heydari Beni, Bert Lagaisse, Wouter Joosen

Cloud storage allows organizations to store data at remote sites of service providers. Although cloud storage services offer numerous benefits, they also involve new risks and challenges with respect to data security and privacy aspects. To preserve confidentiality, data must be encrypted before outsourcing to the cloud. Although this approach protects the security and privacy aspects of data, it also impedes regular functionality such as executing queries and performing analytical computations. To address this concern, specific data encryption schemes (e.g., deterministic, random, homomorphic, order-preserving, etc.) can be adopted that still support the execution of different types of queries (e.g., equality search, full-text search, etc.) over encrypted data.

However, these specialized data encryption schemes have to be implemented and integrated in the application and their adoption introduces an extra layer of complexity in the application code. Moreover, as these schemes imply trade-offs between performance and security, storage efficiency, etc., making the appropriate trade-off is a challenging and non-trivial task. In addition, to support aggregate queries, User Defined Functions (UDF) have to be implemented directly in the database engine and these implementations are specific to each underlying data storage technology, which demands expert knowledge and in turn increases management complexity.

In this paper, we introduce CryptDICE, a distributed data protection system that (i) provides built-in support for a number of different data encryption schemes, made accessible via annotations that represent application-specific (search) requirements; (ii) supports making appropriate trade-offs and execution of these encryption decisions at diverse levels of data granularity; and (iii) integrates a lightweight service that performs dynamic deployment of User Defined Functions (UDF), without performing any alteration directly in the database engine, for heterogeneous NoSQL databases in order to realize low-latency aggregate queries and also to avoid expensive data shuffling (from the cloud to an on-premise data center). We have validated CryptDICE in the context of a realistic industrial SaaS application and carried out an extensive functional validation, which shows the applicability of the middleware platform. In addition, our experimental evaluation efforts confirm that the performance overhead of CryptDICE is acceptable and validate the performance optimizations for achieving low-latency aggregate queries.
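The trade-off the abstract describes, as an added example (not code from the paper or from CryptDICE): a deterministic token lets the store answer an equality search but reveals which rows share a value, while an additively homomorphic scheme lets the store compute a SUM aggregate without decrypting. It assumes an HMAC token standing in for deterministic encryption and a toy Paillier instance with constructed, insecure keys; all names and sample records are hypothetical.

```python
import hashlib
import hmac
import math
import secrets
from collections import Counter

# Toy Paillier key built from two Mersenne primes (constructed; insecure, demo only).
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)
MU = pow(LAM, -1, N)  # valid because the generator is fixed to g = N + 1
TOKEN_KEY = b"constructed-demo-key"  # assumption: stays with the data owner

def det_token(value: str) -> str:
    """Deterministic equality token: the same plaintext always maps to the same token."""
    return hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()

def he_encrypt(m: int) -> int:
    """Randomized Paillier encryption: c = (1 + m*N) * r^N mod N^2."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return (1 + m * N) * pow(r, N, N2) % N2

def he_decrypt(c: int) -> int:
    return (pow(c, LAM, N2) - 1) // N * MU % N

def server_sum(rows, dept_token):
    """Runs at the untrusted store: match tokens, multiply ciphertexts (= add plaintexts)."""
    acc = 1  # ciphertext 1 decrypts to 0
    for row in rows:
        if row["dept"] == dept_token:
            acc = acc * row["salary"] % N2
    return acc

def build_rows(records):
    return [{"dept": det_token(d), "salary": he_encrypt(s)} for d, s in records]

RECORDS = [("sales", 4100), ("ops", 3900), ("sales", 5200), ("sales", 4700)]  # constructed

def demo():
    rows = build_rows(RECORDS)
    total = he_decrypt(server_sum(rows, det_token("sales")))
    leakage = Counter(r["dept"] for r in rows)  # group sizes visible to the store
    return total, sorted(leakage.values())

if __name__ == "__main__":
    print(demo())
```

The second element of the result is what the store learns from the deterministic column alone: how many rows fall into each group, even though it cannot read the group names.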




Updated: 2020-11-27