Multi-cloud applications: data and code fragmentation for improved security

When deciding against outsourcing their data to the cloud, organizations often point to security as the primary reason. If cloud is not used as a passive storage only, but rather both the data and the code required for their processing are being outsourced, then the data privacy may get compromised in two ways: (i) in the storage if not being encrypted and (ii) during the processing through various execution-level attacks. Encrypting the data before outsourcing enhances their security while in the storage, but disables their processing in the cloud. On the other hand, if a cloud has the ability to decrypt the data before processing, then they remain vulnerable during the execution. In this paper, we present a paradigm for outsourcing both the data and the code to the cloud in a way that preserves data privacy, while still enabling their processing outside the organization. The paradigm leverages constraint-based data and code fragmentation and deploys these fragments to multiple independent computer clouds. We introduce several architectural patterns for secure computation in a multi-cloud environment, demonstrate the paradigm use, and examine introduced performance penalty on a simple application.