Abstract

Most security online is binary, where being authorized to access a system allows complete access to the requested resource. This binary system amplifies the harm of giving access to an unauthorized individual and motivates system designers to strengthen access control mechanisms to the point where they become so strong as to be nearly insurmountable for illegitimate and legitimate users alike. As a result, Internet users are required to jump through several hoops to access their data: ever longer passwords, multiple authentication factors, or time-consuming CAPTCHAs. Users must always provide strong proof of their identity, regardless of whether they want to check their email for something as innocuous as a movie time or as serious as a medical test result. Not surprisingly, users often disable or refuse to use these tedious security options [2, 5, 7]. Users may be better served by a data-centric approach to security, where systems are sensitive to the differing security needs of data, even within a single account or collection. A data-centric approach can apply strong security only when the data being protected warrants it, while allowing users a less encumbered experience the majority of the time. Machine learning techniques can automate the detection of sensitive information, freeing users from the tedious task of sorting their data into low and high security categories. With less friction involved in securing their data, users may be more likely to use strong security where available, resulting in a more secure Internet for everyone. We present Cloudsweeper, a tool that applies a data-centric approach to security to the specific case of plain text password sharing in Gmail accounts. Cloudsweeper detects and applies an additional layer of encryption to plain text passwords in a user's email account, while allowing the user to access the rest of their email archive as normal. Public use of Cloudsweeper shows that such a data-centric approach to securing data can be an effective way of providing users more security while still being acceptably convenient.
