Microsoft researchers detail VC3, a way to securely process data in the cloud

Microsoft Research today unveiled Verifiable Confidential Cloud Computing (VC3), a framework for processing data that keeps code and data from being seen by attackers or people working for a cloud provider.

VC3 is a MapReduce framework that can run distributed computations on top of Hadoop open-source software for storing and analyzing lots of different kinds of data.

Researchers are showing off their work on the project today at the annual IEEE Symposium on Security and Privacy in San Jose, California, according to a blog post from Microsoft Research’s Allison Linn.

Microsoft isn’t announcing any sort of commercial productizing of VC3 — but if that happens, it could be of interest to companies that want to offload complex computing jobs to an external cloud but have some concerns about data security.

If Microsoft does introduce VC3-style computing in its growing Azure cloud, it would be another way to attract workloads from big enterprises, where Microsoft has earned trust over many decades. And it would be a new way for Microsoft to make itself look more appealing alongside other expanding public clouds, like the Google Cloud Platform and market-leading Amazon Web Services.

Microsoft is revealing VC3 a few weeks after it said it would boost email content encryption in Office 365. Clearly, security is one area Microsoft wants to take seriously, not only for its cloud software but also for cloud infrastructure that can run other companies’ applications.

Meanwhile, other cloud service providers have been striving to do more with encryption. Box recently announced Enterprise Key Management for storing customers’ encryption keys and audit logs on dedicated hardware security modules. And IBM research scientist Craig Gentry, who was named a MacArthur fellow in September, is looking to improve the performance of an encryption method called Fully Homomorphic Computing (FHE).

FHE in particular is currently not efficient for most computations, the Microsoft researchers concluded in their paper on VC3. And systems like Cipherbase and CryptDB “do not protect all code and data,” they wrote.

Thus the development of VC3, which the researchers were able to run on the HDInsight Hadoop distribution running on Windows. And importantly, as they noted, performance wasn’t dragged down:

Experimental results on common benchmarks show that VC3 performs well compared with unprotected Hadoop; VC3’s average runtime overhead is negligible for its base security guarantees, 4.5% with write integrity and 8% with read/write integrity.

Read the full VC3 paper here (PDF).