Returning Data Control to Users with STRATUS

Associate Professor Ryan Ko – University of Waikato

When we upload files into cloud storage, or when we process and create data in the cloud, we immediately lose control of our data. Most of the time, we will not know where our data will be stored, or how many copies of the data are created. Worse, we cannot stop malicious insiders from accessing possibly sensitive data. Despite being transferred across and within clouds over encrypted channels, data often has to be decrypted within the database for it to be processed. Exposing the data at some point in the cloud to a few privileged users is undoubtedly a vendor-centric approach, and hinges on the trust relationships data owners have with their cloud service providers.

A team of cyber security researchers from the University of Waikato, University of Auckland, Unitec, and the Cloud Security Alliance has been working since 2014 on an NZD12.23m MBIE-funded project called STRATUS. STRATUS aims to develop user-centric approaches that return data control to the data owners -- empowering users with data provenance, transparency and auditability, homomorphic encryption, situation awareness, revocation, attribution and data resilience.

It is STRATUS’ proposition that, for the cloud to be a truly trustable service, cloud service providers must not be data owners but data processors. We have also worked closely with NZ industry such as Aura Information Security, Gallagher, Virscient, Naki Cloud, and Vigilance to develop and commercialise cyber security products. Some of our STRATUS subprojects are as follows:

  • We have developed Progger to enable cloud stakeholders to keep track of the provenance (i.e. derivation history) of their data, and to let them know whether malicious insiders have accessed their data or whether users have leaked their important data to foreign systems.

  • We have developed tools that allow cloud stakeholders to analyse data provenance and help them identify malicious activities. Cloud users benefit from being able to track data provenance and identify malicious activities, as they can use these capabilities for incident investigations and auditing purposes.

  • Together with Vigilance, we developed tools to identify anomalous payments and potential fraudulent behaviours from bank transactions.

  • We have developed 3DCrypt, designed to render encrypted 3D images without decrypting them. Healthcare businesses processing medical images in the cloud can benefit from 3DCrypt, as they can utilise powerful cloud computing capabilities while the privacy of patients’ medical images is preserved.

  • We have also developed searchable encryption tools that enable stakeholders to search encrypted data without decrypting it, so that cloud providers are only processors of data and are not capable of seeing what the data is.

  • We have developed CRaaSH, a disaster recovery system that provides decentralized service checkpoint/restart -- enabling cloud stakeholders to recover data from possible failure in cloud computing.

Please feel free to contact:

  • Industry collaboration: Mr Brian Cole (brian.cole AT

  • Scientific enquiries: Associate Professor Ryan Ko (ryan.ko AT