cloud storage and security overview - ceur-ws.orgceur-ws.org/vol-2326/paper3.pdf · web-cloud...

Oussama ArkiLIRE Laboratory, Constantine 2 University

Ali Mendjli, 25000 Constantine, [email protected]

Abdelhafid ZitouniLIRE Laboratory, Constantine 2 University

Ali Mendjli, 25000 Constantine, [email protected]

Abstract

Cloud storage is one of the cloud services, itallows users to store and manage their dataremotely in the cloud. Nowadays, cloud stor-age has become an attractive storage schemefor users to store their data. When users storetheir files remotely in a cloud storage system,they still worried about the security of theirfiles and the guarantee of the confidentialityand the integrity of them. In this work, wepropose a study of cloud storage and the prob-lem of security in this service. For that, first,we give an overview of this concept, second,we talk about the problem of security in cloudstorage, and then we summarize the differenttechniques and methods that have been pro-posed in order to ensure the security in cloudstorage systems.

Keywords Cloud Storage, Information Security,Confidentiality, Integrity, Availability, Encryption .

1 Introduction

In the last years, information technology has beenwidely developed, aiming to increase the power of com-puting and decrease their cost, which led to the emerg-ing of new technologies.In that context, cloud computing rapidly appeared sas IT solution of choice for many companies and in-dividuals. According to the national institute of stan-dards and technology, ”cloud computing is a model

Copyright c© by the paper’s authors. Copying permitted forprivate and academic purposes.

In: Proceedings of the 3rd Edition of the InternationalConference on Advanced Aspects of Software Engineering(ICAASE18), Constantine, Algeria, 1,2-December-2018, pub-lished at http://ceur-ws.org

for enabling ubiquitous, convenient, on-demand net-work access to a shared pool of configurable comput-ing resources (e.g., networks, servers, storage, appli-cations, and services) that can be rapidly provisionedand released with minimal management effort or ser-vice provider interaction” [PT11].Cloud storage is one of the cloud services, it allowsthe users to store and manage their data remotely inthe cloud servers, Cloud storage is a model of net-worked online storage where data is stored on mul-tiple virtual servers [PP13]. The cloud storage usersare perplexed about how security can be guaranteed inthe cloud storage system. Moreover, they are worriedabout hosting their sensitive data in the cloud storagesystems. The characteristics of cloud computing cancreate a serious data risk as the same resources areused among the different users [CS16].The adaptation of cloud storage needs a good compre-hension of this service and the risks behind the out-sourcing of our sensitive data in the cloud. In this pa-per, we give an overview of cloud storage system, andwe discuss the problem of security in cloud storage,and then we classify the existing techniques that aimto secure the cloud storage into different categories.The rest of this paper is organised as follows. Sec-tion 2 is an overview of cloud storage systems. Section3 discusses the problem of security in cloud storage.In section 4, we classified the existing solutions whichaim to secure the cloud storage. Finally, a conclusionis given in Section 5.

2 Cloud Storage overview

The cloud storage is one of the cloud services, it can beconsidered as a part of the infrastructure as a service,in this section we give a brief study of cloud storage.

2.1 Cloud storage

Cloud storage is a model of networked online stor-age where data is stored on multiple virtual servers,generally hosted by third parties, rather than being

Cloud Storage and Security Overview

Page 26

hosted on dedicated servers [PP13] , It allows users tostore their data at remote disks and access them any-time from any place [VMB14]. Through based uses aWeb-Cloud storage services may be accessed through aweb service application programming interface(API),or interface[PP13].

2.2 Cloud Storage Architecture

Cloud storage architectures are primarily about de-livery of storage on demand in a highly scalable andmulti-tenant way. Generically, cloud storage architec-tures consist of[VMB14] :front end that exports an API to access the stor-age. In traditional storage systems, this API is theSCSI protocol; but in the cloud, these protocols areevolving. There, you can find Web service front ends,file-based front ends, and even more traditional frontends.the storage logic behind the front end is a layerof middleware that is called the storage logic. Thislayer implements a variety of features, such as repli-cation and data reduction, over the traditional data-placement algorithms .back end implements the physical storage for data.This may be an internal protocol that implements spe-cific features or a traditional back end to the physicaldisks. Figure 01 presents the cloud storage architec-ture.

Figure 1: Cloud Storage Architecture

2.3 Definition of Cloud Storage Services

Many cloud storage providers are active on the market,offering various kinds of services to their customers.This study distinguishes between two types of cloudstorage services[MTM+12].

Basic cloud storage services are generally not de-signed to be accessed directly by users but ratherincorporated into custom software using applicationprogram-ming interfaces” (API).Advanced cloud storage services mostly employbasic cloud storage services for the actual storage ofdata, and provide interfaces such as client or web ap-plications which greatly simplify the use of the servicefor the customer.

2.4 The Existing Interface for cloud DataStorage

Since cloud Storage, cloud service providers began tomake their own implementations available to users. Asa result, a multitude of interfaces have been suppliedthat have been re-purposed for cloud storage, such asblock-based access via iSCSI; POSIX interfaces (NFS,CIFS, and WebDAV); object-based CRUD (Create,Read, Update, Delete) interfaces over HTTP; and aplethora of proprietary interfaces for database or tableaccess. Figure 02 presents the cloud storage existinginterfaces[Zap12].

Figure 2: Existing Interfaces for Cloud Data Storage

CDMIAs cloud storage provides benefits , such as scalabil-ity and cost savings, the adoption of cloud storage isgrowing. However, each cloud storage provider offersits own cloud storage interface. As a result, multi-ple standards exist, which locks clients into propri-etary solutions. The Storage Networking Industry As-sociation (SNIA)’s response has been to develop theCloud Data Management Interface (CDMI), an exten-sible standard that accommodates vendors’ require-ments and ensures consistency and interoperability forusers [Zap12]. Figure 03 shows the cloud storage ref-erence model.

Cloud Storage and Security Overview ICAASE'2018

7International Conference on Advanced Aspects of Software EngineeringICAASE, December, 01-02, 2018

Figure 3: Cloud Storage Reference Model [2]

3 Cloud storage and security

In this section, we discuss the problem of cloud storagesecurity.

3.1 Information Security

This term means protecting information and informa-tion systems from unauthorized access, use, disclo-sure, disruption, modification, or destruction in or-der to provide integrity, confidentiality and availabil-ity. Here, integrity means guarding against improperinformation modification or destruction and includesensuring information non-repudiation and authentic-ity. Confidentiality means preserving authorized re-strictions on disclosure and access, including meansfor defending proprietary and personal privacy infor-mation. Availability means ensuring timely and reli-able access to and use of information[LSMMM13].-Confidentiality: It means keeping user data secretin the Cloud systems. It ensures that the data ofthe user, which reside in the Cloud, cannot be ac-cessed by an unauthorized person. There are two ba-sic approaches to achieve such confidentiality, physi-cal isolation and cryptography. Confidentiality can beachieved through proper encryption technique: sym-metric and asymmetric algorithms [PS13].-Data Integrity: Data integrity is one of the mostcritical elements in any information system. Generally,data integrity means protecting data from unautho-rized deletion, modification, or fabrication. Managingentitys admittance and rights to specific enterprise re-sources ensures that valuable data and services are notabused, misappropriated, or stolen [YJYG14].-Availability: Data should be available when it isrequested via the owner. It ensures that user can beable to use the service anytime from any place. Twostrategies called hardening and redundancy are mainly

used to enhance the availability [PS13].

3.2 Security Challenges in Cloud Storage

With adoption of a cloud model, users lose controlover physical security. Security overall covers mainlythree aspects: confidentiality, integrity and availability(CIA). These aspects are the top most considerationsin designing a security measure to ensure maximumprotection. [FVRG14].-Securing access to protected data is restricted tocertain level of user authorised to access it. This re-quires mechanisms to be in place to control the accessof protected data. The foundation on which accesscontrol mechanisms are built starts with authentica-tion, authorization and encryption.-Protecting data from loss and leakage envolves in-tegrity of many parties involved in providing the re-sources. It is suggested to practice auditing tech-niques such as Proof-of-Retrivebility(POR) and Proof-of-Data Possession(PDP) to enable verification.-High-available as access and data are getting se-cured, it is important to keep the hardware high-available. The hardware is the infrastructure hostingthe services to store data and information. Withoutensuring failover, the services are unable to meet theuptime and comply with service level managements.

4 Cloud Storage Security Solutionsand Techniques

In the literature, many techniques and methods areproposed to provide cloud storage security. Thosetechniques and methods can be classified into encryp-tion methods, identity and access management (IAM)techniques, data protection techniques and availabilitytechniques.

4.1 Ensuring Confidentiality

Data confidentiality in cloud storage security refers tothe property that information stored in the cloud stor-age is not made available or disclosed to unauthorizedindividuals, entities, or processes. Access control anddata encryption have been widely deployed to protectdata confidentiality [CtLZ+14].

4.1.1 Encryption of data

Cryptography is the art of keeping message secure bychanging the data into non-readable forms [NAK16].Traditional Cryptographic Techniques Tradi-tional cryptography consists of three algorithms,Symmetric-key algorithms, Asymmetric-key algo-rithms and Hashing :

• Asymmetric cryptography is a class of crypto-graphic algorithms which requires two separate


Page 28International Conference on Advanced Aspects of Software EngineeringICAASE, December, 01-02, 2018

keys, one of which is secret (or private) and one ofwhich is public. Although different, the two partsof this key pair are mathematically linked. Thepublic key is used to encrypt plaintext or to ver-ify a digital signature; whereas the private key isused to decrypt cipher text or to create a digitalsignature [ZAH+15].

• Symmetric-key algorithms are a class of algo-rithms for cryptography that use the same crypto-graphic keys for both encryption of plaintext anddecryption of cipher text. The keys may be identi-cal or there may be a simple transformation to gobetween the two keys. The keys, in practice, rep-resent a shared secret between two or more partiesthat can be used to maintain a private informa-tion link [ZAH+15].

• A hash function takes a data of variable lengthand produces a data of fixed length. It producessmall and static length data which is unique foreach data. The hash code is also specified as mes-sage digest or Hash value. Any kind of changeto any bits in the data consequences in a hugealteration to the hash code [PPPS17].

Advanced Cryptographic Techniques In thebeginning of the Cloud Computing, common encryp-tion Technique like Public Key Encryption was ap-plied. This traditional technique does not provide ex-pected result as it support one to one encryption typecommunication [RDD15].

• Searchable Encryption: A searchable encryptionscheme is applied at high level in order to encryptthe content that is available in search index sothat it can hidden from others except the partythat provide the authorised tokens.

• Homomorphic Encryption: the Homomorphic en-cryption scheme allows executing computationson the encrypted data. It is only of the advancedcryptographic technique. It has a slow processingtime during computation.

• Identity based Encryption: In Identity Based En-cryption, an identity of the user plays a vital role.The sender who sends the message only needs toknow the receivers identity attribute in order tosend the encrypted messages. However, key revo-cation is not achieved in Identity Based Encryp-tion.

• Attribute-based Encryption: Attribute-based En-cryption come up with access control. In At-tribute Based Encryption, data owner uses a set

of attributes to encrypt the data and only the au-thorized users who has the predicted or certainattributes can decrypt the data.

4.1.2 Identity and Access Management (IAM)

IAM remains one of the greatest challenges in cloudcomputing, IAM refers to the processes, technologies,and policies that manage access of identities to digitalresources and determine what authorization identitieshave over these resources [EO16].Identity Management (IdM) is the process of cre-ating, managing, and using identities, and the infras-tructure that provides support for these processes. InIdM, each person or application is identified by a cre-dential, which represents a set of attributes, issued bya reliable source [JCC17]

• Identity in the Cloud Model: identity providerand service provider merge also in this model.This means for the cloud case that the cloud ser-vice provider, which hosts the application, is alsoresponsible for the identity management [BTK14].Figure 4 illustrates this model.

Figure 4: The Identity in the Cloud Model

• Identity to the Cloud Model: Also in this model,the identity provider takes over the tasks regard-ing identity management for the service provider.However, the main difference in this model is thatthe service provider and its applications are cloud-based [BTK14].Figure 5 illustrates this model.

Figure 5: The Identity to the Cloud Model



• Identity from the Cloud Model: The identity fromthe cloud model fully features the cloud comput-ing paradigm. In this case, both the cloud appli-cation and the identity provider are operated inthe cloud. However, in contrast to the Identityin the Cloud-Model both entities are operated bydistinct cloud service providers [BTK14]. Figure6 illustrates this model.

Figure 6: The Identity from the Cloud Model

• Cloud Identity Broker Model: The cloud iden-tity broker model can be seen as an exten-sion to the Identity from the Cloud-Model. Inthis Cloud Identity Broker-Model, the identityprovider in the cloud acts now as an identity bro-ker in the cloud. In other words, the cloud iden-tity broker is some kind of hub between one ormore service providers and one or more identityproviders[BTK14].Figure 7 illustrates this model.

Figure 7: The Cloud Identity Broker Model

• Federated Cloud Identity Broker Model: Thefederated cloud identity broker model combinesthe traditional federated identity model with thenewly Cloud Identity Broker-Model. This com-bined model aims on eliminating the drawbacksof the central Cloud Identity Broker-Model. Thegeneral architecture is illustrated in Figure 8,showing the federation of two different cloud iden-tity brokers. Compared to the simple Cloud Iden-tity Broker- Model, in this federated model usersand service providers do not need to rely on oneand the same identity broker. Actually, both theuser and the service provider can rely on the in-dividual broker of their choice[BTK14].

Figure 8: The Federated Cloud Identity Broker Model

Access Control Access control has been one of thekey mechanisms to protect data confidentiality in tra-ditional data networks. It is designed to block unau-thorized users and malicious hackers from accessingdata [CtLZ+14]:

• Attribute-Based Access Control (ABAC): it isbased in attribute-based encryption (ABE).InABAC model, access is granted based on at-tributes of the user. When applied to cloud stor-age, access control is enforced on data encryptedusing ABE schemes. In an ABE system, a userskeys and ciphertexts are labeled with sets of de-scriptive attributes. A particular key can decrypta particular ciphertext only if there is a matchbetween the attributes of the ciphertext and theusers key [CtLZ+14].

• Role Besed Access Controle(RBAC): has alsobeen commonly adopted in traditional storagesystem in order to simplify management of per-missions. Its access policy is determined based



on different roles assigned to users by the system,while the data owner can specify a set of permis-sions of their data to different roles. By separationthe tasks of role assignment and permission as-signment, RBAC is much more efficient and scal-able compared to other access control based onindividual users, because the number of roles areusually significantly less than the number of users[CtLZ+14] .

4.2 Data Protection

A number of different techniques and mechanisms havebeen proposed and designed for cloud data integrityverification process. The mainstream of research inthis field belongs to POR and Provable Data Posses-sion (PDP). The two methods originally emerged witha similar concept but different approaches [CtLZ+14].These techniques allow detecting data integrity dam-ages without requiring a copy of the user local data.The idea was to encode the protocol with the data be-fore storing it[FVRG14].Provable Data Possesion (PDP):In this client pre-computes tags for each block of a file. Then stores thefile and its tags with a server. Later the client canverify that the server possesses the file by generatinga random challenge against a randomly selected set offile blocks. Using the queried blocks and their corre-sponding tags, the server generates a proof of posses-sion. The client is thus convinced of data possession,without actually having to retrieve file blocks [CGB14]Proof of Retrievability (PoR):In this scheme ,firstfile is divided into blocks and then encoded with errorcorrecting codes. Then check blocks called sentinelsare embedded for each block. Encryption is performedto make check blocks indistinguishable from other fileblocks. The verifier challenges the prover by specifyingthe positions of a collection of sentinels. The proverreturns the respective sentinels. If prover has modi-fied or deleted a substantial portion of file, then withhigh probability , it will have also suppressed a num-ber of sentinels. Using error correcting code file canbe recovered. otherwise it is tampered [CGB14].

4.3 Cloud Storage Availability

Availability refers to the system uptime and thesystem capability to operate continuously. Differenttechniques can be implemented to increase the systemavailability [WMF17].In the cloud data is stored usingRAID (Redundant Array of Independent Disk). Itprovide way to store same data in different places inmultiple disk (Redundantly) [Gor16].RAID Features in Data StorageRAID is a technology that combines independentphysical disk drives into a single hard drive for the

purpose of read/write speed improvement or reliabil-ity of stored data enhancement, or both . There are 2implementations of RAID [MPNL16]:Hardware RAID requires a RAID controller thatcontrols Input/Output. Hardware RAID is used forhost servers. It is high-performance yet expensive.Software RAID: The operating system controlsInput/Output. Software RAID is implemented oncomputers to boost the performance with low-costsolution.RAID LevelsRAID uses many different architecture called levels,each level have a different scenario of disk and storagetechnique, depending on the balance between faulttolerance and performance. In cloud architecturelevels of RAID describe how data distributed acrossthe drives, there are 7 levels of RAID with differentfeatures, established on two basis levels RAID 0 andRAID 1 [MPNL16].RAID 0: RAID 0 consists of at least 2 similar disks,which creates an array of n disks (n ≥ 2). Data issplit up evenly and get written across all devices inthe array. Each disk stores 1/n data. The size of thearray is the size of the smallest drive multiples thenumber of drives . Advantages: Read/Write transferrate enhancement: Each disk has to Read/Write 1/nof the data. Theoretically, performance is n timeshigher. Disadvantages: Lower reliability. If one drivefails, all data in RAID 0 array is lost. Data loss rate ofRAID 0 array is n times higher than the single-disks.Figure 9 shows the RAID 0 model.

Figure 9: RAID 0 Storage Level

RAID 1: This is the simplest RAID level thatprovides data reliability. Like RAID 0, RAID 1requires at least 2 drives to operate. Data are storedtwice in 2 drives (Mirroring). If one disk fails, theother will continue to operate. Therefore, brokendrive can be replaced without any worry of dataloss. RAID 1 is not high-performance; however, itis essential for administrations and individuals thatmanage important data. An RAID 1 array capacity isthe size of a single drive. Figure 10 shows the RAID1 model.




RAID 10: RAID 10 combines the approaches ofRAID 1 and RAID 0. It requires a minimum of4 drives to set up an RAID 10 array. Data arewritten on 4 drives at the same time: using Striping(RAID 0) on 2 drives, and using Mirroring (Raid1) on the two others.RAID 10 is fast and secure.Performance are improved while reliability is ensuredeven if 1 drive fails. However, RAID 10 has its dis-advantages of high cost, effective space is 1/2 of totalsize of 4 drives . Figure 11 shows the RAID 10 model.


5 Conclusion

In cloud storage systems, there is always a big concernabout data security. The guarantee of security is themain challenge for the cloud storage provider. First;they have to secure the access to the user’s data, sec-ond; they have to guarantee the integrity of this data,and then; they have to provide a continuous and per-manent access to this data. In this paper, we gavean overview of cloud storage and security. In the firststep; we provided a whole study of this service; likethe definition, it’s architecture and the different formsof this service. In the second step; we discussed theproblem of security in this service. In the last step,we summarized the cloud storage security techniqueaccording to the CIA properties of security. Table 1summirizes the cloud storage security solutions andtechniques.

Table 1: Cloud Storage Security Techniques.

Cloud Data Storage Security Techniques

Encryption

TraditionalSymmetricAsymmetricHashing

Advanced

searchableHolomorphicRole basedAttribute

IdentityandAccessManagement

IdentityManagement

Identity in the Cloud-ModelIdentity to the Cloud-ModelIdentity from the Cloud-ModelCloud Identity Broker-ModelFederated Cloud IdentityBroker-Model

AccessControl

Attribute-based accesscontrol (ABAC)Role-based access con-trol (RBAC)

IntegrityProvable Data Possesion (PDP)Proof of Retrievability (PoR)

Availability RAIDHardware RAIDSoftware RAID

References

[BTK14] Zwattendorfer Bernd, Zefferer Thomas,and Stranacher Klaus. An overview ofcloud identity management-models. In10th International Conference on WebInformation Systems and Technologies(WEBIST), pages 3–6, 2014.

[CGB14] V. Desai Charmee and Jethava Gord-han B. Survey on data integrity checkingtechniques in cloud data storage. Inter-national Journal of Advanced Researchin Computer Science and Software En-gineering, 4(12):293, December 2014.

[CS16] Prakash Chandan and Dasgupta Sura-jit. Cloud computing security analy-sis: Challenges and possible solutions.In International Conference on Electri-cal, Electronics, and Optimization Tech-niques (ICEEOT), page 3, 2016.

[CtLZ+14] Huang Chun-ting, Huang Lei, QinZhongyuan, Yuan Hang, Zhou Lan,Varadharajan Vijay, and Jay Kuo C.-C. Survey on securing data storagein the cloud. APSIPA Transactions



on Signal and Information Processing,3(2014):4,7–9, May 2014.

[EO16] Sturrus Edwin and Kulikova Olga. Iden-tity and Access Management. Encyclo-pedia of Cloud Computing, 2016.

[FVRG14] Yahya F., Chang V., Walters R.J., andWills G.B. Security challenges in cloudstorage. In IEEE 6th International Con-ference on Cloud Computing Technologyand Science, pages 1052–1054, 2014.

[Gor16] Ranvir Gorai. Deep dive into cloud com-puting. International Journal of Re-search in Engineering, Technology andScience, VI(Special Issue):4, July 2016.

[JCC17] Werner Jorge, Merkle Westphall Carla,and Becker Westphall Carlos. Cloudidentity management: a survey on pri-vacy strategies. Computer Networks,122:3–4, July 2017.

[LSMMM13] Akter Lipi, Rahman S M Monzurur,and Hasan Md. Information security incloud computing. International Journalof Information Technology Convergenceand Services (IJITCS), 3(4):18, August2013.

[MPNL16] Le Quang Minh, Huy Anh Phan,Anh Chuyen Nguyen, and Khanh DuongLe. Research on enhancing security incloud data storage. In ICTA: Interna-tional Conference on Advances in Infor-mation and Communication Technology,pages 511–512, 2016.

[MTM+12] Borgmann Moritz, Hahn Tobias, HerfertMichael, Kunz Thomas, Richter Mar-cel, Viebeg Ursula, and Vowe Sven. Onthe security of cloud storage services.Technical report, Fraunhofer Institutefor Secure Information Technology SIT,March 2012.

[NAK16] Hassan Hussein Nidal, Khalid Ahmed,and Khanfar Khalid. A survey of cryp-tography cloud storage techniques. Int.Journal of Computer Science & MobileComputing, 5(2):186, February 2016.

[PP13] O. Balbudhe Pravin and O. BalbudhePradip. Cloud storage reference modelfor cloud computing. InternationalJournal of IT, Engineering and AppliedSciences Research (IJIEASR), 2(3):83,March 2013.

[PPPS17] Parisha, Khanna Pooja, Sharma Puneet,and Rizvi Sheenu. Hash function baseddata partitioning in cloud computing forsecured cloud storage. Int. Journal ofEngineering Research and Application,7(7):3, July 2017.

[PS13] Yadav Poonam and Sujata. Security is-sues in cloud computing solution of ddosand introducing two-tier captcha. Inter-national Journal on Cloud Computing:Services and Architecture (IJCCSA),3(3):29, June 2013.

[PT11] Mell Peter and Grance Timothy. Thenist definition of cloud computing. Tech-nical report, National Institute of Stan-dards and Technology, September 2011.

[RDD15] Kirubakaramoorthi R., Arivazhagan D.,and Helen D. Survey on encryptiontechniques used to secure cloud storagesystem. Indian Journal of Science andTechnology, 36(8):2–4, December 2015.

[VMB14] Spoorthy V., Mamatha M., and San-thosh Kumar B. A survey on data stor-age and security in cloud computing.International Journal of Computer Sci-ence and Mobile Computing, 3(6):307–311, June 2014.

[WMF17] Bajaber Wejdan, AlQulaity Manahil,and S. Alotaibi Fahd. Different tech-niques to ensure high availability incloud computing. International Journalof Advanced Research in Computer andCommunication Engineering, 6(11):6,November 2017.

[YJYG14] Sun Yunchuan, Zhang Junsheng, XiongYongping, and Zhu Guangyu. Data secu-rity and privacy in cloud computing. In-ternational Journal of Distributed Sen-sor Networks, 2014:3, 2014.

[ZAH+15] Kartit Zaid, Azougaghe Ali, IdrissiH.Kamal, Marraki M.El, Hedabou M.,Belkasmi M., and Kartit A. Applyingencryption algorithm for data security incloud storage. In The International Sym-posium on Ubiquitous Networking, pages6–7, 2015.

[Zap12] Vytautas Zapolskas. Securing cloudstorage service. Master’s thesis, KTHRoyal Institute of Technology, 2012.



cloud storage and security overview - ceur-ws.orgceur-ws.org/vol-2326/paper3.pdf · web-cloud...

Documents