Auditing to Keep Online Storage Services Honest Mehul A. Shah, Mary Baker, Jeffrey C. Mogul, Ram Swaminathan BY VISHAL VERMA 1ST08CS116 SEMINAR GUIDE SREEJA E.M.

Upload: vishal-verma

Post on 22-Oct-2014


TRANSCRIPT

Page 1: Ppt

Auditing to Keep Online Storage Services Honest

Mehul A. Shah, Mary Baker, Jeffrey C. Mogul, Ram Swaminathan 

BY VISHAL VERMA 1ST08CS116

SEMINAR GUIDE SREEJA E.M.

Page 2: Ppt

INDEX

• MEANING
• CLOUD COMPUTING
• ARCHITECTURE
• INTRODUCTION
• AN EXAMPLE
• THIRD PARTY AUDITOR (TPA)
• SYSTEM AND THREAT MODEL
• A NOTE ON AUDITING
• INTERNAL VS. EXTERNAL AUDITING
• THREATS FOR AUDITS
• DESIRABLE PROPERTIES
• IMPLEMENTATION
• CONCLUSION

Page 3: Ppt

What does the title actually mean?

AUDITING TO KEEP ONLINE STORAGE SERVICES HONEST

AUDITING: The general definition of an audit is an evaluation of a person, organization, system, process, enterprise, project or product. Ex: tax audits.

ONLINE STORAGE SERVICES: These allow users to store data online. Ex: Dropbox, SkyDrive, Google Docs, ADrive.

Page 4: Ppt

CLOUD COMPUTING

• What is cloud computing?

Cloud computing is Internet ("CLOUD") based development and use of computer technology ("COMPUTING").

Cloud computing is a general term for anything that involves delivering hosted services over the Internet.

The term "cloud" is used as a metaphor for the Internet.

Page 5: Ppt

Architecture

Page 6: Ppt

INTRODUCTION

• With cloud computing, users can remotely store their data in the cloud and use on-demand, high-quality applications

• When users put their data on the cloud, protecting data integrity is challenging

• Enabling public audit for cloud data storage security is important

• Users can ask an external audit party to check the integrity of their outsourced data

Page 7: Ppt

AN EXAMPLE

[Diagram labels: PHOTOBUCKET (OSP); Alice; MiniFile Inc., Bangalore, India; Bob, Liverpool, UK; peer-to-peer network; "My Wedding Photos!"]

One day, Alice’s machine crashes, so she contacts PHOTOBUCKET

Page 8: Ppt

THIS IS WHAT SHE SEES

Page 9: Ppt
Page 10: Ppt

• Cloud computing gives flexibility to users

• Users pay as much as they use

• Users don’t need to set up the large computers

• Operation is managed by the Cloud Service Provider (CSP)

• The user gives their data to the CSP; the CSP has control of the data

• The user needs to make sure the data is correct on the cloud

• Internal (some employee at the CSP) and external (hackers) threats to data integrity

Page 11: Ppt

OBJECTIVES

• How to efficiently verify the correctness of outsourced data?
  – Simply downloading the data by the user is not practical

• The TPA can do it and provide an audit report

• The TPA should not read the data content

• The TPA should not disclose customers' info

Page 12: Ppt

System and Threat Model

• USER: The cloud user has a large amount of data files to store in the cloud.

• CLOUD SERVER: The cloud server, which is managed by the CSP, has significant data storage and computing power.

• TPA: The third party auditor has expertise and capabilities that the USER and CSP don’t have. The TPA is trusted to assess the CSP’s storage security upon request from the USER.

Page 13: Ppt

A note on auditing

What is auditing?

• The general definition of an audit is an evaluation of a person, organization, system, process, enterprise, project or product.

• Third-party auditing is an accepted method for establishing trust between business and its data.

• Auditors assess and expose risk, enabling customers to choose rationally between competing services.

Page 14: Ppt

Internal vs. external auditing

• Internal audits evaluate the structure and processes within a service to ensure that the service can continue to meet its objectives (SLAs)

• External audits evaluate the quality of service through externally available interfaces

• We need both internal and external audits of OSPs.

Page 15: Ppt

Threats for audits

• Latent faults: Many potential sources of data corruption are not immediately visible.

• Correlated faults: Correlated failures increase the risk of data loss.

• Recovery faults: Data is often more vulnerable to corruption and loss during recovery procedures.

Page 16: Ppt

Desirable properties for both internal and external audits

• Establish standards for comparison.

• Minimize auditing cost.

• Protect customer data privacy. 

• Audit results must be trustworthy. 

Page 17: Ppt

IMPLEMENTATION

EXTRACTION

For extraction, the auditor assists in returning the encrypted data and key to the customer.

VERIFICATION

During verification, the auditor must check that (a) the encrypted data is unchanged and (b) the encryption key is unchanged.

INITIALIZATION

During initialization, the storage service commits to storing the key and encrypted data after receiving these items from the customer.
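One way verification check (a) could be realised, as an added example that is not from the slides or the paper: at initialization the auditor precomputes one-time HMAC challenges over the encrypted data, then later asks the service to answer one of them. The HMAC construction and the names `Auditor`, `StorageService`, `DigestOnlyService` and `run_demo` are assumptions; check (b) on the key is not covered.

```python
import hashlib
import hmac
import secrets


class Auditor:
    """Keeps challenge/response pairs only, never the data (hypothetical design)."""

    def __init__(self, ciphertext: bytes, n_challenges: int = 4):
        # Initialization: precompute one-time challenges, then forget the data.
        self._pairs = []
        for _ in range(n_challenges):
            nonce = secrets.token_bytes(16)
            expected = hmac.new(nonce, ciphertext, hashlib.sha256).digest()
            self._pairs.append((nonce, expected))

    def audit(self, service) -> bool:
        # Verification: each nonce is used once, so an old answer cannot be replayed.
        if not self._pairs:
            raise RuntimeError("challenges exhausted; re-initialize")
        nonce, expected = self._pairs.pop()
        return hmac.compare_digest(service.respond(nonce), expected)


class StorageService:
    def __init__(self, ciphertext: bytes):
        self.blob = ciphertext

    def respond(self, nonce: bytes) -> bytes:
        # Must read the whole stored blob to answer a fresh nonce.
        return hmac.new(nonce, self.blob, hashlib.sha256).digest()


class DigestOnlyService(StorageService):
    """Models a service that dropped the data and kept only its SHA-256."""

    def respond(self, nonce: bytes) -> bytes:
        digest = hashlib.sha256(self.blob).digest()
        return hmac.new(nonce, digest, hashlib.sha256).digest()


def run_demo():
    ciphertext = secrets.token_bytes(4096)  # constructed stand-in for encrypted data
    auditor = Auditor(ciphertext)
    honest = StorageService(ciphertext)
    intact = auditor.audit(honest)
    honest.blob = honest.blob[:100] + bytes([honest.blob[100] ^ 1]) + honest.blob[101:]
    corrupted = auditor.audit(honest)
    digest_only = auditor.audit(DigestOnlyService(ciphertext))
    return intact, corrupted, digest_only
```

The auditor stores only nonces and digests, which matches the objective that the TPA should not read the data content; the number of audits is bounded by the number of precomputed pairs.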

Page 18: Ppt

Conclusion

• Our protocols detect data loss and are not vulnerable to a cheating storage service.

• In this paper, we motivate the need for auditing to support an online service-oriented economy. We highlight issues around both internal and external auditing and detail ways of auditing online storage services.

Page 19: Ppt

ADVANTAGE & DISADVANTAGE

Scalability, Flexibility, Security, Reduction of hardware costs.

Auditing of OSPs is not feasible yet. First, customers are not yet sophisticated enough to demand risk assessment. Second, OSPs do not yet provide support for third-party audits.

Page 20: Ppt
Page 21: Ppt