security of cloud storage and cloud...


Upload: hoangcong

Post on 06-May-2018


Security of Cloud Storage and Cloud Computing

Yuchen Cao

Abstract—Cloud computing is a fundamental change under way in the field of Information Technology, reflecting its trend towards intensive, large-scale and specialized operation. It brings about not only convenience and efficiency, but also great challenges to data security and privacy protection. Security is currently regarded as one of the greatest problems to be solved in the development of cloud computing. This paper describes the main security requirements and key technologies for cloud computing and cloud storage, and provides a cloud computing security framework.

Key words—cloud computing; cloud storage; cloud computing security; cloud security framework

I. INTRODUCTION OF CLOUD STORAGE AND CLOUD COMPUTING

Cloud computing and cloud storage use a complex, extensive infrastructure (hardware, platform, and software – hence the abstraction as “cloud”) to provide significant storage and computing resources to the user over a network. Depending on cloud configuration, it can be infinitely extensible and readily accessible, with minimal management effort or service provider interaction.

A good analogy for cloud computing is the electricity network. Companies use the electricity network to run their operations, and each family can enjoy cheap energy from it rather than generating power at home. Over the next decade, cloud computing will bring about a cycle similar to the development of the electricity network.

Cloud computing and cloud storage are based on, and include, distributed computing, parallel computing, utility computing, network storage, virtualization, and load balancing technologies.

A. The Hybrid Cloud Architecture

A private cloud network is located on premises; it may belong to a company, and its users are all employees of that company. A private cloud is easier to manage, more dependable, and more secure than a public cloud network, because the users of a public cloud may be all over the world. So we can use a hybrid cloud network. By utilizing "hybrid cloud" architecture, companies and individuals are able to obtain degrees of fault tolerance combined with locally immediate usability without dependency on internet connectivity. Hybrid cloud architecture requires both on-premises resources and off-site (remote) server-based cloud infrastructure. Hybrid clouds lack the flexibility, security and certainty of in-house applications [2]. Hybrid cloud provides the flexibility of in-house applications with the fault tolerance and scalability of cloud-based services.

B. How cloud storage and cloud computing work

Cloud storage means saving data to an off-site storage system maintained by a third party. Instead of storing information on your computer's hard drive or other local storage device, you save it to a remote database. The Internet provides the connection between your computer and the database.

A cloud storage system needs just one data server connected to the Internet. A client (e.g., a computer user subscribing to a cloud storage service) sends copies of files over the Internet to the data server, which then records the information. When the client wishes to retrieve the information, he or she accesses the data server through a Web-based interface. The server then either sends the files back to the client or allows the client to access and manipulate the files on the server itself [3].

As shown in Fig. 3, when you use cloud storage, the data is first partitioned into several parts, which are stored in different databases. When you check or use the data, those parts are combined again.

Cloud computing is based on cloud storage and works similarly to it, as shown in Fig. 4 and Fig. 5.

Fig. 1. The Definition of Cloud.

Fig. 2. An explanation of the deployment models of cloud. Private cloud is cloud infrastructure operated solely for a single organization. Public cloud applications, storage, and other resources are made available to the general public by a service provider. These services are free or offered on a pay-per-use model. Hybrid cloud is a composition of two or more clouds (private, community or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models. [1]

II. THREATS FACING CLOUD STORAGE AND CLOUD COMPUTING

Another analogy to cloud computing services is the water supply service of a supply company.

Originally, each family dug its own well, repaired its own water tower, and was responsible for its own water security issues, for example avoiding contamination and preventing others from stealing water. But now we use the water supply services of water companies. The companies have to protect the whole system, manage a great many users, and keep the whole system safe.

Because this system is so large and complex, this is very difficult. So we can say that cloud storage and cloud computing bring about not only convenience and efficiency, but also great challenges to data security and privacy protection.

There are seven threats facing cloud storage and cloud computing [9]. They are:

Threat #1: Abuse and Nefarious Use of Cloud Computing.
Threat #2: Insecure Interfaces and APIs.
Threat #3: Malicious Insiders.
Threat #4: Shared Technology Issues.
Threat #5: Data Loss or Leakage.
Threat #6: Account or Service Hijacking.
Threat #7: Unknown Risk Profile.

Because of the changes from the traditional network to the cloud network, the use of new technology, and new rules of management, a cloud network carries more security risks than ever before. In detail, the following risks face cloud storage and cloud computing.

A. Changes in the data flow model

In a traditional data center, the data flow model is relatively simple:

The baseline traffic rates and burst patterns of the various applications follow known rules; even in a larger data center, protection can still be targeted at Web application servers according to their importance;
Security equipment performs traffic inspection in accordance with the established security policy.

In the public cloud computing environment:

In a cloud computing center, tens of thousands of similar servers work together as a unit;
The equipment goes from scattered to highly concentrated, which puts the performance of security equipment under pressure;
The equipment is unable to divide the traffic and govern it under separate rules, which places high performance requirements on security equipment and poses new challenges, especially in DDoS attack detection and prevention.

B. Virtual operating systems

Virtual operating systems have loopholes and flaws. They are prone to inter-virtual-machine data leaks through hacking attacks, or even to infiltration or takeover of the master operating system [8].

Because cloud computing provides its various services on a highly integrated pool of storage and server resources, allocating computing and storage resources according to need, it brings unprecedented risk to data security.

Fig. 3. How cloud storage works

Fig. 4. How cloud computing works

Fig. 5. How cloud computing works

C. The risk of diversified identity management

In traditional networks, identity management for using an application comes from a single source. In a cloud network, however, there are multiple identity providers, so the standards for authentication credentials and the issuing authorities are diverse. Because all of those providers and their different standards work together, the identity management system becomes disordered.

D. The risk of an uncertain security boundary

In traditional data center security protection, an important principle is "boundary-based security isolation and access control", with a strong emphasis on "differentiated security strategies for different security zones". These measures depend heavily on "clear regional boundaries between each area".

In a cloud computing environment, virtualization, cloud terminals and cloud desktops blur the boundary. Storage and computing resources are highly integrated, boundaries become disordered, and the boundary at which security equipment is deployed has disappeared.

In the cloud environment, the security risk of this boundary problem shows in the following aspects:

1. The position of the access control enforcement point is uncertain.
2. The risk that security equipment is bypassed increases.
3. The detection effectiveness of security devices may be greatly reduced.

III. CLOUD PLATFORM SECURITY FRAMEWORK SUGGESTIONS

To solve cloud computing security issues, it is imperative to establish a comprehensive framework that addresses those security threats, and to research the key technologies of this framework [4]. In this section, I provide a cloud platform security framework.

A. Cloud client security objectives

The cloud user's primary security objective is data security and privacy protection. The main concern is to prevent cloud service providers from maliciously disclosing or selling users' private information, or from collecting and analysing user data to mine users' private data: for example, analysing a user's potential profit model, or inferring from the exchange of information between two companies that they may be cooperating.

Data security and privacy protection cover every stage of the user data life cycle (creation, storage, use, sharing, archiving, destruction and so on) and involve cloud service providers at all levels that participate in the service. The cloud user's other important demand is security management: provided that other users' privacy is not leaked and the cloud service's trade secrets are not involved, users should be allowed to obtain security configuration information and running state information, and to some degree be allowed to deploy their own special security management software.

B. Cloud computing security service system

The cloud computing security service system is composed of a series of cloud security services, and is the important technical means of achieving the cloud user's security objectives [5]. According to their different levels, cloud security services can be further divided into trusted cloud infrastructure services, cloud security basic services and cloud security application services.

1. Secure cloud infrastructure services

Cloud infrastructure services provide upper-layer cloud applications with secure data storage, computation and other IT resource services, and are the foundation of the security of the whole cloud computing system [7]. Here, security has two aspects of meaning:

The first is the ability to withstand attacks from external hackers.
The second is the ability to prove that the platform cannot damage user data and applications.

On the one hand, the cloud platform should analyse the security issues faced by traditional computing platforms and take comprehensive, strict security measures. For example, at the physical layer it should consider plant safety; at the storage layer, integrity and file/log management, data encryption, backup and disaster recovery; at the network layer, denial-of-service attacks, DNS security, network reachability, and data transmission confidentiality; the system layer should cover virtual machine security, patch management and system user identity management; the data layer includes database security, data privacy and access control, and data backup and cleaning; and the application layer should consider program integrity testing and vulnerability management.

On the other hand, the cloud platform should prove to users that it has some degree of data privacy protection ability. For instance, storage services should show that user data is stored in encrypted form, and computing services that user code runs in protected memory. Because users' security needs differ, the cloud platform should be able to provide cloud infrastructure services at different security levels.

Fig. 6. The Cloud Platform Security Framework

2. Cloud security basic services

Cloud security basic services belong to the cloud basic software service layer. They provide common information security services for all types of cloud applications and support cloud applications in meeting users' security goals. Several typical and important cloud security services are:

(1) Cloud user identity management services. These mainly involve identity provisioning, identity cancellation and the identity authentication process. In the cloud environment, identity federation and single sign-on let cooperating enterprises share user identity information and authentication services more conveniently, and reduce the overhead of repeated authentication. But the identity federation management process must protect the privacy of the user's digital identity. Because digital identity information may be shared between multiple organizations, security management at each stage of its life cycle is more challenging, and federation-based identity authentication in the cloud computing environment also has higher security requirements.

(2) Cloud network access control service. Implementing a cloud access control service depends on how to properly extend and port traditional access control models (such as role-based access control, attribute-based access control, and mandatory/discretionary access control) and the various authorization policy language standards (such as XACML and SAML) into the cloud environment. In addition, as the compatibility and composability of the resource services provided by the enterprises in the cloud increase day by day, combined authorization is also an important problem that the security framework of a cloud access control service needs to consider.

(3) Cloud audit service. Because users lack security management and proof capabilities, establishing liability for a security incident requires the service provider to provide the necessary support. Therefore third-party audit becomes even more important. A cloud audit service must provide all the evidence needed to satisfy the list of audit events, together with proof of the credibility of that evidence. Of course, so that the evidence does not disclose other users' information, specially designed data and evidence collection methods are needed. In addition, cloud audit services are an important way to ensure that cloud services meet various compliance requirements.

(4) Cloud password service (that is, a cryptographic service). Because cloud users widely need data encryption operations, the emergence of a cloud password service is natural. In addition to the most typical encryption algorithm services, the key management and distribution, certificate management and distribution and so on that cryptographic operations need can all exist as basic cloud security services. A cloud password service not only simplifies the design and implementation of cryptographic modules for users, but also makes the use of cryptographic techniques more centralized and standardized, and easier to manage.

3. Cloud security application service

Cloud security application services are closely tied to users' demands and come in many varieties [5,6]. Typical examples are DDoS attack protection cloud services, botnet detection and monitoring cloud services, cloud web filtering and antivirus applications, content security cloud services, security event monitoring and early warning cloud services, and cloud spam filtering and control.

Traditional network security technology is limited in defensive capability, response speed and system scale, and struggles to meet increasingly complex security needs; the advantages of cloud computing can greatly make up for this shortage. Cloud computing provides very large-scale computing power and mass storage, which can significantly improve the performance of security incident collection, correlation analysis and virus prevention, and can be used to build large-scale security event information processing platforms that improve the grasp of the overall security situation.

In addition, collecting security events with the distributed processing power of massive numbers of terminals and sending them to a cloud security center for analysis greatly improves the capacity for collecting security incidents and responding to them in a timely manner.

IV. CLOUD COMPUTING SECURITY KEY TECHNOLOGY

A. Reliable access control

In the cloud computing model, service providers cannot be trusted to faithfully implement user-defined access control policies, so researchers are concerned with how to control access to data objects through non-traditional access control. Most attention goes to cryptography-based access control methods, including:

Access control based on hierarchical key generation and distribution strategies [10,11];
Methods that use attribute-based encryption (such as key-policy attribute-based encryption (KP-ABE) [12] or ciphertext-policy attribute-based encryption (CP-ABE) [13]) and embed an access control tree in the user key or the ciphertext [14-16];
Methods based on proxy re-encryption [17].

Privilege revocation is an important issue facing cryptography-based schemes. A basic solution is to set an expiration time for user keys, so that every certain period of time users update their private key from the certificate [18].

Reference [19] introduces, as an improvement, an online semi-trusted third party that maintains an authorization list, and reference [20] achieves revocation of a specific user's privileges based on the user's unique ID attribute and a NOT-gate structure.

However, the above methods still leave many problems to be solved, such as time-constrained authorization and restricted delegation of authority.
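The two ideas above, hierarchical key generation and revocation by key expiry, can be combined in a simple HMAC key tree. This is an added example, not code from the paper or from the schemes in [10,11,18]; `Grant`, `key_for_path`, `key_check_value` and the `epoch:`/`node:` labels are hypothetical names, and the root key is a constructed sample.

```python
import hashlib
import hmac


def derive_child(parent_key: bytes, label: str) -> bytes:
    """One-way step down the hierarchy: child = HMAC-SHA256(parent, label)."""
    return hmac.new(parent_key, label.encode("utf-8"), hashlib.sha256).digest()


def split_path(path: str) -> list:
    """'/finance/payroll' -> ['finance', 'payroll']; '/' -> []."""
    return [part for part in path.split("/") if part]


def key_for_path(root_key: bytes, epoch: int, path: str) -> bytes:
    """Data owner's view: the key of any node for one validity period (epoch)."""
    key = derive_child(root_key, f"epoch:{epoch}")
    for part in split_path(path):
        key = derive_child(key, "node:" + part)
    return key


def key_check_value(node_key: bytes) -> str:
    """Short public fingerprint stored beside an object, so a client can tell
    whether it derived the right key before trying to decrypt."""
    return hmac.new(node_key, b"key-check", hashlib.sha256).hexdigest()[:16]


class Grant:
    """What the owner hands to a user: the key of one subtree for one epoch."""

    def __init__(self, root_key: bytes, epoch: int, path: str):
        self.epoch = epoch
        self.path = split_path(path)
        # Only the subtree key is stored; the root key itself is never shared.
        self.key = key_for_path(root_key, epoch, path)

    def key_for(self, target_path: str, epoch: int) -> bytes:
        """Derive a descendant's key. The checks only give clear errors; the
        real enforcement is that HMAC cannot be run upward or sideways."""
        if epoch != self.epoch:
            raise PermissionError("grant does not cover this epoch")
        target = split_path(target_path)
        if target[:len(self.path)] != self.path:
            raise PermissionError("target is outside the granted subtree")
        key = self.key
        for part in target[len(self.path):]:
            key = derive_child(key, "node:" + part)
        return key


def demo() -> dict:
    root = bytes(range(32))  # constructed sample root key, not a real secret
    grant = Grant(root, epoch=5, path="/finance")
    derived = grant.key_for("/finance/payroll/2024", epoch=5)
    return {
        "descendant_matches_owner":
            derived == key_for_path(root, 5, "/finance/payroll/2024"),
        "epoch5_check_value": key_check_value(derived),
        "epoch6_check_value":
            key_check_value(key_for_path(root, 6, "/finance/payroll/2024")),
    }


if __name__ == "__main__":
    print(demo())
```

Revocation in this sketch means the owner moves protected objects to the next epoch and simply does not issue the revoked user a grant for it; the untrusted provider never needs to enforce anything.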

B. Identification And Access Management

Unified identity management of multiple identity sources;
Authorization management binding identity, permissions and virtual resources;
Authentication technology across identity sources within the data center and across administrative domains;
A unified management model for authentication credentials;
Certificate cross-certification technology.

1. Single sign-on technology

End users accessing the various applications of the cloud computing center do not need to authenticate multiple times. Technical solution: the user is authenticated by the authentication service, which uses cryptographic techniques to issue a SAML assertion, a temporary certificate that carries the identity and identity information and is used for authentication across multiple applications.

Single sign-on (SSO) is a property of access control of multiple related, but independent software systems [21]. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. Conversely, single sign-off is the property whereby a single action of signing out terminates access to multiple software systems.

As single sign-on provides access to many resources once the user is initially authenticated ("keys to the castle"), it increases the negative impact in case the credentials are available to other persons and misused. Therefore, single sign-on requires an increased focus on the protection of the user credentials, and should ideally be combined with strong authentication methods like smart cards and one-time password tokens.

2. Federated Identity Management

Federated identity management builds on single sign-on. Identity federation addresses the concern of “securely” managing identities, enabling the organization to share employee identity information with the Cloud Service Provider (CSP) or any other resource over the Internet.

This allows the organization to boost their control over “who” has access to “what” information and resources, regardless of where those resources reside. Federated identity management improves security by controlling access on an operation base and providing a detailed audit trail.

A user inside the enterprise attempts to access a claims-aware application that’s deployed in a private cloud. This situation is common nowadays as more applications are becoming claims-aware and the private cloud is becoming popular in large organizations [22].

Fig. 8. Federated Identity Management in a private cloud

1. The application needs identity information for the user.

2. The application triggers or initiates either a web service call or an HTTP redirect through the browser to ask for a token from an STS.

3. The STS responds to the request, returning the token to the application.

In a public cloud, users in the identity provider’s enterprise need to seamlessly access applications deployed in the public cloud.

Fig. 9. Federated Identity Management in a hybrid cloud
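The single sign-on and STS token flow described above turns on what each application checks before it trusts an assertion. The following is an added example, not code from the paper or from any SAML library: it models the assertion as signed JSON with a per-application HMAC key standing in for SAML's XML signature, and all class names, claim names and keys are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class TokenError(Exception):
    """Raised by a relying party that refuses an assertion."""


class SecurityTokenService:
    """Hypothetical STS: issues short-lived assertions after one login."""

    def __init__(self, issuer, app_keys, lifetime_s=300):
        self.issuer = issuer
        self.app_keys = app_keys  # audience -> key shared with that app only
        self.lifetime_s = lifetime_s

    def issue(self, subject, audience, now=None):
        now = int(time.time()) if now is None else now
        claims = {
            "iss": self.issuer, "sub": subject, "aud": audience,
            "id": secrets.token_hex(16),  # unique id, used for replay detection
            "nbf": now, "exp": now + self.lifetime_s,
        }
        body = base64.urlsafe_b64encode(
            json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.app_keys[audience], body, hashlib.sha256).hexdigest()
        return body.decode() + "." + sig


class RelyingParty:
    """An application that accepts assertions from one trusted issuer."""

    def __init__(self, name, trusted_issuer, key, skew_s=30):
        self.name = name
        self.trusted_issuer = trusted_issuer
        self.key = key
        self.skew_s = skew_s
        self.seen = {}  # assertion id -> expiry time

    def accept(self, token, now=None):
        now = int(time.time()) if now is None else now
        try:
            body, sig = token.split(".")
        except ValueError:
            raise TokenError("malformed token")
        # Verify the signature before parsing anything the sender controls.
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            raise TokenError("bad signature")
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["iss"] != self.trusted_issuer:
            raise TokenError("untrusted issuer")
        if claims["aud"] != self.name:
            raise TokenError("wrong audience")
        if now + self.skew_s < claims["nbf"] or now - self.skew_s >= claims["exp"]:
            raise TokenError("outside validity window")
        # Forget ids that can no longer pass the window check, then test replay.
        self.seen = {i: e for i, e in self.seen.items() if e + self.skew_s > now}
        if claims["id"] in self.seen:
            raise TokenError("replayed assertion")
        self.seen[claims["id"]] = claims["exp"]
        return claims


def verdict(rp, token, now):
    """Return 'accepted' or the reason the relying party refused."""
    try:
        rp.accept(token, now)
        return "accepted"
    except TokenError as err:
        return str(err)


if __name__ == "__main__":
    keys = {"payroll": b"p" * 32, "wiki": b"w" * 32}  # constructed sample keys
    sts = SecurityTokenService("https://sts.example", keys)
    payroll = RelyingParty("payroll", "https://sts.example", keys["payroll"])
    token = sts.issue("alice", "payroll", now=1000)
    print(verdict(payroll, token, 1010), "/", verdict(payroll, token, 1020))
```

Because each application has its own key, an assertion captured at one application is useless at another, which limits the "keys to the castle" impact the text warns about.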

C. Protecting data during transmission

Data transmission uses end-to-end data encryption technology to ensure that important information is not intercepted, eavesdropped on or tampered with. Encryption technology is used at all levels of the network protocol stack, with encryption protocols such as IPsec and SSL implementing the encrypted transmission.

Fig. 7. Single sign on

Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session [23]. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session, and negotiation of the encryption keys to be used during the session. Based on IPsec, we can establish a VPN.

A virtual private network (VPN) extends a private network and the resources contained in the network across public networks like the Internet [24].

The connection between any two nodes of a VPN has no traditional end-to-end physical private link. Instead, it is a logical network built on a network platform provided by a public network service, such as the Internet, ATM (Asynchronous Transfer Mode) or Frame Relay (FR), and user data is transmitted over the logical link. It extends the private network through encapsulated, encrypted and authenticated links across shared or public networks. VPN mainly uses tunneling technology, encryption and decryption, key management and identity authentication technology.

D. Protecting data in storage

Distributed storage encryption technology, data backup and disaster recovery technology. Available encryption technologies are:

(1) File-based encryption technology.
(2) Encrypted storage technology based on virtual storage media, including virtual volume, virtual disk, virtual resources (MapReduce).
(3) Encrypted storage based on physical media: IDE, SATA.
(4) Network-based encrypted storage: SAN, NAS.

E. Virtual security technology

Virtualization technology is the core technology for implementing cloud computing and cloud storage. Cloud providers whose cloud computing platform architecture uses virtualization technology need to provide security guarantees and isolation to their clients.

Reference [25] puts forward isolation enforcement mechanisms in a grid environment based on virtual machine technology.

Reference [26] is concerned with the security of image files in virtual machines. Each image file corresponds to a client application. The image files must have high integrity and a secure sharing mechanism. The Image File Management System in [26] implements image file access control, source tracking, filtering and scanning, etc. It can detect and repair security problems.

V. CONCLUSION

This paper provides a cloud security framework and describes the services and objectives of this framework. It then describes some of the key technologies that will be used in this framework, such as reliable access control, federated identity management, IPsec and VPN for protecting data during transmission, protecting data in storage, and virtual security technology.

But each of those technologies is a solution to just one part of this framework. The solution to the security of cloud storage and cloud computing is the whole framework, with all the technologies in different aspects working together.

Fig. 10. Protecting data during transmission

Fig. 11. Virtual private network (VPN)

Fig. 12. Cloud Platform Security Framework

REFERENCES

[1] NIST, “The NIST Definition of Cloud Computing”, Available: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

[2] Stevens, Alan (June 29, 2011). "When hybrid clouds are a mixed blessing". The Register. Retrieved March 28, 2012.

[3] Jonathan Strickland, How Cloud Storage Works, Available: http://computer.howstuffworks.com/cloud-computing/cloud-storage.htm

[4] Zissis, Dimitrios; Lekkas (2010). "Addressing cloud computing security issues". Future Generation Computer Systems. doi:10.1016/j.future.2010.12.006.

[5] Wikipedia, “Application security”, Available: http://en.wikipedia.org/wiki/Application_security#cite_note-patternsbook-1

[6] Microsoft Corporation, “Improving Web Application Security: Threats and Countermeasures”, Available: http://msdn.microsoft.com/en-us/library/ms994920.aspx#

[7] Wikipedia, Cloud computing security, Available: http://en.wikipedia.org/wiki/Cloud_computing_security#cite_ref-9

[8] Winkler, Vic. "Cloud Computing: Virtual Cloud Security Concerns". Technet Magazine, Microsoft. Retrieved 12 February 2012.

[9] Chow R, Golle P, et al. Controlling data in the cloud: Outsourcing computation without outsourcing control. In: Proc. of the 2009 ACM Workshop on Cloud Computing Security. 2009. 85-90.

[10] Crampton J, Martin K, Wild P. On key assignment for hierarchical access control. In: Proc. of the 19th IEEE CSFW 2006. Venice, 2006. 98-111.

[11] Damiani E, et al. An experimental evaluation of multi-key strategies for data outsourcing. In: Proc. of the 22nd IFIP TC-11 Int’l Information Security Conf. South Africa, 2007.

[12] Goyal V, Pandey A, Sahai A, Waters B. Attribute-Based encryption for fine-grained access control of encrypted data. In: Proc. of the ACM Conf. on Computer and Communications Security. 2006. 89-98.

[13] Bethencourt J, Sahai A, Waters B. Ciphertext-Policy attribute-based encryption. In: Proc. of the IEEE Symp. on Security and Privacy. 2007. 321-334.

[14] Malek B, Miri A. Combining attribute-based and access systems. In: Proc. of the 2009 Int’l Conf. on Computational Science and Engineering. 2009. 305-312.

[15] Ostrovsky R, Sahai A, Waters B. Attribute-Based encryption with non-monotonic access structures. In: Proc. of the 14th ACM Conf. on Computer and Communications Security. Alexandria, 2007. 195-203.

[16] Yu S, Ren K, Lou W, Li J. Defending against key abuse attacks in KP-ABE enabled broadcast systems. In: Proc. of the SECURECOMM 2009. 2009.

[17] Chang YC, Mitzenmacher M. Privacy preserving keyword searches on remote encrypted data. Report 2004/051. Cryptology ePrint Archive, 2004. http://eprint.iacr.org/2004/051/

[18] Boneh D, Franklin M. Identity-Based encryption from the weil pairing. Advances in Cryptology-Crypto. 2001. 213-229.

[19] Ibraimi L, Petkovic M, et al. Ciphertext-Policy attribute-based threshold decryption with flexible delegation and revocation of user attributes. 2009.

[20] Roy S, Chuah M. Secure data retrieval based on ciphertext policy attribute-based encryption (CP-ABE) system for the DTNs, 2009.

[21] Wikipedia. Single sign-on, Available: http://en.wikipedia.org/wiki/Single_sign-on

[22] RESEARCHER'S BLOG, "FEDERATED IDENTITY MANAGEMENT IN CLOUD COMPUTING.", Available: http://clean-clouds.com/2012/04/25/federated-identity-management-in-cloud-computing-2/

[23] Wikipedia, Internet Protocol Security (IPsec), Available: http://en.wikipedia.org/wiki/IPsec

[24] Wikipedia, Virtual private network, Available: http://en.wikipedia.org/wiki/Virtual_private_network

[25] Elangop S, Dusseauaetal A. Deploying virtual machines as sandboxes for the grid. In: Proc. of the 2nd Workshop on Real Large Distributed Systems. San Francisco, 2005. 7-12.

[26] Wei J, Zhang X, Ammons G, Bala V, Ning P. Managing security of virtual machine images in a cloud environment. In: Proc. of the 2009 ACM Workshop on Cloud Computing Security. 2009. 91-96.