INTERNATIONAL CONFERENCE ON CURRENT INNOVATIONS IN ENGINEERING AND TECHNOLOGY
ISBN: 378 - 26 - 138420 - 5
Secure data storage against attacks in cloud Environment using Defence in Depth 1
Naresh.G
(Audisankara College Of Engineering And Technology)
Abstract-
Cloud
computing
is
emerging
organizations. The outsourced storage makes
technology which offers various services with
shared data and resources much more accessible
low cost and flexible manner. One of the most
as users can access from anywhere.
important service models is Data Storage as a On the other hand, security remains the
Service (DaaS) in which user can remotely store
important issue that concerns privacy of users. A
their data and enjoy the on demand access using
major challenge for any comprehensive access
high quality application. Cloud computing faces
control solution for outsourced data. And have
many devastating problems to ensure the proper
the ability to handle the user requests for
physical, logical and personnel security controls.
resources according to the specified security
While moving large volumes of data and
policies. Several solutions have been proposed
software, the management of the data and
in the past, but most of them don’t consider
services may not be fully trustworthy. In this
protecting privacy of the policies and user access
paper, we mainly focus on the security features
patterns.
of data storage in the presence of threats and attacks and solutions. The paper also proposes
In this paper we address the main aspects related
an effective and flexible distributed scheme with
to security of cloud storage. It presents an
two silent features opposing to its predecessors.
attempt to propose an effective and flexible
Index
terms-
Cloud
Computing,
security policy and procedure explicit to
storage
enhance the Data storage security in the cloud.
correctness, Data Storage as a Service. I.
II. THREATS AND ATTACKS FROM STORAGE
INTRODUCTION
PERSPECTIVES Cloud computing is the delivery of the While the benefits of storage networks have
computing as a service rather than a product,
been widely acknowledged, consolidation of
whereby widely shared resources, software and
enterprise data on networked storage poses
information are provided to IT industry over a
significant security risks. Hackers adept at
network. Cloud can be classified as public,
exploiting network-layer vulnerabilities can now
private or hybrid‌etc. meanwhile, the emerging
explore deeper strata of corporate information
trend of outsourcing data storages at third parties attention from both research and industry
INTERNATIONAL ASSOCIATION OF ENGINEERING & TECHNOLOGY FOR SKILL DEVELOPMENT
326
www.iaetsd.in
INTERNATIONAL CONFERENCE ON CURRENT INNOVATIONS IN ENGINEERING AND TECHNOLOGY
Following is brief listings of some major drivers
III. SYSTEM DESIGN
to implementing security for networked storage
a) System Model
ISBN: 378 - 26 - 138420 - 5
from perspectives of challenging threats and Cloud networking can be illustrated by three
attacks:
different network entities: o
Perimeter
defence
strategies
focus
on User: who have data to be stored in the cloud
protection from external threats. With the
and rely on the cloud for data computation,
number of security attacks on the rise,
consist of both individual consumers and
relying on perimeter defence alone is not
organizations?
sufficient to protect enterprise data, and a
o
single security breach can cripple a business
Cloud Service Provider
[7].
significant resources and expertise in building
The number of internal attacks is on the rise
and managing distributed cloud storage servers,
thereby threatening NAS/SAN deployments
owns and operates live Cloud Computing
that are part of the “trusted” corporate
systems.
(CSP): who
has
networks [8]. Reports such as the CSI/FBI’s Third Party Auditor (TPA): who has expertise
annual Computer Crime & Security Survey
and capabilities that users may not have, is
help quantify the significant threat caused by
trusted to assess and expose risk of cloud storage
data theft o
services on behalf of the users upon request.
The problem of incorrectness of data storage in the cloud
o
b) Adversary Model
The data stored in the cloud may be updated There are two different sources for Security
by the users, including insertion, deletion,
threats faced by cloud data storage.
modification, appending, reordering, etc. o
Individual user’s data is redundantly stored
1. CSP can be self-interested, un-trusted and
in multiple physical locations to further
possibly malicious.
reduce the data integrity threats. o
It may move data that is rarely accessed to a
Moreover, risks due to compromised storage
lower tier of storage for monetary reasons,
range from tangible loss such as business
but
discontinuity in the form of information
o
It may hide a data loss incident due to
downtime, to intangibles such as the loss of
management errors, Byzantine failures and
stature as a secure business partner. With the
so on.
number of reported security attacks on the rise, a firm
understanding
of
networked
2. Economically motivated adversary, who has
storage
the capability to compromise a number of cloud
solutions is a precursor to determining and
data storage servers in different time intervals
mitigating security risks.
and subsequently is able to modify or delete
INTERNATIONAL ASSOCIATION OF ENGINEERING & TECHNOLOGY FOR SKILL DEVELOPMENT
327
www.iaetsd.in
INTERNATIONAL CONFERENCE ON CURRENT INNOVATIONS IN ENGINEERING AND TECHNOLOGY
ISBN: 378 - 26 - 138420 - 5
Layer – 1 Devices on the Storage Network
users 'data while remaining undetected by CSPs for a certain period.
The following risk-mitigation measures are There are two types of adversary
recommended:
Weak Adversary: The adversary is interested in
o
Authentication schemes provisioned by the
corrupting the user’s data files stored on
Operating System should be evaluated.
individual servers. Once a server is comprised,
Schemes utilizing public-private key based
an adversary can pollute the original data files
authentication such as SSH or Kerberos,
by modifying or introducing its own fraudulent
which
data to prevent the original data from being
communications on the network.
retrieved by the user.
o
also
encrypt
authentication
Authentication using Access control Lists (ACL) to setup role-based access and
Strong Adversary: This is the worst case
appropriate
scenario, in which we assume that the adversary
permissions
will
enhance
security,
can compromise all the storage servers so that he
o
can intentionally modify the data files as long as
Strong password schemes like minimum length and periodic change of passwords
they are internally consistent.
should be enforced. The default user name and passwords that are configured on the
IV. PROPOSED SOLUTIONS
device should be changed. Control Access Data Storage that includes the necessary
policies,
processes
and
Constant
control
monitoring
of
published
OS
activities for the delivery of each of the Data
vulnerabilities using database, SANS Security
service offerings. The collective control Data
Alert Consensus newsletter and the NAS
Storage encompasses the users, processes, and
vendor’s support site, is a
technology
necessary
to
maintain
an
environment that supports the effectiveness of
o
necessity to prepare for possible attacks
o
Logging and auditing controls should be
specific controls and the control frameworks.
implemented to prevent unauthorized use,
The Security, correctness and availability of the
track usage and for incident response
data files being stored on the distributed cloud servers must be guaranteed by the following: o
Layer -2 Network Connectivity
Providing Security policy and Procedure for
NAS appliances face similar vulnerabilities as IP
Data Storage
based network devices. Common techniques used to protect IP networks are also applicable
The Defence in Depth (referred to as did in this
to Storage Network:
paper) is an excellent framework advocating a layered approach to defending against attacks,
o
thereby mitigating risks.
Extending
network
perimeter
defence
strategies like using a Firewall and IDS
INTERNATIONAL ASSOCIATION OF ENGINEERING & TECHNOLOGY FOR SKILL DEVELOPMENT
328
www.iaetsd.in
INTERNATIONAL CONFERENCE ON CURRENT INNOVATIONS IN ENGINEERING AND TECHNOLOGY
o
o
ISBN: 378 - 26 - 138420 - 5
device to filter traffic reaching the NAS
localization in our challenge- response
appliance will increase protection
protocol
Use VLANs for segregating traffic to the
o
The response values from servers for each
NAS appliances
challenge
Separate and isolate management interface
correctness of the distributed storage, but
from
the Storage
also contain information to locate.
Network, thus enforcing out of band
b) Reliability of the analysis strategy
data
interfaces
on
not
only
determine
the
management which is more secure o
Monitor
traffic
patterns
on
the
The reliability of secure data storage strategy
data
depends on security procedure and the backup
interfaces of the NAS devices for unusual
data coefficients. When one or more nodes
activity
cannot be accessed, the secure strategy can Layer – 3 Management Access
ensure that the data will be restored as long as one of the k nodes can be accessed. However,
Management access is a significant source of
traditional data storage methods require all the
attack. To address the vulnerabilities, the
data in the k nodes to be retrieved. Thus, the
following guidelines provide help o
more blocks the data are split into, the poorer the reliability of traditional data storage
Disable the use of telnet and HTTP and enforce management access through SSH
V. CONCLUSION
and HTTPS for encrypted communication o
o
o
o
Create separate user accounts based on the
This paper suggests a methodical application of
management tasks assigned to the users
“defence in depth” security techniques that can
Implement
authentication
help allay security risks in networked storage.
mechanisms like two-factor authentication
More importantly, a defence in depth based
using tokens, biometrics, etc
networked storage security policy provides a
Strong password schemes like minimum
comprehensive framework to thwart future
length passwords and periodic change of
attacks as the current technologies are more
passwords should be enforced
clearly understood.
Implement
strong
authorization
using
Access
REFERENCES
Control Lists to setup role based access and appropriate permissions
[1] What is Cloud Computing? Retrieved April
a) Correctness verification o
o
6, 2011, available at:
Error localization is a key prerequisite for
http://www.microsoft.com/business/engb/sol
eliminating errors in storage systems.
utions/Pages/Cloud.aspx
We
can
correctness
do
that
by integrating the
verification
and
error
INTERNATIONAL ASSOCIATION OF ENGINEERING & TECHNOLOGY FOR SKILL DEVELOPMENT
329
www.iaetsd.in
INTERNATIONAL CONFERENCE ON CURRENT INNOVATIONS IN ENGINEERING AND TECHNOLOGY
[2]
EMC,
Information-Centric
ISBN: 378 - 26 - 138420 - 5
Security.
http://www.idc.pt/resources/PPTs/2007/IT& Internet_Security/12.EMC.pdf. [3] End-User Privacy in Human–Computer Interaction. http://www.cs.cmu.edu/~jasonh/publications /fnt-enduser-privacy-in-human-computerinteractionfinal. pdf. [4] ESG White Paper, the Information-Centric Security Architecture. http://japan.emc.com/ collateral/analystreports/emc-white-paper
-
v4-4-21-2006.pdf. [5] Subashini S, Kavitha V., “A survey on security issues in service delivery models of cloud computing,” Journal of Network and Computer Applications (2011) vol. 34 Issue 1, January 2011 pp. 1-11. AUTHORS First Author Second Author
INTERNATIONAL ASSOCIATION OF ENGINEERING & TECHNOLOGY FOR SKILL DEVELOPMENT
330
www.iaetsd.in