Cloud Computing is defined as an environment in which users can share their resources with others in pay per use model. The supplies are stored centrally and can access from anywhere. Despite these advantages, there still exist significant issues that need to be considered before shifting into the cloud. Security stands as a considerable obstacle in cloud computing. This Article gives an overview of the security issues on data storage along with its possible solutions. It also provides a brief description of the encryption techniques and auditing mechanisms.
Cloud computing nowadays is an emergent IT technology which has gained limelight in research. Cloud computing is the combination of many pre-existing technologies that have matured at different rates and in different contexts.
The goal of cloud computing is to allow users to take benefit of all these technologies. Many organizations are moving into the cloud because it will enable the users to store their data on clouds and can access at any time from anywhere. Data breaching is possible in the cloud environment since data from various users and business organizations lie together in a cloud. And also by sending the data to the cloud, the data owners transfer the control of their data to a third person that may raise security problems. Sometimes the Cloud Service Provider (CSP) itself will use/corrupt the data illegally.
Security and privacy stand as the primary obstacle to cloud computing, i.e., preserving confidentiality, integrity, and availability of data. As simple solution encrypt the data before uploading it onto the cloud. This approach ensures that the data are not visible to external users and cloud administrators but has the limitation that plain text-based searching algorithm is not applicable.Synopsis
The National Institute of Standard and Technology’s (NIST) defined cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. The NIST has listed five main characteristics of cloud computing as:
- On-demand self-service: Resources are available to users based on their demand.
- Broad network access: The services are rendered over the network, and the users can access it if having an internet connection.
- Resource pooling: Resources from vendors are pooled to serve multiple users.
- Rapid elasticity: Users can access the resources whenever needed and also they can release the funds when they no longer required.
- Measured service: Users have to pay only for the time they are using the resources.
The delivery models in cloud shown in Figure 1. They are:
- Infrastructure as a Service (IaaS): The IaaS model offers the support to run the applications.
- Platform as a Service (PaaS): The PaaS model enables the application developer with a development environment and also offer the services provided by the vendor.
- Software as a Service (SaaS): In SaaS model, the users can use the software for rent instead of purchasing it.
The deployment models in the cloud are:
- Public Cloud: The cloud is said to be public cloud if its services are rendered for open use by the general public. It may be owned, managed and operated by a business, academic, or government organization, or some combination of them. Amazon, Google are examples of a public cloud.
- Private Cloud: The cloud is said to be closed cloud if it is owned and managed solely by an organization and its services are rendered to the users within the organization.
- Community Cloud: A community cloud is an infrastructure shared by several organizations which supports a specific community.
- Hybrid Cloud: A hybrid cloud is a combination of public and private clouds.
VIDEO: Public Cloud vs Private Cloud vs Hybrid Cloud
Threats in Cloud Computing
There are certain aspects associated with Cloud Computing as a result of which many organizations are still not confident about moving into the cloud. The Computer Security Alliance Group has listed the threats that may occur in cloud computing. They are:
- Abuse of cloud computing.
- Insecure Interfaces and API’s.
- Malicious Insiders.
- Shared Technology Issues.
- Data Loss and Leakage.
- Account or Service Hijacking.
- Unknown Risk Profile.
- Hardware Failure.
- Natural Disasters.
- Closure of Cloud Service.
- Cloud-related Malware.
- Inadequate Infrastructure Design and Planning.
Among these data loss and leakage was ranked as the second most common threat. Data loss and leakage occurs due to lack of security and privacy in both storage and transmission. To reduce this risk, the data security aspects taken into account are:
- Data-in-transit: Data-in-transit refers to the data during transfer either from data owner to cloud provider or from a cloud provider to an owner.
- Data-at-rest: Data-at-rest refers to the data in the storage.
- Data lineage: Data lineage specifies what happened to data from its source through distinct applications and its use for auditors. Data lineage is difficult for public clouds.
- Data provenance: Data provenance is not just proving the integrity of data, but the more specific history of the data, i.e., who created, modified and deleted the data in the cloud.
- Data remanence: Data remanence refers to the data left behind after deletion.
This Article highlights the issues related to data storage. Data Storage refers to storing the data on a remote server hosted by the CSP. The benefits of data storage in the cloud are:
- Provides unlimited storage space for storing user’s data.
- A user can access the data at any time from anywhere using an internet connection in more than one machine.
- No need to buy the storage device for storing the data.
The primary constraint in data storage was an absence of security and privacy which arises due to loss of control over the data. The requirements for secure data storage are:
- The data on the cloud must be confidential, and CSP should not be able to compromise it at any cost.
- Data access must be given to the intended use only.
- The data owner must have full control over the authorization of data.
Security and Privacy Issues in Data Storage
Cloud Computing allows the users to store their data on the storage location maintained by a third party. Once the data is uploaded to the cloud, the user loses its control over the data, and the data can be tampered by the attackers. The attacker may be an internal (CSP) or external. Unauthorized access is also a common practice due to weak access control. The protection of information arises the following challenges:
- Access control: Are there appropriate controls over access of data when stored in the cloud?
- Structured versus unstructured: How is the data are stored? Whether it supports data access speedily?
- Integrity/availability/confidentiality: How are data integrity, availability and privacy maintained in the cloud?
- Encryption: Several laws and regulations require that certain types of information should be stored only when encrypted. Is this requirement supported by the CSP?
The security and privacy issues related to data storage are confidentiality, integrity, and availability.
INTERESTING VIDEO: How Google Protects Your Data
The principal dispute in cloud computing is confidentiality. Data confidentiality means accessing the data only by authorized users and is strongly related to authentication. In another way, secrecy means keeping users data secret in the cloud systems. As we are storing the data on a remote server and transferring the control over the data to the provider here arises the questions such as:
- Will the sensitive data stored on the cloud is confidential?
- Will the cloud provider itself be honest?
For ensuring confidentiality, cryptographic encryption algorithms and secure authentication mechanisms can be used. Encryption is the process of converting the data into a form called ciphertext that can be understood only by the authorized users. Encryption is an efficient technique for protecting the data but has the obstacle that data will be lost once the encryption key is stolen. The primary potential concern is:
- How is the data in the cloud be protected?
- If encryption is used what will be its key strength?
It all depends on the CSP. CSP itself will encrypt the user data before storing, and the keys will be disclosed only to the authorized persons. But some CSPs allow the users to encrypt their data before uploading into the cloud. The encrypted data is usually stored on the server, and the keys are revealed only to the authorized users. Different cryptographic algorithms are available for encryption. In symmetric cryptography involves the use of the private key is used for both encryption and decryption as shown in Figure 2. In symmetric algorithms, the data is encrypted by using a private or secret key, and the same key is used for decryption also. Symmetric algorithms include DES, AES, and Blowfish, etc. In DES has been a public crucial symmetric encryption, introduced in 1976 and is used in many commercial and financial applications. DES is more comfortable to implement in both hardware and software but is slower and has poor performance. DES was replaced by AES encryption which is fast and flexible and was used to protect information in smart cards and online transactions. The critical size of 256 bits is more secure, but sometimes it is too complicated. Blowfish introduced in 1993 is one of the most common public domain encryption algorithms. Blowfish is fat and straightforward encryption algorithm.
In general symmetric algorithms are more straightforward and faster but not efficient that both sender and receiver share the same secret or private key.
Asymmetric encryption algorithms also called public key encryption involves the use of public key and private key. In asymmetric encryption algorithms, the sender encrypts the data using the public key of the receiver and the receiver will decrypt it using his private key. The most popular asymmetric encryption algorithm is RSA encryption which is developed in 1978. It provides increased security as the private keys do not need to be revealed to anyone. Another advantage is it provides mechanisms for digital signature. Digital signatures along with RSA encryption ensure the security of data in the cloud. A numeric name is a mathematical scheme for proving the authenticity of data.
Predicate encryption is also a kind of asymmetric encryption which allows decrypting selected data instead of decrypting all of it. Identity-Based Encryption (IBE) is public key encryption which uses the unique information about the identity of the user as a public key and guarantees authenticity. The major advantage of asymmetric encryption is it provides more security. The disadvantage is its speed, i.e., symmetric algorithms are faster than asymmetric algorithms. Figure 3 depicts the asymmetric encryption technique.
The above encryption techniques have the limitation that for searching the data from the file, the entire data has to be decrypted. It is a time-consuming process, and thus searchable encryption was introduced. Searchable encryption allows build an index for the file containing the keywords and is encrypted and stored along with the record so that while searching the data only the keywords are decrypted rather than the entire file and search is made on it.
Efficient encryption is homomorphism encryption which allows the CSP to carry out operations on encrypted file rather than decrypting it, which provides the same result. The key used for encryption is kept secret by the user and not revealed to the CSP, so it is more secure.
All these encryption algorithms will improve the security of data but maintain the encryption key as the secret is a difficult task for the CSP as more users dumping their data. As the key is with the CSP sometimes, it is possible to hack the data.
Another serious problem faced by cloud computing is integrity. The integrity of data means to make sure that the data has not been changed by an unauthorized person or in an illegal way. It is a method for ensuring that the data is real, accurate and safeguarded from unauthorized users. As cloud computing supports resource sharing, there is a possibility of data being corrupted by unauthorized users. Digital Signatures can be used for preserving the integrity of data. The simple way for providing integrity is using Message Authentication Code (MAC). Message Authentication Code is a cryptographic checksum calculated using hash functions and is sent along with the data for checking the integrity. Auditing mechanisms can also be used for preserving integrity. In private auditing, the integrity of data is verified by the data owner using algorithms. Public verification means assigning a Trusted Third Party (TPA) by the data owner to check the integrity of the data. The TPA cannot access the data but can verify whether the data is modified or not and will report to the owner.
Remote Data Auditing refers to a group of protocols for verifying the correctness of the data over the cloud managed by CSP without accessing the data. As shown in Figure 4 Remote Data Auditing follows response challenge process which involves the following steps:
- The data owner processes the file and generates Metadata and handover it to the TPA.
- The TPA generates a challenge and transmits to CSP for checking the data correctness.
- On receiving the challenge, the CSP calculates the response and send it to TPA.
- After receiving the response, verification is done by TPA to check whether the data is stored correctly by the provider.
Provable Data possession is also a remote auditing mechanism. In all PDA mechanisms, the data owner or TPA will check the integrity of data. However, TPA is not able to verify the integrity independently when the data owner fails to send the metadata for verification. The TPA does not have the permission to take countermeasures without informing the owner.
To overcome this proxy PDP was defined in which remote data auditing task was assigned to a proxy on the warrant.
Availability refers to being available and accessible to authorized users on demand. Availability of cloud computing systems aims to ensure that its users can use them at any place and at any time.
Cloud computing enables users to store their data in the remote storage location. But data security is the significant threat to cloud computing. Due to this many organizations are not willing to move into the cloud environment. To overcome this, confidentiality, integrity, availability should be encapsulated in a CSP’s Service Level Agreement (SLA) to its customers. Otherwise, ensure that any sensitive information is not put into a public cloud and if any it is to be stored in encrypted form. Effective auditing mechanisms also can be used for providing data integrity.