VOL. 3, NO.

6, June 2012 ISSN 2079-8407

Journal of Emerging Trends in Computing and Information Sciences
©2009-2012 CIS Journal. All rights reserved.

http://www.cisjournal.org

A Proposed Model for Enhancing Data Storage Security in

Cloud Computing Systems
1
Dr Nashaat el-Khameesy, 2 Hossam Abdel Rahman
1
Prof. and Head of Computers & Information systems Chair, Sadat Academy
2
Computers & Information systems Chair, Sadat Academy
1, 2
Sadat Academy for management Science –Computer & Information Dept -Maady-Cairo-Egypt
1
[email protected], 2 [email protected]

ABSTRACT
The reported recent success of cloud computing has attracted attention for cost effective IT services with many signs for
continuing spread out if not dominating in the coming years. However, challenges are being faced by both research and
professional communities including quality reliable services, optimized architectures and security. Meanwhile, IT services in
Cloud Computing face the overwhelming challenges to ensure the proper physical, logical and personnel security controls,
especially when considering the fact that cloud computing moves the application software and databases to the large data
canters. Moreover, while moving such large volumes of data and Software, the management of the data and services may not
be fully trustworthy.
In this paper, the main focus is given to highlight the security aspects of data storage from perspectives of threats and attacks
from one side and approaches for solutions from the other side. The paper also proposes an effective and flexible distributed
scheme with two salient features, opposing to its predecessors. Our scheme achieves the integration of storage correctness
insurance and data error localization.

Keywords: Cloud computing, Threats and attacks, personnel security controls, storage correctness, distributes storage system

1. INTRODUCTION
In cloud computing, moving data into the cloud and their design Goals, methods for enhancing cloud data
offers great convenience to users since they don’t have to storage and Finally the Conclusions.
worry about the complexities of direct hardware
management [1]. Meanwhile, the emerging trend of 2. THREATS AND ATTACKS FROM
outsourcing data storages at third parties (cloud storage) has STORAGE PERSPECTIVES
recently attracted tremendous amount of attention from both
research and industry communities [2]. Outsourced storage While the benefits of storage networks have been
makes shared data and resources much more accessible as widely acknowledged, consolidation of enterprise data on
users can retrieve them anywhere from personal computers networked storage poses significant security risks. Hackers
to smart phones, however the users will be at the mercy of adept at exploiting network-layer vulnerabilities can now
their cloud service providers for the availability and integrity explore deeper strata of corporate information [6].
of their data. [3].
Following is brief listings of some major drivers to
On the other hand, security remains the critical implementing security for networked storage from
issue that concerns potential clients, especially for the banks perspectives of challenging threats and attacks:
and government sectors. A major challenge for any
comprehensive access control solution for outsourced data is  Perimeter defence strategies focus on protection from
the ability to handle requests for re-sources according to the external threats. With the number of security attacks
specie security policies to achieve congeniality, and at the on the rise, relying on perimeter defence alone is not
same time protect the users' privacy [4]. Several solutions sufficient to protect enterprise data, and a single
have been proposed in the past, but most of them didn’t security breach can cripple a business [7].
consider protecting privacy of the policies and users' access  The number of internal attacks is on the rise thereby
patterns as essential aspect for users [5]. threatening NAS/SAN deployments that are part of
the “trusted” corporate networks [8]. Reports such as
In this paper we address the main aspects related to the CSI/FBI’s annual Computer Crime & Security
security of cloud storage. It presents an attempt to propose Survey help quantify the significant threat caused by
an effective and flexible security policy and procedures data theft
explicit to enhance the Data storage security in the cloud.  The problem of incorrectness of data storage in the
The paper covers briefly a number of aspects including: cloud
major challenges and problems, Cloud Deployment Models

970
 VOL. 3, NO. 6, June 2012 ISSN 2079-8407
Journal of Emerging Trends in Computing and Information Sciences
©2009-2012 CIS Journal. All rights reserved.

http://www.cisjournal.org
 The data stored in the cloud may be updated by the b. Private Cloud
users, including insertion, deletion, modification,
appending, reordering, etc [9]. A private cloud is one in which the services and
 Individual user’s data is redundantly stored in infrastructure are maintained on a private network. These
multiple physical locations to further reduce the data clouds offer the greatest level of security and control, but
integrity threats [10]. they require the company to still purchase and maintain all
the software and infrastructure, which reduces the cost
Moreover, risks due to compromised storage range savings. [11].
from tangible loss such as business discontinuity in the form
of information downtime, to intangibles such as the loss of c. Hybrid Cloud
stature as a secure business partner. With the number of
reported security attacks on the rise, a firm understanding of A hybrid cloud environment consisting of multiple
networked storage solutions is a precursor to determining internal and/or external providers "will be typical for most
and mitigating security risks. enterprises". By integrating multiple cloud services users
may be able to ease the transition to public cloud services
while avoiding issues such as PCI compliance. [12].
3. CLOUD DEPLOYMENT MODELS
By large, based on the reported literatures and d. System Model
implementations, the cloud can be deployed in three models
which have different features and approaches to be below. Cloud networking can be illustrated by three
different network entities:

User: who have data to be stored in the cloud and

rely on the cloud for data computation, consist of both
individual consumers and organizations?

Cloud Service Provider (CSP): who has

significant resources and expertise in building and managing
distributed cloud storage servers, owns and operates live
Cloud Computing systems.

Third Party Auditor (TPA): who has expertise

and capabilities that users may not have, is trusted to assess
and expose risk of cloud storage services on behalf of the
users upon request.

Fig 1 e. Adversary Model [13].

There are two different sources for Security threats
The cloud can be deployed in three models. The
faced by cloud data storage.
Fig: 1 explains its structure. They are described in different
ways. In generalized it is described as below:
1. CSP can be self-interested, un-trusted and possibly
malicious.
a. Public Cloud
A public cloud is one in which the services and • It may move data that is rarely accessed to a lower
infrastructure are provided off-site over the internet. These tier of storage for monetary reasons, but
clouds offer the greatest level of efficiency in shared
resources; however, they are also more vulnerable than • It may hide a data loss incident due to management
private clouds. Public clouds are run by third parties, and errors, Byzantine failures and so on.
applications from different customers are likely to be mixed
together on the cloud’s servers, storage systems, and •
networks. 2. Economically motivated adversary, who has the
capability to compromise a number of cloud data
storage servers in different time intervals and
subsequently is able to modify or delete users 'data

971
 VOL. 3, NO. 6, June 2012 ISSN 2079-8407
Journal of Emerging Trends in Computing and Information Sciences
©2009-2012 CIS Journal. All rights reserved.

http://www.cisjournal.org
while remaining undetected by CSPs for a certain • The security protocol should add as little overhead
period [14]. as possible in terms of computation and the number and size
of messages.
There are two types of adversary

• Weak Adversary: The adversary is interested in 5. PROPOSED SOLUTIONS TO ENHANCE

corrupting the user’s data files stored on individual CLOUD DATA STORAGE
servers. Once a server is comprised, an adversary can
pollute the original data files by modifying or Control Access Data Storage that includes the
introducing its own fraudulent data to prevent the necessary policies, processes and control activities for the
original data from being retrieved by the user. delivery of each of the Data service offerings. The collective
control Data Storage encompasses the users, processes, and
• Strong Adversary: This is the worst case scenario, in technology necessary to maintain an environment that
which we assume that the adversary can compromise supports the effectiveness of specific controls and the
all the storage servers so that he can intentionally control frameworks [17].The Security, correctness and
modify the data files as long as they are internally availability of the data files being stored on the distributed
consistent. cloud servers must be guaranteed by the following:

4. DESIGN GOALS  Providing Security Policy & Procedure for Data

Storage
To ensure the security and dependability for cloud
data storage, we aim to design efficient mechanisms for The Defence in Depth (referred to as did in this
dynamic data verification and operation and achieve the paper) is an excellent framework advocating a layered
following goals: approach to defending against attacks, thereby mitigating
risks.
• Storage correctness: to ensure the data are kept intact
all the time in the cloud.  Defence in Depth for Data Storage in cloud
• Fast localization of data error: to effectively locate the computing
malfunctioning server when data corruption has been
detected  Layer 1 – Devices on the Storage Network [18]
• Dynamic data support: to maintain the same level of
storage correctness assurance even if users modify, The following risk-mitigation measures are
delete or append their data files in the cloud. recommended:
• Dependability: to enhance data availability against
Byzantine failures, malicious data modification and • Authentication schemes provided by the OS should
server colluding attacks. be evaluated. Schemes utilizing public- private key
• Lightweight: to enable users to perform storage based authentication such as SSH or Kerberos,
correctness checks with minimum overhead which also encrypt authentication communications
• The Network Access Storage Data security system on the network, should be used
should explicitly separate the policy enforcement • Authorization using Access Control Lists (ACL) to
mechanism from the policy decision process and the setup role-based access and appropriate permissions
file manager must be able to communicate policy will enhance security
decisions to the drive [15]. • Strong password schemes like minimum length
• The protocol should prevent unauthorized passwords and periodic change of passwords
modification of client requests and capabilities along should be enforced. The default username and
with protecting privacy of requests if dictated by the passwords that are configured on the device should
policies of clients or file managers. be changed
• To minimize interaction with the file manager, the Constant monitoring of published OS-
drive should be able to validate client operations vulnerabilities using database, SANS Security Alert
without direct communication with the file manager. Consensus newsletter and the NAS vendor’s
• To allow for low memory drive implementations, support site, is a
there should be no long term state shared between • necessity to prepare for possible attacks
drive and client. Overall state requirements of the • Logging and auditing controls should be
drive should be kept at a minimum, but additional implemented to prevent unauthorized use, track
memory should enhance performance [16]. usage and for incident response

972
 VOL. 3, NO. 6, June 2012 ISSN 2079-8407
Journal of Emerging Trends in Computing and Information Sciences
©2009-2012 CIS Journal. All rights reserved.

http://www.cisjournal.org
• .
Layer 2 – Network connectivity [19] • We can do that by integrating the correctness
verification and error localization in our challenge-
NAS appliances face similar vulnerabilities as IP response protocol
based network devices. Common techniques used to protect • The response values from servers for each
IP networks are also applicable to Storage Network: challenge not only determine the correctness of the
distributed storage, but also contain information to
locate
• Extending network perimeter defence strategies like
using a Firewall and IDS device to filter traffic •
reaching the NAS appliance will increase protection b. Reliability of the analysis strategy of the
• Use VLANs for segregating traffic to the NAS experiment
appliances
• Separate and isolate management interface from data The reliability of secure data storage strategy
interfaces on the Storage Network, thus enforcing out- depends on security procedure and the backup data
of-band management which is more secure coefficients [22]. When one or more nodes cannot be
• Monitor traffic patterns on the data interfaces of the accessed, the secure strategy can ensure that the data will be
NAS devices for unusual activity restored as long as one of the k nodes can be accessed.
• Implement port binding on switches to prevent WWN However, traditional data storage methods require all the
spoofing. Port binding binds a WWN to a specific data in the k nodes to be retrieved. Thus, the more blocks the
switch port allowing connections of that device only data are split into, the poorer the reliability of traditional data
through the predefined port thereby preventing other storage
devices to assume the WWN’s identity
• Implement vendor specific security techniques. For 6. CONCLUSIONS
example, Brocade’s Secure Fabric OS provides for
additional security by enforcing switch authentication This paper suggests a methodical application of
• Create a separate management network which is “defence in depth” security techniques that can help allay
isolated from the data network, thus preventing security risks in networked storage. More importantly, a
insecure in-band management activities defence in depth based networked storage security policy
Layer 3 – Management access [20] provides a comprehensive framework to thwart future
Management access is a significant source of attack. attacks as the current technologies are more clearly
To address the vulnerabilities, the following understood. The emerging standards in storage security in
guidelines provide help conjunction with defence in depth will help in making
• Disable the use of telnet and HTTP and enforce storage much more resilient to future threats.
management access through SSH and HTTPS for
encrypted communication • In this abstract, we summarize the problem of data
• Create separate user accounts based on the security in cloud data storage, which is essentially a
management tasks assigned to the users distributed storage system. To enhance the security
• Implement strong authentication mechanisms like storage in cloud data storage.
two-factor authentication using tokens, biometrics, etc • We investigated the problem of data security in
• Strong password schemes like minimum length cloud data storage, which is essentially a distributed
passwords and periodic change of passwords should storage system.
be enforced • We proposed an effective and flexible security
• Implement authorization using Access Control Lists policy and procedure with explicit data support,
to setup role based access and appropriate including block update, delete, and append.
permissions • Our scheme achieves the integration of storage
• Enforce logging and auditing to prevent unauthorized correctness insurance and data error localization
use, track usage and for incident response [21]. • Accountability for security and privacy in public
• Restrict the management of the storage network clouds remains with the organization.
• devices from specific hosts • Federal agencies must ensure that any selected
public cloud computing solution is configured,
deployed, and managed to meet the security,
a. Correctness Verification and Error
privacy, and other requirements of the organization.
Localization • Organizational data must be protected in a manner
consistent with policies, whether in the
• Error localization is a key prerequisite for eliminating organization’s computing centre or the cloud.
errors in storage systems.

973
 VOL. 3, NO. 6, June 2012 ISSN 2079-8407
Journal of Emerging Trends in Computing and Information Sciences
©2009-2012 CIS Journal. All rights reserved.

http://www.cisjournal.org
• The organization must ensure that security and Journal of Recent Technology and Engineering
privacy controls are implemented correctly and (IJRTE) ,March. 27, 2012
operate as intended.
[12] Cong Wang, Qian Wang, and Kui Ren Department of
REFERENCES ECE Illinois Institute of Technology, International
Journal of Recent Technology and Engineering
[1] V. Krishna Reddy, B. Thirumal Rao, Dr. L.S.S. (IJRTE) , April ,12- 2011
Reddy, P.Sai Kiran “Research Issues in Cloud
Computing “ Global Journal of Computer Science and [13] National Institute of Standards and Technology -
Technology, Volume 11,Issue 11, July 2011. Computer Security Division
http://csrc.nist.gov/groups/SNS/cloud-computing/
[2] What is Cloud Computing? Retrieved April 6, 2011,
available at: [14] Security Guidance for Critical Areas of Focus in
http://www.microsoft.com/business/engb/solutions/Pa Cloud Computing.
ges/Cloud.aspx http://www.cloudsecurityalliance.org/guidance/csagui
de.pdf.
[3] What is Cloud Computing? Retrieved April 6, 2011,
available at: [15] An Information-Centric Approach to Information
http://www.ibm.com/developerworks/cloud/newto.ht Security. http://virtualization.sys-
ml#WHATIS con.com/node/171199.

[4] What is Cloud? Retrieved April 6, 2011, available at: [16] EMC, Information-Centric Security.
http://www.rackspace.co.uk/cloud-hosting/learn- http://www.idc.pt/resources/PPTs/2007/IT&Internet_
more/whatis-cloud/ Security/12.EMC.pdf.

[5] Recession is good for cloud computing – Microsoft [17] End-User Privacy in Human–Computer Interaction.
agrees http://www.cloudave.com/2425/recession-is- http://www.cs.cmu.edu/~jasonh/publications/fnt-end-
goodfor- cloud-computing-microsoft-agrees/ user-privacy-in-human-computer-interaction-
final.pdf.
[6] S. De Capitani di Vimercati, S. Foresti, S. Paraboschi,
G. Pelosi, and P. Samarati. Ecient and private access [18] ESG White Paper, the Information-Centric Security
to outsourced data. In Proc. of the 31st International Architecture. http://japan.emc.com/collateral/analyst-
Conference on Distributed Computing Systems reports/emc-white-paper-v4-4-21-2006.pdf.
(ICDCS 2011), Minneapolis, Min- nesota, USA, June
2011. [19] Latest cloud storage hiccups prompts data security
questions.
[7] R. Chow, P. Golle, M. Jakobsson, E. Shi, J. Staddon, http://www.computerworld.com/action/article.do?co
R. Masuoka, and J. Molina. Controlling data in the mmand=viewArticleBasic&articleId=9130682&sourc
cloud: Outsourcing computation without outsourcing e=NLT_PM.
control. In ACM Workshop on Cloud Computing
Security, 2009 [20] Catteddu, D. and Hogben, G. Cloud Computing:
benefits, risks and recommendations for information
[8] Subashini S, Kavitha V., “A survey on security issues security. Technical Report. European Network and
in service delivery models of cloud computing,” Information Security Agency, 2009.
Journal of Network and Computer Applications
(2011) vol. 34 Issue 1, January 2011 pp. 1-11. [21] Danwei Chen, Yanjun He, Computer Technology,
Nanjing University of Posts and Telecommunications,
[9] IT Cloud Services User Survey, pt.2: Top Benefits & Journal of Convergence Information Technology
Challenges. http://blogs.idc.com/ie/?p=210. Volume 5, Number 7- September 2010

[10] New IDC IT Cloud Services Survey: Top Benefits [22] Cong Wang, Qian Wang, and Kui Ren Department of
and Challenges. Retrieved April 8, 2011 from ECE Illinois Institute of Technology, International
http://blogs.idc.com/ie/?p=730 Journal of Recent Technology and Engineering
(IJRTE) , April ,12- 2011
[11] Rohit Maheshwari, Department of Computer
Science, Kautilya Inst. Of Technology, International

974