Transcript of "Enhanced data security model for cloud computing.bak"
The 8th International Conference on INFOrmatics and Systems (INFOS2012) - 14-16 May Cloud and Mobile Computing Track Enhanced Data Security Model for Cloud Computing Eman M.Mohamed Hatem S. Abdelkader Faculty of computers and information, computer science Faculty of computers and information, Information system department, Faculty of computers and information, department, Faculty of computers and information, Menofia University Menofia University emanhabib_1987 @yahoo.com email@example.com Sherif EI-Etriby Faculty of computers and information, computer science department, Faculty of computers and information, Menofia University EI_etriby 1OO@yahoo.comAbstract- Cloud Computing becomes the next generation • Massive scalability: Cloud computing provides thearchitecture of IT Enterprise. In contrast to traditional solutions, ability to scale to tens of thousands of systems, as wellCloud computing moves the application software and databases as the ability to massively scale bandwidth and storageto the large data centers, where the management of the data and spaceservices may not be fully trustworthy. This unique feature,however, raises many new security challenges which have not • Elasticity: Users can rapidly increase and decreasebeen well understood. In cloud computing, both data and their computing resources as needed.software are fully not contained on the users computer; DataSecurity concerns arising because both user data and program • Pay as you used: Users to pay for only the resourcesare residing in Provider Premises. Clouds typically have a single they actually use and for only the time they requiresecurity architecture but have many customers with different them.demands. Every cloud provider solves this problem by encryptingthe data by using encryption algorithms. This paper investigates • Self-provisioning of resources: Users self-provisionthe basic problem of cloud computing data security. We present resources, such as additional systems (processingthe data security model of cloud computing based on the study of capability, software, storage) and network resources.the cloud architecture. We improve data security model for cloud • Cloud computing can be confused with distributedcomputing. We implement software to enhance work in a data http://ieeexploreprojects.blogspot.comcomputing, utility computing, service system, gridsecurity model for cloud computing. Finally apply this software oriented architecture, web application, web 2.0,in the Amazon EC2 Micro instance. broadband network, browser as a platform, Keywords-component; Cloud computing, Architecture of Cloud Virtualization, and free/open software .computing .Amazon EC2, NIST Statistical test suite" RC4 , RC6, Cloud computing is a natural evolution of the widespreadMARS, AES, DES, 3DES, Two-Fish, Blowfish adoption of virtualization, service-oriented architecture, autonomic, and utility computing . Details are abstracted I. INTRODUCTION from end-users, who no longer have a need for expertise in, or In the traditional model of computing, both data and control over, the technology infrastructure "in the cloud" thatsoftware are fully contained on the users computer; in cloud supports them as shown in figure 1.computing, the users computer may contain almost no softwareor data (perhaps a minimal operating system and web browser,display terminal for processes occurring on a network). Cloud computing is based on five attributes: multi-tenancy(shared resources), massive scalability, elasticity, pay as you Figure 1. Evolution of cloud computinggo, and self-provisioning of resources, it makes new advancesin processors, Virtualization technology, disk storage, Cloud services exhibit five essential characteristics thatbroadband Internet connection, and fast, inexpensive servers demonstrate their relation to, and differences from, traditionalhave combined to make the cloud a more compelling solution. computing approaches such as On-demand self-service, Broad The main attributes of cloud computing are illustrated as network access, Resource pooling, Rapid elasticity, andfollows : Measured service . Cloud computing often leverages Massive scale, • Multi-tenancy (shared resources): Cloud computing is Homogeneity, Virtualization, Resilient computing (no stop based on a business model in which resources are computing), Low cost/free software, Geographic distribution, shared (i.e., multiple users use the same resource) at Service orientation Software and Advanced security the network level, host level, and application level. technologies . Faculty of Computers and Information - Cairo University CC-12
The 8th International Conference on INFOrmatics and Systems (INFOS2012) - 14-16 May Cloud and Mobile Computing Track This paper enhances data security model for cloud C. Cloud computing sub-services modelscomp~ting. We propose a n.ew data .security mode~ based on • IaaS: DataBase-as-a-Service (DBaaS): DBaaS allowsstudying of cloud computing architecture. We Implement the access and use of a database management system assoftwar~ to sel~ct the ~uitable and the highest ~ecurity a service .encryption algorithm, This software makes evaluation forselected eight modem encryption techniques namely RC4, • PaaS: Storage-as-a-Service (STaaS): STaaS involvesRC6, MARS, AES, DES, 3DES, Two-Fish, and Blowfish. This the delivery of data storage as a service, includingevaluation has been performed for pervious encryption database-like services, often billed on a utilityalgorithms accord to randomness tests and performance in computing basis, e.g., per gigabyte per month.cloud computing. The evaluation performed according to NISTstatistical testing . This evaluation is implemented as • SaaS: Communications-as-a-Service (CaaS): CaaS isPseudo Random Number Generator (PRNG). This evaluation is the delivery of an enterprise communications solution,used to determine the most suitable technique. The such as Voice over IP, instant messaging, and videoperformance of evaluation is tested by the measure encryption conferencing applications as a service.speed of those encryption algorithms in the cloud. The selectedeight modem encryption techniques [21-27] use a random • SaaS: SECurity-as-a-Service (SECaaS): SECaaS is the security of business networks and mobile networksnumber generator to get some critical data similar to keys and through the Internet for events, database, application,initial vectors. transaction, and system incidents. The main objective of this paper is to enhance data security • SaaS: Monitoring-as-a-Service (MaaS): MaaS refersmodel for cloud computing. The proposed data security model to the delivery of second-tier infrastructuresolves cloud user security problems, help cloud provider to components, such as log management and assetselect the most suitable encryption algorithm to its cloud. We tracking, as a service.also help user cloud to select the highest security encryptionalgorithm. • PaaS: Desktop-as-a-Service (DTaaS): DTaaS is the decoupling of a users physical machine from the The paper is organized as follows; in section 2 cloud desktop and software he or she uses to work.computing architecture is defined. Cloud computing security isdiscussed in section 3, in section 4 Methodology is described, • IaaS: Compute Capacity-as-a-Service (CCaaS)and finally in section 5 interruptions of the results are CCaaS is the provision of "raw" computing resource,described. typically used in the execution of mathematically complex models from either a single "supercomputer" http://ieeexploreprojects.blogspot.comlarge number of distributed computing II. BASIC CLOUD COMPUTING ARCHITECTURE resource or a resources where the task performs well.A. Cloud computing service models D. Cloud computing benefits • Cloud Software as a Service (SaaS): Application and Information clouds, Use providers applications over a Lower computer costs, improved performance, reduced network, cloud provider examples Zoho, software costs, instant software updates, improved document Salesforce.com, Google Apps. format compatibility, unlimited storage capacity, device independence, and increased data reliability • Cloud Platform as a Service (PaaS): Development clouds, Deploy customer-created applications to a E. Cloud computing drawbacks cloud, cloud provider examples Windows Azure, Google App Engine, Aptana Cloud. Requires a constant Internet connection, does not work well with low-speed connections, can be slow, features might be • Cloud Infrastructure as a Service (IaaS): Infrastructure limited, stored data might not be secure, and stored data can be clouds, Rent processing, storage, network capacity, and lost. other fundamental computing resources, Dropbox, Amazon Web Services, Mozy, Akamai. F. Cloud computing providers Amazon Web Services (AWS) -include Amazon S3,B. Cloud computing deployment models Amazon EC2, Amazon Simple-DB, Amazon SQS, Amazon • Private cloud: Enterprise owned or leased FPS, and others. Salesforce.com - Delivers businesses over the internet using the software as a service model. Google Apps - • Community cloud: Shared infrastructure for specific Software-as-a-service for business email, information sharing community and security. And others providers such as Microsoft Azure • Public cloud: Sold to the public, mega-scale Services Platform, Proof-point, Sun Open Cloud Platform, infrastructure Workday and etc.... • Hybrid cloud: Composition of two or more clouds Faculty of Computers and Information - Cairo University CC-13
The 8th International Conference on INFOrmatics and Systems (INFOS2012) - 14-16 May Cloud and Mobile Computing Track III. CLOUD COMPUTING SECURITY the data is? And who has access? Every cloud provider With cloud computing, all your data is stored on the cloud. encrypts the data in three types according to table 1.So cloud users ask some questions like: How secure is thecloud? Can unauthorized users gain access to your confidential TABLE I. DATA SECURITY [ENCRYPTION] IN CLOUD COMPUTINGdata? Storage Processing Transmission Symmetric encryption Homomophric encryption Secret socket layer SSL encryption AES-DES-3DES- Unpadded RSA- EIGamal SSL 1.0- SSL 3.0- Blowfish-MARS ... ... SSL 3.1-SSL 3.2... IV. METHODOLOGY A. Proposed data security model in cloud computing The model used three-layer system structure, in which each floor performs its own duty to ensure that the data security of cloud layers . The first layer: responsible for user authentication, almost this is two factor authentication, but free cloud providers use one factor as examples eyeos, cloudo, and freezoha. Figure 2. Security is a major concern to cloud computing The second layer: responsible for users data encryption, Cloud computing companies say that data is secure, but it is and protect the privacy of users through a certain way by usingtoo early to be completely sure of that. Only time will tell if one symmetric encryption algorithms. Also allow protectionyour data is secure in the cloud. Cloud security concerns from user.arising which both customer data and program are residing in The third layer: The user data for fast recovery this dependsprovider premises. Security is always a major concern in Open on the speed of decryption as shown in figure 4.System Architectures as shown in figure 2. To understand welldata security for cloud computing, you must read papers ofCSA (Cloud Security Alliance group). This group interested inall topics in cloud security as shown in figure 3. I Layer 1 layer 2 layer3 I Data Encryption http://ieeexploreprojects.blogspot.com J-Understand Cloud Architecture Governing in the Cloud 2- Governance & Risk Mgt Operating in the Cloud 8- Security, BCM, DR I I OTP Data Integrity Data Fast 3- Legal 9- Data Center Operations 4- Electronic Discovery 5- Compliance & Audit 10- Incident Response 11- Application Security I Authentication II I I Recovery I 6- Information Lifecycle Mgt 7- Portability & 12- Encryption & Key Mgt 13- Identity & Access Mgt I Private User Protection I Interoperability 14- Virtualization Figure 3. CSA domains  Figure 4. Proposed data security model in cloud computing While cost and ease of use are two great benefits of cloudcomputing, there are significant security concerns that need to We make improvement to data security model in cloudbe addressed when considering moving critical applications computing. We implement software to the cloud provider. Thisand sensitive data to public and shared cloud environments. To software is implemented with two factor authentication. Thisaddress these concerns, the cloud provider must develop software compares between eight modem encryptionsufficient controls to provide the same or a greater level of algorithms. This comparison based on Statistical Tests to getsecurity than the organization would have if the cloud were not the most security algorithms. This software gets the faster andused. the highest security algorithm based on cloud infrastructure. So we proposed to cloud provider the suitable, more securityA. Data security in cloud computing encryption algorithm to its platform. Finally, by this evaluation There are three types of data in cloud computing. The first we ensure that data retrieve faster to the user and ensuredata in transit (transmission data), the second data at rest security of user data.(storage data), and finally data in processing (processing data). In addition, we make software to the cloud user. This Clouds are massively complex systems can be reduced to software allows user to choose between eight encryptionsimple primitives that are replicated thousands of times and algorithms to ensure data security. This software gives thecommon functional units, These complexities create many cloud user some advices to select the most security or mostissues related to security as well as all aspects of Cloud security and faster algorithm that suitable to its cloudcomputing. So users always worry about its data and ask where infrastructure. Faculty of Computers and Information - Cairo University CC-14
The 8th International Conference on INFOrmatics and Systems (INFOS2012) - 14-16 May Cloud and Mobile Computing Track A proposed software solves some problems. This software B. Selection the highest encryption algorithm stepsimplements strong API access control, by using two way Sign up for Amazon web service to create an account.authentications. This software encrypts and protects data, ~y Lunch Micro instance Ubunto 10.11 (64 bit) Amazon EC2.using the highest security algorithm. This software analysis Connect to Amazon Ee2 Ubunto Micro Instance. Generate 128data prote~tion at lAAS, ,:e use Amazon EC2 as a case s~dy plain stream sequences as PRNG, each sequence is 7,929,856to run this software. This software ensures that protection bits in length (991232 bytes in length) and key stream (lengthalgorithm is highest security algorithm to satisfy the user, by of key 128 bits). Apply cryptography algorithms to get ciphersusing NIST statistical tests. This software Ensure faster text. Lunch Run NIST statistical tests for each sequence toretrieval, when using faster encryption/decryption algorithm eight encryption algorithms to get P-value Compare P-value to We use NIST statistical tests to get the highest security 0.01, ifp-value less than 0.01 then reject the sequence.encryption algorithm from eight al~orithms namely RC4, RC6, We compare between eight encryption methods based on P_MARS, AES, DES, 3DES, Two-FIsh, and Blowfish as s~own value, Rejection rate and finally based on time consuming forin figure 6. NIST Developed to test the randomness of binary each method.sequences produced by either hardware or software basedcryptographic random or pseudorandom number generators. We have 128 sequences (128-cipher text) for each eight- encryption algorithm. NIST statistical tests has 16 test namely The Frequency(Mon-obit) Test, Frequency Test within a Block, The Runs Each sequence has 7,929,856 bits in length (991232 bytesTest, Tests for the Longest-Run-of-Ones in a Block, The in length). Additionally, the P-values reported in the tables canBinary Matrix Rank Test, The Discrete Fourier Transform find in the results.txt files for each of the individual test - not in(Spectral) Test, The Non-overlapping Template Matching Test, thefinalAnalysisReport.txt file in NIST package.The Overlapping Template Matching Test, Maurers "Universal The P - value represents the probability of observing theStatistical" Test, The Linear Complexity Test, The Serial Test, value of the test statistic which is more extreme in the directionThe Approximate Entropy Test, The Cumulative Sums of non-randomness. P-value measures the support for the(Cusums) Test, The Random Excursions Test, and The randomness hypothesis on the basis of a particular testRandom Excursions Variant Test. Rejection Rate number of rejected sequences (P-value less than We also compare between eight encryption algorithms significance level a may be equal 0.01 or 0.1 or 0.05). Thebased on speed of encryption to achieve faster recovery. higher P-Value the better and vice versa with rejection rate, the lower the better . For each statistical test, a set of P-values (corresponding to the set of sequences) http://ieeexploreprojects.blogspot.com is produced. For a fixed significance level a, a certain percentage of P-values are expected to indicate failure. For example, if the significance level is chosen to be 0.01 (i.e., a 2:: 0.01), then about 1 % of the sequences are expected to fail. A sequence passes a statistical test whenever the P-value 2:: a and fails otherwise. We produce P-value, which small P-value(less than 0.01) support non-randomness. For example, if the sample consists of 128 sequences, the rejection rate should not exceed 4.657, or simply expressed 4 sequences with a = 0.01. The maximum number of rejections was computed using the formula : ( Figure 5. Steps to select the highest encryption algorithm We use Amazon EC2 as a case study of our software.Amazon EC2 Load your image onto S3 and register it. Boot Rejection rate #=s a + 3V~~J (1)your image from the Web Service. Open up the required portsfor your image. Connect to your image through SSH. And Where s is the sample size and is a is the significance level isfinally execute your application. chosen to be 0.01. For our experiment in a cloud computing environment, weuse Micro Instances of this Amazon EC2 family, provide a V. RESULTSsmall amount of consistent CPU resources, they are well suited We use NIST statistical tests to select the highest securityfor lower throughput applications, 613 MB memory, up to 2 algorithm. We use Amazon EC2 Micro instance as a platformEC2 Compute Units (for short periodic bursts), EBS (Elastic to apply our software. We use eight modem encryptionBlock Store) storage only from 1GB to 1TB, 64-bit platform, algorithms namely RC4, RC6, MARS, AES, DES, 3DES,low I/O Performance, t1.micro API name, We use Ubuntu Two-Fish, and Blowfish.Linux to run NIST Statistical test package [9-11]. The comparison between eight modem encryption algorithms performed based on P-value and rejection rate. Faculty of Computers and Information - Cairo University CC-15
The 8th International Conference on INFOrmatics and Systems (INFOS2012) - 14-16 May Cloud and Mobile Computing Track The number of rejection rate gets from equation 1. The We compare between security in traditional desktop andrejection rate is listed in table 2 for each encryption algorithm Amazon EC2 cloud. We find EC2 Amazon EC2 has advancedbased on NIST statistical tests. security technologies so it has a small number of P-value in the range less than 0.1, but the desktop has more P-value in the range less than 0.1 as shown in figure 9 and 10.Figure 6. Comparison between RC4, RC6, MARS, AES, DES, 3DES, Two- Fish, and Blowfish based on average P-value(forI28 samples) to get higher security. Figure 9. Histogram of P-value in Amazon EC2 http://ieeexploreprojects.blogspot.comFigure 7. Comparison between RC4, RC6, MARS, AES, DES, 3DES, Two-Fish, and Blowfish based on average Rejection rates (for 128 samples) to get Figure 10. Histogram ofP-value in traditional desktop higher security. AES is the highest security encryption algorithm based on VI. CONCLUSIONNIST test results (based on P-value or rejection rate) as shown We see that Amazon EC2 provider must use AES to ensurein figure 6 and 7. the most security in user data. We also compare between eight encryption algorithms We have three advices to the Amazon EC2 cloud user, thebased on the speed of encryption/decryption to get the faster first when you are not interested in higher security of the dataalgorithm as shown in figure 8. and interested about the performance of the algorithm. You must use blowfish or DES or AES which take the least time to encrypt data than others and ensure that data retrieve faster. The second advice to Amazon EC2 cloud users, when you are interested in higher security of the data. You must use AES which is the highest security algorithm. Finally the third advice, AES is suitable to Amazon EC2 which it is the most secured and also takes less time to encrypt. REFERENCES  Center Of The Protection Of National Infrastructure CPNI by Deloitte "Information Security Briefing 0112010 Cloud Computing", p.71 Published March 2010. Figure 8. Performance for 1.12 MB file size with 128 block size in AmazonEC2  Ian Foster, Yong Zhao, loan Raicu, Shiyong Lu," Cloud Computing and Grid Computing 360-Degree Compared " Grid Computing Environments Workshop, 2008. GCE 08 p.l0, published 16 Nov 2008. Faculty of Computers and Information - Cairo University CC-16
The 8th International Conference on INFOrmatics and Systems (INFOS2012) - 14-16 May Cloud and Mobile Computing Track  Jeremy Geelan, "Twenty-One Experts Define Cloud Computing", cloud www.cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf published computing journal, published JANUARY 24,2009. 11/14/2011  National Institute of Science and Technology. "The NIST Definition of  Luis M. Vaquero1, Luis Rodero-Merino1 , Juan Caceres1, Maik Cloud Computing".p.7. Retrieved July 24 2011. Lindner2 "A Break in the Clouds: Towards a Cloud Definition ", ACM  Ngongang Guy Mollet, "Cloud Computing Security" Thesis, p. 34 + 2 SIGCOMM Computer Communication Review, Volume 39, Number 1, appendices Published April 11, 2011. published January 2009  Rajkumar Buyya, Chee Shin Yeo, and Srikumar Venugopal, " Market-  John W. Rittinghouse James F. Ransome "Cloud Computing Oriented Cloud Computing: Vision, Hype, and Reality for Delivering IT Implementation, Management, and Security" book, published 17 Aug Services as Computing Utilities" Department of Computer Science and 2009. Software Engineering, University of Melbourne, Australia. p. 9.  Mark Baker, "An Introduction and Overview of Cloud Computing",43 Retrieved July 31 2008. slides, published 19th May, 09  Mladen A. Vouk "Cloud Computing- Issues, Research and  Cloud Security Alliance "Top Threats to Cloud Computing V 1.0" , Implementations" Journal of Computing and Information Technology - March 2010. CIT 16,2008,4,235-246  Andrew Rukhin, Juan Soto, James Nechvatal, Miles Smid,: "A  Dai Yuefa, Wu Bo, Gu Yaqiang, Zhang Quan, Tang Chaojing"Data Statistical Test Suite for Random and Pseudorandom Number Security Model for Cloud Computing"Proceedings of the 2009 Generators for Cryptographic Applications", April 2010 . International Workshop on Information Security and Application  Affiliation Juan Soto, National Institute of Standards and Technology (IWISA 2009) Qingdao, China, November 21-22,2009. 100 Bureau Drive, Stop 8930 Gaithersburg "Randomness Testing of the  Amazon EC2 API ," Amazon Elastic Compute Cloud Developer Guide Advanced Encryption Standard Candidate Algorithms". " http://docs.amazonwebservices.com/AWSEC2/2oo6-10-  Carolynn Burwick c , Don Coppersmith "The MARS Encryption oIlDeveloperGuide I Amazon Elastic Compute Cloud Developer Guide Algorithm" ,published August 27, 1999 published 2006-10-01  [Dawson, Helen Gustafson, Matt Henricksen, Bill Millan. " Evaluation  Amazon Web Services, "Amazon Simple Storage Service Developer of RC4 Stream Cipher , Information Security Research Centre Guide ", http://docs.amazonwebservices.com/AmazonS3/2006-03-0 II Queensland University of Technology", July 31, 2002 Amazon Simple Storage Service Developer Guide , published 2006-03- 01  W.Stallings, "Cryptography and Network Security 4th Ed," Prentice Hall , 2005,PP. 58-309 .  Amazon Web Services," Overview of Security Processes"  Coppersmith, D. "The Data Encryption Standard (DES) and Its Strength http://aws.typepad.com/aws/2oo9/08/introducing-amazon-virtual- Against Attacks. "I BM Journal of Research and Development, May private-cloud-vpc.html, September 2009. 1994,pp. 243 -250.  Cloud Security Alliance Guidance, "Security Guidance For Critical  Daemen, 1., and Rijmen, V. "Rijndael: The Advanced Encryption Areas of Focus In Cloud Computing Vl.0", Standard."D r. Dobbs Journal, March 2001,PP. 137-139. www.cloudsecurityalliance.orglguidance/csaguide.v1.0.pdf, published April 2009  Bruce Schneier. "The Blowfish Encryption Algorithm Retrieved ",October 25,2008,  Cloud Security Alliance Guidance," Security Guidance For Critical Areas of Focus In Cloud Computing V2.1",  John Kelseyy Doug Whitingz David Wagnerx Chris Hall, "Two_sh: A www.cloudsecurityalliance.orglguidance/csaguide.v2.1.pdf, published 128-Bit Block Cipher" http://ieeexploreprojects.blogspot.com,Niels Ferguson k, 15 June 1998 Dec 2009  http://www.csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-  Cloud Security Alliance Guidance, "Security Guidance For Critical v26.ppt Areas of Focus In Cloud Computing V3.0 TABLE II. COMPARISON BETWEEN RC4, RC6, MARS, AES, DES, 3DES, Two-FISH, AND BLOWFISH BASED ONREJECTION RATE TOGET HIGHEST SECURITYNIST RC6 RC4 AES MARS Two-Fish Blowfish 3DES DESTests Reject Accept Reject Accept Reject Accept Reject Accept Reject Accept Reject Accept Reject Accept Reject Accept 1 1 127 1 127 1 127 1 127 1 127 1 127 0 128 0 128 2 1 127 2 126 3 125 4 124 1 127 1 127 1 127 2 126 3 1 127 2 126 0 128 1 127 1 127 1 127 2 126 0 128 4 3 125 1 127 1 127 1 127 0 128 2 126 1 127 0 128 5 2 126 0 128 1 127 1 127 3 125 1 127 3 125 1 127 6 1 127 1 127 0 128 1 127 0 128 3 125 1 127 0 128 7 0 128 0 128 1 127 2 126 1 127 1 127 2 126 3 125 8 0 128 1 127 2 126 2 126 2 126 1 127 0 128 1 127 9 1 127 2 126 1 127 1 127 0 128 1 127 1 127 1 127 10 1 127 1 127 2 126 1 127 3 125 2 126 1 127 2 126 11 51 77 51 77 52 76 62 66 50 78 51 77 54 74 48 80 12 53 75 50 78 51 77 59 69 48 80 52 76 56 72 47 81 13 2 126 2 126 0 128 0 128 3 125 0 128 2 126 1 127 14 1 127 2 126 1 127 1 127 3 125 1 127 0 128 2 126 15 0 128 2 126 0 128 1 127 1 127 1 127 2 126 1 127 16 4 124 0 128 1 127 3 125 2 126 2 126 2 126 1 127 Faculty of Computers and Information - Cairo University CC-17