State-of-the-art Survey on Cloud Computing Security Challenges, Practices and Solutions
King Fahd University of Petroleum and Minerals, Dhahran, KSA
The 6th International Symposium on Applications of Ad hoc
and Sensor Networks
Cloud Computing Models
Security in the Cloud
Cloud Storage Security
Case Study: Amazon’s AWS Security
Implementation/Demo of SAFE
Cloud Computing: Highly scalable, technology-enabled services easily consumed over the
Internet on an as-needed basis.
Big Players: Amazon, Google, Microsoft, Yahoo, Sun, Salesforce.
The implementation differs with the type of service offered: SaaS, PaaS, IaaS, etc.
User data is processed and/or stored remotely in machines owned and operated by someone
Pros : Convenience, efficiency
Cons : Users’ fear of confidential data leakage and loss of privacy in the cloud.
Three main challenges in adopting cloud services:
How to identify a cloud provider that meets the user's privacy requirements?
Is the user's data actually handled as agreed by the parties?
CLOUD DEPLOYMENT MODELS
Public Cloud (Amazon AWS)
CLOUD SECURITY RISK FACTORS
Extensibility and Shared Responsibility
Service Level Agreement
CLOUD SECURITY MATRIX
Application & Interface Security
Audit Assurance & Compliance
Business Continuity Management & Operational Resilience
Change Control & Configuration Management
Data Security & Information Life-cycle Management
Encryption & Key Management
Governance and Risk Management
Identity & Access Management
Infrastructure & Virtualization Security
Interoperability & Portability
Security Incident Management, E-Discovery & Cloud
Supply Chain Management, Transparency and Accountability
Threat and Vulnerability Management
SECURITY AS A SERVICE
Identity Services and Access Management Services
Data Loss Prevention (DLP)
Intrusion Management, Detection, and Prevention
Security Information and Event Management (SIEM)
Business Continuity and Disaster Recovery
SOME CLOUD SECURITY ISSUES
The eDDoS (economic Distributed
Denial of Service)
Economic Denial of Sustainability
Cloud Storage Security and Privacy
Distributed Denial of Service (DDoS) attacks target web sites, hosted applications or network infrastructure by absorbing all available bandwidth and disrupting access for legitimate customers and partners.
An eDDoS (economic Distributed Denial of Service) in the cloud is caused by a DDoS attack that the elastic service simply absorbs: service to legitimate users is never restricted, but the customer is charged for the capacity the attack consumes. This leads to Economic Denial of Sustainability (EDoS), as the user will be billed for this undesired
Cloud Storage Model
New business solution for remote backup outsourcing
Reduces data management costs
Accessed through APIs, web-based user interfaces, and cloud storage gateways.
Cloud Storage Providers for individuals
Advantages of Cloud Storage
Multiple copies for fault tolerance
Active files: Oscar (an unauthorized party) should not be able to access the file.
Deleted files: are the files actually deleted by the provider when deletion is requested?
Avoid unauthorized access
policy-based access control
Unrecoverable deleted files
policy-based assured deletion
CASE STUDY: AMAZON WEB SERVICES
Compute (Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic MapReduce
(Amazon EMR), Auto Scaling, Elastic Load Balancing)
Networking (Amazon Virtual Private Cloud (Amazon VPC), Amazon Route 53, AWS Direct
Storage (Amazon S3, Amazon Glacier, Amazon Elastic Block Storage (EBS), AWS Storage Gateway, AWS
Content Delivery - Amazon CloudFront
Database (Amazon Relational Database Service (Amazon RDS), Amazon DynamoDB, Amazon
ElastiCache, Amazon Redshift)
Deployment & Management (AWS Identity and Access Management (IAM), Amazon
CloudWatch, AWS Elastic Beanstalk, AWS CloudFormation, AWS Data Pipeline, AWS OpsWorks)
Application Services (Amazon Simple Queue Service (Amazon SQS), Amazon Simple Notification
Service (Amazon SNS), Amazon Simple Workflow Service (Amazon SWF), Amazon Simple Email Service
(Amazon SES), Amazon CloudSearch, Amazon Elastic Transcoder)
AWS GENERAL SECURITY MEASURES
Certifications and accreditations
AWS INFRASTRUCTURE SECURITY (SHARED RESPONSIBILITY)
AWS Compliance Program (SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II), HIPAA)
Physical and Environmental Security
Fire detection, Power, temperature Control, Storage Device Decommissioning
Business Continuity Management (Availability, Incident Reporting, Communication)
Secure Network Architecture
Network Monitoring and Protection (protection against DDoS, MITM, IP spoofing, port scanning)
AWS Access (Account Review and Audit, background checks, Password policy)
Secure Design Principles
AWS Account Security Features
AWS Identity and Access Management (AWS IAM)
Key Management and Rotation
Temporary Security Credentials
AWS Multi‐Factor Authentication (AWS MFA)
AWS SECURITY BEST PRACTICES
Protect your data in transit
Protect your stored data
Protect your cloud account (AWS)
Manage multiple users with IAM
Secure your Applications
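As an added illustration of the first three practices (this is neither AWS's own text nor the poster's), an IAM identity policy that can be attached to an IAM group. It denies S3 access over plain HTTP (data in transit), denies object uploads that do not request server-side encryption (stored data), and denies every action except MFA enrolment to a session that was not authenticated with MFA (account protection). The bucket name is assumed; the condition keys are the standard AWS ones.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3WithoutTLS",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    },
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}
    },
    {
      "Sid": "DenyEverythingUnlessMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:ListMFADevices",
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
    }
  ]
}
```

Explicit Deny statements win over any Allow granted elsewhere, which is why the pattern is safe to combine with whatever permissions the group already has. BoolIfExists (rather than Bool) is deliberate in the MFA statement: long-term access keys never carry the aws:MultiFactorAuthPresent key at all, and the IfExists form still denies them, whereas a plain Bool would silently let them through.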
CONCLUSION
The revolution of cloud computing has provided opportunities for
research in all aspects of cloud computing.
Research on secure cloud storage is complicated by the fact that users' data may be kept at several locations, either for redundancy/fault tolerance or because the service is provided through a chain of service providers.
We explored the security measures adopted by the largest cloud service provider (Amazon Web Services, AWS), including its infrastructure security and the security best practices recommended by AWS.
ACKNOWLEDGEMENT
The support provided by the department of
Information and Computer Science and
Deanship of Scientific Research at King
Fahd University of Petroleum and Minerals
The Secure Access controlled File Encryption (SAFE) system is an overlay which
works seamlessly over the existing cloud storage services without any changes on
the cloud side. Furthermore, the implementation only requires basic data access
API functions like put (upload) and get (download).
In SAFE, a file is encrypted with a data key by the owner of the file, using the SAFE client. The data key is further encrypted with a secret key, which is in turn encrypted with a control key (the policy key) chosen according to the access control policy selected by the owner, with the help of a separate key server. The encrypted keys are stored in a separate metadata file alongside the encrypted data file.
The purpose of SAFE is to achieve policy-based access control and assured
SAFE client: This is an interface application between the client's (user's) storage system and the cloud storage. It communicates with the key server securely (over SSL) to request the appropriate cryptographic operations. The application performs all required upload, download, encryption and decryption
Key Server: This is a multi-threaded server application that provides all the backend services needed by SAFE clients. It uses an SSL socket to communicate with SAFE clients securely. It provides storage for users, policies and the corresponding public/private key pairs.
The owner of the file needs to select the proper policy for the file that is to be uploaded to the cloud. There are two types of policies:
1) Individual. Each user of the SAFE system is assigned a unique individual policy at the time he/she registers with the key server.
2) Group policy. Separate policies can be added for a group of users. For example, a department in a company can have a group policy so that the employees of that department can share files on the cloud: the owner of a file uploads it with the group policy assigned to that department. Similarly, there can be a group policy for a team project so that all members can share files related to the project.
SAFE uses three types of cryptographic keys to protect the data files stored on the cloud.
1) Data key. A data key is a random secret generated by a SAFE client. It is used to encrypt or decrypt data files with symmetric (AES) encryption.
2) Secret key. Like the data key, a secret key is generated by a SAFE client. It is used to encrypt or decrypt the data key with symmetric (AES) encryption.
3) Policy key. This key is associated with a particular policy. It is a public/private key pair maintained by the key server, and it is used to encrypt/decrypt the secret key of a file via RSA. To make a file unrecoverable (assured deletion), the corresponding policy is revoked, after which the key server will no longer decrypt secret keys wrapped under it.
UPLOAD OPERATION OF SAFE
The file upload function is shown below. The client first requests the public key Ppub of policy P from the key server. Then the client generates two random keys K and S and performs the encryptions eS(K), ePpub(S) and eK(F). Finally, the client sends eK(F), i.e. the encrypted file, together with P, eS(K) and ePpub(S) (as metadata) to the cloud. The client should then discard K and S. There will be two objects on the cloud: the encrypted client file and the corresponding metadata text file containing the policy and the related (encrypted) keys.
DOWNLOAD OPERATION OF SAFE
The client fetches the metadata file from the storage system to get P, eS(K) and ePpub(S). Then the client sends ePpub(S) to the key server for decryption. The key server decrypts it with the policy's private key and returns S = dPprv(ePpub(S)) to the client. The client can now decrypt eS(K) to get K. Finally, the client fetches the encrypted file eK(F) and decrypts it with K to obtain the original file F. The client should immediately discard K and S.
• Only the corresponding metadata file needs to be downloaded
• Update its last line (the secret key encrypted with the new policy key)
• Write back the modified metadata file
• There is no need to access the actual encrypted data
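The three-key scheme, the upload and download exchanges and the metadata-only policy change described above, written out as an added, runnable Go example (this is not the SAFE authors' Java implementation). The key server is modelled in-process instead of behind an SSL socket; the per-policy membership check in DecryptSecret is an assumption the poster does not spell out; AES-GCM and RSA-OAEP are the concrete modes chosen here, since the poster says only AES and RSA; and Meta is the in-memory form of the three-line metadata file (P, eS(K), ePpub(S)). Policy and user names are made up.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// policy is one SAFE policy as held by the key server: its RSA key pair and the users it
// covers. The membership set is an added assumption (the poster only says the server
// decrypts for SAFE clients); without it anyone who can read the metadata could ask for S.
type policy struct {
	key   *rsa.PrivateKey
	users map[string]bool
}

// KeyServer stands in for the SAFE key server, in-process here instead of behind an SSL socket.
type KeyServer struct{ policies map[string]*policy }

func NewKeyServer() *KeyServer { return &KeyServer{policies: map[string]*policy{}} }

// AddPolicy registers an individual or group policy and generates its key pair.
func (ks *KeyServer) AddPolicy(name string, users ...string) error {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	p := &policy{key: k, users: map[string]bool{}}
	for _, u := range users {
		p.users[u] = true
	}
	ks.policies[name] = p
	return nil
}

// PublicKey returns Ppub; it fails once the policy has been revoked.
func (ks *KeyServer) PublicKey(name string) (*rsa.PublicKey, error) {
	if p, ok := ks.policies[name]; ok {
		return &p.key.PublicKey, nil
	}
	return nil, errors.New("unknown or revoked policy: " + name)
}

// DecryptSecret returns S = dPprv(ePpub(S)), only to a user the (unrevoked) policy covers.
func (ks *KeyServer) DecryptSecret(user, name string, encS []byte) ([]byte, error) {
	p := ks.policies[name]
	if p == nil || !p.users[user] {
		return nil, errors.New("policy " + name + " is revoked or does not cover " + user)
	}
	return rsa.DecryptOAEP(sha256.New(), nil, p.key, encS, nil)
}

// Revoke discards the key pair: assured deletion of every file uploaded under the policy.
func (ks *KeyServer) Revoke(name string) { delete(ks.policies, name) }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable CSPRNG: nothing sensible a client can do
	}
	return b
}

// seal is AES-256-GCM with a fresh nonce prepended (the poster says AES; the mode is our choice).
func seal(key, pt []byte) []byte {
	blk, _ := aes.NewCipher(key) // key is always 32 bytes we just drew; an error here is a bug
	g, _ := cipher.NewGCM(blk)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}

func open(key, blob []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(blk) // cannot fail for an AES block
	if len(blob) < g.NonceSize() {
		return nil, errors.New("truncated ciphertext")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// Meta is what is stored beside eK(F): on the cloud a three-line text file holding
// P, eS(K) and ePpub(S); the last line is the only thing a policy change rewrites.
type Meta struct {
	Policy     string
	EncK, EncS []byte
}

// Upload: fetch Ppub, draw K and S, produce eK(F), eS(K) and ePpub(S). K and S exist only here.
func Upload(ks *KeyServer, name string, file []byte) ([]byte, Meta, error) {
	pub, err := ks.PublicKey(name)
	if err != nil {
		return nil, Meta{}, err
	}
	K, S := randBytes(32), randBytes(32)
	encS, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, S, nil)
	if err != nil {
		return nil, Meta{}, err
	}
	return seal(K, file), Meta{name, seal(S, K), encS}, nil
}

// Download: the only key-server round trip is the decryption of ePpub(S).
func Download(ks *KeyServer, user string, encFile []byte, m Meta) ([]byte, error) {
	S, err := ks.DecryptSecret(user, m.Policy, m.EncS)
	if err != nil {
		return nil, err
	}
	K, err := open(S, m.EncK)
	if err != nil {
		return nil, err
	}
	return open(K, encFile)
}

// ChangePolicy re-wraps S under the new Ppub; eK(F) is never fetched and eS(K) is reused as is.
func ChangePolicy(ks *KeyServer, user string, m Meta, newName string) (Meta, error) {
	S, err := ks.DecryptSecret(user, m.Policy, m.EncS)
	if err != nil {
		return Meta{}, err
	}
	pub, err := ks.PublicKey(newName)
	if err != nil {
		return Meta{}, err
	}
	encS, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, S, nil)
	return Meta{newName, m.EncK, encS}, err
}

func main() {
	ks := NewKeyServer()
	if err := ks.AddPolicy("dept-ics", "alice", "bob"); err != nil {
		panic(err)
	}
	enc, meta, _ := Upload(ks, "dept-ics", []byte("constructed sample document"))
	plain, _ := Download(ks, "bob", enc, meta)
	_, oscarErr := Download(ks, "oscar", enc, meta) // Oscar is not covered by the policy
	fmt.Printf("bob reads %q; oscar gets: %v\n", plain, oscarErr)
	ks.Revoke("dept-ics")
	_, gone := Download(ks, "bob", enc, meta)
	fmt.Println("after revocation bob gets:", gone)
}
```

Two properties of the design are visible in the code and worth keeping in mind when deploying something like it. The key server sees S in the clear on every download, so it is fully trusted for confidentiality of the key material even though it never touches the file; and because a policy change leaves eS(K) untouched, anyone who already recovered K under the old policy can still read the old ciphertext, so revocation and policy change only bound what future requests to the key server will yield.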
SAFE is implemented purely in Java, based on the design framework presented in the previous section. All libraries used are third-party or built-in Java libraries, including the following:
javax.swing (for the SAFE GUI)
com.amazonaws (for the Amazon S3 APIs)
com.dropbox (for the Dropbox APIs)
org.apache.log4j (for interactive on-screen and file logging)
javax.crypto and java.security for cryptographic operations such as AES/RSA encryption/decryption, key generation, etc.
Many other built-in libraries are used for file I/O and SSL socket programming, along with other external Java libraries used by Amazon and Dropbox
IMPLEMENTATION - METADATA
Here is an example of a metadata file generated after an upload to the cloud:
This metadata file is saved along with the encrypted file on the cloud with
IMPLEMENTATION - UPLOAD
2013-05-21 14:22:36 File will be uploaded from: C:Users
2013-05-21 14:22:36 Encrypting ..
2013-05-21 14:22:36 Uploading a new object to S3 ..
2013-05-21 14:22:38 Uploading the corresponding metadata ..
2013-05-21 14:22:39 Uploaded file: abc.pdf Done.
IMPLEMENTATION - DOWNLOAD
2013-05-22 05:51:26 Downloading the object metadata.
2013-05-22 05:51:24 Downloading the object
2013-05-22 05:51:26 File Name: abc.pdf
2013-05-22 05:51:27 Decrypting ..
2013-05-22 05:52:13 File will be saved to: C:abc.pdf