Cloud Storage and Security Overview Oussama Arki Abdelhafid Zitouni LIRE Laboratory, Constantine 2 University LIRE Laboratory, Constantine 2 University Ali Mendjli, 25000 Constantine, Algeria Ali Mendjli, 25000 Constantine, Algeria oussama.arki@univ-constantine2.dz abdelhafid.zitouni@univ-constantine2.dz for enabling ubiquitous, convenient, on-demand net- work access to a shared pool of configurable comput- Abstract ing resources (e.g., networks, servers, storage, appli- cations, and services) that can be rapidly provisioned Cloud storage is one of the cloud services, it and released with minimal management effort or ser- allows users to store and manage their data vice provider interaction” [PT11]. remotely in the cloud. Nowadays, cloud stor- Cloud storage is one of the cloud services, it allows age has become an attractive storage scheme the users to store and manage their data remotely in for users to store their data. When users store the cloud servers, Cloud storage is a model of net- their files remotely in a cloud storage system, worked online storage where data is stored on mul- they still worried about the security of their tiple virtual servers [PP13]. The cloud storage users files and the guarantee of the confidentiality are perplexed about how security can be guaranteed in and the integrity of them. In this work, we the cloud storage system. Moreover, they are worried propose a study of cloud storage and the prob- about hosting their sensitive data in the cloud storage lem of security in this service. For that, first, systems. The characteristics of cloud computing can we give an overview of this concept, second, create a serious data risk as the same resources are we talk about the problem of security in cloud used among the different users [CS16]. storage, and then we summarize the different The adaptation of cloud storage needs a good compre- techniques and methods that have been pro- hension of this service and the risks behind the out- posed in order to ensure the security in cloud sourcing of our sensitive data in the cloud. In this pa- storage systems. per, we give an overview of cloud storage system, and we discuss the problem of security in cloud storage, Keywords Cloud Storage, Information Security, and then we classify the existing techniques that aim Confidentiality, Integrity, Availability, Encryption . to secure the cloud storage into different categories. The rest of this paper is organised as follows. Sec- tion 2 is an overview of cloud storage systems. Section 1 Introduction 3 discusses the problem of security in cloud storage. In the last years, information technology has been In section 4, we classified the existing solutions which widely developed, aiming to increase the power of com- aim to secure the cloud storage. Finally, a conclusion puting and decrease their cost, which led to the emerg- is given in Section 5. ing of new technologies. In that context, cloud computing rapidly appeared s 2 Cloud Storage overview as IT solution of choice for many companies and in- The cloud storage is one of the cloud services, it can be dividuals. According to the national institute of stan- considered as a part of the infrastructure as a service, dards and technology, ”cloud computing is a model in this section we give a brief study of cloud storage. Copyright c by the paper’s authors. Copying permitted for private and academic purposes. 2.1 Cloud storage In: Proceedings of the 3rd Edition of the International Conference on Advanced Aspects of Software Engineering Cloud storage is a model of networked online stor- (ICAASE18), Constantine, Algeria, 1,2-December-2018, pub- age where data is stored on multiple virtual servers, lished at http://ceur-ws.org generally hosted by third parties, rather than being Page 26 Cloud Storage and Security Overview ICAASE'2018 hosted on dedicated servers [PP13] , It allows users to Basic cloud storage services are generally not de- store their data at remote disks and access them any- signed to be accessed directly by users but rather time from any place [VMB14]. Through based uses a incorporated into custom software using application Web-Cloud storage services may be accessed through a program-ming interfaces” (API). web service application programming interface(API), Advanced cloud storage services mostly employ or interface[PP13]. basic cloud storage services for the actual storage of data, and provide interfaces such as client or web ap- 2.2 Cloud Storage Architecture plications which greatly simplify the use of the service for the customer. Cloud storage architectures are primarily about de- livery of storage on demand in a highly scalable and multi-tenant way. Generically, cloud storage architec- tures consist of[VMB14] : 2.4 The Existing Interface for cloud Data front end that exports an API to access the stor- Storage age. In traditional storage systems, this API is the SCSI protocol; but in the cloud, these protocols are Since cloud Storage, cloud service providers began to evolving. There, you can find Web service front ends, make their own implementations available to users. As file-based front ends, and even more traditional front a result, a multitude of interfaces have been supplied ends. that have been re-purposed for cloud storage, such as the storage logic behind the front end is a layer block-based access via iSCSI; POSIX interfaces (NFS, of middleware that is called the storage logic. This CIFS, and WebDAV); object-based CRUD (Create, layer implements a variety of features, such as repli- Read, Update, Delete) interfaces over HTTP; and a cation and data reduction, over the traditional data- plethora of proprietary interfaces for database or table placement algorithms . access. Figure 02 presents the cloud storage existing back end implements the physical storage for data. interfaces[Zap12]. This may be an internal protocol that implements spe- cific features or a traditional back end to the physical disks. Figure 01 presents the cloud storage architec- ture. Figure 2: Existing Interfaces for Cloud Data Storage CDMI As cloud storage provides benefits , such as scalabil- ity and cost savings, the adoption of cloud storage is growing. However, each cloud storage provider offers Figure 1: Cloud Storage Architecture its own cloud storage interface. As a result, multi- ple standards exist, which locks clients into propri- etary solutions. The Storage Networking Industry As- sociation (SNIA)’s response has been to develop the 2.3 Definition of Cloud Storage Services Cloud Data Management Interface (CDMI), an exten- Many cloud storage providers are active on the market, sible standard that accommodates vendors’ require- offering various kinds of services to their customers. ments and ensures consistency and interoperability for This study distinguishes between two types of cloud users [Zap12]. Figure 03 shows the cloud storage ref- storage services[MTM+ 12]. erence model. International Conference on Advanced Aspects of Software Engineering Page 27 ICAASE, December, 01-02, 2018 Cloud Storage and Security Overview ICAASE'2018 used to enhance the availability [PS13]. 3.2 Security Challenges in Cloud Storage With adoption of a cloud model, users lose control over physical security. Security overall covers mainly three aspects: confidentiality, integrity and availability (CIA). These aspects are the top most considerations in designing a security measure to ensure maximum protection. [FVRG14]. -Securing access to protected data is restricted to certain level of user authorised to access it. This re- quires mechanisms to be in place to control the access of protected data. The foundation on which access control mechanisms are built starts with authentica- tion, authorization and encryption. -Protecting data from loss and leakage envolves in- Figure 3: Cloud Storage Reference Model [2] tegrity of many parties involved in providing the re- sources. It is suggested to practice auditing tech- 3 Cloud storage and security niques such as Proof-of-Retrivebility(POR) and Proof- In this section, we discuss the problem of cloud storage of-Data Possession(PDP) to enable verification. security. -High-available as access and data are getting se- cured, it is important to keep the hardware high- 3.1 Information Security available. The hardware is the infrastructure hosting the services to store data and information. Without This term means protecting information and informa- ensuring failover, the services are unable to meet the tion systems from unauthorized access, use, disclo- uptime and comply with service level managements. sure, disruption, modification, or destruction in or- der to provide integrity, confidentiality and availabil- 4 Cloud Storage Security Solutions ity. Here, integrity means guarding against improper and Techniques information modification or destruction and includes ensuring information non-repudiation and authentic- In the literature, many techniques and methods are ity. Confidentiality means preserving authorized re- proposed to provide cloud storage security. Those strictions on disclosure and access, including means techniques and methods can be classified into encryp- for defending proprietary and personal privacy infor- tion methods, identity and access management (IAM) mation. Availability means ensuring timely and reli- techniques, data protection techniques and availability able access to and use of information[LSMMM13]. techniques. -Confidentiality: It means keeping user data secret in the Cloud systems. It ensures that the data of 4.1 Ensuring Confidentiality the user, which reside in the Cloud, cannot be ac- Data confidentiality in cloud storage security refers to cessed by an unauthorized person. There are two ba- the property that information stored in the cloud stor- sic approaches to achieve such confidentiality, physi- age is not made available or disclosed to unauthorized cal isolation and cryptography. Confidentiality can be individuals, entities, or processes. Access control and achieved through proper encryption technique: sym- data encryption have been widely deployed to protect metric and asymmetric algorithms [PS13]. data confidentiality [CtLZ+ 14]. -Data Integrity: Data integrity is one of the most critical elements in any information system. Generally, 4.1.1 Encryption of data data integrity means protecting data from unautho- Cryptography is the art of keeping message secure by rized deletion, modification, or fabrication. Managing changing the data into non-readable forms [NAK16]. entitys admittance and rights to specific enterprise re- Traditional Cryptographic Techniques Tradi- sources ensures that valuable data and services are not tional cryptography consists of three algorithms, abused, misappropriated, or stolen [YJYG14]. Symmetric-key algorithms, Asymmetric-key algo- -Availability: Data should be available when it is rithms and Hashing : requested via the owner. It ensures that user can be able to use the service anytime from any place. Two • Asymmetric cryptography is a class of crypto- strategies called hardening and redundancy are mainly graphic algorithms which requires two separate International Conference on Advanced Aspects of Software Engineering Page 28 ICAASE, December, 01-02, 2018 Cloud Storage and Security Overview ICAASE'2018 keys, one of which is secret (or private) and one of of attributes to encrypt the data and only the au- which is public. Although different, the two parts thorized users who has the predicted or certain of this key pair are mathematically linked. The attributes can decrypt the data. public key is used to encrypt plaintext or to ver- ify a digital signature; whereas the private key is 4.1.2 Identity and Access Management (IAM) used to decrypt cipher text or to create a digital IAM remains one of the greatest challenges in cloud signature [ZAH+ 15]. computing, IAM refers to the processes, technologies, • Symmetric-key algorithms are a class of algo- and policies that manage access of identities to digital rithms for cryptography that use the same crypto- resources and determine what authorization identities graphic keys for both encryption of plaintext and have over these resources [EO16]. decryption of cipher text. The keys may be identi- Identity Management (IdM) is the process of cre- cal or there may be a simple transformation to go ating, managing, and using identities, and the infras- between the two keys. The keys, in practice, rep- tructure that provides support for these processes. In resent a shared secret between two or more parties IdM, each person or application is identified by a cre- that can be used to maintain a private informa- dential, which represents a set of attributes, issued by tion link [ZAH+ 15]. a reliable source [JCC17] • Identity in the Cloud Model: identity provider • A hash function takes a data of variable length and service provider merge also in this model. and produces a data of fixed length. It produces This means for the cloud case that the cloud ser- small and static length data which is unique for vice provider, which hosts the application, is also each data. The hash code is also specified as mes- responsible for the identity management [BTK14]. sage digest or Hash value. Any kind of change Figure 4 illustrates this model. to any bits in the data consequences in a huge alteration to the hash code [PPPS17]. Advanced Cryptographic Techniques In the beginning of the Cloud Computing, common encryp- tion Technique like Public Key Encryption was ap- plied. This traditional technique does not provide ex- pected result as it support one to one encryption type communication [RDD15]. • Searchable Encryption: A searchable encryption scheme is applied at high level in order to encrypt the content that is available in search index so Figure 4: The Identity in the Cloud Model that it can hidden from others except the party that provide the authorised tokens. • Identity to the Cloud Model: Also in this model, the identity provider takes over the tasks regard- • Homomorphic Encryption: the Homomorphic en- ing identity management for the service provider. cryption scheme allows executing computations However, the main difference in this model is that on the encrypted data. It is only of the advanced the service provider and its applications are cloud- cryptographic technique. It has a slow processing based [BTK14].Figure 5 illustrates this model. time during computation. • Identity based Encryption: In Identity Based En- cryption, an identity of the user plays a vital role. The sender who sends the message only needs to know the receivers identity attribute in order to send the encrypted messages. However, key revo- cation is not achieved in Identity Based Encryp- tion. • Attribute-based Encryption: Attribute-based En- cryption come up with access control. In At- Figure 5: The Identity to the Cloud Model tribute Based Encryption, data owner uses a set International Conference on Advanced Aspects of Software Engineering Page 29 ICAASE, December, 01-02, 2018 Cloud Storage and Security Overview ICAASE'2018 • Identity from the Cloud Model: The identity from • Federated Cloud Identity Broker Model: The the cloud model fully features the cloud comput- federated cloud identity broker model combines ing paradigm. In this case, both the cloud appli- the traditional federated identity model with the cation and the identity provider are operated in newly Cloud Identity Broker-Model. This com- the cloud. However, in contrast to the Identity bined model aims on eliminating the drawbacks in the Cloud-Model both entities are operated by of the central Cloud Identity Broker-Model. The distinct cloud service providers [BTK14]. Figure general architecture is illustrated in Figure 8, 6 illustrates this model. showing the federation of two different cloud iden- tity brokers. Compared to the simple Cloud Iden- tity Broker- Model, in this federated model users and service providers do not need to rely on one and the same identity broker. Actually, both the user and the service provider can rely on the in- dividual broker of their choice[BTK14]. Figure 6: The Identity from the Cloud Model • Cloud Identity Broker Model: The cloud iden- tity broker model can be seen as an exten- sion to the Identity from the Cloud-Model. In this Cloud Identity Broker-Model, the identity provider in the cloud acts now as an identity bro- ker in the cloud. In other words, the cloud iden- tity broker is some kind of hub between one or more service providers and one or more identity providers[BTK14].Figure 7 illustrates this model. Figure 8: The Federated Cloud Identity Broker Model Access Control Access control has been one of the key mechanisms to protect data confidentiality in tra- ditional data networks. It is designed to block unau- thorized users and malicious hackers from accessing data [CtLZ+ 14]: • Attribute-Based Access Control (ABAC): it is based in attribute-based encryption (ABE).In ABAC model, access is granted based on at- tributes of the user. When applied to cloud stor- age, access control is enforced on data encrypted using ABE schemes. In an ABE system, a users keys and ciphertexts are labeled with sets of de- scriptive attributes. A particular key can decrypt a particular ciphertext only if there is a match between the attributes of the ciphertext and the users key [CtLZ+ 14]. • Role Besed Access Controle(RBAC): has also been commonly adopted in traditional storage Figure 7: The Cloud Identity Broker Model system in order to simplify management of per- missions. Its access policy is determined based International Conference on Advanced Aspects of Software Engineering Page 30 ICAASE, December, 01-02, 2018 Cloud Storage and Security Overview ICAASE'2018 on different roles assigned to users by the system, purpose of read/write speed improvement or reliabil- while the data owner can specify a set of permis- ity of stored data enhancement, or both . There are 2 sions of their data to different roles. By separation implementations of RAID [MPNL16]: the tasks of role assignment and permission as- Hardware RAID requires a RAID controller that signment, RBAC is much more efficient and scal- controls Input/Output. Hardware RAID is used for able compared to other access control based on host servers. It is high-performance yet expensive. individual users, because the number of roles are Software RAID: The operating system controls usually significantly less than the number of users Input/Output. Software RAID is implemented on [CtLZ+ 14] . computers to boost the performance with low-cost solution. 4.2 Data Protection RAID Levels RAID uses many different architecture called levels, A number of different techniques and mechanisms have each level have a different scenario of disk and storage been proposed and designed for cloud data integrity technique, depending on the balance between fault verification process. The mainstream of research in tolerance and performance. In cloud architecture this field belongs to POR and Provable Data Posses- levels of RAID describe how data distributed across sion (PDP). The two methods originally emerged with the drives, there are 7 levels of RAID with different a similar concept but different approaches [CtLZ+ 14] features, established on two basis levels RAID 0 and .These techniques allow detecting data integrity dam- RAID 1 [MPNL16]. ages without requiring a copy of the user local data. RAID 0: RAID 0 consists of at least 2 similar disks, The idea was to encode the protocol with the data be- which creates an array of n disks (n ≥ 2). Data is fore storing it[FVRG14]. split up evenly and get written across all devices in Provable Data Possesion (PDP):In this client pre- the array. Each disk stores 1/n data. The size of the computes tags for each block of a file. Then stores the array is the size of the smallest drive multiples the file and its tags with a server. Later the client can number of drives . Advantages: Read/Write transfer verify that the server possesses the file by generating rate enhancement: Each disk has to Read/Write 1/n a random challenge against a randomly selected set of of the data. Theoretically, performance is n times file blocks. Using the queried blocks and their corre- higher. Disadvantages: Lower reliability. If one drive sponding tags, the server generates a proof of posses- fails, all data in RAID 0 array is lost. Data loss rate of sion. The client is thus convinced of data possession, RAID 0 array is n times higher than the single-disks. without actually having to retrieve file blocks [CGB14] Figure 9 shows the RAID 0 model. Proof of Retrievability (PoR):In this scheme ,first file is divided into blocks and then encoded with error correcting codes. Then check blocks called sentinels are embedded for each block. Encryption is performed to make check blocks indistinguishable from other file blocks. The verifier challenges the prover by specifying the positions of a collection of sentinels. The prover returns the respective sentinels. If prover has modi- fied or deleted a substantial portion of file, then with high probability , it will have also suppressed a num- ber of sentinels. Using error correcting code file can be recovered. otherwise it is tampered [CGB14]. Figure 9: RAID 0 Storage Level 4.3 Cloud Storage Availability RAID 1: This is the simplest RAID level that Availability refers to the system uptime and the provides data reliability. Like RAID 0, RAID 1 system capability to operate continuously. Different requires at least 2 drives to operate. Data are stored techniques can be implemented to increase the system twice in 2 drives (Mirroring). If one disk fails, the availability [WMF17].In the cloud data is stored using other will continue to operate. Therefore, broken RAID (Redundant Array of Independent Disk). It drive can be replaced without any worry of data provide way to store same data in different places in loss. RAID 1 is not high-performance; however, it multiple disk (Redundantly) [Gor16]. is essential for administrations and individuals that RAID Features in Data Storage manage important data. An RAID 1 array capacity is RAID is a technology that combines independent the size of a single drive. Figure 10 shows the RAID physical disk drives into a single hard drive for the 1 model. International Conference on Advanced Aspects of Software Engineering Page 31 ICAASE, December, 01-02, 2018 Cloud Storage and Security Overview ICAASE'2018 Table 1: Cloud Storage Security Techniques. Cloud Data Storage Security Techniques Symmetric Traditional Asymmetric Hashing Encryption searchable Holomorphic Advanced Role based Attribute Identity in the Cloud- Figure 10: RAID 1 Storage Level Model Identity to the Cloud- RAID 10: RAID 10 combines the approaches of Identity Model RAID 1 and RAID 0. It requires a minimum of Identity Management Identity from the Cloud- 4 drives to set up an RAID 10 array. Data are and Model written on 4 drives at the same time: using Striping Access Cloud Identity Broker- (RAID 0) on 2 drives, and using Mirroring (Raid Management Model 1) on the two others.RAID 10 is fast and secure. Federated Cloud Identity Performance are improved while reliability is ensured Broker-Model even if 1 drive fails. However, RAID 10 has its dis- Attribute-based access advantages of high cost, effective space is 1/2 of total Access control (ABAC) size of 4 drives . Figure 11 shows the RAID 10 model. Control Role-based access con- trol (RBAC) Provable Data Possesion (PDP) Integrity Proof of Retrievability (PoR) Hardware RAID Availability RAID Software RAID References [BTK14] Zwattendorfer Bernd, Zefferer Thomas, and Stranacher Klaus. An overview of cloud identity management-models. In 10th International Conference on Web Figure 11: RAID 10 Storage Level Information Systems and Technologies (WEBIST), pages 3–6, 2014. [CGB14] V. Desai Charmee and Jethava Gord- 5 Conclusion han B. Survey on data integrity checking In cloud storage systems, there is always a big concern techniques in cloud data storage. Inter- about data security. The guarantee of security is the national Journal of Advanced Research main challenge for the cloud storage provider. First; in Computer Science and Software En- they have to secure the access to the user’s data, sec- gineering, 4(12):293, December 2014. ond; they have to guarantee the integrity of this data, [CS16] Prakash Chandan and Dasgupta Sura- and then; they have to provide a continuous and per- jit. Cloud computing security analy- manent access to this data. In this paper, we gave sis: Challenges and possible solutions. an overview of cloud storage and security. In the first In International Conference on Electri- step; we provided a whole study of this service; like cal, Electronics, and Optimization Tech- the definition, it’s architecture and the different forms niques (ICEEOT), page 3, 2016. of this service. In the second step; we discussed the problem of security in this service. In the last step, [CtLZ+ 14] Huang Chun-ting, Huang Lei, Qin we summarized the cloud storage security technique Zhongyuan, Yuan Hang, Zhou Lan, according to the CIA properties of security. Table 1 Varadharajan Vijay, and Jay Kuo C.- summirizes the cloud storage security solutions and C. Survey on securing data storage techniques. in the cloud. APSIPA Transactions International Conference on Advanced Aspects of Software Engineering Page 32 ICAASE, December, 01-02, 2018 Cloud Storage and Security Overview ICAASE'2018 on Signal and Information Processing, [PPPS17] Parisha, Khanna Pooja, Sharma Puneet, 3(2014):4,7–9, May 2014. and Rizvi Sheenu. Hash function based data partitioning in cloud computing for [EO16] Sturrus Edwin and Kulikova Olga. Iden- secured cloud storage. Int. Journal of tity and Access Management. Encyclo- Engineering Research and Application, pedia of Cloud Computing, 2016. 7(7):3, July 2017. [FVRG14] Yahya F., Chang V., Walters R.J., and [PS13] Yadav Poonam and Sujata. Security is- Wills G.B. Security challenges in cloud sues in cloud computing solution of ddos storage. In IEEE 6th International Con- and introducing two-tier captcha. Inter- ference on Cloud Computing Technology national Journal on Cloud Computing: and Science, pages 1052–1054, 2014. Services and Architecture (IJCCSA), [Gor16] Ranvir Gorai. Deep dive into cloud com- 3(3):29, June 2013. puting. International Journal of Re- search in Engineering, Technology and [PT11] Mell Peter and Grance Timothy. The Science, VI(Special Issue):4, July 2016. nist definition of cloud computing. Tech- nical report, National Institute of Stan- [JCC17] Werner Jorge, Merkle Westphall Carla, dards and Technology, September 2011. and Becker Westphall Carlos. Cloud identity management: a survey on pri- [RDD15] Kirubakaramoorthi R., Arivazhagan D., vacy strategies. Computer Networks, and Helen D. Survey on encryption 122:3–4, July 2017. techniques used to secure cloud storage system. Indian Journal of Science and [LSMMM13] Akter Lipi, Rahman S M Monzurur, Technology, 36(8):2–4, December 2015. and Hasan Md. Information security in cloud computing. International Journal [VMB14] Spoorthy V., Mamatha M., and San- of Information Technology Convergence thosh Kumar B. A survey on data stor- and Services (IJITCS), 3(4):18, August age and security in cloud computing. 2013. International Journal of Computer Sci- ence and Mobile Computing, 3(6):307– [MPNL16] Le Quang Minh, Huy Anh Phan, 311, June 2014. Anh Chuyen Nguyen, and Khanh Duong Le. Research on enhancing security in [WMF17] Bajaber Wejdan, AlQulaity Manahil, cloud data storage. In ICTA: Interna- and S. Alotaibi Fahd. Different tech- tional Conference on Advances in Infor- niques to ensure high availability in mation and Communication Technology, cloud computing. International Journal pages 511–512, 2016. of Advanced Research in Computer and Communication Engineering, 6(11):6, [MTM+ 12] Borgmann Moritz, Hahn Tobias, Herfert November 2017. Michael, Kunz Thomas, Richter Mar- cel, Viebeg Ursula, and Vowe Sven. On [YJYG14] Sun Yunchuan, Zhang Junsheng, Xiong the security of cloud storage services. Yongping, and Zhu Guangyu. Data secu- Technical report, Fraunhofer Institute rity and privacy in cloud computing. In- for Secure Information Technology SIT, ternational Journal of Distributed Sen- March 2012. sor Networks, 2014:3, 2014. [NAK16] Hassan Hussein Nidal, Khalid Ahmed, [ZAH+ 15] Kartit Zaid, Azougaghe Ali, Idrissi and Khanfar Khalid. A survey of cryp- H.Kamal, Marraki M.El, Hedabou M., tography cloud storage techniques. Int. Belkasmi M., and Kartit A. Applying Journal of Computer Science & Mobile encryption algorithm for data security in Computing, 5(2):186, February 2016. cloud storage. In The International Sym- posium on Ubiquitous Networking, pages [PP13] O. Balbudhe Pravin and O. Balbudhe 6–7, 2015. Pradip. Cloud storage reference model for cloud computing. International [Zap12] Vytautas Zapolskas. Securing cloud Journal of IT, Engineering and Applied storage service. Master’s thesis, KTH Sciences Research (IJIEASR), 2(3):83, Royal Institute of Technology, 2012. March 2013. International Conference on Advanced Aspects of Software Engineering Page 33 ICAASE, December, 01-02, 2018