INTERNATIONAL CONFERENCE ON CURRENT INNOVATIONS IN ENGINEERING AND TECHNOLOGY

ISBN: 378 - 26 - 138420 - 5

Secure data storage against attacks in cloud environment using Defence in Depth

Naresh.G
(Audisankara College Of Engineering And Technology)

INTERNATIONAL ASSOCIATION OF ENGINEERING & TECHNOLOGY FOR SKILL DEVELOPMENT
www.iaetsd.in

Abstract- Cloud computing is an emerging technology which offers various services in a low-cost and flexible manner. One of the most important service models is Data Storage as a Service (DaaS), in which users can remotely store their data and enjoy on-demand access using high quality applications. Cloud computing faces many devastating problems in ensuring proper physical, logical and personnel security controls. While moving large volumes of data and software, the management of the data and services may not be fully trustworthy. In this paper, we mainly focus on the security features of data storage in the presence of threats and attacks, and on solutions. The paper also proposes an effective and flexible distributed scheme with two salient features compared to its predecessors.

Index terms- Cloud Computing, storage correctness, Data Storage as a Service.

I. INTRODUCTION

Cloud computing is the delivery of computing as a service rather than a product, whereby widely shared resources, software and information are provided to the IT industry over a network. Cloud can be classified as public, private or hybrid, etc. Meanwhile, the emerging trend of outsourcing data storage at third parties has attracted attention from both research and industry organizations. The outsourced storage makes shared data and resources much more accessible, as users can access them from anywhere.

On the other hand, security remains the important issue that concerns the privacy of users. A major challenge for any comprehensive access control solution for outsourced data is to handle the user requests for resources according to the specified security policies. Several solutions have been proposed in the past, but most of them don't consider protecting the privacy of the policies and user access patterns.

In this paper we address the main aspects related to security of cloud storage. It presents an attempt to propose an effective and flexible security policy and procedure explicitly to enhance data storage security in the cloud.

II. THREATS AND ATTACKS FROM STORAGE PERSPECTIVES

While the benefits of storage networks have been widely acknowledged, consolidation of enterprise data on networked storage poses significant security risks. Hackers adept at exploiting network-layer vulnerabilities can now explore deeper strata of corporate information.

Following is a brief listing of some major drivers for implementing security for networked storage, from the perspective of challenging threats and attacks:

o Perimeter defence strategies focus on protection from external threats. With the number of security attacks on the rise, relying on perimeter defence alone is not sufficient to protect enterprise data, and a single security breach can cripple a business [7].

o The number of internal attacks is on the rise, thereby threatening NAS/SAN deployments that are part of the trusted corporate networks [8]. Reports such as the CSI/FBI's annual Computer Crime & Security Survey help quantify the significant threat caused by data theft.

o The problem of incorrectness of data storage in the cloud. The data stored in the cloud may be updated by the users, including insertion, deletion, modification, appending, reordering, etc.

o Individual users' data is redundantly stored in multiple physical locations to further reduce the data integrity threats.

o Moreover, risks due to compromised storage range from tangible loss, such as business discontinuity in the form of information downtime, to intangibles such as the loss of stature as a secure business partner. With the number of reported security attacks on the rise, a firm understanding of networked storage solutions is a precursor to determining and mitigating security risks.

III. SYSTEM DESIGN

a) System Model

Cloud networking can be illustrated by three different network entities:

User: who has data to be stored in the cloud and relies on the cloud for data computation; users consist of both individual consumers and organizations.

Cloud Service Provider (CSP): who has significant resources and expertise in building and managing distributed cloud storage servers, and owns and operates live Cloud Computing systems.

Third Party Auditor (TPA): who has expertise and capabilities that users may not have, and is trusted to assess and expose the risk of cloud storage services on behalf of the users upon request.

b) Adversary Model

There are two different sources of security threats faced by cloud data storage.

1. The CSP can be self-interested, untrusted and possibly malicious. It may move data that is rarely accessed to a lower tier of storage for monetary reasons, but it may also hide a data loss incident due to management errors, Byzantine failures and so on.

2. An economically motivated adversary, who has the capability to compromise a number of cloud data storage servers in different time intervals and subsequently is able to modify or delete users' data while remaining undetected by the CSP for a certain period.

There are two types of adversary:

Weak Adversary: The adversary is interested in corrupting the users' data files stored on individual servers. Once a server is compromised, an adversary can pollute the original data files by modifying or introducing its own fraudulent data to prevent the original data from being retrieved by the user.

Strong Adversary: This is the worst case scenario, in which we assume that the adversary can compromise all the storage servers, so that he can intentionally modify the data files as long as they are internally consistent.

IV. PROPOSED SOLUTIONS

Control Access Data Storage includes the necessary policies, processes and control activities for the delivery of each of the data service offerings. The collective control of Data Storage encompasses the users, processes and technology necessary to maintain an environment that supports the effectiveness of specific controls and the control frameworks. The security, correctness and availability of the data files being stored on the distributed cloud servers must be guaranteed by the following:

o Providing Security Policy and Procedure for Data Storage

Defence in Depth (referred to as DiD in this paper) is an excellent framework advocating a layered approach to defending against attacks, thereby mitigating risks.

Layer 1: Devices on the Storage Network

The following risk-mitigation measures are recommended:

o Authentication schemes provisioned by the operating system should be evaluated. Schemes utilizing public-private key based authentication, such as SSH or Kerberos, also encrypt authentication communications on the network.

o Authentication using Access Control Lists (ACL) to set up role-based access and appropriate permissions will enhance security.

o Strong password schemes, like minimum length and periodic change of passwords, should be enforced. The default user name and passwords that are configured on the device should be changed.

o Constant monitoring of published OS vulnerabilities, using vulnerability databases, the SANS Security Alert Consensus newsletter and the NAS vendor's support site, is a necessity to prepare for possible attacks.

o Logging and auditing controls should be implemented to prevent unauthorized use, track usage and support incident response.

Layer 2: Network Connectivity

NAS appliances face similar vulnerabilities as IP based network devices. Common techniques used to protect IP networks are also applicable to the storage network:

o Extending network perimeter defence strategies, like using a firewall and IDS device to filter traffic reaching the NAS appliance, will increase protection.

o Use VLANs for segregating traffic to the NAS appliances.

o Separate and isolate the management interface from the storage network, thus enforcing out-of-band management, which is more secure.

o Monitor traffic patterns on the data interfaces of the NAS devices for unusual activity.

Layer 3: Management Access

Management access is a significant source of attack. To address the vulnerabilities, the following guidelines help:

o Disable the use of telnet and HTTP and enforce management access through SSH and HTTPS for encrypted communication.

o Create separate user accounts based on the management tasks assigned to the users.

o Implement authentication mechanisms like two-factor authentication using tokens, biometrics, etc.

o Strong password schemes, like minimum length passwords and periodic change of passwords, should be enforced.

o Implement strong authorization using Access Control Lists to set up role based access and appropriate permissions.

a) Correctness verification

Error localization is a key prerequisite for eliminating errors in storage systems. We can do that by integrating correctness verification and error localization in our challenge-response protocol. The response values from servers for each challenge not only determine the correctness of the distributed storage, but also contain information to locate the error.
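The challenge-response verification sketched above, written out as an added example (this is not the paper's own code): before upload the owner pre-computes, for each future challenge round, an HMAC token over every original block; at challenge time the verifier (owner or TPA) reveals that round's key, each server recomputes the HMAC over the blocks it actually holds, and any response that does not match its token both detects corruption and names the server and block index (error localization). The per-round token construction, the block contents, the server names and the ROUNDS constant are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample input: one file split into four blocks, replicated to three servers.
BLOCKS = [b"block-0 payroll", b"block-1 ledger", b"block-2 invoices", b"block-3 archive"]
ROUNDS = 4  # number of future challenges the owner pre-computes tokens for (assumption)


def round_key(master_key, r):
    """Per-round key k_r; revealing k_r for round r exposes nothing about other rounds."""
    return hmac.new(master_key, b"round:%d" % r, hashlib.sha256).digest()


def precompute_tokens(master_key, blocks):
    """Owner side, before upload: tokens[r][i] = HMAC(k_r, block_i).
    The owner keeps only these small digests; the blocks themselves go to the servers."""
    return [[hmac.new(round_key(master_key, r), blk, hashlib.sha256).digest() for blk in blocks]
            for r in range(ROUNDS)]


def server_respond(stored_blocks, k_r, indices):
    """Server side: recompute HMAC(k_r, block_i) over whatever the server holds now."""
    return [hmac.new(k_r, stored_blocks[i], hashlib.sha256).digest() for i in indices]


def challenge(master_key, tokens, servers, r, indices):
    """Verifier side for round r. Returns {server_name: [corrupted block indices]};
    an empty list means every challenged block on that server matched its token.
    Tokens were computed over the original blocks, so a server cannot pass by returning
    internally consistent but modified data (the paper's strong adversary) unless it
    still holds the originals."""
    k_r = round_key(master_key, r)
    report = {}
    for name, stored in servers.items():
        responses = server_respond(stored, k_r, indices)
        report[name] = [i for i, resp in zip(indices, responses)
                        if not hmac.compare_digest(tokens[r][i], resp)]
    return report


def demo():
    """Weak-adversary scenario: server B is compromised and its copy of block 2 is altered."""
    master = secrets.token_bytes(32)
    tokens = precompute_tokens(master, BLOCKS)
    servers = {"A": list(BLOCKS), "B": list(BLOCKS), "C": list(BLOCKS)}
    servers["B"][2] = b"block-2 invoices (tampered)"
    # In practice the challenged indices are sampled at random per round; fixed here for clarity.
    return challenge(master, tokens, servers, r=0, indices=[0, 2, 3])  # {'A': [], 'B': [2], 'C': []}
```

Calling demo() reports server B with block 2 as the only mismatch; servers A and C pass the same challenge untouched.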


b) Reliability of the analysis strategy

The reliability of the secure data storage strategy depends on the security procedure and the backup data coefficients. When one or more nodes cannot be accessed, the secure strategy can ensure that the data will be restored as long as one of the k nodes can be accessed. However, traditional data storage methods require all the data in the k nodes to be retrieved. Thus, the more blocks the data are split into, the poorer the reliability of traditional data storage.
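The reliability comparison above, carried through as an added derivation (not part of the paper), under the assumption, which the paper does not state, that the k nodes fail independently and each is reachable with probability p:

```latex
% Secure strategy: restoration succeeds if at least one of the k nodes is reachable.
P_{\mathrm{secure}}(k) \;=\; 1 - (1-p)^{k}

% Traditional strategy: every one of the k nodes holding a piece must be reachable.
P_{\mathrm{trad}}(k) \;=\; p^{k}

% For 0 < p < 1, p^k decreases in k while 1-(1-p)^k increases towards 1:
\lim_{k \to \infty} P_{\mathrm{trad}}(k) = 0, \qquad \lim_{k \to \infty} P_{\mathrm{secure}}(k) = 1

% Numerical check with constructed values p = 0.9, k = 5:
P_{\mathrm{trad}}(5) = 0.9^{5} = 0.59049, \qquad P_{\mathrm{secure}}(5) = 1 - 0.1^{5} = 0.99999
```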

V. CONCLUSION

This paper suggests a methodical application of defence in depth security techniques that can help allay security risks in networked storage. More importantly, a defence in depth based networked storage security policy provides a comprehensive framework to thwart future attacks, as the current technologies are more clearly understood.

REFERENCES

[1] What is Cloud Computing? Retrieved April 6, 2011, available at: http://www.microsoft.com/business/engb/solutions/Pages/Cloud.aspx
[2] EMC, Information-Centric Security. http://www.idc.pt/resources/PPTs/2007/IT&Internet_Security/12.EMC.pdf
[3] End-User Privacy in Human-Computer Interaction. http://www.cs.cmu.edu/~jasonh/publications/fnt-enduser-privacy-in-human-computerinteractionfinal.pdf
[4] ESG White Paper, The Information-Centric Security Architecture. http://japan.emc.com/collateral/analystreports/emc-white-paper-v4-4-21-2006.pdf
[5] Subashini S, Kavitha V., A survey on security issues in service delivery models of cloud computing, Journal of Network and Computer Applications, vol. 34, issue 1, January 2011, pp. 1-11.