Securing Storage as a Service Model of Cloud Computing using Client Authentication in Virtualized Environment




Maria Andleeb Siddiqui 1 and Hammad Kamal 2
1 Lab Engineer, D.H.A Suffa University, Karachi, Pakistan.
2 Assistant Divisional Engineer, National Telecommunication Corporation, Karachi, Pakistan.
1 m.siddiqui@dsu.edu.pk, 2 hammad.kamal@ntc.org.pk

Syed Abbas Ali
N.E.D University of Engineering & Technology, Karachi, Pakistan.
saaj.scholar@yahoo.com

Abstract

One of the most difficult tasks in cloud computing is to implement security, because of the different types of network attacks on hardware components and applications. Storage as a service (STaaS) is an architecture model in cloud computing that can be used to solve offsite backup challenges and is implemented as a business model in which a service provider rents space in its storage infrastructure on a subscription basis. This research paper proposes an approach for securing the storage as a service model based on client authentication before accessing the service, using digital signatures and incorporating the virtualization aspect of cloud computing. The methodology of the proposed approach can be divided into two phases: implementation of virtual machines using VMware, and providing a secure approach for data access and storage in a virtualized environment by ensuring client authentication over an internet model using Cisco 3700 series routers in GNS3.

Index Terms

Storage as a Service, Client authentication, VMware, security, Certificate Authority, SAN.

I. INTRODUCTION

We live in an age of highly flexible IT infrastructures. Flexibility is now a common need, and the most important pillar of IT infrastructure all over the world is virtualization, a core technology in cloud computing. Virtualization involves an encapsulating software layer (a hypervisor or virtual machine monitor) that surrounds an OS and provides the same input, output and behavior as an actual physical device [1].

Today, around the globe, cloud computing is top of mind with IT organizations. The capability of delivering storage as a service is a cornerstone on the road to cloud computing. That's because cloud computing places new demands on storage infrastructure. STaaS helps users to store their data on a remote disk, and they can also access the data at any time from any place. A cloud storage system helps to meet the several rigorous requirements for maintaining users' data and information. These requirements include availability, reliability, performance, replication and data consistency, and they are highly conflicting, so that no one system implements all of them together. There are three cloud delivery models, i.e. IaaS, PaaS and SaaS, and four main cloud storage models, i.e. Private, Hybrid, Public and Community Clouds, used for cloud computing architecture [2].

Two well-known pioneers and examples of cloud computing are Amazon Simple Storage Service (S3) and Amazon Elastic Compute Cloud (EC2). These Internet-based online services perform two main tasks simultaneously: they provide huge amounts of storage space and customizable computing resources, and at the same time they eliminate the responsibility of local machines for data maintenance. The biggest obstacle to the adoption of cloud computing is the security concern, because all information and data (including reallocation of data and the security management level) are completely under the control of cloud service providers. CSA, ENISA and NIST have published general security recommendations and guidance for cloud usage in order to provide the same level of protection, ranging from physical security to network/system/application security [3]. Encryption is the best option for securing data access and storage.

Authentication and integrity protection mechanisms ensure that data is transmitted without modification of its contents, whereas user authentication is the primary basis for access control and cloud deployment.

Fig. 1 Cloud Delivery Models.

Fig. 2 Description of Cloud Storage Model.

Access control and authentication are the two most significant parameters in a cloud computing environment, because the cloud and all of its data are accessible to anyone over the Internet. Table I shows possible security threats to cloud storage that lead to authentication failure.

TABLE I. LIST OF POSSIBLE THREATS THAT LEAD TO AUTHENTICATION FAILURE

Threat: Account or service traffic hijacking
Description: The attackers can access the credential information of users, return falsified information, manipulate data, redirect the clients to illegitimate sites and eavesdrop on transactions and activities. The account or service instances eventually become the new base for the attacker.
Risk Analysis: Tampering with Data, Repudiation, Information Disclosure, Elevation of Privilege, Spoofing Identity.
Implication: The top threat is account and service hijacking with stolen credentials. Attackers often make use of these credentials to access the critical areas of cloud computing services.

Threat: APIs and insecure interfaces
Description: Cloud computing providers expose a set of software interfaces or APIs that customers use to manage and interact with cloud services. Provisioning, management, orchestration and monitoring are performed with the help of these interfaces. The security and availability of general cloud services depend on the security of these basic APIs. Protection against both accidental and malicious attempts to circumvent policy, from authentication and access control to encryption and activity monitoring, depends on the proper design of these APIs.
Risk Analysis: Tampering with Data, Repudiation, Information Disclosure, Elevation of Privilege.
Implication: Organizations are exposed to a variety of security issues related to confidentiality, integrity, availability and accountability by relying on a weak set of interfaces and APIs.

Threat: Data leakage
Description: A threat that leads to information compromise and could be caused by a fault in the hardware or by human error among competitor organizations using a similar cloud provider.
Risk Analysis: Failure of physical transport, electronics and security access rights among multiple domains systems for cloud data and backups.
Implication: Individuals and corporations that are the victims of an organization's data theft may elect to sue the business for damages. This has the potential to put the company out of business.

Threat: Denial of Service (DoS)
Description: A type of attack on a network that is designed to flood the network with useless traffic and bring it to its knees.
Risk Analysis: Availability and authentication failure.
Implication: With a denial-of-service attack there's no way to get to the destination, and nothing can be done except wait.

Therefore the idea under consideration in this article is to provide authentication for storage as a service in cloud computing, in a SAN environment using VMware virtualization, so that the clients connected to the environment can't have access to the stored files until the certificate authority (CA) allows them. The CA server is used to issue certificates to hosts on the private network so that they can use the certificates to authenticate themselves to others. The space for storage is also defined by the service provider. Here the authentication challenge includes the reliance on hypervisors.

The rest of the paper is organized as follows. The subsequent section presents the related work, based on a review of previous work.
Section III presents the proposed methodology and simulation results with the help of webpages. The conclusion and future work are presented in Section IV.

II. LITERATURE REVIEW

Cloud computing is the next generation of Internet technology; it provides the user with everything in terms of services, such as computing power to run applications, business processes and infrastructure, as the user needs them over the Internet. The term cloud can be defined in cloud computing as a set of services, interfaces, network, hardware and storage that combine to provide computing as a service [4]. A survey of different issues related to data storage security on a single cloud as well as multi-cloud, and to fault tolerance, is presented in [5] with the aim of solving the security issues faced by data owners.

An authentication model proposed in [6] is based on the Kerberos protocol and uses threshold cryptography for cloud computing to provide more security and to increase the availability of the key. The Kerberos-based authentication model filters unauthorized access and minimizes the cloud provider's memory usage and computation burden for the authentication checks for each client. A distributed scheme with explicit dynamic data support was presented in [7]; it investigates the data security problem at the cloud service provider and includes a Kerberos authentication service and a third party to authenticate the user to the cloud server and vice versa. A trust-aware IdM architecture with SAMLv2/ID-FF standards and privacy enhancement is proposed in [8] to provide access control for better scalability and efficient identity management in cloud computing services.

In the service-oriented identity authentication privacy protection method [9], the process is defined as cloud service access control, and cloud-client-related information is represented as a fuzzy set by defining the amount of information security level; this provides globally minimal disclosure of sensitive information and strong service-oriented identity authentication, and protects individual privacy to a high degree. A working architecture for cloud data security using the DES algorithm is presented in [10] to ensure the security of data. A methodology of policy-based file access and policy-based assured file deletion, for better access to files and deletion of files, is proposed in [11]; it renews the policy without downloading the data key and control keys. A secure cloud computing model based on separating the storage service from the encryption/decryption, auditing and authentication services is reported in [12]; one cloud in this architecture is responsible for storage, whereas the other is responsible for the encryption/decryption, auditing and authentication services.

In [13], secure cloud storage is implemented by providing policy-based file access using an Attribute Based Encryption (ABE) scheme with an RSA public-private key combination. The private key is a combination of the user's credentials, so that high security is achieved. A time-based file revocation scheme is used for assured file deletion: when the time limit of a file expires, the file is automatically revoked and cannot be accessed by anyone in future. Data privacy is ensured in cloud computing using fuzzy set theory [14], which permits the gradual assessment of the membership of elements in a set, in contrast to classical set theory, in which the membership of elements is assessed in binary terms based on bivalent conditions.

III. PROPOSED METHODOLOGY & SIMULATION RESULTS

The main focus of the proposed methodology is client authentication before accessing the service. The simulation is divided into four parts.

A virtualized environment is created by implementing three virtual machines using VMware Workstation, as shown in Fig. 3. Virtual machines provide the ability to support legacy applications and allow servers to be consolidated. Windows Server 2008 is installed on two of the virtual machines and Windows Server 2003 on the third.

An internet model is built in which dynamic routing is performed using RIP (Routing Information Protocol) on Cisco 3700 series routers in GNS3. Using this model, we pinged the routers and the virtual machines to check that they work properly.

A firewall is installed on one virtual machine. As soon as the client hits the firewall, the firewall redirects the filtered traffic to the appropriate server. ISA (Internet Security and Acceleration) Server 2006 is used for this purpose. It is a network layer firewall and an application layer inspection security gateway.

Another virtual machine is used as a certificate authority (CA) for encryption, so that the communication is in encrypted form. An iSCSI SAN (Storage Area Network) server is used for the storage, as shown in Fig. 3. A website is designed in which HTTPS and FTP work in the background. To configure the certificate authority (CA), 128-bit encryption is enabled to authenticate the client. When the client accesses the website, an authentication option appears that asks for the user name and password. As soon as the client is authenticated, it is connected through FTP to browse the local or remote files to be uploaded or downloaded.

The flow of the scheme, referring to Fig. 4, is that as soon as the client connects to the website, a home page appears asking for the username and password, as shown in Fig. 4.1.

Fig. 3 Schematic diagram of methodology

Fig. 4 Flow chart of Proposed Methodology

If the user is an existing user, the CA issues the digital signature for entering the username and password; otherwise, if the client is new to the service, a registration page appears to register the client, as shown in Fig. 4.2. When the client is authenticated, he is directed to the user page to download or upload the required file, as shown in Fig. 4.3. Depending on the choice to upload or download, the pages shown in Fig. 4.4 and Fig. 4.5 appear.

Fig. 4.1 Home page of service.
Fig. 4.2 Registration page of service.
Fig. 4.3 User Page of service.
Fig. 4.4 Upload Page of Service.
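
The gate this section describes, where a client reaches the stored files only with a certificate the CA issued, shown as an added Go example; it is not the authors' implementation, which runs on Windows Server virtual machines behind ISA Server 2006. It goes one step beyond the text by also presenting a certificate from a look-alike CA with the same name, which the server refuses. Assumptions: the names `issue`, `storageServer`, `fetch`, the `X-Client-CN` header, the CA name and the client names are constructed for illustration, and an in-process test HTTPS server stands in for the storage site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue (hypothetical helper) makes a key pair and a certificate for cn; parent signs it.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: parent == nil, KeyUsage: x509.KeyUsageCertSign}
	signer, signerKey := t, any(key) // no parent: a self-signed CA certificate
	if parent != nil {               // otherwise a client certificate signed by the parent CA
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, t, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// storageServer stands in for the storage site: the TLS layer admits only clients whose certificate chains to ca.
func storageServer(ca *x509.Certificate) *httptest.Server {
	s := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Client-CN", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	s.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: x509.NewCertPool()}
	s.TLS.ClientCAs.AddCert(ca)
	s.StartTLS()
	return s
}

// fetch connects with client certificate c and returns the identity the server saw.
func fetch(s *httptest.Server, c tls.Certificate) (string, error) {
	tr := s.Client().Transport.(*http.Transport).Clone()
	tr.TLSClientConfig.Certificates = []tls.Certificate{c}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get(s.URL)
	if err != nil {
		return "", err // the server refused the TLS handshake
	}
	defer resp.Body.Close()
	return resp.Header.Get("X-Client-CN"), nil
}

func main() {
	ca, fake := issue("STaaS CA", nil), issue("STaaS CA", nil) // constructed: same name, different keys
	srv := storageServer(ca.Leaf)
	defer srv.Close()
	fmt.Println(fetch(srv, issue("alice", &ca)))     // certificate issued by the real CA
	fmt.Println(fetch(srv, issue("mallory", &fake))) // certificate issued by the look-alike CA
}
```

The refusal happens during the TLS handshake, before any username or password page is served, so the certificate check and the password check are separate layers.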

Fig. 4.5 Download Page of Service.

IV. CONCLUSION

This paper proposed security for storage as a service in the cloud using digital signatures for client authentication, incorporating the virtualization aspect of cloud computing. It provides a successful approach towards security in a cloud business model such as STaaS. The files are uploaded or downloaded in a secure manner using encryption. Uploading and downloading a file to a cloud with standard certificate authorization is more secure. In future work, multi-authority and attribute-based encryption for file access can be implemented to avoid the number of wrong hits during authentication. A random delay can also be created for authentication, so that the hacker is confused when trying to identify the algorithm.

REFERENCES

[1] M. Pearce, R. Hunt and S. Zeadally, Virtualization: Issues, Security, Threats and Solutions, ACM, Volume 45, Issue 2, Feb 2013.
[2] G. Kulkarni, R. Sutar and J. Gambhir, Cloud Computing - Storage as a Service, IJERA, Volume 2, Issue 1, Jan/Feb 2012.
[3] T. Sivashakthi and N. Prabakaran, A Survey on Storage Techniques in Cloud Computing, IJETAE, Volume 3, Issue 12, December 2013.
[4] J. Hurwitz, R. Bloor, M. Kaufman and F. Halper, What is Cloud Computing for Dummies, Last modified 2013.
[5] M. Dave, Data Storage Security in Cloud Computing - A Survey, IJARCSSE, Volume 3, Issue 10, October 2013.
[6] S. Bharill, T. Hamsapriya and P. Lalurani, A Secure Key for Cloud using Threshold Cryptography in Kerberos, IJCA, Volume 79, No. 9, October 2013.
[7] M. Hojabri and K. Venkat Rao, Innovation in Cloud Computing: Implementation of Kerberos Version 5 in Cloud Computing in order to enhance the Security Issues, IEEE (ICICES), 2013.
[8] R. Sanchez, F. Almenares, P. Arias, D. Diaz Sanchez and A. Marin, Enhancing Privacy and Dynamic Federation in IdM for Consumer Cloud Computing, IEEE Trans. on Consumer Electronics, 2012.
[9] X. Li, J. He and T. Zhang, A Service-Oriented Identity Authentication Privacy Protection Method in Cloud Computing, International Journal of Grid and Distributed Computing, Volume 6, No. 1, February 2013.
[10] S. Sharma, A. Chugh and A. Kumar, Enhancing Data Security in Cloud Storage, IJARCCE, Volume 2, Issue 5, May 2013.
[11] Y. Tang, C. Lee, J. Lui and R. Perlman, Secure Overlay Cloud Storage with Access Control and Assured Deletion, IEEE Trans. on Dependable and Secure Computing, Volume 9, No. 6, Nov/Dec 2012.
[12] M. Marthan and D. B. Sudarsa, A Secure Cloud Computing Model Based on Multi Cloud Service Providers, IJARCSE, Volume 3, Issue 5, May 2013.
[13] R. Ranjith and D. Kayathri Devi, Secure Cloud Storage Using Decentralized Access Control with Anonymous Authentication, IJARCCE, Volume 2, Issue 11, Nov 2013.
[14] X. Li and J. He, A User-Centric Method for Data Privacy Protection in Cloud Computing, International Conference on Computer, Electrical, System Sciences and Engineering, 2011.