118,804 research outputs found

    Data security in cloud storage services

    Cloud Computing is considered to be the next-generation architecture for ICT where it moves the application software and databases to the centralized large data centers. It aims to offer elastic IT services where clients can benefit from significant cost savings of the pay-per-use model and can easily scale up or down, and do not have to make large investments in new hardware. However, the management of the data and services in this cloud model is under the control of the provider. Consequently, the cloud clients have less control over their outsourced data and they have to trust cloud service provider to protect their data and infrastructure from both external and internal attacks. This is especially true with cloud storage services. Nowadays, users rely on cloud storage as it offers cheap and unlimited data storage that is available for use by multiple devices (e.g. smart phones, tablets, notebooks, etc.). Besides famous cloud storage providers, such as Amazon, Google, and Microsoft, more and more third-party cloud storage service providers are emerging. These services are dedicated to offering more accessible and user friendly storage services to cloud customers. Examples of these services include Dropbox, Box.net, Sparkleshare, UbuntuOne or JungleDisk. These cloud storage services deliver a very simple interface on top of the cloud storage provided by storage service providers. File and folder synchronization between different machines, sharing files and folders with other users, file versioning as well as automated backups are the key functionalities of these emerging cloud storage services. Cloud storage services have changed the way users manage and interact with data outsourced to public providers. With these services, multiple subscribers can collaboratively work and share data without concerns about their data consistency, availability and reliability. 
Although these cloud storage services offer attractive features, many customers have not adopted these services, since data stored in these services is under the control of service providers, resulting in confidentiality and security concerns and risks. Therefore, using cloud storage services for storing valuable data depends mainly on whether the service provider can offer sufficient security and assurance to meet client requirements. From the way most cloud storage services are constructed, we can notice that these storage services do not provide users with sufficient levels of security, leading to an inherent risk on users' data from external and internal attacks. These attacks take the form of: data exposure (lack of data confidentiality); data tampering (lack of data integrity); and denial of data (lack of data availability) by third parties on the cloud or by the cloud provider himself. Therefore, the cloud storage services should ensure the data confidentiality in the following states: data in motion (while transmitting over networks) and data at rest (when stored on the provider's disks). To address the above concerns, confidentiality and access controllability of outsourced data with strong cryptographic guarantee should be maintained. To ensure data confidentiality in public cloud storage services, data should be encrypted before it is outsourced to these services. Although users can rely on client-side cloud storage services or software encryption tools for encrypting users' data, many of these services fail to achieve data confidentiality. Box, for example, does not encrypt user files via SSL and within Box servers. Client-side cloud storage services can intentionally/unintentionally disclose user decryption keys to their provider. In addition, some cloud storage services support convergent encryption for encrypting users' data, exposing it to a “confirmation of a file” attack.
On the other hand, software encryption tools use full-disk encryption (FDE), which is not feasible for cloud-based file sharing services because it encrypts the data as virtual hard disks. Although encryption can ensure data confidentiality, it fails to achieve fine-grained access control over outsourced data. Since public cloud storage services are managed by an untrusted cloud service provider, secure and efficient fine-grained access control cannot be realized through these services, as these policies are managed by storage services that have full control over the sharing process. Therefore, there is no guarantee that they will provide good means for efficient and secure sharing, and they can also deduce confidential information about the outsourced data and users' personal information. In this work, we would like to improve the currently employed security measures for securing data in cloud storage services. To achieve better data confidentiality for data stored in the cloud without relying on cloud service providers (CSPs) or putting any burden on users, in this thesis we designed a secure cloud storage system framework that simultaneously achieves data confidentiality, fine-grained access control on encrypted data and scalable user revocation. This framework is built on a trusted third party (TTP) service that can be employed either locally on users' machines or premises, or remotely on top of cloud storage services. This service encrypts users' data before uploading it to the cloud and decrypts it after downloading from the cloud; therefore, it removes the burden of storing, managing and maintaining encryption/decryption keys from data owners. In addition, this service only retains users' secret key(s), not data. Moreover, to ensure high security for these keys, it stores them on a hardware device.
Furthermore, this service combines multi-authority ciphertext policy attribute-based encryption (CP-ABE) and attribute-based signature (ABS) for achieving many-read-many-write fine-grained data access control on storage services. Moreover, it efficiently revokes users' privileges without relying on the data owner for re-encrypting massive amounts of data and re-distributing the new keys to the authorized users. It removes the heavy computation of re-encryption from users and delegates this task to the cloud service provider (CSP) proxy servers. These proxy servers achieve flexible and efficient re-encryption without revealing underlying data to the cloud. In our designed architecture, we addressed the problem of ensuring data confidentiality against the cloud and against accesses beyond authorized rights. To resolve these issues, we designed a trusted third party (TTP) service that is in charge of storing data in an encrypted format in the cloud. To improve the efficiency of the designed architecture, the service allows the users to choose the level of severity of the data, and according to this level different encryption algorithms are employed. To achieve many-read-many-write fine-grained access control, we merge two algorithms: multi-authority ciphertext policy attribute-based encryption (MA-CP-ABE) and attribute-based signature (ABS). Moreover, we support two levels of revocation, user and attribute revocation, so that we can comply with the collaborative environment. Last but not least, we validate the effectiveness of our design by carrying out a detailed security analysis. This analysis shall prove the correctness of our design in terms of data confidentiality at each stage of user interaction with the cloud.

    Privacy Preserving Access Control Policies Using Two Level Encryption In Public Cloud

    With the many features of cloud computing, many organizations have been considering moving their information systems to cloud storage. Cloud storage is a service model in which data is stored, maintained, managed and backed up remotely, and made available to users over the network. However, an important problem in the public cloud is preserving the confidentiality of stored data from both unauthorized access and the storage provider, i.e. the cloud. So, in order to ensure confidentiality, the data owners first encrypt the files before uploading them to the cloud storage, and re-encrypt them whenever user credentials change. This incurs high communication and computational cost. We propose an approach based on two-level encryption. Under this approach, the data owner performs coarse-grained encryption before uploading to the cloud server, and then the cloud performs complete access control policy encryption on top of the data encrypted by the owner. Our system both handles confidentiality of data and preserves the privacy of users from the unsecured cloud.

    Organize Cloud Data Access Privilege and Anonymity with Fully Nameless Attribute-Based Encryption

    Cloud computing is a computing idea that allows on-demand and low-maintenance usage of resources; however, the data is shared with some cloud servers, and various privacy-related issues emerge from it. Various schemes based on Attribute-Based Encryption have been proposed to secure cloud storage. However, most work focuses on data content privacy and access control, while less attention is paid to privilege control and identity privacy. In this paper, we present a semianonymous privilege control scheme, AnonyControl, to address not only data privacy but also user identity privacy in existing access control schemes. AnonyControl decentralizes the central authority to limit identity leakage and thus achieves semianonymity. Besides, it also generalizes file access control to privilege control, by which privileges of all operations on the cloud data can be managed in a fine-grained manner. Our security analysis shows that both AnonyControl and AnonyControl-F are secure under the decisional bilinear Diffie–Hellman assumption, and our performance evaluation exhibits the feasibility of our schemes.

    A Privacy-Aware Distributed Storage and Replication Middleware for Heterogeneous Computing Platform

    Cloud computing is an emerging research area that has drawn considerable interest in recent years. However, the current infrastructure raises significant concerns about how to protect users' privacy, in part because users are storing their data on the cloud vendors' servers. In this paper, we address this challenge by proposing and implementing a novel middleware, called Uno, which separates the storage of physical data and their associated metadata. In our design, users' physical data are stored locally on those devices under a user's full control, while their metadata can be uploaded to the commercial cloud. To ensure the reliability of users' data, we develop a novel fine-grained file replication algorithm that exploits both data access patterns and device state patterns. Based on a quantitative analysis of the data set from Rice University, this algorithm replicates data intelligently in different time slots, so that it can not only significantly improve data availability, but also achieve a satisfactory performance on load balancing and storage diversification. We implement the Uno system on a heterogeneous testbed composed of both host servers and mobile devices, and demonstrate the programmability of Uno through implementation and evaluation of two sample applications, Uno@Home and Uno@Sense.

    Modeling software architecture design on data storage security in cloud computing environments

    Cloud-based computation is known as the source architecture of the upcoming generation of IT enterprise. In the context of upcoming trade solutions, where the Information Technology sections are established under logical, personnel, and physical control, it transfers application software and large databases to appropriate data centers, where the security and management of databases and services are not fully trustworthy. This process may therefore pose many challenges to society and organizations that have not been well understood for a long time. This has become one of the major challenges today. This research therefore focuses on security-based data storage using the cloud, which is one of the important aspects of quality of service. To assure user data correctness in the cloud system, a flexible and effective distributed technique with two salient features was examined, utilizing the homomorphic token with erasure-coded data for distributed verification; based on this technique, it achieved data error localization and integration of storage correctness. It also identifies misbehaving servers and supports efficient and secure dynamic operations on data blocks, such as data append, delete, and update. Security and performance analysis shows that the proposed method is more effective, resilient and efficient against Byzantine failure, malicious data modification attacks, and even server colluding attacks.

    Ciphertext Policy Attribute based Homomorphic Encryption (CP-ABHER-LWE): a fine-grained access control on outsourced cloud data computation

    Recently, homomorphic encryption has become one of the holy grails of modern cryptography research and serves as a promising tool to protect outsourced data solutions on cloud service providers. However, most of the existing homomorphic encryption schemes are designed to achieve Fully Homomorphic Encryption that aims to support arbitrary computations for only the single-data-ownership scenario. To bridge these gaps, this paper proposes a non-circuit-based Ciphertext Policy-Attribute Based Homomorphic Encryption (CP-ABHER-LWE) scheme to support outsourced cloud data computations with fine-grained access control under the multi-user scenario. First, this paper incorporates an Attribute Based Encryption (ABE) scheme into a homomorphic encryption scheme in order to provide fine-grained access control on encrypted data computation and storage. Then, the proposed CP-ABHER-LWE scheme is further extended into a non-circuit-based approach in order to increase the practical efficiency between enterprise and cloud service providers. The result shows that the non-circuit-based CP-ABHER-LWE scheme has greatly reduced the computation time and ciphertext size as compared to the circuit-based approach. Subsequently, the proposed CP-ABHER-LWE scheme was proven secure under a selective-set model with the hardness of the Decision Ring-LWE$_{d,q,\chi}$ problem.

    Application-agnostic Personal Storage for Linked Data

    The lack of cross-use of personal data between web applications has led to a situation where users' identities and data are scattered across different service providers. As a result, larger service providers, which have more services and users, are at an advantage over smaller ones when it comes to offering added value, including analytics, on top of user data. In addition, such data segregation has a negative effect on end users, who need to repeatedly submit or update similar data with different service providers just to get the most out of a service. This thesis describes the design and implementation of a personal data space that simplifies data sharing between applications. The solution uses the identity infrastructure of the AppScale application engine, to which a personal data space service is added, access to which can be managed by the user. The usability of the data space for different use cases is ensured by applying linked data principles. Recent advances in cloud-based applications and services have led to the continuous replacement of traditional desktop applications with corresponding SaaS solutions. These cloud applications are provided by different service providers, and each typically manages the identity and personal data of its users, such as a user's contact details, by its own means. As a result, the identities and personal data of users have been spread over different applications and servers, each capturing a partial snapshot of user data at a certain moment in time. This, however, has made maintenance of personal data difficult and resource-consuming for service providers. Furthermore, this kind of data segregation has an overall negative effect on the user experience of end users, who need to repeatedly re-enter and maintain the same data in parallel to gain the maximum benefit from their applications.
Finally, from an integration point of view, sealing of user data has led to the adoption of point-to-point integration models between service providers, which limits the evolution of application ecosystems compared to models with content aggregators and brokers. In this thesis, we will develop an application-agnostic personal storage, which allows sharing user data among applications. This will be achieved by extending the AppScale app store identity infrastructure with a personal data storage, which can be easily accessed by any application in the cloud and will be under the control of a user. Usability of data is leveraged via adoption of linked data principles.

    ROLE BASED SECURED ACCESS OF DATA IN CLOUDS

    Cloud computing is a type of internet-based computing that provides shared computer processing resources and data to computers and other devices on demand. It is a model for enabling ubiquitous, on-demand access to a shared pool of configurable computing resources, e.g., computer networks, servers, storage, applications and services, which can be rapidly provisioned and released with minimal management effort. Attribute-based access control defines an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together. The policies can use any type of attributes, such as user attributes, resource attributes, object and environment attributes, etc. This model supports Boolean logic, in which rules contain "if-then" statements about who is making the request, the resource and the action. The main problem in attribute-based access control is not having a user-centric approach for authorization rules. In the ABAC model, role hierarchy and object hierarchy are not achieved, and there is a restriction in the level of expressiveness in access control rules. Secured role-based access control allows managing authorization based on a rule-based approach where rules are under the control of the data owner, and provides enriched role-based expressiveness including role and object hierarchies. A data user cannot use the cloud server without the knowledge of the data owner, as privilege is provided to the data user by the data owner. Access control computations are delegated to the cloud service provider, which is not only unable to access the data, but also unable to release it to unauthorized parties. An identity-based proxy re-encryption scheme has been used in order to provide a comprehensive and feasible solution for a data-centric approach. Semantic web technologies have been exposed for the representation and evaluation of the authorization model.

    CONTROL ENCRYPTION OF TECHNIQUE USING THE CLOUD COMPUTING SYD

    Information storage and computing information issues can be overcome by mobile applications by using cloud computing. The new model can also make various data based on the cloud to chat, complete the location services and the operating system in real time well and at the same time. By combining cloud computing, security issues may arise, for example, data secrets and user authorization within cloud computing systems, which concern the first restrictions on the development of a mobile computer cloud. In order to provide a safe and powerful process, the hierarchical access control system is proposed using the encryption based on a fixed schedule and a structure under a modified format in this document. In this study, the independent control system is proposed through the encryption of the file according to the structural design of a three-story structural design. The ABE-based access control system uses several tags to distinguish the attributes the authorized user has to have. Within a certain cloud computing environment, large data for all types of mobile devices, such as mobile phones, calls, PDAs, etc., can be controlled and tested by the system, and the data can respond to an unauthorized third party and restricted to legal users as well