320 likes | 457 Views
Secure Sharding in Federated Clouds. By: Anam Zahid, MS(IT)-13 [NUST201260763MSEECS60012F] Supervisor: Dr Awais Shibli. Agenda. Introduction Industrial Motivation Literature Review Problem Statement Proposed Architecture Tools and Technologies Timeline References. NoSQL Database.
E N D
Secure Sharding in Federated Clouds By: Anam Zahid, MS(IT)-13 [NUST201260763MSEECS60012F] Supervisor: Dr Awais Shibli
Agenda • Introduction • Industrial Motivation • Literature Review • Problem Statement • Proposed Architecture • Tools and Technologies • Timeline • References
NoSQL Database • Open source • Flexible Data model • High Scalability and Performance • Handles Large volumes of unstructured data • Best suitable for Cloud • Integrated Caching
Sharding • Horizontal Scalability • Can be based on Various parameters (Chunk size, data Relevance, key ranges etc)
Sharding • Two basic operations • Chunk Splitting • Chunk Migration
Cloud Computing Measured Service Broad Network Access Rapid Elasticity On-Demand Self Service Essential Characteristics Resource Pooling Software as a Service Platform as a Service Infrastructure as a Service Service Models Public Private Hybrid Community Deployment Models
Cloud Security Threats Data Breaches Data Loss Account Hijacking Insecure APIs Denial of Services Malicious Insider Abuse of Cloud Services Insufficient Due Diligence Shared Technology Issues
Cloud Database Issues Security & Privacy Availability Consistency Cloud Database Performance Fault Tolerance Scalability Simplified Queries Inter-operability
Cloud Federation Cloud service providers collaborate dynamically to share their virtual infrastructure for Efficient use of Surplus Resources Capacity Management Prevention from Power Outages & Failures Load Balancing Prevention from Vendor Lock-ins Scaling Data to other CSPs
Industrial Motivation “We think the lack of security around NoSQL is going to take a toll on Organizations” Amichai Shulman, Co-founder & CTO of Imperva Reference: http://www.darkreading.com/database/does-nosql-mean-no-security/232400214
Industrial Motivation (cont.) “Instead of SQL injection you have JavaScript or JSON injection” Alex Rothacker, manager of Application Security Inc.'s research division, Team SHATTER Rothacker suggests that because of the dependence on the perimeter to secure these databases, organizations strongly consider encryption whenever possible Reference: http://www.darkreading.com/database/does-nosql-mean-no-security/232400214
zNcrypt for MongoDB Reference: MongoDB, Gazzang, "Securing Data in MongoDB with Gazzang and 10Gen," 10 July 2012. [Online]. Available: http://www.mongodb.com/presentations/securing-data-mongodb-gazzang. [Accessed 19 November 2013].
MetaStorage Bermbach, David, Markus Klems, Stefan Tai, and Michael Menzel. "Metastorage: A federated cloud storage system to manage consistency-latency tradeoffs." In Cloud Computing (CLOUD), 2011 IEEE International Conference on, pp. 452-459. IEEE, 2011.
MetaStorage Pros • Security maintained through role based user management • Increased availability because of multiple storage providers • Low latency due to data replication Cons • No communication security (e.g SSL, TLS) or security of data at rest (e.g encryption) etc • Additional overhead due to data processing layer • Consistency issues due to different cloud storage services • No scalability limitations Bermbach, David, Markus Klems, Stefan Tai, and Michael Menzel. "Metastorage: A federated cloud storage system to manage consistency-latency tradeoffs." In Cloud Computing (CLOUD), 2011 IEEE International Conference on, pp. 452-459. IEEE, 2011.
RACS Abu-Libdeh, Hussam, Lonnie Princehouse, and Hakim Weatherspoon. "RACS: a case for cloud storage diversity." In Proceedings of the 1st ACM symposium on Cloud computing, pp. 229-240. ACM, 2010.
RACS Pros • Each RACS proxy maintains user authentication information and credentials for each repository • Use redundancy through fragmentation for high availability • Read synchronizations using zookeeper Cons • No communication as well as data at rest security • High latency due to mutual consistency • Data loss when RACS proxy crashes Abu-Libdeh, Hussam, Lonnie Princehouse, and Hakim Weatherspoon. "RACS: a case for cloud storage diversity." In Proceedings of the 1st ACM symposium on Cloud computing, pp. 229-240. ACM, 2010.
Management of Symmetric Cryptographic Keys in cloud Fakhar, F.; Shibli, M.A., "Management of Symmetric Cryptographic Keys in cloud based environment," Advanced Communication Technology (ICACT), 2013 15th International Conference on , vol., no., pp.39,44, 27-30 Jan. 2013
Management of Symmetric Cryptographic Keys in cloud Pros • Distributed Key generation on client side • Privacy maintained through client’s key component contribution in key regeneration. • Recoverable key components except for client side component Cons • Communication overhead when key to decrypt data is needed in cloud • Key combiner on client terminal Fakhar, F.; Shibli, M.A., "Management of Symmetric Cryptographic Keys in cloud based environment," Advanced Communication Technology (ICACT), 2013 15th International Conference on , vol., no., pp.39,44, 27-30 Jan. 2013
Summary So, besides providing high availability and throughput because of data fragmentation, there is a need for • strong client authentication and authorization mechanisms • Security of data during transmission (e.g. through TLS, SSL, IPSec etc) • Data-at-rest security (e.g. hashing, encryption etc)
Our Motivation According to Microsoft’s Framework For data Governance Source: http://www.microsoft.com/privacy/datagovernance.aspx
Our motivation Compliance Organizations rules and policies:
Fine Grained Access Control for Database Management Systems Masood, R.; Shibli, M.A., “Fine Grained Access Control for Database Management Systems," MS Thesis, SEECS NUST, (2013).
Problem Statement In order to avoid the prevalent problem of data breaches in distributed cloud environment, there is a need to provide effective access control and encryption to ensure the security of data residing on the domain of various cloud providers.
Proposed Architecture Our Domain
Proposed Architecture Key Distribution Store For Distributed Data “PUT” request 10 6 NoSQL Database Server NoSQL Database Server NoSQL Database Server NoSQL Database Server NoSQL Database Server 11 FCSP NoSQL Database Server 11 Config. Server Encryption/ Decryption Engine 9 Query Router HCSP 7 7 12 Config. Server Encryption/ Decryption Engine 5 8 4 7 Query Router Fine Grained Access Control Authentication 3 2 Client Application 1
Contribution In our proposed system, data security would be ensured by: • Client side Authentication • Embedded Fine grained authorization • Selective field Encryption of data chunks • Distribution of data across several service providers
Tools and Technologies • MongoDB • C++ (MS Visual Studio) • Open Stack • XACML
References • [1] Fox, Armando, Rean Griffith, A. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, and I. Stoica. "Above the clouds: A Berkeley view of cloud computing." Dept. Electrical Eng. and Comput. Sciences, University of California, Berkeley, Rep. UCB/EECS 28 (2009). • [2] Arora, Indu, and Anu Gupta. "Cloud Databases: A Paradigm Shift in Databases."International J. of Computer Science Issues 9, no. 4 (2012): 77-83. • [3] https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf • [4] Mell, Peter, and Timothy Grance. "The NIST definition of cloud computing (draft)." NIST special publication 800, no. 145 (2011): 7. • [5] MongoDB, Gazzang, "Securing Data in MongoDB with Gazzang and 10Gen," 10 July 2012. [Online]. Available: http://www.mongodb.com/presentations/securing-data-mongodb-gazzang. [Accessed 19 November 2013]. • [6] http://www.forbes.com/sites/benkepes/2013/11/04/was-garantia-is-now-redisdb-either-way-nosql-is-hot/ • [7] http://www.darkreading.com/database/does-nosql-mean-no-security/232400214 • [8] Bermbach, David, Markus Klems, Stefan Tai, and Michael Menzel. "Metastorage: A federated cloud storage system to manage consistency-latency tradeoffs." In Cloud Computing (CLOUD), 2011 IEEE International Conference on, pp. 452-459. IEEE, 2011. • [9] Abu-Libdeh, Hussam, Lonnie Princehouse, and Hakim Weatherspoon. "RACS: a case for cloud storage diversity." In Proceedings of the 1st ACM symposium on Cloud computing, pp. 229-240. ACM, 2010. • [10] Fakhar, F.; Shibli, M.A., "Management of Symmetric Cryptographic Keys in cloud based environment," Advanced Communication Technology (ICACT), 2013 15th International Conference on , vol., no., pp.39,44, 27-30 Jan. 2013 • [11] Hashizume, Keiko, David G. Rosado, Eduardo Fernández-Medina, and Eduardo B. Fernandez. "An analysis of security issues for cloud computing." Journal of Internet Services and Applications 4, no. 1 (2013): 1-13. • [12] Chandra, DekaGanesh, Ravi Prakash, and SwatiLamdharia. "A Study on Cloud Database." In Computational Intelligence and Communication Networks (CICN), 2012 Fourth International Conference on, pp. 513-519. IEEE, 2012. • [13] Subashini, S., and V. Kavitha. "A survey on security issues in service delivery models of cloud computing." Journal of Network and Computer Applications 34, no. 1 (2011): 1-11.