Idea Transcript
Home > eBooks > Data Security in Cloud Computing
Data Security in Cloud Computing Buy e-book PDF
Editors: Vimal Kumar 1 ; Sivadon Chaisiri 1 ; Ryan Ko 1 View affiliations Affiliations: 1: Faculty of Computing and Mathematical Sciences, Waikato University, Waikato, New Zealand Publication Year: 2017
$160.00 (plus tax if applicable) Add to cart
Buy print edition
Description
Cloud Computing has already been embraced by many organizations and individuals due to its benefits of economy, reliability, scalability and guaranteed quality of service among others. But since the data is not stored, analysed or computed on site, this can open security, privacy, trust and compliance issues. This one-stop reference covers a wide range of issues on data security in Cloud Computing ranging from accountability, to data provenance, identity and risk management. Data Security in Cloud Computing covers major aspects of securing data in Cloud Computing. Topics covered include NOMAD: a framework for ensuring data confidentiality in mission-critical cloud based applications; 3DCrypt: privacypreserving pre-classification volume ray-casting of 3D images in the cloud; multiprocessor system-on-chip for processing data in Cloud Computing; distributing encoded data for private processing in the cloud; data protection and mobility management for cloud; understanding software defined perimeter; security, trust and privacy for Coud Computing in transportation cyber-physical systems; review of data leakage attack techniques in cloud systems; Cloud Computing and personal data processing: sorting out legal requirements; the Waikato data privacy matrix; provenance reconstruction in clouds; and security visualization for Cloud Computing.
Book DOI: 10.1049/PBSE007E Chapter DOI: 10.1049/PBSE007E ISBN: 9781785612206 e-ISBN: 9781785612213 Page count: 324 Format: PDF
Related content Review of data leakage attack techniques in cloud systems
Zirak Allaf and Mo Adda View description Hide description
Manipulating and delivering data in heterogeneous environments such as those underlying cloud systems is a critical task because of confidentiality issues. Cloud technology remains vulnerable to data leakage attacks due to its applications in gathering information about multiple independent entities (e.g. end users and VMs) and Inspec keywords: security of data; data privacy; data sharing cloud resources. visualisation; cloud computing; matrix algebra; cyberFurthermore, the number of threats physical systems are increased when the cloud users are using cloud computing services Other keywords: security visualization; Waikato data privacy compared to PC users, due to loss of matrix; software-defined perimeter; data confidentiality; control, privacy and outsourced data cyber-physical systems; cloud computing; data security; data storage. Consequently, hackers leakage attack; data provenance exploit security vulnerabilities to Subjects: Graphics techniques; Information networks; launch attacks to take advantage of Algebra; Data security; General and management topics; sensitive data such as secret keys.
Internet software
When data is manipulated and shared between different parties in
Front Matter
1 A data-centric view of cloud security
p. 1 –17 (17) Cloud computing offers a massive pool of resources and services that cloud users can utilize for storing and processing their data. The users can flexibly control and reduce their operational expenditures, whereas resources provisioned from the clouds can be dynamically resized to meet their demand and especially budgets. The user, however, has to consider unanticipated and expensive costs from threats associated with attacks aiming for the user's data in the cloud. In this chapter, we discuss the primary causes of new attack vectors that create a multitude of data security issues in clouds. We also discuss specific data security challenges in clouds and provide a classification which can help in an easier understanding.
2 Nomad: a framework for ensuring data confidentiality in mission-critical cloud-based applications
p. 19 –44 (26) Due to their low cost and simplicity of use, public cloud services are gaining popularity among both public and private sector organisations. However, there are many threats to the cloud, including data breaches, data loss, account hijacking, denial of service, and malicious insiders. One of the solutions for addressing these threats is the use of secure computing techniques such as homomorphic encryption and secure multiparty computation, which allow for processing of encrypted data stored in untrusted cloud environments without ever having the decryption key. The performance of these techniques is a limiting factor in the adoption of cloud-based applications. Both public and private sector organisations with strong requirements for data security and privacy are reluctant to push their data to the cloud. In particular, mission-critical defense applications used by governments do not tolerate any leakage of sensitive data. In this chapter, we present Nomad, a framework for developing mission-critical cloud-based applications. The framework is comprised of: (1) a homomorphic encryption-based service for processing encrypted data directly within the untrusted cloud infrastructure, and (2) a client service for encrypting and decrypting data within the trusted environment, and storing and retrieving these data to and from the cloud. In order to accelerate the expensive homomorphic encryption operations, we equipped both services with a Graphics Processing Unit (GPU)-based parallelisation mechanism. To evaluate the Nomad framework, we developed CallForFire, a Geographic Information System (GIS)-based mission-critical defense application that can be deployed in the cloud. CallForFire enables secure computation of enemy target locations and selection of firing assets. Due to the nature of the mission, this application requires guaranteed security. The experimental results show that the performance of homomorphic encryption can be enhanced by using a GPU-based acceleration mechanism. In addition, the performance of the CallForFire application demonstrates the feasibility of using the Nomad framework to develop mission-critical cloud-based applications.
3 Preserving privacy in pre-classification volume ray-casting of 3D images
p. 45 –64 (20) With the evolution of cloud computing, organizations are outsourcing the storage and rendering of volume (i.e., 3D data) to cloud servers. Data confidentiality at the thirdparty cloud provider, however, is one of the main challenges. Although state-of-the-art non-homomorphic encryption schemes can protect confidentiality by encrypting the volume, they do not allow rendering operations on the encrypted volumes. In this chapter, we address this challenge by proposing 3DCrypt-a modified Paillier cryptosystem scheme for multiuser settings that allows cloud datacenters to render the encrypted volume. The rendering technique we consider in this work is the preclassification volume ray-casting. 3DCrypt is such that multiple users can render volumes without sharing any encryption keys. 3DCrypt's storage and computational overheads are approximately 66.3 MB and 27 s, respectively, when rendering is performed on a 256 × 256 × 256 volume for a 256 × 256 image space. We have also proved that 3DCrypt is INDistinguishable under Chosen Plaintext Attack (IND-CPA) secure.
4 Multiprocessor system-on-chip for processing data in cloud computing
p. 65 –88 (24) Cloud computing enables cloud customers to obtain shared processing resources and data on demand. Cloud providers configure computing resources to provide different services to users and enterprises. These cloud providers satisfy the need for highperformance computing by bringing more PEs inside a chip (known as Multiprocessor System-on-Chip (MPSoC)) instead of increasing operating frequency. An MPSoC usually employs Network-on-Chip (NoC) as the scalable on-chip communication medium. An MPSoC can contain multiple Trusted Execution Environments (TEEs) and Rich Execution Environments (REEs). Security critical applications run in TEEs and normal applications run in REEs. Due to sharing of resources (for example, NoC) in cloud computing, applications running in two TEEs may need to communicate over an REE that is running applications of a malicious user (attacker). This scenario can cause unauthorized access attack if the attacker launches router attack inside the NoC. Apart from this attack, an attacker can also launch misrouting attack using router attack causing various types of ill effects. To deal with these security concerns, we discuss in detail different hardware-based security mechanisms. These mechanisms mainly employ monitoring to detect a router attack and possibly a malicious router location. The hardware-based mechanisms can provide much-needed protection to users' data in a cloud computing MPSoC platform. Apart from the threat model with practical examples, detailed hardware description of each security mechanism is given in this chapter for easy understanding of the readers.
5 Distributing encoded data for private processing in the cloud
p. 89 –115 (27) Traditional cryptography techniques require our data to be unencrypted and to be processed correctly. This means that at some stage on a system we have no control over, our data will be processed in plain text. Solutions that allow the computation of arbitrary operations over data securely in the cloud are currently impractical. The holy grail of cryptography, fully homomorphic encryption, still requires minutes to compute a single operation. To provide a practical solution, this chapter proposes taking a different approach to the problem of securely processing data. This is achieved by each cloud service receiving an encoded part of the data, which is not enough to decode the plain-text value. The security strength is shifted from a computation problem to the
sheer number possible options. Given the greater threat to data stored in the cloud is from insiders, this is the primary attack vector the presented schemes Bin Encoding and FRagmenting Individual Bits (FRIBs) aim to protect against.
6 Data protection and mobility management for cloud
p. 117 –149 (33) Cloud computing has become an alternative IT infrastructure where users, infrastructure providers, and service providers all share and deploy resources for their business processes and applications. In order to deliver cloud services cost effectively, users' data is stored in a cloud where applications are able to perform requests from clients efficiently. As data is transferred to the cloud, data owners are concerned about the loss of control of their data and cloud service providers (CSPs) are concerned about their ability to protect data when it is moved about both within and out of its own environment. Many security and protection mechanisms have been proposed to protect cloud data by employing various policies, encryption techniques, and monitoring and auditing approaches. However, data is still exposed to potential disclosures and attacks if it is moved and located at another cloud where there is no equivalent security measure at visited sites. In a realistic cloud scenario with hierarchical service chain, the handling of data in a cloud can be delegated by a CSP to a subprovider or another. However, CSPs do not often deploy the same protection schemes. Movement of user's data is an important issue in cloud, and it has to be addressed to ensure the data is protected in an integrated manner regardless of its location in the environment. The user is concerned whether its data is located in locations covered by the service level agreement, and data operations are protected from unauthorized users. When user's data is moved to data centers located at locations different from its home, it is necessary to keep track of its locations and data operations. This chapter discusses data protection and mobility management issues in cloud environment and in particular the implementation of a trust-oriented data protection framework.
7 Understanding software-defined perimeter
p. 151 –169 (19) In network security, a perimeter of a network of computers and other equipment is formed as a secure barrier protecting digital assets in the network from being accessed and compromised by unauthorized users. In cloud computing, building such a perimeter is challenging due to a wider and likely unknown boundary of multiple overlay networks of cloud services, resources and devices communicating with each other. To overcome this challenge, the software-defined perimeter (SDP) proposed by the Cloud Security Alliance (CSA) can be used to build a manageable secure perimeter for cloud-connected services, resources and devices. So far, SDP has proved to be a strong defense against network attacks under simulated tests and security challenges, hackathons conducted by CSA. In this chapter, we present the SDP specification and also discuss its security features and components, including zero visibility, single packet authorization, mutual transport layer security, device validation, dynamic firewalls and application binding that are behind the successful defense of SDP and a potential solution for securing data in the cloud.
8 Security, trust, and privacy for cloud computing in Transportation Cyber-Physical Systems
p. 171 –195 (25)
Transportation Cyber-Physical Systems (TCPS) strive to achieve the seamless interoperability of a rich set of sensors embedded in vehicles, roadside units, and other infrastructure with computing platforms ranging from smartphones to cloud servers, through a variety of communication mechanisms. A successful TCPS will provide smart and scalable solutions to some of the major problems urban societies facing today including high fatalities in road crashes, time and emission costs of traffic congestion, and efficient allocation of parking spaces. However, the practicality of such a TCPS is challenged by (1) stakeholders with different and often conflicting security and privacy requirements, (2) the demands of real-time data intensive computing and communication, and (3) a high level of heterogeneity in the types of technologies deployed. Transportation Cloud Computing, which is the integration of Cloud Computing with TCPS, is a promising solution to the challenges listed above for a scalable implementation. This chapter presents the security, trust, and privacy issues posed by integrating cloud computing with TCPS as in the first challenge above. We will survey the state of the art with respect to countermeasures which are capable ofproviding improved security and privacy for cloud computing in TCPS. More specifically, we will first discuss the unique challenges and the current state of the art in TCPS as well as the integration of cloud computing techniques into a TCPS application scenario. Next, we will present a comprehensive literature review on attack surface and strategies for cloud computing in TCPS. To address these attacks, we will describe various techniques to enhance security, trust, and privacy to help better safeguard cloud computing paradigms for TCPS.
9 Review of data leakage attack techniques in cloud systems
p. 197 –217 (21) Manipulating and delivering data in heterogeneous environments such as those underlying cloud systems is a critical task because of confidentiality issues. Cloud technology remains vulnerable to data leakage attacks due to its applications in gathering information about multiple independent entities (e.g. end users and VMs) and sharing cloud resources. Furthermore, the number of threats are increased when the cloud users are using cloud computing services compared to PC users, due to loss of control, privacy and outsourced data storage. Consequently, hackers exploit security vulnerabilities to launch attacks to take advantage of sensitive data such as secret keys. When data is manipulated and shared between different parties in cloud systems, it will be vulnerable to threats in cloud systems. This chapter explores data vulnerability throughout its life cycle to categorise existing data leakage attack techniques in terms of where they can be implemented and what can be stolen in this untrusted environment, and also classifies data leakage attack techniques according to the type of data, such as files and secret keys. Furthermore, this study explores core technologies upon which cloud computing is built, such as the web, virtualisation and cryptography, and their vulnerabilities prone to such attacks. We also propose existing data leakage detection and protection techniques to mitigate and alleviate such attacks.
10 Cloud computing and personal data processing: sorting-out legal requirements
p. 219 –242 (24) Cloud computing facilitates and accelerates the collection and processing of (personal) data and the development of new services and applications. When data collection involves personal data, specific risks and challenges for privacy and data protection of the individuals arise. The interference with privacy and data protection necessitates the
implementation of appropriate safeguards. Therefore, new impacts and risks need to be analysed and assessed. In the cloud computing context, privacy and data protection should not be inferior to the level of protection required in any other data processing context. Looking at the European legal framework, the EU has thorough legislation for the protection of personal data. The new General Data Protection Regulation introduces detailed provisions establishing obligations and new instruments, such as certification. In addition, the EU data protection legislation has what is often called an extra-territorial effect, which entails that under conditions is applicable to natural or legal persons not established in the EU jurisdiction. The extra-territorial effect of the EU data protection legislation makes the EU legislation relevant for service providers who are not established in the EU but are processing personal data of EU citizens. This chapter aims to provide an overview of the legal requirements applicable to cloudbased applications and data processing, drawing examples primarily from the EU legal framework. This overview can serve as an index of key obligations and responsibilities for cloud service providers and cloud clients, but also for further research purposes (i.e. comparative analysis with other legal frameworks).
11 The Waikato Data Privacy Matrix
p. 243 –259 (17) Data privacy is an expected right of most citizens around the world, but there are many legislative challenges within the boundary-less cloud computing and World Wide Web environments. The Waikato Data Privacy Matrix outlines our global project for alignment of data privacy laws, by focusing on Asia Pacific data privacy laws and its relationships with the European Union and the United States. Some alignment already exists for the European Union and United States, there is a lack of research on Asia Pacific alignment within its region and across other regions. The Waikato Data Privacy Matrix also suggests potential solutions to address some of the issues that may occur when a breach of data privacy occurs, in order to ensure an individual has their data privacy protected across the boundaries within the Web.
12 Data provenance in cloud
p. 261 –275 (15) One of the barriers of cloud adoption is the security of data stored in the cloud. In this chapter, we introduce data provenance and briefly show how it is applicable for data security in the cloud. Building on this, we discuss the underlying question of how data provenance, required for empowering data security in the cloud, can be acquired. The strengths and weaknesses of two methodologies for provenance acquisition, active collection and reconstruction, are discussed. The goal is to provide an understanding on the current state-of-the-art for generating provenance, such that better methodologies and solutions can be developed.
13 Security visualization for cloud computing: an overview
p. 277 –295 (19) Cloud services continue to attract organizations with advantages that enable subsidiary costs. While there are advantages, security in the cloud is an ongoing challenging process for cloud providers and users. Cyber-threats are penetrating cloud technologies and exposing flaws in the cloud technologies. Data Provenance as a Security Visualization Service (DPaaSVS) and Security Visualization as a Cloud
Service (SVaaCS) for cloud technologies are solutions to help track and monitor data in the cloud. Either data is at-rest or in in-transit, security visualization empowers cloud providers and users to track and monitor their data movements. Security visualization refers to the concept of using visualization to represent security events. In this chapter, we (1) provide our security visualization standardized model and (2) provide the security visualization intelligence framework model and finally discuss several security visualization use-cases.
Back Matter
cloud systems, it will be vulnerable to threats in cloud systems. This chapter explores data vulnerability throughout its life cycle to categorise existing data leakage attack techniques in terms of where they can be implemented and what can be stolen in this untrusted environment, and also classifies data leakage attack techniques according to the type of data, such as files and secret keys. Furthermore, this study explores core technologies upon which cloud computing is built, such as the web, virtualisation and cryptography, and their vulnerabilities prone to such attacks. We also propose existing data leakage detection and protection techniques to mitigate and alleviate such attacks. Understanding software-defined perimeter
Chenkang Tang ; Vimal Kumar ; Sivadon Chaisiri View description Hide description In network security, a perimeter of a network of computers and other equipment is formed as a secure barrier protecting digital assets in the network from being accessed and compromised by unauthorized users. In cloud computing, building such a perimeter is challenging due to a wider and likely unknown boundary of multiple overlay networks of cloud services, resources and devices communicating with each other. To overcome this challenge, the software-defined perimeter (SDP) proposed by the Cloud Security Alliance (CSA) can be used to build a manageable secure perimeter for cloud-connected services, resources and devices. So far, SDP has proved to be a strong defense against network attacks under simulated tests and security challenges, hackathons conducted by CSA. In this chapter, we present the SDP specification and also discuss its security features and components, including zero visibility, single packet authorization, mutual transport layer security, device validation, dynamic firewalls and application binding that are behind the successful defense of SDP and a potential solution for securing data in the cloud. The Waikato Data Privacy Matrix
Craig Scoon and Ryan K. Ko View description Hide description Data privacy is an expected right of most citizens around the world, but there are many legislative challenges within the boundary-less cloud computing and World Wide Web environments. The Waikato Data Privacy Matrix outlines our global project for alignment of data privacy laws, by focusing on Asia Pacific data privacy laws and its relationships with the European Union and the United States. Some alignment already exists for the European Union and United States, there is a lack of research on Asia Pacific alignment within its region and across other regions. The Waikato Data Privacy Matrix also suggests potential solutions to address some of the issues that may occur when a breach of data privacy occurs, in order to ensure an individual has their data privacy protected across the boundaries within the Web. Challenges in the adoption of hybrid cloud: an exploratory study using systematic literature review
Siffat Ullah Khan and Naeem Ullah View description Hide description Cloud computing is a growing computing paradigm that provides Internet-based computer services on-demand basis. Adoption of cloud infrastructure promises enterprises numerous benefits. In particular, hybrid cloud, a combination of both public and private clouds, offers benefits of both the public and private clouds. The objective of this study is to identify the critical challenges, faced by client organisations in the adoption of hybrid cloud computing. The authors have reviewed the literature through systematic literature review (SLR) process. We have followed all the SLR steps by developing SLR protocol first which was then validated and implemented. We have identified a list of ten challenges, by extracting data from a sample of 120 papers, in the adoption of hybrid cloud. The identified challenges include three critical challenges such as: ‘public cloud security concern’, ‘efficient management issue’, and ‘integration complexity’. We have further analysed the identified challenges with respect to time and study strategy. Clients should address all the identified challenges in general and the critical challenges in particular. Our next phase of the study is validation of the identified challenges through industry practitioners and to find solutions/practices for addressing these challenges, which will be published in future. Data provenance in cloud
Alan Yu Shyang Tan ; Sivadon Chaisiri ; Ryan Ko Leong ; Geoff Holmes ; Bill Rogers View description Hide description One of the barriers of cloud adoption is the security of data stored in the cloud. In this chapter, we introduce data provenance and briefly show how it is applicable for data security in the cloud. Building on this, we discuss the underlying question of how data provenance, required for empowering data security in the cloud, can be acquired. The strengths and weaknesses of two methodologies for provenance acquisition, active collection and reconstruction, are discussed. The goal is to provide an understanding on the current state-of-the-art for generating provenance, such that better methodologies and solutions can be developed. Multi-DAGs Scheduling Integrating with Security and Availability in Cloud Environment
Yaqiu Liu ; Hongrun Shao ; Weipeng Jing ; Zhaowen Qiu View description Hide description In view of the issue concerns multiple Directed acyclic graphs (DAGs) scheduling in multi-tenantcloud computing environment, a scheduling strategy thatintegrate security and availability is proposed to satisfythe tenants’ requirements for resource security and availability, as thus it can not only protect the users’ privacyand data security but also advance the success rate. Theproposal assesses resource reputation to ensure jobs canbe scheduled onto relatively security nodes; during taskscheduling, it classifies the DAGs to achieve fairness; inthe process of resources allocation, the objective functionwould maximize the user’s security satisfaction and minimize the deviation of availability; meanwhile, it takes advantage of “time chips” flexibly to promote resource utilization rate; afterwards, we present a Greedy algorithmintegrating with security and availability (GISA) to implement the strategy. The experimental results show thecorrectness and superior of the novel strategy.