Post on 31-Dec-2015
description
By: Anam Zahid, MS(IT)-13[NUST201260763MSEECS60012F]
Supervisor: Dr Awais Shibli
Secure Sharding in Federated
Clouds
Agenda• Introduction• Industrial Motivation• Literature Review• Problem Statement• Proposed Architecture• Tools and Technologies• Timeline• References
2
NoSQL Database
• Open source• Flexible Data model• High Scalability and Performance• Handles Large volumes of unstructured
data• Best suitable for Cloud• Integrated Caching
3
Types of NoSQL Databases
4
Sharding
• Horizontal Scalability
• Can be based on Various parameters (Chunk size, data Relevance, key ranges etc)
5
ShardingTwo basic operations
– Chunk Splitting
– Chunk Migration
6
Cloud Computing
7
Essential Characteristics
Service Models
Deployment Models
Software as a Service
Platform as a Service
Infrastructure as a Service
Public Private Hybrid Community
Broad Network Access
Rapid Elasticity
On-Demand Self Service
Resource Pooling
Measured Service
Cloud Security Threats
8
Data Breaches
Data Loss
Account Hijacking
Insecure APIs
Denial of Services
Malicious Insider
Abuse of Cloud Services
Insufficient Due Diligence
Shared Technology Issues
Cloud Database Issues
9
Cloud Database
Availability
Performance
Security &
PrivacyConsistency
Fault Tolerance
Scalability
Inter-operability
Simplified Queries
Cloud Federation
Cloud service providers collaborate dynamically to share their virtual infrastructure for
Load Balancing
Prevention from Vendor
Lock-ins
Prevention from Power Outages &
Failures
Capacity Manageme
nt
Efficient use of Surplus Resources
Scaling Data to other
CSPs
10
Industrial Motivation
11
Reference: http://www.darkreading.com/database/does-nosql-mean-no-security/232400214
“We think the lack of security around NoSQL is going to take a toll on Organizations” Amichai Shulman, Co-
founder & CTO of Imperva
Industrial Motivation (cont.)
12
Reference: http://www.darkreading.com/database/does-nosql-mean-no-security/232400214
“Instead of SQL injection you have JavaScript or JSON injection” Alex Rothacker, manager of Application
Security Inc.'s research division, Team SHATTER
Rothacker suggests that because of the dependence on the perimeter to secure these databases, organizations
strongly consider encryption whenever possible
zNcrypt for MongoDB
Reference: MongoDB, Gazzang, "Securing Data in MongoDB with Gazzang and 10Gen," 10 July 2012. [Online]. Available: http://www.mongodb.com/presentations/securing-data-mongodb-gazzang. [Accessed 19 November 2013].
13
Literature Review
14
MetaStorage
Bermbach, David, Markus Klems, Stefan Tai, and Michael Menzel. "Metastorage: A federated cloud storage system to manage consistency-latency tradeoffs." In Cloud Computing (CLOUD), 2011 IEEE International Conference on, pp. 452-459. IEEE, 2011.
15
16
MetaStorage
Pros• Security maintained through role
based user management• Increased availability because of
multiple storage providers• Low latency due to data
replication
Cons• No communication security (e.g
SSL, TLS) or security of data at rest (e.g encryption) etc
• Additional overhead due to data processing layer
• Consistency issues due to different cloud storage services
• No scalability limitations
Bermbach, David, Markus Klems, Stefan Tai, and Michael Menzel. "Metastorage: A federated cloud storage system to manage consistency-latency tradeoffs." In Cloud Computing (CLOUD), 2011 IEEE International Conference on, pp. 452-459. IEEE, 2011.
RACS
Abu-Libdeh, Hussam, Lonnie Princehouse, and Hakim Weatherspoon. "RACS: a case for cloud storage diversity." In Proceedings of the 1st ACM symposium on Cloud computing, pp. 229-240. ACM, 2010.
17
18
RACS
Pros• Each RACS proxy maintains user
authentication information and credentials for each repository
• Use redundancy through fragmentation for high availability
• Read synchronizations using zookeeper
Cons• No communication as well as
data at rest security• High latency due to mutual
consistency• Data loss when RACS proxy
crashes
Abu-Libdeh, Hussam, Lonnie Princehouse, and Hakim Weatherspoon. "RACS: a case for cloud storage diversity." In Proceedings of the 1st ACM symposium on Cloud computing, pp. 229-240. ACM, 2010.
Management of Symmetric Cryptographic Keys in
cloud
Fakhar, F.; Shibli, M.A., "Management of Symmetric Cryptographic Keys in cloud based environment," Advanced Communication Technology (ICACT), 2013 15th International Conference on , vol., no., pp.39,44, 27-30 Jan. 2013
19
20
Management of Symmetric Cryptographic Keys in cloud
Pros• Distributed Key generation on
client side• Privacy maintained through
client’s key component contribution in key regeneration.
• Recoverable key components except for client side component
Cons• Communication overhead when
key to decrypt data is needed in cloud
• Key combiner on client terminal
Fakhar, F.; Shibli, M.A., "Management of Symmetric Cryptographic Keys in cloud based environment," Advanced Communication Technology (ICACT), 2013 15th International Conference on , vol., no., pp.39,44, 27-30 Jan. 2013
21
Summary
So, besides providing high availability and throughput because of data fragmentation, there is a need for
• strong client authentication and authorization mechanisms
• Security of data during transmission (e.g. through TLS, SSL, IPSec etc)
• Data-at-rest security (e.g. hashing, encryption etc)
22
Our MotivationAccording to Microsoft’s Framework For data
Governance
Source: http://www.microsoft.com/privacy/datagovernance.aspx
23
Our motivationCompliance Organizations rules and
policies:
Fine Grained Access Control for Database
Management Systems
Masood, R.; Shibli, M.A., “Fine Grained Access Control for Database Management Systems," MS Thesis, SEECS NUST, (2013).
24
Problem Statement
25
In order to avoid the prevalent problem of data breaches in distributed cloud environment, there is a need to provide effective access control and encryption to ensure the security of data residing on the domain of various cloud providers.
26
Proposed Architecture
Our Domain
Proposed Architecture
27
For Distributed Data “PUT” request
9
Authentication
Fine Grained Access Control
Client Application
Key Distribution
Store
Encryption/Decryption
Engine
Query Router
HCS
P Config
.Serve
r
NoSQL Databas
e Server
NoSQL Databas
e Server
NoSQL Databas
e Server
FCSP Encryption/Decryption
EngineQuery Router
Config.
Server
NoSQL Databas
e Server
NoSQL Databas
e Server
NoSQL Databas
e Server
1
23
45
6
7 7
78
10
11 11
12
Contribution
In our proposed system, data security would be ensured by:
• Client side Authentication• Embedded Fine grained authorization• Selective field Encryption of data chunks • Distribution of data across several service
providers
28
Tools and Technologies
• MongoDB• C++ (MS Visual Studio)• Open Stack• XACML
29
Proposed Timeline# Milestone Duration
1 Preliminary Literature Review Done
2 Implementation
2.1 Sharding in NoSQL database 3 weeks
2.2 Encryption and Decryption Module + KDS
1 month & 3 weeks
2.3 Fine grained access control Module 1 month
2.4 Cloud federation establishment and tag aware sharding implementation
1 month
2.5 Integration of all modules 2-3 weeks
3 Testing and Evaluation 1 month
4 Final Documentation 1 month
30
References[1] Fox, Armando, Rean Griffith, A. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, and I. Stoica. "Above the clouds: A Berkeley
view of cloud computing." Dept. Electrical Eng. and Comput. Sciences, University of California, Berkeley, Rep. UCB/EECS 28 (2009).[2] Arora, Indu, and Anu Gupta. "Cloud Databases: A Paradigm Shift in Databases." International J. of Computer Science Issues 9, no. 4 (2012):
77-83.[3] https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
[4] Mell, Peter, and Timothy Grance. "The NIST definition of cloud computing (draft)." NIST special publication 800, no. 145 (2011): 7. [5] MongoDB, Gazzang, "Securing Data in MongoDB with Gazzang and 10Gen," 10 July 2012. [Online]. Available:
http://www.mongodb.com/presentations/securing-data-mongodb-gazzang. [Accessed 19 November 2013].[6] http://www.forbes.com/sites/benkepes/2013/11/04/was-garantia-is-now-redisdb-either-way-nosql-is-hot/[7] http://www.darkreading.com/database/does-nosql-mean-no-security/232400214[8] Bermbach, David, Markus Klems, Stefan Tai, and Michael Menzel. "Metastorage: A federated cloud storage system to manage
consistency-latency tradeoffs." In Cloud Computing (CLOUD), 2011 IEEE International Conference on, pp. 452-459. IEEE, 2011.[9] Abu-Libdeh, Hussam, Lonnie Princehouse, and Hakim Weatherspoon. "RACS: a case for cloud storage diversity." In Proceedings of the
1st ACM symposium on Cloud computing, pp. 229-240. ACM, 2010.[10] Fakhar, F.; Shibli, M.A., "Management of Symmetric Cryptographic Keys in cloud based environment," Advanced Communication
Technology (ICACT), 2013 15th International Conference on , vol., no., pp.39,44, 27-30 Jan. 2013[11] Hashizume, Keiko, David G. Rosado, Eduardo Fernández-Medina, and Eduardo B. Fernandez. "An analysis of security issues for cloud
computing." Journal of Internet Services and Applications 4, no. 1 (2013): 1-13.[12] Chandra, Deka Ganesh, Ravi Prakash, and Swati Lamdharia. "A Study on Cloud Database." In Computational Intelligence and
Communication Networks (CICN), 2012 Fourth International Conference on, pp. 513-519. IEEE, 2012.[13] Subashini, S., and V. Kavitha. "A survey on security issues in service delivery models of cloud computing." Journal of Network and Computer
Applications 34, no. 1 (2011): 1-11.
31
THANK YOU !!!!
32