By: Anam Zahid, MS(IT)-13[NUST201260763MSEECS60012F]

Supervisor: Dr Awais Shibli

Secure Sharding in Federated

Clouds

Agenda• Introduction• Industrial Motivation• Literature Review• Problem Statement• Proposed Architecture• Tools and Technologies• Timeline• References

2

NoSQL Database

• Open source• Flexible Data model• High Scalability and Performance• Handles Large volumes of unstructured

data• Best suitable for Cloud• Integrated Caching

3

Types of NoSQL Databases

4

Sharding

• Horizontal Scalability

• Can be based on Various parameters (Chunk size, data Relevance, key ranges etc)

5

ShardingTwo basic operations

– Chunk Splitting

– Chunk Migration

6

Cloud Computing

7

Essential Characteristics

Service Models

Deployment Models

Software as a Service

Platform as a Service

Infrastructure as a Service

Public Private Hybrid Community

Broad Network Access

Rapid Elasticity

On-Demand Self Service

Resource Pooling

Measured Service

Cloud Security Threats

8

Data Breaches

Data Loss

Account Hijacking

Insecure APIs

Denial of Services

Malicious Insider

Abuse of Cloud Services

Insufficient Due Diligence

Shared Technology Issues

Cloud Database Issues

9

Cloud Database

Availability

Performance

Security &

PrivacyConsistency

Fault Tolerance

Scalability

Inter-operability

Simplified Queries

Cloud Federation

Cloud service providers collaborate dynamically to share their virtual infrastructure for

Load Balancing

Prevention from Vendor

Lock-ins

Prevention from Power Outages &

Failures

Capacity Manageme

nt

Efficient use of Surplus Resources

Scaling Data to other

CSPs

10

Industrial Motivation

11

Reference: http://www.darkreading.com/database/does-nosql-mean-no-security/232400214

“We think the lack of security around NoSQL is going to take a toll on Organizations” Amichai Shulman, Co-

founder & CTO of Imperva

Industrial Motivation (cont.)

12

Reference: http://www.darkreading.com/database/does-nosql-mean-no-security/232400214

“Instead of SQL injection you have JavaScript or JSON injection” Alex Rothacker, manager of Application

Security Inc.'s research division, Team SHATTER

Rothacker suggests that because of the dependence on the perimeter to secure these databases, organizations

strongly consider encryption whenever possible

zNcrypt for MongoDB

Reference: MongoDB, Gazzang, "Securing Data in MongoDB with Gazzang and 10Gen," 10 July 2012. [Online]. Available: http://www.mongodb.com/presentations/securing-data-mongodb-gazzang. [Accessed 19 November 2013].

13

Literature Review

14

MetaStorage

Bermbach, David, Markus Klems, Stefan Tai, and Michael Menzel. "Metastorage: A federated cloud storage system to manage consistency-latency tradeoffs." In Cloud Computing (CLOUD), 2011 IEEE International Conference on, pp. 452-459. IEEE, 2011.

15

16

MetaStorage

Pros• Security maintained through role

based user management• Increased availability because of

multiple storage providers• Low latency due to data

replication

Cons• No communication security (e.g

SSL, TLS) or security of data at rest (e.g encryption) etc

• Additional overhead due to data processing layer

• Consistency issues due to different cloud storage services

• No scalability limitations

Bermbach, David, Markus Klems, Stefan Tai, and Michael Menzel. "Metastorage: A federated cloud storage system to manage consistency-latency tradeoffs." In Cloud Computing (CLOUD), 2011 IEEE International Conference on, pp. 452-459. IEEE, 2011.

RACS

Abu-Libdeh, Hussam, Lonnie Princehouse, and Hakim Weatherspoon. "RACS: a case for cloud storage diversity." In Proceedings of the 1st ACM symposium on Cloud computing, pp. 229-240. ACM, 2010.

17

18

RACS

Pros• Each RACS proxy maintains user

authentication information and credentials for each repository

• Use redundancy through fragmentation for high availability

• Read synchronizations using zookeeper

Cons• No communication as well as

data at rest security• High latency due to mutual

consistency• Data loss when RACS proxy

crashes

Abu-Libdeh, Hussam, Lonnie Princehouse, and Hakim Weatherspoon. "RACS: a case for cloud storage diversity." In Proceedings of the 1st ACM symposium on Cloud computing, pp. 229-240. ACM, 2010.

Management of Symmetric Cryptographic Keys in

cloud

Fakhar, F.; Shibli, M.A., "Management of Symmetric Cryptographic Keys in cloud based environment," Advanced Communication Technology (ICACT), 2013 15th International Conference on , vol., no., pp.39,44, 27-30 Jan. 2013

19

20

Management of Symmetric Cryptographic Keys in cloud

Pros• Distributed Key generation on

client side• Privacy maintained through

client’s key component contribution in key regeneration.

• Recoverable key components except for client side component

Cons• Communication overhead when

key to decrypt data is needed in cloud

• Key combiner on client terminal

Fakhar, F.; Shibli, M.A., "Management of Symmetric Cryptographic Keys in cloud based environment," Advanced Communication Technology (ICACT), 2013 15th International Conference on , vol., no., pp.39,44, 27-30 Jan. 2013

21

Summary

So, besides providing high availability and throughput because of data fragmentation, there is a need for

• strong client authentication and authorization mechanisms

• Security of data during transmission (e.g. through TLS, SSL, IPSec etc)

• Data-at-rest security (e.g. hashing, encryption etc)

22

Our MotivationAccording to Microsoft’s Framework For data

Governance

Source: http://www.microsoft.com/privacy/datagovernance.aspx

23

Our motivationCompliance Organizations rules and

policies:

Fine Grained Access Control for Database

Management Systems

Masood, R.; Shibli, M.A., “Fine Grained Access Control for Database Management Systems," MS Thesis, SEECS NUST, (2013).

24

Problem Statement

25

In order to avoid the prevalent problem of data breaches in distributed cloud environment, there is a need to provide effective access control and encryption to ensure the security of data residing on the domain of various cloud providers.

26

Proposed Architecture

Our Domain

Proposed Architecture

27

For Distributed Data “PUT” request

9

Authentication

Fine Grained Access Control

Client Application

Key Distribution

Store

Encryption/Decryption

Engine

Query Router

HCS

P Config

.Serve

r

NoSQL Databas

e Server

NoSQL Databas

e Server

NoSQL Databas

e Server

FCSP Encryption/Decryption

EngineQuery Router

Config.

Server

NoSQL Databas

e Server

NoSQL Databas

e Server

NoSQL Databas

e Server

1

23

45

6

7 7

78

10

11 11

12

Contribution

In our proposed system, data security would be ensured by:

• Client side Authentication• Embedded Fine grained authorization• Selective field Encryption of data chunks • Distribution of data across several service

providers

28

Tools and Technologies

• MongoDB• C++ (MS Visual Studio)• Open Stack• XACML

29

Proposed Timeline# Milestone Duration

1 Preliminary Literature Review Done

2 Implementation

2.1 Sharding in NoSQL database 3 weeks

2.2 Encryption and Decryption Module + KDS

1 month & 3 weeks

2.3 Fine grained access control Module 1 month

2.4 Cloud federation establishment and tag aware sharding implementation

1 month

2.5 Integration of all modules 2-3 weeks

3 Testing and Evaluation 1 month

4 Final Documentation 1 month

30

References[1] Fox, Armando, Rean Griffith, A. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, and I. Stoica. "Above the clouds: A Berkeley

view of cloud computing." Dept. Electrical Eng. and Comput. Sciences, University of California, Berkeley, Rep. UCB/EECS 28 (2009).[2] Arora, Indu, and Anu Gupta. "Cloud Databases: A Paradigm Shift in Databases." International J. of Computer Science Issues 9, no. 4 (2012):

77-83.[3] https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf

[4] Mell, Peter, and Timothy Grance. "The NIST definition of cloud computing (draft)." NIST special publication 800, no. 145 (2011): 7. [5] MongoDB, Gazzang, "Securing Data in MongoDB with Gazzang and 10Gen," 10 July 2012. [Online]. Available:

http://www.mongodb.com/presentations/securing-data-mongodb-gazzang. [Accessed 19 November 2013].[6] http://www.forbes.com/sites/benkepes/2013/11/04/was-garantia-is-now-redisdb-either-way-nosql-is-hot/[7] http://www.darkreading.com/database/does-nosql-mean-no-security/232400214[8] Bermbach, David, Markus Klems, Stefan Tai, and Michael Menzel. "Metastorage: A federated cloud storage system to manage

consistency-latency tradeoffs." In Cloud Computing (CLOUD), 2011 IEEE International Conference on, pp. 452-459. IEEE, 2011.[9] Abu-Libdeh, Hussam, Lonnie Princehouse, and Hakim Weatherspoon. "RACS: a case for cloud storage diversity." In Proceedings of the

1st ACM symposium on Cloud computing, pp. 229-240. ACM, 2010.[10] Fakhar, F.; Shibli, M.A., "Management of Symmetric Cryptographic Keys in cloud based environment," Advanced Communication

Technology (ICACT), 2013 15th International Conference on , vol., no., pp.39,44, 27-30 Jan. 2013[11] Hashizume, Keiko, David G. Rosado, Eduardo Fernández-Medina, and Eduardo B. Fernandez. "An analysis of security issues for cloud

computing." Journal of Internet Services and Applications 4, no. 1 (2013): 1-13.[12] Chandra, Deka Ganesh, Ravi Prakash, and Swati Lamdharia. "A Study on Cloud Database." In Computational Intelligence and

Communication Networks (CICN), 2012 Fourth International Conference on, pp. 513-519. IEEE, 2012.[13] Subashini, S., and V. Kavitha. "A survey on security issues in service delivery models of cloud computing." Journal of Network and Computer

Applications 34, no. 1 (2011): 1-11.

31

THANK YOU !!!!

32