Presentation is loading. Please wait.

Presentation is loading. Please wait.

“Ensuring distributed accountability for data sharing in the cloud”

Published byGavin Preston Modified over 7 years ago

Similar presentations

Presentation on theme: "“Ensuring distributed accountability for data sharing in the cloud”"— Presentation transcript:

1 “Ensuring distributed accountability for data sharing in the cloud”
Smitha Sundareswaran, Anna C. Squicciarini and Dan Lin

2 Contents Cloud computing Introduction to CIA framework
Problem statement Information accountability Automated logging mechanism End-to-end auditing mechanism Security discussion Performance study Conclusion References

3 Cloud computing

4 Introduction to CIA framework
Security of user data in cloud computing Cloud computing & its services User’s data processed in remote machine Fear of losing data & other security concerns Cloud Information Accountability(CIA) framework Highly decentralized We leverage JAR programmable capabilities Also use distributed auditing mechanisms

5 Problem statement Cloud user send his/her data & access control policies to the service provider The service provider will have granted access rights If the rights are granted using conventional access control mechanisms, data will be fully available at the service provider We use new logging and auditing techniques to track the actual usage of data

6 Requirements The logging technique must satisfy:
Logging should be decentralized Every access to user’s data should be automatically logged Log files should be reliable and tamper proof Recovery mechanisms are also desirable Log files should sent back to data owners periodically

7 Information accountability
Accountability helps to Trace the user’s data Protect sensitive & confidential information Enhance user’s trust in cloud computing A cloud is accountable if: Faults can be reliably detected Each fault can be linked to one party (customer or provider)

8 Accountable clouds

9 Major components of CIA framework
Logger Have logging access to a particular instance of user data Encrypt log record using the public key of the content owner Periodically send the log record to log harmonizer Ensure access & usage control policies associated with data are honored Generate the error correction information for each log record Log harmonizer Responsible for auditing: Two strategies: Push strategy Pull strategy Responsible for handling log file corruption

10 Accountability mechanism

11 Data flow

12 Automated logging mechanism

13 Logger structure Outer JAR Inner JAR Contain more than one inner JARs
Handle authentication of entities to access the data Selecting the correct inner JAR Checking the JVM’s validity Managing the Graphical User interface Inner JAR Encrypted data, retrieval of log files, display enclosed data Two options Pure log Access log

14 Log record generation The log records(Lr) are generated as
Lr = r1, r2, r3, r4... Rk rk = ( id, action, T, loc, h((id, action, T, loc)ri-1…r1), sig ) rk = log record id = user identification action = perform on user's data T = Time at location loc loc = Location h((id, action, T, loc)ri-1…r1) = checksum component sig = Signature of record by server Checksum is computed using hash function, H[i] = f(H[i − 1] ,m[i])

15 Ensuring log correctness
Verify the access time, locations & actions JAR can perform an IP lookup to find the location of the cloud service provider Actions to user’s data has to be logged Mainly four types of actions used: View Download Timed access Location-based access.

16 Dependabililty of logs
JARs Availability Log harmonizer deals with Copies of JARs and logger components Recovering of corrupted logs Stores error correction information Decrypt the log records & handle duplicate records Log Correctness JRE of the system must remain unmodified Verify the integrity of the logger component by: Repair the JRE before logger is launched Insert hash codes to detect modifications of the JRE

17 End-to-end auditing mechanism
Push and Pull Mode Push mode: The logs are periodically pushed to the data owner by the harmonizer: Ensures size of the log files does not explode Enables timely detection and correction of any loss or damage to log files Pull mode auditors may retrieve the logs anytime Pull message contains FTP pull command

18 End-to-end auditing mechanism
Algorithms: Pushing strategy Pull strategy Hybrid strategy

19 Security discussion The attacker copies entire JAR files.
Copying Attack The attacker copies entire JAR files. Disassembling Attack Disassemble the JAR file & attempt to extract useful information Man-in-the-Middle Attack Attacker intercept messages during authentication of service provider with certificate authority, and reply messages Compromised JVM Attack Attacker try to compromise the JVM

20 Performance study Experimental Settings
By setting up a small cloud, using the Emulab testbed On OpenSSL-enabled servers Servers are installed with Eucalyptus Used Linux-based servers running Fedora 10 OS a 64-bit Intel Quad Core Xeon E5530 processor 4 GB RAM 500 GB Hard Drive

21 Performance study Experimental Results Log Creation Time

22 Performance study Authentication Time Time Taken to Perform Logging
Not too much overhead is added Performance can be further improved by caching the certificates Time Taken to Perform Logging Time for executing the action is negligible

23 Performance study Log Merging Time

24 Performance study Size of the Data JAR Files

25 Conclusion CIA performs automatic authentication of users
Data owner can confirm that his data is safe in the cloud by using auditing mechanism Able to distribute applications to many different mobile devices Information gathering capabilities is high High portability

26 References [1] Smitha Sundareswaran, Anna C. Squicciarini and Dan Lin, "Ensuring Distributed Accountability for Data Sharing in the Cloud,", IEEE Transaction on dependable a secure computing, VOL. 9, NO. 4, pg , 2012. [2] S. Pearson and A. Charlesworth, "Accountability as a Way Forward for Privacy Protection in the Cloud, " Proc First Int'l conf. Cloud Computing, 2009. [3] B. Chun and A. C. Bavier ,"Decentralized Trust Management and Accountability in Federated System," Proc. Ann. Hawaii Int'l Conf. System Science (HICSS), 2004. [4] B. Crispo and G. Ruffo, “Reasoning about Accountability within Delegation,” Proc. Third Int’l Conf. Information and Comm. Security (ICICS), pp , 2001 26

27 Thank you! 

Download ppt "“Ensuring distributed accountability for data sharing in the cloud”"

Similar presentations

Thomas S. Messerges, Ezzat A. Dabbish Motorola Labs Shin Seung Uk.

Thomas S. Messerges, Ezzat A. Dabbish Motorola Labs Shin Seung Uk.
Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
Confidentiality and Privacy Controls

Confidentiality and Privacy Controls
DICOM INTERNATIONAL DICOM INTERNATIONAL CONFERENCE & SEMINAR April 8-10, 2008 Chengdu, China DICOM Security Eric Pan Agfa HealthCare.

DICOM INTERNATIONAL DICOM INTERNATIONAL CONFERENCE & SEMINAR April 8-10, 2008 Chengdu, China DICOM Security Eric Pan Agfa HealthCare.
Database Management System

Database Management System
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Cambodia-India Entrepreneurship Development Centre - : :.... :-:-

Cambodia-India Entrepreneurship Development Centre - : :.... :-:-
Security Management.

Security Management.
1 Chapter Overview Managing Compression Managing Disk Quotas Increasing Security with EFS Using Disk Defragmenter, Check Disk, and Disk Cleanup.

1 Chapter Overview Managing Compression Managing Disk Quotas Increasing Security with EFS Using Disk Defragmenter, Check Disk, and Disk Cleanup.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
11 CERTIFICATE SERVICES AND SECURE AUTHENTICATION Chapter 10.

11 CERTIFICATE SERVICES AND SECURE AUTHENTICATION Chapter 10.
Digital Signature Xiaoyan Guo/102587 Xiaohang Luo/104446.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/

Similar presentations

Ads by Google