
The Research on Cloud Computing Data Security Mechanism

  • Upload
    lan

  • View
    212

  • Download
    0

Embed Size (px)

Citation preview

Page 1: The Research on Cloud Computing Data Security Mechanism

The Research on Cloud computing data security mechanism

Xu Xiaoping 1,a, Yan Junhu 1,b and Liu Lan 1,c

1 School of Electronic and Information, Guangdong Polytechnic Normal University, Guangzhou, P.R. of China

a [email protected], b yanjh8@sina.com, c [email protected]

Keywords: Cloud computing; data security; security mechanisms.

Abstract. As cloud computing is applied to data storage, data management and, more widely, to other services, how to secure the data held in the cloud is becoming an important research direction. This paper analyzes the data security issues of cloud computing, discusses the relevant data security technologies, and proposes a cloud data security solution with the corresponding security mechanisms.

Introduction

Cloud computing pools computing resources into clusters and delivers them to internal and external users over the Internet as flexible, on-demand services. As cloud computing develops, its security issues are also a growing concern. Ensuring that data is stored safely in the cloud and protected in transit, so that it cannot leak, is the main research direction in cloud data security and the key to the further development of cloud services. This paper analyzes the data security issues of cloud computing, discusses cloud data storage security, data transmission security and data auditing security, presents a cloud data security solution, and gives the corresponding security mechanisms.

Cloud computing data security technologies

Typically, businesses and individual users store large amounts of private data in the cloud, data that often represents an individual's privacy or an enterprise's core competitiveness. In the cloud computing model, business or personal data is transmitted over the network to the cloud service provider for processing, which raises several problems. First, how can the data of businesses and individuals be kept strictly confidential while it crosses the network? Second, how can data stored at the cloud service provider be kept secure, so that even if it is stolen it cannot be recovered? Third, how can it be ensured that every access goes through rigorous authentication and authorization, that each access to the data is legitimate, and that the cloud service provider itself does not leak confidential enterprise and personal data [1]? Cloud computing data security therefore involves data transmission security, data storage security, data auditing security and many other aspects.

Data Transmission Security. In the cloud computing environment, transmitting data over the network is unavoidable, so protecting data in transit is very important. Encrypting network traffic protects its confidentiality; the authentication that accompanies encryption in the common protocols (the integrity check of IPsec ESP or AH, the record MAC or AEAD tag of SSL/TLS) protects its integrity. Availability is not something encryption provides and must be addressed separately. Encryption of data in transit can be implemented at the link layer, the network layer or the transport layer. Inside the cloud, MPLS and similar technologies can be used to separate the traffic of the cloud's own systems; for user data, IPsec VPN and SSL VPN technologies improve the security of user data crossing the network [2].

Advanced Materials Research Vols. 846-847 (2014) pp 1595-1599. Online available since 2013/Nov/21 at www.scientific.net. © (2014) Trans Tech Publications, Switzerland. doi:10.4028/www.scientific.net/AMR.846-847.1595

All rights reserved. No part of the contents of this paper may be reproduced or transmitted in any form or by any means without the written permission of TTP, www.ttp.net.


Data Storage Security. The storage of user data is an important aspect of security. The main means of protecting it is encryption, so that even if the data is stolen its content cannot be read. Encryption algorithms fall into two classes, symmetric encryption and asymmetric encryption, and the algorithm chosen should offer good performance and high operational efficiency [3]. For key management, a centralized key management and distribution mechanism can achieve efficient and secure storage of user information. In a cloud storage service, encrypting the stored data not only prevents it from being illegally read; when an authenticated mode of operation (or a separate integrity check) is used, it also lets the owner detect any tampering with the stored content.

Data Auditing Security. Mutual suspicion and distrust between the two parties to a market transaction is a permanent, irreconcilable contradiction. In the cloud computing environment, third-party certification is therefore commonly used to audit data and to confirm its security, accuracy and validity. Cloud service providers provide the necessary support to help third-party agencies audit data security and accuracy, so as to meet the user's requirements for data auditing. A cloud security audit platform comprehensively analyzes the risks in order to evaluate objectively the data protection, business continuity capabilities and service standards of a cloud service; to grasp accurately its security, operational and ongoing risks; to adjust the construction and application of the service; and to provide decision support for cloud service providers, users and regulators [4].

A cloud computing data security solution

Overall solution. To address the data security problems of cloud computing, the proposed solution secures cloud data in three areas: data transmission, data storage and data auditing, as shown in Fig. 1.

Fig. 1 Overall design

Cloud data transmission security mechanism. Cloud data transmission security covers transport between the cloud and its clients and transport between different entities within the cloud. Data between the cloud and a client can be transmitted using IPsec VPN, SSL VPN and similar technologies to ensure transmission safety; for data transmitted between cloud entities, MPLS technology can be used to build a secure transmission channel.

♦ IPsec VPN

IPsec (IP Security) is the protocol most commonly used to realize VPN functions. Its basic idea is to provide security at the IP layer. An IPsec VPN is completely transparent to application-layer protocols: once the IPsec encrypted tunnel is established, any type of connection, such as Web, e-mail or file transfer, can be carried through it, and this is the biggest advantage of IPsec VPN. In actual deployment, however, an IPsec VPN usually opens a whole network segment to the remote side, so its granularity of security control is relatively coarse, which makes it suitable for enterprise use.

Advances in Mechatronics, Automation and Applied Information Technologies, p. 1596

♦ SSL VPN

SSL VPN is the simplest secure way for a remote user to access sensitive data. Compared with IPsec VPN, SSL achieves remote connectivity in a simple-to-use way. SSL VPN is based on the SSL protocol, and because SSL is built into every browser, any terminal with a browser supports SSL VPN. At the same time, because SSL sits between TCP/IP and the application-layer protocols, its security control granularity can be made fine: it can open a single host, a single port or a single URL. The biggest advantage of SSL VPN is that secure access is achieved without additional equipment and without changes to the network structure on the access side. SSL VPN technology is therefore well suited to personal terminals accessing the cloud. Two practical caveats: the protocol underneath a present-day "SSL VPN" is TLS, since SSL 3.0 and earlier are deprecated and should be disabled, and the protection only holds if the client properly validates the server certificate.

♦ MPLS technology

MPLS is a technology for fast data forwarding based on labels. In the conventional method a router analyzes the IP address in the header of each packet to determine the next hop and then forwards it, but addresses are long and forwarding is slow. In an MPLS network, once a packet enters the LER (Label Edge Router) it is given a label, and the path is then determined from the label. Routers simply read the label without having to read the IP address of each packet, which greatly improves forwarding speed. Another advantage of MPLS is the separation it gives to traffic: a core router in an MPLS network only sees the label the packet carries and does not analyze the packet payload or the corresponding IP control information, so one tenant's traffic is kept apart from another's. MPLS itself provides no encryption, however; anyone with access to the provider's links can still read the payload, so where confidentiality is required the data carried over the MPLS path must additionally be encrypted, for example with IPsec. Used inside the cloud in this way, MPLS improves the reliability and isolation of data transmission and reduces the exposure of internal systems to attacks from other networks, although it is not by itself a defense against DDoS attacks on the cloud's public-facing endpoints.

Cloud data storage security mechanism. A cloud data security storage service needs to encrypt data on behalf of users. The common data encryption algorithms are divided into symmetric and asymmetric algorithms. Symmetric algorithms are the more common and mature; because they encrypt and decrypt quickly they are widely used where large amounts of data are processed. In a symmetric algorithm both parties use the same key for encryption and decryption. The advantages are that the algorithm is public, encryption is fast and efficiency is high; the disadvantage is that both sides must hold the same secret key, so the security of the data depends entirely on distributing and protecting that key. Asymmetric algorithms split the traditional key into an encryption key and a decryption key, which control the encryption and decryption processes separately, and rest the security of the private key on computational hardness. Their advantage is the flexibility of key handling, but they require a large amount of computation.

Because a symmetric algorithm uses a single shared key and therefore brings key management problems, it is difficult to use on its own in distributed network systems; an asymmetric algorithm, because of its computational cost, is not suitable for encrypting and decrypting large amounts of data. A double-encryption storage solution that combines symmetric and asymmetric encryption can therefore be used to solve the security problems of cloud storage.

♦ Encryption process

In the encryption process, the key generator of the symmetric algorithm first generates a random key, which is used to encrypt the user's data; then the user fetches the target user's public key from the cloud key store of the asymmetric algorithm and uses it to encrypt the symmetric key; finally the symmetrically encrypted data and the asymmetrically encrypted key are packaged together and uploaded to the cloud, which completes the encryption process.

♦ Decryption process

To decrypt the data, the recipient first uses the private key of the asymmetric algorithm to decrypt and so restore the symmetric key, and then uses the symmetric key to decrypt the data and restore the original content, which completes the decryption of one package.


In this solution, each user holds their own private key of the asymmetric algorithm, and the corresponding public key is stored in the cloud key library. When data is exchanged between users, the sender downloads the target user's public key from the cloud and uses it to encrypt the symmetric key; the encrypted data package is stored in the cloud. When the target user accesses the data, they decrypt the symmetric key with their own private key and then recover the original. Combining the two encryption methods gives a double encryption of the data and ensures secure storage.
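The double-encryption scheme just described, covering both the Data Storage Security discussion and the encryption and decryption processes, as an added worked example; this is not code from the original paper or its authors. The paper names no concrete algorithms, so the example assumes AES-256-GCM for the data and RSA-2048 with OAEP (SHA-256) for wrapping the symmetric key, and simulates the cloud key library with an in-memory map. The KeyStore, Package, GenerateUserKey, Encrypt and Decrypt names and the sample record are this example's own choices; only the Go standard library is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Package is what is uploaded to the cloud: the data under a fresh symmetric
// key plus that key under the target user's public key. The field layout is
// an assumption of this example; the paper does not fix a package format.
type Package struct {
	WrappedKey []byte // AES key encrypted with RSA-OAEP
	Nonce      []byte // AES-GCM nonce, fresh for this package
	Ciphertext []byte // AES-GCM output, authentication tag included
}

// KeyStore stands in for the cloud key library of users' public keys.
type KeyStore map[string]*rsa.PublicKey

// GenerateUserKey creates a user's asymmetric key pair: the private half stays
// with the user, the public half is registered in the cloud key library.
func GenerateUserKey(ks KeyStore, user string) (*rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ks[user] = &priv.PublicKey
	return priv, nil
}

// Encrypt is the paper's encryption process: random symmetric key, symmetric
// encryption of the data, asymmetric encryption of the key, packaged together.
func Encrypt(recipient *rsa.PublicKey, plaintext []byte) (*Package, error) {
	dataKey := make([]byte, 32) // AES-256 key, generated per package, never reused
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &Package{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt is the paper's decryption process run by the target user: unwrap the
// symmetric key with the private key, then decrypt and verify the data.
func Decrypt(priv *rsa.PrivateKey, pkg *Package) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, pkg.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: not the intended recipient")
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, pkg.Nonce, pkg.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("integrity check failed: ciphertext or tag was modified")
	}
	return pt, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	ks := KeyStore{}
	alicePriv, _ := GenerateUserKey(ks, "alice")
	bobPriv, _ := GenerateUserKey(ks, "bob")
	// alice encrypts a constructed sample record for bob with bob's public key
	pkg, err := Encrypt(ks["bob"], []byte("constructed sample record for bob"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(bobPriv, pkg)
	fmt.Printf("bob:   %q err=%v\n", pt, err)
	_, err = Decrypt(alicePriv, pkg)
	fmt.Printf("alice: err=%v\n", err)
}
```

Two points the paper's description leaves implicit are visible here: the symmetric key is fresh for every package, so the compromise of one package's key says nothing about any other, and the authenticated mode means the recipient detects a modified ciphertext instead of silently decrypting garbage, which is what "ensuring the integrity of data content" requires in practice. A user other than the target cannot unwrap the key at all.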

Cloud data auditing security mechanisms. Compared with traditional systems, the layered architecture of a cloud computing system makes its log information more important for operation and maintenance, security event tracing, forensic investigation and other purposes. A cloud computing system performs unified and complete audit analysis through a security audit platform, using the operation, maintenance and other system security audit logs to improve its ability to detect violations. A complete cloud security audit platform must have both logging and audit mechanisms. Its main features include:

♦ User access to account information. Record user access to account information, including changes to the user's account and password; changes to, deletion of, addition of and queries on user account information; and the user's access to other users' resources and information.

♦ The way users sign in. Record the method used for each login, including ordinary account and password login, login through the SSL VPN, login with an external UKEY, and so on, in order to detect unauthorized access or cracking attempts.

♦ Failed access attempts. Logging failed access attempts records how many times individual unauthorized users have tried to force their way into the system. If failed login attempts are not logged, the operators may never know how many attackers are trying to enter the system, which will ultimately allow an attacker to break in.

♦ The user's operating records. The record of user operations on files is the most important part of a cloud service security audit. The operations include adding, deleting, querying and modifying documents, as well as operations on applications.

♦ Access to the system log. Recording user access to the system log shows which users modified or deleted what, so that the permissions of those users can be restricted afterwards.

♦ Other system records related to account information security. Audit content such as attack detection, detection of abnormal behaviour and analysis of potential risks should also be recorded to ensure the security of cloud service users' data.
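The failed-access-attempt and sign-in-method records above, as an added example of what an audit platform does with them once they exist; this is not the paper's code, and the paper specifies no log format. The example assumes a simple key=value line layout of its own, a constructed sample log, and the ParseLine, DetectBruteForce and RunSample names; the detection rule (five or more failed logins from one source address within sixty seconds) is an assumed threshold, not one the paper gives. Only the Go standard library is used.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one audit record in this example's assumed layout (the paper fixes
// no format): an RFC3339 timestamp, an action, then key=value fields.
type Event struct {
	Time   time.Time
	Action string
	Fields map[string]string
}

// ParseLine splits one record; a malformed line is rejected, not guessed at.
func ParseLine(line string) (Event, error) {
	parts := strings.Fields(line)
	if len(parts) < 2 {
		return Event{}, fmt.Errorf("malformed audit line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, parts[0])
	if err != nil {
		return Event{}, err
	}
	ev := Event{Time: ts, Action: parts[1], Fields: map[string]string{}}
	for _, kv := range parts[2:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return Event{}, fmt.Errorf("bad field %q in %q", kv, line)
		}
		ev.Fields[k] = v
	}
	return ev, nil
}

// Alert: the densest count of failed logins from one source inside a window,
// and the set of accounts it tried (many accounts means password spraying).
type Alert struct {
	Failures int
	Accounts map[string]bool
}

// DetectBruteForce groups failed logins by source address, slides a time
// window over each group and reports the sources reaching the threshold.
func DetectBruteForce(events []Event, threshold int, window time.Duration) map[string]Alert {
	bySrc := map[string][]Event{}
	for _, ev := range events {
		if ev.Action == "login" && ev.Fields["result"] == "fail" {
			bySrc[ev.Fields["src"]] = append(bySrc[ev.Fields["src"]], ev)
		}
	}
	alerts := map[string]Alert{}
	for src, evs := range bySrc {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		best, i := 0, 0
		for j := range evs { // two-pointer sliding window over sorted times
			for evs[j].Time.Sub(evs[i].Time) > window {
				i++
			}
			if j-i+1 > best {
				best = j - i + 1
			}
		}
		if best < threshold {
			continue
		}
		accounts := map[string]bool{}
		for _, ev := range evs {
			accounts[ev.Fields["user"]] = true
		}
		alerts[src] = Alert{Failures: best, Accounts: accounts}
	}
	return alerts
}

// sampleLog is constructed for this example, not real data: a spraying burst
// from 203.0.113.9, a normal SSL VPN login, and slow UKEY failures from 10.0.0.8.
var sampleLog = []string{
	"2013-11-21T10:01:00Z login user=admin method=password src=203.0.113.9 result=fail",
	"2013-11-21T10:01:02Z login user=root method=password src=203.0.113.9 result=fail",
	"2013-11-21T10:01:04Z login user=alice method=password src=203.0.113.9 result=fail",
	"2013-11-21T10:01:05Z login user=bob method=password src=203.0.113.9 result=fail",
	"2013-11-21T10:01:07Z login user=admin method=password src=203.0.113.9 result=fail",
	"2013-11-21T10:05:00Z login user=carol method=sslvpn src=198.51.100.7 result=ok",
	"2013-11-21T11:00:00Z login user=bob method=ukey src=10.0.0.8 result=fail",
	"2013-11-21T11:30:00Z login user=bob method=ukey src=10.0.0.8 result=fail",
}

// RunSample applies the assumed rule "five or more failures from one source
// within sixty seconds"; the threshold is this example's choice, not the paper's.
func RunSample() (map[string]Alert, error) {
	var events []Event
	for _, line := range sampleLog {
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return DetectBruteForce(events, 5, 60*time.Second), nil
}
```

Keying the rule on the source address rather than on the account is deliberate: an attacker who tries one password against many accounts never trips a per-account lockout, but the per-source window catches the burst and the Accounts set shows which names were tried. The slow failures from 10.0.0.8 stay below the threshold and are left for the human reviewer, which is the point of keeping the raw failed-attempt records in the first place.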

Summary

Cloud computing data security involves the storage, processing, transmission and other handling of user data. Ensuring the data security of cloud services and implementing an effective data security audit are challenges. This paper discusses the technical aspects of cloud computing data security solutions and gives mechanisms for transmission security, storage security and auditing security. On the non-technical side, cloud service providers need to lower security risk through management, establishing sound cloud computing data security mechanisms through a two-pronged approach of technology and management.


References

[1] Wu Xudong. Research on cloud computing data security. 26th National Computer Security Symposium, 2011 (9).

[2] Zhang Qiyun. Cloud computing data security issues. Computer Software and Applications, 2012 (6).

[3] Xiao Juan, Wu Juan. A SM2 algorithm to realize COS data security. Wuhan Polytechnic University, 2013 (2).

[4] Liu Xinhua, Hu Chunrong. Cloud computing data security critical technology and solutions. The New Vision, 2012.
