The Research on Cloud Computing Data Security Mechanism
Xu Xiaoping 1, a, Yan Junhu 1, b and Liu Lan 1, c
1 School of Electronic and Information, Guangdong Polytechnic Normal University, Guangzhou, P. R. of China
b yanjh8@sina.com
Keywords: Cloud computing; data security; security mechanisms.
Abstract. As cloud computing is applied more widely to data storage, data management and other services, how to ensure the security of data in cloud computing is becoming an important research direction. This paper analyzes cloud computing data security issues, discusses cloud computing data security technologies, and proposes a cloud data security solution together with the corresponding security mechanism.
Introduction
Cloud computing pools the computing power of a cluster and delivers it over the Internet to internal and external users as flexible, on-demand services. With the development of cloud computing, cloud computing security issues are a growing concern. How to ensure that data is stored safely in the cloud and protected against leaks while in transit is the main research direction of cloud computing data security and the key to its development. This paper analyzes cloud computing data security issues, discusses cloud data storage security, data transmission security and data auditing security, presents a cloud data security solution, and gives the corresponding security mechanism.
Cloud computing data security technology
Typically, businesses and individual users store large amounts of private data in the cloud, data which often represents an individual's privacy or an enterprise's core competitiveness. In the cloud computing model, business or personal data is transmitted over the network to the cloud service provider for processing, and this raises several problems. First, how to ensure that business and personal data remain strictly confidential while in transit over the network; second, how to ensure that business or personal data stored at the cloud service provider is secure, so that even if it is stolen it cannot be recovered; third, how to ensure that users are admitted only through rigorous authentication and authorization, that their access to the data is legitimate, and that the cloud service provider does not leak confidential enterprise and personal data [1]. Cloud computing data security therefore covers data transmission security, data storage security, data auditing security and many other aspects.
Data Transmission Security. In the cloud computing environment, transmitting data over the network is unavoidable, so protecting the security of data in transmission is very important. Encrypting network traffic can ensure the confidentiality, integrity and availability of transmitted data. Encryption of data in transit can be implemented at the link layer, the network layer or the transport layer. For encrypted transmission inside the cloud, technologies such as MPLS can be used to provide data encryption and information security within the cloud computing system; for encrypted transmission of user data, IPSec VPN and SSL VPN technologies can improve the security of user data in network transmission [2].
Advanced Materials Research Vols. 846-847 (2014) pp 1595-1599. Online available since 2013/Nov/21 at www.scientific.net. © (2014) Trans Tech Publications, Switzerland. doi:10.4028/www.scientific.net/AMR.846-847.1595
Data Storage Security. The storage of user data is an important aspect of security. A main way to protect data is encryption: even if the data is stolen illegally, its specific content cannot be learned. Encryption algorithms fall into two classes, symmetric encryption and asymmetric encryption, and an algorithm with better performance and higher operational efficiency should be chosen [3]. In key management, a centralized key management and distribution mechanism can achieve efficient and secure storage of user information. In a cloud storage service, encrypting the stored data not only prevents it from being illegally spied on, but also ensures the integrity of the data content.
Data Auditing Security. Mutual suspicion and distrust between the two parties is a perpetual, irreconcilable contradiction in market transactions. In the cloud computing environment, third-party certification is therefore often used to audit data in order to ensure data security, accuracy and validity. Cloud service providers supply the necessary support to help third-party agencies audit data security and accuracy, meeting the user's requirements for data auditing security. A cloud computing security audit platform comprehensively analyzes risks in order to objectively evaluate the data security protection, business continuity capability and service standards of cloud services; to accurately grasp the security, operational and ongoing risks of cloud services; to adjust the construction and application of cloud services; to ensure construction standards; and to provide decision support for cloud service providers, users and regulators [4].
A cloud computing data security solution
Overall solution. For the problem of cloud computing data security, one solution is to ensure cloud data security from three areas: data transmission, data storage and data auditing, as shown in Fig. 1.
Fig. 1 Overall design
Cloud data transmission security mechanism. Cloud data transfer security includes the transport security between the cloud and the client, and the transport security between different entities within the cloud. Data between the cloud and the client can be transmitted using IPSec VPN, SSL VPN and similar technologies to ensure safe transmission; for data transmission security between cloud entities, MPLS technology can be used to build a secure cloud data transmission channel.
♦ IPSec VPN
IPSec (IP Security) is the protocol most commonly used to realize VPN capabilities. Its basic idea is to provide security at the IP layer. An IPsec VPN is completely transparent to application-layer protocols: once the IPsec VPN encrypted tunnel is established, all kinds of connections, such as Web, e-mail and file transfer, are easily carried in the channel. This is the biggest advantage of IPsec VPN. In addition, in actual deployment an IPsec VPN usually opens an entire network segment to the remote side, so its granularity of security control is relatively coarse, which makes it suitable for use within the enterprise.
♦ SSL VPN
SSL VPN is the simplest and most secure technology for a remote user to access sensitive data. Compared with IPSec VPN, SSL achieves remote connectivity in a simple-to-use way. SSL VPN is based on the SSL protocol, and since the SSL protocol is embedded in the browser, any terminal with a browser supports SSL VPN. Moreover, the SSL protocol sits between the TCP/IP protocol and the application-layer protocols, so its security control granularity can be made fine: it is able to open only a single host, a port or a URL. The biggest advantage of SSL VPN is that secure access can be achieved with no additional equipment and without changes to the network structure on the access side. SSL VPN technology is therefore very suitable for the personal terminals of cloud applications.
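The SSL VPN point above, that the protection sits between TCP/IP and the application and the client can be held to exactly one host, is illustrated by the following added Go example, which is not code from the paper. It uses Go's standard crypto/tls library as the SSL/TLS implementation; the gateway name cloud-gateway.example and its self-signed certificate are placeholders constructed for the example, standing in for the organisation's own certificate authority. It puts a client that verifies the gateway certificate beside the weak setting, a client with verification switched off, so the reader can see which host-name mismatch each one catches.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// gatewayName is a placeholder for the cloud-side SSL VPN endpoint.
const gatewayName = "cloud-gateway.example"

// newSelfSignedCert makes a throwaway gateway certificate and a trust pool holding only it (in deployment the pool would hold the organisation's CA certificate instead).
func newSelfSignedCert(host string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the SAN the client checks its ServerName against
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// gatewayConfigs returns a hardened pair: TLS 1.3 only on both ends, and a client that verifies the gateway certificate against the private pool.
func gatewayConfigs() (*tls.Config, *tls.Config, error) {
	cert, pool, err := newSelfSignedCert(gatewayName)
	if err != nil {
		return nil, nil, err
	}
	server := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS13,
		SessionTicketsDisabled: true, // nothing is written after the handshake, so the synchronous pipe below cannot stall
	}
	client := &tls.Config{
		RootCAs:    pool,
		ServerName: gatewayName, // must match the certificate's SAN
		MinVersion: tls.VersionTLS13,
	}
	return server, client, nil
}

// handshake runs one TLS handshake over an in-memory pipe (no sockets needed) and returns the negotiated version, or the error that aborted the connection.
func handshake(serverCfg, clientCfg *tls.Config) (uint16, error) {
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()
	deadline := time.Now().Add(2 * time.Second) // a rejected handshake must not hang the caller
	srvConn.SetDeadline(deadline)
	cliConn.SetDeadline(deadline)
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(srvConn, serverCfg).Handshake() }()
	cli := tls.Client(cliConn, clientCfg)
	if err := cli.Handshake(); err != nil {
		return 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return cli.ConnectionState().Version, nil
}

func main() {
	server, client, err := gatewayConfigs()
	if err != nil {
		panic(err)
	}
	v, err := handshake(server, client)
	fmt.Printf("verified client: version=%#x err=%v\n", v, err)
	wrong := client.Clone()
	wrong.ServerName = "other-host.example" // does not match the gateway certificate
	_, err = handshake(server, wrong)
	fmt.Println("wrong host, verification on:", err)
	wrong.InsecureSkipVerify = true // the weak setting: the mismatch goes unnoticed
	_, err = handshake(server, wrong)
	fmt.Println("wrong host, verification off:", err)
}
```

The first handshake negotiates TLS 1.3; the second is refused because the name the client expects is not in the certificate; the third succeeds only because InsecureSkipVerify discards that check, which is why it has no place in a production client configuration.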
♦ MPLS technology
MPLS is a fast data-forwarding technology based on labels. In the conventional method, the router analyzes the IP address in the header of each data packet to determine the next hop and then forwards it, but the addresses are long and forwarding is slow. In an MPLS network, once a packet enters the LER (Label Edge Router) it is marked with a label, and the next hop is then determined from the label. Thus only the packet's label is read, without reading the IP address of each packet, which greatly improves forwarding speed. Another advantage of MPLS is its data privacy protection. In an MPLS network the router sees only the label the packet carries and does not analyze the packet payload or the corresponding IP control information. Where necessary, this data can also be encrypted. Applying MPLS technology to the cloud can improve the security and reliability of data transmission and can effectively prevent DDoS and other attacks.
Cloud data storage security mechanism. A cloud computing data security storage service needs to encrypt data for users. At present, common data encryption algorithms are divided into symmetric encryption algorithms and asymmetric encryption algorithms. Symmetric encryption algorithms are more common and more mature; because their encryption and decryption are fast, they are widely used where large amounts of data are processed. In a symmetric encryption algorithm both parties use the same key for encryption and decryption. The advantages are a public algorithm, fast encryption and high efficiency; the disadvantage is that, because both sides use the same key, security cannot be adequately ensured. Asymmetric encryption algorithms divide the traditional key into an encryption key and a decryption key that control the encryption and decryption processes respectively, and the security of the key rests on computational complexity. The advantage is the flexibility of the keys; the problem is the large amount of computation.
Because a symmetric encryption algorithm uses the same key on both sides and so brings key management problems, it is more difficult to use in distributed network systems; an asymmetric encryption algorithm, because of its large amount of computation, is not suitable for encrypting and decrypting large amounts of data. Thus a double-encryption storage solution that combines symmetric and asymmetric encryption can be used to solve the data security problem of cloud storage.
♦ Encryption process
In the encryption process, the key generator of the symmetric encryption algorithm first generates a random key, which is used to encrypt the user data. Then the user extracts the target user's public key for the asymmetric encryption algorithm from the cloud key store and uses it to encrypt the symmetric key. Finally, the data encrypted with the symmetric algorithm and the key encrypted with the asymmetric algorithm are packaged together and uploaded to the cloud, completing the encryption process.
♦ Decryption process
To decrypt the data, the private key of the asymmetric encryption algorithm is first used to decrypt and so restore the symmetric key; the symmetric key is then used to decrypt the data and restore the entire original, completing the decryption of a packet.
In this solution, each user holds their own private key for the asymmetric encryption algorithm, and the corresponding public key is stored in the cloud key library. When data is exchanged between users, the target user's asymmetric public key is downloaded from the cloud and used to encrypt the symmetric key. The encrypted data packet is stored in the cloud. When the target user accesses the data, they decrypt the symmetric key with their own asymmetric private key and then recover the original. Combining the two encryption methods achieves a double encryption of the data, ensuring secure data storage.
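The encryption and decryption processes described above, as an added Go example that is not the paper's code. The paper names no particular algorithms, so AES-256-GCM as the symmetric algorithm and RSA-OAEP as the asymmetric one are this example's assumptions; the cloudKeyStore map stands in for the cloud key library, and the user names and message are constructed. GCM's authentication tag also supplies the integrity check the paper expects of encrypted storage, so a package altered in the cloud is rejected on decryption instead of yielding corrupted data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// cloudKeyStore stands in for the paper's cloud key library: each user's public key, by user name.
type cloudKeyStore map[string]*rsa.PublicKey

// dataPackage is what is uploaded: the data under the symmetric key, and that key under the target user's public key.
type dataPackage struct {
	WrappedKey []byte // random AES-256 key, encrypted with RSA-OAEP
	Nonce      []byte // fresh GCM nonce for this package
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
}

// newUser generates a user's asymmetric key pair: the private key stays with
// the user, the public key is published to the cloud key store.
func newUser(store cloudKeyStore, name string) (*rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	store[name] = &priv.PublicKey
	return priv, nil
}

// encryptForUser is the encryption process: a random symmetric key encrypts the
// data, the target user's public key encrypts that key, and both are packaged for upload.
func encryptForUser(store cloudKeyStore, target string, plaintext []byte) (*dataPackage, error) {
	pub, ok := store[target]
	if !ok {
		return nil, fmt.Errorf("no public key for user %q", target)
	}
	key := make([]byte, 32) // output of the symmetric key generator
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &dataPackage{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// decryptPackage is the decryption process: the holder's private key restores the
// symmetric key, which restores the data; GCM's tag check rejects a package altered in storage.
func decryptPackage(priv *rsa.PrivateKey, p *dataPackage) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, p.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap symmetric key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, p.Nonce, p.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("package failed integrity check: %w", err)
	}
	return plaintext, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	store := cloudKeyStore{}
	bob, err := newUser(store, "bob")
	if err != nil {
		panic(err)
	}
	pkg, err := encryptForUser(store, "bob", []byte("Q3 design files")) // constructed sample data
	if err != nil {
		panic(err)
	}
	got, err := decryptPackage(bob, pkg)
	fmt.Printf("bob decrypts: %q err=%v\n", got, err)
}
```

Only the holder of the matching private key can unwrap the symmetric key, so a package addressed to one user is useless to another user of the same store, and the per-package nonce means the same symmetric key is never reused across uploads.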
Cloud data auditing security mechanism. Compared to traditional systems, the layered architecture of a cloud computing system makes its log information even more important for operation and maintenance, security event tracing, forensic investigation and other purposes. The cloud computing system performs unified and complete audit analysis through the security audit platform, using the operation, maintenance and other kinds of system security audit logs to improve its ability to review violations. A complete cloud security audit platform should have logging and audit mechanisms whose main features include:
♦ User access to account information. Record user access to account information, including changes to user accounts and passwords, and changes to, deletion of, addition of and queries on user account information; also record user access to other users' resources and information.
♦ The way a user signs in to the system. Record the methods by which users log in, including login with an ordinary account and password, login through the SSL VPN, and login with an external UKEY, in order to prevent unauthorized access or cracking.
♦ Failed access attempts. Recording failed access attempts makes it possible to count how many times individual unauthorized users have tried to force their way into the system. If failed login attempts are not logged, nobody may ever know how many attackers are trying to enter the system, which ultimately leads to the system being broken into.
♦ The user's operation records. The record of user operations on files is the most important part of the cloud service security audit. The user's operations include adding, deleting, querying and modifying documents, as well as operations on applications and so on.
♦ Access to the system log. Record user access to the system log so that it is known which users modified or deleted what, and the permissions of those users can be restricted afterwards.
♦ Other system records related to account information security. Audit content such as attack detection, detection of abnormal behaviour and analysis of potential risks should be recorded to ensure the security of the cloud service user's data and information.
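The failed-access-attempt feature above, as an added Go example that is not from the paper. It parses a constructed audit log (the record layout, user names, addresses and login methods are this example's own, not a format the paper defines) and raises an alert when one user from one source accumulates five failed logins inside a sliding window, which is exactly the count the paper says goes unnoticed when failed attempts are not logged. Malformed records are reported rather than skipped, since a gap in the audit trail is itself something an auditor wants to see.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// loginEvent is one sign-in record as the audit platform would keep it: who, from where, by which method and with what outcome.
type loginEvent struct {
	When   time.Time
	User   string
	Source string
	Method string
	Failed bool
}

// sampleAuditLog is constructed for this example; the layout, names and addresses are not from the paper.
const sampleAuditLog = `2014-01-10T08:00:01Z login user=alice src=10.0.0.5 method=password result=OK
2014-01-10T08:00:40Z login user=carol src=203.0.113.9 method=sslvpn result=OK
2014-01-10T08:01:10Z login user=bob src=198.51.100.7 method=password result=FAIL
2014-01-10T08:01:12Z login user=bob src=198.51.100.7 method=password result=FAIL
2014-01-10T08:01:15Z login user=bob src=198.51.100.7 method=password result=FAIL
2014-01-10T08:01:19Z login user=bob src=198.51.100.7 method=password result=FAIL
2014-01-10T08:01:22Z login user=bob src=198.51.100.7 method=password result=FAIL
2014-01-10T08:02:00Z login user=dave src=10.0.0.8 method=ukey result=FAIL
2014-01-10T09:30:00Z login user=dave src=10.0.0.8 method=ukey result=FAIL`

// parseAuditLog turns the text log into events, rejecting malformed lines instead of skipping them.
func parseAuditLog(text string) ([]loginEvent, error) {
	var events []loginEvent
	for n, line := range strings.Split(strings.TrimSpace(text), "\n") {
		fields := strings.Fields(line)
		if len(fields) < 3 || fields[1] != "login" {
			return nil, fmt.Errorf("line %d: not a login record", n+1)
		}
		when, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		ev := loginEvent{When: when}
		for _, kv := range fields[2:] {
			k, v, ok := strings.Cut(kv, "=")
			if !ok {
				return nil, fmt.Errorf("line %d: bad field %q", n+1, kv)
			}
			switch k {
			case "user":
				ev.User = v
			case "src":
				ev.Source = v
			case "method":
				ev.Method = v
			case "result":
				ev.Failed = v == "FAIL"
			}
		}
		events = append(events, ev)
	}
	return events, nil
}

// bruteForceAlerts flags each (user, source) pair that reaches threshold failed logins inside a sliding window; events are sorted by time first so records collected out of order still count correctly.
func bruteForceAlerts(events []loginEvent, threshold int, window time.Duration) []string {
	sorted := append([]loginEvent(nil), events...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].When.Before(sorted[j].When) })
	type key struct{ user, src string }
	recent := map[key][]time.Time{}
	var alerts []string
	for _, ev := range sorted {
		if !ev.Failed {
			continue
		}
		k := key{ev.User, ev.Source}
		times := append(recent[k], ev.When)
		for len(times) > 0 && ev.When.Sub(times[0]) > window { // expire failures older than the window
			times = times[1:]
		}
		if len(times) >= threshold {
			alerts = append(alerts, fmt.Sprintf("%s: %d failed logins for user %s from %s within %s",
				ev.When.Format(time.RFC3339), len(times), k.user, k.src, window))
			times = nil // re-arm so a later burst raises a fresh alert
		}
		recent[k] = times
	}
	return alerts
}

func main() {
	events, err := parseAuditLog(sampleAuditLog)
	if err != nil {
		panic(err)
	}
	for _, a := range bruteForceAlerts(events, 5, 5*time.Minute) {
		fmt.Println("ALERT", a)
	}
}
```

With a five-minute window the five failures for bob from 198.51.100.7 produce one alert, while dave's two failures an hour and a half apart do not; shrinking the window to ten seconds expires bob's first failure before the fifth arrives, so the same log then produces no alert, which is the trade-off an operator tunes when choosing the window.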
Summary
Cloud computing data security involves the storage, processing, transmission and other handling of user data. How to ensure the data security of cloud services, and how to implement an effective data security audit, is a challenge. This paper discusses the technical aspects of cloud computing data security solutions and gives mechanisms for transmission security, storage security and auditing security. On the non-technical side, cloud service providers need to lower security risk through management, establishing sound cloud computing data security mechanisms through a two-pronged approach of technology and management.
References
[1] Wu Xudong. Research on cloud computing data security. 26th National Computer Security Symposium, 2011 (9).
[2] Zhang Qiyun. Cloud computing data security issues. Computer Software and Applications, 2012 (6).
[3] Xiao Juan, Wu Juan. A SM2 algorithms to realize COS data security. Wuhan Polytechnic University, 2013 (2).
[4] Liu Xinhua, Hu Chunrong. Cloud computing data security critical technology and solutions. The New Vision, 2012.
Published in: Advances in Mechatronics, Automation and Applied Information Technologies, doi:10.4028/www.scientific.net/AMR.846-847. This paper: The Research on Cloud Computing Data Security Mechanism, doi:10.4028/www.scientific.net/AMR.846-847.1595