Issue No. 652


Journal of Unicamp

Campinas, April 11, 2016 to April 24, 2016 – Year 2016 – No. 652

Study proposes security techniques for data in clouds

FEEC researcher defines requirements for a storage system that is simple, secure and reliable

A study on security and privacy in data storage in clouds highlights a set of problems and concerns in this regard and suggests techniques to alleviate them, in addition to evaluating the costs and benefits of these techniques and their possible combinations to offer better protection to the user. In his master's thesis, Vitor Hugo Galhardo Moia carried out a survey of commercial and academic solutions for storing data in clouds, defined requirements considered essential for a safe, reliable and simple-to-use system, and even developed an application that he called CPG (Cloud Privacy Guard). The research was supervised by professor Marco Aurélio Amaral Henriques and presented at the Faculty of Electrical and Computer Engineering (FEEC).

Vitor Moia notes that cloud computing is already a well-known and consolidated technology, which can bring several advantages to users. “Among other facilities, cloud service providers (CSP – Cloud Service Providers) provide space on their servers for personal files to be deposited, for example. There are several advantages, such as backup, as providers maintain servers spread across the world: a file is stored in the cloud, copies are sent to all points, freeing the customer from the worry of making backups to store their data in safe locations. It is necessary to pay attention, however, to the fact that free providers do not guarantee that data will not be lost.”

The author of the dissertation also highlights the financial advantage, as the user can count on powerful computing resources without the costs associated with local infrastructure and maintenance, paying only for the time and space they consume (pay-as-you-go model). “However, perhaps the biggest advantage is the possibility of accessing your file from any location and at any time, all you need is a device with internet access. Cloud storage is also interesting for companies, which sometimes share the same database, such as customer or product records, which employees can access and update.”

Having listed the advantages, Moia returns to the focus of his study, on the risks posed by cloud storage in terms of security and privacy, starting with the fact that the service is outsourced. “When a person stores their data in the cloud, they end up handing over control of the file to the provider who, intentionally or not, may access it inappropriately. There are several so-called free CSPs, but there is always a price, which is not made explicit to the user. The provider may, for example, use the information for its own benefit or sell it to marketing companies. Even services that guarantee data protection are not that safe, as they do not meet essential requirements.”

Feature of encryption

The dissertation presents a study on users' main concerns regarding their privacy, as well as techniques to alleviate them. “Anyone who wants data confidentiality can resort to encryption, encoding it so that only those who hold a secret (key) can access it. Another protection technique is data fragmentation, dividing a file into many fragments that are stored in different clouds, thus preventing third parties, including providers, from having access to the entire content.”

Another concern relates to the naming and attributes of the files, which generally receive names that are too suggestive, such as “bank statement”, for example, directing attackers to data of interest to them. “The use of encryption in file names and other attributes creates an additional layer of protection. Other users want to keep their location secret from the provider and, for this, there are also solutions. A final concern is regarding ownership of the data, that is, preventing the provider from being able, through the stored information, to reach the real identity of the user; as a solution, we can use auxiliary identification services, such as those used in federated identity systems.”

Vitor Moia explains that, given the numerous security problems to be resolved, he focused on encryption for a more detailed study. “We surveyed and ranked several cloud service providers that also offer encryption among their solutions. Based on this study, we defined security requirements that a provider must present to make the service as reliable as possible. We evaluated 17 cloud and application service providers for this purpose and, in the end, concluded that they are not as secure as they advertise; none of them met all the requirements we defined, and there is still a lot of room for improvement.”

Simple-to-use solution

Having identified the gaps in this context, the research author proposed a solution to provide a layer of protection to files stored in clouds. “After comparing existing systems and arriving at a set of essential requirements for privacy and security, we present, as a proof of concept, an application based on these same requirements. This solution, which we call CPG (Cloud Privacy Guard), serves precisely to encrypt user data before sending it to the cloud. It is a version still under development, but it already allows several tests to be carried out.”

According to Moia, the biggest challenge was coming up with an application that was simple to use, requiring as little effort as possible from the user. “One of the problems identified in relation to encryption is the extra workload required from the user, with a series of complex and tedious procedures even for professionals in the field. With CPG, the user simply drags the file into a folder and the application itself will encrypt and migrate the data to the default cloud folder.”

Vitor Moia considers that his dissertation provides very useful information for the use of cloud data storage technology, such as the survey and comparison of the main providers on the market, in order to help users differentiate them and choose the one that best meets their needs; the study of techniques, drawing attention to other problems associated with this service and not just regarding confidentiality; and also the costs and benefits for each technique, when applied individually or combined. “It is possible to obtain greater protection in several aspects at a much lower cost than one might imagine. We develop several requirements, but each user has their own needs and may not need a provider that meets all of them.”

Publication

Dissertation: “A Study about the Security and Privacy on Cloud Data Storage”
Author: Vitor Hugo Galhardo Moia
Advisor: Marco Aurélio Amaral Henriques
Unit: Faculty of Electrical and Computer Engineering (FEEC)