Flexible Secure Cloud Storage
2014, Graf, Sebastian
Our life without Internet-based services is hard to imagine: We search for information with Google, share thoughts on Facebook, buy at Amazon and store our pictures on Flickr. Many of these Internet-based services focus on easy exchange of information, providing comfortable and ubiquitous storage and sharing. Relieved from hardware purchases, software bug fixes and infrastructure maintenance, users as well as companies use these cloud-based stores either for free or at low cost. The price is the implicit grant of full access to all their sensitive data.
The stored data naturally represents a huge pool of easily accessible and alluring information for cloud providers. Customer questions like “Who accesses my information?” (representing the aspect of confidentiality), “Who altered my data?” (requiring accountability), “Is my data still intact?” (focusing on integrity) or “What happens if the cloud is unavailable?” can rarely be answered in an obliging and honest way. Answering these questions is challenging since security measures seldom cover all security aims at once. Furthermore, the cloud is used with all kinds of data, each with unique characteristics that must be respected.
This thesis brings each of the questions above closer to an answer, resulting in an architecture that jointly satisfies all the denoted security aims. A versatile key management offers flexible group shares by providing fine-grained access on end-to-end encrypted data. The keys furthermore enable time-based access on versioned storage and are provisioned over the cloud itself without harming confidentiality. Versioning of the data protects accountability in storage. This is tailored to the remote location, offering auto-configured checks, constant reconstruction and evened-out transfer rates of change sets. The versioning is provided by a sophisticated bucket structure. Hierarchically ordered data provides recursive integrity checks and atomic operations covering multiple buckets. Providing automatic protection of integrity and accountability, the resulting bucket arrangement is implemented by data containers offering storage of all kinds of data. Results show that the storage of blocks, files and even XML in its structural representation becomes possible. The result is a conceptually simple, transparent, yet powerful architecture to bring data securely and efficiently to the cloud. The extensibility of the architecture is proven by taking advantage of photo sharing websites as No-SQL stores to shake up the closed market of expensive No-SQL cloud storage providers.
Besides these contributions guarding security on a technical level, this thesis provides an outlook exceeding the area of computer science. The architecture is interpreted from the legal point of view, not only increasing confidence in the techniques developed. The resulting mapping offers a bridge between computer scientists and legal experts to exchange knowledge about necessary measures. The need for this cooperation increases as non-transparent, maybe even illegal, access to Internet-stored data seems to become the favorite pastime of governments around the world.
Utilizing Cloud Storages for iSCSI: Is Security really expensive?
2013, Graf, Sebastian, Rain, Andreas, Scharon, Daniel, Waldvogel, Marcel
Cloud storage promises unlimited, flexible and cheap storages, including all-time availability and accessibility with the help of various technologies. Free-of-charge offers for end users allure customers the same way as professional, pay-as-you-go storages do. The delocalization of the data provokes security concerns, especially regarding the confidentiality of the data. Even though encryption offers a straightforward solution to this problem, the performance questions its applicability when it comes to the utilization of professional storage approaches like iSCSI. In this white paper, we propose a utilization of NoSQL-based cloud storages like Amazon S3 or Microsoft Azure for iSCSI. We evaluate the costs of a direct, bucket-based encryption and show that in complex systems like iSCSI, the distance to the cloud represents the bottleneck instead of the encryption. Performance-boosting techniques like prefetching and caching improve the access and result in no practical overhead within such a utilization. Based on our own developed fully Java-based iSCSI target (jSCSI) and jClouds, our prototype represents, to the best of our knowledge, the first freely available, cloud-deployable iSCSI.
Versatile key management for secure cloud storage
2012, Graf, Sebastian, Lang, Patrick, Hohenadel, Stefan, Waldvogel, Marcel
Not only does storing data in the cloud utilize specialized infrastructures facilitating immense scalability and high availability, but it also offers a convenient way to share any information with user-defined third parties. However, storing data on the infrastructure of commercial third-party providers demands trust and confidence. Simple approaches, like merely encrypting the data by providing encryption keys, which at most consist of a shared secret supporting rudimentary data sharing, do not support evolving sets of accessing clients to common data. Based on approaches from the area of stream-encryption, we propose an adaption for enabling scalable and flexible key management within heterogeneous environments like cloud scenarios. Representing access-rights as a graph, we distinguish between the keys used for encrypting hierarchical data and the encrypted updates on the keys enabling flexible join-/leave-operations of clients. This distinction allows us to utilize the high availability of the cloud as updating mechanism without harming confidentiality. Our graph-based key management results in an adaption of nodes related to the changed key. The updates on the keys again continuously create an overhead related to the number of these updated nodes. The proposed scalable approach utilizes cloud-based infrastructures for confidential data and key sharing in collaborative workflows supporting variable client-sets.
Hecate, Managing Authorization with RESTful XML
2011, Graf, Sebastian, Zholudev, Vyacheslav, Lewandowski, Lukas, Waldvogel, Marcel
The potential of REST offers new ways of communication between loosely coupled entities featured through the Web of Things. The binding of the disjunct components of this architecture creates security issues, such as the centralized authorization techniques respecting the independence of the underlying entities. This results in the question of how authorization is performed respecting the flexibility of REST without any knowledge about the underlying resources. Nevertheless, possible knowledge about these resources should enable the authorization workflow to offer finer-grained permissions on substructures of the resources. With our new approach, which we named Hecate, we offer a framework to assure simplified handling while keeping the potential and flexibility of REST. We have designed an architecture based on XML with a flexible authorization mechanism on the one hand and optional resource-awareness on the other hand. The flexibility within the authorization workflow is based on permission sets respecting the HTTP verbs. Additional in-depth knowledge of the entity optionally extends these permissions with resource-aware filters. Hecate offers not only great benefits because of its flexibility, but also because of the optional extensibility proved within the two reference implementations. With Hecate, we show that a centralized authorization mechanism combining independence and optional resource-based filtering extends the flexibility of REST rather than restricting it.
"You can find my CV on LinkedIn ..." - Privacy-Aware Distributed Social Networking for Research Facilities
2013, Graf, Sebastian, Rain, Andreas, Waldvogel, Marcel
Being a part of any social network becomes a necessity especially for the sake of self-presentation. Specialized social networks like LinkedIn are aware of these needs and offer tailored functionalities like referencing to relevant projects and topics including specific searching functionalities.
Since the social data stored within any centralized social network represents an alluring mass of information, security and privacy concerns come up within their utilization. As a consequence, guidelines for their usage are deployed within institutions to increase awareness related to these concerns. Unfortunately, the specific toolsets deployed within universities for presenting users and projects support neither the sharing of group-based or public information nor the ability to create social connections between users especially not over the borders of single institutions.
To combine the need of self-presentation with the ability of virtual social interaction, we present a prototype of a federated, distributed, social network tailored to the need of researchers. Our prototype is based on Diaspora, representing the largest distributed social platform nowadays. Enriched with automated, user-related profiles, our Diaspora-pod offers all members of the University of Konstanz the ability to interact in combination with automated university-profiles.
Tightly integrated in the existing infrastructure of the University of Konstanz and hosted on trusted infrastructure, the described prototype offers not only user-defined sharing of personal profiles in a federated way. It also benefits from the centralized handling of profiles and, as a consequence, reduces the administrative overhead of maintaining any personal information.
Based on its simple usage and the tight integration into the services of the University of Konstanz, our prototype has the potential to push university life to a new social level without generating concerns about security and privacy.
Versatile Key Management for Secure Cloud Storage
2012-10, Graf, Sebastian, Lang, Patrick, Hohenadel, Stefan, Waldvogel, Marcel
Not only does storing data in the cloud utilize specialized infrastructures facilitating immense scalability and high availability, but it also offers a convenient way to share any information with user-defined third parties. However, storing data on the infrastructure of commercial third-party providers demands trust and confidence. Simple approaches, like merely encrypting the data by providing encryption keys, which at most consist of a shared secret supporting rudimentary data sharing, do not support evolving sets of accessing clients to common data. Based on approaches from the area of stream-encryption, we propose an adaption for enabling scalable and flexible key management within heterogeneous environments like cloud scenarios. Representing access-rights as a graph, we distinguish between the keys used for encrypting hierarchical data and the encrypted updates on the keys enabling flexible join-/leave-operations of clients. This distinction allows us to utilize the high availability of the cloud as updating mechanism without harming confidentiality. Our graph-based key management results in an adaption of nodes related to the changed key. The updates on the keys again continuously create an overhead related to the number of these updated nodes. The proposed scalable approach utilizes cloud-based infrastructures for confidential data and key sharing in collaborative workflows supporting variable client-sets.
Treetank, Designing A Versioned XML Storage
2011, Graf, Sebastian, Kramis, Marc, Waldvogel, Marcel
XML is subject to the same constant modification scenarios as any other resource, especially in flexible environments like the WWW. Therefore, intelligent handling of versioned XML is mandatory. Due to the structural nature of XML, the efficient storage of changes in the data, and therefore in the tree, needs new paradigms regarding efficient storage and effective retrieval operations. We present a node-granular XML versioning approach which relies on the independence of the storage and the versioning system. Different layers which have the ability to satisfy specific aspects of a node-granular versioning storage guarantee this independence. Results prove that our architecture offers efficient handling of consecutive changes within all modification scenarios while not restricting XML regarding its usage. Hence, our prototype system handles even huge XML instances while ensuring equal access to each revision of the data.
Utilizing Photo Sharing Websites for Cloud Storage Backends
2013, Graf, Sebastian, Miller, Wolfgang, Waldvogel, Marcel
Cloud storages combine high availability with no need to maintain one's own infrastructure and all-time availability. A wide field of different providers offers a flexible portfolio for any technical need and financial possibility. Yet, the possibilities of different cloud storage providers all have one issue in common: Basic storage is cheap, whereas the costs increase with the storage consumed, adhering to the pay-as-you-go paradigm. Photo sharing websites such as Facebook, Picasa-Web, and Flickr leverage their own cloud infrastructure and offer unlimited storage for little or no charge. Obviously pictures can be used to store information in, which has been used for steganography and watermarking at low data rates. We propose a general framework for storing large amounts of data, its data density and error-correcting mechanisms tunable to the properties of the photo sharing website of your choice. Our cost-performance analysis shows that photo sharing websites compare favorably to professional cloud storage services such as Amazon S3. Thanks to the integration of our software as a backend to the widely-used jClouds framework, everyone can now use photo sharing websites as one component for low-cost purposes, including archival.
A legal and technical perspective on secure cloud storage
2012, Graf, Sebastian, Eisele, Jörg, Waldvogel, Marcel, Strittmatter, Marc
Public cloud infrastructures represent alluring storage platforms supporting easy and flexible, location-independent access to the hosted information without any hassle of maintaining one's own infrastructure.
Already widely established and utilized by end-users as well as by institutions, the hosting of data on untrusted platforms, containing private and confidential information, generates concerns about security. Technical measures establishing security thereby rely on the technical applicability. As a consequence, legal regulations must be applied to cover those measures even beyond this technical applicability.
This paper provides an evaluation of technical measures combined with legal aspects, representing a guideline for secure cloud storage for end-users as well as for institutions. Based upon current approaches providing secure data storage on a technical level, German laws are applied and discussed to give an overview of the correct treatment of even confidential data stored securely in the cloud.
As a result, a set of technical possibilities applied to fixed, defined security requirements is presented and discussed. These technical measures are extended by legal aspects which must be provided from the side of the hosting Cloud Service Provider.
The presented combination of the technical and the legal perspective on secure cloud storage enables end-users as well as hosting institutions to store their data securely in the cloud in an accountable and transparent way.
A secure cloud gateway based upon XML and web services
2011, Graf, Sebastian
Storing data in the cloud offers a scalable and easy way to handle large amounts of data, with availability and scalability guaranteed by the hosting Cloud Service Providers. The price for the gained availability is uncertainty about the integrity and confidentiality of the data. Even if common approaches provide high availability and end-to-end encryption necessary to achieve Availability and Confidentiality as security goals, other security requirements like Integrity and Accountability are neglected. The key management of those clients for encrypting data to satisfy Confidentiality must furthermore support join-/leave-operations within the client set. This work presents an architecture for a secure cloud gateway satisfying the common security goals Availability, Confidentiality, Integrity and Accountability. Mapping these security goals, XML as storage base is equipped with recursive integrity checks, encryption and versioning based on the native XML storage Treetank. A Key Manager extends this approach to provide the deployment of multiple clients sharing keys to the storage in a secure way. New key material is pushed to a server instance deployed as Platform-as-a-Service (PaaS) propagating this update to the clients. The server furthermore applies integrity checks on encrypted data within transfer and storage. Any communication between client, server and Key Manager relies on fixed, defined workflows based upon web services. The proposed architecture called SecureCG thereby enables collaborative work on shared cloud storages within multiple clients, ensuring confidentiality, consistency and availability of the stored data.