The Study and Design On Secure-Cloud Storage System
Liu Hao, Dezhi Han
Abstract—For the security issues in cloud storage systems, we design a cloud security storage system (CSSS for short). First, the CSSS integrates information isolation, access control, virus detection, metadata safeguarding of crucial data and fast retrieval; second, with the help of a connection control interface, authorized users can safely access the data in the CSSS. This system can provide a solid foundation for data protection and multilevel storage in a private enterprise cloud. Trial results show that the system can ensure data security in the cloud storage system, with few side effects on the I/O performance of the network.

Keywords-distributed file system; cloud storage security; metadata safeguard of crucial data; cloud controller

I. INTRODUCTION

Cloud computing is one of the most active application areas for enterprises, and it is increasingly accepted by enterprises that can take advantage of its low cost, fast deployment and elastic scaling. With the pace of enterprise informatization, huge amounts of data are generated and dispersed across the Internet all around the world. Storing that data safely and inexpensively has become a great challenge. Amazon S3 (Simple Storage Service), the leader in cloud storage services, provides strong data storage. However, when using S3, enterprise users have to design their own encryption and decryption modules for their applications in the cloud. That leads to another problem: access control and a discriminating structure for the data. With the prevalence of cloud computing, how to store data safely and efficiently in the cloud is becoming an important research topic.

This paper first introduces the concept of cloud computing and related knowledge to raise the point of data security, that is, how to safely store data in the cloud. On that basis, the paper conducts in-depth research on the security of cloud data storage and designs a prototype system for private cloud storage which integrates private cloud data protection, including access control, I/O classification, metadata protection for sensitive data, virus detection, content filtration, real-time backup and rapid information retrieval, providing a foundation for graded data storage and protection in a private enterprise cloud storage system.

II. ARCHITECTURE OF THE SECURE-CLOUD STORAGE SYSTEM

A. Software architecture of the secure cloud data storage system

For the security problems of the data storage system in the private enterprise cloud, we conduct research on testing and implementing private cloud storage security with the help of the local area networks of a cooperating enterprise and our campus, so as to find effective solutions for the security problems of cloud data storage from both theory and implementation. We also assess the private cloud storage system's security requirements and risk level to seek a balance between security and performance, and to ensure that the new system can run effectively and safely with little effect on system performance. On this basis, we design and realize the prototype of the private cloud security storage system shown in Figure 1. The prototype system consists of a connection interface, a distributed file system, an access control module, a security-auditing module and a classification-write module. The access control module contains a request-classification submodule, a read-processing submodule and a write-preprocessing submodule. The request-classification submodule sends valid read requests to the read-processing submodule and valid write requests to the write-preprocessing submodule. The read-processing submodule sends ordinary read requests directly to the storage system, which returns the data to the user via the server, while read requests for sensitive (crucial) data go through special treatment, such as secondary authentication for metadata access and encryption of the metadata. Data written by users are first stored in a buffer, and then processed by the security-auditing module and the classification-write module before being written into the storage system. The security-auditing module takes charge of content detection (filtration) and virus detection. The classification-write module writes ordinary data directly into the storage system, and takes special protection for
Figure 2. Service architecture of cloud storage (figure not reproduced; labels recovered from it: Clients, Network Connect, Network Security, Authentication, Authorization, Request classification, Storage System)
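The read path described above, as an added example (not the paper's code): the request-classification step decides whether a path is ordinary or sensitive, ordinary reads go straight to the storage nodes via the plaintext metadata on metadata server 1 (MDS1), and sensitive reads must first pass a secondary authentication (a challenge/response on a per-user secret) before the read-processing step opens the encrypted, integrity-protected metadata held on metadata server 2 (MDS2), the split Section III.A below elaborates. The class names, the chunk layout, the user records and the HMAC-based sealing of the metadata are this example's assumptions; in production the sealing would be a standard AEAD such as AES-GCM from a real library.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

CHUNK = 16  # tiny chunk size (assumption) so the sample data spreads over both nodes


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream: a stand-in for AES-GCM.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC a metadata record: nonce(16) || ciphertext || tag(32)."""
    ek, mk = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; a modified blob never decrypts."""
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mk, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("metadata blob tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))


@dataclass
class User:
    name: str
    cleared_for_sensitive: bool
    second_factor_secret: bytes  # known to the user's token and the auth module only


def second_factor_response(user: User, chal: bytes) -> bytes:
    """Client side of the secondary authentication: HMAC of the challenge."""
    return hmac.new(user.second_factor_secret, chal, hashlib.sha256).digest()


@dataclass
class CloudStorage:
    mds2_key: bytes  # held by the read-processing submodule, never by the storage nodes
    nodes: dict = field(default_factory=lambda: {"node-a": {}, "node-b": {}})
    mds1: dict = field(default_factory=dict)     # path -> plaintext JSON metadata
    mds2: dict = field(default_factory=dict)     # path -> sealed metadata blob
    pending: dict = field(default_factory=dict)  # user name -> outstanding challenge

    def store(self, path: str, data: bytes, sensitive: bool) -> None:
        """Spread chunks over the nodes; only the metadata records where they are."""
        chunks = []
        for i in range(0, len(data), CHUNK):
            node = "node-a" if (i // CHUNK) % 2 == 0 else "node-b"
            cid = hashlib.sha256(data[i:i + CHUNK]).hexdigest()[:16]
            self.nodes[node][cid] = data[i:i + CHUNK]
            chunks.append([node, cid])
        meta = json.dumps({"path": path, "chunks": chunks}).encode()
        if sensitive:
            self.mds2[path] = seal(self.mds2_key, meta)  # no plaintext locations on MDS2
        else:
            self.mds1[path] = meta

    def classify(self, path: str) -> str:
        """Request-classification submodule: which class of metadata the path has."""
        if path in self.mds1:
            return "ordinary"
        if path in self.mds2:
            return "sensitive"
        raise FileNotFoundError(path)

    def challenge(self, user: User) -> bytes:
        """Secondary authentication, step 1: a fresh single-use challenge."""
        self.pending[user.name] = secrets.token_bytes(16)
        return self.pending[user.name]

    def read(self, user: User, path: str, response: Optional[bytes] = None) -> bytes:
        """Read-processing submodule: ordinary reads go straight to the nodes,
        sensitive reads must pass the secondary authentication first."""
        if self.classify(path) == "ordinary":
            meta = json.loads(self.mds1[path])
        else:
            if not user.cleared_for_sensitive:
                raise PermissionError(f"{user.name} is not cleared for sensitive data")
            chal = self.pending.pop(user.name, None)  # consumed: a response cannot be replayed
            if chal is None or response is None:
                raise PermissionError("secondary authentication required")
            if not hmac.compare_digest(second_factor_response(user, chal), response):
                raise PermissionError("secondary authentication failed")
            meta = json.loads(open_sealed(self.mds2_key, self.mds2[path]))
        return b"".join(self.nodes[n][c] for n, c in meta["chunks"])


def try_read(cloud: CloudStorage, user: User, path: str, response: Optional[bytes] = None) -> str:
    """'ok' when the read succeeds, otherwise the name of the refusing exception."""
    try:
        cloud.read(user, path, response)
        return "ok"
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__


def build_sample() -> Tuple[CloudStorage, User, User]:
    """Constructed sample: one ordinary file, one sensitive file, two users."""
    cloud = CloudStorage(mds2_key=secrets.token_bytes(32))
    cloud.store("/pub/notice.txt", b"Campus network maintenance on Friday evening.", False)
    cloud.store("/hr/payroll.csv", b"name,salary\nalice,5200\nbob,4800\n", True)
    return cloud, User("alice", True, secrets.token_bytes(20)), User("guest", False, secrets.token_bytes(20))


if __name__ == "__main__":
    cloud, alice, guest = build_sample()
    print(cloud.read(guest, "/pub/notice.txt").decode())  # ordinary: no second factor needed
    print(try_read(cloud, guest, "/hr/payroll.csv"))       # refused: not cleared
    chal = cloud.challenge(alice)
    print(cloud.read(alice, "/hr/payroll.csv", second_factor_response(alice, chal)).decode())
```

The point a practitioner should take from the sample is that an attacker who copies MDS2's on-disk records (or MDS1's) gets no chunk locations for sensitive files, that the challenge is consumed on first use so a captured response cannot be replayed, and that a bit flip in the sealed record is rejected by the tag check before any decryption happens.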
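The write path described above (buffer, security-auditing module, classification-write module), as an added example that is not the paper's code; it also covers the security-audit steps Section III.B below spells out: a content filter that refuses data already present in the store and keeps a write-ahead backup before an existing file is modified, virus detection behind a pluggable scanner interface (here a signature scanner with one constructed demo signature standing in for the enterprise anti-virus engine), and a classification policy library whose first matching rule decides whether the file's metadata is recorded on MDS1 or on the protected MDS2. The rule set, the signature, the sample paths and the class names are all this example's assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Constructed demo signature; a deployment plugs the real anti-virus engine in
# behind the same scan() interface.
DEMO_SIGNATURES = [("Demo.TestSample", b"DEMO-MALWARE-SIGNATURE-0001")]


@dataclass
class AuditResult:
    accepted: bool
    reason: str
    target_mds: Optional[str] = None  # "mds1" (ordinary) or "mds2" (protected)
    backup_made: bool = False


class SignatureScanner:
    """Minimal stand-in for the anti-virus interface: name of the first hit, or None."""

    def __init__(self, signatures: List[Tuple[str, bytes]]):
        self.signatures = list(signatures)

    def scan(self, data: bytes) -> Optional[str]:
        for name, sig in self.signatures:
            if sig in data:
                return name
        return None


# Classification policy library (assumed rules): ordered, first match wins.
Rule = Callable[[str, bytes], bool]
POLICY: List[Tuple[str, Rule]] = [
    ("sensitive", lambda path, data: path.startswith(("/hr/", "/finance/"))),
    ("sensitive", lambda path, data: b"CONFIDENTIAL" in data[:256]),
    ("ordinary", lambda path, data: True),
]


def classify_write(path: str, data: bytes) -> str:
    for label, rule in POLICY:
        if rule(path, data):
            return label
    return "ordinary"


@dataclass
class SecureWriter:
    scanner: SignatureScanner
    files: dict = field(default_factory=dict)    # path -> content (the storage system)
    by_hash: dict = field(default_factory=dict)  # sha256 -> path, for the repetition check
    backups: dict = field(default_factory=dict)  # path -> earlier versions (write-ahead backup)
    mds1: dict = field(default_factory=dict)     # metadata of ordinary files
    mds2: dict = field(default_factory=dict)     # metadata of sensitive files (protected server)
    buffer: dict = field(default_factory=dict)   # path -> data waiting for audit

    def write(self, path: str, data: bytes, owner: str) -> AuditResult:
        self.buffer[path] = data  # (1) user data lands in the buffer first
        digest = hashlib.sha256(data).hexdigest()

        # (2a) content filtration: refuse data that is already in the store
        holder = self.by_hash.get(digest)
        if holder is not None and holder != path:
            self.buffer.pop(path)
            return AuditResult(False, f"repetition of {holder}")

        # (2b) virus detection on the buffered data, before anything is touched
        hit = self.scanner.scan(data)
        if hit is not None:
            self.buffer.pop(path)
            return AuditResult(False, f"virus detected: {hit}")

        # (2c) content filtration: back up an existing file before it is modified
        backup = False
        if path in self.files and self.files[path] != data:
            self.backups.setdefault(path, []).append(self.files[path])
            self.by_hash.pop(hashlib.sha256(self.files[path]).hexdigest(), None)
            backup = True

        # (3) classification-write: metadata goes to MDS1 or to the protected MDS2;
        #     an overwrite may change the class, so the stale entry is dropped.
        label = classify_write(path, data)
        target = "mds2" if label == "sensitive" else "mds1"
        self.mds1.pop(path, None)
        self.mds2.pop(path, None)
        (self.mds2 if target == "mds2" else self.mds1)[path] = {
            "path": path, "sha256": digest, "size": len(data), "owner": owner}
        self.files[path] = self.buffer.pop(path)
        self.by_hash[digest] = path
        return AuditResult(True, f"written as {label}", target_mds=target, backup_made=backup)


def build_writer() -> SecureWriter:
    return SecureWriter(SignatureScanner(DEMO_SIGNATURES))


if __name__ == "__main__":
    w = build_writer()
    # Constructed sample writes, one per audit decision.
    for path, data in [
        ("/pub/readme.txt", b"Welcome to the campus cloud."),
        ("/pub/readme-copy.txt", b"Welcome to the campus cloud."),            # repetition
        ("/hr/payroll.csv", b"name,salary\nalice,5200\n"),                    # sensitive by path
        ("/pub/memo.txt", b"CONFIDENTIAL: merger talks next week"),           # sensitive by content
        ("/tmp/installer.exe", b"MZ" + b"DEMO-MALWARE-SIGNATURE-0001"),       # virus
        ("/pub/readme.txt", b"Welcome to the campus cloud (v2)."),            # overwrite -> backup
    ]:
        print(path, w.write(path, data, "alice"))
```

Order matters in the audit: the virus scan runs before the write-ahead backup so a rejected write never spends storage on a backup, and the repetition check is keyed on the content hash of what is currently stored, so once a file is overwritten its old content may legitimately be uploaded again under another name.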
Figure 3. Client access mode of the secure-cloud storage system

III. KEY TECHNOLOGIES OF THE SYSTEM

A. The metadata protection of sensitive data based on distributed storage

At present, most enterprise network large-scale storage systems use distributed data storage technology to store files on different storage nodes, while the files' metadata (index and content abstract information) are stored on specialized metadata servers. This facilitates the management, access and retrieval of massive data files.

Currently, we have successfully developed a "massive fixed-content storage system" and a "network storage system merging NAS and SAN". Both products are cloud-based mass storage systems whose key technology is the development and implementation of a global distributed file system and a metadata management system. Our study builds on these existing achievements and technological advantages in distributed storage, and achieves the goal of protecting sensitive data by using different protection methods for different metadata servers in the private cloud.

The protection principle for sensitive data in the private cloud is as follows: the metadata of ordinary data files is stored on metadata server 1; the metadata of sensitive data files is stored on metadata server 2, which is protected by measures such as file encryption, security authentication and access control. It is difficult for unauthorized users to obtain the metadata of sensitive data files from metadata server 2, so they cannot locate or access the sensitive data files, which are distributed over multiple storage nodes, and the sensitive data files are thereby protected.

The metadata protection of sensitive data files based on distributed storage technology has the following advantages:

(1) It greatly improves the efficiency of information protection: the core of the technique is to protect the original files by protecting their metadata, which amounts to only about 1% of the content of the original files. This greatly improves the efficiency of protection and makes the implementation of more advanced and complex protection possible.

(2) It enhances the security of information protection: protecting the original file through the protection of its metadata file actually implements dual protection.

(3) The system has lower cost and good scalability. As distributed storage is the main form of mass information storage in the private cloud, we only need to store and protect metadata files hierarchically in existing private cloud storage systems, without adding much investment (we do not need to implement protection on all server nodes, and only focus on protecting metadata server 2). Also, scaling the system out does not affect the security of the sensitive data files.

(4) It can easily be transplanted to WAN distributed storage environments such as cloud computing and cloud storage.

B. The implementation of security audit

Content filtration, virus detection and write-classification strategies are the key problems of security audit. The core of content filtration is to prevent malicious tampering and to avoid writing repeated data to the storage system. Content filtration mostly monitors modifications of existing files, which includes write-ahead automatic backup of the existing files and reducing repeated writes of the same data to the storage system. Virus detection mainly scans the buffered data written by users so as to ensure the security of the entire storage system; in the secure intranet storage system, we provide common interfaces for compatibility with existing anti-virus software. The core of the write-classification strategy is the design of the classification policy library, with the help of which the metadata of an uploaded file is stored to the metadata servers according to its classification. In private cloud storage systems, the classification strategies need to adapt to the actual situation.

IV. MEASUREMENT AND ANALYSIS OF I/O PERFORMANCE

A. Measurement environment

The main purpose of the tests is to assess the performance effects of the security modules on the private cloud storage system. The performance tests are divided into two groups. In the first group, we use IOMeter 2006.07.27.win32.i386, developed by Intel, to test the system I/O performance, and use FTP software to test the speeds of file uploads and downloads. IOMeter is a very powerful I/O benchmark which includes a load generator (called a Worker) and offers a range of standard components to simulate actual applications such as a Web server, a file server and an OLTP (Online Transaction Processing) server. These test components can produce input and output requests with different sizes and read/write distributions to simulate the behavior of real applications; in the second group we test
overall system performance with bonnie++ 1.03, which tests character read/write, block read/write, sequential file creation, random file creation, random file deletion, etc. The test environment configuration is shown in Table I and Figure 4. Host 1 is the client which sends I/O requests, Host 2 acts as both application server and storage server, and Host 3 acts as the metadata server. Host 2 is loaded with the various software modules we developed, while Host 3 is installed with the metadata management system we developed.

TABLE I. EXPERIMENT CONFIGURATIONS

        CPU                        Memory  OS
Host 1  Intel Pentium 4 3.0 GHz    1 GB    Windows XP
Host 2  Intel Pentium dual-core    2 GB    Linux 9.0
Host 3  Intel Pentium dual-core    2 GB    Linux 9.0

        Hard disk           NIC/HBA            Hard disk RAID
Host 1  Maxtor 250G (ATA)   AGE-1000SX (NIC)   Maxtor 250G (ATA)
Host 2  ST318437LW (SCSI)   AGE-1000SX (NIC)   ST318437LW (SCSI), FC-RAID
Host 3  ST318437LW (SCSI)   AGE-1000SX (NIC)   ST318437LW (SCSI)

Figure 4. The configuration of the experiment

The performance testing of the private cloud storage system mainly compares the I/O performance of security file servers with that of common file servers. The results are shown in Fig. 6, Fig. 7 and Fig. 8, in which FS represents ordinary file servers, while SFS represents security file servers on which our security modules are installed. Figure 7 shows that the ordinary file server's I/O speed reaches up to 35.9 MB/s, while the security server reaches up to 28.6 MB/s, a reduction of about 20%. This illustrates that the security modules affect the system I/O performance to a certain extent, mainly through the effects of authentication, I/O request classification and security auditing. In this test, all read and write requests were issued against ordinary data, so the I/O performance for sensitive data has not been fully considered. From the experimental results we can see that the security system's impact on the performance of the whole storage system is acceptable.

In addition, we use bonnie++ 1.03 to compare the I/O service performance of the common server and the security server. The security system's impact on FTP server upload speeds is relatively large, slowing uploads by 23.5% to 29.5%, while the impact on download speeds is small. The main reason is that in the security system, writes and uploads need to go through the cache, content filtering and virus detection, so the security server is slower than an ordinary file server. However, this is still acceptable in practical applications for security considerations.

V. CONCLUSION

From the trial results of the prototype system, the advantages of the cloud storage system include the following: (1) it can ensure the security of data within the private enterprise cloud, achieving dual protection for sensitive data within the private enterprise cloud; (2) as the system uses content-based storage methods, intranet users can access required files much faster and download files more conveniently, which enhances their learning initiative on the cloud; (3) it uses content-based data detection technology, significantly reducing repeated data in the storage system and thus saving storage space in the private cloud storage system.

The developed secure-cloud storage system is in the trial, improvement and refinement stage, and needs to go through a process of continuous improvement. Next, after further trial use in many enterprises and fixing of the bugs found, we will gradually introduce our products to more schools and enterprises. This project is therefore expected to create good social and economic benefits.

ACKNOWLEDGMENT

This work is supported by the National Natural Science Foundation of P. R. China under Grant No. 61070154 and by the Science & Technology Program of Shanghai Maritime University, No. 20010014.