
The study and design on secure-cloud storage system

Liu Hao
Department of Computer, Xingyang Agricultural College
Xingyang, Henan, China
e-mail: dezhihan88@sina.com.cn

Dezhi Han
Shanghai Maritime University, Shanghai, China
South China University of Technology, Guangdong, China
e-mail: han_dezhi88@tom.com.cn

978-1-4244-8165-1/11/$26.00 ©2011 IEEE

Abstract—For the security issue in cloud storage systems, we design a cloud security storage system (CSSS for short). First, the CSSS integrates information isolation, access control, virus detection, metadata safeguarding of crucial data and fast retrieval; second, with the help of a connect control interface, authorized users can safely access the data in the CSSS. This system can provide a solid foundation for data protection and multilevel storage in a private enterprise cloud. Trial results show that the system can ensure data security in a cloud storage system with few side effects on the I/O performance of the network.

Keywords-distributed file system; cloud storage security; metadata safeguard of crucial data; cloud controller

I. INTRODUCTION

Cloud computing is one of the most active application areas for enterprises, and it is increasingly accepted by enterprises that can take advantage of its low cost, fast deployment and elastic scaling. With the pace of enterprise informatization, huge amounts of data are generated and dispersed across the Internet all around the world. Storing that data safely and inexpensively has become a great challenge. Amazon S3 (Simple Storage Service), the leader in cloud storage services, provides strong data storage. However, when using S3, enterprise users have to design their own encryption and decryption modules for their cloud applications. That leads to another problem: access control and a discriminating structure for data. With the prevalence of cloud computing, the issue of how to store data safely and efficiently in the cloud is becoming an important research topic.

This paper first introduces the concept of cloud computing and related knowledge to raise the point of data security, that is, how to save data safely in the cloud. On that basis, the paper conducts in-depth research on the security issue of cloud data storage and designs a prototype system for private cloud storage, which integrates private cloud data protection including access control, I/O classification, metadata protection for sensitive data, virus detection, content filtration, real-time backup and rapid information retrieval, providing a foundation for graded data storage and protection in private cloud storage systems for enterprises.

II. ARCHITECTURE OF THE SECURE-CLOUD STORAGE SYSTEM

A. Software architecture of the secure cloud data storage system

For the security problems of the data storage system in the private enterprise cloud, we conduct research on testing and implementing private cloud storage security with the help of the local area networks of a cooperating enterprise and our campus, so as to find effective solutions for the security problems of cloud data storage from both theory and implementation. We also assess the private cloud storage system's security requirements and risk level to seek a balance between security and performance, and to ensure that the new system runs effectively and safely with little effect on system performance. On this basis, we design and realize the prototype of the private cloud security storage system shown in Figure 1. The prototype system consists of a connect interface, a distributed file system, an access control module, a security-auditing module and a classification-write module. The access control module contains a request-classification submodule, a read-processing submodule and a write-preprocessing submodule. The request-classification submodule sends valid read requests to the read-processing submodule and valid write requests to the write-preprocessing submodule. The read-processing submodule sends ordinary read requests directly to the storage system, which sends the data response to the user via the server; read requests for sensitive data (crucial data) go through special treatment, such as secondary authentication of metadata access and encryption of metadata. Data written by users are first stored in a buffer and then processed by the security-auditing module and the classification-write module before being written into the storage system. The security-auditing module takes charge of content detection (filtration) and virus detection. The classification-write module writes ordinary data directly into the storage system and applies special protection to the metadata of sensitive data (namely sending it to a dedicated metadata server after encryption), so as to achieve dual protection of important data.

The read flow of the private cloud storage system is: (1) the user sends I/O requests from the terminal; the connect control interface confirms the user's access authority and carries out authentication, authorization management and the security check; (2) the I/O requests arrive at the access control module, where the request-classification submodule extracts the read requests; (3) the read requests arrive at the read-processing submodule: for ordinary data the metadata are read directly, while for sensitive data the metadata undergo special treatment (the second authentication of user identity and decryption); (4) read requests for ordinary data get their response; (5) read requests for sensitive data get their response.

Figure 1. Software architecture

The write flow of the private cloud storage system is: (1) the user sends I/O requests from the terminal; the connect control interface confirms the user's access authority and carries out the authentication; (2) the I/O requests arrive at the access control module, where the request-classification submodule extracts the write requests; (3) the write requests arrive at the write-preprocessing submodule; (4) the write data are stored in the buffer; (5) the data in the buffer go through content detection and virus detection; (6) after security auditing, the data are processed by the classification-write module; (7) ordinary data are sent directly to the storage system after their metadata are extracted; (8) sensitive data files are sliced and stored on multiple storage nodes, and their metadata are stored on a dedicated server after encryption.

B. Service architecture of cloud storage

The service architecture of the cloud data storage system consists of a server cluster (application server and metadata server), storage devices and various network devices. Users can access the system in B/S, C/S or iSCSI (intranet users) modes; its structure is shown in Figure 2. Unprivileged users can read but not write. Read requests are divided into two types: ordinary data reads and sensitive data reads. The metadata of sensitive data, which are protected particularly, undergo special treatment such as the second authentication and decryption of metadata access. When users upload files to the data storage system, the file data are cached in the buffer pool (a dedicated storage server or storage device), pass content detection (filtration) and virus detection, and are then classified and written into the storage system: ordinary data are written into the storage system directly and their metadata are stored on a common metadata server; sensitive data (key data) are sliced and stored on different storage nodes, and their metadata get special protection, such as storage on a dedicated metadata server with encryption. All users of the system must first register and then access system information with the permissions assigned by the system administrator. The following modules are installed on the application server: the distributed file system (used to provide connect interfaces, authentication and authorization management and the security check), the classification-processing module, the content detection module, the virus detection module, the classification-write module and the content retrieval module. Metadata servers are divided into the ordinary data metadata server and the sensitive data metadata server, which stores the encrypted metadata of sensitive data. Storage devices include iSCSI devices, NAS devices and storage devices based on Fibre Channel (FC).

[Figure 2: diagram not recoverable from the extraction; its labels read Storage Virtualization, Request classification, Network Security, Network Connect, Authentication, Authorization, Clients, Storage System]
Figure 2. Service architecture of cloud storage

The client access mode of the private cloud storage system is shown in Figure 3. Remote users do not need to install any client software: if a user holds the required access authority, he or she can directly access the information of the private cloud storage system through a browser. Users in the same LAN access information from the storage system in B/S or C/S mode. The distributed file system includes a variety of access interfaces, authentication and information retrieval; the access control module includes one-way read/write buffering and can be built as a one-way gatekeeper. For information retrieval, data mining technology is used to research classification rules and feature extraction, integrated with rapid information retrieval algorithms. System performance optimization includes cache management (multilevel cache, storage device cache, server cache and client cache), intelligent prefetching and a high-availability module.
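The write and read flows of section II.A, together with the classification-write step and the encrypted sensitive-data metadata server, modelled as a small Python simulation. This is an added example, not the paper's prototype code: the policy library (file-name prefixes), the anti-virus stub, the slice count and the toy HMAC-based metadata cipher are all assumptions, and the sample files are constructed.

```python
import hashlib, hmac, json

# Constructed demo key for metadata server 2 and an assumed policy library (name prefixes);
# the paper leaves the classification rules and the cipher to each deployment.
META_KEY = b"constructed-demo-key-for-metadata-server-2"
SENSITIVE_PREFIXES = ("hr/", "finance/")
NODES = 3  # storage nodes that a sensitive file is sliced across (assumed)

def classify(name):
    return "sensitive" if name.startswith(SENSITIVE_PREFIXES) else "ordinary"

def virus_scan(data):
    # Stub for the anti-virus interface: flags a constructed marker string only.
    return b"VIRUS-MARKER" in data

def crypt(data):
    # Toy XOR stream cipher keyed by HMAC-SHA256(counter); symmetric, so encrypt == decrypt.
    stream = b"".join(hmac.new(META_KEY, i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class CSSS:
    def __init__(self):
        self.storage, self.meta1, self.meta2 = {}, {}, {}  # ordinary store, metadata server 1, 2
        self.nodes = [{} for _ in range(NODES)]              # storage nodes for sliced data
        self.seen = set()                                     # content digests, repetition filter

    def write(self, name, data):
        """Write flow: buffer -> security audit (virus + content filtration) -> classification-write."""
        if virus_scan(data):
            return "rejected: virus"
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.seen:
            return "rejected: duplicate"          # content filtration: no repeated data written
        self.seen.add(digest)
        if classify(name) == "ordinary":
            self.storage[name] = data
            self.meta1[name] = {"size": len(data), "sha256": digest}
            return "ordinary"
        # Sensitive: slice across storage nodes, store only encrypted metadata on server 2.
        step = max(1, -(-len(data) // NODES))
        slices = [data[i:i + step] for i in range(0, len(data), step)]
        for i, s in enumerate(slices):
            self.nodes[i % NODES][f"{digest}:{i}"] = s
        meta = {"size": len(data), "sha256": digest, "slices": len(slices)}
        self.meta2[name] = crypt(json.dumps(meta).encode())
        return "sensitive"

    def read(self, name, second_auth=False):
        """Read flow: ordinary metadata read directly; sensitive data need the second authentication."""
        if name in self.meta1:
            return self.storage[name]
        if name not in self.meta2 or not second_auth:
            return None                           # unknown file, or no secondary authentication
        meta = json.loads(crypt(self.meta2[name]))
        return b"".join(self.nodes[i % NODES][f"{meta['sha256']}:{i}"]
                        for i in range(meta["slices"]))
```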

Figure 3. Client access mode of the secure-cloud storage system

III. KEY TECHNOLOGIES OF THE SYSTEM

A. The metadata protection of sensitive data based on distributed storage

At present, most large-scale enterprise network storage systems use distributed data storage technology to store files on different storage nodes, while the files' metadata (index and content abstract information) are stored on specialized metadata servers. This facilitates the management, access and retrieval of massive numbers of data files.

We have already developed a "massive fixed-content storage system" and a "network storage system merging NAS and SAN". Both products are cloud-based mass storage systems whose key technology is the development and implementation of a global distributed file system and a metadata management system. Our study builds on these existing achievements and technological advantages in distributed storage, and achieves the goal of protecting sensitive data by using different protection methods for the different metadata servers in the private cloud.

The protection principle for sensitive data in the private cloud is: the metadata of ordinary data files are stored on metadata server 1; the metadata of sensitive data files are stored on metadata server 2, which is protected by measures such as file encryption, security authentication and access control. It is difficult for unauthorized users to obtain the metadata of sensitive data files from metadata server 2, so they cannot access the sensitive data files distributed across multiple storage nodes, which achieves the purpose of protecting sensitive data files.

The metadata protection of sensitive data files based on distributed storage technology has the following advantages:
(1) It greatly improves the efficiency of information protection: the core of the technique is to protect the original files by protecting their metadata, which take only 1% of the content of the original files. This greatly improves the efficiency of protection and makes the implementation of more advanced and complex protection possible.
(2) It enhances the security of information protection: protecting the original files through the protection of their metadata files actually implements dual protection.
(3) The system has lower cost and good scalability. As distributed storage is the main form of mass information storage in the private cloud, we only need to store and protect metadata files hierarchically in the existing private cloud storage systems, without adding much investment (we do not need to implement protection on all server nodes, and only focus on protecting metadata server 2). Also, scaling the system does not affect the security of sensitive data files.
(4) It can easily be transplanted to WAN distributed storage environments such as cloud computing and cloud storage.

B. The implementation of security audit

Content filtration, virus detection and write-classification strategies are the key problems of security audit. The core of content filtration is to prevent malicious tampering and to avoid writing repeated data to the storage system. Content filtration mostly monitors modification of existing files, which includes write-ahead automatic backup of the existing files and reducing the writing of repeated data to the storage system. Virus detection mainly scans the buffered data written by users so as to ensure the security of the entire storage system; in the secure-intranet storage system we provide common interfaces for compatibility with existing anti-virus software. The core of the write-classification strategy is the design of the classification policy library, with the help of which the metadata of an uploaded file are stored on the metadata servers according to the file's classification. In private cloud storage systems, the classification strategies need to adapt to the actual situation.

IV. MEASUREMENT AND ANALYSIS OF I/O PERFORMANCE

A. Measurement environment

The main purpose of testing is to assess the performance effects of the security modules on the private cloud storage system. The performance tests are divided into two groups. In the first group, we use IOMeter 2006.07.27.win32.i386, developed by Intel, to test the system I/O performance, and use FTP software to test the speeds of file uploads and downloads. IOMeter is a very powerful I/O benchmark which includes a load generator (called a Worker) and offers a range of standard components to simulate actual applications such as a Web server, a file server and an OLTP (Online Transaction Processing) server. These test components can produce input and output requests with different sizes and read/write distributions to simulate the behavior of real applications. In the second group we test overall system performance with bonnie++ 1.03, which tests character read/write, block read/write, sequential file creation, random file creation, random file deletion, etc. The test environment configurations are shown in Table 1 and Figure 4. Host 1 is the client which sends I/O requests, Host 2 acts as both application server and storage server, and Host 3 acts as the metadata server. Host 2 is loaded with the various software modules we developed, while Host 3 is installed with the metadata management system we developed.

TABLE I. EXPERIMENT CONFIGURATIONS

        CPU                        Memory   OS
Host 1  Intel Pentium4 3.0         1GB      Windows XP
Host 2  Intel Pentium dual-core    2GB      Linux 9.0
Host 3  Intel Pentium dual-core    2GB      Linux 9.0

        Hard disk                  NIC/HBA             Hard disk RAID
Host 1  Maxtor 250G (ATA)          AGE-1000SX (NIC)    Maxtor 250G (ATA)
Host 2  ST318437LW (SCSI)          AGE-1000SX (NIC)    ST318437LW (SCSI), FC-RAID
Host 3  ST318437LW (SCSI)          AGE-1000SX (NIC)    ST318437LW (SCSI)

Figure 4. The configuration of the experiment

The performance testing of the private cloud storage system mainly compares the I/O performance of security file servers with that of common file servers. The results are shown in Fig. 6, Fig. 7 and Fig. 8, in which FS represents ordinary file servers, while SFS represents security file servers on which our security modules are installed. Figure 7 shows that the I/O speed of the ordinary file server is up to 35.9MB/s, while the security server reaches up to 28.6MB/s. This illustrates that the security modules affect the system I/O performance to a certain extent, mainly through the effects of certification, I/O request classification and security auditing. In this test, we set all read and write requests to ordinary data, so the I/O performance for sensitive data has not been fully considered. From the experimental results we can see that the security system's impact on the performance of the whole storage system is acceptable.

In addition, we use bonnie++ 1.03 to compare the I/O service performance of the common server and the security server. The security system's impact on FTP server upload speeds is relatively large, a slowdown of 23.5% ~ 29.5%, while the impact on download speeds is small. The main reason is that in the security system, writes and uploads have to go through the cache, content filtering and virus detection, so the security server is slower than an ordinary file server. However, this is still acceptable in practical applications given the security gained.

V. CONCLUSION

From the trial results of the prototype system, the advantages of the cloud storage system include the following: (1) it can fully guarantee data security within the private enterprise cloud, achieving dual protection for sensitive data within the private enterprise cloud; (2) as the system uses content-based storage methods, intranet users can access required files much faster, download files more conveniently, and enhance their learning initiative on the cloud; (3) it uses a content-based data detection technology that significantly reduces repeated data in the storage system, thus saving storage space in the private cloud storage system.

The developed secure-cloud storage system is in its trial, improvement and refinement stage and needs to go through a process of continual improvement. Next, after further trial use in many enterprises and fixing of the bugs found, we will gradually introduce our products to more schools and enterprises. This project is therefore expected to create good social and economic benefits.

ACKNOWLEDGMENT

This work is supported by the National Natural Science Foundation of P. R. China under Grant NO 61070154 and by the Science & Technology Program of Shanghai Maritime University NO.20010014.
