Case Study on

“Data Storage Security in Private Cloud”

Submitted By

Ayush Kumar BETB42

Aditya Katyarmal BETB36

UNDER THE GUIDANCE OF

Mrs. Vaishali Biradar

IN PARTIAL FULFILLMENT OF

B.E. (ELECTRONICS & TELECOMMUNICATION)

DEGREE OF SAVITRIBAI PHULE PUNE UNIVERSITY

OCT/NOV-2022

DEPERTMENT OF ELECTRONICS &

TELECOMMUNICATION ENGINEERING

Dr. D. Y. Patil Unitech Society’s

DR. D.Y.PATIL INSTITUTE OF TECHNOLOGY,
PIMPRI, PUNE – 411018

1|Case Study
 INDEX

Sr.No. Chapter No. Page No.

1. ABSTRACT 3
2. INTRODUCTION 4

3. METHOLOGY 9
4. RESULT 11
5. CONCLUSION 11

Figures

Table No. Table Name Page No.

1 Threats to Cloud Computing 6

2 Basic Cryptography Process 9

3 Block Cipher Mechanism 9

4 Stream Cipher Mechanism 10

5 Cryptographic Hash Function Mechanism 10

2|Case Study
 ABSTRACT

Cloud services are becoming an essential part of many organizations. Cloud providers have to adhere
to security and privacy policies to ensure their users' data remains confidential and secure. Though
there are some ongoing efforts on developing cloud security standards, most cloud providers are
implementing a mish-mash of security and privacy controls. This has led to confusion among cloud
consumers as to what security measures they should expect from the cloud services, and whether these
measures would comply with their security and compliance requirements. We have conducted a
comprehensive study to review the potential threats faced by cloud consumers and have determined
the compliance models and security controls that should be in place to manage the risk. Based on this
study, we have developed an ontology describing the cloud security controls, threats and compliances.
We have also developed an application that classifies the security threats faced by cloud users and
automatically determines the high-level security and compliance policy controls that have to be
activated for each threat. The application also displays existing cloud providers that support these
security policies. Cloud consumers can use our system to formulate their security policies and find
compliant providers even if they are not familiar with the underlying technology.

3|Case Study
 INTRODUCTION

While cloud based solutions are attractive for their cost savings and rapid provisioning/scaling;
privacy and security of cloud data remains a concern for most consumers and a key barrier in adoption
of the cloud. In recent years, various cloud security standards have been proposed or are being
developed by standards bodies like Cloud Security Alliance (CSA, International Organization for
Standards (ISO) , National Institute for Standards and Technology (NIST) etc. Most cloud providers
are implementing a mish-mash of security and privacy controls. This has led to confusion and concern
among consumers as to what security measures they should expect from the cloud services and what
compliance policies to adopt for their enterprise data on the cloud.
This case study will have Two Sections:
I. PRIVATE CLOUD BASED SECUIRTY RISKS
II. THREATS TO CLOUD COMPUTING & PROTECTION SECURITY COMPLAINCE
METHODS

I. PRIVATE CLOUD BASED SECUIRTY RISKS

In this section we discuss the key security risks that affect private cloud security.
1. Interruptions: Hardware problems happen. Even in high availability environments, sporadically
you may encounter an interruption in the contracted cloud services.
Server failures, human errors, malware, intrusions, or hardware/software updates can always cause
unforeseen collateral damage.
Some cloud storage services have additional security features that can be contracted to prevent data
loss, but interruptions can happen at any time, even in IT infrastructures with no prior history of
problems
2. Data Security: The majority of companies that use the cloud think that protecting their data is the
responsibility of their cloud providers.
However, this is not the case, cloud service providers only cover the security of the cloud itself, but
do not protect customer data, nor the use of their infrastructure and platforms by customers
Companies are thus faced with the need to take charge of the security of their data, and possibly
that of their customers, in the cloud.
3. Internal Threats: Controlling data in the cloud also depends on the ability of organizations to
control who can access it.
Most threats to data hosted in the cloud come from compromised and internal accounts.

4|Case Study
 The employees, business partners, and contractors you trust can be some of your potential security
risks.
4. Lack of Technical Support: Whether in your IT infrastructure or when hiring any cloud service,
unforeseen events will always be part of everyday life.
With private cloud solutions hosted in-house, IT needs to take responsibility and manage the private
cloud. For external solutions, private cloud offerings are generally more expensive than a public
cloud.
An internal expertise resource is needed for handling deployment over a private cloud.
If not available within the organization, it is unable to control it and therefore to secure as well. The
consequences can be manifold.
5. Compliance & Regulation: Conditions for managing compliance & regulations via on-premise
hardware are usually more distinct than in the cloud.
Nevertheless, it requires a considerable amount of time and is also costly to do so. Therefore,
forcing a company to hire a team that’s well aware of compliance and regulations.
6. Improper Configuration: Improper configuration is always a security risk as it can put make the
cloud vulnerable against various attacks.
This can cause data to be publicly exposed, manipulated, or even deleted.
The business’s outcomes may vary depending on the nature of the misconfiguration, especially the
pace with which it is detected.

II. THREATS TO CLOUD COMPUTING & PROTECTION SECURITY COMPLAINCE METHODS

We analyzed the security threats faced by cloud consumers. We related them to the security controls
and compliance models that protect from these threats (Table 1). The key threats to cloud security
include:
1. Data breaches: affect the confidentiality of data and eventually the organization. Data encrypted so
that even if it is stolen, the attacker cannot use it.
2. Inadequate Identity and Access Management: Attacks and security breaches can also result from
non-usage of multifactor authentication, lack of ongoing automated rotation of cryptographic keys
and certificates, as well as weak password usage.
3. Insecure APIs: As Application Programming Interfaces (APIs) enable the provisioning,
management and monitoring of cloud services, their security is of prime importance. The interfaces
must be designed to prevent any malicious efforts pertaining to authentication, access control,
encryption and activity monitoring.

5|Case Study
4. System Vulnerabilities: Attackers can infiltrate and take control of the systems in addition to
disrupting the service operations, utilizing the system vulnerabilities or exploitable bugs. To reduce
the security gaps and mitigate the damage caused by system vulnerabilities, installation of security
patches or upgrades, regular vulnerability scanning and following up on reported system threats are
mandatory.

Fig.1: Threats To Cloud Computing

5. Account or Service Hijacking : Service hijacking includes attack methods such as phishing, fraud
and exploitation of software vulnerabilities that enable attackers to misuse the account access, steal
data, impact cloud services and systems, and damage the overall reputation.Wherever possible,
organizations should prohibit the sharing of account credentials among users and leverage strong
two-factor authentication techniques.

6|Case Study
6. Malicious Insider Threats: are people within the organization who can access and misuse the data.
Legal action is advised for this type of threat.
7. Advanced Persistent Threats (APTs): Advanced Persistent Threats (APTs) steal data and
Intellectual Property (IP) by infiltrating the IT systems of target companies. The common points of
entry for APTs are spear-phishing, direct hacking systems and use of unsecured or third-party
networks.Though APTs are difficult to detect and eliminate, they can be restricted with proactive
security measures.
8. Malware Injection: Malware injection attacks are becoming a major security concern in cloud
computing. These are malicious scripts or code that enable attackers to eavesdrop, steal data and
compromise the integrity of sensitive information.
9. Data Loss: Data loss can occur because of multiple reasons such as a catastrophe like fire or
earthquake, or even accidental deletion by the CSP. To avert this, both the providers and the users
need to ensure proper data backup measures and follow the best practices pertaining to disaster
recovery and business continuity.
10. Insufficient Due Diligence: Organizations need to perform the necessary due diligence and
develop a proper roadmap before adopting cloud technologies and selecting the cloud providers,
failing which they might be exposed to several security risks.
11. Poor IP Protection : Safeguarding IP demands the highest encryption and security protocols. In
addition to identification and classification of IP for determining potential security risks,
vulnerability assessment and appropriate encryption must be carried out.
12. Abuse of Cloud Services: Malicious attacks can also result from issues such as unsecured cloud
service deployments, fraudulent account sign-ups and free cloud service trials. Large-scale
automated click fraud, hosting of malicious or pirated content, launching distributed DoS attacks,
phishing campaigns and email spam are some of the examples of cloud-based resource misuse.
13. DoS Attacks: Denial-of-Service (DoS) attacks cause the consumption of disproportionately large
amounts of system resources including memory, disk space, network bandwidth and processor
power by the targeted cloud services, thereby preventing the users from accessing their data and
applications.
14. Vulnerabilities Caused by Shared Technology: CSPs deliver scalable services by sharing
infrastructure, applications and platforms without substantial alterations to the off-the-shelf
hardware and software.If the underlying components such as CPU caches and GPUs do not offer
strong isolation properties for a multitenant architecture (IaaS), multi-customer applications (SaaS)
or redeployable platforms (PaaS), it could lead to shared technology vulnerabilities.

7|Case Study
15. Communication with CSPs: Customers need to define the exact security requirements in the
Service Level Agreements (SLAs) with CSPs. They can use the CSA Security, Trust and Assurance
Registry (CSA STAR) as a reference for understanding the security controls offered by CSPs. CSPs
also need to provide details on how they protect multi-tenant boundaries and ensure PCI and
Federal Information Security Management Act (FISMA) compliance.

Type of Threat Recommended Security Compliance Model

STIG [13], FedRAMP [5], DMTF- CADF[25], ISO-27001[15],
Data Breaches FIPS 140-2[19], PCI DSS [29], ISO 27002[14], HIPAA[17],
SOX[22]
STIG [13], FedRAMP [5], DMTF- CADF [25], FIPS 140-2 [19],
Data Loss
PCI DSS [29], ISO 27002[14], HIPAA[17], SOX[22]
Account or Service STIG [13], FedRAMP [5], DMTF-OVF [25], ISO- 27002[14], FIPS
Hijacking 140-2[19], NIST 800- 61[30], ISO 17799[24]
Insecure OASIS and OVF, DMTF-CADF [25], ISO 27002[14], FIPS 140-
interfaces/API 2[19]
PCI DSS, ISO 27001[15], HIPAA[17], SOX[22], NIST 800-61[30],
Denial of Services
ISO 17799[24]
Malicious insiders ISO 27002[14], FIPS 140-2[19], Vaultive[12], FedRAMP[5]
Abuse of cloud
NIST 800-61[30], ISO 17799[24], NIST 800- 50 [27]
services
Insufficient due
EDRM[21], NIST 800-61[30]
diligence
Table 1: Recommendation of Security compliance model based on security threat

8|Case Study
 METHOLOGY

Data security in cloud computing can be achieved by encryption of data. Different cryptographic
techniques are used for encrypting the data these days. Cryptography has increased the level of
data protection for assuring content integrity, authentication, and availability. In the basic form
of cryptography, plaintext is encrypted into cipher text using an encryption key, and the resulting
cipher text is then decrypted using a decryption key as illustrated in Fig 2.

Fig 2: Basic Cryptography Process

Normally there are four basic uses of cryptography:
A. Block Ciphers : A block cipher is an algorithm for encrypting data (to produce cipher text) in
which a cryptographic key and algorithm are applied to a block of data instead of per bit at a
time. In this technique, it is made sure that similar blocks of text do not get encrypted the same
way in a message. Normally, the cipher text from the previous encrypted block is applied to the
next block in a series. As illustrated in Fig 3, the plain text is divided in to blocks of data, often
64 bits. These blocks of data are then encrypted using an encryption key to produce a cipher
text.

Fig 3: Block Cipher Mechanism

B. Stream Ciphers : This technique of encrypting data is also called state cipher since it depends
upon the current state of cipher. In this technique, each bit is encrypted instead of blocks of
data. An encryption key and an algorithm is applied to each and every bit, one at a time.
9|Case Study
 Performance of Stream ciphers is normally faster than block ciphers because of their low
hardware complexity. However, this technique can be vulnerable to serious security problems
if not used properly.

Fig 4: Stream Cipher Mechanism

As illustrated in Fig 4, stream cipher uses an encryption key to encrypt each bit instead of
block of text. The resultant cipher text is a stream of encrypted bits that can be later decrypted
using decryption key to produce to original plain text.
C. Hash Functions: In this technique, a mathematical function called a hash function is used to
convert an input text in to an alphanumeric string. Normally the produced alphanumeric string
is fixed in size. This technique makes sure that no two strings can have same alphanumeric
string as an output. Even if the input strings are slightly different from each other, there is a
possibility of great difference between the output string produced through them .
This hash function can be a very simple mathematical function like the one shown in equation
(1) or very complex.
F(x) = x mod 10 (1)
Fig 5, below shows the mechanism of hash function cryptography.

Fig 5: Cryptographic Hash Function Mechanism

10 | C a s e S t u d y
All these above mentioned methods and techniques are widely used in encrypting the data in the cloud
to ensure data security. Use of these techniques varies from one scenario to another. Whichever
tchnique is used, it is highly recommended to ensure the security of data in both private and public
clouds.

RESULT

The above proposed method helps in reducing data security issues in private cloud network.
Encrypting protects data from any insider and outsider attack. Encryption leverages advanced
algorithms to encode the data, making it meaningless to any user who does not have the key.
Authorized users leverage the key to decode the data, transforming the concealed information back
into a readable format. Keys are generated and shared only with trusted parties whose identity is
established and verified through some form of multi-factor authentication.

CONCLUSION

Increased use of cloud computing for storing data is certainly increasing the trend of improving the
ways of storing data in the cloud. Data available in the cloud can be at risk if not protected in a rightful
manner. This paper discussed the risks and security threats to data in the cloud and given an overview
of three types of security concerns. Virtualization is examined to find out the threats caused by the
hypervisor. Similarly, threats caused by Public cloud and multitenancy have been discussed. One of
the major concerns of this paper was data security and its threats and solutions in cloud computing.
Data in different states has been discussed along with the techniques which are efficient for encrypting
the data in the cloud. The study provided an overview of block cipher, stream cipher and hash function
which are used for encrypting the data in the cloud whether it is at rest or in transit.

11 | C a s e S t u d y