Maxim Schnjakin

A security and high-availability layer for cloud storage

Cloud Computing as a service on demand architecture has become a topic of interest in the last few years. The outsourcing of duties and infrastructure to external parties enables new services to be established quickly, scaled on demand, and with low financial risk. Cloud storage enables organizations to manage their data with low operational expenses. Nevertheless, several issues such as security and the risk to become dependent on a provider for its service should be considered before entering the cloud. In general, a switch of a storage provider is associated with high costs of adapting new APIs and additional charges for inbound and outbound bandwidth and requests. In this paper we use the principle of RAID-technology in cloud infrastructure to manage data distribution across cloud storage providers. The distribution is based on users expectations regarding providers geographic location, quality of service, providers reputation, and budget preferences. Our approach allows users to avoid vendor lock-in, reduce cost of switching providers and increase security and availability of their data. We also explain on how the proposed system removes the complexity of interacting with multiple storage providers while maintaining security.

A pattern-driven security advisor for service-oriented architectures

Service-oriented Architectures (SOA) provide a flexible infrastructure to allow independently developed software components to communicate in a seamless manner. Increased connectivity entails significant higher security risks. To face these risks, a broad range of specifications e.g. WS-Security and WS-Trust has emerged to ensure security in SOA. These specifications are supported by all major Web Service Frameworks and enforced by security modules provided by these frameworks to apply security to ingoing and outgoing messages. In general, a security module is configured declaratively using a security policy e.g. WS-SecurityPolicy that expresses security goals and related configurations. To support a broad range of use cases, these security policy languages offer a variety of settings and options. However, the complexity of security policy languages leads to an error-prone and tedious creation of security policies. To simplify and support the generation of Web Services, we present an architecture for a security advisor in this paper. This security advisor facilitates the configuration of security modules for service-based systems based on a pattern-driven approach that enables the transformation from general security goals to concrete security configurations. Therefore, we will introduce a security pattern system which is used to resolve concrete protocols and security mechanisms at a technical level.

Evaluation of Cloud-RAID: A Secure and Reliable Storage above the Clouds

Cloud Computing as a service-on-demand architecture has grown in importance over the previous few years. One driver of its growth is the ever increasing amount of data which is supposed to outpace the growth of storage capacity. The usage of cloud technology enables organizations to manage their data with low operational expenses. However, the benefits of cloud computing come along with challenges and open issues such as security, reliability and the risk to become dependent on a provider for its service. In general, a switch of a storage provider is associated with high costs of adapting new APIs and additional charges for inbound and outbound bandwidth and requests. In this paper, we present a system that improves availability, confidentiality and reliability of data stored in the cloud. To achieve this objective, we encrypt users data and make use of the RAID-technology principle to manage data distribution across cloud storage providers. We conduct a proof-of-concept testbed experiment for our application to evaluate the performance and cost effectiveness of our approach. We deployed our application using eight commercial cloud storage repositories in different countries. Our approach allows users to avoid vendor lock-in, and reduces significantly the cost of switching providers. We also observed that our implementation improved the perceived availability and, in most cases, the overall performance when compared with individual cloud providers. Moreover, we estimated the monetary costs to be competitive to the cost of using a single cloud provider.

Towards Context-Aware Service-Oriented Semantic Reputation Framework

Reputation has been explored in diverse disciplines such as artificial intelligence, electronic commerce, peer-to-peer network, and multi-agent systems. Recently it has been a vital component for ensuring trust in web services and service oriented architecture domains. In this paper, we show details about our context-aware reputation framework. The framework is based on our semantic representation model for reputation called Reputation Object (RO) model. We discuss the advantages and propositions to construct such framework, its components, and how it is implemented. The importance of developing and using such generic reputation framework is highlighted within the emergence of the Semantic Web and service oriented architecture.

Implementation of Cloud-RAID: A Secure and Reliable Storage above the Clouds

Cloud Computing as a service-on-demand architecture has grown in importance over the previous few years. One driver of its growth is the ever increasing amount of data which is supposed to outpace the growth of storage capacity. In this way public cloud storage services enable organizations to manage their data with low operational expenses. However, the benefits of cloud computing come along with challenges and open issues such as security, reliability and the risk to become dependent on a provider for its service. In general, a switch of a storage provider is associated with high costs of adapting new APIs and additional charges for inbound and outbound bandwidth and requests. In this paper, we describe the design, architecture and implementation of Cloud-RAID, a system that improves availability, confidentiality and integrity of data stored in the cloud. To achieve this objective, we encrypt user’s data and make use of the RAID-technology principle to manage data distribution across cloud storage providers. The data distribution is based on users’ expectations regarding providers geographic location, quality of service, providers reputation, and budget preferences. We also discuss the security functionality and reveal our observations on the utility and users benefits from using our system. Our approach allows users to avoid vendor lock-in, and reduce significantly the cost of switching providers.

Applying Erasure Codes for Fault Tolerance in Cloud-RAID

Public cloud storage services enable organizations to manage data with low operational expenses. However, the benefits come along with challenges and open issues such as security and reliability. In our work, we presented a system that improves availability, confidentiality and reliability of data stored in the cloud. To achieve this objective, we encrypt users data and make use of erasure codes to stripe data across cloud storage providers. In this paper we focus on the need to identify an algorithm for encoding and reassembling the data from the clouds. Erasure codes have been introduces more than three decades ago. Due to new technology trends and powerful hardware, new codes as well as improvements on classic codes have been developed recently. Therefore, we provide an overview of the current state of erasure codes. Further, we introduce the relevant codes in detail and compare them on the basis of identified criteria that are relevant to their application in a cloud context. Furthermore, we take a look at the current open source libraries, that support the discussed algorithms. The comparative study will help us to identity the best algorithm for our Cloud-RAID system.

POTR: Practical On-the-Fly Rejection of Injected and Replayed 802.15.4 Frames

The practice of rejecting injected and replayed 802.15.4 frames only after they were received leaves 802.15.4 nodes vulnerable to broadcast and droplet attacks. Basically, in broadcast and droplet attacks, an attacker injects or replays plenty of 802.15.4 frames. As a result, victim 802.15.4 nodes stay in receive mode for extended periods of time and expend their limited energy. He et al. considered embedding one-time passwords in the synchronization headers of 802.15.4 frames so as to avoid that 802.15.4 nodes detect injected and replayed 802.15.4 frames in the first place. However, He et al.s, as well as similar proposals lack support for broadcast frames and depend on special hardware. In this paper, we propose Practical On-the-fly Rejection (POTR) to reject injected and replayed 802.15.4 frames early during receipt. Unlike previous proposals, POTR supports broadcast frames and can be implemented with many off-the-shelf 802.15.4 transceivers. In fact, we implemented POTR with CC2538 transceivers, as well as integrated POTR into the Contiki operating system. Furthermore, we demonstrate that, compared to using no defense, POTR reduces the time that 802.15.4 nodes stay in receive mode upon receiving an injected or replayed 802.15.4 frame by a factor of up to 16. Beyond that, POTR has a small processing and memory overhead, and incurs no communication overhead.

Scrutinizing the State of Cloud Storage with Cloud-RAID: A Secure and Reliable Storage Above the Clouds

Public cloud storage services enable organizations to manage data with low operational expenses. However, the benefits come along with challenges and open issues such as security, reliability and the risk to become dependent on a provider for its service. In our previous work, we presented a system that improves availability, confidentiality and reliability of data stored in the cloud. To achieve this objective, we encrypt users data and make use of the RAID-technology principle to manage data distribution across cloud storage providers. Recently, we conducted a proof-of-concept experiment for our application to evaluate the performance and cost effectiveness of our approach. We observed that our implementation improved the perceived availability and, in most cases, the overall performance when compared with cloud providers individually. We also observed a general trend that cloud storage providers have constant throughput values - whereby the individual throughput performance differs strongly from one provider to another. With this, the experienced transmissions can be utilized to increase the throughput performance of the upcoming data transfers. The aim is to distribute the data across providers according to their capabilities utilizing the maximum of the available throughput capacity. To assess the feasibility of the approach we have to understand how providers handle high simultaneous data transfers. Thus, in this paper we focus on the performance and the scalability evaluation of particular cloud storage providers. To this end, we deployed our application using eight commercial cloud storage repositories in different countries and conducted a set of extensive experiments.

Security Requirements Specification in Process-aware Information Systems

Service-oriented Architectures deliver a flexible infrastructure to allow independently developed software com-ponents to communicate in a seamless manner. In the scope of organisational workflows, SOA provides a suitable foundation to execute business processes as an orchestration of multiple independent services. In order to secure services, requirements are usually defined on a technical level, rather than on an organisational level that would provide a comprehensive view on the participants, the assets and their relationships regarding security.