Volume 24, Issue 6


Cloud Storage Security Assessment Through Equilibrium Analysis

Yuzhao Wu, Yongqiang Lyu, Yuanchun Shi*
Institute for Interdisciplinary Information Sciences, Tsinghua University, Beijing 100084, China.
Research Institute of Information Technology & TNList, Tsinghua University, Beijing 100084, China.
State Key Laboratory of Intelligent Technology and Systems, Tsinghua University, Beijing 100084, China.

Abstract

With ever greater amounts of data stored in cloud servers, data security and privacy issues have become increasingly important. Public cloud storage providers are semi-trustworthy because they may not have adequate security mechanisms to protect user data from being stolen or misused. Therefore, it is crucial for cloud users to evaluate the security of cloud storage providers. However, existing security assessment methods mainly focus on external security risks without considering the trustworthiness of cloud providers. In addition, the widely used third-party mediators are assumed to be trusted, and we are not aware of any work that considers the security of these mediators. This study fills these gaps by assessing the security of public cloud storage providers and third-party mediators through equilibrium analysis. More specifically, we conduct evaluations on a series of game models between public cloud storage providers and users to thoroughly analyze the security of different service scenarios. Using our proposed security assessment, users can determine the risk that their private data will be hacked by the cloud service providers; the cloud service providers can also decide on strategies to make their services more trustworthy. An experimental study of 32 users verified our method and indicated its potential for real service improvement.

Keywords: cloud storage security, security assessment, equilibrium analysis

Publication history

Received: 05 July 2018
Accepted: 25 September 2018
Published: 05 December 2019
Issue date: December 2019

Copyright

© The author(s) 2019
