SECNC: A Brazilian Experimental Cloud Storage Service

Roberto ARAUJO (1), Carlos Eduardo DA SILVA (2), Thomás DINIZ (2), Tainá MEDEIROS (2), André MARINS (3)

(1) Federal University of Pará – UFPA – INF, Augusto Corrêia Street, Guamá, ZIP 66075110, Belém, Brazil. Tel: +55 91 32017000. E-mail: [email protected]
(2) Federal University of Rio Grande do Norte – UFRN – INF, Senador Salgado Filho Av, Lagoa Nova, ZIP 59078970, Natal, Brazil. Tel: +55 84 32153119. E-mail: [email protected], {thomasfdsdiniz, tainajmedeiros}@gmail.com
(3) Brazilian National Education and Research Network, RNP, 116 Lauro Muller st, room 1103, ZIP 22290906, Rio de Janeiro, Brazil. Tel: +55 51 21029660, Fax: +55 51 22793731. E-mail: [email protected]
Abstract
Cloud-based storage services are increasingly common tools in the everyday life of teachers and researchers. The cloud business model is thus a trend for those looking for scalability, availability, flexibility and fewer maintenance issues. The increasing demand for collaborative work has driven these users to commercial cloud solutions, such as Dropbox, Google Drive or OneDrive, as the means to save and share presentations, lecture notes and research documents. Although those solutions offer many benefits to their users, they have a number of disadvantages: for example, commercial clouds store data on their own servers, which are subject to local rules and government laws, usually not the same rules and laws to which their users are subject. Another disadvantage is related to the terms of use and privacy policy. In this context, we present CNC Cloud, Cloud Computing for Science, a project sponsored by the Brazilian NREN RNP, which aims to offer a cloud storage service for researchers and lecturers of Brazilian education and research institutes.

Keywords: Owncloud, Security, Cloud Computing.
1. Introduction
Historically, the evolution of information technology has been characterized by innovation and the creation of new paradigms. This behavior has repeated itself with the appearance of cloud computing, a distributed computing model where shared computational resources (e.g., hardware, development platforms, and applications) are virtualized and offered as services, supported by a number of data centers all over the Internet (Armbrust et al. 2010, Foster et al. 2008, Vaquero et al. 2009).

This movement has raised a lot of interest in different communities. Nowadays, there are a number of commercial cloud service providers (e.g., Amazon, Google, Microsoft) which have been adopted by users with different profiles (home users, scientific and private communities) for saving and sharing several types of documents, such as presentations, lecture notes and research documents. Although those solutions offer many benefits to their users, they present a number of disadvantages. In general, commercial clouds store data on their own servers. Those servers, and the data stored on them, are subject to local rules and government laws, usually not the same rules and laws to which their users are subject. Another disadvantage is related to the terms of use and privacy policy. Cloud services can, and usually do, update their terms of use according to enterprise interests, leaving the user defenseless regarding the ownership of their data. Thus, although there is a search for reliable and internationally recognized standards, there is still no clarity or consensus regarding the rights and obligations of the parties involved in a cloud computing model. As a result, data stored in commercial clouds can be completely vulnerable to unauthorized monitoring and manipulation.

In this context, the CNC Cloud project aims at offering a strictly national cloud storage service, mainly for researchers and lecturers of Brazilian education and research institutes. For this, the CNC team has deployed a continental-scale infrastructure based on open source technologies. The service also focuses on data privacy, aiming at enabling secure data storage. CNC Cloud has an infrastructure based on OpenStack software, and access is granted through Owncloud. Our infrastructure has servers at different Brazilian universities (UFPA, UFRN, UFSC, UFMG) and at some Points of Presence (PoPs) of the Brazilian NREN (RNP). A user uses the Owncloud web client to access his files stored in the cloud. All operations are load balanced according to demand, which ensures the high availability and stability of the cloud.

This paper is organized as follows: Section 2 presents concepts of cloud computing and identity federation. Section 3 describes how SECNC was developed and how its architecture works. Section 4 presents the results of some tests that have been performed with SECNC. Finally, Section 5 presents the conclusions and some future work.
2. Background
2.1. Cloud Computing

Cloud computing is a relatively new business model in the computing world. According to the NIST definition, cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services). NIST also defines three service models for cloud computing: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). SaaS is the model that provides the user with applications running on a cloud infrastructure. PaaS provides the user with a cloud environment to deploy its own applications using programming languages, libraries and services supported by the cloud. IaaS aims to provide fundamental computing resources, such as processing, storage and networks, to the user. In this case, the user does not control the underlying cloud infrastructure, but does have control over what it deploys on it.

Currently, many users have signed up to some type of cloud service, such as storage services (e.g., Dropbox¹) and virtual machine services (e.g., Amazon²). Moreover, the use of cloud services has gained widespread adoption beyond that of the common user, and can now be perceived in a number of environments, such as companies, research centres and universities. Thus, the increasing use of cloud computing services has required new architecture and design solutions to support those demands.

OpenStack is a toolbox to build cloud infrastructures; one of its components is the Object Storage service (Swift). Swift allows the creation of storage clouds. It is composed of modules that perform specific services for the cloud and has a distributed deployment approach, with storage servers and proxy servers. Keystone is an OpenStack project that aims to provide a service for identity management. OpenStack projects use Keystone to authenticate users accessing cloud services. As shown in Figure 1, in our infrastructure Keystone is deployed on the proxy nodes. The native Keystone authentication process is based on token credentials: after successful authentication the user receives a token to access the cloud services.
2.2. Identity Federation

Cloud services are normally available to a great number of users, who can belong to many domains (such as schools and colleges). These users need to perform some kind of authentication before gaining access to the services. This authentication is usually done by regular means, with the cloud responsible for all authentication management, including the storage of users' access information. However, as the number of users increases, the authentication process becomes more difficult, so cloud services are starting to look for alternatives that facilitate it.

A federated identity management system consists mainly of service providers and identity providers. These providers establish a relationship of trust for exchanging user information, so as to allow access to resources [Chadwick 2009] [Wangham et al. 2010]. A service provider offers resources to a user, who is authenticated through an identity provider (IdP). Besides performing the user authentication process, the IdP is also responsible for issuing attribute assertions about the authenticated user. An attribute corresponds to a characteristic or property of a user, whereas an attribute assertion is an affirmation made by the IdP, through a digitally signed message, that a user has a given attribute. Using the attributes that belong to the user, the service providers then, based on their own access control policies, make decisions about the resources and operations allowed to the user.
¹ https://www.dropbox.com/
² http://www.amazon.com/
There are many technologies that help in the development of federated identity management systems, such as SAML and OpenID Connect. The federated environment of RNP uses SAML (Security Assertion Markup Language) [OASIS 2008]. It defines standard messages and protocols for the safe sending and receiving of information. Besides, SAML also defines a set of roles that can be performed by an entity in the SAML infrastructure, as well as the metadata that describes these entities [Wangham et al. 2010].
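As an added illustration of the service-provider side of the exchange described in this section (example code written for this page, not part of SECNC, CAFe Expresso or any SAML library), the Python below parses a constructed SAML 2.0 assertion, checks its issuer, validity window and audience, and applies a hypothetical access policy on the eduPersonAffiliation attribute before accepting the principal. The entity IDs, policy and assertion content are assumptions; the XML signature check that must precede this step is left to the SAML stack.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://cloud.example.org/sp"         # hypothetical entity ID of the storage SP
TRUSTED_IDPS = {"https://idp.example.edu/idp"}        # hypothetical IdPs taken from federation metadata
ALLOWED_AFFILIATIONS = {"faculty", "researcher"}      # hypothetical SP access policy
OID_EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"         # eduPersonPrincipalName
OID_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"  # eduPersonAffiliation

# Constructed sample assertion (the ds:Signature element is omitted for brevity).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_c1" IssueInstant="2015-05-20T12:00:00Z">
<saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
<saml:Conditions NotBefore="2015-05-20T12:00:00Z" NotOnOrAfter="2015-05-20T12:05:00Z">
<saml:AudienceRestriction><saml:Audience>https://cloud.example.org/sp</saml:Audience></saml:AudienceRestriction>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><saml:AttributeValue>ana@example.edu</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"><saml:AttributeValue>faculty</saml:AttributeValue><saml:AttributeValue>member</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):
    """Parse a SAML UTC timestamp such as 2015-05-20T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def attributes_of(root):
    """Collect {attribute name: [values]} from the assertion's AttributeStatement."""
    return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}

def conditions_hold(root, now):
    """The validity window must contain `now` and this SP must be a named audience."""
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _ts(not_before):
        return False
    if not_after is None or now >= _ts(not_after):
        return False
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    return SP_ENTITY_ID in audiences

def authorize(assertion_xml, now_iso, trusted_idps=TRUSTED_IDPS):
    """SP-side decision: return the principal to log in, or None to refuse.
    Assumes the XML signature was already verified against the IdP key from the
    federation metadata; an unverified assertion must never reach this point."""
    root = ET.fromstring(assertion_xml)
    if root.findtext("saml:Issuer", namespaces=NS) not in trusted_idps:
        return None
    if not conditions_hold(root, _ts(now_iso)):
        return None
    attrs = attributes_of(root)
    if not set(attrs.get(OID_AFFILIATION, [])) & ALLOWED_AFFILIATIONS:
        return None
    return (attrs.get(OID_EPPN) or [None])[0]
```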
3. CNC Cloud
3.1. Infrastructure Overview

Aiming to provide a safe, reliable and scalable cloud data storage service, SECNC performed an extensive study of tools for building a cloud. The service follows the community cloud deployment model and the IaaS (Infrastructure as a Service) service model. It was built using Swift, OpenStack's object storage service. In this project, there are servers laid out in different states and universities, such as UFPA, UFRN, UFSC, UFMG, PoP-PA and PoP-SC. The service consists of client and server software. The client software is used by users to access the cloud services; the server software provides the cloud service to the users. Figure 01 shows an overview of the architecture.

Figure 01: Architecture overview
3.2. SECNC Architecture

The cloud storage service consists of a set of services arranged on servers. These services are: Proxy, Object, Container and Account. The proxy server receives user requests and forwards them to the cloud storage services. The cloud uses three proxy services, each available on a different server: one is located at UFPA, another at UFSC and the third at UFMG. Figure 02 shows the disposition of these servers.

It is important to note that, in order to serve a larger number of user requests, more proxy servers can be added to the architecture in the future. Those three proxy servers are load balanced through round-robin DNS. The communication between the proxy servers and the users is made through the HTTPS protocol. In order to provide the storage service to users, the cloud requires some form of authentication. For this, a strategy was adopted to integrate the cloud service with the Identity Federation of RNP, CAFe Expresso. The federation authenticates the user to access the cloud resources.

The account, container and object services take care of data storage. The object service handles object storage, the container service handles the list of objects inside each container, and the account service handles the list of containers. In the cloud, all three services are available together on a single server (storage node), following Rackspace's recommendation. The cloud consists of a total of 15 (fifteen) storage servers (nodes), shown in Figure 02 of this section. Each storage server runs these three services: Object, Container and Account. These servers make up the storage cloud and are responsible for storing user data.

The ring determines where the data are in the cloud, through a mapping. A ring can be created exclusively for each service, so the container service can have its own ring, just like the object and account services. The cloud uses one ring per service (container, object and account). All three rings are laid out on each of the 15 storage servers that make up the cloud. Because of Swift's flexibility, new servers can be added to the cloud to offer a larger storage capacity; each new server will contain the three rings. The ring also requires setting the number of replicas that will be used to store data. With the data replicated, if a server becomes inoperative, the other ones will provide the requested data.

As illustrated in Figure 02, the clients access the cloud via the HTTPS protocol. The load balancer then forwards the user's requests to the UFPA or UFSC proxy. The proxy first authenticates the user and verifies whether the request can be answered. If the user has the proper authentication, the proxy communicates with the storage servers to answer those requests.
Figure 02: SECNC Architecture
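The following Python is a simplified model of the Swift ring described in Section 3.2, added here as an illustration and not SECNC's or OpenStack's own code: it maps object paths to partitions by hash, places three replicas of each partition on nodes at distinct sites, and shows that a path still resolves to live copies when one node is down. The 15-node layout and the site labels are constructed; real Swift rings additionally handle device weights and rebalancing.

```python
import hashlib

PART_POWER = 8   # 2**8 = 256 partitions; production Swift rings use far more (e.g. 2**18)
REPLICAS = 3     # copies of every partition kept by the ring

# Constructed node list: 15 storage nodes as (device id, site). The site labels stand in
# for the universities/PoPs hosting SECNC storage servers; the mapping is an assumption.
SITES = ["UFPA", "UFRN", "UFSC", "UFMG", "PoP-PA"]
DEVICES = [(dev_id, SITES[dev_id % len(SITES)]) for dev_id in range(15)]

def partition_for(path):
    """Map an object path (/account/container/object) to a partition the way
    Swift does: take the top PART_POWER bits of the MD5 of the path."""
    digest = hashlib.md5(path.encode()).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - PART_POWER)

def build_ring(devices, replicas=REPLICAS):
    """Assign each partition `replicas` devices, spreading copies over sites.
    Walks the device list cyclically so partitions spread evenly, and skips a
    device whose site already holds a copy while other sites are available."""
    ring, n = {}, len(devices)
    for part in range(2 ** PART_POWER):
        chosen, sites_used = [], set()
        start = part * replicas
        for offset in range(n):                      # first pass: distinct sites
            dev_id, site = devices[(start + offset) % n]
            if site in sites_used:
                continue
            chosen.append(dev_id)
            sites_used.add(site)
            if len(chosen) == replicas:
                break
        for offset in range(n):                      # fallback: fewer sites than replicas
            if len(chosen) == replicas:
                break
            dev_id, _ = devices[(start + offset) % n]
            if dev_id not in chosen:
                chosen.append(dev_id)
        ring[part] = chosen
    return ring

def lookup(ring, path, failed_devices=()):
    """Devices able to serve `path` right now: replicas on failed nodes are skipped,
    which is what lets the proxy answer a request when one storage node is down."""
    return [d for d in ring[partition_for(path)] if d not in failed_devices]

if __name__ == "__main__":
    ring = build_ring(DEVICES)
    path = "/AUTH_ana/papers/draft.pdf"
    part = partition_for(path)
    print("partition", part, "on devices", ring[part])
    print("with device", ring[part][0], "down:", lookup(ring, path, failed_devices={ring[part][0]}))
```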
4. Results
Currently, SECNC involves 10 educational institutes distributed across Brazil (University of Juiz de Fora UFJF, Federal University of Santa Maria UFSM, Point of Presence of Pará PoP-PA, Federal University of Bahia UFBA, Point of Presence of Santa Catarina PoP-SC, Federal University of Cariri UFCA, Federal University of Paraná UFPR, Medical University Network RUTE, Coordination for the Improvement of Higher Education Personnel CAPES, and some users from the Brazilian NREN). Those institutes took part in tests of our cloud environment. The methodology used to apply the test cases was based on a detailed description sent to each institute. Those tests were composed of instructions as well as a description of the actions to be executed. After this, each institute reported its feedback. The four test stages recently applied are described below.
In the first stage, the user's first contact with the cloud was made. Test cases were explored encompassing the following items:
● Federated authentication
● Object and directory listing
● Directory creation
● Object upload
● Object removal
● Web client usability from the perspective of the main browsers

Each test was performed by 20 users, who did not report any error in this stage of tests.

In the second stage, three test cases were defined for object sharing and three test cases for encrypted data storage. The sharing tests were:
● Object share;
● Directory share;
● Temporary link share.
The following tests were related to cryptography:
● Data storage and encryption;
● Data decryption;
● Encrypted file share.
Nine users executed the sharing test cases and did not report any error during the execution of the second test stage. For the cryptography tests, 11 users executed the test cases. All the cryptography tests showed errors due to the crypto application, which was blocked by security rules in some browsers.

In the third stage, three test cases were defined related to document editing:
● Document creation;
● Shared document editing;
● Upload of a document to be edited in the cloud.
We observed that the five users who performed these tests could reach the main goal of the tests, although they reported errors in the execution of the document editing tests. Everyone reported a different problem, such as slowness when performing actions and when reopening a document to edit it.

Other tests have been applied and will be made available soon to the partner institutes. Once the tests were executed, we had good results regarding the performance and usability of CNC Cloud. Figure 03 shows a 76% success rate for the tests applied in the three test stages.
Figure 03: Percentage of success and faults on the tests
5. Conclusion
It can be concluded that Owncloud refers, essentially, to the idea of using, anywhere and on any platform, a wide variety of applications via the Internet as easily as if they were installed on the computer. Data storage clouds are tools that are becoming more and more common in the daily lives of teachers and researchers. These users use the cloud to store and share data, such as class notes and scientific research results. Thus, SECNC has presented a cloud data storage service that is genuinely Brazilian, especially for teachers and researchers. For this purpose, SECNC has servers around the country and uses open source technologies. The service also prioritizes data confidentiality, so that the data is always safe. Based on the tests that were performed, a positive evaluation can be made of the service provided by SECNC.
References
Armbrust, M. et al. (2009). Above the Clouds: A Berkeley View of Cloud Computing. Technical report, Reliable Adaptive Distributed Systems Laboratory, University of California at Berkeley, USA.
Foster, I., Zhao, Y., Raicu, I., Lu, S. (2008). Cloud Computing and Grid Computing 360-Degree Compared. In Grid Computing Environments Workshop, 2008 (GCE'08), pp. 1–10. IEEE.
Vaquero, L. M., Rodero-Merino, L., Caceres, J., and Lindner, M. (2009). A Break in the Clouds: Towards a Cloud Definition. ACM SIGCOMM Computer Communication Review, Vol. 39(1), pp. 50–55, January 2009.
Juve, G., Deelman, E., Vahi, K., Mehta, G., et al. (2009). Scientific Workflow Applications on Amazon EC2. Workshop on Cloud-based Services and Applications, in conjunction with the 5th IEEE International Conference on e-Science (eScience 2009), Oxford, UK.
Mahjoub, M., Mdhaffar, A., et al. (2011). A Comparative Study of the Current Cloud Computing Technologies and Offers. 2011 First International Symposium on Network Cloud Computing and Applications, pp. 131–134. IEEE.
Khan, R. H., Ylitalo, J., Ahmed, A. S. (2011). OpenID Authentication as a Service in OpenStack. 7th International Conference on Information Assurance and Security (IAS), pp. 372–377, December 2011.
Chadwick, D. W. (2009). Federated Identity Management. Foundations of Security Analysis and Design V, pp. 96–120.
OASIS (2005). Security Assertion Markup Language (SAML) 2.0 Technical Overview. OASIS.
Wangham, M. S., Mello, E. R., Boger, D. S., Guerios, M., and Fraga, J. S. (2010). Gerenciamento de Identidades Federadas. Minicursos do Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais, pp. 3–52.
Biographies
Roberto Araujo is the coordinator of SECNC. He is a professor at Universidade Federal do Pará (Brazil). He holds a Ph.D. in informatics from the Theoretical Computer Science group at TU Darmstadt (Germany) and a Master's degree in computer science from Universidade Federal de Santa Catarina (Brazil). Computer security is his main research area. His topics of interest include secure voting, secure protocols, cryptography and cloud security.
Carlos Eduardo da Silva received a PhD in Computer Science from the University of Kent at Canterbury (2011). He is an Assistant Professor at the Metropole Digital Institute of the Federal University of Rio Grande do Norte (IMD/UFRN) in Brazil. His main research interests are software engineering for self-adaptive software systems, cloud computing, security and identity management.
Thomas Filipe holds a Bachelor's degree in Computer Science from the State University of Rio Grande do Norte and in Science and Technology with emphasis in Web Development from the Federal University of Rio Grande do Norte (UFRN). He is working on his master's degree in the Department of Informatics and Applied Mathematics (DIMAp), Center of Exact and Earth Sciences, UFRN. His main research topics are related to cloud computing systems and access control, with a focus on federated identity management.
Tainá Medeiros studied at the University Center of João Pessoa (Brazil), where she graduated in Computer Science. She is a specialist in Information Security from Faculdade Idez (Brazil) and holds a Master's in Computer Science from the Federal University of Rio Grande do Norte (Brazil). She is working at Mauricio de Nassau College as a professor and works as a project manager of SECNC. Her main research interests are Software Engineering, Information Security, Artificial Intelligence and Digital Games.