towards a compliance audit of slas for data replication
play

Towards a compliance audit of SLAs for data replication in Cloud - PowerPoint PPT Presentation

Nov 18, 2023 •147 likes •484 views

Towards a compliance audit of SLAs for data replication in Cloud storage J. Leneutre B. Djebaili, C. Kiennert, J. Leneutre, L. Chen, Data Integrity and Availability Verification Game in Untrusted Cloud Storage, Conference on Decision and Game

  1. Towards a compliance audit of SLAs for data replication in Cloud storage J. Leneutre B. Djebaili, C. Kiennert, J. Leneutre, L. Chen, Data Integrity and Availability Verification Game in Untrusted Cloud Storage, Conference on Decision and Game Theory for Security (GameSec), Los Angeles, CA, USA, November Institut Mines-Télécom 2014, LNCS.

  2. Outline • Introduction • Background • Assumptions • Contributions • Game Models • Conclusion 2 Institut Mines-Télécom Data Integrity Verification Game in Cloud Storage 30/06/15

  3. Outline • Introduction • Background • Contributions • Game Models • Conclusion 3 Institut Mines-Télécom Data Integrity Verification Game in Cloud Storage 30/06/15

  4. Introduction n Cloud features: • On-demand services • Resource pooling via multi-tenancy • Elasticity via dynamic provisioning of resources • Device and location independence ➡ Source of security problems ─ Reduced control over software and data ─ Potential Interference between security and cloud optimization mechanisms n Security of data storage: • Privacy / Confidentiality • Integrity/availability ─ External (hackers) threats for data integrity or availability ─ Cloud Provider (CP) might behave unfaithfully ➡ Users need strong evidence that their data have not been tampered or partially deleted 4 Institut Mines-Télécom Data Integrity Verification Game in Cloud Storage 30/06/15

  5. Problem Statement n Case of an Untrusted CP • Economically-motivated CP that may be tempted to erase (copies of) data to use less storage space ➡ How to check compliance of SLAs with regard to data replication? n Efficient schemes for remote data integrity checking exist • New cryptographic protocols: proof of data possession (PDP), proof of retrieval (POR) … ➡ However verification costs computing resources n How to optimize their use ? • Frequency of the verification process ? • Which data to check in priority ? • Are there data not worth checking at all ? ➡ Optimal verification policies needed • Trade-off between security & cost of verification • Obtained by a Game Theoretical analysis modelling interactions between Verifier & CP 5 Institut Mines-Télécom Data Integrity Verification Game in Cloud Storage 30/06/15

  6. Underlying assumptions n Data replication rate is specified in SLAs • Usually not covered in a cloud storage service provider's SLA ➡ Rather provide guarantees in terms of uptime, or allowed number of retries, or how long a read request can take to be serviced ➡ Offer some sort of tiered credits the users if the guarantees are not satisfied • May be negociated in the case of storage backup or cloud archive servic es ➡ Possible definition of precise retention policies n User is allowed to access to different copies of same data • May be necessary to check geographical location of data 6 Institut Mines-Télécom Data Integrity Verification Game in Cloud Storage 30/06/15

  7. Outline • Introduction • Background • Contributions • Game Models • Conclusion 7 Institut Mines-Télécom Data Integrity Verification Game in Cloud Storage 30/06/15

  8. Background : Integrity verification of outsourced data n Usual techniques for integrity control • Hash functions, error-correcting code, checksum, … ➡ … not suited for intentional modification of data ! Audit Hash(D) D Cloud Hash(D) User Hash(D) storage D: Data No detection of modification 8 Institut Mines-Télécom Data Integrity Verification Game in Cloud Storage 30/06/15

  9. Background : Integrity verification of outsourced data n Need for a new cryptographic primitive ➡ Integrity checking challenge response protocol • Metadata may also be outsourced • Verification may be delegated to a third party auditor (TPA) 9 Institut Mines-Télécom Data Integrity Verification Game in Cloud Storage 30/06/15

  10. Background: Integrity verification of outsourced data n A naive scheme • Requires large metadata size • Consumes too much bandwidth and computation • Verifications limited to the number of precomputed hash values 10 Institut Mines-Télécom Data Integrity Verification Game in Cloud Storage 30/06/15

  11. Background: Integrity verification of outsourced data n A simple protocol based on DLP [Deswarte & alii, 2004] • Metadata: Tag computed using an homomorphic function C=g r mod n d R=C d mod n T=g d mod n F(d) Storage Verifier provider DLP problem à security T r = C d ? à “d”: data “T”: tag (metadata) “C”: challenge “R”: response “n”: RSA modulus “r”: random integer “DLP”: discrete logarithm problem Deswarte, Y., Quisquater, J.-J., and Saïdane, A.. Remote Integrity Checking. In Proceedings of 6th Working Conference on Integrity and Internal Control in Information Systems (IICIS) , 2004. 11 Institut Mines-Télécom Data Integrity Verification Game in Cloud Storage 30/06/15

  12. Background: Integrity verification of outsourced data n Two main approaches for data verification schemes • Deterministic protocols: checks entire data • Probabilistic protocols: randomly checks blocks of data ➡ reduce the computing time of verification n Main efficient verification schemes • PDP (Provable Data Possession) [Ateniese & alii 2011] ─ Minimize bandwith • POR (Proofs of Retriability) [Juels, Kaliski 2007] ─ Ability to recover corrupted files by using error correcting codes n Other features • Public verification • Management of dynamic data • Verification of multiple copies of a data [Ateniese & alii 2011] Ateniese, G., Burns, R., Curtmola, R., Herring, J., Khan, O., Kissner, L., ... & Song, D. (2011). Remote data checking using provable data possession. ACM TISSEC, 14(1), 12. [Juels, Kaliski 2007] Juels, A., & Kaliski Jr, B. S. (2007, October). PORs: Proofs of retrievability for large files. In Proceedings of the 14th ACM conference on Computer and communications security. 12 Institut Mines-Télécom Data Integrity Verification Game in Cloud Storage 30/06/15

  13. Background: Game Theory n Game theory : aims at modeling situations in which decision makers have to make specific actions that have mutual, possibly conflicting consequences n Glossary: • Players : a strategic decision maker (can be a person, a machine, etc.) • Actions : a move that can be carried out by the player at any given time • Utility function : assigns a numerical value for every possible outcome of the game for a given player taking into account other players’ actions • Strategy : a plan of actions taken in the game • Nash Equilibrium : strategy from which no player has an incentive to deviate unilaterally 13 Institut Mines-Télécom Data Integrity Verification Game in Cloud Storage 30/06/15

  14. Background: Game Theory n Example: Forwarder’s dilemma • Goal: device p 1 (resp. p 2 ) wants to send a packet to his receiver r 1 (resp. r 2 ) using p 2 (resp. p 1 ) as a forwarder, in each time slot • Actions: Forward (F) or Drop (D) a packet • Utility function: ─ c (0<c<<1): cost representing the energy and computation spent for the forwarding action ─ Reward when forwarding : 1 • Nash equilibrium: (D,D) 14 Institut Mines-Télécom A strategic approach to manage security risks 30/06/15

  15. Outline • Introduction • Game Theory • Contributions • Game Models • Conclusion 15 Institut Mines-Télécom Data Integrity Verification Game in Cloud Storage 30/06/15

  16. Contributions n Define a basic model • Static game with deterministic verification protocol • CP stores only one copy of the data n Study different extensions of the model • Dynamic game with deterministic verification (Stackelberg game) • Static game with probabilistic verification protocol • Extension where CP stores multiple copies of data • Repeated game (multiple consecutive interactions over time) n For each model : • Prove the existence of an attractive data set on which both attacker and verifier should focus exclusively • Find the Nash Equilibrium • Analyze the results in terms of expected behaviours & deduce guidelines for optimal TPA data checking 16 Institut Mines-Télécom Data Integrity Verification Game in Cloud Storage 30/06/15

  17. Outline • Introduction • Game Theory • Contributions • Game Models • Conclusion 17 Institut Mines-Télécom Data Integrity Verification Game in Cloud Storage 30/06/15

  18. Generic game Model n Non-cooperative game n Two rational players • Attacker (CP) • Verifier (TPA) n Two actions per player for each data : • Attacker : Not replicating / Do nothing • Verifier : Check data integrity / Do nothing n Strategies: distribution of attack/verification resources • For each data D i , the attacker decides to not replicate data with probability p i, and the verifier checks data with probability t i • Available resources for attacker (resp. verifier) : P (resp. T ) Lin Chen and Jean Leneutre. A game theoretical framework on intrusion Detection in heterogeneous networks.IEEE TIFS, 4(2):165-178, 2009 18 Institut Mines-Télécom Data Integrity Verification Game in Cloud Storage 30/06/15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Standardizing Your Compliance Activities to Implement Data Analytics and RPA #AuditBoardWebinars

Standardizing Your Compliance Activities to Implement Data Analytics and RPA #AuditBoardWebinars

Standardizing Your Compliance Activities to Implement Data Analytics and RPA #AuditBoardWebinars Jason Sechrist Director of Audit and Compliance Solutions AuditBoard Former Head IT Compliance and Internal Audit Volunteer Board/Audit

427 views • 30 slides
August 23, 2012 Data Replication/ETL: Terms Data Replication : Data Replication is the process of

August 23, 2012 Data Replication/ETL: Terms Data Replication : Data Replication is the process of

State of Connecticut Criminal Justice Information System Connecticut Information Sharing System (CISS) Technology Workshop 1: Data Replication/ETL August 23, 2012 Data Replication/ETL: Terms Data Replication : Data Replication is the process of

535 views • 24 slides
Subpart F Income: Critical Tax Compliance and Audit Issues Compliance and Audit Issues Mastering

Subpart F Income: Critical Tax Compliance and Audit Issues Compliance and Audit Issues Mastering

Presenting a live 110 minute teleconference with interactive Q&amp;A Subpart F Income: Critical Tax Compliance and Audit Issues Compliance and Audit Issues Mastering Income Calculation, Tax Rates, Audit Preparation and Other Complexities WEDNES

1.42k views • 73 slides
CHECKLISTS CHECKLISTS FOR FINANCIAL AND COMPLIANCE AUDIT FOR FINANCIAL AND COMPLIANCE AUDIT OF

CHECKLISTS CHECKLISTS FOR FINANCIAL AND COMPLIANCE AUDIT FOR FINANCIAL AND COMPLIANCE AUDIT OF

CHECKLISTS CHECKLISTS FOR FINANCIAL AND COMPLIANCE AUDIT FOR FINANCIAL AND COMPLIANCE AUDIT OF PUBLIC PROCUREMENT OF PUBLIC PROCUREMENT CRISTINA BREDEN Director Directorate for Public Procurement Audit, Methodology and Training Audit,

619 views • 38 slides
PRE-AUDIT REPORT TO THE AUDIT &amp; COMPLIANCE COMMITTEE MAY 2, 2017 BKD, LLP MARY MCKINLEY,

PRE-AUDIT REPORT TO THE AUDIT &amp; COMPLIANCE COMMITTEE MAY 2, 2017 BKD, LLP MARY MCKINLEY,

PRE-AUDIT REPORT TO THE AUDIT &amp; COMPLIANCE COMMITTEE MAY 2, 2017 BKD, LLP MARY MCKINLEY, PARTNER JOANIE DUCKWORTH, DIRECTOR 1 // experience access PRE-AUDIT REPORT SUMMARY Auditors Responsibility Obtain reasonable, but not absolute,

177 views • 7 slides
OFFICE OF UNIVERSITY COMPLIANCE OFFICE OF UNIVERSITY COMPLIANCE Who We Are: Joint Audit and

OFFICE OF UNIVERSITY COMPLIANCE OFFICE OF UNIVERSITY COMPLIANCE Who We Are: Joint Audit and

OFFICE OF UNIVERSITY COMPLIANCE OFFICE OF UNIVERSITY COMPLIANCE Who We Are: Joint Audit and Compliance Committee President Kimberly Fearney Associate Vice President &amp; Chief Compliance Officer Liz Vitullo Executive Assistant Omar

127 views • 8 slides
Board of Visitors Audit, Compliance, and Risk Committee June 2018 1 Action Items: 1. Audit

Board of Visitors Audit, Compliance, and Risk Committee June 2018 1 Action Items: 1. Audit

Board of Visitors Audit, Compliance, and Risk Committee June 2018 1 Action Items: 1. Audit Plan FY2019-FY2020 2. Revised Audit and Compliance Charters Audit Plan: FY2019-FY2020 Sense and Respond: Moving Toward Real-Time Assurance

297 views • 19 slides
Community College Audit and Fiscal Compliance Workshop VAVRINEK, TRINE, DAY &amp; CO., LLP May

Community College Audit and Fiscal Compliance Workshop VAVRINEK, TRINE, DAY &amp; CO., LLP May

Community College Audit and Fiscal Compliance Workshop VAVRINEK, TRINE, DAY &amp; CO., LLP May 23, 2017 Audit Responsibilities Overview An annual financial statement and compliance audit of California Community College Districts is

295 views • 28 slides
Todays Topics - Chapter 15 Slide 1 performance enhancement Replication Replication of

Todays Topics - Chapter 15 Slide 1 performance enhancement Replication Replication of

Distributed Systems Lecture 5 1 Replication 15.1 Group Communications 15.2 Fault Services 15.3 Todays Topics - Chapter 15 Slide 1 performance enhancement Replication Replication of read-only data is simple, but replication

726 views • 14 slides
Ohio Tax Advanced: Leveraging Technology &amp; Data to Improve Tax Compliance, Audit Defense

Ohio Tax Advanced: Leveraging Technology &amp; Data to Improve Tax Compliance, Audit Defense

27th Annual Tuesday &amp; Wednesday, January 2324, 2018 Hya Regency Columbus, Columbus, Ohio Workshop L Ohio Tax Advanced: Leveraging Technology &amp; Data to Improve Tax Compliance, Audit Defense &amp; Produce Significant Tax Savings

913 views • 42 slides
Audit and Compliance Committee Internal Audit Proposed Internal Audit Charter March 15, 2019

Audit and Compliance Committee Internal Audit Proposed Internal Audit Charter March 15, 2019

Audit and Compliance Committee Internal Audit Proposed Internal Audit Charter March 15, 2019 Internal Audit Open Meeting Internal Audit Charter Internal Audit Charter (The following 3 slides are excerpts from the Institute of Internal

205 views • 6 slides
Why have a Human Resources Compliance Audit? WHICH APPLY TO YOUR COMPANY? ARE YOU IN COMPLIANCE?

Why have a Human Resources Compliance Audit? WHICH APPLY TO YOUR COMPANY? ARE YOU IN COMPLIANCE?

Why have a Human Resources Compliance Audit? WHICH APPLY TO YOUR COMPANY? ARE YOU IN COMPLIANCE? Sometimes You dont know What you dont know. This is where our expertise can help you! WHY HAVE A HR AUDIT? Analyze &amp; minimize

186 views • 16 slides
Internal Audit and Compliance Reporting Summary March 14, 2019 1 Compliance Long Range Plan

Internal Audit and Compliance Reporting Summary March 14, 2019 1 Compliance Long Range Plan

Internal Audit and Compliance Reporting Summary March 14, 2019 1 Compliance Long Range Plan One of the core requirements from the Compliance Resource Group (CRG) was that Compliance should develop a 3-5 year strategic plan to model the

793 views • 13 slides
Office of Internal Compliance Audit Committee Meeting June 20, 2019 2:00 PM Presented by:

Office of Internal Compliance Audit Committee Meeting June 20, 2019 2:00 PM Presented by:

Office of Internal Compliance Audit Committee Meeting June 20, 2019 2:00 PM Presented by: Connie Brown, Executive Director Internal Compliance Content OIC Update Audit Report Discussions Infinite Campus Monitoring Access Review

480 views • 26 slides
Internal Audit and Compliance Blurred Lines of Responsibility Tim Robinson April 24, 2014

Internal Audit and Compliance Blurred Lines of Responsibility Tim Robinson April 24, 2014

Internal Audit and Compliance Blurred Lines of Responsibility Tim Robinson April 24, 2014 Understanding the audience Do you have an established compliance function within your company? Have you performed a compliance function audit?

275 views • 23 slides
Asynchronous Replication and Bayou Asynchronous Replication and Bayou Asynchronous Replication

Asynchronous Replication and Bayou Asynchronous Replication and Bayou Asynchronous Replication

Asynchronous Replication and Bayou Asynchronous Replication and Bayou Asynchronous Replication Asynchronous Replication Idea: build available/scalable information services with read-any-write-any replication and a weak consistency model. - no

738 views • 48 slides
Mission Critical Security for your Mission Critical Applications Bringing NonS top to the

Mission Critical Security for your Mission Critical Applications Bringing NonS top to the

Mission Critical Security for your Mission Critical Applications Bringing NonS top to the Enterprise and the Enterprise to NonS top About XYPRO 29 years serving the HP NonS top community S pecialists in Mission

448 views • 19 slides
SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar

SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar

SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar Krishnan &amp; Dr. Mingkui Wei Department of Computer Science Sam Houston State University, Huntsville, Texas ISDFS 2019 SC SCADA Ov Overv

635 views • 22 slides
Introduction to Change Introduction to Change Management Management Tuesday, September 23, 2008

Introduction to Change Introduction to Change Management Management Tuesday, September 23, 2008

San Francisco Chapter San Francisco Chapter Introduction to Change Introduction to Change Management Management Tuesday, September 23, 2008 Mark Lundin Steve Owyoung Partner Manager KPMG LLP, IT Advisory KPMG LLP, IT

835 views • 37 slides
WITHIN AN SDM SYSTEM Matthias Bchse, M. Thiele, H. Mllerschn SCALE GmbH, Germany Agenda

WITHIN AN SDM SYSTEM Matthias Bchse, M. Thiele, H. Mllerschn SCALE GmbH, Germany Agenda

NEW DEVELOPMENTS ON COMPRESSION AND TRANSFER OF SIMULATION DATA WITHIN AN SDM SYSTEM Matthias Bchse, M. Thiele, H. Mllerschn SCALE GmbH, Germany Agenda Company and Products - Brief Introduction Motivation for Data Compression

579 views • 18 slides
Implementation and Evaluation of a NAT-Gateway for the General Internet Signaling Transport

Implementation and Evaluation of a NAT-Gateway for the General Internet Signaling Transport

Implementation and Evaluation of a NAT-Gateway for the General Internet Signaling Transport Protocol Roland Bless and Martin Rhricht Institute of Telematics, Department of Computer Science KIT University of the State of Baden-Wuerttemberg

345 views • 15 slides
Security Issues in Database Dr.Nermin Hamza Ewais Assistance Professor IT department Faculty

Security Issues in Database Dr.Nermin Hamza Ewais Assistance Professor IT department Faculty

Security Issues in Database Dr.Nermin Hamza Ewais Assistance Professor IT department Faculty of Computing and information Technology King Abd El-Aziz University Abstract Many organizations today are implementing cloud-based solutions to

1.06k views • 84 slides
E-Mail Tools David Hilley davidhi@cc.gatech.edu David Hilley, March 5, 2008 L A T EX - p. 1

E-Mail Tools David Hilley davidhi@cc.gatech.edu David Hilley, March 5, 2008 L A T EX - p. 1

E-Mail Tools David Hilley davidhi@cc.gatech.edu David Hilley, March 5, 2008 L A T EX - p. 1 Roadmap Introduction / Overview Roadmap Introduction Local Mail Utilities Local Mail Utilities &amp; Configuration Mail Server

520 views • 21 slides
CORPORATION December 2, 2011 Fred Hume, President and CEO Safe Harbor The matters that we

CORPORATION December 2, 2011 Fred Hume, President and CEO Safe Harbor The matters that we

DATA I/O CORPORATION December 2, 2011 Fred Hume, President and CEO Safe Harbor The matters that we discuss today will include forward-looking statements that involve risks factors that could cause Data I/O Corporations results to differ

765 views • 30 slides

More recommend