Auditing a Cloud provider's Compliance with Data Backup Requirements

DESCRIPTION

The new developments in cloud computing have introduced significant security challenges to guarantee the confidentiality, integrity, and availability of outsourced data. A service level agreement (SLA) is usually signed between the cloud provider (CP) and the customer. 

For redundancy purposes, it is important to verify the CP's compliance with data backup requirements in the SLA. There exist a number of security mechanisms to check the integrity and availability of outsourced data. 

This task can be performed by the customer or be delegated to an independent entity that we will refer to as the verifier. However, checking the availability of data introduces extra costs, which can discourage the customer of performing data verification too often. 

The interaction between the verifier and the CP can be captured using game theory in order to find an optimal data verification strategy. In this paper, we formulate this problem as a two player non-cooperative game. 

We consider the case in which each type of data is replicated a number of times, which can depend on a set of parameters including, among others, its size and sensitivity. 

We analyze the strategies of the CP and the verifier at the Nash equilibrium and derive the expected behavior of both the players. Finally, we validate our model numerically on a case study and explain how we evaluate the parameters in the model.

WORK RELATED WITH CLOUD PROVIDER’S COMPLIANCE

It is important to verify the cloud provider’s compliance with the security requirements in the SLA. For example, Popa et al. designed a proof-based system to enable security guarantees in an SLA. 

In recent years, a significant amount of data integrity schemes were proposed by different researchers, and have been gradually adapted to specific use cases such as outsourced databases and cloud computing, for which works focusing on public verifiability issues, were noticeably helpful and allowed clients to delegate the verification process to third parties. 

Among these schemes, the two main directions explored by researchers include the Provable Data Possession (PDP) for ensuring possession of data, and the Proof of Retrievability (POR) for data possession and retrievability. 

The main idea of PDP is that a data owner generates some metadata information for a data file to be used later for verification purposes. 

Many extensions of this scheme managed to decrease the communication cost and complexity, as well as to allow dynamic operations on data such as insertion, modification, or deletion. Moreover, proposed PDP schemes specific to cloud computing.