KTH-SEECS Applied Information Security Lab

National University of Sciences and Technology (NUST)

Secure Sharding and Key management in Cloud

Domain:Cloud database security

Status: Completed
Contact Person(s): Anam Zahid , Awais Shibli

NoSQL databases are non relational databases specially designed to provide high availability, reliability and scalability with big data processing capabilities. These databases are further classified into key/value stores, document stores, object stores, tuple stores, column stores and graph stores etc. There are many NoSQL databases available in market e.g MongoDB, CouchDB, RavenDB, Amazon’s SimpleDB etc. MongoDB is one of the most widely used NoSQL database out of these. It is a schema-free document database written in C++ and developed as an open-source project which is mainly driven by the company 10gen Inc.

Sharding is one of the main advantages of NoSQL databases. Database Sharding is a highly scalable approach for improving the throughput and overall performance of high-transaction, large database-centric business applications. The main idea behind sharding is to partition database/collection horizontally among various nodes known as shards. Furthermore, the security of shards is an important factor in an organization as any organization considers its data as a valuable asset. A NoSQL database such as MongoDB provides this security by providing authentication and authorization across cluster.

This project aims to provide effective access control and data encryption in MongoDB to ensure the security of unstructured data residing on domains of multiple cloud providers. Our proposed solution will offer user authentication, data security, encryption key security and load balancing by using MongoDB’s existing sharding architecture. This will be done by embedding collection level fine grained access control using XACML for user authorization. Authorized users send query request to HCSP’s (Home Cloud Service Provider) query router for successful query results. All of the sharded data will be stored across multiple cloud providers after trust establishment and a secure channel is established for data protection and communication over the network. Moreover, each cloud will have its own encryption/decryption engine which provides field level data encryption while encryption keys will be stored in a single KDS (Key Distribution Store) after successful security certificate exchange. This solution will not only provide security of data-at-rest but also data transmission security across MongoDB sharded data stores. 

Architecture

 


Project Documents:

  • Publication

      ► "Security of sharded NoSQL databases: A comparative analysis" (Link)