Methods of Encryption in Cloud Object Storage : OpenStack & IBM Cloud

Users can encrypt each object on cloud storage using the provider’s way, such as using private and public keys. Throughout various articles on this site we discussed about cloud storage and security methods. We often talk around data encryption on cloud storage but avoid going in-depth. Object Storage is a data storage architecture which manages data as objects. Each object typically includes the data, metadata, and an unique identifier. Object storage can be implemented at device level, system level and/or interface level. With growing development of the digital library and mobile devices, the information resources are growingand all information is stored in the form of a file. Object storage system is a distributed storage architecture where a file is divided into multiple objects stored in the storage hardware by the use of the data path and control path separation. The users can retrieve the metadata information of a file by directly thereby improving the efficiency of the storage.

Methods of Encryption in Cloud Object Storage

General purpose storages commonly used encryption schemes only encrypt a file by the all-or-none encryption approach. This way does not distinguish the sensitive part from non-sensitive. For the need of different levels of security on a particular area within a file, these encryption schemes encrypt the entire file with different algorithms. Result is many encrypted files. It wastes a lot of storage space and computing power.

BLESS (oBject Level Encryption for Secured object-based storage System) was designed and implemented in Lustre. Lustre file system provide the bulk data storage for all file content. Each OSS provides access to a set of storage volumes referred to as Object Storage Targets (OSTs) and each object storage target contains a number of binary objects representing the data for files in Lustre. Files in Lustre are composed of one or more OST objects, in addition to the metadata inode stored on the MDS. Lustre consists of a Client, Meta Data Server (MDS) and OSD tripartite composition, in which the Client is responsible for the user interface, and makes file accessing requests to the storage system. MDS is responsible for managing the file’s metadata information, and scheduling the work of a multi-OSD. The data storage work is completed in the OSD.

OpenStack object storage (Swift) supports the optional encryption of object data at rest on storage nodes. The encryption of object data is intended to mitigate the risk of users’ data being read if an unauthorized party were to gain physical access to a disk. Encryption of data at rest is implemented by middleware that may be included in the proxy server WSGI pipeline. The feature is internal to a swift cluster and not exposed through the API. Clients are unaware that data is encrypted by this feature internally to the swift service; internally encrypted data should never be returned to clients through the swift API. Any data or metadata not included which are not encrypted, includes account, container, and object names, object size etc. Documentation of OpenStack object storage encryption can be found here :

IBM uses an Information Dispersal Algorithm (IDA) that is similar to erasure coding as a mechanism for determining data placement. In the same way, access to Oracle’s object storage is based on Oracle Cloud’s Infrastructure Identity and Access Management, which ensures that data is only accessible to authorized users who have been properly authenticated. IBM COS is good for implementing high security with custom software. One can encrypt IBM Cloud Object Storage with own key & combine with their erasure coding aka Information Dispersal Algorithm (IDA). IBM Cloud Object Storage supports multiple authentication methods including OpenStack Keystone Identity Service. IBM Cloud Object Storage provides built-in encryption of data at rest and in motion. Data is encrypted in motion using TLS and at rest using IBM’s innovative SecureSlice, which combines encryption, erasure coding, and geo-dispersal of data.

Conclusion

Although different types of cloud storages are known, a minor percentage of the users (and also the developers) are aware of the encryption features offered by the cloud object storage services.