Digital Certificates and Certification Authorities - Report Example

Secured systems by Table of Contents by Table of Contents 2 Introduction 3 2.Digital Certificates and Certification ities 4 2 Public Key Infrastructure 5 2.2.Digital Certificates 6 2.3.Certification Authority 6 2.4.Certificate Authority Business and Digital Certificates 8 3.Cloud storage 10 4.Conclusions 14 References 16 Appendix 18 1. Introduction The main purpose of this document is to explore the use of digital certificates in assuring the security in the communications and the impact of certification authorities (CA’s) dealing with the issuance of those certificates and validating it in PKI (Public Key Infrastructure). Moreover, this document highlights the technology of cloud storage and its impact in terms of privacy and security, if a bad model is adopted. A digital certificate, which is a component of public key infrastructure, is a digital credential that ensures the security and privacy of communication. The digital certificates basically achieve this purpose by giving a unique identity to the companies, businesses and individuals over the Internet. In addition, it correlates the owner of the certificate with a public key which he further brings into play to make the communications secure and confidential (Flasi et al., 2011; Tidd & Heesacker, 2008). A certification authority business which is a main element of public key infrastructure, issues the digital certificates that are used by the applications which involve the communication of critical data, to ensure the security. Public keys are acquired from a digital certificate that is issued and signed by the certification authority and it must be validated that the public key is not reproduced fraudulently. Trusting a certification authority is the responsibility of the application which is using the digital certificate issued by that particular certification authority. It is needed to be verified before making a decision to give affirmation to a certificate that the certification authority’s private key is managed only by itself and the signatures of certification authority on the certificate (Lin et al., 2012; Lin et al., 2007). The other part of the document focuses on the cloud storage and the impact of a bad model in term of privacy and security of stored assets. Cloud storage refers to storing resources in a cloud computing environment. It is basically an arrangement of different components such as network related devices, devices to store the resources (data) , application servers and software, interface allowing public accessibility, services to access the business, providing the storage of data external to the business. In addition, cloud storage is not particularly concerned with any specific device however it deals with a number of storage devices and servers with a number of users related to those servers. The main concept of a cloud storage system basically defines the applications software and devices related to cloud computing. A combination of storage devices and applications software is used to provide a storage service in a cloud computing environment (Zhu & Wang, 2012). The structure of the report is as follows: next section presents the details about digital certificates, certification authorities and the influence of the expansion of certification authority businesses on digital certificates. After that cloud storage and the impact of the adoption of bad model on the promises made by clouds storage will be discussed and the last section summarizes the conclusion. 2. Digital Certificates and Certification Authorities Due to the quick advancements of technology, the majority of business organizations are heavily adopting latest technology trends such as web and internet network technology, e-commerce, e-government and enterprise network management. Such kinds of applications engage a lot of critical and private information. As the information is needed to be communicated over open, unsecured networks, taking into account the risks involved in the distributed nature of businesses, the information security has become the major concern for online applications. Institutions and organizations are focusing on the protection of the information against unauthorized access. In this scenario, different authentication schemes (e.g. digital certificates) have been employed which ensure the privacy, security and authorized access of the confidential information (Kehe et al., 2012). 2.1. Public Key Infrastructure Since 1980’s public key encryption has been used in various applications to ensure the secure communication of data. Furthermore, public key encryption and public key infrastructure have been utilized for the security of e-mails. Taking into account the security of critical information being transferred in the mails over unprotected networks, large and medium sized organization have now realized the significance of these technologies (Rawles & Baker, 2003). In addition, for the purpose of the security of information and data, a system, public key infrastructure (PKI) is employed which supports the use of digital certificates and the encryption of documents in an organization. Digital certificates and encryption are basically used to ensure the security of information that is communicated between different entities in a business process (Henry, 1999). Moreover, public key infrastructure is followed by established standards and it has emerged as a main management platform which makes use of different techniques such as public key encryption theories for the provision of security services. Its main components are the certification authority and a certificate server (Kehe et al., 2012; Tidd & Heesacker, 2008). (For details, see appendix). 2.2. Digital Certificates Inside the system of public key infrastructure, a digital certificate is an electronic file which is used to uniquely identify the entities such as web sites, organizations and individuals in or to ensure the security and privacy of the communication. Digital certificates provide the user with a public key that is used to make his/her communications over the internet more secure using the capabilities of public key infrastructure making it a digital credential. The X.509 is a standard which principally describes the different sections or contents of a digital certificate, some of those sections specify the issuer of the digital certificate, validity, name of the certificate, and a public key which is associated with the user. Web browsers are capable of authenticating/validating the digital certificates owned by different websites and let the users know about the security of the communication with the website. It ensures the security of the communication as the digital certificates confirms the fact that the website in question is controlled by its owner not by a fake entity that may be trying to adopt the identification of business and fraudulently performing the transactions on the behalf of the business. Hence, the digital certificates increase the level of trust of the users who may be interacting with different businesses over the internet (Flasi et al., 2011; Siau & Shen, 2003; Velmurugan, 2009). Digital certificates mostly utilize RSA algorithm for underlying cryptographic processes (see appendix). 2.3. Certification Authority Certification authorities are the trustworthy authorities which create and issue the digital certificates to the users. A certification authority enforces a security policy which defines the key pairs (public key and private key) and other attributes of the certificate over time, hence sets the validity period of a digital certificate. The trustworthiness of the certificate is guaranteed within this period. The validity period of the key pairs or attributes is mentioned and signed along with the relevant data in the certificate by the certification authority. In this way the consistency and trustworthiness of the certificates are assured and it is ensured that the certificates are not fake and typically securely put forward to an authority that provides the certificates. The authority is generally named as a directory. Usually, the validity time of a digital certificate spans over a number of months and two years. However, in some exceptional cases, a certificate must be invalidated which means that its validity must be brought to an end earlier than its actual validity period. It is required to specifically define the revocation management for directories, certification authorities and users. Hence certification authorities are responsible to bring out an appropriate security policy, and must gain user’s trust for its revocation services. Certification authorities must inform the users to whom they issue the certificate that in which circumstances a revocation service would be initiated. The owner of the digital certificate or the approved representative, whose name is defined in the certificate or by a certification authority, is authorized to initiate the revocation service. Otherwise only the certification authority is authorized to revoke the digital certificates and meets the terms with a revocation request in view of the fact that the initiator is capable to provide evidence of his authorization. Typically, the state of all digital certificates is put forward in the directory which is responsible to respond to all the queries of the users with respect to the validity of the certificates. Certification authorities can publish a security policy which may allow other authorities to provide this service as well (Wohlmacher, 2000). There is a special type of certification authority named as Bridge Certification Authority (BCA) that exists with the purpose of connecting with public key infrastructure. BCAs provide the strategic advantage by enhancing the potential of existing enterprises, by giving the users permission to contribute in business processes through digital certificates powered by different enterprise public key infrastructures. BCAs establish mutual public key infrastructures involving public key infrastructures from several organizations by setting up trustworthiness with every contributing enterprise public key infrastructure. This combined public key infrastructure in turn ensures and enhances the security of communication and transactions over the internet but with the added complexity when the digital certificates are to be checked for acceptability (Polk et al., 2003). So far as the structure of certification authority business is concerned basically two architectures or a hybrid of those is followed. These architectures are hierarchical and cross-certified (shared trust). (For details, see appendix). There is a drawback associated with the hierarchical topology that is a failure at root level can affect the whole operation of the certification authority business. In the hierarchical model, the certification authority at root level ensures that the subordinate certification authorities obey to a set of practices in order to keep up with the established community of trust. Certain audits are planned to examine if the subordinate certification authorities are conforming to policies defined by the root certification authority. The cross-certified model is based on peer to peer model, where a peer to peer connection is built between cross-certified certification authorities. Instead of setting up a certification authority at the root level the trust is shared between the certification authorities who are known to one another. In this model, a process, cross certification, is involved in which two certification authorities confirm the acceptability and the trustworthiness of the digital certificates of each other (Flasi et al., 2011; Sheehy et al., 2011; Siau & Shen, 2003).(For details see appendix). 2.4. Certificate Authority Business and Digital Certificates With the rapid expansion in the business of certification authorities, where a large number of certification authorities have been established issuing the digital certificates, it has become almost impossible to verify the trustworthiness of a certification authority in question. This fact has affected the trust of the community on the legitimacy of digital certificates. Hence, due to the expansion of business it has become so difficult for the subscribers and users to determine if the audit process ensuring the conformance to policies of certification authorities can be trusted. Since a large number of certification authorities are working in a distributed manner all around the globe, so the registration authorities that are in charge of conducting the audit for the certification authorities cannot even directly access the local databases. In fact, a certification authority in each city or country may be having its own database, so it weakens the audit process and it is not expected to conform to the standards and may not be able to figure out if the documents proving the identity of a certification authority can be fake which making it impracticable to confirm the authenticity of a business (Flasi et al., 2011; Sheehy et al., 2011; Siau & Shen, 2003). Furthermore, the process of confirming the identity of a certification authority in question is outsourced by the registration authority which makes it even hard for the subscribers to trust because more entities get involved in the process making it more prone to fraudulent activities. An effort is doubled as the registration authorities have to recheck the process performed by the subcontractors. In the views of users and subscribers of certification authorities, such suspicious process increases the risk of the issuance of fake and deceptive digital certificates as those may be issued by a certification authority which would have proven its identity using fake identity documents or by other fraudulent ways such as using the identity of a legitimate certification authority by obtaining and presenting its identity documents in the audit process where the acceptability for the certification authority is verified. In addition to this, businesses become heir to the digital certificates of the hosting companies who host their websites. So such certification authorities can use those certificates to prove their identity thus faking it. So in the light of the aforementioned facts, the rapid expansion of the certification authority business has welcomed the risks of being trapped by the illegitimate businesses for the users. Hence, it has resulted in the lack of trustworthiness and confidence from the community of interest and the trust on digital certificate is heavily compromised (Flasi et al., 2011; Sheehy et al., 2011; Siau & Shen, 2003). 3. Cloud storage Cloud computing technology has come forth as shared resource computing pool, designed over a network containing server, storage services and other applications in its infrastructure, ensuring prompt supply and release of resources through the interaction with service providers. Due to rapid developments in the field of cloud computing technology a wide variety of storage methods have been introduced such as Amazon Web Services, Google App Engine, and Software as a Service (SaaS) applications provided by the companies like Salesforce.com (Su et al., 2012; Weiss, 2007; Tchifilionova, 2011). Basically, cloud storage, which is a modernized version of the existing storage model, is a special form of architecture services. Seeing that cloud-like generalized network and the Internet, cloud storage is very much clear to the user, does not directs to a specific device, but it is the distributed composition of multiple storage devices. The main concept of cloud storage is a mixture of application software and storage devices which basically transforms a traditional storage concept into cloud storage service. Cloud storage, benefiting as well as confining the database management system, has the following peculiarities: It ensures automatic backup in case of a system failure as it keeps a redundant backup for a sub-block file which is kept in another server in order to provide a guard against any hardware failure. The interruption in the service is handled as in case if the server requires updating, the old storage file is easily moved to another storage server and when updating is completed, the file is restored back on that updated server. With cloud storage environment, the load is equally balanced as no storage server is overloaded in order to ensure that it won’t create a bottleneck because of an overloaded server. The performance of the cloud storage can easily be improved as it would require just adding a new storage server (Su et al., 2012; Weiss, 2007; Tchifilionova, 2011). In addition, the enterprise cloud storage system consists of a wide variety of components such as storage node (data pooling, data pooling management layer and storage devices), Storage node set management layer, Storage node set, application interface layer. Additionally, storage node that is a fundamental element of cloud storage is further divided into three subparts: data pooling, data pooling management layer and storage devices (Zhan & Sun, 2009). For details of the cloud storage system, see appendix. 3.1. Security and Privacy in terms of Cloud storage One fundamental aspect of cloud storage is outsourcing of data to the cloud. From the point of view of the users i.e. individuals and IT organizations, remote storage in the cloud in a robust on-demand way, comes with certain advantages. It provides a relief against the trouble of storage management, the remote access to the data, and saving of capital costs of hardware, software, and resource maintenance. At the same time as cloud storage, attract users with these advantages; if cloud storage service providers are adopting a bad model in this domain, it also introduces certain risks and security threats. In view of the fact that the cloud service provider is an independent administrative entity, therefore data outsourcing is in fact handing user’s decisive control over the data to the providers, so a bad model of cloud storage may put accuracy and privacy of data in cloud in danger. Indeed the fundamental infrastructures under the cloud are much consistent and effective as compared to traditional computing devices, however, these are having extensive array of inside and outside threat for data reliability (Wang et al., 2013; Josyula et al., 2011; Rittinghouse & Ransome, 2009). Certain instances of suspension of operation and security failures of significant cloud services come into view over the time. Secondly, some incentives may attract cloud service providers to operate disloyally to cloud users with respect to the status of their outsourced data. Cloud storage service providers might repossess storage because of financial issues of disposing the data that is accessed once in a blue moon, or may even hide from view, the data loss occurrence to keep up a good status. Concisely, outsourcing data in the cloud is economically favorable for long term storage on a large scale but a bad model of cloud storage will not guarantee the data reliability and accessibility. This problem may hinder the success of the cloud architecture. In terms of a bad model of cloud storage, as a user got no physical possession of data, conventional cryptographic techniques to ensure the privacy and confidentiality of data against illegitimate accesses may not be applied. Specifically, to verify the integrity of data, just downloading it all is not a good solution at all. As the I/O transmission may be expensive across the network. In addition, sometimes it is not adequate to find out data fraud just when accessing the data, as it does not assure user of the accuracy of data which is not accessed and it might be too late to retrieve the lost or damaged data. Taking into account the huge volumes of the data that is outsourced and users’ naturally restricted possession over the data, it may be expensive for the users to assure the correctness of the data in the process of auditing. Furthermore, cloud usage should be reduced as much as possible, so that the user needn’t to carry out too many processes to make use of data. In fact, the user would not want to undergo many complications in order to confirm the data reliability (Wang et al., 2013; Josyula et al., 2011; Rittinghouse & Ransome, 2009). In addition, more than one user may be accessing the same cloud storage, for example in an organizational environment. For the sake of easy management, it should be like, cloud only considers the authentication request of a single selected user group. The model for cloud storage must be amended, so that to save computation resources and online burden for the users, and to make sure of data integrity, auditing service must be enabled for cloud data storage. So that users may have an option of contacting with an independent third-party auditor so that an audit of the resources data may be conducted when it is desirable. The third party auditor turns out to be much more skilled and proficient in verifying the integrity of data stored in cloud than the users themselves and it also proposes a lot more easy and reasonable means for users to guarantee their storage in the cloud. Additionally, it would not only assist users in estimating the risk of their subscribed cloud storage services but also the audit results of the process conducted by third party auditors would also gainful for cloud service providers. In this scenario, it will help them better their cloud storage service platform. In a nutshell now, in order to emerge as an established provider, cloud storage service providers must improve their service provision model, facilitating the subscribers with public auditing services which would play a significant role to increase user satisfaction by verifying the security and privacy of data, where users will be desiring to evaluate risk and put on trust in the cloud. In recent times, the concept of public audit has been anticipated in the perspective of verifying the integrity of remotely stored data under various security models for cloud storage (Wang et al., 2013; Josyula et al., 2011; Rittinghouse & Ransome, 2009). When a bad model for cloud storage service in terms of data privacy is applied, with respect to the handling of private data, situations are more complex. In this scenario privacy deals with gathering, utilization, disclosure, storage, and distribution of personal data. Bad model does not guarantee the users who own private data that whether their personal information is consistently being used with the purposes of collection of that information. Users are unaware if their personal information is being shared with third parties (Chen & Zhao, 2012). Third parties are not guaranteed to be authentic which may result in the leakage of private information of the cloud storage service providers. There are evidences that immature clouds equally affect the privacy of end-users and their private data are made open to hackers due to inadequate security measures examples include bugs in access control enforcement systems, 2009 Google cyber attack or to governments. Even though skilled consultants to take adequate security measures are hired by the companies but ultimate users usually lack awareness and resources for the security to evaluate the practices of cloud storage service providers. Following an immature model, cloud storage service providers don’t reflect the risks of data confidentiality, security and privacy in their terms of services and privacy policies. It is frequent practice cloud storage services which are free of cost, these services do not offer any sureties of the service, to suppose no accountability for any loss or damage to the data, and to reserve the rights to disable the accounts of users without any sufficient reason or warning and to stop the service at any point in time, which may result in total loss of valuable data of the users. Users on their behalf also show carelessness by not paying heed to the terms of service and privacy policies (Ion et al., 2011). 4. Conclusions Digital certificates have been compromised due to the expansion in the business of certification authority. It has become so difficult for the subscribers and users to determine if the audit process ensuring the conformance to policies of certification authorities can be trusted. As this business is so much expanded and certification authorities are geographically distributed all around the globe, the audit process has become so complex, registration authorities, who perform the audit, are not able to properly evaluate the identity of certification authority business. This fact has damaged the trust of a community of interest, which is the main factor, hindering adopting the use digital certificates. Concluding the second part of the report, if cloud storage service providers are adopting a bad model in this domain, it also introduces certain risks and security threats. Since cloud service providers are independent administrative entity, consequently data outsourcing is in fact handing over user’s decisive control to the providers, so a bad model of cloud storage may put accuracy and privacy of data in cloud in danger. Moreover, if service provider doesn’t keep the storage of data transparent to the user, since user got no physical possession of data, he/ she would be still doubtful if conventional cryptographic techniques to ensure the privacy and confidentiality of data against illegitimate accesses may not be applied. The main reason for the security and privacy risks however could be that users usually lack awareness and resources for the security to evaluate the practices of cloud storage service provider. Security and privacy policies are not usually published by immature cloud storage service providers, and even if published, the user doesn’t pay heed to it which results in the provision of service according to providers will and ultimately may result in security breaches and privacy leakage. References Chen, D. & Zhao, H., 2012. Data Security and Privacy Protection Issues in Cloud Computing. In International Conference on Computer Science and Electronics Engineering (ICCSEE). Hangzhou, 2012. IEEE. Flasi, A.A., Serhani, M.A. & Barka, E., 2011. A collaborative reputation-based vetting model for online certification of businesses. In KCESS 11 Proceedings of the Second Kuwait Conference on e-Services and e-Systems. KU Kuwait University, 2011. ACM. Henry, D., 1999. Whos got the key? In SIGUCCS 99 Proceedings of the 27th annual ACM SIGUCCS conference on User services: Mile high expectations. New York, 1999. ACM. Ion, I., Sachdeva, N., Kumaraguru, P. & Capkun, S., 2011. Home is Safer than the Cloud! Privacy Concerns for Consumer Cloud Storage. In Symposium on Usable Privacy and Security (SOUPS) 2011. Pittsburgh, PA, USA, 2011. Josyula, V., Orr, M. & Page, G., 2011. Cloud Computing: Automating the Virtualized Data Center. 1st ed. New York: Cisco Press. Kehe, W., Wei, C. & Yueguang, G., 2012. The Research and Implementation of the Authentication Technology Based on Digital Certificates. In 2012 Fourth International Conference on Computational and Information Sciences (ICCIS). Chongqing, 2012. IEEE. Lin, J., Jing, J. & Liu, P., 2007. Framework for Intrusion Tolerant Certification Authority System Evaluation. In (SRDS 2007), 26th IEEE Symposium on Reliable Distributed Systems. Beijing, China, 2007. Lin, J., Jing, J. & Liu, P., 2012. Evaluating Intrusion-Tolerant Certification Authority Systems. Quality and Reliability Engineering International, 28(8), pp.825-41. Polk, W., Hastings, N. & Malpani, A., 2003. Public key infrastructures that satisfy security goals. IEEE Internet Computing, 7(4), pp.60-67. Rawles, P.T. & Baker, K.A., 2003. Developing a public key infrastructure for use in a teaching laboratory. In CITC4 03 Proceedings of the 4th conference on Information technology curriculum. New York, 2003. ACM. Rittinghouse, J. & Ransome, J., 2009. Cloud Computing: Implementation, Management, and Security. 1st ed. Boca Raton, FL, USA: CRC Press, Inc. Sheehy, D.E. et al., 2011. Trust Service Principles and Criteria for Certification Authorities. Supersedes WebTrust for Certification Authorities Principles Version 1.0 August 2000. Canadian Institute of Chartered Accountants. Siau, K. & Shen, Z., 2003. Building customer trust in mobile commerce. Communications of the ACM , Volume 46 Issue 4, pp.91-94. Su, L., Li, L., Zhang, L. & Nie, X., 2012. Research and Design of Electric Power Private Cloud Data Storage Model. In Fourth International Conference on Computational and Information Sciences (ICCIS). Chongqing, China, 2012. IEEE. Tchifilionova, V., 2011. Security and privacy implications of cloud computing: lost in the cloud. In iNetSec10 Proceedings of the 2010 IFIP WG 11.4 international conference on Open research problems in network security., 2011. Springer-Verlag Berlin, Heidelberg. Tidd, R.R. & Heesacker, G., 2008. Digital Signatures and Certificates. CPA Journal, 78(5), pp.60-61. Velmurugan, M.S., 2009. Security and Trust in E-business: Problems and Prospects. International Journal of Electronic Business Management, 7(3), pp.151-58. Wang, C. et al., 2013. Privacy-Preserving Public Auditing for Secure Cloud Storage. IEEE Transactions on Computers, 62(2), pp.362-75. Weiss, A., 2007. Computing in the Clouds. ACM Networker Volume 11, Issue 4, pp.18-25. Wohlmacher, P., 2000. Digital certificates: a survey of revocation methods. In MULTIMEDIA 00 Proceedings of the 2000 ACM workshops on Multimedia. New York, 2000. ACM. Zhan, Y. & Sun, Y., 2009. Cloud Storage Management Technology. In ICIC 09 Proceedings of the 2009 Second International Conference on Information and Computing Science - Volume 01., 2009. IEEE Computer Society Washington, DC, USA. Zhu, Y. & Wang, Y., 2012. A Safety Design of Cloud Storage. In 2012 Fourth International Conference on Computational and Information Sciences (ICCIS). Chongqing, China, 2012. IEEE. Appendix Cryptography Technique for Digital Certificates In view of the fact that digital certificates make use of RSA algorithm designed for public key cryptography, hence every certificate is based on a pair of a private key and public key. In this scenario, the user holds the private key that they use for the decryption of digital signature and encrypted information. On the other hand, a public key that is presented to other entities is fundamentally used for encrypting the information and verification and validation of the digital signature. For security purpose the process of encryption with digital certificates cannot be reversed. They only way to decrypt the information is to match the private key after the data has been encrypted using public key. In this way, sending data to a third party with a public key encryption scheme in digital certificates is made confidential and secured. Since a 1024 bit private key is owned by the user, so it is impossible for the data to be accessed by a fake third party even the public key and cryptography is all known (Kehe et al., 2012). Components of Public Key Infrastructure Certification authority that is the vital component of public key infrastructure is believed to be in charge of issuing digital certificates, validating and verifying the certificates and managing the issued certificates. In this scenario, the certificate server performs various management related tasks for issued certificates. In addition, it is responsibility of the certificate server to provide the capabilities of querying, storage, and recovering issued certificates by a certification authority. In view of the fact that digital certificates are the foundation of this authentication scheme hence public key infrastructure is followed to provide digital certificates to users. Rather than developing an organization’s own public key infrastructure service, existing PKI services are utilized. In this scenario, some of the well-known examples of such existing public key infrastructure services include: Entrust Authority of Entrust, service of Managed PKI of VeriSign and Windows Server systems from Microsoft, and so on. Users can directly apply for the digital certificates by registering for these products through the web browsers Structure of Certification authorities’ Business Following a hierarchical model, a certification authority is set up at a higher/root level and further subordinate certification authorities may be deployed for different business units, fields or areas of interest. The certification authority at the root level is responsible for validating the secondary certification authorities, which are then responsible for issuing digital certificates to the certification authorities at lower levels of directly to the users. So, keeping in view the security concerns, certification authorities at root level needs to confirm more strict requirements of security than it is significant for a subordinate certification authorizes. As if the root certification authority is illegally accessed, it would be easier for attackers to perform illegal operations on the behalf of the root certification authority. Even though it is hard for an attacker to hack the certification authority at root level as it rarely perform online operations, only if it has to issue, renew or initiate the revocation services of subordinate certification authority digital certificate (Flasi et al., 2011; Sheehy et al., 2011; Siau & Shen, 2003). If two certification authorities named CA1 and CA2 work in a cross-certified model, CA2 would be sharing its public key in the digital certificate that is issued and digitally signed by CA1. Accordingly, it is assured to the subscribers or the users of each certification authority that the certification authorities share the trust among them so consequently users of each certification authority also trust each other. As compared to hierarchical model there is not a single point of failure for certification authorities in cross-certified model. On the other hand, the strength of the cross-certified certification authorities’ network is affected by the weakest certification authority and it needs a frequent enforcement of policies. Audits are planned in the cross-certified model, to evaluate if each participating certification authority adheres to agreed policy, established by the member of a community of trust (Flasi et al., 2011; Sheehy et al., 2011; Siau & Shen, 2003). Cloud Storage System In this cloud storage system, storage devices can comprise fiber channel storage devices, networking storage devices, additional devices compatible with cloud storage services or direct-attached storage devices. Moreover, data pooling is basically a data set that encompasses different components such as historical data pooling, backup pooling, online data pooling and data warehouse. In fact, with data pooling management layer, the data in data pooling is managed dynamically, which saves the data in the pool from getting wasted. This ensures secrecy, accessibility and reliability of the data. The storage node set is a network which connects distributed storage nodes whereas storage node set is controlled and managed by the storage management layer. Furthermore, through cluster, grid computing technology and distributed file system, a management implementation must be designed with the purpose of managing cloud storage nodes, to make sure that a number of storage nodes work in coordination in cloud storage, to automate the monitoring of the state of Storage node (Zhan & Sun, 2009). Read More