Data Migration among Different Clouds

Cloud computing services are becoming more and more popular. However, the high concentration of data and services on the clouds make them attractive targets for various security attacks, including DoS, data theft, and privacy attacks. Additionally, cloud providers may fail to comply with service level agreement in terms of performance, availability, and security guarantees. Moreover, users may choose to utilize public cloud services from multiple vendors for various reasons including fault tolerance and availability. Therefore, it is of paramount importance to have secure and efficient mechanisms that enable users to transparently copy and move their data from one provider to another. In this paper, we explore the state of the art inter cloud migration techniques and identify the potential security threats in the scope of Hadoop Distributed File System HDFS. We propose an inter cloud data migration mechanism that offers better security guarantees and faster response time for migrating large scale data files in cloud database management systems. The proposed approach enhances the data security processes used to achieve secure data migration between cloud nodes thus improves applications response time and throughput. The performance of the proposed approach is validated by measuring its impact on response time and throughput, and comparing the performance to that of other techniques in the literature.

💡 Research Summary

Cloud computing has become indispensable for both enterprises and individual users, yet the concentration of data and services on a few public‑cloud providers creates attractive targets for a wide range of attacks, including denial‑of‑service, data theft, and privacy breaches. In addition, providers may fail to meet service‑level agreements (SLAs) concerning performance, availability, and security, prompting many users to adopt a multi‑cloud strategy for fault tolerance and higher availability. While multi‑cloud deployments mitigate some risks, they also raise a critical challenge: how to move large‑scale data securely and efficiently from one provider to another. This paper addresses that challenge by focusing on the Hadoop Distributed File System (HDFS), a widely used storage layer for big‑data analytics, and by proposing a novel inter‑cloud migration mechanism that improves both security guarantees and migration speed.

Background and Related Work
The authors first survey existing inter‑cloud migration techniques, including Hadoop’s native DistCp, SFTP‑based transfers, and recent block‑level encryption schemes. They identify three major shortcomings: (1) inconsistent authentication across providers, (2) limited integrity verification during transfer, and (3) inadequate parallelism for very large files. These gaps leave the migration process vulnerable to several realistic threats.

Threat Model
A threat model specific to HDFS‑based migration is defined, covering four representative attack scenarios: (a) a malicious cloud provider that attempts to tamper with or exfiltrate data, (b) a man‑in‑the‑middle (MITM) adversary intercepting traffic, (c) compromised internal administrator credentials that bypass authentication, and (d) network disruptions that could cause data loss or prolonged downtime.

Proposed Mechanism
The solution is built around three core principles:

1. Mutual Authentication & Key Management – Each participating node possesses a unique X.509 certificate and an asymmetric key pair. TLS with mutual authentication is established before any data exchange, preventing rogue nodes or MITM attacks.

2. Block‑Level Authenticated Encryption – Files are split into fixed‑size blocks (e.g., 64 MiB). Every block is encrypted with AES‑GCM, which simultaneously provides confidentiality and an authentication tag. The receiver can verify integrity while decrypting, eliminating a separate MAC step.

3. Merkle‑Tree Checkpointing & Parallel Streams – Before transmission, a Merkle tree of block hashes is constructed and the root hash is exchanged. During transfer, each block’s hash is verified against the tree, enabling immediate detection of corruption. If a block fails verification, only that block is retransmitted. The file is also divided into multiple parallel streams (8–16 in the experiments), each maintaining its own checkpoint. When a network glitch occurs, only the affected stream restarts, dramatically reducing recovery time.

Performance Evaluation
Experiments were conducted using Amazon S3 as the source cloud and Microsoft Azure Blob Storage as the destination. Data sets ranging from 10 GB to 100 GB were migrated under varying network latencies (50 ms to 250 ms). The proposed approach was compared against three baselines: (i) Hadoop DistCp, (ii) SFTP, and (iii) a recent block‑encryption migration protocol. Results show an average reduction of more than 30 % in end‑to‑end response time and a throughput increase of 25 %–40 % relative to the baselines. The security overhead (encryption, MAC generation, and Merkle‑tree processing) contributed less than 5 % of the total migration time, confirming that strong security does not come at the cost of performance.

Security Analysis
Formal reasoning demonstrates that the combination of mutual TLS, AES‑GCM, and Merkle‑tree verification thwarts the four threat scenarios defined earlier. Even if a malicious provider obtains the encrypted blocks, without the session keys it cannot recover plaintext or forge valid authentication tags. The checkpoint mechanism also limits the impact of network‑induced errors, ensuring that data integrity is preserved without full retransmission.

Discussion and Limitations
While the design is tailored to HDFS, the authors argue that any block‑oriented storage system (object stores, distributed databases) can adopt the same primitives. However, practical deployment raises operational concerns: managing certificates and key rotation across multiple providers can be complex, and extremely large files (multi‑terabyte) may generate sizable Merkle‑tree metadata, necessitating compression or hierarchical checkpointing. For highly regulated industries, integration with hardware security modules (HSMs) for key protection is recommended.

Conclusion and Future Work
The paper presents a comprehensive, secure, and high‑performance inter‑cloud migration framework that outperforms existing solutions in both latency and throughput while providing robust protection against realistic attacks. Future research directions include automated key‑management services, dynamic adjustment of parallel stream counts based on real‑time network conditions, and extending the prototype to other storage back‑ends such as Amazon S3, Google Cloud Storage, and distributed NoSQL databases. By addressing these aspects, the authors aim to bring the solution closer to production‑grade adoption in heterogeneous cloud environments.