The following data security control mechanisms are commonly deployed together to bolster security, though in specific cases only one, or none, may be used. Controls like encryption are so common that they have become the de facto security measure for traffic crossing the internet. Other controls add layers of protection at the cost of performance: tunneling, for example, hides the original source and destination IP addresses from intermediaries and secures the connection between two endpoints, but the extra encapsulation and encryption work adds network overhead that can degrade throughput and latency.
Data security first brings to mind encryption. Encryption transforms data so that it is unreadable to anyone who does not hold the decryption key. It should be distinguished from obfuscation, or data masking, which hides sensitive values according to a defined pattern: substitution, shuffling, and partial redaction are all masking techniques, and however elaborate the pattern, they can often be reverse-engineered because no secret key protects them. Ciphers are the proper tool: well-studied algorithms that turn plaintext into ciphertext under a key, so that the security rests on the secrecy of the key rather than on the secrecy of the method. Data must be encrypted in two states: at rest (stored data) and in transit (data moving across a network).
Encryption at rest covers data stored on any storage medium (USB sticks, DVDs, hard drives, etc.) or in cloud storage, which is ultimately banks of storage servers. It can be implemented at several layers: the storage device, the file system, the operating system, the database, or individual files and folders. At the device layer, self-encrypting drives transparently encrypt everything written to them. Storage controllers and operating systems can encrypt whole volumes or file systems; Windows provides BitLocker (volume) and EFS (file and folder), and macOS provides FileVault. More granular still, databases can encrypt individual columns or rows within their schemas, so that confidential fields such as bank account numbers, social security numbers, and other personally identifiable information stay encrypted even when the rest of the table is readable, with the decryption key held in a key management service outside the database. Each layer defends against a different attacker: full-disk encryption protects against a stolen drive but not against a user or process on the running system, whereas column-level encryption protects against a leaked database dump but requires the application to manage keys.
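As an added illustration of the column-level case (this is example code written for this page, not code from the original text or from any particular database product), the following Go program encrypts one database cell with AES-256-GCM and binds the column name in as associated data, so a ciphertext copied from the "ssn" column into another column, or modified in place, fails to decrypt. The key is derived from a constructed placeholder string purely so the example runs offline; in a real deployment it would come from a KMS or HSM, and the column names and sample record are constructed as well.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DemoKey stands in for a 256-bit data encryption key fetched from a KMS or
// HSM. It is derived from a constructed placeholder string so the example
// runs offline; a real key is never derived from a literal in source code.
func DemoKey() []byte {
	sum := sha256.Sum256([]byte("constructed-demo-master-secret"))
	return sum[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField encrypts one database cell with AES-256-GCM. The column name
// is passed as associated data: it is authenticated but not encrypted, so a
// ciphertext copied into a different column fails to decrypt. The returned
// blob is nonce || ciphertext || tag, which is what gets stored in the table.
func EncryptField(key []byte, column string, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(column)), nil
}

// DecryptField reverses EncryptField. Any change to the blob, or a mismatch
// in the column name, makes the authentication tag check fail.
func DecryptField(key []byte, column string, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(column))
}

func main() {
	key := DemoKey()
	// Constructed sample record.
	ssn := []byte("123-45-6789")
	blob, err := EncryptField(key, "customers.ssn", ssn)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %x\n", blob)

	pt, err := DecryptField(key, "customers.ssn", blob)
	fmt.Printf("same column: %q err=%v\n", pt, err)

	_, err = DecryptField(key, "customers.email", blob)
	fmt.Println("moved to another column:", err)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptField(key, "customers.ssn", tampered)
	fmt.Println("tampered ciphertext:", err)
}
```

The design point is that a random nonce per cell makes equal values encrypt differently (so an attacker with a dump cannot see which rows share a value), while the associated data ties each ciphertext to its column; an encrypted cell therefore cannot be used for equality searches or indexing, which is the usual operational cost of column-level encryption.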
Public Key Infrastructure (PKI)
Public key infrastructure (PKI) is a hierarchy of certificate authorities (CAs) that issue trusted digital certificates to entities such as users, applications, servers, and other devices. A certificate binds an entity's public key to its identity and is signed by the CA that issued it. The public key in a certificate is used to encrypt data for its owner or to verify the owner's digital signatures; only the owner, holding the matching private key, can decrypt that data or produce those signatures. Verifying a certificate chain, from the leaf certificate up to a trusted root CA, is what lets a relying party trust an identity it has never seen before.
PKI entails coordinating certificate management, key management, digital signatures, and secrets management. Certificate management covers an organization's processes for issuing, renewing, storing, validating, and, when needed, revoking digital certificates (through certificate revocation lists or OCSP). A key management system (KMS) generates, stores, rotates, and controls access to cryptographic keys and records each key's lifecycle for audit; applications reference keys by identifier instead of handling raw key material. Digital signatures provide integrity, authentication, and nonrepudiation: a valid signature over a document can only have been produced by the holder of the private key, so the signer cannot later deny it, provided the private key was kept private. Secrets in the cloud, including API keys, passwords, and access credentials, must also be managed; the major cloud vendors offer their own secrets management services that store them encrypted and control and log access to them.
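To make the chain-of-trust and nonrepudiation points concrete, here is an added example (written for this page, not code from the original text or from any CA product) that builds a two-level PKI in Go: a self-signed root CA issues an end-entity certificate, a relying party verifies the leaf against the root it trusts (and rejects it against an unrelated root), and the leaf's private key signs a document that anyone holding the certificate can verify. The CA name, subject name, and document contents are constructed for the example, and key generation happens in memory rather than in an HSM.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs template with the signer's key and returns the parsed certificate.
// When parent == template the result is self-signed, i.e. a root CA.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewRootCA generates a key pair and a self-signed CA certificate valid for a day.
func NewRootCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// IssueLeaf has the CA sign an end-entity certificate binding name to a new key.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, err := issue(tmpl, ca, &key.PublicKey, caKey)
	return cert, key, err
}

// VerifyChain is the relying party's check: a path from leaf to a trusted root
// with valid signatures, validity dates and key usages.
func VerifyChain(leaf, trustedRoot *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// SignDocument: only the private key holder can produce this (nonrepudiation).
func SignDocument(key *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyDocument checks the signature with the public key from the certificate.
func VerifyDocument(cert *x509.Certificate, doc, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	root, rootKey, _ := NewRootCA("Example Corp Root CA") // constructed names
	leaf, leafKey, _ := IssueLeaf(root, rootKey, "alice@example.com")
	other, _, _ := NewRootCA("Unrelated Root CA")
	fmt.Println("chain to our root:", VerifyChain(leaf, root))
	fmt.Println("chain to an unrelated root:", VerifyChain(leaf, other))
	doc := []byte("transfer 100 to account 42")
	sig, _ := SignDocument(leafKey, doc)
	fmt.Println("signature valid:", VerifyDocument(leaf, doc, sig))
	fmt.Println("after tampering:", VerifyDocument(leaf, []byte("transfer 900 to account 42"), sig))
}
```

Note what the verifier never needs: the leaf's private key. It trusts the root's public key, checks the root's signature on the leaf, and then checks the leaf's signature on the document. Revocation is the piece this example omits; a production relying party would also consult the CA's CRL or OCSP responder before accepting the leaf.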
Data Encryption Protocols
Several protocols exist to encrypt and authenticate data in transit. IPsec and SSL/TLS are the two backbone security protocols used in the cloud. Internet Protocol Security (IPsec) operates at the network layer and is therefore application agnostic: it protects IP traffic with encryption (ESP) and integrity checks (ESP or AH), and the two peers authenticate each other during key exchange (IKE) with PKI certificates or pre-shared keys, which is what makes it flexible. It has two modes: transport mode, which protects only the payload between two hosts, and tunnel mode, which encrypts the whole original IP packet and wraps it in a new one, so IPsec doubles as a tunneling protocol for site-to-site and remote-access VPNs. Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) operate above the transport layer and are used per connection by applications configured for them (HTTPS, SMTP with STARTTLS, database connections, and so on). All SSL versions and TLS 1.0 and 1.1 are deprecated; TLS 1.2 or 1.3 should be used.
Tunneling is a technique that secures communications and hides their routing between devices, so that intermediary devices on a public network can neither read the traffic nor determine its real source and destination. In effect, tunneling creates a private channel between two points over the public network, letting them exchange data as if they were connected locally. It achieves this through encryption and encapsulation. The original packet, including its payload and its inner source and destination addresses, is encrypted, and the result is encapsulated in an outer packet, the "envelope", whose header is addressed to the far tunnel endpoint (a VPN gateway or proxy server). The outer packet is routed across the public network like any other; at the tunnel endpoint it is decapsulated and decrypted, and the inner packet is forwarded to its final destination. If packets are intercepted en route, only the tunnel endpoints' addresses are visible, not the inner ones. Multi-hop designs such as onion routing chain several such tunnels so that no single relay sees both the true source and the true destination; they reduce what any one observer can learn about the route, but traffic timing and volume remain observable, so routing traces are not erased entirely.
Tunneling is not without downsides: encapsulation adds header bytes to every packet, which consumes more bandwidth and can push packets over the path MTU and force fragmentation, and encrypting and decrypting at each endpoint costs CPU time and adds latency.
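The encapsulation described above, as an added example in Go (written for this page; it is not code from the original text or from any VPN implementation): a toy packet with real inner addresses is encrypted under the tunnel key and wrapped in an outer header naming only the two tunnel endpoints. Parsing the bytes on the wire shows what an on-path router sees; decapsulating at the far endpoint recovers the inner packet; rewriting the outer destination in transit is detected because the outer header is authenticated as associated data. The addresses, payload, and the tunnel key (derived from a placeholder string instead of a real IKE or TLS handshake) are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Packet is a toy IP-like packet: addresses plus payload.
type Packet struct {
	Src, Dst string
	Payload  []byte
}

// Marshal encodes "src\ndst\npayload"; addresses contain no newline, so the
// first two newlines always delimit the header.
func (p Packet) Marshal() []byte {
	return append([]byte(p.Src+"\n"+p.Dst+"\n"), p.Payload...)
}

func Unmarshal(b []byte) (Packet, error) {
	parts := bytes.SplitN(b, []byte("\n"), 3)
	if len(parts) != 3 {
		return Packet{}, errors.New("malformed packet")
	}
	return Packet{Src: string(parts[0]), Dst: string(parts[1]), Payload: parts[2]}, nil
}

// TunnelKey stands in for the key the endpoints negotiated (IKE for IPsec,
// the handshake for a TLS VPN). Constructed from a literal so this runs offline.
func TunnelKey() []byte {
	sum := sha256.Sum256([]byte("constructed-demo-tunnel-key"))
	return sum[:]
}

func tunnelAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encapsulate encrypts the whole inner packet, real addresses included, and
// prefixes an outer header naming only the tunnel endpoints. The outer header
// is authenticated as associated data, so rewriting it en route is detected.
func Encapsulate(key []byte, inner Packet, tunnelSrc, tunnelDst string) ([]byte, error) {
	aead, err := tunnelAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	outer := Packet{Src: tunnelSrc, Dst: tunnelDst}.Marshal()
	// Wire format: outer header || nonce || ciphertext || tag (copied so the
	// associated-data slice never shares storage with the output).
	wire := append(append([]byte(nil), outer...), nonce...)
	return aead.Seal(wire, nonce, inner.Marshal(), outer), nil
}

// Decapsulate runs at the far endpoint: authenticate outer header and body
// together, decrypt, and hand the inner packet on towards its real destination.
func Decapsulate(key, wire []byte) (Packet, error) {
	o, err := Unmarshal(wire) // outer header plus opaque encrypted body
	if err != nil {
		return Packet{}, err
	}
	aead, err := tunnelAEAD(key)
	if err != nil {
		return Packet{}, err
	}
	ns := aead.NonceSize()
	if len(o.Payload) < ns+aead.Overhead() {
		return Packet{}, errors.New("tunnel packet too short")
	}
	outer := Packet{Src: o.Src, Dst: o.Dst}.Marshal()
	plain, err := aead.Open(nil, o.Payload[:ns], o.Payload[ns:], outer)
	if err != nil {
		return Packet{}, err
	}
	return Unmarshal(plain)
}

func main() {
	key := TunnelKey()
	// Constructed: two private hosts talking through two public tunnel endpoints.
	inner := Packet{Src: "10.0.0.5", Dst: "172.16.0.9", Payload: []byte("GET /payroll")}
	wire, err := Encapsulate(key, inner, "203.0.113.1", "198.51.100.7")
	if err != nil {
		panic(err)
	}
	seen, _ := Unmarshal(wire) // what an on-path router can parse
	fmt.Printf("on the wire: %s -> %s, inner dst readable: %v\n", seen.Src, seen.Dst, bytes.Contains(wire, []byte(inner.Dst)))
	out, err := Decapsulate(key, wire)
	fmt.Printf("at the endpoint: %s -> %s %q (err=%v)\n", out.Src, out.Dst, out.Payload, err)
	_, err = Decapsulate(key, bytes.Replace(wire, []byte("198.51.100.7"), []byte("198.51.100.8"), 1))
	fmt.Println("outer destination rewritten en route:", err)
}
```

The overhead the text mentions is visible here too: every packet on the wire carries the outer header, a 12-byte nonce, and a 16-byte tag on top of the original payload, which is exactly the kind of per-packet growth that can push a full-size packet over the path MTU.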
Ciphers are the encryption algorithms used inside encryption protocols. They can be symmetric, using the same key to encrypt and decrypt, or asymmetric, using a public and private key pair, and symmetric ciphers are further divided into block ciphers and stream ciphers. As the name suggests, a block cipher encrypts a fixed-size block of data (16 bytes for AES); to handle data of arbitrary length it must be used with a mode of operation such as CBC, CTR, or GCM, and the naive mode, ECB, leaks information because identical plaintext blocks produce identical ciphertext blocks. A stream cipher instead generates a keystream from the key and a nonce and XORs it with the plaintext, so it can process data of unknown length byte by byte without padding; ChaCha20 is a common example. The Advanced Encryption Standard (AES), standardized by NIST in FIPS 197, is the block cipher approved for U.S. government use and the most widely deployed cipher overall. Block ciphers and stream ciphers are not separate layers of security: a block cipher in counter (CTR) mode is itself a stream cipher, since it encrypts successive counter values to produce the keystream, and AES-GCM builds on CTR to add authentication. Whichever construction is used, a key and nonce pair must never be reused, because XORing two ciphertexts produced under the same keystream cancels the keystream and exposes the XOR of the two plaintexts.
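The following added example (written for this page, not code from the original text) shows the three points above in Go with the standard library's AES: the raw block function in ECB fashion, where two equal 16-byte blocks encrypt to identical output; the same block cipher in CTR mode acting as a stream cipher over a 14-byte message with no padding; and the nonce-reuse failure, where two messages encrypted under the same key and IV leak the XOR of their plaintexts. The key, IV, and messages are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"fmt"
)

// CipherKey is a constructed 256-bit key (AES-256); never derive real keys this way.
func CipherKey() []byte {
	sum := sha256.Sum256([]byte("constructed-demo-cipher-key"))
	return sum[:]
}

// EncryptBlock runs the raw AES block function on exactly one 16-byte block.
// This is ECB mode: no nonce and no chaining, so equal blocks give equal output.
func EncryptBlock(key, block []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, c.BlockSize())
	c.Encrypt(out, block)
	return out
}

// CTR turns the block cipher into a stream cipher: AES encrypts iv||counter
// for successive counters to make a keystream that is XORed with the data.
// The same call decrypts, and no padding is needed for any length.
func CTR(key, iv, data []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCTR(c, iv).XORKeyStream(out, data)
	return out
}

// XOR returns a XOR b over their common length.
func XOR(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

func main() {
	key := CipherKey()

	// 1. Block cipher used directly (ECB): identical blocks leak as identical ciphertext.
	block := []byte("0123456789abcdef")
	fmt.Println("ECB repeats:", bytes.Equal(EncryptBlock(key, block), EncryptBlock(key, block)))

	// 2. The same block cipher in CTR mode handles any length and round-trips.
	iv := bytes.Repeat([]byte{0x01}, 16) // constructed; must be unique per message
	msg := []byte("attack at dawn")
	ct := CTR(key, iv, msg)
	fmt.Printf("CTR: %d bytes in, %d bytes out, round trip %q\n", len(msg), len(ct), CTR(key, iv, ct))

	// 3. Nonce reuse: two messages under the same key/IV share a keystream,
	// so c1 XOR c2 == p1 XOR p2 and the relation between plaintexts is exposed.
	msg2 := []byte("retreat at 8am")
	ct2 := CTR(key, iv, msg2)
	fmt.Println("keystream cancels:", bytes.Equal(XOR(ct, ct2), XOR(msg, msg2)))
}
```

The last check is the practical reason a counter-mode or stream construction must carry a fresh nonce per message: an attacker who knows or can guess one plaintext recovers the other directly from the two ciphertexts, with no key recovery involved.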
From the cloud consumer's point of view, storage security is often seen as a feature included with the service and outside their responsibility. Under the shared responsibility model, the provider secures the physical storage and the underlying infrastructure, but the consumer remains responsible for how the storage is used: access policies, bucket and volume permissions, the choice of encryption and who holds the keys, and what data is placed there. Storage security is also more than a technology; it overlaps with contractual agreements and regulatory requirements, which govern where data may reside, how long it is retained, and who may access it.
To help comply with these obligations, and to safely partition and secure cloud resources, companies can use granular storage controls. In a storage area network (SAN), zoning on the Fibre Channel switches restricts which hosts (initiators) can see which storage ports (targets), and LUN masking on the storage array then restricts which of those hosts can access each logical unit number (LUN), so a host sees only the volumes assigned to it. At the information level, digital rights management (DRM) and information rights management (IRM) attach usage policies to documents and other digital assets, so that even an authorized recipient can be limited to viewing, editing, printing, or forwarding specific information, with those rights enforced by the application that opens the content.
Protected backups are a disaster recovery consideration. Backups are copies of live system data, maintained so that the system can be rolled back or restored after a disaster. These copies deserve the same data security controls as their live counterparts: encrypted, access controlled, and with the decryption keys stored separately from the backup media and, where possible, held offline or in a hardware security module so that only authorized personnel can reach them. Because an attacker or ransomware that compromises the live system may also reach online backups, at least one copy should be kept offline or immutable, and restores should be tested regularly, since a backup that cannot be decrypted or restored provides no protection.