For security in the cloud, data security's role encompasses securing an organization's data at rest in the cloud as well as data that traverses the organization's networks. Data security refers to the best practices and technologies that aim to achieve data confidentiality and data integrity. Several technologies are deployed to ensure these properties, such as encryption, which allows only authorized parties to read data, and digital signatures, which let a recipient confirm that data has not been tampered with and comes from a trusted party. Another notable technology is tunneling, which creates a secure connection between two points using encapsulation and encryption to thwart any listening intermediary parties.
For data at rest within the cloud, organizations rely on the strong storage security typically built into cloud providers' platforms. Leading cloud service providers such as Google, Dropbox, Amazon, and Microsoft all provide dedicated data storage, so in these cases cloud consumers do not need to implement storage security controls themselves. But companies that provide cloud services need to understand and implement strong storage controls to ensure the security of their users' data. Protected backups are another important concern. Backups are duplicates of live data kept for the express purpose of quickly recovering systems from disasters, whether caused by a cyber-attack or a technical failure. These backups contain highly valuable and sensitive working data and should be protected like any live data.
Data security has always been a significant concern for IT departments, which are preoccupied with protecting user and proprietary company data, complying with government regulations, and avoiding steep repercussions. However, earlier strategic security approaches centered on yesteryear's fortress model have become ill-suited for companies in the cloud. Today, cloud company data traverses the open public internet all the time, exposing proprietary data to potential hackers and malicious actors. A fortress model, where guards can be posted at control points, must evolve into a city model: no protective wall encloses the company, but access to sensitive areas requires something more like personal identification and verification.
The following data security control mechanisms are commonly used together to bolster security, though in specific cases only one, or none, may be deployed. Controls like encryption are extremely common and have become the de facto security measure deployed over the internet. Other controls provide additional layers of security at the cost of performance; for example, tunneling can obscure source and destination IP addresses and secure the connection between two endpoints, but the additional network overhead can degrade performance.
Initial data security measures bring to mind data encryption. Encryption is the technique of locking data so that it is unreadable to anyone who does not have the decryption key. There are several methods for encrypting data, such as obfuscation, which uses a defined pattern to cover sensitive data. Substitution, shuffling, and patterned removal are all obfuscation techniques, yet however complex, these methods can still be reverse engineered. Ciphers are the preferred encryption methods, using advanced algorithms to turn plaintext into ciphertext. Data must be encrypted at two levels: data at rest and data in transit.
Encryption at rest encompasses data stored on storage media of any size (USB drives, DVDs, hard drives, etc.) or on storage in the cloud, since the cloud is essentially banks of data servers. Encrypting data at rest can be implemented at multiple levels: storage, file systems, operating systems, databases, or individual files and folders. Storage encryption can be done using self-encrypting hard drives. Storage controller software can encrypt file systems to aid in access control. More granularly, encryption happens at the level of files, folders, and databases. Proprietary operating systems, such as those from Microsoft and Apple, provide built-in encryption software for their file systems that encrypts files, groups of files, and folders. Even more granular, databases can encrypt individual rows and columns within their schemas, flagging them as confidential and preventing exposure of data such as bank account numbers, social security numbers, and other personally identifiable information.
Public key infrastructure (PKI) creates a hierarchical bank of trusted security certificates that are issued to various entities: users, applications, or other computing devices. These certificates are used to encrypt and decrypt data, as well as to provide a digital identity used to sign data and verify the signing entity's identity and integrity.
PKI entails coordinating certificate management, key management, digital signatures, and secrets management. Certificate management encompasses a company's processes for issuing, renewing, storing, authenticating, and, when needed, revoking digital certificates. A key management system (KMS) is software that securely records and manages each key. Digital signatures are used in PKI to provide nonrepudiation: a signature's validity and the signer's authenticity cannot later be denied. Secrets in the cloud, including API keys, passcodes, access credentials, and the like, must also be managed; fortunately, the major cloud vendors offer their own secrets management systems.
Several encryption protocols exist that secure and authenticate data. IPsec and SSL/TLS are two backbone security protocols used in the cloud. Internet Protocol Security (IPsec) is an application-agnostic way of securing IP traffic through encryption and digital signatures. Because it secures communications between hosts rather than between applications, IPsec is flexible and can be implemented using several authentication methods (PKI certificates, symmetric keys, etc.). It can also be used as an encryption or tunneling protocol. Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are application-specific and are used to secure communications between configured applications.
Tunneling is a technique used to secure communications between devices and obscure their routing, so that intermediary devices on public networks cannot read the data or determine the true source and destination. In effect, tunneling creates a covert tunnel between two points over public networks, allowing secure data sharing as if the two were connected locally. Tunneling achieves this through encryption and encapsulation. Encryption secures the payload data and its destination, which is then encapsulated in another "envelope" addressed to a proxy server. The message is decapsulated at that server and then sent on to the final destination. If packets are intercepted, the final address cannot be read. In practice, tunneling can be set up to bounce traffic around several servers and completely erase any traces of routing.
Tunneling is not without its downsides, though: encapsulating and decapsulating consumes more network bandwidth, resulting in lower performance.
Ciphers are the encryption algorithms used in encryption protocols. They can be symmetric, using the same key for encryption and decryption, or asymmetric, using paired public and private keys, and can be designed as block ciphers or stream ciphers. As the name suggests, block ciphers encrypt chunks of data of a known, fixed size, while stream ciphers convert plaintext into ciphertext as a stream of unknown length and are faster than block ciphers when the data length is not known in advance. Block ciphers still have their uses; for example, the Advanced Encryption Standard (AES) is the government-standard block cipher. Block ciphers can also be used within other constructions to build stream ciphers, creating further layers of security.
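The Go program below is an added example, written for this article rather than taken from any product, that ties the tunneling mechanism described above to the point about block ciphers: an inner packet holding the real destination and payload is encrypted with AES (a block cipher) in GCM mode, which supplies a keystream for any payload length plus an integrity tag, and is then wrapped in an outer envelope addressed to a proxy that decapsulates it. The key, proxy address, and destination used with it are constructed placeholders.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is all an intermediary sees: the proxy address in the clear, and the
// encrypted inner packet laid out as nonce || ciphertext || tag.
type Envelope struct {
	To   string
	Body []byte
}

// newAEAD runs the AES block cipher in GCM mode: a CTR keystream (so any payload
// length works) plus an integrity tag. A wrong key length is a programming error.
func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil { panic(err) }
	aead, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return aead
}

// Encapsulate (sender side): encrypt "finalDst|payload" under key, then address the
// outer envelope to the proxy. The outer address is bound as associated data, so an
// intermediary that rewrites it is caught at decapsulation.
func Encapsulate(key []byte, proxy, finalDst string, payload []byte) Envelope {
	aead := newAEAD(key)
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per packet
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	inner := append([]byte(finalDst+"|"), payload...)
	return Envelope{To: proxy, Body: aead.Seal(nonce, nonce, inner, []byte(proxy))}
}

// Decapsulate (proxy side): authenticate and decrypt, then recover the real
// destination and payload to forward on. A wrong key or any tampering makes Open fail.
func Decapsulate(key []byte, env Envelope) (string, []byte, error) {
	aead := newAEAD(key)
	ns := aead.NonceSize()
	if len(env.Body) < ns { return "", nil, errors.New("envelope too short") }
	inner, err := aead.Open(nil, env.Body[:ns], env.Body[ns:], []byte(env.To))
	if err != nil { return "", nil, err }
	dst, payload, ok := bytes.Cut(inner, []byte("|"))
	if !ok { return "", nil, errors.New("malformed inner packet") }
	return string(dst), payload, nil
}
```

An observer of the envelope learns only the proxy address, and because GCM authenticates both the ciphertext and the outer address, a rewritten header or a flipped ciphertext bit is rejected by the proxy instead of being forwarded.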
From the point of view of the cloud consumer, cloud storage security is an included feature, and these controls are outside their realm of responsibility. But the fact remains that storage security is more than a technology: it overlaps with contractual agreements and regulatory requirements too.
To help comply with these obligations, and to safely partition and secure cloud resources, companies can use granular storage controls: limiting access to storage area networks (SANs) by using logical unit number (LUN) masking to segment them, and then using zoning to further limit access to those LUNs. Technologies like digital rights management (DRM) and information rights management (IRM) can additionally limit how specific information is used within enterprise systems and how much bandwidth it consumes.
Protected backups are a disaster recovery consideration. Backups are copies of live system data, actively maintained in case a system disaster calls for a rollback or restoration. These copies should be afforded the same data security considerations as their live counterparts: encrypted, password protected, and, if possible, with the encryption key physically sealed so that only authorized personnel can access it.
The terms data security, data integrity, and data protection have overlapping domains, but are distinctly different concepts.
Data security is concerned with data confidentiality and data integrity. Data confidentiality relies on encryption to ensure that only authorized entities can access certain data. Data integrity relies on digital signatures to ensure that requesting entities are actually who they claim to be, which is known as authentication. In the context of data on disk, data integrity can also refer to how faithfully data is reproduced, and is concerned with data corruption, data errors, and the like.
Data protection is an emerging term and is seen as the logical next step in safeguarding organizational data as the cloud and remote work play a more prominent role in IT operations. Data protection aims to safeguard data from compromise, corruption, or loss in anticipation of critical data disasters that could halt business operations. It expects to recover from disaster and return to normal operating conditions rapidly by approaching the problem with a data life-cycle model. The data life cycle is the entire span during which data exists within the system: from creation, ingestion, or capture, through processing, analysis, sharing, and publication, until it is archived or destroyed.
Data security software aims to keep data secure using various measures, like encryption and sophisticated access management.
Organizations can look for guidance to the data security best practices established in ISO/IEC 27001 and NIST SP 800-53. They should also keep in mind that, while there are many options and suggestions that can make networks and data more secure, budgeting will likely be a key factor in choosing which data security strategy to implement. The following best practices can provide an initial framework for those considerations.
Encryption, public key infrastructure, and data storage security are some of the common foundational data security technologies on which more specialized data security tools and related software packages are built. Some of these packages include: