Cloud computing encryption and IaaS Security

I joke that more and more different cloud computing applications are like creating a "golden rice bowl" for Data Encryption engineers. Encryption has always been an important security tool, but in most cases, we have not frequently used this tool to protect data storage. This has changed because of the emergence of cloud computing and the impact of many public data leaks.

At present, the reason for using cloud computing encryption may not be as you think. The most common idea is that your cloud computing service administrator should protect data, which mainly refers to public cloud computing ). There is no doubt that cloud computing vendors that are coveted for your data are a potential risk, but for most people, this may be just a small risk. This also gives us the illusion that we do not need to encrypt private cloud computing data.

Motivation for implementing cloud computing encryption

In addition to the common causes of data encryption, whether in or out of cloud computing, there are two main reasons:

1. Cloud computing is managed by API rather than physical access. Therefore, if someone GAINS management-level access to the management platform, they can easily copy and move a large amount of data, this cannot be achieved in traditional infrastructure. All you need is an unsupported Management System to steal your entire cloud computing-based data center.

2. Even private cloud computing has the characteristics of multiple tenants. Encryption technology keeps your data secure from other users and even administrators. It allows you to use a more open shared infrastructure while protecting your own data, on the premise that you must perform the operation correctly.

For these reasons, let's take a look at the two IaaS storage methods and how they should be encrypted to achieve IaaS security.

Cloud computing encryption: Object Storage Service

The first is OSS, such as Amazon S3 or OpenStack Swift. OSS is a file/Object Library. You can think of it as a file server or hard drive. Although you can configure most object storage systems and encrypt all the data they store, this method is one-sided and can only prevent drive loss, instead of protecting your files from external access.

To protect your files in a shared library, you need to use an architecture called "virtual private storage. Just like a Virtual Private Network VPN) that allows us to encrypt private data and use a public network, virtual private storage allows us to protect private data in public storage devices.

The principle is quite simple: encrypt your data before you send it to cloud computing. Depending on your actual work, this step can be automatically executed in the proxy/application you use to access OSS. For example, I use Dropbox (which stores files in S3) to protect sensitive files by storing them in an encrypted volume tag stored in the service. Only I have my own keys, so my data is secure.

Cloud computing encryption: volume label Storage

Next, let's talk about the volume label storage, such as Amazon EBS or RackSpace RAID. This storage system is used when you run long-term computing instances in cloud computing. They are simulated as a common hardware volume label and then encrypted using similar technologies.

The first method is to encrypt the volume tag associated with your instance. Your instance is not encrypted, which is more complicated for the boot volume label), but your sensitive data is stored in the encrypted volume label related to the instance. Many tools support this function, and they do not even need to make any special changes to cloud computing. For further security, you can store your key out of your instance. Sorry, due to the limited space, I will introduce this issue in future articles ).

Another method is to use a special encryption proxy, which is located between the computing instance and the storage volume label or the second instance used for the file server. This method is useful when you have a bunch of instances connected to the same storage or need to simulate more types than the storage supported by tools in the instance. These agents are generally mature products, basically virtual devices running in your cloud computing environment.

Finally, for private cloud computing or hybrid cloud computing, you can use external management encryption tools, which may be physical hardware. In addition, these mature products are useful for leveraging existing encrypted investments or more complex subordinates.

I don't want to over-Simplify IaaS storage encryption. I didn't use too much ink to introduce many methods and use cases, but the security foundation of IaaS may not be as complicated as you think. Cloud computing security alliance training includes a hand-held volume label encryption operation, which takes 10 minutes.