Cloud Computing Data and Information Security Protection

Source: Internet
Author: User

Cloud computing data is processed and stored on the cloud platform. The separation of computing resource owners from users is an inherent feature of the cloud computing model; as a result, users' concerns about the secure storage and privacy of their data are inevitable.
Specifically, user data and even private content may be disclosed, intentionally or unintentionally, during remote computing, storage, and communication. There are also data loss problems caused by failures such as power outages or downtime. Unreliable cloud infrastructure and service providers may even infer users' private information by analyzing user behavior. These problems lead directly to conflict and friction between users and cloud providers, reduce users' trust in the cloud computing environment, and affect the further promotion of cloud computing applications.
One of the main goals of information security is to protect user data and information. In the transition to cloud computing, traditional data security methods are challenged by the cloud model architecture. Elasticity, multi-tenancy, new physical and logical architectures, and abstracted control require new data security policies.

1.1 Data Security Management and Challenges

The key challenges in cloud computing data lifecycle security are as follows.
(1) Data security: confidentiality, integrity, availability, authenticity, authorization, authentication, and non-repudiation.
(2) Data storage location: ensure that all data, including all copies and backups, is stored in the geographical locations permitted by contracts, service level agreements, and regulations. For example, the use of electronic health records managed by the EU's "Regulation-compliant storage regulations" may pose a challenge to data owners and cloud service providers.
(3) Data deletion or persistence: data must be completely and effectively removed before it can be considered destroyed. A technology is therefore required to ensure that cloud computing data is fully and effectively located, erased, and destroyed, and that the data has been completely eliminated or cannot be restored.
(4) Mixing of different customers' data: data, especially confidential or sensitive data, must not be mixed with other customers' data during use, storage, or transmission without compensating controls. Data mixing adds security challenges in terms of data security and geographic location.
(5) Data backup and recovery (rediscovery and restoration) plans: to ensure data availability, cloud data backup and cloud recovery plans must be in place and effective, so as to prevent data loss, unexpected data overwriting, and destruction. Do not simply assume that data in the cloud is certainly backed up and recoverable.
(6) Data discovery: as the legal system continues to pay attention to electronic evidence discovery, cloud service providers and data owners will need to focus on data discovery and ensure that all data required by legal and regulatory authorities can be retrieved. These questions are extremely difficult to answer in the cloud environment and require management, technical, and necessary legal controls to work together.
(7) Data aggregation and inference: when data is in the cloud, new data aggregation and inference concerns may result in violations of the confidentiality of sensitive and confidential data. In practice, therefore, the interests of data owners and data stakeholders should be protected so that no leakage of data, however slight, occurs when data is mixed and aggregated (for example, when medical data with names and medical information is mixed with other anonymous data and cross-reference fields exist on both sides).
As shown in Table 1-1, security control requirements depend on the cloud service model (SaaS, PaaS, or IaaS) in conjunction with each stage of information lifecycle management. In addition, hierarchical control requirements are defined for different levels of information, based on the data confidentiality level.
Table 1 Data Security Control Requirements

No.  Lifecycle stage  Security control requirements

1 Create
  - Identify available data tags and classifications.
  - Enterprise digital rights management (DRM) may be an option.
  - User tagging of data has been widely used in Web 2.0 environments and may be of great help in classifying data.
2 Use
  - Activity monitoring can be implemented through log files and agent-based tools.
  - Application logic.
  - Object-level control based on database management system solutions.
3 Storage
  - Identify access controls in file systems, database management systems (DBMS), and document management systems.
  - Encryption solutions cover email, network transmission, databases, files, and file systems.
  - Content discovery tools (such as DLP, data loss protection) help with identification and auditing of the aspects that need to be controlled.
4 Share
  - Activity monitoring can be implemented through log files and agent-based tools.
  - Application logic.
  - Object-level control based on database management system solutions.
  - Identify access controls in environments such as file systems, database management systems, and document management systems.
  - Encryption solutions cover email, network transmission, databases, files, and file systems.
  - Implement content-based data protection through DLP.
5 Archive
  - Encryption, for example of tape backups and other long-term storage media.
  - Asset management and tracking.
6 Destroy
  - Encryption and shredding: destruction of all key material related to the encrypted data.
  - Disk wiping and related techniques for secure deletion.
  - Physical destruction, such as degaussing of physical media.
  - Confirm the destruction process through content discovery.

1.2 Data and Information Security Protection

Data transmission, processing, and storage for cloud computing users all involve the cloud computing system. In typical application environments such as multi-tenancy and thin-terminal access, the security threats to user data are even more prominent. To meet information security protection requirements in cloud computing environments, technical measures such as data isolation, access control, encrypted transmission, secure storage, and residual information protection must be adopted. These provide end-to-end information security and privacy protection for cloud computing users, thus ensuring the availability, confidentiality, and integrity of user information.
Data and information security protection can be divided into the following aspects.
1. Data Security Isolation
To isolate data between different users, physical isolation, virtualization, multi-tenancy, and other solutions can be used, according to application requirements, to securely isolate data and configuration information between tenants and so protect the data security and privacy of each tenant.
2. Data Access Control
For data access control, real-time identity monitoring, permission authentication, and certificate checks can be performed through identity-authentication-based permission control to prevent unauthorized access between users. A default "deny all" access control policy can be used, with the corresponding port or access policy opened only when data access is required. In a virtualized application environment, logical border security access control policies can be set. For example, a virtual firewall can be attached to implement fine-grained data access control policies between virtual machines and within virtual units.
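The default "deny all" policy described above, with access opened only for the period it is needed, sketched as an added example (not code from the book). The rule fields, addresses, port numbers and the time-limited `expires` attribute are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AllowRule:
    src: str        # source CIDR (constructed tenant subnet)
    dst: str        # destination CIDR
    port: int       # destination TCP port
    expires: float  # rule is valid only until this timestamp

    def matches(self, src_ip, dst_ip, port, now):
        return (now < self.expires
                and port == self.port
                and ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


class VirtualFirewall:
    """Default deny: a flow passes only while an explicit allow rule matches."""

    def __init__(self):
        self.rules = []
        self.audit = []  # every decision is recorded for later review

    def open(self, rule):
        self.rules.append(rule)

    def decide(self, src_ip, dst_ip, port, now):
        allowed = any(r.matches(src_ip, dst_ip, port, now) for r in self.rules)
        decision = "allow" if allowed else "deny"
        self.audit.append((now, src_ip, dst_ip, port, decision))
        return decision


def demo():
    fw = VirtualFirewall()
    flow = ("10.1.1.5", "10.1.2.10", 3306)   # web VM -> database VM
    out = [fw.decide(*flow, now=0)]           # nothing opened yet
    fw.open(AllowRule("10.1.1.0/24", "10.1.2.10/32", 3306, expires=100))
    out.append(fw.decide(*flow, now=10))                          # inside window
    out.append(fw.decide("10.2.1.5", "10.1.2.10", 3306, now=10))  # other tenant
    out.append(fw.decide("10.1.1.5", "10.1.2.10", 22, now=10))    # other port
    out.append(fw.decide(*flow, now=100))                         # window closed
    return out
```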
3. Encrypted Data Storage
Data encryption is an important way to implement data protection. Even if the data is stolen, it is only a string of garbled characters to the thief, who cannot learn its content. For encryption algorithm selection, symmetric encryption algorithms with high encryption performance should be chosen, such as AES, 3DES, and other internationally used algorithms, or SCB2, a Chinese national commercial cryptography algorithm. For encryption key management, a centralized user key management and distribution mechanism should be adopted to achieve efficient and secure management and maintenance of stored user information. For cloud storage services, the cloud computing system should provide encryption services that encrypt stored data and prevent unauthorized snooping. For services such as virtual machines, we recommend that users encrypt important data before uploading and storing it.
4. Encrypted Data Transmission
In the cloud computing application environment, network transmission of data is inevitable, so it is also important to ensure the security of data in transit. Transmission encryption can be implemented at the link layer, network layer, and transport layer. Network transmission encryption is used to ensure the confidentiality, integrity, and availability of data transmitted over the network. For management information, SSH, SSL, and similar methods can provide an encrypted channel for maintenance and management within the cloud computing system, ensuring the security of management information. For user data, IPSec VPN, SSL VPN, and other VPN technologies can be used to improve network transmission security.
5. Data Backup and Recovery
Regardless of where the data is stored, users should carefully consider the risk of data loss. Backing up data and restoring it quickly is essential for dealing with sudden faults or disasters on the cloud computing platform. For example, in a virtualized environment, disk-based backup and recovery should be supported to achieve rapid recovery of virtual machines. File-level integrity and incremental backup should be supported, so that only incremental changes are saved and backup efficiency improves.
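One way to combine incremental backup with a file-level integrity check, as an added example that is not from the book. It assumes a content-addressed blob store keyed by SHA-256; the file names and contents are constructed.

```python
import hashlib


def digest(data):
    return hashlib.sha256(data).hexdigest()


def incremental_backup(files, previous_manifest, blob_store):
    """Store only content whose hash changed; return (manifest, names_copied)."""
    manifest, copied = {}, []
    for name, data in sorted(files.items()):
        h = digest(data)
        manifest[name] = h
        if previous_manifest.get(name) != h:
            blob_store[h] = data   # content-addressed: unchanged data is reused
            copied.append(name)
    return manifest, copied


def restore(manifest, blob_store):
    """Rebuild the file set, refusing any blob that fails its integrity check."""
    restored = {}
    for name, h in manifest.items():
        data = blob_store.get(h)
        if data is None or digest(data) != h:
            raise ValueError(f"integrity check failed for {name}")
        restored[name] = data
    return restored


def demo():
    store = {}
    day1 = {"vm1/disk.cfg": b"cpu=2", "vm1/app.db": b"rows:1"}  # constructed data
    m1, copied1 = incremental_backup(day1, {}, store)
    day2 = {**day1, "vm1/app.db": b"rows:2"}                    # one file changes
    m2, copied2 = incremental_backup(day2, m1, store)
    ok = restore(m2, store) == day2 and restore(m1, store) == day1
    store[m2["vm1/app.db"]] = b"rows:X"       # simulate silent corruption
    try:
        restore(m2, store)
        detected = False
    except ValueError:
        detected = True
    return copied1, copied2, ok, detected
```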
6. Residual Information Protection
Because storage is shared in the cloud computing platform, the storage space allocated to one user today may be allocated to another user tomorrow. Measures are therefore needed to protect residual information. The cloud computing system must completely erase data before re-allocating storage resources to new users. After stored user files or objects are deleted, the corresponding storage area must be completely erased or marked as write-only (it can only be overwritten with new data) to prevent unauthorized and malicious recovery.
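The two measures named above, erasure before reallocation and marking a released area write-only, compared with no protection at all in an added example (not code from the book). The `BlockPool` class, its policy names and the tenant data are a constructed model.

```python
class BlockPool:
    """Shared pool of fixed-size blocks (constructed model, not a real API)."""

    def __init__(self, blocks, size, policy):
        self.size, self.policy = size, policy   # policy: none | erase | write_only
        self.store = [bytearray(size) for _ in range(blocks)]
        self.free = list(range(blocks))
        self.owner = {}                         # block index -> tenant
        self.write_only = set()                 # released blocks still holding old data

    def _owned(self, tenant, idx):
        if self.owner.get(idx) != tenant:
            raise PermissionError("block not owned by this tenant")

    def allocate(self, tenant):
        idx = self.free.pop()
        self.owner[idx] = tenant
        return idx

    def write(self, tenant, idx, data):
        self._owned(tenant, idx)
        # Whole-block write (input truncated to block size) replaces every old byte.
        self.store[idx][:] = data[:self.size].ljust(self.size, b"\x00")
        self.write_only.discard(idx)

    def read(self, tenant, idx):
        self._owned(tenant, idx)
        if idx in self.write_only:
            raise PermissionError("block is write-only until overwritten")
        return bytes(self.store[idx]).rstrip(b"\x00")

    def release(self, tenant, idx):
        self._owned(tenant, idx)
        if self.policy == "erase":
            self.store[idx][:] = bytes(self.size)   # overwrite before reuse
        elif self.policy == "write_only":
            self.write_only.add(idx)
        del self.owner[idx]
        self.free.append(idx)

def next_tenant_reads(policy):
    pool = BlockPool(blocks=1, size=32, policy=policy)
    a = pool.allocate("tenant-a")
    pool.write("tenant-a", a, b"tenant-a secret (constructed)")
    pool.release("tenant-a", a)
    b = pool.allocate("tenant-b")               # the same block is handed out again
    try:
        return pool.read("tenant-b", b)
    except PermissionError:
        return "refused"
```

With the `none` policy the second tenant reads the first tenant's bytes; `erase` returns an empty block and `write_only` refuses the read until the new owner has written.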

-- This passage is excerpted from the book Cloud Computing Security: Technology and Application.

Books: http://blog.csdn.net/broadview2006/article/details/7403731
