6 Steps to Implement Cloud Data Potection

Due to the complexity of cloud environments, enterprise cloud application systems, and core data, choosing a suitable cloud data protection plan becomes particularly important. So what kind of scheme is suitable? The author believes that the following key points should be covered: (1) Meeting safety requirements and related regulations; (2) Effective protection against various sources of hazards; (3) Acceptable deployment and maintenance complexity.

Therefore, in order to protect data in the cloud, it is necessary to implement cloud data (library) security protection in a planned and step-by-step manner. Combining the previous architecture and key technologies, the following 6 basic steps for implementing cloud data (library) protection are proposed:

Step 1: Analyze and determine the key data that needs to be protected
Before protecting cloud data, it is necessary to accurately analyze which data needs to be protected and why it needs to be protected; evaluate and classify which data needs to be placed in the cloud, so as to determine which data is the key data that must be protected, such as user identity Certificate number, bank card or credit card number, social security number, etc. Another concern is the need for regulatory compliance.

Step 2: Choose a suitable technical solution and encryption algorithm
As the key to the successful implementation of cloud data protection, companies need to consider the security of key data, maintaining the functional availability of cloud application systems, and system maintainability to determine a technical solution for encryption protection that suits the needs of the company. The following two charts compare the protection effects, security, and deployment complexity that the key encryption protection technologies mentioned above can provide for readers' reference.

The choice of encryption method is also very important. Here is a typical example. In many application systems, bank card number data is formatted. If the data does not conform to the format, the application system will not be able to accept "wrong" bank card number data. At the same time, bank card number encryption needs to retain its format characteristics. The encryption algorithms available for selection include FPE and Tokenization. The name and other data can use more general encryption algorithms such as AES256.

Step 3: Protect the encryption key of the data
In order to protect the ciphertext data from being stolen illegally and prevent cloud service vendors and third-party maintainers from accessing the plaintext data, the best practice is to control the key of the ciphertext data in the hands of the cloud user; readers can refer to the previous figure. 1 Cloud data security model and table 1 security model comparison.

Step 4: Implement necessary measures to prevent data leakage
Although necessary data encryption measures have been taken, it cannot completely solve the security threats from the application system environment and cloud operation and maintenance environment. Typical examples are SQL injection attacks from cloud application systems, backdoor programs, attacks using database vulnerabilities, and Misoperation of tripartite operation and maintenance personnel, etc. Therefore, it is necessary to adopt a data boundary protection technology such as a database firewall, and use its fine-grained access control, anti-attack, and anti-batch data download features to achieve effective data leakage prevention.

Step 5: Monitor and audit data access behavior
On the one hand, hacker attacks are ever-changing, and on the other hand, normal data maintenance and management behaviors brought about by the complexity of the system are often unpredictable. Therefore, it is necessary to take continuous and timely monitoring and auditing of the access behavior of important data to form an effective risk report to provide users with new risks and help users better protect their data.

Step 6: Use automatic desensitization to prevent data leakage in the test environment
In addition to the data protection of the cloud environment, the internal test environment of the enterprise is also an important source of information leakage, especially when it is necessary to "extract" cloud production data for testing the system; the use of automatic data desensitization technology can effectively protect production data at the same time , Provide usable test data in line with user expectations for the test environment.