Cloud computing encryption and IAAS security

I joked that more and more different cloud applications were creating "golden" for a http://www.aliyun.com/zixun/aggregation/17326.html "> Storage Data Encryption engineer." Encryption has always been an important security tool, but in most cases we have not used this tool frequently to protect stored data. This has changed since the advent of cloud computing and the impact of numerous public data leaks.

Currently, the reason for using cloud computing encryption may not be as you think. The most common idea is that your cloud services administrator should protect your data (mainly public cloud computing). There is no doubt that the cloud vendor that is salivating over your data is a potential risk, but for most people this may be a small risk. This also gives us the illusion that private cloud computing data does not need to be encrypted.

The motivation of implementing cloud computing encryption

In addition to the common causes of encrypting data, whether in or out of the cloud, there are two main reasons:

1. Cloud computing is managed by APIs rather than physical access. Therefore, if someone gains administrative access to the management platform, they can easily replicate and move large amounts of data, which is simply not possible in the traditional infrastructure. All that is needed is just a not-strong management system to steal your entire cloud-based data center.

2. Even private cloud computing has a multi-tenant character. Encryption allows you to keep your data at a safe distance from other users, even administrators. It allows you to use a more open shared infrastructure while also protecting your own data, assuming you have to operate correctly.

For these reasons, let's look at two types of IaaS storage methods and how they should be encrypted to achieve IAAS security.

Cloud Computing Cryptography: Object Storage

The first is object storage, such as Amazon S3 or OpenStack Swift. Object storage is a file/object library. You can think of it as a file server or a hard drive. Although you can configure most of your object storage systems and encrypt all of the data they store, this is a one-sided way to prevent drive loss, not to protect your files from outsiders.

To protect your files in a shared library, you need to use a schema that I call "virtual private storage." Just as a virtual private network (VPN) allows us to encrypt private data and use a public network, virtual private storage allows us to protect private data in a public storage device.

The principle is quite simple: encrypt your data before sending it to the cloud. Depending on your actual work, this step can be performed automatically in the proxy/application that you use to access the object store. For example, I use Dropbox, which stores files in S3, to protect sensitive files by storing them in the encrypted volume label that is stored in the service. Only I have the key, so my data is secure.

Cloud Computing Encryption: Volume label storage

Next, let's talk about volume label storage, such as Amazon EBS or RackSpace RAID. This storage system is used when you run long-term computing examples in cloud computing. They simulate a normal hardware label, and then we use a similar technique to encrypt it.

The first method is to encrypt the volume label associated with your instance. Your instance is not encrypted (the situation is more complex for the boot label), but your sensitive data is stored in the encrypted volume label associated with the instance. There are many tools that support this feature, and they don't even have to make any special changes to cloud computing. For further security, you can store your keys outside your instance (I'm sorry, given the limited space, I'll explain this in future articles).

Another method is to use a special encryption agent that is located between the computed instance and the storage volume label or the second instance used for the file server. This approach is useful when you have a bunch of instances connected to the same storage or need to simulate more types than the one supported by the tools in the instance. These agents are generally mature products and are basically virtual devices that run in your cloud computing environment.

Finally, for private cloud computing or hybrid cloud computing, you can use external management encryption tools, which may be physical hardware. In addition, these mature commodities are useful for leveraging existing cryptographic investments or more complex subordinates.

I'm not trying to simplify the IaaS storage encryption. I don't use too much ink to introduce many methods and use cases, but the security underpinnings of IaaS may not be as complex as you might think. The Cloud Computing Security Alliance training includes a hands-on volume label encryption operation that takes only 10 minutes.

(Responsible editor: The good of the Legacy)