Cloud Data Security

Source: Internet
Author: User
Keywords cloud data big data cloud data security
Information technologies such as cloud computing and big data are profoundly changing people's thinking, production, life, and learning methods, and deepening into people's daily lives. With the emergence of big data in various industries and fields such as social media, e-commerce, health care, smart transportation, telecommunications operations, finance, and smart cities, big data analysis technology and applied research make big data show unlimited economic and social value The significance of scientific research and scientific research has caused a research boom in the academic and industrial circles at home and abroad. The governments of various countries also attach great importance to this and continue to rise to the height of national strategy. The big data security problems exposed by data information in many links have become increasingly prominent, which has become a bottleneck restricting the development of big data applications.

Today I want to talk about cloud data security in cloud security. After all, the development of cloud computing technology has caused the security threats faced by big data in the process of collecting, storing, sharing, and using more and more. The personal privacy information of companies leaked by big data has brought users A huge loss.



Encryption and key management
Encryption is not a new technology at all, but in the past, encrypted data was stored on servers, and the servers were placed inside the company, and the company directly controlled them. Since many popular business applications are hosted in the cloud today, business executives either need to rely on contractual provisions to protect assets, choose a cloud service provider that allows customers to encrypt data and then send it to the cloud for storage or processing, or with software As a service (SaaS) provider cooperates, and the other party manages the encryption and decryption of their enterprise data.

Client encryption method
In fact, the main thing on the client side is the visibility of the data. The main security problem is still on the server side. After all, all data is on the server side. The server will check the data when it receives it. It depends on whether it is important. Attacks, etc.; what the client has to do is to prevent decompilation and encryption of transmitted data.

Generally, data transmission is encrypted. Some company apps do not contain sensitive information, so they only use post get. The previous encryption uses the DES and RSA encryption methods. First generate a DESKey, then use the RSA public key to encrypt the DESKey, then use the DESKey to encrypt the data, and finally transmit the encrypted data and the encrypted DESKey to the background; the background first uses RSA The private key decrypts the DESKey, and then uses the decrypted DESKey to decrypt the data.

This is the entire encryption and decryption process, but because the background decryption speed cannot meet the requirements (the background decryption pressure is too large, because the RSA decryption is too time-consuming, the client may feel nothing), so an improvement was made: first exchange DESKey with the server (first Transmit the encrypted DESKey to the background), and after the successful exchange is returned, the data encrypted with DESKey is transmitted to the background. In this way, the server can use the transmission gap to decrypt, appropriately alleviating the pressure on the server.

PS: AES and DES encryption are both symmetric encryption, and RSA is asymmetric encryption. You can check the relevant information for the difference and use~

 

Cloud server encryption method
Content-aware encryption and format-preserving encryption are commonly used encryption methods for cloud computing:

Content-aware encryption: Used in data leakage prevention, content-aware software understands the data or format, and sets encryption based on policies. For example, it will automatically encrypt when sending a credit card number to law enforcement by email;

Encrypted format: after encrypting a message, the result is still like an input message. For example, a 16-digit credit card number is still a 16-digit number after encryption, a phone number is still like a phone number after encryption, and an English word is encrypted Still like an English word;

Cloud server encryption service is an encryption solution on the cloud. The bottom layer of the service uses hardware cryptographic machines that have been tested and certified by the National Cryptography Administration, and through virtualization technology, it helps users meet regulatory compliance requirements for data security and protects the privacy requirements of business data on the cloud. With the help of encryption services, users can manage keys safely and reliably, and can also use multiple encryption algorithms to perform reliable encryption and decryption operations on data.

Cloud cryptographic machine service
The cloud server cipher is a hardware cipher. It uses virtualization technology to generate multiple virtual ciphers (hereinafter referred to as VSMs) in one cipher on demand. Each VSM provides external key management and encryption consistent with common server ciphers. Cryptographic computing service (support SM1/SM2/SM3/SM4 algorithm). At the same time, the cloud server cryptographic machine uses security isolation technology to ensure the security isolation of keys between VSMs.



Key Management Service
Existing cloud service providers can provide basic encryption key schemes to protect cloud-based application development and services, or they can leave these protection measures to their users. As cloud service providers develop solutions that support robust key management, more work needs to be done to overcome barriers to adoption.

Data encryption (storage & transmission)
Encryption technology is used to protect the security of data during storage and transmission (link encryption technology). For storage technicians, the encryption schemes and technologies usually encountered are mainly the storage backend supporting encryption, such as encryption Disk or storage encryption. However, encryption technology is generally divided into application layer encryption (such as backup software, database), gateway layer encryption (such as encryption server, encryption switch, etc.) from the data encryption position, storage system encryption and encrypted hard disk technology.

The best compatibility is application layer encryption technology (many office software uses this encryption implementation), because this encryption scheme is imperceptible at the storage and network layers. I personally think that the application-layer encryption technology has greater significance and practical value, which can ensure the end-to-end security of the data, instead of only encrypting the data on the storage side or on the disk.



Data backup and recovery
data backup
Data backup is the basis of disaster recovery. It refers to the process of copying all or part of the data set from the hard disk or array of the application host to other storage media in order to prevent the system from operating errors or system failures causing data loss.

With the continuous development of technology and the massive increase in data, many enterprises have begun to adopt network backup. Network backup is generally achieved through professional data storage management software combined with corresponding hardware and storage devices. Enterprises can also extend the mirror disk to a place far away from the production machine through high-speed fiber channel lines and disk control technology. The mirror disk data is completely consistent with the primary disk data, and the update method is synchronous or asynchronous.

Data recovery exercise
When the storage medium is damaged or the data is invisible, unreadable, or lost due to personnel misoperation or operating system failure. Engineers use special means to read data that is invisible, unreadable, and unreadable under normal conditions.

Hardware failures account for more than half of all data accidental failures. Circuit failures caused by lightning strikes, high voltages, high temperatures, etc., mechanical failures caused by high temperature, vibration and collisions, and physical bad track sector failures caused by high temperature, vibration collisions, and aging storage media are common. Of course, there are accidental loss of damaged firmware BIOS information, etc. Of course, the data recovery of hardware failure is to first diagnose and prescribe the right medicine, first repair the corresponding hardware failure, and then repair other soft failures, and finally restore the data successfully.

Let’s get into it. In fact, data recovery is a relatively high-tech industry. Data recovery technicians need to have assembly language and software application skills, as well as electronic maintenance, mechanical maintenance, and hard disk technology.

Backup encryption
Data disaster tolerance
Data disaster recovery refers to the establishment of a remote data system. In order to protect data security and improve the continuous availability of data, enterprises must consider RAID protection, redundant structure, data backup, failure warning and other aspects, and copy the necessary files of the database to In the process of storing equipment, backup is the most important thing to consider in the system, although they are in the overall planning of the system.

Data desensitization
Data desensitization refers to data deformation of some sensitive information through desensitization rules to achieve reliable protection of sensitive privacy data. In the case of customer security data or some commercially sensitive data, the real data should be modified and used for testing without violating system rules. Personal information such as ID card number, mobile phone number, card number, customer number, etc. are required Perform data desensitization.

Data deletion
Baidu said that if there are errors or duplicate data in the table, a simpler and faster way is to select the data and then delete it. There are two types of data deletion: common data deletion methods and pseudo-column data deletion methods.

Pseudo column value delete data:



Sensitive data processing:

Encryption to ensure data privacy, using approved algorithms and long random keys;
Encrypted first, and then transmitted from the enterprise to the cloud provider;
Encryption should be maintained whether in transmission, static or in use;
The cloud provider and its staff cannot obtain the decryption key at all;
 

Although encryption is a basic technology that privacy experts agree that it is the cornerstone of security, cloud encryption has many difficulties. How to build a manageable, controllable and credible data security system around the full life cycle of big data in the cloud, deeply integrate big data security and cloud data applications, formulate top-level plans to ensure the healthy development of the cloud security industry, and become a big data application And major scientific issues in the field of security research.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.