Development of zero trust security model in cloud computing

Keywords: cloud computing, cloud security

In June 2013, the exposure of classified files on the surveillance programs of the U.S. National Security Agency (NSA) rekindled fears about corporate data stored in the cloud.

However, the exposure of the NSA surveillance program has not stopped enterprises from adopting managed services for fear of data breaches. Instead, it has prompted enterprise users and cloud service providers to reform their internal security and privacy protection strategies and to enhance the security of cloud data. This is what businesses and suppliers should have done already, but had not.

When Edward Snowden first leaked the NSA monitoring program to the media, industry analysts expected the leak to bring a big change to cloud computing deployment. For example, in August 2013, the Information Technology and Innovation Foundation (ITIF) said exposure of the NSA surveillance program would result in US cloud computing providers losing 10% to 20% of their overseas market share, or $35 billion in potential sales by 2016.

Based on the concerns of European companies about U.S. government data collection, another industry group, the Cloud Security Alliance (CSA), also predicted the impact this concern would have on US cloud service providers. About six months later, the impact of the exposure has arrived, but it is not as serious as predicted. Although there are reports that US cloud service providers face a sluggish overseas market, some experts predict that the Snowden leak will have only a minor impact on the long-term sales of US cloud service providers, because the business benefits of using cloud services will gradually erode the fear of U.S. government monitoring.

At the same time, as the details of the NSA monitoring project are exposed, awareness of the security of cloud data is growing and will rise to a high level in 2014. The Snowden leaks also made it clear that enterprises have little control over the data they store in the cloud. Richard Stiennon, head of consulting firm IT-Harvest, said: "There will be a fundamental shift in the zero-trust security paradigm in cloud computing that will enable businesses to strengthen cloud-based security measures, so that whenever data is transferred from the enterprise to the cloud, or downloaded from the cloud to any part of the enterprise, gaps that result in enterprise data leakage are avoided as far as possible."

Analysts said corporate security officers are preparing to improve enterprise cloud security on a few major fronts, including data encryption, ownership of keys and data, regionalization, and improved government transparency.

Data Encryption

Since the Snowden leak, data encryption has attracted great attention. Major cloud service providers, such as Microsoft, Yahoo and Google, apply end-to-end encryption to the user data that they host and manage.
For example, Google Cloud Storage can now automatically encrypt new data written to disk, and this server-side encryption will soon be applied to old data stored on Google Cloud to keep all data secure. Since the announcement of the NSA surveillance project, Microsoft has announced a new plan to strengthen encryption across various services, including Outlook.com, Office 365, SkyDrive and Windows Azure. By the end of 2014, Microsoft wants to have a suitable way to encrypt data transmitted between users and Microsoft data centers, as well as data transmitted between its data centers. Microsoft said it wants to encrypt all the data stored on the Microsoft cloud, as Google does.

Other cloud service providers, such as Dropbox, Sonic.net and SpiderOak, have also announced plans to implement similar data encryption projects and to support 2048-bit key lengths along with "perfect forward secrecy" for future data encryption. Experts say these approaches are crucial to protecting the data transmitted between enterprise users and data providers. Information in the classified documents about NSA attempts to weaken encryption algorithms, and to tap the fiber links connecting service provider data centers to obtain user data, provided much of the impetus for these efforts.

Key Management and Data Ownership

The controversial dispute between the U.S. government and Lavabit raises major concerns about key management and data ownership. Lavabit is a secure e-mail service provider from which the government requested data keys. Eric Chiu, president of HyTrust, a cloud-based infrastructure management company, said: "Encryption by cloud service providers is really an important way to improve cloud security, but they do just that."

"Data encryption will be secure only if its key management system is secure," Chiu said. "When cloud providers use encryption, users need to be clear: vendors are likely to steal user data if they hold the data keys, or give the key to someone if someone wants it."

This concern has spurred interest in protecting cloud security by allowing business users of cloud services to own their data keys and to understand the key management procedures for data at rest, data management and data transfer. More and more cloud computing providers, such as Vaultive, CipherCloud, TrendMicro and HyTrust, provide tools that give corporate users greater control over their own data while using cloud-hosted infrastructure and services. For example, CipherCloud offers a gateway technology that lets business users encrypt data that is transmitted to and stored in the cloud. At the same time, this gateway allows businesses to store keys locally and manage the encrypted data stored in the cloud. With this technology, government agencies can only get data through the owner of the data, which rules out the cloud service provider handing over the key to a government department without the data owner's knowledge.

Security experts have long proposed the use of persistent, stable encryption to secure data in the cloud, but so far adoption of this approach is still low due to the high cost and complexity of key management. This situation is changing. Chiu predicts: "For compliance and internal goals, some organizations require real data privacy, and we'll also see these businesses enforcing encryption and storing keys inside the enterprise." Vaultive, CipherCloud and other cloud service providers said demand from business users for the technology they provide has increased significantly due to the exposure of the NSA surveillance scandal.

Regionalization

The Snowden leaks can also accelerate the regionalization of cloud computing services.
Concerns about data hosted on servers and cloud infrastructure located in the United States have led business users, especially those outside the United States, to want services from cloud service providers closer to their own businesses. Companies in China and across Asia and Africa in particular have been very worried about US cloud service providers and the technologies they provide since the announcement of the NSA surveillance program, Stiennon said. Many businesses are starting to opt for hosting services from suppliers outside the United States or from local vendors. Stiennon said: "I do not like to use the word 'Balkanization,' but the world's cloud computing providers now do show a decentralized phenomenon."

In the past few years, hundreds of small public cloud service providers have sprung up in different parts of the world to serve their local markets. According to Stiennon, many of these suppliers will benefit from the Snowden leak. In the meantime, major cloud service providers based in the United States will also set up service operations around the world to reduce shipping costs and provide better service to local users, according to Lawrence Pingree, an analyst at Gartner. For example, in December 2013, Amazon announced that it would bring its AWS public cloud services to China in 2014. The plan includes Amazon installing cloud servers in China to provide hosting services to Chinese businesses. Pingree said: "Many cloud service providers and SaaS providers are implementing regionalization to improve agility and product performance." Pingree said the high level of focus on security will speed up the use of regional data centers.

Enhancing Transparency

Frustrated by Snowden's leaks, people are also asking the government to increase transparency and to give people more access to information about the data it collects. Google, Microsoft, Yahoo! and a host of other tech providers are putting pressure on the government to allow them to release details of the user data requests they receive from the NSA and other intelligence agencies. The companies said their role in the government's stealing of user data has been misunderstood because the law prohibits them from disclosing details of the NSA's user data requests. Executives from companies such as Google, Apple, Facebook and Microsoft all wrote letters to President Obama urging the government to reform its surveillance and transparency. This is unprecedented in the United States.

Google, Microsoft and others plan to provide more details on government data collection in their regularly released transparency reports, and the companies also said they will actively and legitimately challenge the government's requests for data. Analysts said that telcos, although significantly slower than these cloud service providers to respond to government data collection, will have similar plans in the future. For example, Verizon, a U.S. telecommunications company, said it will soon release a transparency report giving details of law enforcement agencies' requests for user data.

In December 2013, Brad Smith, Microsoft's general counsel, wrote in a blog: "Government surveillance combined with sophisticated malware and cyber attacks have created a 'high-profile, ongoing threat.'" Except in some very restricted circumstances, Smith said, Microsoft will fight government requests for its cloud user data in the future. Smith said: "We think government departments can go directly to business users or government users to get every employee's information and data, just as they did before the user data moved to the cloud, rather than going through us, the cloud service provider, to get the data."
