Encryption and data security based on cloud computing

More and more different cloud computing applications are creating a "golden" that stores data encryption engineers. Encryption has always been an important security tool, but in most cases we have not used this tool frequently to protect stored data. This has changed since the advent of cloud computing and the impact of numerous public data leaks.


　　


Currently, the reason for using cloud computing encryption may not be as you think. The most common idea is that your cloud services administrator should protect your data (mainly public cloud computing). There is no doubt that the cloud vendor that is salivating over your data is a potential risk, but for most people this may be a small risk. This also gives us the illusion that private cloud computing data does not need to be encrypted.


　　

The reason for
to implement cloud computing encryption is that there are two main reasons for the common reasons for encrypting data (whether in or out of the cloud):


　　


1. Cloud computing is managed by APIs rather than physical access. Therefore, if someone gains administrative access to the management platform, they can easily replicate and move large amounts of data, which is simply not possible in the traditional infrastructure. All that is needed is just a not-strong management system to steal your entire cloud-based data center.


　　


2. Even private cloud computing is a multi-tenant feature. Encryption allows you to keep your data at a safe distance from other users, even administrators. It allows you to use a more open shared infrastructure while also protecting your own data, assuming you have to operate correctly.


　　


for these reasons, let's look at two types of IaaS storage methods and how they should be encrypted for IaaS security.


　　


Cloud Computing Cryptography: Object storage is first object storage, such as AmazonS3 or Openstackswift. Object storage is a file/object library. You can think of it as a file server or a hard drive. Although you can configure most of your object storage systems and encrypt all of the data they store, this is a one-sided way to prevent drive loss, not to protect your files from outsiders.


　　


To protect your files in a shared library, you need to use a schema that I call "virtual private storage." Just as a virtual private network (VPN) allows us to encrypt private data and use a public network, virtual private storage allows us to protect private data in a public storage device.


　　

The
principle is fairly straightforward: encrypt your data before sending it to the cloud. Depending on your actual work, this step can be performed automatically in the proxy/application that you use to access the object store. For example, I use Dropbox, which stores files in S3, to protect sensitive files by storing them in the encrypted volume label that is stored in the service. Only I have the key, so my data is secure.


　　


Cloud Computing Encryption: Volume label storage below, let's talk about volume label storage, such as Amazonebs or rackspaceraid. You use this storage system when you run a long-term computing instance in cloud computing. They simulate a normal hardware label, and then we use a similar technique to encrypt it.


　　


the first method is to encrypt the volume label associated with your instance. Your instance is not encrypted (the situation is more complex for the boot label), but your sensitive data is stored in the encrypted volume label associated with the instance. There are many tools that support this feature, and they don't even have to make any special changes to cloud computing. For further security, you can store your keys outside your instance (I'm sorry, given the limited space, I'll explain this in future articles).


　　


Another method is to use a special encryption agent, which is between a computed instance and a storage volume label or a second instance for a file server. This approach is useful when you have a bunch of instances connected to the same storage or need to simulate more types than the one supported by the tools in the instance. These agents are generally mature products and are basically virtual devices that run in your cloud computing environment.


　　


Finally, for private cloud computing or hybrid cloud computing, you can use external management encryption tools, which may be physical hardware. In addition, these mature commodities are useful for leveraging existing cryptographic investments or more complex subordinates.