How to avoid data loss and theft in the cloud computing age

Source: Internet
Author: User


Cloud users and cloud providers alike need to avoid data loss and theft. Today, encryption of personal and corporate data is strongly recommended and, in some cases, mandated by laws and regulations around the world. Cloud users expect their providers to encrypt their data so that it is protected no matter where it is physically stored. Similarly, cloud providers need to protect their users' sensitive data.

Strong encryption and key management is a core mechanism that cloud computing systems need in order to protect data. Although encryption by itself cannot prevent data from being lost, the safe harbor provisions in laws and regulations treat the loss of encrypted data as if no data had been lost at all. Encryption provides protection of the resource, while key management provides access control over the protected resource.

Confidentiality and integrity of encryption

The cloud environment is shared by multiple tenants, and the service provider has privileged access to the data in it. Therefore, confidential data stored in the cloud must be protected by a combination of access control, contractual liability, and encryption. Of these, encryption has the advantage of minimizing reliance on the cloud service provider and reducing dependence on the detection of operational failures.

Encrypting data in transit: Encrypting confidential data (credentials) transmitted over the network, such as credit card numbers, passwords, and private keys, is essential. Although a cloud provider's network may be more secure than an open network, it has its own particular architecture, is composed of many different components, and is shared by different organizations. Therefore, even inside a cloud provider's network, it is important to protect sensitive and regulated information while it is being transmitted. In general, this is equally straightforward to implement in SaaS, PaaS, and IaaS environments.

Encrypting data at rest: Encrypting data on disk or in a production database is important because it protects against a malicious cloud service provider, malicious neighbouring tenants, and abuse by certain kinds of application. For long-term archival storage, some users encrypt their own data and send only the ciphertext to the cloud data store; these customers keep and control the key themselves and decrypt the data whenever they need it. In an IaaS environment, data at rest is commonly encrypted with tools from a range of providers and third parties. Encrypting data at rest in a PaaS environment is generally more complex and requires the provider or a specially tailored device. Encrypting data at rest in a SaaS environment cannot be implemented directly by cloud users and has to be requested from the provider.

Encrypting data on backup media: This prevents misuse of media that are lost or stolen. Ideally, the cloud service provider implements this transparently; however, as the user and owner of the data, it is your responsibility to verify that this encryption is actually in place. One consideration for the cryptographic infrastructure is the lifetime of the data being processed. Beyond these common uses of cryptography, the particular attacks a cloud provider may face call for further analysis of how data in use, including data held in memory, can be encrypted.

Key Management

Existing cloud service providers may offer a basic encryption key scheme to protect cloud-based application development and services, or they may leave these protections to their users. Even as cloud service providers develop offerings that support robust key management, more work is needed to overcome the obstacles to adopting them. Standards now under development should resolve these issues in the near future, but that work is still ongoing. Key management in cloud computing presents many issues and challenges.

Protecting the key store: The key store must be protected like any other sensitive data, in storage, in transit, and in backups. Improper key storage can compromise all of the encrypted data.

Access to the key store: Access to the key store must be restricted to the entities that need a particular key. Policies are also needed to govern the key store, and role separation should be used to support access control: the entity that uses a given key must not be the entity that stores it.

Key backup and recovery: Losing a key means losing the data that key protects. Although this is an effective way to destroy data, accidentally losing the keys that protect mission-critical data can destroy a business, so a secure backup and recovery solution must be in place.

A number of standards and guidelines apply to key management in the cloud. The OASIS Key Management Interoperability Protocol (KMIP) is a new standard for interoperable key management in the cloud. The IEEE 1619.3 standard covers storage encryption and key management, especially for IaaS storage.

Recommendations

• Use encryption to separate data usage from data storage.

Keep the cloud service provider that holds the data separate from the party that manages the keys, establishing a chain of "separation". This protects both the cloud provider and the user, and avoids the conflicts that arise when the provider is legally required to hand over data.

• When encryption is agreed in the contract, ensure that it follows the relevant industry and government standards.

• Understand whether the cloud provider's facilities provide role management and segregation of duties.

• If the cloud provider must manage the keys, understand whether the provider defines a key management lifecycle: how keys are generated, used, stored, backed up, recovered, rotated, and deleted. Also find out whether every customer uses the same key or each customer has its own key family.

• Ensure that regulated and/or sensitive customer data is encrypted at rest, and that it is encrypted when transferred within the cloud provider's internal network. In an IaaS environment this is implemented by the cloud user; in a PaaS environment it is shared between the user and the provider; and in a SaaS environment it is done by the cloud provider.

• In an IaaS environment, understand how sensitive information and key material that is protected by conventional encryption may be exposed while it is in use. For example, virtual machine swap files and other temporary data storage locations may also need to be encrypted.
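As an added illustration of two of the recommendations above (the "separation" between the party holding the data and the party managing the keys, and the generate, use, store, rotate and delete lifecycle in the key management bullet), the following Go program is example code written for this page; it is not code from the original article or from any cloud provider. It implements envelope encryption: a hypothetical KeyCustodian holds the key-encryption keys (KEKs), the StoredObject type stands in for what the storage provider keeps, and every object is encrypted under its own data-encryption key (DEK), which is in turn wrapped by the current KEK. Rotate adds a KEK, Rewrap moves an object onto it by re-wrapping only the DEK, and Retire deletes a KEK, which shows that losing a key means losing the data it protects. The type and function names, the "kek-vN" identifiers and the sample record are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyCustodian holds the KEKs apart from the storage provider: it wraps DEKs, never data.
type KeyCustodian struct {
	keks    map[string][]byte // KEK ID -> 32-byte AES-256 key
	current string            // KEK ID used for all new wraps
}

// Rotate adds a new KEK and makes it current; old KEKs stay for unwrapping.
func (c *KeyCustodian) Rotate() string {
	if c.keks == nil {
		c.keks = map[string][]byte{}
	}
	id := fmt.Sprintf("kek-v%d", len(c.keks)+1)
	kek := make([]byte, 32)
	rand.Read(kek) // never fails (crypto/rand guarantee since Go 1.24)
	c.keks[id], c.current = kek, id
	return id
}

func (c *KeyCustodian) Retire(id string) { delete(c.keks, id) } // objects still wrapped under it are lost

// Wrap encrypts a DEK under the current KEK; the KEK ID is bound as AAD so it cannot be relabelled.
func (c *KeyCustodian) Wrap(dek []byte) (kekID string, wrapped []byte) {
	return c.current, seal(c.keks[c.current], dek, []byte(c.current))
}

// Unwrap recovers a DEK; it fails once the named KEK has been retired.
func (c *KeyCustodian) Unwrap(kekID string, wrapped []byte) ([]byte, error) {
	kek, ok := c.keks[kekID]
	if !ok {
		return nil, fmt.Errorf("KEK %q unavailable (retired or never issued)", kekID)
	}
	return open(kek, wrapped, []byte(kekID))
}

// StoredObject is all the storage provider holds; none of it decrypts without a KEK.
type StoredObject struct {
	KEKID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt (data owner): fresh DEK per object, AES-256-GCM over the data, DEK wrapped by the custodian.
func Encrypt(c *KeyCustodian, plaintext []byte) *StoredObject {
	dek := make([]byte, 32)
	rand.Read(dek) // the plaintext DEK lives only for the duration of this call
	kekID, wrapped := c.Wrap(dek)
	return &StoredObject{kekID, wrapped, seal(dek, plaintext, nil)}
}

// Decrypt needs both parties; tampering with either part fails authentication.
func Decrypt(c *KeyCustodian, obj *StoredObject) ([]byte, error) {
	dek, err := c.Unwrap(obj.KEKID, obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, obj.Ciphertext, nil)
}

// Rewrap moves an object onto the current KEK: only the small wrapped DEK changes, never the ciphertext.
func Rewrap(c *KeyCustodian, obj *StoredObject) error {
	dek, err := c.Unwrap(obj.KEKID, obj.WrappedDEK)
	if err != nil {
		return err
	}
	obj.KEKID, obj.WrappedDEK = c.Wrap(dek)
	return nil
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // wrong-sized or missing key: a programming error, not bad input
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}

// seal returns nonce || AES-GCM(key, nonce, plaintext, aad); open reverses it.
func seal(key, plaintext, aad []byte) []byte {
	aead := gcm(key)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // fresh random nonce per seal; never reused with the same key
	return aead.Seal(nonce, nonce, plaintext, aad)
}
func open(key, sealed, aad []byte) ([]byte, error) {
	aead := gcm(key)
	if ns := aead.NonceSize(); len(sealed) >= ns {
		return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}
```

Because the storage side holds only the ciphertext, the wrapped DEK and a KEK identifier, a breach or a legal demand on that side yields nothing readable without the custodian, and rotating a KEK costs one small re-wrap per object instead of re-encrypting the data. The converse also follows: once a KEK is retired, anything still wrapped under it is gone, which is why the key store's backup and recovery deserve the same care as its secrecy. Rotate must be called once before Wrap or Encrypt; the package is meant to be driven from a test or a caller.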

Summary

Strong encryption and key management is a core mechanism that cloud computing systems need in order to protect data. Encryption provides protection of the resource, while key management provides access control over the protected resource. Encryption and key management therefore play an important role in cloud computing security. To prevent sensitive data from being easily accessed by malicious users, it is not enough to strictly restrict access to the data; the data must also be encrypted, because with a strong encryption algorithm the encrypted data becomes very difficult to crack. This ensures that even when data is stolen, the important information in it cannot easily be extracted and used by malicious users. The keys, moreover, are the equivalent of authentication credentials for specific operations in the cloud computing process, so key management directly determines whether authentication in the cloud can function properly.

(Responsible editor: Liu Fen)
