1. Security of data in the cloud
The encryption component of the application layer is the core function of cloud security. To ensure that nobody outside the enterprise (including the cloud provider) can view or access the data, the enterprise can encrypt all of it at the moment it leaves the enterprise's security environment and enters the cloud service provider's environment, with only the enterprise holding the key.
2. How tenants store and use cloud data
·IaaS database (tenant self-built database)
The cloud service provider supplies computing infrastructure; after purchasing the service, users install their own operating system and database. At present the mainstream cloud providers offer this kind of service through purchased virtual machines. Because the database is self-installed, the cloud provider cannot read its contents directly. However, the database's data files sit on storage supplied by the cloud provider, and the provider can obtain the data simply by copying those files.
·SaaS database:
The cloud service provider supplies tenants with a packaged database. Users purchase the database service, obtain the right to use a database instance, and store and use their own data in it. Most cloud providers currently offer this kind of database service. In this scenario the cloud provider holds root on the database host OS and therefore the highest database privilege, and can operate on all of the tenant's data directly and without difficulty.
·SaaS application:
Tenants access data through an application service supplied by the cloud service provider, for example an online CRM or an online OA system: the tenant rents the service and enters and uses data through it. The tenant uses the service directly by opening a browser or an app, and all data travels between the web front end or app and the back-end database. In this case the tenant loses control of the data entirely: the SaaS provider can easily obtain the tenant's information, and whether the cloud platform provider can obtain the data depends entirely on the data protection measures of the SaaS provider.
3. Cloud data encryption
Data encryption is an effective answer to the threat to cloud data. To be secure, the encryption must be independent of the cloud platform; that is, the encryption mechanism cannot be supplied by the cloud platform itself, unless it can be proved that the secret key is completely invisible to the platform. There are three approaches: the cloud encryption database, the cloud database encryption gateway (CDSB), and the cloud access encryption gateway (CASB).
1) Cloud encryption database
Use a database or database engine with built-in encryption. The database encrypts data as it writes it to file and decrypts it on read. Once the data files are encrypted, user data can no longer be stolen simply by copying the files.
This method usually offers relatively high performance and transparency, and fully supports triggers, stored procedures and other database features. Its disadvantage is that the protection is limited: the database superuser's right to read data cannot be restricted. It is also not generally applicable, being suitable only for the tenant self-built database in the IaaS form.
2) Cloud database security broker (CDSB)
The CDSB cloud data encryption gateway acts as the single entry and exit point of the database. All data is encrypted before being written to the database and decrypted when read back. Plaintext is obtained only by accessing the database through the gateway; reading the data directly, bypassing the gateway, yields only ciphertext.
This encryption method is highly general and suits both the SaaS database and the IaaS database. It provides a unified secondary authentication mechanism for the database, which effectively prevents the cloud platform provider from accessing the real data, so its security is good. For performance, the encryption gateway uses SQL rewriting and provides a ciphertext index to improve overall system performance.
3) Cloud access security broker (CASB)
The CASB application encryption gateway is placed mainly at the egress of an enterprise's or individual's internal network. It encrypts outgoing data and decrypts incoming data.
This encryption method need not consider the database type behind the application, so it is even more general, and because encryption and decryption are processed in a distributed way its overall performance is high. If the encryption is strong enough, it is in theory secure. However, to keep the encrypted data retrievable and format-compatible, the strength of the encryption algorithm has to be reduced.
4. Comparison between CDSB and CASB
From the above analysis, both the CDSB database encryption gateway and the CASB application encryption gateway offer high security. This section compares the two further in terms of applicability and security.
1) Applicability
CDSB is suitable for every kind of cloud data usage, while CASB is suitable only for SaaS applications. Since both methods apply to SaaS applications, the following sections compare their security in the SaaS application environment.
2) Performance against statistical analysis attacks
The CDSB database encryption gateway can adopt a variety of encryption algorithms, including national standard encryption algorithms. It also supports high-strength encryption with a random salt value, so that encrypting the same plaintext twice yields different results. This makes the ciphertext secure against statistical analysis attacks.
To maintain compatibility with the application system, the CASB encryption gateway is limited in its choice of encryption algorithm. For example, to keep encrypted numeric types compatible, format-preserving encryption (FPE) has to be adopted, and the security of this method has not been approved by the authoritative department. Moreover, to keep encrypted data retrievable, and because there is no way to build a ciphertext index directly in the database, the ordering relationship, positional information and statistical characteristics of the content must be kept consistent before and after encryption.
Therefore the encryption strength of the CASB encryption gateway is far below that of the CDSB database encryption gateway.
3) Possibility of direct disclosure of plaintext
In CDSB mode, plaintext data is directly exposed at the application server and at the front-end browser/app. In CASB mode, plaintext is directly exposed only at the front-end browser/app, which means all of a tenant's data can still be exported from the app side. Since the application server and the app are essentially the same application system, when the SaaS service is delivered in app mode the plaintext leakage risk of CDSB and CASB is equivalent. Only when the service is delivered in Web mode is CASB's plaintext leakage risk lower than CDSB's.
In fact, the above analysis shows that there is no absolutely secure data encryption method for the SaaS service mode.
5. Using a database encryption gateway to encrypt the data of a SaaS service
In a SaaS service, the data of many tenants is stored in one large table at the back end of the service, distinguished and "isolated" only by a tenant ID. To isolate the data of different tenants cryptographically, the CDSB database encryption gateway can be used to achieve encryption isolation in addition to CASB.
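The following is an added example, not code from the article or from any CDSB or CASB product. It illustrates two points made above in one runnable script: the statistical-analysis comparison of section 4.2 (a deterministic scheme, as format-preserving or searchable encryption must be, lets an observer of the stored column recover value frequencies, while randomized encryption with a fresh salt does not) and the shared-table isolation of section 5 (a gateway keyed per tenant stores only ciphertext in the shared table, so a direct read by the platform operator yields nothing and a row decrypted under another tenant's key is rejected). Everything is constructed for the demo: the master key, tenant IDs, sample rows and the table name `crm_contacts` are placeholders, and the HMAC-SHA256 counter-mode stream cipher with an HMAC tag is a standard-library stand-in for the AES or national algorithms a real gateway would use.

```python
"""Added example: gateway-side column encryption for a shared multi-tenant table.
The HMAC-SHA256 stream cipher stands in for AES/SM4; keys, tenants and rows are
constructed for the demo and are not from the article or any product."""
import hashlib
import hmac
import os
import sqlite3
from collections import Counter

# Constructed master key. In a real deployment it lives in the tenant's own
# KMS/HSM so the cloud platform never sees it, which is the article's core point.
MASTER_KEY = bytes(range(32))

# Constructed column values: 7 of one value, 3 of another.
SAMPLE_VALUES = ["male"] * 7 + ["female"] * 3


def tenant_key(master: bytes, tenant_id: str) -> bytes:
    """Derive a per-tenant data key so one tenant's rows are unreadable under another's key."""
    return hmac.new(master, b"tenant-key:" + tenant_id.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (stand-in for AES-CTR)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes, deterministic: bool = False) -> bytes:
    """Encrypt-then-MAC. Randomized mode draws a fresh 16-byte salt (nonce) per call.
    Deterministic mode derives the nonce from the plaintext (SIV-style), so equal
    plaintexts give equal ciphertexts: this is what searchability requires and
    exactly what leaks frequencies to a statistical-analysis attack."""
    if deterministic:
        nonce = hmac.new(key, b"siv:" + plaintext, hashlib.sha256).digest()[:16]
    else:
        nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong tenant key or a modified row is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def largest_ciphertext_class(values, deterministic: bool) -> int:
    """Size of the biggest group of identical ciphertexts visible in the stored column.
    Equals the most common plaintext's frequency (7) when deterministic; 1 when
    randomized, so frequencies tell the observer nothing."""
    key = tenant_key(MASTER_KEY, "stats-demo")
    blobs = [encrypt(key, v.encode(), deterministic) for v in values]
    return Counter(blobs).most_common(1)[0][1]


def gateway_insert(db, tenant_id: str, name: str, phone: str) -> None:
    """The gateway encrypts sensitive columns before the INSERT reaches the cloud DB."""
    key = tenant_key(MASTER_KEY, tenant_id)
    db.execute("INSERT INTO crm_contacts VALUES (?, ?, ?)",
               (tenant_id, encrypt(key, name.encode()), encrypt(key, phone.encode())))


def gateway_select(db, tenant_id: str):
    """The gateway decrypts on the way back, using only the requesting tenant's key."""
    key = tenant_key(MASTER_KEY, tenant_id)
    rows = db.execute("SELECT name, phone FROM crm_contacts WHERE tenant_id = ?",
                      (tenant_id,)).fetchall()
    return [(decrypt(key, n).decode(), decrypt(key, p).decode()) for n, p in rows]


def demo() -> dict:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE crm_contacts (tenant_id TEXT, name BLOB, phone BLOB)")
    gateway_insert(db, "tenant-a", "Alice", "138-0000-0001")  # constructed rows
    gateway_insert(db, "tenant-b", "Bob", "139-0000-0002")

    # What an operator with root on the DB host sees without the gateway: ciphertext only.
    raw = [r[0] for r in db.execute("SELECT name FROM crm_contacts")]
    direct_read_exposes_plaintext = any(b"Alice" in r or b"Bob" in r for r in raw)

    # A request keyed for tenant-b cannot decrypt tenant-a's row even if it reaches
    # it (for example through a query that forgot the tenant_id filter).
    blob_a = db.execute("SELECT name FROM crm_contacts WHERE tenant_id='tenant-a'").fetchone()[0]
    try:
        decrypt(tenant_key(MASTER_KEY, "tenant-b"), blob_a)
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True

    return {
        "tenant_a_via_gateway": gateway_select(db, "tenant-a"),
        "tenant_b_via_gateway": gateway_select(db, "tenant-b"),
        "direct_read_exposes_plaintext": direct_read_exposes_plaintext,
        "wrong_key_rejected": wrong_key_rejected,
        "deterministic_largest_class": largest_ciphertext_class(SAMPLE_VALUES, True),
        "randomized_largest_class": largest_ciphertext_class(SAMPLE_VALUES, False),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows the trade-off the article describes: the deterministic column reproduces the plaintext frequency (a class of 7) that an observer can match against public statistics, while the randomized column gives classes of size 1, and the shared table holds only ciphertext that decrypts correctly only under the owning tenant's key. The price of the randomized mode is the one the article names for CDSB: equality searches and indexes over the column have to be provided by the gateway (for example through a separate ciphertext index) rather than by the database itself.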