From the perspective of regulatory compliance and of protecting corporate and personal sensitive information, data in public and hybrid cloud environments face unprecedented security challenges, compared with private clouds and traditional corporate IT environments, both from the open environment itself and from the cloud operations and maintenance service environment. The author believes that, to grasp the main contradiction, the most thorough and effective encryption protection is the protection built around the core sensitive data. Typical sensitive data include ID numbers, names, addresses, bank card and credit card numbers, social security numbers and the like, as well as the enterprise's core asset data. On this view, the author proposes a technical route based on encryption protection:
Sensitive data encryption as the foundation
A safe, reliable and comprehensive key management system as the core
Separation of powers (separation of administrative duties) and sensitive-data access control as the main means
Database firewall, data masking (desensitization), auditing and other boundary systems as auxiliaries that standardize and monitor data access behavior
Cloud data (database) security model and architecture
To realize a technical route based on sensitive data encryption, the most important question is "who controls the key, and where is it managed"; at the same time, the costs that data encryption protection and key management impose on system operating efficiency, on system deployment and modification, on automated operation and maintenance, and on other such issues must be addressed. In this regard, Amazon AWS's solution offers multiple key management models:
Model A: The encryption method, key storage and key management are all controlled by the user. Typically, the entire KMS [2] (key management system) is deployed in the user's own data center.
Model B: The encryption method is the same as in Model A; the difference is that the key is stored in the cloud KMS instead of in the user's data center.
Model C: This model provides complete server-side encryption. The encryption method and key management are transparent to the user.
Core mechanism security
Model A: key storage and management are entirely in the user's hands. The "cloud" can neither obtain the key nor encrypt or decrypt the user's data. Its security is the strongest of the three.
Model B: the cloud KMS is responsible for generating and storing keys and for performing encryption and decryption operations, but not for key lifetime management, access control, key rotation and so on. The security of the keys is guaranteed by the cloud KMS.
Model C: entirely server-side encryption, transparent to the user. Data security is guaranteed entirely by the cloud provider's security.
Around these three security models, data encryption protection can be implemented at multiple layers, giving a multi-layer data encryption protection architecture, as follows:
1. Disk encryption: uses block-level encryption, which requires the cloud storage volumes to use a block storage mechanism, such as AWS's EBS[3] or Alibaba Cloud's ECS[4]. The biggest advantage of this encryption is that it is transparent to the operating system.
2. File encryption: stacked on top of another file system (such as Ext2, Ext3, ReiserFS or JFS), it provides transparent, dynamic, efficient and secure encryption for applications. Typically it is used to encrypt specified directories. Note that this encryption method may cause a large performance loss.
3. Database encryption: (1) Take Amazon AWS's RDS[5] as an example. The typical transparent database encryption provided by the DBMS[6] automatically encrypts tablespace data, and key management is likewise implemented through the DBMS's API or components, transparently to applications. Since RDS does not expose the disks on which it stores data, the "transparent" disk and file encryption techniques above cannot be used on RDS. (2) For a DBMS that users deploy and operate themselves on the cloud, products from third-party professional database encryption vendors can be used, such as Anhua Jinhe's database safe DBCoffer, which provides application-transparent column-by-column encryption, independent key management, separation of powers, and static data masking.
4. Application-layer encryption: sensitive data is protected in real time before it reaches the database or RDS, or even before it is sent to the cloud. The key point here is good application transparency, so that most applications need no modification. Cloud users (enterprises) then do not need to trust the cloud provider to protect the company's data; data security is controlled by the enterprise itself.
5. Key management and encryption/decryption components: as the core component of data encryption protection, the KMS is responsible for key generation, management and destruction and provides encryption and decryption capabilities; it also provides key lifecycle management and open API interfaces as needed.
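The following Go program is an added illustration of points 4 and 5 above and of the "who controls the key" question behind Models A and B; it is not code from the article, from AWS, or from any vendor named here. It implements application-layer envelope encryption: each record gets its own data key (DEK) that encrypts the sensitive columns with AES-GCM, and the DEK is wrapped by a master key (KEK) held behind a KeyWrapper interface. The in-memory localKEK is a constructed stand-in for whoever holds the master key (the enterprise's own KMS in Model A, a cloud KMS in Model B); the record values are constructed samples. The column name is used as GCM associated data, so a ciphertext cannot be moved between columns, and rotating the KEK only re-wraps the DEK without touching the stored ciphertexts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyWrapper is the boundary behind which the master key (KEK) lives.
// In Model A this is the enterprise's own KMS; in Model B a cloud KMS.
type KeyWrapper interface {
	Wrap(dek []byte) ([]byte, error)
	Unwrap(wrapped []byte) ([]byte, error)
	KeyID() string
}

// localKEK is a constructed in-memory master key standing in for a real KMS.
type localKEK struct {
	id  string
	key []byte // 32-byte AES-256 key, never leaves this struct
}

func newLocalKEK(id string) (*localKEK, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &localKEK{id: id, key: k}, nil
}

func (l *localKEK) KeyID() string                      { return l.id }
func (l *localKEK) Wrap(dek []byte) ([]byte, error)    { return gcmSeal(l.key, dek, []byte(l.id)) }
func (l *localKEK) Unwrap(w []byte) ([]byte, error)    { return gcmOpen(l.key, w, []byte(l.id)) }

// gcmSeal encrypts with AES-GCM; the random 12-byte nonce is prepended to the output.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	g, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal and fails on any tampering or wrong AAD.
func gcmOpen(key, data, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	g, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if len(data) < g.NonceSize() { return nil, fmt.Errorf("ciphertext too short") }
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], aad)
}

// EncryptedRecord is what is sent to the cloud database: sensitive columns are
// ciphertext, plus the wrapped DEK and the id of the KEK that wrapped it.
type EncryptedRecord struct {
	Name       string            // non-sensitive, stored in clear
	Fields     map[string][]byte // column name -> AES-GCM ciphertext
	WrappedDEK []byte
	KEKID      string
}

// EncryptRecord generates one DEK per record and binds each ciphertext to its column name.
func EncryptRecord(kw KeyWrapper, name string, sensitive map[string]string) (*EncryptedRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return nil, err }
	rec := &EncryptedRecord{Name: name, Fields: map[string][]byte{}, KEKID: kw.KeyID()}
	for col, val := range sensitive {
		ct, err := gcmSeal(dek, []byte(val), []byte(col))
		if err != nil { return nil, err }
		rec.Fields[col] = ct
	}
	wrapped, err := kw.Wrap(dek)
	if err != nil { return nil, err }
	rec.WrappedDEK = wrapped
	return rec, nil
}

// DecryptField unwraps the DEK through the key holder and decrypts one column.
func DecryptField(kw KeyWrapper, rec *EncryptedRecord, col string) (string, error) {
	if kw.KeyID() != rec.KEKID {
		return "", fmt.Errorf("record wrapped under KEK %q, holder has %q", rec.KEKID, kw.KeyID())
	}
	dek, err := kw.Unwrap(rec.WrappedDEK)
	if err != nil { return "", err }
	ct, ok := rec.Fields[col]
	if !ok { return "", fmt.Errorf("no such column %q", col) }
	pt, err := gcmOpen(dek, ct, []byte(col))
	if err != nil { return "", err }
	return string(pt), nil
}

// RotateKEK re-wraps the DEK under a new master key; column ciphertexts are untouched.
func RotateKEK(oldKW, newKW KeyWrapper, rec *EncryptedRecord) error {
	dek, err := oldKW.Unwrap(rec.WrappedDEK)
	if err != nil { return err }
	w, err := newKW.Wrap(dek)
	if err != nil { return err }
	rec.WrappedDEK, rec.KEKID = w, newKW.KeyID()
	return nil
}

func main() {
	kek, _ := newLocalKEK("enterprise-kek-v1")
	rec, _ := EncryptRecord(kek, "Zhang San", map[string]string{
		"id_number": "110101199001011234", // constructed sample values
		"bank_card": "6222020000000000001",
	})
	v, _ := DecryptField(kek, rec, "bank_card")
	fmt.Println("decrypted bank_card:", v)
}
```

Swapping KeyWrapper for a client of a real KMS (the AWS KMS Encrypt/Decrypt calls, or an on-premises HSM) moves the design between Model A and Model B without changing how the records are encrypted; only the Wrap and Unwrap calls cross the trust boundary, and the cloud database never sees a plaintext DEK.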
In summary, cloud users (enterprises) can choose the cloud data security model and the corresponding data security technologies (products) that suit their own security and compliance requirements, and use them to encrypt and protect sensitive data.