Technical Route of Cloud Data Security

Source: Internet
Author: User
Keywords cloud cloud data cloud data security
From the perspective of regulatory compliance and corporate and personal sensitive information protection, compared to private cloud environments and traditional corporate IT environments, data in public and hybrid cloud environments are facing unprecedented security challenges from the open environment and cloud operation and maintenance service environment . The author believes that grasping the main contradiction, the most thorough and effective encryption protection is carried out around the core sensitive data. Typical sensitive data includes ID number, name, address, bank card, credit card number, social security number, etc., as well as the core of the enterprise Asset data. In this view, the author proposes a technical route based on encryption protection:

Based on sensitive data encryption
With a safe, reliable, and comprehensive key management system as the core
Separation of powers and sensitive data access control are the main means
Auxiliary database firewall, data desensitization, auditing and other boundary systems to standardize and monitor data access behavior
Cloud data (database) security model and architecture
To realize the technical route based on sensitive data encryption, the most important thing is "who controls and where to manage the key"; at the same time, it is necessary to solve the cost of system operation efficiency, system deployment and transformation caused by data encryption protection and key management. , The impact of automated operation and maintenance and other issues. In this regard, Amazon AWS's solution uses multiple key management models:

Model A: The encryption method, key storage, and key management are all controlled by the user. Typically, the entire KMS [2] (key management system) is deployed in the user's data center.
Model B: The encryption method is the same as that in Model A, the difference is that the key is stored in the cloud KMS instead of the data center on the user side.
Model C: This model provides complete server-side encryption. The encryption method and key management are transparent to users.


Core mechanism security
The storage and management of the model A key is completely in the hands of the user. The "cloud" cannot obtain the key or encrypt and decrypt the user's data. The security is the best
Model B KMS is responsible for generating and storing keys, and responsible for encryption and decryption operations; but not responsible for key lifetime management, access control, key rotation, etc. The security of keys is guaranteed by cloud KMS
Model C is entirely server-side encryption, which is transparent to users. Data security is completely guaranteed by cloud security
Around the three security models, data encryption protection can be implemented on multiple layers—multi-layer data encryption protection architecture, as follows:

1. Disk encryption: Block-Level encryption technology is used, which requires cloud storage volumes to use the Block storage mechanism, such as AWS's EBS[3], Alibaba Cloud's ECS[4], etc. The biggest advantage of this encryption is that it is transparent to the operating system.

2. File encryption: By stacking on other file systems (such as Ext2, Ext3, ReiserFS, JFS, etc.), it provides transparent, dynamic, efficient and secure encryption functions for applications. Typically, it is used to encrypt the specified directory. It is important to note that this encryption method may cause a large performance loss.

3. Database encryption: (1) Take Amazon AWS's RDS[5] as an example. The typical database transparent encryption provided by DBMS[6] is used to automatically encrypt database tablespace data, and key management is also provided by DBMS Implementation of API or components, application transparency. Since RDS does not open the disks used by RDS to store data, the aforementioned "transparent" disks and file encryption technologies cannot be used on RDS. (2) For the DBMS that users deploy and use on the cloud, they can use the products provided by third-party professional database encryption vendors, such as the database safe DBCoffer of Anhua Jinhe, which can provide application-transparent column-by-column encryption capabilities and independent keys. Management, separation of powers, static data masking capabilities.

4. Application layer encryption: protect users' sensitive data in real time before the data reaches the database and RDS, or even before it is sent to the cloud; the key here is to provide good application transparency to ensure that most applications do not need to be modified. Cloud users (enterprises) do not need to trust cloud computing providers to protect the company's data security. Data security is controlled by the enterprise itself.

5. Key management and encryption and decryption components: As the core component of data encryption protection, KMS is responsible for key generation, management and destruction, and provides encryption and decryption capabilities; at the same time, it provides key lifecycle management and open API interfaces as needed .

In summary, cloud users (enterprises) can choose suitable cloud data security models and corresponding data security technologies (products) according to their own security compliance requirements to encrypt and protect sensitive data.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.