Simple data encryption is not the only solution to rely upon in cloud data security. It can be met by applying existing security techniques and following sound security practices. The prospective cloud adopters definitely would have security concerns with the storing and processing of data in a public, hybrid, or in a community cloud. When it comes to data protection in the cloud, authentication, identity, access control, encryption, secure deletion, integrity checking, and data masking are all the techniques applicable to cloud computing.
Data Protection Controls in the Cloud
Authentication and Identity
Authentication of users may take several forms like a password, a security token, or some measurable quality that is intrinsic to them, such as a fingerprint. Single-factor authentication is based only on one authentication factor, whereas, multiple-authentication-factor (MAF) is usually a secure two-step identity authentication like the use of a password and a one-time password (OTP) SMS. Federated-Identity-Management OR FIM could efficiently be utilized by more than one firm, which allows subscribers to use the same identification for obtaining access to all the networks of the group enterprises. Then, there is the Single sign-on (SSO), which lets the user login to multiple applications while authenticating only once.
Access Control Techniques
The access Control mechanism is the key, wherein maintaining a complex IT environment becomes easy that supports the separation and integrity of different levels. It, together with other cloud security protocols, work towards securing the cloud data. The most common types of this technique are as follows for data protection:
- Discretionary Access Control (DAC): In this, the owner of the object decides who will have access and the privileges they will have.
- Role-Based Access Control (RBAC): Here, the access policy is determined by the system, and a subject can access a particular document or file or execute a function only if their set of permissions or role allows it.
- Mandatory Access Control (MAC): In this, the Operating system constrains the ability of the user to access or execute the function on an object. Whenever any of the users try accessing the purpose, the OS kernel would examine security attributes and then grant access.
These three access controls, though fundamentally different, can be combined in various ways to give multi-level security to the cloud data.
Data categorization and use of Data labels
For adequate data protection controls to be put in place, the nature of information is to be understood first. So the valuable data has to be categorized as to what is sensitive and what can be accessed. After the data identification and categorization, cloud security strategies can be implemented on it. Data can be categorized and labeled as unclassified, confidential, secret, top-secret, or compartmented. Labeling also helps in segregating categories such as finance, business, HR, IT, and so on. There has to be a balance in managing sensitive information and sound strategies for protecting the data.
Encryption for Data at Rest and in Motion
Secure encryption forms a pivotal strategy to protect the data at rest in the cloud, particularly for the data which has continuing value for an extended period. There are various methods to encrypt the data at rest. The plans are full disk level, directory level, file-level, and application level. For the data, which is in motion, there are two considerations –
1) one is maintaining the integrity and
2) the other is to ensure that the data remains confidential when in motion. This type of data can be protected by combining encryption and authentication so that data can pass safely to and from the cloud.
Deletion of Data
It is essential to know how the data is deleted in cloud security.
- Clearing: Here, the data on the media is eradicated before reusing the media and, at the same time, providing an acceptable level of protection for the information that was in the press before clearing.
- Sanitization: Here, an acceptable level of protection to the previous data is not provided. Such type of information is usually released for use at a lower classification level. Very often, the cloud data is not sanitized to the DoD level with the risk of the data getting exposed.
- Data Masking: This technique involves removing all the identifiable and distinguishable characteristics from the data to render it anonymous and still be operable.
As more and more people shift to cloud services, the demand for cloud security is rising. Thus, organizations must know how well their data can be protected so that the correct procedure is adopted and followed for data protection.