Simple data encryption is not the only solution which can be relied upon in cloud data security. It can be met by applying existing security techniques and following sound security practices. The prospective cloud adopters definitely would have security concerns with the storing and processing of data in a public, hybrid or in a community cloud. When it comes to data protection in the cloud, authentication, identity, access control, encryption, secure deletion, integrity checking and data masking are all the techniques applicable to cloud computing.
Authentication and Identity
Authentication of users may take several forms like a password, a security token or some measurable quality that is intrinsic to them such as fingerprint. Single-factor authentication is based only on one authentication factor, whereas, multiple-authentication-factor (MAF) is usually a secure two-step identity authentication like the use of a password and a one-time password (OTP) SMS. Federated-Identity-Management OR FIM could easily be utilized by more than one firm which allows subscribers to use the same identification for obtaining access to all the networks of the group enterprises. Then, there is the Single sign-on (SSO), which lets the user login to multiple applications while authenticating only once.
Access Control Techniques
Access Control mechanism is the key, wherein, maintaining a complex IT environment becomes easy that supports separation and integrity of different levels. This, together with other cloud security protocols, work towards securing the cloud data. The most common types of this technique are as follows for data protection:
- Discretionary Access Control (DAC): In this, the owner of the object decides who will have access and the privileges they will have.
- Role Based Access Control (RBAC): Here the access policy is determined by the system and a subject can access a particular document or file or execute a function only if their set of permissions or role allows it.
- Mandatory Access Control (MAC): In this, the Operating system constrains the ability of the user to access or execute the function on an object. Whenever any of the users try accessing the object, the OS kernel would examine security attributes and after that decide if access could be granted.
These three access controls, though fundamentally different, can be combined in different ways to give a multi-level security to the cloud data.
Data categorization and use of Data labels
For effective data protection controls to be put in place, the nature of information is to be understood first. So the valuable data has to be categorized as to what is sensitive and what can be accessed. After the data is identified and categorized, then the needed cloud security strategies can be implemented on it. Data can be categorized and labeled as unclassified, confidential, secret, top secret or compartmented. Labeling also helps in segregating categories such as finance, business, HR, IT and so on. There has to be a balance in managing sensitive information and sound strategies for protecting the data.
Encryption for Data at Rest and in Motion
Strong encryption forms a key strategy to protect the data at rest in the cloud particularly for the data which has continuing value for an extended time period. There are various methods to encrypt the data at rest. The methods are full disk level, directory level, file level and application level. For the data, which is in motion; there are two considerations – 1) one is maintaining the integrity and 2) the other is to ensure that the data remains confidential when in motion. This type of data can be protected by combining encryption and authentication so that data can pass safely to and from the cloud.
Deletion of Data
When the matter of data deletion in cloud is considered, it is important to know how the data is deleted.
- Clearing: Here the data on the media is eradicated before reusing the media and at the same time providing an acceptable level of protection for the data that was in the media before it was cleared.
- Sanitization: Here an acceptable level of protection to the previous data is not provided. Such type of information is usually released for use at a lower classification level. Very often the cloud data is not sanitized to the DoD level with the risk of the data getting exposed.
- Data Masking: This technique involves removing all the identifiable and distinguishable characteristics from the data in order to render it anonymous and still be operable.
As more and more people shift to cloud services, the demand for cloud security is rising. Thus, it is important that organizations know how well their data can be protected, so that correct procedure is adopted and followed for data protection.