Data Security in the Cloud Best Practices
By Connor Craven
Data security in the cloud best practices include: understanding and implementing security fundamentals, securing cloud infrastructure along the shared responsibility model, encrypting data in the cloud, and ensuring compliance with applicable regulations. Data security fundamentals often come back to the CIA Triad: data confidentiality, data integrity, and data availability.
The shared responsibility model refers to the idea that both a cloud provider and the organization using the cloud are responsible for ensuring the overall security of the organization’s cloud infrastructure, including the data housed there. Data encryption is a basic element of data security that is especially important in a cloud environment. Cloud providers can offer advanced encryption tools as well as secure storage modules for cryptographic keys.
Finally, regulations around data security, and in particular data privacy, continue to evolve. Organizations should have systems in place to ensure they are always in compliance with any relevant laws and regulations.
The CIA Triad and Data Security in the Cloud
The CIA triad is a set of three security attributes that guide organizations when securing any environment, including the cloud. The triad covers foundational aspects to security and can help an organization understand and better implement security tools. The three attributes are confidentiality, integrity, and availability. It is sometimes referred to as the AIC triad in order to not be confused with the U.S. intelligence agency. Major cloud providers offer security services capable of adhering to the triad.
Data is confidential when private data remains private and is not seen by unauthorized entities. Organizations commonly use encryption to ensure that only authorized entities with access to the data can read it. Data has integrity when an organization knows the data has not been manipulated, whether by accident or by malicious actors. An organization can use identity and access management (IAM) tools to allow only authorized entities access to the data. With IAM tools, an organization can follow the principle of least privilege, where employees have only the amount of cloud access needed to do their jobs effectively.
Availability refers to the amount of time data is accessible to authorized entities. One way data will become unavailable is when a denial of service (DoS) attack or network outage brings down a cloud data center. Having data backups that are spread out geographically can improve data availability. There are challenges in using the CIA triad in cloud computing, however. It is a foundational approach to security, but not one that covers every modern security threat. For example, the proliferation of Internet of Things (IoT) devices is challenging for the CIA triad alone to protect against.
Many IoT devices rely on the cloud, and they are frequently not patched often enough, use weak passwords, and can easily be compromised for use in botnets that launch DoS attacks. These security risks open a door into the cloud and compromise integrity. There may also be tradeoffs an organization has to make. For example, if data requires high confidentiality and integrity, it may have to have less availability. Sacrificing availability may mean the data can’t be spread over multiple data centers.
One way for an organization to mitigate risks around IoT devices is consistent policy enforcement. When security policies are enforced consistently across the cloud environment, the weak points in that environment are limited, because policies that are the same across the board reduce the chance of leaving a gap in the cloud that can be exploited.
The Security Techniques of Major Cloud Providers
Major cloud providers take the security of their cloud data centers seriously. There are many actions cloud providers take to provide a secure environment for customer data. These actions can include physical data center security, security software, root-of-trust hardware, thorough data erasure, and destruction of retired hardware. However, the cloud provider is not wholly responsible for securing the cloud and customer data. The shared responsibility model, which can vary by cloud provider, delineates whether the provider or the customer is responsible for securing each aspect of the cloud. The split of responsibility differs depending on whether the organization is using software-as-a-service (SaaS) applications running in the cloud, platform-as-a-service (PaaS) offerings, or infrastructure-as-a-service (IaaS) offerings. Here is Microsoft Azure’s shared responsibility model, for example:
Some of the cloud security services an organization can take advantage of include:
- Data backups
- Data encryption
- Hardware security modules (HSMs)
- Identity access management tools
- Monitoring software
Monitoring software grants high visibility into the cloud infrastructure so that a security breach is detected sooner rather than later.
Encryption in the Cloud
Data encryption and decryption are performed by cryptographic algorithms operating with cryptographic keys, whether this happens in the cloud or not. The algorithms should be well vetted and computationally infeasible to break. One such algorithm used by major cloud providers, like AWS, is the Advanced Encryption Standard (AES) with 256-bit keys. To keep encrypted data secure, the cryptographic keys that encrypt and decrypt the data must be stored securely as well. That is where services like AWS CloudHSM, Azure Key Vault, or GCP’s Cloud Key Management Service (KMS) come into play.
HSMs are hardware devices whose physical security features and software security controls are designed to meet government standards. Physical security features can include pick-resistant locks or tamper-evident seals. Software security controls can include identity-based authentication, where a user’s identity is checked to confirm they are authorized to use the keys.
Laws and Regulations
There are both government and industry standards and regulations established for data security in the cloud, including SOC 2, Federal Information Processing Standards (FIPS) 140, Payment Card Industry Data Security Standard (PCI DSS), and the Health Insurance Portability and Accountability Act (HIPAA). SOC 2 is a standard developed by the American Institute of CPAs (AICPA). It is an audit that reviews how well customer data is managed. The basis of the audit is five principles, which the AICPA website delineates as “security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.”
FIPS 140 is focused on testing requirements for cryptographic modules for both hardware and software. To meet the requirements, a cryptographic module, like an HSM, must pass a series of tests that cover physical security, mitigation of attacks, authentication, and interfaces, among other aspects. There are four levels to FIPS 140, though they each fit a specific use case and don’t necessarily equate to a higher degree of security at each level.
PCI DSS is an industry standard established by credit card companies. The standard establishes a baseline of security requirements and industry tools a cloud provider must have to ensure sensitive information is kept secure.
Data Security in the Cloud: Key Takeaways
1. Best practices to secure data in the cloud include using security fundamentals, securing cloud infrastructure, encrypting data, and complying with regulations.
2. The CIA triad can be used by organizations as a guide to securing data in their cloud environment.
3. The shared responsibility model shows which parts of the cloud the customer is responsible for.
4. To encrypt data, organizations can use security services from cloud providers.
5. Organizations should be vigilant about the laws and regulations that apply to them, and about when those laws and regulations change or are added to.