[Part 1 provides an overview of cloud data security issues, including data control, data types and common risks. Part 2 considers cryptographic techniques and common mistakes using data encryption for data stored on the Internet.]
Vic (J.R.) Winkler
CLOUD DATA SECURITY: SENSITIVE DATA CATEGORIZATION
When it comes to cloud data protection methods, no particularly new technique is required. Protecting data in the cloud can be similar to protecting data within a traditional data center. Authentication and identity, access control, encryption, secure deletion, integrity checking, and data masking are all data protection methods that have applicability in cloud computing. This section will briefly review these methods and will note anything that is unique to their deployment in a cloud.
A centralized identity system must meet many criteria and must have high availability and integrity. The essential use cases for identity management are:
- Login: A user logs in to a system, an application, or other controlled access context.
- Logout: A user logs out of a system, an application, or other controlled access context.
- Single Sign On: A user logs in to one system, application, and so on and is thereby granted access to other related systems.
- Password and Identity Information Synchronization: When a password or other user identity information is changed, it is synchronized throughout the identity realm.
- Add/Delete User: Identity information is added or deleted for a user throughout the identity realm.
- Authentication: The identity system verifies a user's identity.
- Authorization: The identity system verifies that the authenticated subject has specific permissions to perform an operation or access a specific resource.
- Audit and Reporting: The logging of security-relevant events related to any identity operation.
Authentication and Identity
Maintaining confidentiality, integrity, and availability for data security is a function of the correct application and configuration of familiar network, system, and application security mechanisms at various levels in the cloud infrastructure. Among these mechanisms are a broad range of components that implement authentication and access control. Authentication of users and even of communicating systems is performed by various means, but underlying each of these is cryptography.
Authentication of users takes several forms, but all are based on a combination of authentication factors: something an individual knows (such as a password), something they possess (such as a security token), or some measurable quality that is intrinsic to them (such as a fingerprint). Single-factor authentication is based on only one authentication factor. Stronger authentication requires additional factors; for instance, two-factor authentication is based on two authentication factors (such as a PIN and a fingerprint).
Authentication is usually predicated on an underlying identity infrastructure. The most basic scheme is where account information for one or a small number of users is kept in flat files that are used to verify identity and passwords, but this scheme does not scale to more than a very few systems. A full discussion of identity and access controls is beyond the scope of this book, but the key to effective access controls is the centralization of identity.
One problem with using traditional identity approaches in a cloud environment is faced when the enterprise uses multiple CSPs. In such a use case, synchronizing identity information with the enterprise is not scalable. Another set of problems arises with traditional identity approaches when migrating infrastructure toward a cloud-based solution.
Infrastructure tends to employ domain-centric identity approaches that do not allow for looser alignments such as partnerships. For these reasons, federated identity management (FIM) is an effective foundation for identity in cloud computing. Federated identity uses a claim-based token model, which is a departure from traditional schemes; traditional identity needs can nonetheless still be supported by a federated token model. For a lengthy discussion on identity in cloud computing, the reader is referred to the April 2010 Domain 12: Guidance for Identity & Access Management V2.1 that was prepared by the Cloud Security Alliance.
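As an added illustration of the claim-based token model (example code written for this page, not from the book or the Cloud Security Alliance guidance), the following Python sketch has an identity provider sign a set of claims and a relying party check signature, issuer, audience and expiry before making a separate authorization decision and recording a reason for the audit log. The issuer and audience names and the shared HMAC key are constructed placeholders; real federations typically use public-key signatures rather than a shared secret.

```python
import base64, hashlib, hmac, json

# Constructed values: a shared secret between the identity provider (IdP) and the
# relying party (RP), plus hypothetical issuer and audience identifiers.
IDP_KEY = b"constructed-demo-key-not-for-production"
IDP_ISSUER = "https://idp.example.test"
RP_AUDIENCE = "https://app.example.test"

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(subject: str, roles: list, now: int, ttl: int = 300) -> str:
    """IdP side: after authenticating the user, sign a claim set (HMAC-SHA256)."""
    claims = {"iss": IDP_ISSUER, "aud": RP_AUDIENCE, "sub": subject,
              "roles": roles, "iat": now, "exp": now + ttl}
    body = b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64(sig)}"

def verify_token(token: str, now: int):
    """RP side: trust no claim until signature, issuer, audience and expiry pass.
    Returns (claims, reason); reason is what the audit log should record."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None, "malformed"
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64(sig)):   # constant-time compare
        return None, "bad signature"
    claims = json.loads(unb64(body))
    if claims.get("iss") != IDP_ISSUER:
        return None, "untrusted issuer"
    if claims.get("aud") != RP_AUDIENCE:                 # token meant for another RP
        return None, "wrong audience"
    if now >= claims.get("exp", 0):
        return None, "expired"
    return claims, "ok"

def authorize(claims: dict, required_role: str) -> bool:
    """Authorization is a separate decision from authentication: map a claim to a permission."""
    return required_role in claims.get("roles", [])

if __name__ == "__main__":
    tok = issue_token("alice", ["reader"], now=1000)
    claims, reason = verify_token(tok, now=1100)
    print(reason, claims and claims["sub"], authorize(claims or {}, "admin"))
```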