[Part 1 provides an overview of cloud data security issues, including data control, data types and common risks. Part 2 considers cryptographic techniques and common mistakes using data encryption for data stored on the Internet. Part 3 briefly reviews data protection methods and any unique aspects that may apply when they are deployed in a cloud.]
CLOUD DATA STORAGE
Among other advances, cloud computing has brought advantages in the form of online storage. In this section, we are referring to Storage-as-a-Service. The range of service offerings in this space is remarkable, and they are continuing to grow.
Data security for such a cloud service encompasses several aspects including secure channels, access controls, and encryption. And, when we consider the security of data in a cloud, we must consider the security triad: confidentiality, integrity, and availability. In the cloud storage model, data is stored on multiple virtualized servers. Physically the resources will span multiple servers and can even span storage sites.
Among the additional benefits of such generally low-cost services are the storage maintenance tasks (such as backup, replication, and disaster recovery), which the CSP performs. The most notable provider in this space is Amazon with its S3 (Simple Storage Service). Amazon launched S3 in March of 2006.
A common aspect of many cloud-based storage offerings is the reliability and availability of the service. Figure 5.6 depicts an abstracted view of how many individual disks in many aggregated storage devices are composed into a virtualized unit of storage.
FIGURE 5.6 Cloud storage: replication and availability.
Replication of data is performed at a low level by mechanisms such as RAID or by a file system. One such file system is ZFS, which was designed by Sun Microsystems as both a file system and a volume manager. ZFS supports high storage capacities and performs numerous security-relevant functions, including copy-on-write cloning and continuous integrity checking with automatic repair.
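The pairing of continuous integrity checking with automatic repair that ZFS performs over replicated storage can be modelled in a few lines. The following is an added example, not ZFS code or any vendor's: it assumes a SHA-256 checksum kept in pool metadata apart from the data it covers and a constructed N-way mirror of in-memory "disks".

```python
import hashlib
from typing import Dict, List, Optional


class MirroredPool:
    """N-way mirror. Checksums live in pool metadata, apart from the data they
    cover, so a silently corrupted block cannot vouch for itself."""
    def __init__(self, disks: List[Dict[int, bytes]]) -> None:
        self.disks = disks  # each disk maps block number -> raw bytes
        self.checksums: Dict[int, str] = {}
        self.repairs = 0  # replicas rewritten from a verified copy

    def write(self, blockno: int, data: bytes) -> None:
        self.checksums[blockno] = hashlib.sha256(data).hexdigest()
        for disk in self.disks:
            disk[blockno] = data

    def read(self, blockno: int) -> Optional[bytes]:
        """Return a replica that verifies; repair those that do not. None means
        no replica verified, an unrecoverable integrity failure."""
        expected = self.checksums[blockno]
        good: Optional[bytes] = None
        bad: List[Dict[int, bytes]] = []
        for disk in self.disks:
            data = disk.get(blockno)
            if data is not None and hashlib.sha256(data).hexdigest() == expected:
                good = data if good is None else good
            else:
                bad.append(disk)
        if good is None:
            return None  # report the failure; never hand back unverified data
        for disk in bad:
            disk[blockno] = good  # automatic repair from the verified mirror
            self.repairs += 1
        return good

    def scrub(self) -> int:
        """Check every block (the continuous check); count the unrecoverable ones."""
        return sum(1 for blockno in self.checksums if self.read(blockno) is None)


def demo() -> tuple:
    """Constructed scenario: two replicas of block 7 corrupt, block 9 on all three."""
    pool = MirroredPool([{}, {}, {}])
    pool.write(7, b"ledger-2011-q1")
    pool.write(9, b"ledger-2011-q2")
    pool.disks[0][7] = b"ledger-2011-Q1"  # single-byte flip, no I/O error raised
    pool.disks[2][7] = b"\x00" * 14       # garbage
    for disk in pool.disks:
        disk[9] = b"corrupt!"
    unrecoverable = pool.scrub()          # repairs block 7, cannot fix block 9
    return pool.read(7), pool.repairs, unrecoverable
```

A scrub that reports an unrecoverable block is the signal to restore from a backup rather than trust any replica.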
One of the more recent trends in online cloud-based storage is the cloud storage gateway. Several vendors offer such solutions that are generally implemented as an appliance that resides onsite at the customer premises. These appliances can provide multiple features, including:
- Translation of client-used APIs and protocols (such as REST or SOAP) to those that are used by cloud-based storage services (such as NFS, iSCSI, or Fibre Channel). The goal is to enable integration with existing applications over standard network protocols.
- Backup and recovery capabilities that work with in-cloud storage.
- Onsite encryption of data that keeps keys local to the onsite appliance.
The vendors and products in this space include Gladinet, Nasuni Cloud Storage Gateway, StorSimple, and Emulex. The available products and solutions are changing rapidly and gaining new functionality. Figure 5.7 depicts a typical cloud storage gateway application as it is used to augment local storage by acting as an onsite secondary copy and as an intermediary to the CSP storage service.
FIGURE 5.7 Cloud storage gateway appliance.