BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
"When your only tool is a hammer, everything looks like a nail." This popular American proverb cautions against taking a uniform approach to solving every problem, underscoring the importance of using the right tool for the task at hand. While the adage has its roots in carpentry, its meaning is very much applicable to the world of cloud security.
Confronted with a diverse range of challenges, cloud security pros need to become well-versed in which data security technologies are best suited for each phase of the data lifecycle. While encryption, for example, is an extremely valuable tool, it isn't the only one at your disposal in the cloud. It's complemented by a host of other essential data security technologies, including data anonymization and access control.
In this video, expert Adam Gordon, author of The Official (ISC)2 Guide to the CCSP CBK, Second Edition, reviews several key categories of security tools and methods, as well as how they fit into the data lifecycles of the cloud.
Gordon also puts the importance of this into context for anyone operating a public, private or hybrid cloud. "Our customers benefit from the multiple layers of defense that we can put in place so that we have overlapping controls to provide that security," he says.
View the above video to learn more about data security technologies that, while not unique to the cloud, continue to play an important role in preventing data loss, combating security threats and ensuring privacy in every cloud environment.
The following is a full transcript of Adam Gordon's video.
CCSP® is a registered mark of (ISC)²
Transcript - These data security technologies are crucial in the cloud
With regards to the data lifecycle conversation we've been having, I want to take that to the next level quickly as we wrap up or begin to think about wrapping up our conversations around data lifecycle. And just to understand and look ahead a little bit at some of the relevant data technologies and the data security technologies that we're going to talk about, but also that we want to be aware of in regards to the data lifecycle. You could see on the screen in front of you. We have some potential controls that we may be able to implement in various phases of the data lifecycle.
Encryption and DLP
We have the ability to apply encryption to data, so we think about encryption and the need to be able to provide confidentiality, and encryption becomes a very important tool and the technology to do so. We have data leakage prevention, so a traditional DLP technologies that allow us to be able to prevent data from being exfiltrated or removed from our networks without our knowledge. We can filter the data stream, in effect, literally reach in and look at the individual bits of data, understand what they are, and using some basic business logic or rules associated with the traffic, we can say if the data has this information in it or it contains account numbers or a reference to this project or whatever it may be, that we want to remove that data. We don't want to allow it to be sent out of the system. We may not allow you to print it. We may not allow you to store it on removable media. There's different ways that data security technologies, particularly DLP technology, can be brought to bear. We may not allow you to email it, for instance, right? As another mechanism. So, DLP technology becomes very important for data security as well in the cloud.
Access monitoring and control
File and database access monitoring. Being able to look at database, and database activity associated with the usage of data and saving and removing of files associated with that. And being able, again, to look at the flow of data, the understanding of what the content of the data is. Are you transacting data in this way in this database with the right level of access? Are you trying to access information that you're not supposed to have access to? These are things we can do. Are you trying to change entries and tables, modify joins or connections between? What kind of access? What kind of usage are we seeing in the database? These are all important things that we want to monitor and better understand using data security technologies.
Alternate data security technologies
Then also, obfuscation, anonymization, tokenization, and masking. Non-traditional methods that may or may not be something that you have seen before. These were additional methods we can use for data security. They are not certainly specific to the cloud, although they are certainly heavily used in the cloud. But when we're not going to encrypt data to provide confidentiality but we still want to secure data and perhaps remove the data from the view of the individual that should not be seeing it, but we may not be able to use encryption to do so, these are alternate data security technologies and alternate methods, mechanisms, or approaches that will allow us to do so. So obfuscation, in effect hiding the data in some way, blinding us to it by not showing it to us or perhaps veiling it in some form. Anonymization, being able to effectively remove any references in the data that could identify an individual, so remove additional data, metadata, things like that that could potentially be used to aggregate information and maybe identify an individual from several different pieces of data that may be scattered around. So scrubbing or anonymizing the data traditionally.
Tokenization removes the data itself. Prevents people from interacting directly with the data but rather generates a token that represents the data and access to it and then uses that token to effectively proxy for the data. The token is then given to the individual that has to access the data, and then if they have the right authorization after authentication applied, they can use the token to effectively go get the data. But because we don't describe and provide the data directly, we're blocking the view, in effect creating the awareness of the data but not allowing you to see the data. We are, in effect, hopefully preventing people from seeing the data without the appropriate authorization, so we're enforcing some level of confidentiality.
And then masking is going to be a mechanism that is used with storage and storage systems where we are going to effectively use an access control list or a mechanism for access control that is going to authenticate a user or authenticate a service request that's looking to see data. And once that authentication takes place, we will expose the data for the successful authentication request. But if the authentication request is not successful, we won't expose the data. So what effectively that does is it allows us to use a very simple method but a very effective one to grant access to data if you're authorized but to block or prevent access to data if you're not.
Cloud security in context
This is traditionally used with access to storage mechanisms on the backend in cloud environments when we have multi-tenant scenarios. So, for instance, if multiple customers are storing data in shared common storage arrays or SAN or NAS devices, storage area network or network attached storage devices that a cloud provider may be using to store large volumes of data for multiple customers, we will mask the logical unit numbers or mask the ability to be able to see the data through the presentation of that storage and allow customer A just to see customer A's data by masking customers B and C, and not providing their data and not seeing their data from customer A's access point. And the same thing with customers B, and of course, customer C. So masking data allows us to be able to do effectively what we would do with an access control list and simply allow or deny access but to do this based on and focused around storage to, again, enforce confidentiality, provide availability, and ensure integrity around the data.
So these are some relevant data security technologies that could be brought to bear in the storage conversation. We'll have some more to say about one or more of these a little later on in some of our additional conversations, but you should begin to be thinking about these particular technologies. If you are already using them, great. If you're familiar with them, that's wonderful. If you're not, maybe a good point for you to make a note, stop and perhaps think a little bit about them. Take a look in the book at the courseware and see the information we've provided there. You may want to go out on the web and do a little searching to further understand these technologies in context to the things you may be doing.
You may, if you are a private cloud provider, for instance, or work on or in a system that has private cloud capabilities but you're not necessarily involved with storage and the storage elements, you may want to see if you could go back to work and interact with the people that are driving storage. See if you can talk to the storage team, in other words, and maybe get an insight into what kinds of technologies are being used there. Are they using one or more of these data security technologies today inside the private cloud that the organization you're a member of is actually deploying? Is masking or tokenization or obfuscation being used? And if they are, great. If not, okay. No problem at all. But thinking about that and understanding that is something to consider because you may be able to get some additional insight into that as well.
You know, most of us see obfuscation on a regular basis although we may not realize it. But when you get a bill from a credit card company or a bill from a utility provider or any vendor that may send you a bill in the mail, they're usually using obfuscation to "X," out your account number. So normally, when you look at the account number on the bill, and it's got a bunch of "X's" there and maybe the last three or four digits usually are displayed, that is an example of obfuscation. So just be thinking about the kinds of things that you see around you. The kinds of things that you may actually understand and interact with even though you might not have identified them on this list. And these are all mechanisms that could be used to provide data security. And the technologies that are deployed around that will then be helpful to the security provider because we can make better choices around the way in which we can provide security for our storage needs inside of the cloud today. Our customers benefit from the multiple layers of defense that we can put in place so that we have overlapping controls to provide that security. And our storage providers can offer a wide array of opportunities and services and selections of services to be able to then form, or at least allow the customer to make an informed decision about the best possible solution and the combination of those controls that may bring to bear the appropriate level of security and focus around storage. And obviously, the data for the data security associated with storage at the end of the day is going to become very important for them. They want to make sure they're doing that effectively and efficiently in the cloud.
So think about those things as we wrap up our conversation here, and then as we continue our conversations in some of the next sections that will come up, see how these themes repeat and ultimately become part of the broader conversation around data security architecture in the cloud.