Before architecting any system, foundational practices that influence security need to be in place. For example, data classification provides a way to categorize organizational data based on levels of sensitivity, and encryption protects data by way of rendering it unintelligible to unauthorized access. These methods are important because they support objectives for preventing financial loss or complying with regulatory obligations.
There are a number of different approaches to consider when addressing data protection:
- Data classification
- Protecting data at rest
- Protecting data in transit
- Data backup/replication/recovery
Data classification provides a way to categorize organizational data based on levels of sensitivity. This includes understanding what data types are available, where the data is located, who has access at which level, and how the data is protected (for example, through encryption or access control). By managing an appropriate data classification system together with each workload's protection requirements, you can create and map the controls and the level of access and protection appropriate to each class of data. For example, public-facing content is available for anyone to access, whereas sensitive content is encrypted and stored in a protected manner that requires authorized access to a key for decrypting the content.
When considering a data classification methodology, balance usability versus access. Also consider the multiple levels of access and nuances for implementing a secure, but still usable, approach for each level. Always consider a defense-in-depth approach and reduce human access to data. For example, require users to strongly authenticate to an application. In addition, ensure that users come from a trusted network path and require access to the decryption keys. Use dashboards or automated reporting to give users information from the data rather than giving them direct access to the data.
Encryption and tokenization are two important but distinct data protection schemes. Tokenization is a process that allows a defined token to represent an otherwise sensitive piece of information (for example, a token that stands in for a customer's credit card number). A token must be meaningless on its own. Encryption is a way of transforming content so that it is unreadable without the secret key needed to decrypt it back into plain text. Both tokenization and encryption are used to secure and protect information as appropriate.
Carefully defining the tokenization approach provides additional protection for content and ensures that compliance requirements are met. For example, using a token in place of a credit card number narrows the scope of the systems that ever handle the card number itself. Define the tokenization scheme by creating a look-up table in an encrypted database service or table, and issue tokens to the applications.
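The following is an added example (not code from the original page or from Devek) showing how the classification mapping and the tokenization look-up table described above fit together. The classification levels, the `FIELD_CLASSIFICATION` mapping, the `TokenVault` class and the `payment-processor` role are all assumptions made for this illustration; in practice the vault's table lives in an encrypted database and the role check is enforced by the platform's access control.

```python
import secrets

# Classification levels used in this example (constructed; the page names no fixed scheme).
PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED = "public", "internal", "confidential", "restricted"

# Hypothetical field-level classification for a customer record.
FIELD_CLASSIFICATION = {
    "display_name": PUBLIC,
    "email": CONFIDENTIAL,
    "card_number": RESTRICTED,
}


class TokenVault:
    """Look-up table from random tokens to the sensitive values they stand for.

    This plays the role of the encrypted database/table the text describes. The
    token is random, so it carries no information about the value on its own;
    only the vault can resolve it, and only for an authorized role.
    """

    def __init__(self, detokenize_roles):
        self._token_to_value = {}
        self._value_to_token = {}
        self._detokenize_roles = set(detokenize_roles)

    def tokenize(self, value: str) -> str:
        # One stable token per value, so the same card can be correlated by token
        # without the calling application ever seeing the number.
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            token = "tok_" + secrets.token_hex(16)  # 128 random bits, meaningless alone
            if token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Narrow scope: only roles inside the payment boundary may resolve tokens.
        if caller_role not in self._detokenize_roles:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_value[token]

    def last_four(self, token: str) -> str:
        # Derived information for dashboards and receipts instead of direct access.
        return self._token_to_value[token][-4:]


def protect_record(record: dict, vault: TokenVault) -> dict:
    """Replace RESTRICTED fields with tokens before the record leaves the payment system.

    Fields missing from FIELD_CLASSIFICATION default to RESTRICTED, so a new,
    unclassified field is tokenized rather than leaked by default. Lower classes
    are left in place here; they are covered by encryption at rest and access
    control rather than by tokenization.
    """
    protected = {}
    for name, value in record.items():
        level = FIELD_CLASSIFICATION.get(name, RESTRICTED)
        protected[name] = vault.tokenize(value) if level == RESTRICTED else value
    return protected


if __name__ == "__main__":
    vault = TokenVault(detokenize_roles={"payment-processor"})
    customer = {"display_name": "A. Example", "email": "a@example.invalid",
                "card_number": "4111111111111111"}  # constructed sample, not a real card
    safe = protect_record(customer, vault)
    print(safe)                                   # card_number is now tok_...
    print(vault.last_four(safe["card_number"]))   # 1111
```

The default-to-RESTRICTED branch is the part worth copying: a classification scheme that only lists the fields it knows about fails open the first time a developer adds a new sensitive column.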
Defining an encryption approach provides protection for sensitive content against unauthorized users and against unnecessary exposure to authorized users. Encryption key services help manage encryption and integrate with many cloud systems and services, providing durable, secure, and redundant storage for master keys, with policies that define key aliases as well as key-level access. These policies help define key administrators as well as key users. For example, a secret management system is the only system that has access to the master key that encrypts the secrets for storage.
When defining an encryption/tokenization approach, consider the data classification model that has been defined and the levels of access needed for each class of content. Consider the compliance requirements around the content and how to enforce the chosen approach. Also carefully consider the differences between, and the use cases for, tokenization versus encryption. Consider the key policies and access levels that will be granted to each user.
Protecting Data at Rest
Data at rest represents any data that persists for any duration. This includes block storage, object storage, databases, archives, and any other storage medium on which data is persisted. Protecting data at rest reduces the risk of unauthorized access when encryption and appropriate access controls are implemented. Multiple cloud services and tools provide built-in integration with an encryption service to allow easy encryption of data at rest. It is also possible, for example, to encrypt content before storing it in a cloud service.
When implementing an encryption-at-rest protection method, consider the data classification model to ensure that the content’s protection reflects the business, legal, compliance, and regulatory requirements.
Finally, and most importantly, ensure the implementation of a least-privileged approach to control access to the keys, storage mediums, and any computer resources that have access to the content.
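As an added example (not the page's or Devek's code), the block below models the key service and key policies described in the encryption section and the least-privilege rule for data at rest: a master key that never leaves the service, aliases, a policy separating key administrators from key users, and envelope encryption where only the wrapped data key is stored beside the content. The `KeyService` class, the alias names and the principals are assumptions for this illustration, and the `seal`/`unseal` cipher (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) is a standard-library stand-in so the example runs without third-party packages; a real deployment uses the cloud key service's own AEAD cipher.

```python
import hashlib
import hmac
import secrets
import struct

# --- Symmetric primitive -----------------------------------------------------
# Counter-mode keystream from HMAC-SHA256 plus an encrypt-then-MAC tag. This is a
# standard-library stand-in for an AEAD such as AES-GCM (assumption for this
# example); production code uses the key service's cipher instead.

def _subkeys(key: bytes):
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed integrity check")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))

# --- Key service with aliases and key policies --------------------------------

class KeyService:
    """Holds master keys that never leave the service; callers only get data keys.

    Each key's policy has two principal sets: administrators, who manage the
    policy, and users, who may generate and decrypt data keys. Membership in
    one set grants nothing from the other unless explicitly added.
    """

    def __init__(self):
        self._keys = {}      # key_id -> master key bytes
        self._aliases = {}   # human-readable alias -> key_id
        self._policies = {}  # key_id -> {"admins": set, "users": set}

    def create_key(self, alias: str, admin: str, users) -> str:
        key_id = "key-" + secrets.token_hex(8)
        self._keys[key_id] = secrets.token_bytes(32)
        self._aliases[alias] = key_id
        self._policies[key_id] = {"admins": {admin}, "users": set(users)}
        return key_id

    def _authorize(self, alias: str, principal: str, role: str) -> str:
        key_id = self._aliases[alias]
        if principal not in self._policies[key_id][role]:
            raise PermissionError(f"{principal!r} is not in {role} for {alias}")
        return key_id

    def grant_user(self, alias: str, admin: str, principal: str) -> None:
        key_id = self._authorize(alias, admin, "admins")
        self._policies[key_id]["users"].add(principal)

    def generate_data_key(self, alias: str, principal: str):
        """Return (plaintext data key, data key wrapped under the master key)."""
        key_id = self._authorize(alias, principal, "users")
        data_key = secrets.token_bytes(32)
        return data_key, seal(self._keys[key_id], data_key)

    def decrypt_data_key(self, alias: str, principal: str, wrapped: bytes) -> bytes:
        key_id = self._authorize(alias, principal, "users")
        return unseal(self._keys[key_id], wrapped)

# --- Envelope encryption as a secrets store would use it ----------------------

def store_secret(kms: KeyService, alias: str, principal: str, secret: bytes) -> dict:
    data_key, wrapped = kms.generate_data_key(alias, principal)
    return {"wrapped_key": wrapped, "ciphertext": seal(data_key, secret)}

def load_secret(kms: KeyService, alias: str, principal: str, record: dict) -> bytes:
    data_key = kms.decrypt_data_key(alias, principal, record["wrapped_key"])
    return unseal(data_key, record["ciphertext"])
```

Note that the administrator who created the key cannot decrypt with it unless also listed as a user: that separation is what lets a secrets-management system be the only principal able to reach the master key that protects stored secrets.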
Protecting Data in Transit
Data in transit is any data that gets transmitted from one system to another. This includes communication between resources within the environment as well as communication with other services and end users. By providing the appropriate level of protection for data in transit, the application's data confidentiality and integrity are protected. When protecting data in transit, selecting secure protocols that implement current cryptography standards such as Transport Layer Security (TLS) is a common best practice. Most cloud services provide HTTPS endpoints using TLS for communication, thus providing encryption in transit when communicating with cloud APIs.
Additionally, it is important to leverage VPN connectivity into the cloud private network, as well as cloud services and networks, to facilitate encryption of traffic.
When planning for an encryption-in-transit approach, consider possible use cases and the balance between encryption and ease of use. Consider the use of VPN connectivity into the cloud and look into HTTPS for application-to-application communication in a secure manner.
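As an added example (not from the original page or Devek), the block below shows a hardened TLS client configuration for application-to-application HTTPS calls next to the weak configuration it replaces, plus a small audit function that reports which protections a given context lacks. It uses only Python's standard `ssl` module; the `audit_context` and `audit_endpoint` helpers and the finding texts are assumptions made for this illustration.

```python
import ssl
from urllib.parse import urlparse


def hardened_client_context() -> ssl.SSLContext:
    """Client context for application-to-application HTTPS calls."""
    # create_default_context loads the system CA store, requires a server
    # certificate and checks it against the hostname.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0/1.1 handshakes
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The weak configuration beside the hardened one: no verification, any version.

    Constructed here only so the audit below has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the list of protections a context is missing (empty means hardened)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted")
    return findings


def audit_endpoint(url: str) -> list:
    """Flag configured endpoints that would carry traffic without TLS at all."""
    parsed = urlparse(url)
    if parsed.scheme == "https":
        return []
    return [f"{url}: scheme {parsed.scheme!r} is not https"]


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()))   # []
    print("legacy:  ", audit_context(legacy_client_context()))     # three findings
    print(audit_endpoint("http://api.example.invalid/v1"))         # constructed URL
```

Running `audit_context` over every `SSLContext` an application builds (or over the contexts its HTTP client library exposes) is a cheap way to catch the "verify=False" shortcut before it reaches production.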
Data Backup / Replication / Recovery
Defining the approach for data backup, replication and recovery helps protect against deletion or destruction of data. A sound approach for data backup and replication helps protect data in case of a disaster. Properly secured and protected primary and secondary data sources ensure continued business operations.
The cloud provides multiple features and capabilities for data backup and replication. It allows creation of copies of the content that are replicated to other locations and accounts for additional protection. Database services allow users to take snapshots of database instances and to replicate those instances to other locations. Storage volumes support snapshots that can be copied across geographic regions if required. Additionally, Devek helps with automating tasks and scheduling jobs to perform backups of resources.
When defining the backup/replication/recovery approach, review the scenarios under which the data must be protected, as well as the nuances of each. For example, a database replica will faithfully replicate any accidental change, so backups from multiple points in time protect against accidental errors in addition to malicious actions. Ensure that a process is defined for the recovery of data content. Plan and run a game day scenario to test that the approach is effective in the event of a disaster. Moreover, consider storing backups in a different cloud account with a different set of credentials to protect against human error or a compromise of the primary account.
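The following added example (not the page's or Devek's code) plays out the scenario above: an accidental delete propagates to a synchronous replica, while a point-in-time snapshot kept in a separate backup account still restores the data. The `Database`, `Replica` and `BackupVault` classes, the order records and the `backup-account-placeholder` account name are constructed for this illustration; `run_game_day` is the drill a team would script for a game day.

```python
import hashlib
import json


class Database:
    """Minimal key-value store standing in for a managed database instance."""

    def __init__(self, rows=None):
        self.rows = dict(rows or {})

    def put(self, key, value):
        self.rows[key] = value

    def delete(self, key):
        self.rows.pop(key, None)


class Replica(Database):
    """Synchronous replica: every change to the primary is applied here too,
    including mistakes, which is why replication alone is not a backup."""

    def __init__(self, primary: Database):
        super().__init__(primary.rows)
        self.primary = primary

    def sync(self):
        self.rows = dict(self.primary.rows)


class BackupVault:
    """Point-in-time snapshots kept under a different account (constructed id).

    Snapshots are append-only and carry a SHA-256 digest that is verified on
    restore, so a corrupted or tampered copy is detected instead of restored."""

    def __init__(self, account_id: str):
        self.account_id = account_id
        self._snapshots = []   # (timestamp, serialized rows, digest)

    def snapshot(self, db: Database, timestamp: int):
        blob = json.dumps(db.rows, sort_keys=True).encode()
        self._snapshots.append((timestamp, blob, hashlib.sha256(blob).hexdigest()))

    def restore(self, not_after: int) -> Database:
        """Rebuild the database from the newest snapshot taken at or before not_after."""
        candidates = [s for s in self._snapshots if s[0] <= not_after]
        if not candidates:
            raise LookupError(f"no snapshot at or before t={not_after}")
        ts, blob, digest = max(candidates, key=lambda s: s[0])
        if hashlib.sha256(blob).hexdigest() != digest:
            raise ValueError(f"snapshot t={ts} failed integrity check")
        return Database(json.loads(blob))


def run_game_day() -> dict:
    """Constructed drill: an accidental delete at t=3 reaches the replica; recovery uses t=2."""
    primary = Database()
    replica = Replica(primary)
    vault = BackupVault(account_id="backup-account-placeholder")

    primary.put("order-1001", {"total": 42.0}); replica.sync(); vault.snapshot(primary, timestamp=1)
    primary.put("order-1002", {"total": 17.5}); replica.sync(); vault.snapshot(primary, timestamp=2)
    primary.delete("order-1001"); replica.sync(); vault.snapshot(primary, timestamp=3)  # the mistake, replicated

    recovered = vault.restore(not_after=2)   # last known-good point in time
    return {
        "replica_has_order": "order-1001" in replica.rows,      # False: replica copied the delete
        "recovered_has_order": "order-1001" in recovered.rows,  # True: snapshot predates it
        "recovered_rows": len(recovered.rows),
    }


if __name__ == "__main__":
    print(run_game_day())
```

The drill's value is the comparison it forces: the replica answers "is the service up?", the vault answers "can we get yesterday's data back?", and only the second question is what a backup policy has to guarantee.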