
Cloud Data Security

Amit Singhal · Published in CodeX · Feb 7, 2022


This blog describes aspects of Data Security at different levels in the lifecycle of a Cloud-hosted application.

Data security is the practice of protecting digital information from unauthorized access, corruption, or theft throughout its entire lifecycle. It’s a concept that encompasses every aspect of information security from the physical security of hardware and storage devices to administrative and access controls, as well as the logical security of software applications. It also includes organizational policies and procedures.

A Cloud Hosted Application is a software program where cloud-based and local components work together. This model relies on remote servers for processing logic that is accessed through a web browser with a continual internet connection.

Cloud application servers typically are located in a remote data center operated by a third-party cloud services infrastructure provider. Cloud-based application tasks may encompass email, file storage, and sharing, order entry, inventory management, word processing, customer relationship management (CRM), data collection, or financial accounting features.


Cloud hosting is by its nature a shared environment — your virtual machines (VMs) are sharing infrastructure, hardware, and software with other cloud tenants. You have no idea of the identity or even the number of customers with whom you share your environment. Therefore, you should closely research your cloud provider to check whether all applicable security cloud computing mechanisms are implemented and working as designed.

Potential Threat Vectors and Exposures for Data Security in a Cloud-Hosted Application:

  • Data Security at Rest covers any data that you persist in non-volatile storage for any duration in your workload. This includes block storage, object storage, databases, archives, IoT devices, and any other storage medium on which data is persisted. Securing data at rest reduces the risk of unauthorized access when encryption and appropriate access controls are implemented.
  • Data Security in the Network (Transit) is important for protecting the integrity and usability of hosted networks and data. It comprises both software and hardware technologies integrated into the hosting platform. Effective network security governs access over the network: it targets a variety of attacks and stops attackers from entering the network, carrying out their intended threats, and gaining access to application data.
  • Data Security at Compute: while an application is in use, user or application-specific data may be held on the cloud host (RAM or disk) and not properly cleared when the user logs out or the session times out. The application may keep usage data in memory or on disk after use until that memory or disk is reclaimed, and even encryption keys may remain in memory. An attacker who gains access to the host can attach a debugger to dump the application's memory or load a kernel module to dump the entire contents of RAM. This is a security threat to the application and can lead to buffer overflow, format string, data leak, and other vulnerabilities.

Remediation of Potential Threat Vectors

Securing Data at Rest

  • Encryption at Rest: always ensure that the only way to store data is encrypted. Secure data at rest with tools such as ecryptfs; whenever data is not loaded, it should remain encrypted under a key.
  • Implement Tokenization: tokenization is the process of turning a meaningful piece of data, such as an account number, into a random string of characters called a token, which has no meaningful value if breached. Tokens serve as a reference to the original data but cannot be used to guess those values. That is because, unlike encryption, tokenization does not use a mathematical process to transform the sensitive information into the token. There is no key or algorithm that can be used to derive the original data from a token. Instead, tokenization uses a database, called a token vault, which stores the relationship between the sensitive value and the token. The real data in the vault is then secured, often via encryption.
  • Save Your Key: protect the key used for encryption and keep rotating encryption keys. Never hard-code encryption keys or store them alongside the data they protect.
  • Access to Keys used for encryption should be monitored and restricted.
  • Encrypt Critical PII: identify all critical PII (Social Security Number, PIN, password, health records, etc.) and ensure none of it is stored as plain text in the system. Always encrypt or hash critical PII before storing it, and never log critical PII.
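The token-vault pattern described above, as an added example that is not part of the original post: tokens are random and carry no information about the value, the application persists only the token, and detokenization is gated by a role check. The `TokenVault` class, the `vault-reader` role and the keyed index (used only so that a repeated value reuses its token without the plaintext acting as a lookup key) are assumptions of this example; in practice the vault contents would themselves be encrypted at rest.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Token vault (constructed example): tokens are random strings with no
    mathematical relationship to the value; only the vault holds the mapping."""

    def __init__(self, index_key: bytes):
        # Keyed one-way index so a repeated value maps to its existing token
        # without the plaintext itself serving as a dictionary key.
        self._index_key = index_key
        self._token_to_value = {}   # token -> sensitive value (encrypt at rest in practice)
        self._index_to_token = {}   # HMAC(value) -> token

    def _index(self, value: str) -> str:
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        """Return the existing token for `value`, or mint a fresh random one."""
        idx = self._index(value)
        token = self._index_to_token.get(idx)
        if token is None:
            token = "tok_" + secrets.token_hex(16)   # 128 bits of randomness, no key
            self._token_to_value[token] = value
            self._index_to_token[idx] = token
        return token

    def detokenize(self, token: str, caller_roles: set) -> str:
        """Only principals holding the (assumed) vault-reader role may recover a value."""
        if "vault-reader" not in caller_roles:
            raise PermissionError("caller is not authorized to detokenize")
        if token not in self._token_to_value:
            raise KeyError("unknown token")
        return self._token_to_value[token]


def store_order(vault: TokenVault, account_number: str) -> dict:
    """What the application database persists: the token, never the account number."""
    return {"account_token": vault.tokenize(account_number)}
```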

Securing Data in Network (Motion)

  • Protect Data in the Network: use secure transport. Instead of plain text, transmit data from source to destination in encrypted form using TLS (the successor to SSL; legacy SSL versions should be disabled).
  • Protected Network: instead of the public Internet, prefer VPN networks or a private LAN hosted in the cloud.
  • Identify Threat Vectors such as critical PII (Personally Identifiable Information), and provide mechanisms such as hashing and encryption before transmitting critical PII over the network.
  • Data Loss Prevention (DLP) Tools use several different technologies to protect data so that it cannot be accidentally or maliciously shared with people outside the company or uploaded to private cloud storage. DLP software uses rules set up by the organization to determine which data should be kept confidential, and can detect activities that may put this data at risk.
  • Be Security Aware: always stay up to date with the latest threats and techniques for securing data in motion. When a new threat is identified, adapt your controls to protect data from it.
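A minimal DLP rule engine of the kind described above, as an added example that is not from the original post: it scans an outbound message for critical PII (a US SSN shape and a Luhn-valid card number), reports findings with the value masked so the alert itself does not leak PII, and returns an allow/block decision. The rule set and the sample messages are constructed for the example.

```python
import re


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used to cut false positives on 16-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Constructed rule set: (label, pattern, validator applied to the matched text).
RULES = [
    ("us-ssn",
     re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
     lambda text: True),
    ("card-number",
     re.compile(r"\b(?:\d[ -]?){15}\d\b"),
     lambda text: luhn_ok(re.sub(r"[ -]", "", text))),
]


def mask(value: str) -> str:
    """Keep only the last four digits so the finding itself does not leak PII."""
    digits = [c for c in value if c.isdigit()]
    return "*" * (len(digits) - 4) + "".join(digits[-4:])


def scan(message: str) -> list:
    """Return (label, masked_value) for every validated match in the message."""
    findings = []
    for label, pattern, validate in RULES:
        for m in pattern.finditer(message):
            if validate(m.group(0)):
                findings.append((label, mask(m.group(0))))
    return findings


def decide(message: str) -> str:
    """Policy decision for an outbound message: block if any rule fires."""
    return "block" if scan(message) else "allow"
```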

Securing Data at Compute:

  • Data in Use is Secure: write code in such a way that no critical PII is persisted into the cache, because at the OS level the cache could be manipulated (e.g. the Dirty COW vulnerability).
  • Audit and Monitor: do continuous auditing and monitoring of security-related events; in case of a critical breach, raise an alarm immediately and take automated corrective measures.
  • Secret Rotation: ensure one strategy is consistently deployed for secret key rotation. If a credential, password, or key is ever compromised, the company must be able to revoke it and prevent further access. Rotating keys regularly ensures that stolen keys cannot be used for long.
  • Implement Authentication: authentication is the process of determining the identity of a security principal requesting access to a resource or host.
  • Implement Authorization: authorization is the act of granting an authenticated principal permission to perform an action or access a resource or host.
  • Apply Firewalls: devices or programs that control the flow of network traffic between networks or hosts that employ differing security postures.
  • Implement Network Policies, an application-centric construct that lets you specify how a workload is allowed to communicate with other network “entities” over the network.
  • Workload Security Policies are configurations that define which security-related conditions an application workload has to meet in order to be accepted into a cloud host. They regulate how the workload can interact with host resources such as networks and storage. They can also be used to configure role-based access control for hosted infrastructure.
  • Cloud Application Scanners are tools that allow organizations to discover and remediate security weaknesses in their cloud deployments. Scanners are an integral part of a holistic cloud security strategy and must be included in DevSecOps practices.
  • Rate Limiting is the identification of hostile traffic sources by the rates at which they are attempting to access resources within a network. A web security solution monitors the frequency and timing of incoming requests from each requestor. When a given requestor exceeds the specified rate limit, that requestor is blocked from further access for a specified length of time. Rate limiting is crucially important in the modern threat environment as there are numerous forms of attack which are primarily detectable through monitoring the rates of incoming requests.
  • Application whitelisting is a form of application control that takes a trust-centric approach at the server-side to allow only the known good. Essentially, authorization is granted only to applications, files, directories, or processes that are classified as required and safe to execute. Everything else is denied by default. Application whitelisting is done using attributes like file name, Source IP, file size, and/or directory path. Several advanced whitelisting solutions also provide the flexibility of adding rules which determine who and how a particular application or process is accessed.
  • Runtime Application Self-Protection (RASP) is a technology that runs on a server and kicks in when an application runs. It’s designed to detect attacks on an application in real time. When an application begins to run, RASP can protect it from malicious input or behavior by analyzing both the app’s behavior and the context of that behavior. By using the app to continuously monitor its own behavior, attacks can be identified and mitigated immediately without human intervention.
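The rate-limiting control from the list above, as an added example that is not from the original post: a sliding-window limiter replayed over constructed access-log lines, blocking a requestor that exceeds the limit for a fixed period and letting it back in afterwards. The log format, the limits and the sample addresses are assumptions of this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds
    per requestor; exceeding it blocks the requestor for `block_for` seconds."""

    def __init__(self, limit: int, window: float, block_for: float):
        self.limit, self.window, self.block_for = limit, window, block_for
        self._hits = defaultdict(deque)    # requestor -> timestamps inside the window
        self._blocked_until = {}           # requestor -> datetime the block expires

    def check(self, requestor: str, now: datetime) -> str:
        until = self._blocked_until.get(requestor)
        if until is not None and now < until:
            return "blocked"
        hits = self._hits[requestor]
        while hits and (now - hits[0]).total_seconds() >= self.window:
            hits.popleft()                 # drop requests that left the window
        hits.append(now)
        if len(hits) > self.limit:
            self._blocked_until[requestor] = now + timedelta(seconds=self.block_for)
            hits.clear()
            return "blocked"
        return "allowed"


def parse_line(line: str):
    """Constructed log format: '<ISO8601 UTC> <source IP> <method> <path>'."""
    ts, src, _method, path = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, path


def evaluate(log_lines, limit=3, window=10, block_for=60):
    """Replay log lines in order and return (source, path, decision) per line."""
    limiter = RateLimiter(limit, window, block_for)
    return [(src, path, limiter.check(src, ts))
            for ts, src, path in map(parse_line, log_lines)]


# Constructed sample: one source hammering /login, one normal client.
SAMPLE_LOG = [
    "2022-02-07T10:00:00Z 203.0.113.5 POST /login",
    "2022-02-07T10:00:01Z 203.0.113.5 POST /login",
    "2022-02-07T10:00:02Z 203.0.113.5 POST /login",
    "2022-02-07T10:00:03Z 203.0.113.5 POST /login",
    "2022-02-07T10:00:04Z 198.51.100.7 GET /orders",
    "2022-02-07T10:00:30Z 203.0.113.5 POST /login",
    "2022-02-07T10:01:10Z 203.0.113.5 POST /login",
]
```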

Cloud Data Security Quick Reference:

