An important study conducted by the International Data Corporation (IDC) indicates that from 2009 to 2014, US public cloud revenue will increase from $11.1 billion to $29.5 billion. Main areas that are projected to employ cloud computing in a more significant way include professional services, communications and media, and discrete and process manufacturing markets.
As previous articles on this blog have suggested, although the public cloud offers attractive advantages, it does come with considerable drawbacks, especially when considering data protection. Once data enters the public cloud, responsibility for security and governance is transferred – partially or totally – to the cloud provider. This should certainly make anyone think twice about placing sensitive data in the cloud.
A Data-Centric Approach
In the past, most organizations and enterprises have concentrated their IT security efforts on perimeter defense. This means that resources were largely channeled towards blocking threats before they could enter the network. This kind of approach is known as an outside-in approach to data security.
However, the reality of the cloud environment has necessitated data security that protects data in motion as well as data stored on a variety of devices. This means that many organizations will have to start considering an inside-out approach to security that effectively focuses on the data.
The Cloud Security Alliance (CSA) suggests, in Domain 11 of its Security Guidance for Critical Areas of Focus in Cloud Computing, that an excellent method of increasing data protection, confidentiality and integrity is to ensure that data is protected in transit and at rest within the cloud by using file-level encryption. According to the Security Guidance, “… encryption offers the benefits of minimum reliance on the cloud service provider and lack of dependence on detection of operational failure.”
Encryption-based data-centric protection means that the data is useless to anyone without the correct decryption key. This protects the data both in transit and at rest. Whoever controls the decryption keys controls the security of the data and can determine who may and may not access it.
Essentially, a data-centric approach ensures that data is encrypted at the file level before leaving a trusted zone. This allows IT administrators and end-users to reclaim some control over their data, even if it is stored in the cloud. According to CSA experts, “Used properly, data centric encryption security prevents unauthorized access and tampering regardless of where the data travels, and means organizations can enjoy the business benefits of cloud computing without putting sensitive data at risk.”
In Theory: DMF
An AT&T Labs Research group, in conjunction with the University of Pennsylvania, suggested a Data-centric Management Framework (DMF) for cloud implementation. According to the researchers,
“DMF is a cloud orchestration programming and execution framework, in which cloud operations can be easily specified and executed while ensuring that service and engineering constraints are satisfied in a system-wide manner. DMF models resources and their state as structured data, and further separates this data into logical and physical layers. In particular, DMF can atomically commit a group of operations, maintain consistency between the logical and physical layers, prevent misconfiguration and illegal resource manipulations by evaluating constraints before physical deployment, and provide race-free concurrent transactions.”
With DMF, there is a conceptually centralized data repository of all resources within the IT architecture, including the compute, storage and network devices. There are two copies of each resource object: a primary copy at the physical layer and a secondary copy at the logical layer. DMF offers weak, eventual consistency between the two layers.
In Practice: Trend Micro
In order to promote data-centric security, Trend Micro takes an approach it calls the Smart Protection Network, which integrates outside-in and inside-out approaches to data security. According to Trend Micro, a data-centric security system should include the following five elements:
- Multi-platform support across physical, virtual and cloud environments
- Real-time threat intelligence
- Contextual awareness to enable security settings to adapt to specific contexts
- Intelligent integration of threat and data information to increase efficiency
- Unified management to improve visibility, ease of use and TCO
This article examines a data-centric, or inside-out, approach to data security in the cloud. Unlike traditional approaches to security, which focus on perimeter defenses, a data-centric approach ensures that data is protected from within, whether it is in transit or at rest. The article looks at how data-centric practices are recommended by the Cloud Security Alliance and how various industry experts have developed the data-centric security concept, in theory as well as practice.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
- Six phases of the Data Security Lifecycle (Domain 5)
- Encryption practices in S-P-I models (Domain 11)