Organizations use cloud services for a wide variety of data storage needs. These cloud services offer tremendous flexibility and cost effectiveness but also come with security concerns that administrators must address. In this video, you will learn the importance of securing data stored in cloud services through the use of access controls and encryption.
- [Presenter] Organizations use cloud services for a wide variety of data storage needs. These cloud services offer tremendous flexibility and cost effectiveness but also come with security concerns that administrators must address. The basic principle that organizations should follow is that you should apply the same security controls to data stored in the cloud as you would to data stored in your own data center. If you'd encrypt information in your own data center, you should encrypt it in the cloud. If you'd restrict access in your own data center, you should restrict it in the cloud.
The two main issues you should think about when handling cloud data security are encryption and access control. The way you'll implement encryption depends upon the type of service that you're using and the way that you use it. For example, when using an infrastructure as a service provider for servers, you may be able to encrypt entire virtual disk volumes to prevent anyone, including the provider, from accessing the contents of the disk. Let's see how that works in Amazon Web Services. Here I am in the AWS console on the Elastic Block Store, or EBS, page.
EBS is Amazon's virtual disk service. I can use it to create storage volumes that my virtual machines can access. I'm going to click the Create Volume button to create a new EBS volume. And you can see here that I can set the details of this volume. Let's see, a general purpose solid state volume sounds fine. We have a 100 gigabyte size, that's good. We have the US East availability zone, and then down here you can see a checkbox saying Encryption. It's defaulted to Off because encryption adds overhead and cost, but I want to use it because maybe I'm going to put some sensitive data on this volume.
So I just click this checkbox, and then I'm provided with a little more information about the encryption key that I'm going to use. I could pull this down and choose from a large variety of keys if I happen to have them, those are managed elsewhere in the AWS console, but I'm going to go ahead and just use this default key here, and then there's some information about the key if I need it for later reference. I go ahead and click Create Volume, and my new volume is created. It's in the creating process right now, and when that finishes I'll have a hundred gigabyte encrypted volume for use in AWS.
If I look down at the attributes of this volume, down at the bottom of the screen in the Description, you can see that it verifies for me that the volume is indeed encrypted and provides me with information about the key that's used to encrypt this volume. One thing that you need to think about when using cloud encryption is who has access to the encryption key. In the scenario I just set up, I used a key managed by AWS. If I wanted to add even more security, I would have created my own encryption key and then used that with a cloud-based hardware security module, preventing even the cloud provider from gaining access to my data.
The second issue that I need to consider when storing data in the cloud is access controls. You can often set access controls in the cloud the same way you would on a local file system. If you're directly mounting the service as a drive, you can probably use the exact same access controls. Let's take a look at how we set access control permissions in a web-based file sharing service. Here I am logged into my Box.com account in a folder called Security Plus Demo. Over here on the right side of the screen you can see that there's a place to list folder collaborators.
Right now nobody else can access this folder. Let's say that I want to give another user access to this folder. I'll give access to my colleague Austin Finnegan. If I click Invite People, I see a popup window where I'm able to type in the email addresses or names of people that I'd like to give access. I go ahead and start typing in Austin Finnegan, and his email address is email@example.com, and then I'm asked what permission I'd like to give him.
If I click the Learn More link here, I get complete details on what each one of these permissions means. For example, the default permission here, Editor, would allow Austin to upload and download files from this folder, preview files, get links to access the files without going through the Box interface, edit the files, and delete the files. That's a lot of permission. I actually just want Austin to be able to look at the files in this folder. So I'm going to go ahead and give him the Download, Preview, and Get Link permissions, and that corresponds to the Viewer role in Box.
So let's just pull this dropdown here and choose Viewer for Austin, and it allows me to personalize the message if I'd like. Once I click Send Invites, it tells me that a collaborator was successfully invited. I can clear that out, and in just a moment that populates. It tells me the request here is pending because Austin has not yet accepted that request. If I change my mind, I can use this dropdown arrow here and just click Remove, and it tells me that I have removed Austin Finnegan as a collaborator on this folder, and we're back to no open invitations.
The bottom line here is that it's very important to understand the specific encryption and access control mechanisms used for any cloud service that you use in your organization.
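As an added example, not part of the video, the following Python audit applies the "who has access to the encryption key" question from the EBS demo to a set of volume records: it flags volumes that are not encrypted at all and, optionally, volumes encrypted with the AWS-managed default key rather than a customer-managed key. The volume and key records are constructed inline in the shape of `aws ec2 describe-volumes` and `aws kms describe-key` output (the `KeyManager` field is `AWS` or `CUSTOMER`); the key ARNs are placeholders, and no AWS calls are made.

```python
"""Audit EBS volume records for encryption and key ownership (added example)."""

# Constructed sample volumes in the shape `aws ec2 describe-volumes` returns.
VOLUMES = [
    {"VolumeId": "vol-0aaa", "Encrypted": False, "AvailabilityZone": "us-east-1a", "Size": 100},
    {"VolumeId": "vol-0bbb", "Encrypted": True, "AvailabilityZone": "us-east-1a", "Size": 100,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/AWS-DEFAULT-KEY-PLACEHOLDER"},
    {"VolumeId": "vol-0ccc", "Encrypted": True, "AvailabilityZone": "us-east-1a", "Size": 100,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/CUSTOMER-KEY-PLACEHOLDER"},
]

# Constructed KMS key metadata keyed by ARN. In practice this comes from
# `aws kms describe-key`; KeyManager is "AWS" for the service default key
# (what the demo used) or "CUSTOMER" for a key the organization controls.
KEY_METADATA = {
    "arn:aws:kms:us-east-1:111122223333:key/AWS-DEFAULT-KEY-PLACEHOLDER": {"KeyManager": "AWS"},
    "arn:aws:kms:us-east-1:111122223333:key/CUSTOMER-KEY-PLACEHOLDER": {"KeyManager": "CUSTOMER"},
}


def classify_volume(volume, key_metadata):
    """Return 'unencrypted', 'aws-managed-key', 'customer-managed-key' or 'unknown-key'."""
    if not volume.get("Encrypted"):
        return "unencrypted"
    meta = key_metadata.get(volume.get("KmsKeyId"))
    if meta is None:
        # Encrypted, but with a key we could not resolve: treat as a finding.
        return "unknown-key"
    return "aws-managed-key" if meta.get("KeyManager") == "AWS" else "customer-managed-key"


def audit_volumes(volumes, key_metadata, require_customer_key=False):
    """Return (VolumeId, finding) pairs for volumes that fail the policy.

    Unencrypted and unresolvable-key volumes always fail; AWS-managed keys
    fail only when require_customer_key is set.
    """
    findings = []
    for volume in volumes:
        status = classify_volume(volume, key_metadata)
        if status in ("unencrypted", "unknown-key"):
            findings.append((volume["VolumeId"], status))
        elif require_customer_key and status == "aws-managed-key":
            findings.append((volume["VolumeId"], status))
    return findings


if __name__ == "__main__":
    for volume_id, finding in audit_volumes(VOLUMES, KEY_METADATA, require_customer_key=True):
        print(f"{volume_id}: {finding}")
```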
Members who take all eight courses in the series will be prepared to take and pass the CISSP exam. Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.