Storage threat mitigations

There are many technologies that can be used to mitigate the various threats associated with cloud-based storage solutions. We will look at a few such technologies in detail in the following sections.

Encryption

Encryption is a vital technology that ensures the confidentiality of data in the cloud is maintained. When implementing encryption capabilities for your cloud computing environment, you must ensure that the technologies deployed support:

  • Your specific cloud platform
  • Organizational policies and rules
  • Business and mission objectives
  • Regulatory requirements

Encryption use cases:

  • Data in transit: Encryption should be used when data is moved inside and outside of the cloud
  • Data at rest: Data that resides on cloud storage should be encrypted when stored to ensure that the data cannot be removed
  • Data destruction: Once the useful life of cloud resources has been reached, encryption can be used to make data unrecoverable
  • Multitenancy: Encryption can be used to ensure that separations between different customers in a multitenant cloud are better maintained
  • Compliance with regulatory requirements: Many compliance standards require encryption at rest and in transit

Encryption challenges:

  • Encryption key management:
    • In many cases, the encryption capability of a cloud infrastructure is fully managed by the CSP, including the encryption keys.
    • If the CSP manages your encryption keys, you will not be able to completely trust your encryption mechanisms, as the CSP would retain the ability to decrypt your organization's data.
    • You should manage your own encryption keys if your CSP allows you to perform this function. Additionally, you should establish customer key management as a requirement when selecting a cloud service provider.
    • It is important to note that managing your own encryption keys does add an administrative burden to the IT organization and will need to be accounted for from a resources perspective.
  • Data in use: Generally, when data is in use it is unencrypted somewhere in the information systems. The unencrypted data may reside in memory or physical/virtual storage. While this data is being processed, it is vulnerable to unauthorized disclosure to individuals with elevated privileges within the cloud computing infrastructure.
  • Performance:
    • Encryption may negatively affect performance depending on the cloud computing implementation
    • Special attention will need to be given to high-performance and mission-critical applications to ensure that encryption technologies do not cause a denial of service due to the performance impact associated with encryption
  • Complexity:
    • Encryption may affect how data replication, backups, and disaster recovery occur
    • An encryption approach must be developed that properly secures the information while ensuring that business/mission processes continue to function

Data loss prevention

Data loss prevention (DLP) tools are used to ensure that organizational data is properly maintained and controlled. Access to information managed by a DLP system has the following features and arrangements:

  • Tightly controlled with access controls
  • Extensive logs are maintained to ensure visibility
  • Rule sets are developed to generate alerts
  • Data is prevented from being accessed in an unauthorized manner

The data loss prevention life cycle supports both the organization's requirement to protect intellectual property and the technical implementation of a data loss prevention tool as part of the enterprise network. The following are the stages of the life cycle:

  1. Discovery and Classification:
    • This is the first and most important stage of the DLP process
    • Without properly understanding your information, you have no means to understand which rules should be applied to your information
    • Utilize the guidance in this book related to data categorization
    • You will be mapping your internal information (intellectual property) to cloud computing architecture components (hardware/software)
  2. Monitoring:
    • Your DLP system will monitor data usage from both an inbound and outbound perspective
    • Usage policies will be defined based on business requirements and data criticality
    • The DLP system must be architected to monitor all available ingress and egress options for your data
  3. Enforcement:
    • This is where the DLP policies you previously established are enforced. Here, your DLP system will either allow or restrict access, and alert you to data requests
    • When a violation of a predefined policy occurs, the DLP system will then engage an enforcement action to protect organizational information
    • Enforcement actions include:
      • Alerting: Alerts can be sent to the administrator of the DLP system, managers, or the security operations center
      • Logging: Logging can be maintained for forensics purposes and forwarded to the SIEM for analysis by the security operations center
      • Blocking: Requests for information can be blocked
      • Request additional permissions: Workflow can be triggered to either positively identify the requesting user or require permission from someone else to access the information
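
The three life cycle stages above can be sketched as a small rule engine. This is an added example, not code from the book or from any DLP product; the patterns, the "Project Orion" codename, the policy table, and all names are assumptions, and the sample events are constructed.

```python
import re
from dataclasses import dataclass

# Stage 1, discovery and classification: constructed patterns mapped to labels.
CLASSIFIERS = {
    "restricted": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),      # SSN-like identifier
    "confidential": re.compile(r"(?i)\bproject\s+orion\b"),   # hypothetical IP codename
}
RANK = {"public": 0, "confidential": 1, "restricted": 2}

def classify(text):
    """Return the highest-ranked label whose pattern matches the content."""
    hits = [label for label, rx in CLASSIFIERS.items() if rx.search(text)]
    return max(hits, key=RANK.get, default="public")

@dataclass
class Event:            # Stage 2, monitoring: one observed data movement
    user: str
    direction: str      # "ingress" or "egress"
    content: str

# Stage 3, enforcement: (label, direction) -> actions taken on a policy match.
POLICY = {
    ("restricted", "egress"): ["block", "alert", "log"],
    ("confidential", "egress"): ["request_approval", "log"],
    ("restricted", "ingress"): ["alert", "log"],
}

def enforce(event):
    """Classify the event content and return (label, enforcement actions)."""
    label = classify(event.content)
    return label, POLICY.get((label, event.direction), ["allow"])

SAMPLE_EVENTS = [  # constructed sample data
    Event("alice", "egress", "Customer SSN 123-45-6789 attached"),
    Event("bob", "egress", "Draft roadmap for Project Orion"),
    Event("carol", "egress", "Lunch menu for Friday"),
    Event("dave", "ingress", "Uploaded record 987-65-4321"),
]

def run(events):
    """Return (user, label, actions) for every monitored event."""
    return [(e.user, *enforce(e)) for e in events]

if __name__ == "__main__":
    for row in run(SAMPLE_EVENTS):
        print(row)
```

Content that matches no classifier is labelled public and allowed, which is why the discovery and classification stage decides how much the later stages can protect.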

Cloud computing DLP considerations

As you develop your architecture around DLP in your cloud computing environment, you will need to consider the following with regard to policy:

  • When is data allowed to leave the cloud environment?
  • How should organizational data be stored and what precautions should the DLP system put in place related to storage?
  • What kind of data should be stored in the cloud?
  • Does your organization have information that should never be in the cloud environment?
  • How should data be accessed?
    • Which networks?
    • Which devices?
    • Which applications?
  • What compliance requirements, rules, and laws need to be enforced?