Cloud Data Security Domain

Intellectual Property

• Copyright for expressions of ideas (books, movies, music). See "fair use" exceptions (e.g., class uses pages from a book)
• Trademark for specific words and logos
• Patent for inventions, processes, materials
• Trade secrets for things that can't be patented (recipes, client and supplier lists, etc)
• DMCA has been abused, "takedown notice" used to harass or DoS a site

Data Rights Management / Information Rights Management

• Can work via:
  • Rudimentary Reference Check: enter a phrase or number from manual
  • Online Reference Check: enter product key at installation, OS will check online later
  • Local Agent Check: install a tool that does this, used with games
  • Presence of Licensed Media: is CD in tray?
  • Support-Based Licensing: pay annual support to get updates and patches
• DRM should provide:
  • Persistent Protection — follow the content
  • Dynamic Policy Control — allow creators and owners to modify permissions
  • Automatic Expiration
  • Continuous Auditing — allow for monitoring of use and access history
  • Replication Restrictions — including screen-capture, screen-scraping, print, electronic copy
  • Remote Rights Revocation
  • Might provide more: control printing, add watermark if printed, prohibit copy/paste, prohibit screenshot

Data Storage Models

• Volume storage — like an attached disk, often associated with IaaS
  • File storage — the usual file system hierarchy
  • Block storage — block device like a blank disk (e.g., AWS EC2)
• Object-based storage — like AWS S3, metadata describing content, usually associated with PaaS. Accessible through an API. Often described as part of a hierarchy, but not a file system as with volume storage.
  • Structured — easy to include in a database
  • Unstructured — messy pile of multimedia, email messages, photos, audio files, presentations
• Databases — usually with PaaS and SaaS
• CDN — Content Delivery Network, stream data to SaaS apps
• Raw storage — concept for provider — RDM (Raw Device Mapping) in VMware, or Pass-Through Disks in Microsoft Hyper-V

Database encryption

• File-level encryption (encrypt the DB file)
• Transparent encryption (runs within database)
• Application-level encryption (part of application accessing the DB)

Data Masking — hide, replace, or omit sensitive data

Approaches:

• Random substitution
• Hashing — replace with hash, which will distort format and other characteristics, cannot be reversed
• Algorithmic substitution (allows for two-way substitution, so this is very low-security encryption!)
• Shuffle (shuffle values within the same column)
• Masking (hide content with characters, credit card becomes XXXX XXXX XX65 4321). This is for internal use, for testing and training, not for printing receipts.
• Deletion (null value or delete it)

Methods:

• Static — new copy is created with masking
• Dynamic — on-the-fly, hide some data when records are accessed

Data Anonymization

Similar to masking, also remove indirect identifiers to prevent analysis figuring out what PII would have directly shown.

Used to analyze statistics on large collection containing PII.

Data Tokenization

Replace a sensitive data element with a token, a random value with shape and form of original. A tokenization application maps between the tokens and actual values. Needs a second database.

PCI DSS requires either encryption or tokenization of PII and card data.

Bit Splitting

Encrypt, split ciphertext and key across storage locations. With redundancy, your data survives individual drive failures, or seizures of some media by law enforcement.

• SSMS (Secret Sharing Made Short) — encrypt data, use IDA (information dispersal algorithm) to split the data into fragments using erasure coding. Split the key, sign and distribute fragments of ciphertext and key to different cloud storage services. User must have m out of n fragments of data and key.
• AONT-RS (All-Or-Nothing Transform with Reed-Solomon) — similar approach

Responsibility depending on type of cloud service