Data Security and Compliance Controls in Cloud Environments
In this sample chapter from CompTIA Cloud+ CV0-003 Exam Cram, you will learn how to apply data security and compliance controls in cloud environments.
In this chapter you will learn about different data security and compliance controls that are available in cloud environments. You will learn about how encryption and integrity affect an organization’s data. You will also learn how to secure data by classifying and segmenting the data, as well as controlling access to the data.
Also discussed in this chapter is how laws and regulations impact data security, including the concept of a legal host. Lastly, you will learn about records management, a process in which rules are put in place to determine how long data is maintained and how to properly destroy the data when it is no longer needed.
Encryption is the process of transforming data (the plaintext) into a form (the ciphertext) that reveals nothing about the original to anyone who does not hold the decryption key. Encryption is applied to data in three states:
Data at rest: Data is encrypted while it is stored, on a disk or volume or in object storage. You can encrypt the data yourself before uploading it (client-side encryption), or, where the cloud provider offers it, the provider can encrypt it when it is written (server-side encryption). When you encrypt the data, you hold the key: you must decrypt the data whenever the plaintext is needed, and you must protect and back up the key, because losing it makes the data unrecoverable. When the provider encrypts the data, the provider decrypts it on read, so any identity that the provider's access controls admit sees plaintext; server-side encryption mainly protects against loss or reuse of the underlying storage media, not against a stolen credential.
Data in transit: Data is encrypted before it is sent across a network and decrypted when it is received. Several techniques exist, but in cloud environments this usually means TLS between a client and the provider's API or storage endpoint, or an IPsec VPN tunnel between your network and the provider's, in which a gateway device encrypts traffic before forwarding it. In either case the receiving side must be authenticated (for TLS, by validating the server's certificate); encryption without authentication still lets an attacker on the path impersonate the endpoint and read the data.
Data in use: Data is protected while it is being actively processed, which typically means while it is held in random-access memory (RAM). Because some attacks can expose data in RAM, this form of protection, usually implemented as hardware memory encryption or a trusted execution environment (often marketed as confidential computing), can be important for keeping data confidential even from the hypervisor and the cloud provider's own administrators.
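The data-in-transit case is worth seeing end to end, because the part that fails in practice is not the encryption but the authentication of the endpoint. The following Go program is an added example, not code from the book; it starts a TLS server on a loopback port with a self-signed certificate for a constructed hostname (storage.example.internal) and connects a client twice. The first client pins that certificate as its trust anchor and its payload arrives; the second has an empty trust store, which is exactly what a client sees from an unknown or impersonated endpoint, and the handshake is refused before any data is sent. The hostname, the constructed sample record, and the function names are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// serverName is a constructed hostname; a real client uses the provider's
// endpoint name, whose certificate chains to a public CA.
const serverName = "storage.example.internal"

// newServerCert makes a throwaway P-256 key and self-signed certificate for
// serverName, standing in for the certificate a storage endpoint presents.
func newServerCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: serverName},
		DNSNames:              []string{serverName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// SendOverTLS runs a TLS server on a loopback port and sends payload to it from
// a client. With trustServer true the client pins the server certificate as its
// only trust anchor; with it false the client's trust store is empty. It returns
// the bytes the server received and the client's error, if any.
func SendOverTLS(payload []byte, trustServer bool) ([]byte, error) {
	cert, leaf, err := newServerCert()
	if err != nil {
		return nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	received := make(chan []byte, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			received <- nil
			return
		}
		defer conn.Close()
		buf, _ := io.ReadAll(conn) // handshake runs on first Read; a failed one yields no data
		received <- buf
	}()
	roots := x509.NewCertPool()
	if trustServer {
		roots.AddCert(leaf)
	}
	client, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		ServerName: serverName, // checked against the certificate's SAN entries
		RootCAs:    roots,      // never paper over a trust error with InsecureSkipVerify
		MinVersion: tls.VersionTLS12,
	})
	if err != nil {
		return nil, err // handshake refused the certificate; no data left the client
	}
	if _, err := client.Write(payload); err != nil {
		client.Close()
		return nil, err
	}
	client.Close() // close_notify lets the server's ReadAll return
	return <-received, nil
}

func main() {
	record := []byte("constructed sample: account=42,balance=100")
	got, err := SendOverTLS(record, true)
	fmt.Printf("trusted cert: received %q, err=%v\n", got, err)
	_, err = SendOverTLS(record, false)
	fmt.Printf("untrusted cert: err=%v\n", err)
}
```

The check to carry into real systems is the second call: a client that cannot build a chain to a trusted root must fail closed. Setting InsecureSkipVerify (or its equivalent in other TLS libraries) to get past such an error turns data-in-transit encryption into encryption to whoever answers on the wire.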
Many different technologies can be used to encrypt data, and which one you use depends on several factors, including the cloud provider you work with. All of them are built on one of two methods:
Symmetric encryption: The same secret key is used to both encrypt and decrypt the data, so every party that needs to decrypt must hold that key, and distributing the key securely is the main operational problem. Symmetric ciphers such as AES are fast and are what actually encrypts bulk data at rest and in transit.
Asymmetric encryption: Different keys are used to encrypt and decrypt. The keys come as a pair: a public key, which can be given to anyone, and a private key, which you never share. If you want someone to send you data across the network, you give that person your public key, the person encrypts the data with it, and the only way to decrypt the result is with your private key. Because asymmetric operations are slow and can only encrypt short messages, they are used in practice to protect a symmetric data key, which in turn encrypts the bulk data; this hybrid pattern is what TLS key exchange and cloud key management services' envelope encryption both rely on.
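The client-side data-at-rest case and the symmetric/asymmetric split above come together in envelope encryption, shown here as an added example in Go that is not code from the book. A fresh 256-bit AES key encrypts the object with AES-GCM (symmetric, fast, and authenticated), and only that small key is encrypted with the recipient's RSA public key using OAEP (asymmetric). What would be uploaded to storage is the ciphertext plus the wrapped key; the plaintext key exists only in memory. The final step flips one byte of the stored ciphertext to show that an authenticated cipher refuses to decrypt modified data rather than returning garbage. The Envelope type, the function names, and the constructed sample text are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what would be written to storage: the AES-GCM ciphertext of the
// object (authentication tag included) and its one-time data key wrapped with
// the recipient's RSA public key. The unwrapped data key is never stored.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext for the holder of the private key matching pub: a
// fresh data key encrypts the bulk data (symmetric), and RSA-OAEP encrypts
// only that 32-byte key (asymmetric, limited to small inputs).
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// A nonce must never repeat under one key; with a one-time key a random nonce is safe.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		Nonce:      nonce,
		Ciphertext: aead.Seal(nil, nonce, plaintext, nil),
		WrappedKey: wrapped,
	}, nil
}

// Decrypt unwraps the data key with the private key and opens the ciphertext.
// GCM checks the authentication tag before releasing plaintext, so a modified
// envelope produces an error, not silently corrupted data.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// RoundTrip generates a key pair, seals plaintext, opens it again, then flips
// one ciphertext byte and reports whether the tampered envelope was rejected.
func RoundTrip(plaintext []byte) (recovered []byte, tamperRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, false, err
	}
	env, err := Encrypt(&priv.PublicKey, plaintext)
	if err != nil {
		return nil, false, err
	}
	recovered, err = Decrypt(priv, env)
	if err != nil {
		return nil, false, err
	}
	tampered := *env
	tampered.Ciphertext = append([]byte(nil), env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01 // simulate a modified object in storage
	_, err = Decrypt(priv, &tampered)
	return recovered, err != nil, nil
}

func main() {
	got, rejected, err := RoundTrip([]byte("constructed sample: customer list"))
	fmt.Printf("recovered=%q tamperRejected=%v err=%v\n", got, rejected, err)
}
```

In a cloud deployment the RSA key pair would live in the provider's key management service or an HSM, and the wrap and unwrap calls would be API requests to it; the data key and the bulk encryption stay in your process exactly as shown, which is what keeps the provider from ever holding both the ciphertext and an unwrapped key.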