life and death in the cloud: a new take on security


Forget about flash drives: soon we’ll only talk about services like Dropbox, Google Drive and SkyDrive. But to ensure the best possible conditions for this huge migration of data to the cloud, I think a new take on security is in order.

data-centric security

Cloud computing is accelerating and generalizing the dematerialization of data storage, and security has to adapt to this new situation. Data-centric security is a model that goes back to the fundamentals. The idea is that security should track data throughout its entire life cycle. 
Here, “track data” means that each phase in the data life cycle is analyzed to identify and implement security measures and controls.

a six-phase cycle

The data life cycle can be split into six phases: creation, storage, usage, sharing, archiving and finally destruction. Although the cycle is sequential, data can certainly take a non-sequential path. 

This approach can also be used for a "classic” (non-cloud) system. In this case, security controls would be different.

1. creation

This phase involves generating new data or making significant changes to existing data. “Classification” (assigning a label and security level) and setting associated access rights are the security controls used for this phase.

2. storage

Storage refers to saving data in a structure or system (files, databases, etc). Here, controls include things like access management (access control lists, file rights, etc), encryption and techniques for data discovery and monitoring.

3. usage

The usage phase includes all actions that a user performs on data. It is distinct from the sharing phase because only one user is manipulating data. As for controls, there are the classics such as rights management, user activity monitoring, and application programming interface (API) security.

4. sharing

Sharing includes all activity designed to share data with other users, customers or partners. Controls include rights management, activity monitoring, encryption, API security and techniques for data discovery and monitoring.

5. archiving

The archiving phase consists in transferring data to a storage platform for conservation over a certain period of time (eg, backup). The main controls here are encryption and platform assets management.

6. destruction

Destruction consists in permanently erasing data that is no longer useful. During this phase, controls include the physical destruction of magnetic storage drives, secure deletion, and content discovery techniques to make sure nothing is overlooked.

in the meantime...

For those of you who don’t want to wait for the next articles on this model and its various phases, I suggest you (re)read the "Domain 5: Information Management and Data Security" article in the "Security Guidance for Critical Areas of Focus in Computing v3.0" guide by the Cloud Security Alliance. You can also peruse the articles on the Securosis blog.


Jean-François Audenard

Au sein de la direction sécurité du Groupe Orange, je suis en charge de la veille sécurité et de la sensibilisation à la sécurité. Franchise, optimisme et bonne-humeur sont mes moteurs quotidiens