How to ensure the security of information data in the era of cloud computing
Concrete protection of data and information security can be broken down into the following aspects.
1. Data security isolation
To isolate the data of different users from one another, physical isolation, virtualization, multi-tenancy and other methods can be adopted according to the specific application requirements, so that the data and configuration information of different tenants are securely separated and each tenant's data security and privacy are protected.
2. Data access control
For data access control, an access control model based on identity authentication can be adopted, with real-time identity monitoring, authorization checks and certificate inspection to prevent unauthorized access between users. A default "deny all" access control policy can be adopted, so that the corresponding ports or access policies are explicitly opened only when there is an actual data access requirement. In a virtualized application environment, a logical-boundary security access control strategy can be configured, for example by loading a virtual firewall, which enables fine-grained data access control between virtual machines and within virtual units.
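As an added example (not part of the original article) of the tenant isolation and default "deny all" policy described above, the Node.js code below evaluates east-west flows between virtual machines the way a virtual firewall would: a flow is allowed only if an explicit, tenant-scoped allow rule matches, and every other flow, including any cross-tenant flow, is denied. The tenants, addresses and rules are constructed for illustration.

```javascript
// Default-deny policy for flows between virtual machines (constructed example).
// ipToInt converts a dotted IPv4 address into an unsigned 32-bit integer.
function ipToInt(ip) {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some((o) => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

// inCidr reports whether ip lies inside the "a.b.c.d/n" prefix (a bare address means /32).
function inCidr(ip, cidr) {
  const [net, bits = "32"] = cidr.split("/");
  const n = Number(bits);
  const mask = n === 0 ? 0 : (0xffffffff << (32 - n)) >>> 0; // "<< 32" would wrap to 0 in JS
  return (ipToInt(ip) & mask) === (ipToInt(net) & mask);
}

// Each allow rule is scoped to one tenant's logical boundary, so no rule can
// open a path from one tenant's VMs into another tenant's. Made-up values.
const ALLOW_RULES = [
  { tenant: "tenant-a", src: "10.1.0.0/24", dst: "10.1.1.10/32", proto: "tcp", port: 443 },
  { tenant: "tenant-a", src: "10.1.0.0/24", dst: "10.1.1.20/32", proto: "tcp", port: 5432 },
  { tenant: "tenant-b", src: "10.2.0.0/16", dst: "10.2.0.5/32", proto: "tcp", port: 22 },
];

// decide evaluates one flow { srcTenant, dstTenant, src, dst, proto, port }.
// Anything not explicitly opened falls through to the default deny.
function decide(rules, flow) {
  if (flow.srcTenant !== flow.dstTenant) {
    return { action: "deny", rule: null, reason: "cross-tenant" };
  }
  for (const r of rules) {
    if (r.tenant === flow.srcTenant && r.proto === flow.proto && r.port === flow.port &&
        inCidr(flow.src, r.src) && inCidr(flow.dst, r.dst)) {
      return { action: "allow", rule: r, reason: "explicit allow" };
    }
  }
  return { action: "deny", rule: null, reason: "default deny" };
}
```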
3. Data encryption storage
Data encryption is an important means of data protection: even if data is stolen, it is just a pile of garbled bytes to the thief, who cannot learn the actual content. When choosing an encryption algorithm, a symmetric algorithm with high encryption performance should be selected, such as internationally common algorithms like AES and 3DES, or the domestic commercial cipher algorithm SCB2. For key management, a centralized mechanism for managing and distributing user keys should be adopted so that users' stored information can be managed and maintained efficiently and securely. For cloud storage services, the cloud computing system should offer an encryption service that encrypts data at rest, so that it cannot be snooped on by others; for services such as virtual machines, users are advised to encrypt important data themselves before uploading and storing it.
4. Data encryption transmission
In a cloud computing environment, network transmission of data is unavoidable, so securing data in transit is equally important. Transmission encryption can be implemented at the link, network or transport layer, using network encryption technologies to ensure the confidentiality, integrity and availability of data transmitted over the network. For the encrypted transmission of management information, SSH and SSL can be used to provide an encrypted channel for the internal maintenance and management of the cloud computing system, securing the maintenance and management traffic. For the encrypted transmission of user data, VPN technologies such as IPSec VPN and SSL VPN can be used to improve the transmission security of user data.
5. Data backup and recovery
Wherever data is stored, users should carefully consider the risk of data loss. To cope with a sudden system failure or disaster on the cloud computing platform, it is very important to be able to back up and restore data quickly. For example, in a virtualized environment the platform should support disk-based backup and recovery, enable rapid virtual machine recovery, support file-level full and incremental backups, and store only incremental changes to improve backup efficiency.
6. Residual information protection
Because user data is stored on the cloud computing platform, the storage space allocated to one user today may be allocated to another user tomorrow, so residual information must be protected. The cloud computing system is therefore required to completely erase data before reallocating storage resources to a new user, and, after a user's stored files/objects are deleted, to completely erase the corresponding storage area or mark it as write-only (it can only be overwritten by new data) so that it cannot be illegally or maliciously recovered.