Okay, so now we can go in and talk a little bit more about encryption. And again, encryption is gonna be kind of scattered throughout the entire lecture, so a little piece at a time.
So when we're talking about encryption, what we're looking at, generally speaking, is taking plaintext and translating it into ciphertext. So we've got valuable data, perhaps, and we want to make it unreadable to an attacker; that's its simplest form. So when we think about the data, we often refer to it as plaintext,
cleartext, whatever. Then there's some form of encryption engine, the mechanism, whether it's in the operating system, in the application, or some sort of separate element. And then, of course, we have to have keys, encryption keys. And those are really the heart and soul of the secrecy of encryption.
Now we can use storage-level encryption, or we can use volume encryption. You know, with storage-level encryption we're encrypting the entire storage element.
You know, if you're familiar with, and it's just a small-level example, but if you're familiar with BitLocker,
BitLocker will encrypt the entire hard drive. The whole storage element is encrypted, and only with the use of the key can the entire hard drive be accessed.
So if you lose that key, you can't access anything on that hard drive.
That key is usually stored on the motherboard on a chip called a TPM chip, Trusted Platform Module chip. And the purpose of it is, if the hard drive gets stolen, they still will not be able to access the hard drive.
Right? So it's kind of protection that protects that hard drive regardless of what happens to it.
So in just the same way, full-drive encryption or storage-level encryption encrypts the entire entity,
whereas instead we may choose volume encryption that just encrypts the necessary volume. We're just gonna encrypt the D drive or, you know, even smaller. We may just encrypt a specific folder or whatever's necessary. So, you know, the choice is ours, depending on the degree of encryption we want.
Now, when we're looking at object encryption, we've got file-level encryption, which we just talked about with IRM, information rights management, and DRM. So again, we're kind of embedding
those rights and permissions into the file itself. Regardless of the operating system or the application,
those permissions are embedded into the file,
whereas instead, if we use application
encryption, again, it's associated with that application. You could even think of, like, operating-system-based encryption in Windows: I right-click on a file and I choose to encrypt it. Well, that's the operating system's encryption, EFS, that's being used to encrypt the file. So it's based on the operating system.
With databases, most databases have the encryption engine within the database, so it's seamless to the user. That's not something that they're aware of, having to encrypt or decrypt.
Now, the best practices for encryption. Always want to know those best practices. Use open and validated formats. ISC² prefers openness.
When we talk about openness, we're talking about standards, we're talking about publicly known. We're talking about algorithms that are tried and true,
and that's as opposed to proprietary algorithms. Proprietary algorithms, I don't have the details to; I can't test that. And a lot of times when we look at proprietary stuff, there's an element of security through obscurity: if you can't see it, you can't crack it.
That's not really been the best, the most proven point throughout the history of various operating systems and so on. So the idea is open algorithms. We invite the community in to examine and also protect, also enhance.
So we like open validated formats.
The keys should be stored within the enterprise.
I'm not ever gonna turn my keys over to anyone, right? The encrypted information resides at the cloud service provider, but I keep the keys,
keying material, any sort of keying material: initialization vectors, the keys themselves. Initialization vectors are just elements of the complexity of encryption. None of that should be stored on the same volume as the data itself. Hopefully, that goes without saying. Identity-based key assignment,
protection of private keys.
So individual users, perhaps more so than individual systems, have keys associated with their identity. I can move from system to system to system, but my identity shouldn't change. So identity-based keys.
Use strong encryption.
Can't argue with that.
Strong enough to provide the security that I need, with the balance of performance.
Separation of duties: different key management functions, again, are not turned over to the cloud service provider. The cloud service provider shouldn't have my keys. So just some best practices and some ideas with encryption, not getting too deep; this exam doesn't get too deep in encryption.
Ideally, you've been exposed to the ideas of encryption before, and these are just kind of some reminders, specifically in relation to the cloud.
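The key-handling practices from the lecture (encrypt before the data reaches the provider, keep the keys in the enterprise, bind keys to a user identity rather than a machine) as an added Go example, not code from the lecture. The two map types are hypothetical stand-ins for an enterprise key store and a cloud object store; the GCM nonce travels with the ciphertext because it must be unique, not secret, so the key is the only thing that stays on the enterprise side.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Hypothetical stand-ins: the key store stays inside the enterprise, keyed by
// user identity; the cloud object store holds only nonce||ciphertext, never a key.
type EnterpriseKeyStore map[string]cipher.AEAD
type CloudObjectStore map[string][]byte

// IssueIdentityKey generates a fresh random 256-bit key for one identity.
func IssueIdentityKey(ks EnterpriseKeyStore, identity string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	block, err := aes.NewCipher(key) // 32-byte key, so this cannot fail here
	if err == nil {
		ks[identity], err = cipher.NewGCM(block)
	}
	return err
}

// Upload encrypts before the data leaves the enterprise; the object name is
// bound as associated data so a blob cannot be silently re-labelled.
func Upload(ks EnterpriseKeyStore, cloud CloudObjectStore, identity, name string, plaintext []byte) error {
	gcm, ok := ks[identity]
	if !ok {
		return errors.New("no key issued for identity " + identity)
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	cloud[name] = gcm.Seal(nonce, nonce, plaintext, []byte(name)) // nonce||ct
	return nil
}

// Download decrypts the provider-side blob with the enterprise-held key.
func Download(ks EnterpriseKeyStore, cloud CloudObjectStore, identity, name string) ([]byte, error) {
	gcm, ok := ks[identity]
	blob, found := cloud[name]
	if !ok || !found || len(blob) <= gcm.NonceSize() {
		return nil, errors.New("missing key or object, or malformed blob")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(name))
}
```

Because the object name is authenticated as associated data, a blob copied under another name, or opened with another identity's key, fails GCM authentication instead of decrypting to garbage.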