now, in the realm of security, we continue to go back to the CIA. Try it.
Confidentiality, integrity and availability. And usually when we think about providing confidentiality for our daven, for a resource is we think about encryption, and that's no different in the cloud.
Now, when we're talking about protecting the privacy of our data, we have to think about the three states in which data can reside.
Data can be at rest,
in process or emotion. And to really protect our data, we have to consider how we're going to protect it in all three states. All right, So when we talk about data in motion data coming to and from the cloud as we access that in the cloud as we stork added to the cloud,
how are we gonna provide protection?
the way we provide encryption, our protection for data in transit is we use secure protocols, and usually these secure protocols revolve around created an encrypted channel boarding krypton tongue S s l and T. L s provide that encrypted tunnel.
You know, the negotiation from client to server
and the requesting of a public key
making the public he and encrypting it with, um uh are creating a session key and encrypting it with servers Public key. Ultimately, the weight SSL works as it does secure key distribution to both parties and then that symmetric session key would be used to provide encryption for the data.
But ultimately and a lot of times will refer to it is SSL
s s l N t l s p. Ellis having replaced us itself, but ultimately being kind of two birds of a feather. So to speak s o A lot of times you may hear me say ssl What? I'm really implying its SSL or T l s most likely t l s, But ultimately
s S l o A t l s create that encrypted tunneled
using ah, perhaps eight yeses their encryption algorithm and although others are available But the bottom line is when we're encrypting all the data in a stream, we refer to that as an encrypted tongue.
Say my deal with I P sec. Now I P sec can be used to create a tunnel between endpoints if you will also a good solution. But the bottom line is for data in transit. We have to be concerned about its privacy, and we use secure tunneling protocols or secure encryption protocols.
Now, when that is being processed, there's not a whole lot you can do currently because that is loaded into RAM. And while it's being processed, it has to be decrypted. So physical security mechanisms are really the best way to protect that. A wallet in process. So
locked doors controlling physical access to the system. Watching for,
shoulder surfing and elements like that
would be how we would protect Atta in process. Then, when it comes to data at rest,
where's the data stored? Well, it's gonna be stored on Dr In the Cloud. Most likely is what we're addressing here. So how does that daddy's confidentiality get protected? Well, it's encrypted as well.
Now the trick there is. Well, if it's encrypted with the key, where do there's keys? Get stored?
If we allow the Cloud service provider to have controller for keys,
there goes confidentiality, right, we've we've turned our keys over to somewhere else. Sometimes you'll hear of key escrow organizations where you pay them a certain amount and they store your keys for you. And ideally, you know, turning that over to 1/3
party. You know, the idea was that they don't have any, um,
stake in the game, so to speak, so they might be considered a trusted entity. But really, any time you turn your keys over to 1/3 party, there's always the potential for breach. So what we would like to do is we would like to keep key management handled by the client. That really is the best practice,
so we can do that through remote key management
or client side key management.
So when we talk about both of these entities, the customer owns three keys. The customer owns the key management service. It's on their premises, so we have a key management server that's on our premises. But with remote key management were still kind of handling the administration responsibilities.
Ah, handing that over to the provider that accesses the server
remotely again. It's sort of reduces the infrastructure, needs the support needs with client side key management. Again, the key management server is on the premises, but we're in control. We manage. We don't turn over any sort of access to anyone. It's fully under our control.
It really is just kind of a matter off. Do I want the administrative effort on ourselves and the benefit of greater confidentiality, or will I turn over some control for administration and configuration and set up in exchange
doesn't necessarily make me less secure. But any time I'm turning elements over to 1/3 party or allowing them to access
systems remotely, there is perhaps a greater potential for vulnerability.