In cloud environment, multiple organizations share same resources. There is a chance for data misuse. So it is often necessary to protect data repositories, data in transit or process. This cannot be achieved with a single data protection technology or policy. Multiple techniques such as authentication, encryption, data encryption, data masking and data integrity should be combined to create a security model over cloud.

This article discusses about the available Data Security features in Amazon AWS and Microsoft Azure in comparison with CSA’s Cloud Control Matrix control framework.

Classification – (Sub Control)

Data and objects containing data shall be assigned a classification by the data owner based on data type, value, sensitivity, and criticality to the organization.

Data Objects/Resources can be classified by this tagging process but not data (i.e files in the storage). Data classification helps the organization to understand the value of data, risk associated and implement controls to mitigate it.

 AWS:

AWS supports data object tagging for AWS resources such as S3(Simple Storage Service) Buckets and EC2(Elastic Compute Cloud) instances. For example, if any particular S3 bucket has confidential data, that can be tagged with Data Classification = “Critical” tag. Based on the tags, access can be restricted for the resources or encryption can be applied to secure data.

Amazon recently launched Amazon Macie service for data security. Amazon Macie can automatically discover and classify data stored in Amazon S3.  Like traditional data classification, Amazon Macie uses keywords, regex and vector machine learning. But it doesn’t provide the freedom to use custom regex or keywords. The predefined regex, keyword can be either enabled/disabled. Custom regex or keywords cannot be created based on the organizational requirement. Amazon Macie assigns each matching object with severity such as low, medium or high. The severity scale/criteria is predefined and cannot be customized. Data classification can also be implemented by third party solutions hosted on AWS.

Azure:

Azure resources can be organized using tags. Tag can be applied based on resource environment (Production/Non Production), sensitivity (Confidential/Public). Resource policies can be created to ensure that the resources are tagged with appropriate value. Azure Information Protection service helps organization to classify and label data stored/accessed in Azure Cloud. Pre-defined patterns can be used for automatic classification. Azure Information Protection also supports custom string or regular expression for data classification. Policies can be set to apply classification automatically. Also, it can prompt users to apply recommended classification.

Handling / Labeling / Security Policy – (Sub Control)

Policies and procedures shall be established for the labeling, handling, and security of data and objects which contain data. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.

AWS:

AWS Resources can be labeled using tags. These tags can be applied based on environment (Production/Non Production), Security or business. As discussed in the previous section, AWS supports data object tagging for AWS resources such as S3(Simple Storage Service) Buckets and EC2(Elastic Compute Cloud) instances.

If a resource is tagged, that tag is not applied to the dependent/attached resources automatically. These dependent resources should be identified and tagged manually. This process can be automated by third party tools (Ex: Graffiti Monkey).

Azure:

As mentioned in the previous sections Azure resources can be labeled using tags. These tags should be applied manually for dependent resources. It is not inherited automatically. Using resource policies one can ensure whether the tags are applied properly.

Non-Production Data – (Sub Control)

Production data shall not be replicated or used in non-production environments. Any use of customer data in non-production environments requires explicit, documented approval from all customers whose data is affected, and must comply with all legal and regulatory requirements for scrubbing of sensitive data elements.

In many organizations, production data is replicated and used for testing, leaving the sensitive data unprotected in test environment. It is often necessary to protect sensitive data in test environment to meet data security compliance. Sensitive data in test environment can be masked with dummy data to serve the testing purpose. At the same time, data is protected.

AWS:

AWS Cloud Database doesn’t provide data masking as default service. Third party tools can be used to achieve Data masking in AWS Cloud Environment.  DataGuise, HexaTier, Mentis and Camouflage are few available tools in the market for Data Masking in Cloud.

Azure:

Azure SQL Database as service is a relational database service provided by Azure. Azure supports Dynamic Data Masking for this SQL database service. It hides the sensitive data in the result set, while the data in database is not changed. DDM can be set in Azure SQL DB using Powershell cmdlets or Rest API. Particular user can be excluded from data masking and they can view original data.

DDM feature is only available for Azure SQL Database as service not for the databases configured in the Virtual Machines. Third party data masking solutions should be used to mask data in these databases.

Secure Disposal – (Sub Control)

Policies and procedures shall be established with supporting business processes and technical measures implemented for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.

AWS:

When user deletes object from Amazon S3, first it removes the mapping from the public name. This restricts the remote access to the deleted data object. The storage area is user by the system for other purposes. Amazon EFS will never serve deleted data. If organization needs to follow the procedures mentioned in DoD 5220.22-M (“National Industrial Security Program Operating Manual “) or NIST 800-88 (“Guidelines for Media Sanitization”), AWS suggests to conduct a specialized wipe procedure before deleting the file system.

Azure:

Microsoft uses procedures and a media wiping solution that is NIST 800-88 compliant. It destroys the hard drives that cannot be erased. Destruction of hard drive renders the recovery of information impossible (e.g., shredding). Records of the destruction are retained

Supported Data Security features

Features	AWS	Azure
Data Classification	Data Classification is supported using Amazon Macie Service (Paid Service). Detection parameters such as RegEx and Keywords cannot be customized.	Supported by Azure Information Protection service.
Data Loss Prevention	Amazon Macie Service supports DLP for AWS Cloud	Azure Information Protection supports DLP for Azure Cloud
Labeling	While tagging a resource, the dependent resources should be tagged manually. Third party tools can tag  automate this process.	While tagging a resource, the dependent resources should be tagged manually.
Encryption	Data stored in AWS can be encrypted by both client side/server side encryptions. In traditional encryption organization will have the control of encryption key. In AWS the key is managed by the cloud provider.	Data stored in AWS can be encrypted by both client side/server side encryptions. In traditional encryption organization will have the control of encryption key. In Azure the key is managed by the cloud provider.
Data Masking	Data masking is not supported by default in AWS. Sensitive data in the test environment should be masked using Third Party masking tools	Data masking is supported only for Azure SQL Database as service.
Secure Disposal	Data deleted from AWS environment cannot be recovered. AWS suggests to conduct a specialized wipe procedure before deleting the file system to be NIST 800-88 compliant.	Data deleted from Azure environment cannot be recovered. Microsoft Azure uses a media wiping solution that is NIST 800-88 compliant.

 

 

 

Read complete blog