Data Encryption


CLOUD AND WEB SECURITY COURSEWORK

CLOUD DATA SECURITY – Group 2


Group 2
1. Ronald Sserugo VU-MCB-2407-0066-EVE
2. Andrew Katabarwa
3. Rodney Ndiwalana VU-MCB-2403-0679-EVE
4. Bazira Wilberforce

DATA ENCRYPTION IN THE CLOUD


Data encryption in the cloud refers to the process of converting data into
a coded format to protect it from unauthorized access while it is stored or
transmitted within cloud environments. Encryption is a fundamental security
measure that ensures data confidentiality and integrity by transforming
readable data (plaintext) into an unreadable format (ciphertext) using
cryptographic algorithms and encryption keys, so that even if data is
intercepted or accessed without permission, it remains unintelligible
without the correct decryption key.

Key Concepts of Data Encryption in the Cloud

1. Encryption at Rest

This refers to encrypting data stored on physical media, such as
databases, file systems, or storage devices. It protects data from
unauthorized access when the data is stored and not actively used.
Solutions include full disk encryption, cloud asset encryption, and file
system encryption. These solutions typically involve key generation and
industry-standard algorithms such as the Advanced Encryption
Standard (AES).

Use Case:

Google Cloud Platform (GCP) - Encryption by Default:


Implementation: Google Cloud encrypts all data at rest by default using
AES-256 encryption.

The following diagram shows how data is uploaded to the Google
infrastructure and then broken into encrypted chunks for storage.

2. Encryption in Transit

This involves encrypting data as it moves from one location to
another, such as data transfers between cloud services, from a
user’s device to the cloud, or between data centers. This prevents
interception and tampering during transmission.

3. Encryption Key Management

Effective encryption relies on secure key management practices,
which include generating, distributing, storing, and rotating
encryption keys. Poor key management can render encryption
ineffective.

4. Client-Side vs. Server-Side Encryption


o Client-Side Encryption: Data is encrypted by the client before
it is sent to the cloud. Only the client retains the decryption key,
making it inaccessible to the cloud provider.
o Server-Side Encryption: The cloud provider encrypts the data
after it has been uploaded to the cloud. The provider manages
the encryption keys, but some services allow customers to
manage their own keys.
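
Client-side encryption and key rotation (items 3 and 4 above), as an added example that is not part of the original coursework. It goes beyond the text by using envelope encryption, where a per-object data key is wrapped by a key the client keeps; it assumes the third-party `cryptography` package, and all function names are hypothetical.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the size AES-GCM is designed around


def _seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """AES-256-GCM encrypt; a fresh random nonce is prepended to the output."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def _open(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Reverse of _seal; raises InvalidTag on a wrong key or modified data."""
    return AESGCM(key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], aad)


def encrypt_for_upload(kek: bytes, object_name: bytes, data: bytes) -> dict:
    """Client side: encrypt under a one-off data key, then wrap that key with the KEK.

    The object name is bound as associated data, so a ciphertext stored
    under a different name fails authentication.
    """
    dek = AESGCM.generate_key(bit_length=256)
    return {
        "name": object_name,
        "wrapped_dek": _seal(kek, dek, object_name),
        "ciphertext": _seal(dek, data, object_name),
    }


def decrypt_after_download(kek: bytes, record: dict) -> bytes:
    dek = _open(kek, record["wrapped_dek"], record["name"])
    return _open(dek, record["ciphertext"], record["name"])


def rotate_kek(old_kek: bytes, new_kek: bytes, record: dict) -> dict:
    """Rotation: re-wrap only the small data key; the bulk ciphertext is untouched."""
    dek = _open(old_kek, record["wrapped_dek"], record["name"])
    return {**record, "wrapped_dek": _seal(new_kek, dek, record["name"])}


def demo() -> bool:
    kek_v1 = AESGCM.generate_key(bit_length=256)   # stays with the client
    kek_v2 = AESGCM.generate_key(bit_length=256)
    stored = encrypt_for_upload(kek_v1, b"payroll.csv", b"constructed sample row")
    rotated = rotate_kek(kek_v1, kek_v2, stored)   # what the cloud now holds
    try:
        decrypt_after_download(kek_v1, rotated)    # retired key must fail
        return False
    except InvalidTag:
        return decrypt_after_download(kek_v2, rotated) == b"constructed sample row"
```

The stored record contains no key material the provider can use on its own; losing the client-held key makes the data unrecoverable, which is why key storage and rotation need the same care as the encryption itself.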

Data encryption in the cloud is essential for protecting sensitive
information against unauthorized access, breaches, and compliance
violations. As cloud adoption continues to grow globally, cloud service
providers offer advanced encryption options and robust key management
tools to help organizations safeguard their data. These live examples
demonstrate how companies across various industries leverage cloud
encryption to maintain data privacy and security while complying with
international data protection laws.

DATA CLASSIFICATION AND HANDLING


Data classification is the process of categorizing data based on its level of
sensitivity and the impact that could result from unauthorized access or
disclosure. This helps organizations determine the appropriate levels of security
and privacy controls for different types of data.
It’s used in organizations to build security systems that follow strict compliance
guidelines.

The most important use of data classification is to understand the sensitivity of
stored information to build the right cybersecurity tools, access controls, and
monitoring around it.

By classifying data, organizations can determine two key things:

• Who should be authorized to access it.

• What protection policies to apply when storing and transferring it.

Classification can also help determine applicable regulatory standards to protect
the data.

Types of Data Classification

Any stored data can be classified into categories. To classify your data, you must
ask several questions as you discover and review it. Use the following sample
questions as you review each section of your data:

• What information do you store for customers, employees, and vendors?

• What types of data does the organization create when generating a new record?

• How sensitive is the data using a numeric scale (e.g., 1-10, with 1 being the most
sensitive)?

• Who must access this data to continue productive operations?

Using these questions, you can loosely define categories for your data,
including:

• High sensitivity: This data must be secured and monitored to protect it from
threat actors. It often falls under compliance regulations as information that
requires strict access controls that also minimize the number of users who can
access the data.

• Medium sensitivity: Files and data that cannot be disclosed to the public, but
whose breach would not pose a significant risk, can be considered medium risk.
This data requires access controls like high-sensitivity data, but a wider range
of users can access it.

• Low sensitivity: This data is typically public information that doesn’t require
much security to protect it from a data breach.

Data Classification Levels


As you consider these levels, you can better classify your data. Data
classification typically is broken down into four categories:

Public Data
This data is available to the public either locally or over the internet. Public data
requires little security because its disclosure would not violate compliance.

Internal-Only Data
Memos, intellectual property, and email messages are a few examples of data
that should be restricted to internal employees.

Confidential Data
The difference between internal-only data and confidential data is that
confidential data requires clearance to access it. You can assign clearance to
specific employees or authorized third-party vendors.

Restricted Data
Restricted data usually refers to government information that only authorized
individuals can access. Disclosure of restricted data may result in irreparable
damage to corporate revenue and reputation.

DATA LOSS PREVENTION

Data loss prevention (DLP) is a set of tools and processes used to
ensure that sensitive data is not lost, misused, or accessed by
unauthorized users.

Data Loss Prevention (DLP) is a set of strategies, procedures, and tools
that help prevent the access or misuse of sensitive information like credit
card information by unauthorized users.

Data loss prevention (DLP) helps organizations stop data leaks and losses
by tracking data throughout the network and enforcing security policies
on that data. Security teams try to ensure that only the right people can
access the right data for the right reasons.

Common Causes of Data Loss


The potential causes of data loss are innumerable, but tend to fall
into these four categories:

• Human Error

Accidental deletion of files, misplaced or stolen devices, communications
to unintended recipients, and inadvertent transfer of data in violation of
company policy.

• Cyberattacks

Spyware, malware, and ransomware all pose a constant threat to the
integrity of data and systems. Social engineering attacks such as phishing
scams can lead to significant data loss.

• Insider Threats

Malicious or negligent employees and contractors with privileged access to
sensitive systems can, unintentionally or intentionally, leak confidential
data.

• System Failure

Hardware malfunctions, buggy software, outages, and other damaging
events can disrupt systems and result in inadvertent exposure of data.

Understanding Data Loss Prevention Solutions


To get the most out of DLP, it’s vital to know about the different
kinds of DLP solutions available, how they work to safeguard data,
and the advantages they confer.

Types of DLP Solutions


Here are the most common types of DLP solutions:

• Network DLP: These systems monitor corporate network traffic,
inspecting packets sent and received, for sensitive data.
• Endpoint DLP: Systems and applications that protect individual devices,
including mobile phones, laptops, and desktops from data loss.
• Cloud DLP: Enforces data access policies, detects anomalies, and ensures
regulatory compliance of data stored in cloud environments.
• Email DLP: Content monitoring and filtering systems to prevent
accidental or intentional leakage of sensitive data sent via email.

Key Features of DLP Solutions

Here are the key features of DLP solutions:

• Data Discovery and Classification

DLP solutions feature configuration options to identify particular types of
data, such as PII, financial information, or intellectual property.

• Policy Enforcement

DLP administrators define rules that determine the access restrictions on
data and what actions to take if restricted data is identified.

• Real-Time Monitoring and Alerts

Continuous monitoring of systems and data activity generates alerts for
staff to further investigate suspicious behavior.

• Data Encryption

DLP solutions are capable of enforcing data encryption rules for data at
rest or in transit, proactively encrypting or removing data that violates
policy.

• Incident Response

DLP typically provides tools and procedures to aid in security incident
investigations and responses, enabling security teams to swiftly respond
to breaches and minimize damage.

Benefits of Implementing DLP Solutions

Here are the benefits of implementing DLP solutions:

• Reduced Risk of Data Breaches

DLP solutions reduce the likelihood of costly and damaging data breaches
by identifying and preventing data leakage before it happens.

• Improved Compliance with Regulations

Organizations that must meet regulatory requirements such as SOX, GDPR
or HIPAA can use DLP solutions to stay in compliance, reducing the risk of
violations.

• Enhanced Data Security

DLP is a key component of a strong data security strategy, enabling
organizations to detect and prevent unauthorized data access, exfiltration
or misuse.

• Improved Visibility into Data Access and Usage

DLP reporting capabilities give organizations enhanced visibility into data
access and usage, improving the identification of vulnerabilities.

• Cost Savings from Preventing Incidents

DLP solutions are used to reduce the potential for data breaches,
regulatory fines, and reputational damage, all of which pose massive risk
to business operations.

In summary, DLP is a security technology useful in a variety of contexts,
and offers organizations the ability to protect critical data assets from
both internal and external threats.

Conventional DLP: Why is it No Longer Enough?


Traditional data loss prevention tools were originally designed with
signature-based data detection capabilities in mind, relying on the
use of predefined patterns to identify sensitive data.
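
What a predefined-pattern rule looks like in practice, as an added example that is not part of the original coursework: a signature for payment card numbers (the sensitive data type named earlier), with a Luhn checksum to cut false positives and masking so the finding itself does not leak the value. The function names, the BLOCK/ALLOW policy and the sample messages are constructed for illustration.

```python
import re

# Signature: 13-19 digits, optionally separated by single spaces or hyphens.
CARD_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> list[dict]:
    """Return one finding per candidate that also passes the checksum."""
    findings = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append({
                "offset": m.start(),
                # Keep only the last four digits; never log the full value.
                "masked": "*" * (len(digits) - 4) + digits[-4:],
            })
    return findings


def enforce(message: str) -> str:
    """Policy step: block outbound content that contains a finding."""
    return "BLOCK" if scan(message) else "ALLOW"


# Constructed sample messages; 4111 1111 1111 1111 is a widely used test number.
SAMPLES = [
    "Invoice ref 1234567890123456 attached",         # 16 digits, fails Luhn
    "Customer card: 4111 1111 1111 1111 exp 01/30",  # passes Luhn
    "Meeting moved to 14:00, room 3",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(enforce(s), "|", s)
```

The rule only recognizes the formats its author anticipated, which is the limitation the rest of this section describes.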

Unfortunately, attackers aren’t sitting still – they’re constantly developing
new strategies and techniques to evade signature-based detection
solutions. Leveraging generative AI, malicious actors now have a much
broader range of options available to develop new malware and novel
phishing attacks to infiltrate and disrupt business operations. Traditional
DLP therefore becomes less effective against evolving threats by the day.

In addition, employees are now making common use of publicly available
Generative AI applications (like ChatGPT and variants) for their everyday
work. If unmanaged, this can be another source of inadvertent data loss,
leakage, or breaches of company policies.
