Unit 2

1. Hybrid Cloud Strategy::

Challenges in Hybrid Cloud Encryption Key Management

1. Complexity: Keys stored across on-premises and cloud platforms can be hard to sync
and standardize.

2. Security Risks: Inconsistent policies and unsecured data transfers increase

vulnerabilities.

3. Compliance Issues: Meeting data residency and audit requirements is challenging.

4. Operational Overhead: Scaling, rotating, and managing keys across environments

requires effort.

Responsibilities in a Hybrid Cloud Model:

1. Infrastructure as a Service (IaaS):

- Provider: Secures physical hardware, network, virtualization, and infrastructure.

- Customer: Manages operating systems, applications, data, and access controls on

virtual machines.

2. Platform as a Service (PaaS):

- Provider: Secures infrastructure, operating systems, and runtime environment.

- Customer: Manages applications, data, and access controls.

3. Software as a Service (SaaS):

- Provider: Secures the entire infrastructure, including applications.

- Customer: Manages user access, data within the application, and specific
configurations.
Strategies to Address Challenges

1. Centralized KMS: Use a unified system for managing keys in both environments.

2. Standardization: Adopt uniform policies and protocols like KMIP.

3. Encryption Practices: Use end-to-end encryption and separate keys for different data
types.

4. Automated Key Management: Automate key rotation and lifecycle processes.

5. Enhanced Security: Apply strong access controls, MFA, and monitoring.

6. Compliance Tools: Use automated tools for reporting and auditing.

2. Data Tokenization::

Concept of Data Tokenization

1. Tokenization Process:

- Replace sensitive data with unique tokens that have no value outside the
tokenization system.

- Store the link between sensitive data and tokens in a secure vault.

- Keep sensitive data in the vault, using tokens in systems instead.

2. Token Retrieval:

- Retrieve original data by sending the token to the vault through authorized requests.

Benefits of Data Tokenization

1. Protection of Sensitive Data:

- Minimizes exposure by using tokens instead of actual data.

- Supports compliance with regulations like PCI-DSS and GDPR.

2. Maintaining Usability:

- Tokens function in systems without affecting operations.

- Enables secure processes like billing with tokenized data.

3. Security Enhancements:

- Limits breach impact as only tokens are exposed.

- Simplifies data protection and management.

4. Encryption Complement:

- Adds an extra layer of security alongside encryption for data at rest and in transit.
Considerations for Implementing Data Tokenization

1. Token Vault Security:

- Use strong encryption, access controls, and monitoring.

2. Token Management:

- Develop policies for token creation, usage, and de-tokenization.

3. Integration with Systems:

- Ensure smooth operation with existing applications.

Conclusion

Tokenization protects sensitive data while maintaining usability, enhancing both security
and compliance.
3. Encryption::

Why Encryption is Important?

Data Confidentiality: Protects sensitive data from unauthorized access by making it

unreadable without a decryption key.

Regulatory Compliance: Ensures compliance with laws like GDPR and PCI-DSS to avoid
penalties.

Mitigates Data Breach Impact: Stolen encrypted data remains secure without the
decryption key.

Maintains Customer Trust: By demonstrating strong data security practices, which

enhances customer confidence.

Key Stages for Applying Encryption

1. Data at Rest:

- What It Is: Data stored on disks, in databases, or in cloud storage.

- How to Implement: Encrypt data before storing it using strong algorithms like AES-
256.

2. Data in Transit:

- What It Is: Data being transmitted between systems or users.

- How to Implement: Use secure protocols like TLS or HTTPS to protect data during
transmission from interception or tampering.

3. Data in Use:

- What It Is: Data being processed or accessed by applications.

- How to Implement: Use techniques like homomorphic encryption or secure multi-

party computation (SMPC) to protect data while it is actively being used.
4. Key Management:

- What It Is: The secure handling of encryption keys.

- How to Implement: Using hardware security modules (HSMs) or cloud key

management services to ensure proper generation, storage, rotation, and disposal of
keys

5. Backup and Archive Data:

- What It Is: Data stored for backup or archival purposes.

- How to Implement: Encrypt backup and archived data to protect it, even if backup
systems are compromised.

Types of Encryption:

1. Symmetric Encryption

2. Asymmetric Encryption
4. Data Classification