Data Security Methods in Cloud Computing

Digital technology has become an important part of organizations due to the global spread of the internet and the increase in the number of smart devices, offering multiple benefits to users. The need for adapting to current requirements, has led to emergence of a new technology, cloud computing, developed for modern people needs, addicted to information and on the run. Information security is one of the main challenges for cloud developers, data loss causing damage in various fields and this is one of the reasons why some organizations do not adopt cloud migration. This paper analyzes the security of cloud computer technology, as well as the issues to ensure the security of the data in the cloud, according to the current technological methods and the specific architecture. The final part of the paper proposes a customized method for data security according to their importance to a particular organization, using current security methods.


Introduction
The evolution of digital technologies together with the global spread of the internet connection has led to a rapid change in the way of designing, elaborating and implementing the different tasks and daily activities, both within the organizations with economic profile and in the government institutions or for home users. Changes due to the convergence of multiple technologies, notably the Internet of Things, artificial intelligence, Big Data, 5G and cloud computing, have led to a digital transformation of adaptive organizations, aligning with the requirements of users who prefer online interaction for obtaining certain services. Digitalization of companies through new storage and processing technologies has eliminated the barriers imposed by geographic space and helped the industry to become more competitive with key processes: production, distribution, sales, communication and marketing in the digital environment [1]. A characteristic of organizations that use technology to optimize activities is the generation of large volumes of data and information. Thus, aside with tangible assets and human resources, information has become an important part of a company, becoming part of intangible assets, because it can be used to provide financial benefits and that is essential for having a competitive advantage in the market [2]. Inside an organization there are many types of important data, like customer contacts, financial transactions, contractual obligations to third parties, but also information belonging to the legal framework in force or regarding the confidentiality of personal data [3]. At the same time, the changing on the way of working in companies, the need for a flexible, reliable and easy to implement infrastructure, the extensible storage space in databases, the centralization of the computing and data processing power, associated with the increase of the number of intelligent devices used by consumers, has led to the need for a new technology that can meet current requirements -cloud computing technology. Most smart devices in the Internet of Things (IoT) field use cloud technology components to store and correlate data obtained through the sensors, perform backups to restore the system or use the cloud infrastructure service to provide technical support. Therefore, cloud computing is a model that should allow  as fast as possible, in a simple way, through the network connection, a wide range of computing resources, storage space, infrastructure with  minimal effort for management and maintenance from users or interaction with service distributors [4]. The advantages that have contributed to increase the users number of cloud technology are represented by the financial factors (by reducing the costs and minimum investments in the acquisition of equipment), the continuous availability of services and data, scalability, flexibility and reliability, rapid implementation and minimal effort for configuration the desired technologies or services [5]. Although there are many advantages of this type of technology, the usage of equipment configured and managed by a cloud service provider to process, transmit and store data may cause concern about maintaining an adequate level of security, so that important information for users is protected. According to a study carried out by CSA -Cloud Security Alliance, the customers main concern of regarding the migration to a public cloud platform is the security of the data along with the leakage risk and the regulatory compliance ( Figure 1) [6]. The main reasons for concern of cloud users [6] Therefore, the security of the information and data processed in the cloud is the main challenge for the developers of this technology. The data management must be performed in such a way that, for any stage of the data at a certain point of time -in transit, stored, processed -the minimum three properties of information security, the CIA triad (confidentiality, integrity, availability) are ensured. Thus, confidentiality can be ensured using encryption, access control and authorization, integrity through the use of mechanisms that prevent data alteration and availability using different methods to facilitate access at any time to the desired resources -load balancer, redundancy equipment. Other features can be pro-vided to increase the level of security, including non-repudiation and authenticity. The main issue of security in cloud computing is given by the existence of numerous and diversified technologies, interconnected through the same infrastructure, including networks, databases, operating systems, virtualization, etc. Within the software, firmware and hardware design and implementation processes, security breach errors can occur, which can be later exploited by opponents. Also, the vulnerabilities of on-premise technologies are applicable in the cloud environment, but the impact generated by a cyber-attack is at a higher level. Cyber-attacks have become complex, causing significant financial damage and their impact affects the image of brands for a long-term period. According to a study released by VMware, in 2018, security incident costs led to losses of $ 600 billion and 46% of them were caused by insiders [7]. The paper gradually addresses the issue of cloud security starting from the  current security methods used in cloud, taking into account two essential aspects -the virtualization mechanism and the service-oriented architecture, followed by  an analysis of the cloud data security according to the three states of digital data, as well as by its life cycle and ending with  the proposal of a method of data security, differentiated and personalized, depending on the impact that the loss of confidentiality, integrity and availability of information may have.

Security Methods Used in Cloud
Depending on the needs of the organizations that want to use the services offered through the cloud technology, there are several implementation models, defined according to the location of the infrastructure and the entity that has control over it. Choosing a cloud deployment model is one of the most important decision, as each model satisfies organizational needs in a different way, involves different associated costs and has different advantages and disadvantages (Table 1). From a data security point of view, it is recommended to use a private cloud, especially by institutions whose information has a higher classification level. Although the public cloud offers benefits in terms of cost and speed of implementation, there is a high risk of compromising stored and processed data, both as a result of cyber-attacks and human or technical errors. The hybrid cloud can be considered as a compromise, between limiting the costs required for implementation and ensuring an adequate level of security, being suitable for organizations that do not carry sensitive data or sensitive information. Cloud technology is based on two essential concepts, service-oriented architecture and virtualization mechanism. To ensure a safe environment, the two components must be properly configured. The main security methods and benefits to security are analyzed below through the two components: service-oriented architecture and virtualization mechanism.

Service oriented architecture
Service-oriented architecture offers various benefits, including agile network services that can be easily orchestrated and adapt to customer needs and requirements. By using this method of service delivery, the security of the processed data within the cloud platforms becomes a shared responsibility, between the users and the providers of cloud services, each having certain tasks to ensure the security. The model of security assurance through task sharing can be summarized as follows: the cloud provider is responsible for 'Security of the cloud' and the customer responsibility is 'Security in the cloud', with some shared responsibilities. [8] The responsibilities of the service provider and the client related to security differ depending on the requested service, IaaS (Infrastructure as a Service), PaaS (Platform as a Service) or SaaS (Software as a Service) ( Figure 2) [9].

Fig. 2. The matrix of shared responsibilities in Cloud [10]
Depending on the level of responsibility, certain tasks and methods for security assurance can be identified (Table 2). An important fact for users who implement appropriate security measures on their level of responsibility is that security management can also vary depending on the cloud service provider chosen. It is important that before signing a contract for the use of cloud services, to check whether the cloud provider has implemented a strategy for ensuring continuity, prevention and recovery in case of disastersbusiness continuity. Usually, security responsibilities are set when the contract is signed between the two contracting parties and are stipulated in a document that contains the agreed terms and expectations of each participant regarding the performance of the service contract -SLA -Service Level Agreement.

The virtualization mechanism
Virtualization offers many advantages, like flexibility through the ease of creating and destroying virtual components, increasing the level of resource utilization, thanks to the possibility of sharing them, simplified management for administration and cost reduction. Cloud technology is based on the virtualization mechanism through which an environ-ment is created and has the physical functionalities of some hardware devices, without having them exist individually (virtual machine -VM). There is also an innovative method of virtualization for running applications, in a simplified software environment (containers), which contains only the elements required for the application: libraries, source code, execution process. The main difference from virtual machines is the virtualization of the operating system, compared to the virtualization of the hardware. 2.2.1 Virtual machines. In order to ensure the security of the data processed in the machines created through the virtualization mechanism, certain solutions are needed to monitor the security events so any vulnerabilities or cyberattacks can be detected. A singular event detected by an ordinary security system may not create suspicion of a possible attack vector. There is a need for a system that correlates data from multiple virtual machines and provides information on possible distributed attacks. Table 3 identifies the minimum characteristics that a system for virtual machine monitoring must meet [11]. In order that the events generated by the individual security systems to be used effectively, it is proposed that the requirements described above should be added to the possibility of correlating and aggregating events, the rate of attack detection being improved.

2.2.2
Containers provide stability to the operating system and ease in orchestration, through the dedicated platforms, such as Kubernetes and Docker. Container security is based on the principle of process isolation at the top level of the kernel and the correct configuration of the network. Most applications run on the root account, thus creating a vulnerability for running malicious applications and increasing the risk of losing data and processed information. Another vulnerability of the containers is the improperly configured images that can hide different security breaches, such as the existence of unnecessary remote connection services, malicious files and few restrictions for authenticating and authorizing actions. Figure 3 shows the architecture of virtual machines (3.a) and containers (3.b).

Fig. 3. Architecture of virtual machines and containers [12]
Cloud technology uses both virtualization methods, containers and classic virtualization, presenting financial benefits, flexibility and minimal use of physical resources. The main features of these two types of virtualization (Table 4) can provide a stable and secure environment, if the requirements of the security strategies are properly respected and configured. Currently, virtual machines offer a higher level of security compared to container virtualization [13].

Table 4. Main characteristics of virtual machines and containers Virtual machines
Containers  provides security tools through the operating system used  lower performance  longer start-up time  fast duplicate, scalar  ideal for production  hardware level virtualization  reduced management resources  ideal for testing and development  small image size  reduced and simplified security updates  high processing speed  virtualization at the operating system level  efficient use of resources  high scalability and elasticity The current strategies for information protection are based on certain principles of implementation of security methods, taking into account the vulnerabilities of the hardware and software components of a computer system: in-depth defense, the principle of minimum privilege, task separation, minimalist design, fail-safe [14].

Ensuring the Data Security in Cloud
The strategies and methods of securitization offer a high level of security, if they are used according to the procedures and implemented correctly. Cloud data security control can be done by the following methods:  control of data that is uploaded from the 3.a 3.b cloud;  data protection and data management in the cloud through masking methods, access control, architecture configuration, security events monitoring;  information management throughout the data life cycle, ensuring the auditing process, managing the physical location of data centers and implementing strategies to ensure the availability and recovery of data in case of disasters.
Also, to ensure the security of data in the cloud must take into account several aspects, such as:  data state and data life cycle. The state of the data at a given time (in use, transit or at rest) implies the use of different security methods, as follows: a) Data at rest (stored in certain memory areas). The data in this state is stored in the cloud on different physical media devices (hard disks and tapes) or virtualized, in a structured or unstructured way: databases, file servers, network storage units (NAS) -Network Attached Storage (SAN), e-mail servers, restore images. Depending on the contracted service in the cloud, media storage can be provided adequate to the amount of data for the needs of organizations, with scaling possibilities. There are several masking methods to secure data at rest, like: encryption, tokenization, etc. [15] a.1) Data encryption -this method of data masking offers a very high level of data security if advanced encryption techniques are used (fully homomorphic encryption (FHE), attribute-based encryption (ABE), attributebased encryption are used Hierarchical (HABE)), strong encryption rates and ensure the proper management of the keys. Data encryption can be done in several ways depending on the file format and the needs of your organization:  encryption of files and directories -it is based on a security policy that sets what data needs to be encrypted and who has access to it;  full encryption of the virtualized disk -the virtualized disk is fully encrypted ensuring the confidentiality of the data (if the encryption keys are properly managed);  virtual machine encryption -encryption of the configuration files and disk belonging to the virtual machines (but the problem of encryption key management remains);  encryption of specific units: databases, email.
[16] a.2) Data tokenization -unlike encryption, the tokenization does not use a mathematical algorithm, but replaces the data with random values, and the original data and the token are stored in secure databases for later retrieval. Securing the data through tokenization has the advantage that, if the token is compromised, the real data is secure, only the substituted value is affected. [17] b) Data in transit (in the process of transmission through the communication channel). There are two situations when the data is in motion:  in transit through the communication channel that connects the client with the data center;  in transit inside the data center. c) Data in use (data is present in volatile memory, RAM -Random Access Memory, CPU -registers or cache). The data in use can be protected using total hard disk encryption or by using enclaves [18]. Another important aspect of data security that must be taken into considered is the life cycle of the data. The need for security is valid for every stage of the data life cycle, each with certain risks, and the omission of a stage can lead to substantial losses for organizations [19].
Depending on the stage at which the data is at a given time, there are specific requirements for security (table 5) [20]. The security strategies and methods analyzed and presented, offer a high level of security, if they are used according to the procedures and implemented correctly. Despite the fact that these methods can provide data security, numerous cyber security incidents occur every second, ransomware for financial blackmail, rootkeys for taking control, keylogger for clear information, phishing for ex-filtering of credentials, this being just a few examples of malicious applications. Mainly, cyber-attacks occur because the security devices are not properly configured, the operating systems do not have the security patches up to date, the users use weak authentication passwords, the attackers exploit the 0-day vulnerabilities, and the data encryption is used, on a large scale, just for communication channel encryption. Apart from these external causes, insiders can cause major damage, if the security policies applicable to the systems to which these users have access are not well established: to respect the principle of need to know, to have access only in certain physical areas, etc. In order to support the increase of the level of data and information security, in the last part of this study, is proposed an alternative method of automatically assigning an appropriate security mechanism, depending on the importance of the respective data for the organization.

Securing Data Using CIA Properties
The proposed method is based on the principle of choosing a data security method depending on the importance of data for an organization. An algorithm can be developed to detect the real impact of losing properties of the information (confidentiality, integrity and availability), which can be integrated into a complex system of personalized information security. This system can be used to choose the right methods of securing resources and ensuring the adequate level of protection. The algorithm can use file metadata, employee databases, keywords commonly used in different file types, classification levels present in some cases in the header and footer of documents etc. However, certain information is part of different classification categories, depending on the organization which uses them. In this case, an automatic adaptability of the algorithm is needed, which can be acquired over time through the dynamic learning process. In order to test the functionality of this method, values assigned to the mission information from NIST standard 800-60 were used, according to table 6, which shows the potential impact caused by loss of each attribute. The potential impact caused by the loss of confidentiality, integrity or availability can be LOW, MODERATE or HIGH according to FIPS 199 standard. The steps required for the automatic choice of the mechanism are shown in Figure 4. To test the proposed method, two sets of data were created, each of them with 500 elements. The first data set has assigned CIA properties randomly, using a generator of pseudo-random numbers created in Python, to simulate data processing in the same way, without taking into account the higher importance of some data. The second set of data was created based on the attributes of the NIST standard 800-60, exemplified in data are treated differently. For a mathematical analysis, the three levels of impact (low, moderate, high) received random numeric values per level, from the following intervals: LOW in the range [1,3], MODERATE in the range [4.7], HIGH in the range [8.10]The two data sets have the number of the element in the first column, followed by the impact of confidentiality, integrity and availability, as presented below.

Dataset1 -Random impact
Dataset2 -Impact according to NIST 800-60 The proposed method is based on the calculation of a value, called Security Priority -Pr, using two variables: R and Cr. R -the risk of losing the CIA attributes; For the calculation of the risk, are used the values of the potential impact of loss one of the CIA attribute and the probability to occur: P -the probability that a event to occur I -the potential impact of the event The probability of event occurrence was randomly generated and used for both datasets. A probability generation method, according to hardware and software equipment used for data protection, can be developed and adapted according to each individual organization. In the proposed method, because the values of the probabilities were used uniformly, we consider that they did not influence the results in the wrong way. Cr -criticality of information (the importance of information for the organization that uses it  From the comparative analysis, it can be observed that, for the data set number 1 whose impact was assigned randomly, the values of the variable Pr1 are higher than the values of Pr2. Thus, if we did not use a custom security method, for a larger number of data, we should use more complex equipment and methods, without having to, because not all data have the same level of importance for a company. Generating, automatically and correctly, CIA properties for all data processed in the cloud could provide a first step in the different choice of security methods, reducing costs, simplifying current security steps, while obtaining a security level higher than present one.

Conclusions
Data and information security is one of the main challenges in all areas of technology reference and the cloud computing environment is no exception to this rule. The variety of technologies used in data centers and cloud architecture and the increasing number of cyberattacks make this requirement difficult to meet. Although there are numerous methods of data security, cyber security incidents and data loss frequently occur, so innovative and automated methods are needed to minimize the loss and occurrence of security breaches. The proposed security method can be improved and integrated into mechanisms that use machine learning algorithms, in order to develop a customizable mechanism for each organization, through the dynamic learning process, adapting to the type and the real needs of data security.