xode

19 Aug, 2021 / Victoria Gombert Article

Managing Data Security in the Cloud

Software development and data go hand-in-hand. Today it's paramount for software solution providers to ensure data is secure in the cloud.

When developing software solutions hosted through cloud service providers like Amazon Web Services (AWS) or Microsoft Azure, data security should be a priority. Several frameworks and tools provide structure around risk reduction and mitigation processes, giving peace of mind that sensitive enterprise data is secure.

Securing Data in the Cloud

When using any cloud solution, an organisation may have reduced or limited control over its data. The data may be held in a different physical location, potentially with foreign laws governing the physical data storage, and the organisation is trusting a third party with sensitive enterprise data.

This creates a need for enhanced visibility over the data through increased logging, auditing and monitoring of data activities to offset the potential security risk. However, there are also additional considerations and features of cloud services that directly satisfy security concerns. 

Cloud Management ISO Standards

The International Organisation for Standardisation (ISO) standard for Cloud Data Management Interface (CDMI) is intended for application developers who are implementing or using cloud storage. It documents how to access cloud storage and to manage the data stored there.

ISO/IEC 17826:2016 Information technology - Cloud Data Management Interface (CDMI).

This provides an International Standard for how to access data through cloud services, giving cloud providers and organisations guidelines for good practice around data management. It also includes standards for metadata management, retention of data and hold management. These standards are useful for software development companies that are implementing software solutions that leverage cloud services and cloud storage.

User Permissions

An Access Control List (ACL) is a security list that contains a set of entries. Each ACL entry has a set of identified users that are assigned permitted access modes (i.e. read, write, delete, truncate, traverse or append) to ensure unidentified users are not permitted to access or modify any data object or data object container.

This also gives administrators control to easily add and remove users, ensuring that only those who need access to the data at any given time have it.
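A minimal default-deny evaluation of the ACL model described above, as an added example that is not from the original article or the CDMI specification. The `Acl` and `Container` classes, the rule that object access also requires `traverse` on the container, and the user and object names are assumptions constructed for illustration.

```javascript
// Added example: simplified ACL model, not the CDMI wire format.
const MODES = new Set(['read', 'write', 'delete', 'truncate', 'traverse', 'append']);

class Acl {
  constructor() { this.entries = new Map(); } // user -> Set of permitted modes
  grant(user, modes) {
    for (const m of modes) if (!MODES.has(m)) throw new Error(`unknown mode: ${m}`);
    const current = this.entries.get(user) || new Set();
    modes.forEach((m) => current.add(m));
    this.entries.set(user, current);
  }
  revoke(user) { this.entries.delete(user); } // administrator removes the user
  permits(user, mode) {
    const modes = this.entries.get(user);
    return modes !== undefined && modes.has(mode); // no entry means no access
  }
}

// Assumed layout: a container has its own ACL plus one ACL per data object.
class Container {
  constructor() { this.acl = new Acl(); this.objects = new Map(); this.auditLog = []; }
  addObject(name) { const acl = new Acl(); this.objects.set(name, acl); return acl; }
  // Object access needs traverse on the container AND the mode on the object.
  check(user, name, mode) {
    const objectAcl = this.objects.get(name);
    const allowed = objectAcl !== undefined &&
      this.acl.permits(user, 'traverse') && objectAcl.permits(user, mode);
    this.auditLog.push({ user, object: name, mode, allowed }); // every decision is logged
    return allowed;
  }
}

// Constructed sample users and objects.
function aclDemo() {
  const reports = new Container();
  const q3 = reports.addObject('q3.csv');
  reports.acl.grant('alice', ['traverse']);
  q3.grant('alice', ['read', 'append']);
  q3.grant('bob', ['read']); // bob has no traverse on the container
  const results = {
    aliceRead: reports.check('alice', 'q3.csv', 'read'),
    aliceDelete: reports.check('alice', 'q3.csv', 'delete'),
    bobRead: reports.check('bob', 'q3.csv', 'read'),
    unknownRead: reports.check('mallory', 'q3.csv', 'read'),
  };
  q3.revoke('alice');
  results.aliceAfterRevoke = reports.check('alice', 'q3.csv', 'read');
  results.denied = reports.auditLog.filter((e) => !e.allowed).length;
  return results;
}
```

The audit log of denied decisions is the kind of record the logging and monitoring discussed earlier would consume.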

OASIS IDCloud TC

The OASIS IDCloud TC is a set of standards and tools that target security issues in relation to identity provisioning, deployment and management. By performing risk and threat analysis on specific use cases, a set of standards for risk mitigation can be produced. Twenty-nine (29) specific use cases are used for analysis, covering several different areas within cloud computing, such as Application and Identification Security, Identity Provisioning, Identity Auditing, Cloud Signature Services (digital signature tools) and Identity Privacy in a shared cloud environment.

Service Level Agreement

A Service Level Agreement (SLA) is a binding legal agreement that sets out to define the services that will be provided and how they'll be delivered by the cloud provider. This agreement will help identify the needs and expectations of both the user and cloud provider, and should cover some key areas in relation to data policies, privacy and security.

An SLA Data Policy should include some of the following key areas:

Data Location

Addressing any legal issues for data in a different country (it can be unlawful to take data outside of your own national borders), where and how data will be stored, how data is accessible and, if data is moved, how to ensure data quality and consistency.

Data Preservation and Redundancy

Regarding protection, quality and maintenance of data.

Data Seizure

Protection from illegal search and seizure, and protection if the cloud provider can no longer provide services (i.e. goes out of business).

Data Privacy 

Protection and compliance with related laws and regulations to satisfy organisation and consumer privacy.

The SLA should set out to cover an exhaustive list of areas, and all avenues regarding security concerns should be included.

A Disaster Recovery Plan should cover how data and services can be restored in the event of a disaster or related service outage. Essentially, the SLA is a key risk mitigation document designed to protect an organisation and its data from security and privacy risks or concerns.

You can review Amazon Web Services (AWS) Service Level Agreements here, or Microsoft Azure Service Level Agreements here. The New Zealand Privacy Commissioner conducted a full report on the use of Microsoft Cloud Services and New Zealand privacy regulations here, but you should always check against your specific situation and data privacy requirements.

Data Encryption

Any software solution utilising cloud storage should secure data through multiple layers of encryption. Encryption is a process that takes legible data as input (often called plaintext), and transforms it into an output (often called ciphertext) that reveals little or no information about the plaintext. The encryption algorithm used is public, such as the Advanced Encryption Standard (AES), but execution depends on a key, which is kept secret. To decrypt the ciphertext back to its original form, you need to employ the key.

There are various types of encryption. At a minimum, use encryption at rest (on-disk encryption), along with the US-standard Advanced Encryption Standard (AES).
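The key-dependence described above, as an added example that is not from the original article: AES-256 in GCM mode via Node.js's built-in `crypto` module. The mode, the `encrypt`/`decrypt` helpers, the context string and the sample record are assumptions; the article names only AES.

```javascript
const crypto = require('node:crypto');

// Encrypt with AES-256-GCM. The algorithm is public; only `key` is secret.
function encrypt(key, plaintext, context) {
  const nonce = crypto.randomBytes(12); // must never repeat under the same key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(context)); // binds the ciphertext to, e.g., an object name
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null if the key, context or ciphertext is wrong.
function decrypt(key, box, context) {
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, box.nonce);
    decipher.setAAD(Buffer.from(context));
    decipher.setAuthTag(box.tag);
    const plain = Buffer.concat([decipher.update(box.ciphertext), decipher.final()]);
    return plain.toString('utf8');
  } catch (err) {
    return null; // authentication failed: discard any partial output
  }
}

// Constructed sample record and object names.
function encryptionDemo() {
  const key = crypto.randomBytes(32);      // the secret
  const otherKey = crypto.randomBytes(32); // a different, equally valid-looking key
  const record = 'customer=1042;card=constructed-sample';
  const box = encrypt(key, record, 'reports/q3.csv');
  const tampered = { ...box, ciphertext: Buffer.from(box.ciphertext) };
  tampered.ciphertext[0] ^= 0x01; // flip one bit of the stored ciphertext
  return {
    roundTrip: decrypt(key, box, 'reports/q3.csv'),
    wrongKey: decrypt(otherKey, box, 'reports/q3.csv'),
    wrongContext: decrypt(key, box, 'reports/q4.csv'),
    tampered: decrypt(key, tampered, 'reports/q3.csv'),
    leaksPlaintext: box.ciphertext.includes(Buffer.from('customer')),
  };
}
```

Only the matching key and context return the record; the wrong key, a different object name and a single flipped bit are all rejected rather than yielding altered data.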

You can learn more about data encryption here.

 

 


Tags: Data security, Cybersecurity, Data encryption, Cloud services, Data cloud management