
Cloud computing, big data, and other information technologies are profoundly changing people’s thinking, production, life, and learning methods, deeply penetrating into daily life. With the generation of big data in various industries such as social media, e-commerce, healthcare, intelligent transportation, telecommunications, finance, and smart cities, big data analytics technology and application research have revealed unlimited economic and social value and scientific research significance, sparking a research boom in academia and industry both domestically and internationally. Governments around the world are also paying high attention to this and continuously elevating it to a national strategic level. The security issues exposed by data information in many links are becoming increasingly prominent, becoming a bottleneck restricting the development of big data applications.
Today I want to talk about cloud data security in cloud security, as the development of cloud computing technology has led to escalating security threats faced during the collection, storage, sharing, and use of big data, with data breaches resulting in significant losses of personal privacy information for users.

1. Encryption and Key Management
Encryption is not a new technology, but in the past, encrypted data was stored on servers located within the company, which had direct control over them. Nowadays, many popular business applications are hosted in the cloud, and business executives either need to rely on contractual terms to protect their assets or choose a cloud service provider that allows customers to encrypt data before sending it to the cloud for storage or processing, or collaborate with a Software as a Service (SaaS) provider to manage the encryption and decryption of their enterprise data.
1. Client-Side Encryption
Client-side primarily focuses on data visibility, while the main security issues still lie on the server side, as all data is on the server. The server will verify the data upon receipt and check for replay attacks, etc.; the client’s job is merely to prevent decompilation and encrypt the transmitted data.
Generally, data transmission encryption is implemented, and some companies’ apps do not contain sensitive information, so they only use POST and GET methods. Previously, encryption methods used were DES and RSA; a DES Key was generated, then encrypted with the RSA public key, followed by encrypting the data with the DES Key, and finally transmitting the encrypted data along with the encrypted DES Key to the backend; the backend first decrypts the DES Key with the RSA private key, then uses the decrypted DES Key to decrypt the data.
This is the entire encryption and decryption process, but due to the backend decryption speed not meeting requirements (the backend decryption pressure is too high because RSA decryption is time-consuming, while the client may not feel much), improvements have been made: first, the DES Key is exchanged with the server (the encrypted DES Key is sent to the backend), upon successful exchange, the DES Key is used to encrypt the data sent to the backend. This way, the server can use the transmission gap to decrypt, alleviating server pressure appropriately.
PS: AES and DES encryption are symmetric encryption, while RSA is asymmetric encryption; differences and usage can be looked up in relevant materials~
2. Cloud Server Encryption Methods
Content-aware encryption and format-preserving encryption are common encryption methods in cloud computing:
Content-aware encryption: used in data loss prevention, content-aware software understands data or format and encrypts based on policy settings, such as automatically encrypting a credit card number sent to law enforcement via email; format-preserving encryption: the result produced after encrypting a message still resembles an input message, such as a 16-digit credit card number remaining a 16-digit number after encryption, a phone number still resembling a phone number after encryption, and an English word still resembling an English word after encryption;
Cloud server encryption services are encryption solutions in the cloud. The underlying service uses hardware security modules certified by the national password management bureau, utilizing virtualization technology to help users meet regulatory compliance requirements for data security and protect the privacy of business data in the cloud. With encryption services, users can securely and reliably manage keys and use various encryption algorithms for reliable encryption and decryption operations.
3. Cloud Hardware Security Module Services
Cloud server hardware security modules use virtualization technology to generate multiple virtual security modules (VSMs) on-demand within one hardware security module, each VSM provides key management and cryptographic computation services consistent with ordinary server security modules (supporting SM1/SM2/SM3/SM4 algorithms). At the same time, cloud server hardware security modules use secure isolation technology to ensure the secure isolation of keys between VSMs.
4. Key Management Services
Existing cloud service providers can offer basic encryption key solutions to protect cloud-based application development and services, or they may leave these protective measures to their users. As cloud service providers develop towards supporting robust key management solutions, more work is needed to overcome adoption barriers.
5. Data Encryption (Storage & Transmission)
Encryption technology is used to protect the security of data during storage and transmission (link encryption technology). For technical personnel involved in storage, common encryption solutions and technologies mainly include encryption supported by the storage backend, such as encrypted disks or storage encryption. However, encryption technology can generally be classified based on the data encryption location: application layer encryption (such as backup software, databases), gateway layer encryption (such as encryption servers, encryption switches, etc.), storage system encryption, and encrypted disk technology.
The most compatible is application layer encryption technology (many office software uses this encryption implementation method), as this encryption solution is imperceptible at the storage and network layers. Personally, I believe application layer encryption technology has greater significance and practical value, as it can ensure end-to-end security of data rather than just ensuring that the data is securely encrypted on the storage side or disk.

2. Data Backup and Recovery
1. Data Backup
According to Baidu: Data backup is the foundation of disaster recovery, referring to the process of copying all or part of a data set from the main application host’s hard disk or array to other storage media to prevent data loss due to operational errors or system failures.
With the continuous development of technology and the massive increase in data, many enterprises have begun to adopt network backup. Network backup is generally achieved through specialized data storage management software combined with corresponding hardware and storage devices. Enterprises can also extend mirrored disks to locations away from the production machine using high-speed fiber channel lines and disk control technology, with mirrored disk data completely consistent with the main disk data, and the update method can be synchronous or asynchronous.
2. Data Recovery Drills
When storage media is damaged or data becomes invisible, unreadable, or lost due to human errors or operating system failures, engineers read data that is normally invisible and unreadable through special means.
Hardware failures account for more than half of all unexpected data failures, often caused by circuit failures from lightning strikes, high voltage, high temperatures, etc., mechanical failures from high temperatures, vibrations, collisions, and physical bad sector failures caused by aging of storage media, as well as unexpected loss or damage of firmware BIOS information. Data recovery from hardware failures requires first diagnosing the issue, then addressing it; first fixing the relevant hardware fault, and then repairing other soft faults, eventually leading to successful data recovery.
By the way, data recovery is a highly technical industry, requiring data recovery technicians to possess skills in assembly language and software applications, as well as electronic and mechanical repair and hard disk technology.
3. Backup Encryption
(1) Data Disaster Recovery
Data disaster recovery refers to establishing a remote data system to protect data security and improve data availability; enterprises must consider RAID protection, redundant structures, data backup, fault warning, and other aspects to copy necessary database files to storage devices. Backup is one of the most important considerations in system planning, although they are part of the overall system.
(2) Data Masking
Data masking refers to transforming certain sensitive information through masking rules to achieve reliable protection of sensitive privacy data. In cases involving customer security data or some commercially sensitive data, data transformation is performed on real data for testing purposes without violating system rules, such as personal information like ID numbers, phone numbers, card numbers, customer numbers, etc., all of which need data masking.
(3) Data Deletion
Baidu states that if there are errors or duplicate data in a table, a simple and quick method is to select the data and delete it. Data deletion can be divided into two types: common data deletion methods and pseudocolumn data deletion methods.
Pseudocolumn value deletion data:

Sensitive Data Processing:
Encryption to ensure data privacy, using approved algorithms and longer random keys; encrypt first, then transfer from the enterprise to the cloud provider; encryption should be maintained whether in transmission, static, or in use; cloud providers and their staff should not have access to the decryption key;
Although encryption is a fundamental technology that privacy experts unanimously agree is the cornerstone of security, there are numerous difficulties with cloud encryption. How to construct a manageable, controllable, and trustworthy data security system around the entire lifecycle of cloud big data, deeply integrate big data security with cloud data applications, formulate top-level planning, and ensure the healthy development of the cloud security industry has become a major scientific issue in the field of big data application and security research.
