There are three basic strategies to accomplish this:
Subsection 5.1.2 of CSA Security Guidance for Critical Areas of Focus in Cloud Computing v4.0 is meant to show how each of these strategies works when moving—and using— data in the cloud. The idea is that you want to define your data governance strategy and understand the trade-offs of these methods, prior to implementation.
Section 11 of the guidance discusses the specific technologies to support each of these strategies. If you choose to encrypt prior to moving data to the cloud, or have an enterprise-wide encryption solution in place, you’ll either want to mirror on premise keys and encryption capabilities for data access in the cloud, blend on-premise with cloud-native services, or bring your existing encryption to the cloud in place of cloud-native services.
If you choose to encrypt at the services layer, for transport (e.g., TLS, VPN) and data storage (e.g., volume, object, database), you can leverage cloud native capabilities or your preferred encryption solution to secure each service that data comes into contact with. Data-centric security tools like masking and tokenization can transform data prior to cloud migration.
While some static masking solutions are non-reversible, if you need to reverse tokens into original data values, you will either need to do so on premise or bring your existing tokenization service to the cloud for de-tokenization requests. But any of these three approaches will provide secure transport and storage of data and can be used to replicate information to multiple cloud service models.
Note: This material is drawn from Thales eSecurity White Paper: “Best Practices for Secure Cloud Migration. Leveraging Cloud Security Alliance Security Guidelines.”