Dangers of data sprawl increase during the remote work revolution

“Identify a data security champion and start adding stringent access control policies in your organization to bring back control.”

In my experience working with Global 2000 enterprise companies, particularly those with active software development projects, I have noticed a troubling trend, writes Jason Truppi, co-founder of cybersecurity services firm ShiftState Security.

Whether the development project is outsourced or completely in-house, misuse of sensitive private data is overwhelmingly common, and security requirements are routinely waived in favour of the needs of the business.

As a security professional who has worked hundreds of breaches, I know what inevitably happens to that data. The unfortunate truth is that it eventually gets leaked, exposed, stolen, and misused through misconfiguration, mishandling, or direct exploitation. Last year the average cost of a data breach was approximately $4 million, and there were plenty of breaches that could have been mitigated or even prevented with proper data access control.

This isn't an overzealous hypothetical; it happens all the time. Facebook announced that around 100 developer partners had direct access to private, sensitive user data. Likewise, Twitter had a situation in which usernames and passwords were stored in plain text in an internal log because of a logging bug. These sorts of breaches aren't just issues for social media sites, though. Capital One, the Red Cross, Booz Allen, and countless others have fallen victim to similar issues. There are seemingly limitless examples of data stored by third parties and/or on cloud storage platforms that is eventually breached.

As software eats the world, more and more companies are investing in outsourced development and cloud data storage (data warehouses and lakes) for quicker development cycles and broader business access. Both scenarios create a perfect storm that significantly increases risk to the business, and as the business's need to access the data expands, scrutiny of and control over that data shrink. Here are a few observations I have made that open companies to additional data risk:

Production data used for development and testing: software development inherently requires some production data during building and testing. To meet development milestones and quality benchmarks, development teams frequently pull sensitive data from internal corporate resources. Unfortunately, developers have notoriously lax security controls on their work devices. If you talk to your dev teams, they will argue that adding multiple endpoint security and systems management tools interferes with their applications' communications or slows down their machines. In turn, many of the developers on whose machines that private data rests remove their security and operational controls, lobby for their removal, or circumvent corporate policies entirely. While I understand their reasons for pushing back on security controls, this means the industry as a whole leaves itself unnecessarily vulnerable in an effort to protect productivity.

Because most companies make these tradeoffs, they end up in the precarious position of sharing and storing sensitive data on a number of developer machines (connected not only to the corporate network but also to partner networks and other third parties) without proper security controls or governance.

Increased access to cloud data storage: the move to cloud storage is nothing new, but what is alarming is how much data is being stored in data warehouses and data lakes, and how many more people in an organization have access to that data than ever before. Adding more people and more data to a centralized repository increases the risk that the data will not be governed properly. The question I usually ask companies is: who is in charge of data security? The answers I receive usually amount to finger-pointing between the development, security, and compliance teams. What you will find is that there is no real champion with the right combination of cross-domain knowledge, security experience, and enforcement power to secure that data.

Data exposed to newly remote workers in response to COVID-19: essential business functions need to continue during this pandemic, but that means employees will be accessing more data through untrusted devices than ever before. Companies have scrambled to buy new software and hardware to support the rapid shift to remote work, but many were not prepared and were forced to allow employees to access corporate resources from their personal devices. This leads to unnecessary exposure of data onto devices that sit outside the security boundary of the company.

What If There Was A Way To Mitigate These Risks?

Of course there are mitigations for these problems. Which one applies depends on what problem you are trying to solve.

Data synthesis: there is no way around the fact that developers need realistic data during their development phases, but time and again the practice of handing them production data has proven dangerous, exposing the organization to unnecessary risk. This is where data synthesis comes in. Real production data can be transformed into synthetic data that preserves the schema, formats, and statistical properties developers rely on while containing none of the real records. Because no real individual's data survives the transformation, the synthetic set can be shared with any part of the organization, or with third parties, without the exposure or data-regulation concerns that come with production copies. One caveat: the transformation has to be verified, not assumed; a "synthetic" set produced by lightly masking real rows still carries the original values. Done properly, this is a great way to mitigate data sprawl for development projects on critical data sets.
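
To make the transformation concrete, here is an added example (mine, not code from the article or from ShiftState Security) of one way to synthesize a dev/test dataset in Python. Its tables, key and helper names are all assumptions: it replaces direct identifiers with format-preserving fake values, maps join keys through a keyed HMAC so that transactions still join to customers, resamples numeric columns from the real column's mean and spread, and ends with the check a practitioner would insist on before the set leaves the boundary, namely that no real identifier survived.

```python
"""Build a synthetic dev/test dataset from production-shaped records.

Direct identifiers get format-preserving fake values, join keys are mapped
through a keyed HMAC so referential integrity survives, and numeric columns
are resampled from the real column's mean and spread so aggregates stay
realistic.  Hypothetical helper; every row below is constructed.
"""
import hashlib
import hmac
import random
import re
import statistics

# Constructed "production" tables (not real people).
PRODUCTION_CUSTOMERS = [
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "ssn": "123-45-6789", "balance": 1520.75},
    {"customer_id": 1002, "name": "Bob Sample", "email": "bob@example.org",
     "ssn": "987-65-4321", "balance": 89.10},
    {"customer_id": 1003, "name": "Carol Test", "email": "carol@example.net",
     "ssn": "555-12-3456", "balance": 430.00},
]
PRODUCTION_TRANSACTIONS = [
    {"txn_id": 1, "customer_id": 1001, "amount": 25.00},
    {"txn_id": 2, "customer_id": 1001, "amount": 40.50},
    {"txn_id": 3, "customer_id": 1003, "amount": 12.99},
]
DIRECT_IDENTIFIERS = ("name", "email", "ssn")
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def pseudonymize_id(key: bytes, value) -> int:
    """Deterministic keyed mapping: the same real id yields the same fake id in
    every table, but without the key the mapping cannot be recomputed."""
    digest = hmac.new(key, str(value).encode(), hashlib.sha256).digest()
    return 100000 + int.from_bytes(digest[:4], "big") % 900000


def fake_ssn(rng: random.Random) -> str:
    # Area numbers 900-999 are never assigned by the SSA, so these values keep
    # the real format but can never collide with a genuine SSN.
    return f"{rng.randint(900, 999)}-{rng.randint(10, 99):02d}-{rng.randint(1000, 9999):04d}"


def resample(rng: random.Random, values) -> float:
    """Draw a non-negative value matching the column's mean and spread."""
    mu, sigma = statistics.mean(values), statistics.pstdev(values)
    return round(max(0.0, rng.gauss(mu, sigma)), 2)


def synthesize(customers, transactions, key: bytes, seed: int = 0):
    rng = random.Random(seed)  # seeded so a dev/test set is reproducible
    balances = [c["balance"] for c in customers]
    amounts = [t["amount"] for t in transactions]
    synth_customers = []
    for c in customers:
        fid = pseudonymize_id(key, c["customer_id"])
        synth_customers.append({
            "customer_id": fid,
            "name": f"Customer {fid}",
            "email": f"user{fid}@synthetic.invalid",  # .invalid is reserved, never routable
            "ssn": fake_ssn(rng),
            "balance": resample(rng, balances),
        })
    synth_transactions = [{
        "txn_id": t["txn_id"],
        "customer_id": pseudonymize_id(key, t["customer_id"]),
        "amount": resample(rng, amounts),
    } for t in transactions]
    return synth_customers, synth_transactions


def real_values_leaked(prod_rows, synth_rows, fields=DIRECT_IDENTIFIERS) -> bool:
    """The check that must run before a synthetic set leaves the boundary:
    does any real identifier survive in the synthetic rows?"""
    real = {r[f] for r in prod_rows for f in fields}
    return any(r[f] in real for r in synth_rows for f in fields)


def joins_preserved(prod_c, prod_t, synth_c, synth_t) -> bool:
    """Every synthetic transaction still points at a synthetic customer, and
    the transactions-per-customer shape matches production."""
    def shape(customers, txns):
        per = {c["customer_id"]: 0 for c in customers}
        for t in txns:
            if t["customer_id"] not in per:
                return None
            per[t["customer_id"]] += 1
        return sorted(per.values())
    s_prod, s_syn = shape(prod_c, prod_t), shape(synth_c, synth_t)
    return s_prod is not None and s_prod == s_syn
```

Run as-is it works on the constructed rows, and the same approach applies to any table with a declared list of identifier columns. What it does not do is preserve correlations between columns or protect against re-identification from rare combinations, which is why the leak check is a floor rather than a guarantee, and why the HMAC key must stay on the production side.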

Data security as a service: there are data access brokers and data-security-as-a-service tools that focus on securing the data flow and access. They can work in cloud environments and/or protect on-prem and legacy applications, depending on your configuration. These tools can give you very granular access to and control over your data, down to specific hosts, users, queries, data fields, and data types. They are everything we ever wanted from our databases and never received from database engineers or IT teams. Be sure to baseline your configuration before implementing any particular solution, recording who can reach which data, from where, and how often, so that you have quality metrics to show your boss or compliance team after implementation.
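
To show what "down to the specific hosts, users, queries and data fields" means in practice, here is an added example (mine, not a vendor's product and not code from the article) of a tiny query-level access broker in Python in front of SQLite. The roles, networks, policy and rows are all constructed. It accepts only one simple SELECT grammar and denies everything else, which is what a broker should do by default; it checks the source host, the table, every column in the select list and in the WHERE clause, rewrites masked columns, and records an audit entry for each decision.

```python
"""A minimal query-level data access broker sitting in front of SQLite.

Each request carries (user, source host, SQL).  The broker checks the host
against the user's role networks, accepts only a simple SELECT grammar (deny
by default), rejects columns outside the role's allow-list both in the select
list and in WHERE (a predicate on a hidden column leaks it), rewrites masked
columns, and keeps an audit trail.  Hypothetical broker; rows are constructed.
"""
import ipaddress
import re
import sqlite3

TABLE_COLUMNS = {"customers": {"customer_id", "name", "email", "ssn", "balance"}}
ROLES = {"alice": "analyst", "bob": "support"}
POLICY = {
    "analyst": {
        "networks": ["10.0.1.0/24"],
        "tables": {"customers": {"allow": {"customer_id", "balance"}, "mask": {}}},
    },
    "support": {
        "networks": ["10.0.2.0/24"],
        "tables": {"customers": {
            "allow": {"customer_id", "name", "email", "ssn"},
            # masked columns are only ever returned through this expression
            "mask": {"ssn": "'***-**-' || substr(ssn, -4)"},
        }},
    },
}
SELECT_RE = re.compile(
    r"^\s*select\s+(?P<cols>\*|[\w\s,]+?)\s+from\s+(?P<table>\w+)"
    r"(?:\s+where\s+(?P<where>.+?))?\s*;?\s*$", re.I | re.S)


class Denied(Exception):
    pass


def demo_db():
    con = sqlite3.connect(":memory:")
    con.execute("create table customers(customer_id int, name text, email text, ssn text, balance real)")
    con.executemany("insert into customers values (?, ?, ?, ?, ?)", [
        (1001, "Alice Example", "alice@example.com", "123-45-6789", 1520.75),
        (1002, "Bob Sample", "bob@example.org", "987-65-4321", 89.10),
        (1003, "Carol Test", "carol@example.net", "555-12-3456", 430.00),
    ])
    return con


class Broker:
    def __init__(self, con):
        self.con = con
        self.audit = []  # (user, host, original sql, decision, detail)

    def query(self, user, host, sql):
        try:
            rewritten = self.authorize(user, host, sql)
        except Denied as e:
            self.audit.append((user, host, sql, "DENY", str(e)))
            raise
        self.audit.append((user, host, sql, "ALLOW", rewritten))
        return self.con.execute(rewritten).fetchall()

    def authorize(self, user, host, sql) -> str:
        role = ROLES.get(user)
        if role is None:
            raise Denied(f"unknown user {user}")
        pol = POLICY[role]
        try:
            on_net = any(ipaddress.ip_address(host) in ipaddress.ip_network(n) for n in pol["networks"])
        except ValueError:
            on_net = False
        if not on_net:
            raise Denied(f"host {host} not permitted for role {role}")
        m = SELECT_RE.match(sql)
        if not m:
            raise Denied("only SELECT cols FROM table [WHERE ...] is accepted")
        table = m["table"].lower()
        tpol = pol["tables"].get(table)
        if tpol is None:
            raise Denied(f"table {table} not permitted for role {role}")
        where = (m["where"] or "").strip()
        if re.search(r";|--|/\*|\b(select|union)\b", where, re.I):
            raise Denied("stacked statements, comments and subqueries are not accepted")
        cols = sorted(tpol["allow"]) if m["cols"].strip() == "*" else \
            [c.strip().lower() for c in m["cols"].split(",")]
        # column names used in predicates, ignoring string literals
        where_cols = set(re.findall(r"\b[a-z_]\w*\b",
                                    re.sub(r"'[^']*'", "''", where.lower()))) & TABLE_COLUMNS[table]
        for c in cols + sorted(where_cols):
            if c not in TABLE_COLUMNS[table]:
                raise Denied(f"unknown column {c}")
            if c not in tpol["allow"]:
                raise Denied(f"column {c} not permitted for role {role}")
        if where_cols & set(tpol["mask"]):
            raise Denied("predicates on masked columns are not permitted")
        select_list = ", ".join(f"{tpol['mask'][c]} AS {c}" if c in tpol["mask"] else c for c in cols)
        return f"SELECT {select_list} FROM {table}" + (f" WHERE {where}" if where else "")


def is_denied(broker, user, host, sql) -> bool:
    """True if the broker refuses the request (used for checks and tests)."""
    try:
        broker.query(user, host, sql)
    except Denied:
        return True
    return False
```

The grammar is deliberately narrow: joins, subqueries, comments and stacked statements are rejected outright rather than parsed, because a broker that tries to be permissive with a regex will be bypassed. A production broker uses a real SQL parser and pushes the masking into the database itself (views, column grants, row-level security) so it cannot be argued around; the audit list is exactly the baseline data the paragraph above recommends collecting before and after rollout.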

Differential privacy: this is a field that has evolved rapidly over the last several years. The idea is to give business units access to data, or to aggregate statistics about it, that is good enough to provide the insights they need to grow their business but not granular enough to expose individual private records. Each released answer consumes part of a privacy budget, so the guarantee holds only while that budget is tracked across all the queries an analyst runs. Companies such as Google and Facebook have pioneered these techniques and provide open source projects to help in this process.
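
As an added illustration (my own, not from the article or from the Google or Facebook projects it mentions), the Python below implements the simplest differentially private query, a noisy count under the Laplace mechanism, together with a budget accountant. The records, epsilon values and function names are assumptions; the point it shows is that the released answer's distribution changes by a bounded factor whether or not any one individual is in the dataset, and that the guarantee is spent down as queries accumulate.

```python
"""Differentially private counting with a privacy budget.

A count has sensitivity 1 (adding or removing one person changes it by at
most 1), so adding Laplace noise of scale 1/epsilon makes the released value
epsilon-differentially private.  The accountant enforces a total budget under
sequential composition: the epsilons of every released answer add up.
Added example with constructed records.
"""
import random

# Constructed records, one per customer (not real people).
RECORDS = [
    {"id": 1, "state": "CA", "late_payment": True},
    {"id": 2, "state": "CA", "late_payment": False},
    {"id": 3, "state": "NY", "late_payment": True},
    {"id": 4, "state": "NY", "late_payment": True},
    {"id": 5, "state": "TX", "late_payment": False},
    {"id": 6, "state": "CA", "late_payment": True},
]


def laplace_noise(rng: random.Random, scale: float) -> float:
    """Laplace(0, scale), sampled as the difference of two exponentials
    with mean `scale` (a standard identity, avoids a log of zero)."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def true_count(records, predicate) -> int:
    return sum(1 for r in records if predicate(r))


class PrivacyAccountant:
    """Tracks epsilon spent; refuses a query that would exceed the budget."""

    def __init__(self, total_epsilon: float):
        self.total = total_epsilon
        self.spent = 0.0

    def charge(self, epsilon: float) -> None:
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if self.spent + epsilon > self.total + 1e-12:
            raise RuntimeError(f"privacy budget exhausted: spent {self.spent}, total {self.total}")
        self.spent += epsilon


def dp_count(records, predicate, epsilon: float,
             accountant: PrivacyAccountant, rng: random.Random) -> float:
    accountant.charge(epsilon)   # charge first, so a refused query releases nothing
    sensitivity = 1.0            # one person moves a count by at most 1
    return true_count(records, predicate) + laplace_noise(rng, sensitivity / epsilon)


def try_dp_count(records, predicate, epsilon, accountant, rng):
    """Return the noisy count, or None if the budget would be exceeded."""
    try:
        return dp_count(records, predicate, epsilon, accountant, rng)
    except RuntimeError:
        return None


def max_privacy_loss(count_a: int, count_b: int, epsilon: float, outputs) -> float:
    """Largest |ln p_a(x) / p_b(x)| over `outputs` when the mechanism runs on two
    neighbouring datasets with true counts count_a and count_b.  For Laplace
    noise of scale b = 1/epsilon this equals (|x - count_b| - |x - count_a|) / b,
    which the triangle inequality bounds by epsilon * |count_a - count_b|."""
    b = 1.0 / epsilon
    return max(abs((abs(x - count_b) - abs(x - count_a)) / b) for x in outputs)


if __name__ == "__main__":
    rng = random.Random(7)
    acc = PrivacyAccountant(total_epsilon=1.0)
    late = lambda r: r["late_payment"]
    print("true:", true_count(RECORDS, late),
          "released:", round(dp_count(RECORDS, late, 0.5, acc, rng), 2),
          "budget left:", acc.total - acc.spent)
```

The accountant is the part most deployments forget: without it an analyst can repeat the same query until the noise averages out, and the bound from max_privacy_loss is per release, not per analyst.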

It may seem like a data breach simply couldn't happen to you, but after working hundreds of breaches globally, I assure you that it can. If you continue to feed the current development process, which pressures developers to perform rapidly without regard for security, it is only a matter of time before you suffer the consequences. Identify a data security champion and start adding stringent access control policies in your organization to bring back control.

At the end of the day, most attackers get in the door through social engineering, email and endpoint vulnerabilities, but they are ultimately targeting your data. How do you plan to protect it?

Originally published at https://www.cbronline.com on May 4, 2020.

Translated from: https://medium.com/@jason.truppi/dangers-of-data-sprawl-increase-during-the-remote-work-revolution-fa219a10fa13
