Data Security in the Cloud
Organizations are increasingly using cloud computing technology to build, deploy, and migrate to cloud-based environments.
While cloud service providers like Google Cloud Platform (GCP), Microsoft Azure, and Amazon Web Services (AWS) continue to expand cloud security services to protect their cloud infrastructures, it is ultimately the customer's responsibility to implement proper cyber security in the cloud and to secure the data they store there.
Despite an array of benefits, keeping an organization's data in a publicly hosted cloud environment can easily expose the organization to many threat vectors.
A survey revealed that the top cyber security challenges in the cloud are data loss (64%) and data privacy (62%), followed by accidental leakage of credentials (39%) tied with compliance issues (39%).
As data continues to move to the cloud, many cyber security professionals are struggling to maintain the security of their cloud environments.
Cloud computing is opening up new challenges.
When using cloud services, be it software-as-a-service (SaaS) or infrastructure-as-a-service (IaaS), the customer always has some level of responsibility for protecting their data from attackers.
With SaaS services, the customer's control is primarily limited to restricting access and encrypting data, where the SaaS offering allows it. With platform-as-a-service (PaaS) and IaaS, the organization takes on significantly more responsibility for protecting data.
Overcoming Cloud Security Challenges in Cyber Security
Security issues in the cloud are a major concern for many organizations that are considering cloud computing services. The rapid growth of the cloud has not only highlighted the benefits of the cloud but has also drawn attention to the cloud security challenges that exist in its environment.
Is it true? Is cloud computing really insecure?
The answer is complicated.
Individual cloud computing services can be made highly secure by implementing the latest security measures. In fact, many cloud service providers do a great job of integrating security into the cloud infrastructure and make it more secure than many other organizations do.
However, not every cloud service provider is like this, so care must be taken in reviewing the cloud provider's security posture.
Security in cloud computing is dependent on the users as well. Failing to properly adhere to security standards and to address security risks in a timely manner can lead to an otherwise preventable cyberattack or data breach. This requires that companies understand and mitigate cloud security risks effectively.
Most security issues in the cloud are centered around data and access because the majority of shared responsibility models in cloud computing services leave those two aspects completely up to the customer.
As a result, attackers have focused on these potential weaknesses. There are several challenges associated with cloud security. The most common problems for cloud computing security include:
- Identifying and maintaining the necessary security controls
- Balancing the shared responsibility of maintaining security between the cloud service provider and the user
- Compliance with regulatory requirements to secure data in the cloud environment
In a nutshell, cloud security is quite dynamic, depending largely on how well the end user understands and addresses cloud computing security risks and vulnerabilities.
Fortunately, cloud security risks can be largely mitigated by following cloud security best practices. Below, we've listed the top cyber security best practices in the cloud that can help you build and maintain a secure cloud environment.
Cyber Security: Best Practices in the Cloud
Want to leverage cloud computing in a secure manner? Here are some of the best cyber security practices in the cloud:
Implement Strong User Access Control / Least Privilege
Similar to the traditional software security process, administrators should implement strong user access control to define who can access the data and to what extent they can access it. This will help ensure that only authorized users can gain access to data in the cloud infrastructure.
Using the least privilege model, you can also ensure that users can only access the data they need to complete their tasks. Implementing user access control and least privilege can be easily automated to increase accuracy and save time as existing and new users are onboarded to access new servers.
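One way to automate the least-privilege check described above is to evaluate a policy document against the exact set of (action, resource) pairs a task needs and report both the excess it grants and anything it is missing. The example below is added here and is not code from the original article or from any cloud provider: it implements a simplified evaluator (default deny, explicit Deny wins, `*` wildcards) over a constructed catalogue whose action names and ARNs follow the AWS convention but are illustrative, and the key ARN is a placeholder.

```python
import fnmatch

# Catalogue of actions and resources the evaluation is run over. Constructed
# for this example; names follow the AWS "service:Operation" and ARN
# conventions but the catalogue is illustrative, not exhaustive.
ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:PutBucketPolicy", "s3:DeleteBucket",
    "kms:Decrypt", "kms:Encrypt", "kms:ScheduleKeyDeletion",
    "iam:CreateUser", "iam:AttachUserPolicy", "iam:PassRole",
]
RESOURCES = [
    "arn:aws:s3:::reports-bucket",
    "arn:aws:s3:::reports-bucket/*",
    "arn:aws:s3:::payroll-bucket/*",
    "arn:aws:kms:REGION:ACCOUNT:key/EXAMPLE-KEY-ID",   # placeholder ARN
]

def _matches(patterns, value):
    """IAM-style wildcard match: '*' and '?' as in fnmatch, case-sensitive."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policy, action, resource):
    """Simplified evaluation: default deny; an explicit Deny always wins;
    otherwise allowed if any Allow statement matches action and resource."""
    allowed = False
    for st in policy["Statement"]:
        if _matches(st["Action"], action) and _matches(st["Resource"], resource):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def granted(policy, actions=ACTIONS, resources=RESOURCES):
    """Every (action, resource) pair the policy permits."""
    return {(a, r) for a in actions for r in resources if is_allowed(policy, a, r)}

def excess_permissions(policy, required):
    """Pairs granted beyond what the task needs: the least-privilege gap."""
    return granted(policy) - set(required)

def missing_permissions(policy, required):
    """Pairs the task needs that the policy does not grant."""
    return set(required) - granted(policy)

# The task: a report generator that lists and reads one bucket and decrypts
# with one key. Constructed requirement set.
REQUIRED = {
    ("s3:ListBucket", "arn:aws:s3:::reports-bucket"),
    ("s3:GetObject", "arn:aws:s3:::reports-bucket/*"),
    ("kms:Decrypt", "arn:aws:kms:REGION:ACCOUNT:key/EXAMPLE-KEY-ID"),
}

BROAD_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]}

S3_WILDCARD_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::reports-bucket/*"},
]}

LEAST_PRIVILEGE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::reports-bucket"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports-bucket/*"},
    {"Effect": "Allow", "Action": "kms:Decrypt",
     "Resource": "arn:aws:kms:REGION:ACCOUNT:key/EXAMPLE-KEY-ID"},
    # Guard rail: even if a broader Allow is attached later, payroll stays off limits.
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::payroll-bucket/*"},
]}

if __name__ == "__main__":
    for name, pol in [("broad", BROAD_POLICY), ("s3-wildcard", S3_WILDCARD_POLICY),
                      ("least-privilege", LEAST_PRIVILEGE_POLICY)]:
        print(f"{name}: excess={len(excess_permissions(pol, REQUIRED))} "
              f"missing={len(missing_permissions(pol, REQUIRED))}")
```

Run as a job over every role at onboarding time, a non-empty excess set is the signal to tighten the policy, and a non-empty missing set is the signal that the task will fail and someone will be tempted to attach a wildcard. The `s3:*` policy shows why both matter: it over-grants on objects (delete, bucket policy changes) while still lacking the list and decrypt permissions the task actually needs.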
Use SSH Keys and Securely Store Keys
Secure Shell (SSH) keys help establish secure server connections using public and private key pairs. Since they are used to access sensitive data and perform critical, privileged activities, it's important to properly manage SSH keys and store them securely.
Companies should create specific cloud computing and key management policies to govern how these keys are created, managed, and removed when they expire. For instance, any privileged session established with SSH keys should be monitored and analyzed to meet both regulatory and cyber security needs.
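A concrete piece of the key management policy above is an audit of the `authorized_keys` files on each server: which key types are present, whether RSA keys meet a minimum size, and whether each key carries an expiry. The example below is added here and is not code from the article: it parses the OpenSSH `authorized_keys` line format (options, key type, base64 blob, comment), decodes the `ssh-rsa` wire format to read the modulus size, and uses OpenSSH's `expiry-time="YYYYMMDD"` option as the expiry source. The key blobs in the sample file are synthetic (not real keys), and the 2048-bit minimum and the ban on `ssh-dss` are policy choices assumed for the example.

```python
import base64
import struct
from datetime import date

# Key-type tokens sshd recognises; the first token that matches one of these
# marks the end of the options field and the start of the key itself.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
FORBIDDEN_TYPES = {"ssh-dss"}   # policy choice for this example: DSA is obsolete
MIN_RSA_BITS = 2048             # policy choice for this example

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    # Positive mpint: big-endian, with a leading zero byte when the top bit is set.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _read_string(blob: bytes, off: int):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def rsa_modulus_bits(blob_b64: str) -> int:
    """Parse an ssh-rsa blob (string "ssh-rsa", mpint e, mpint n) and return
    the modulus size in bits."""
    blob = base64.b64decode(blob_b64)
    _, off = _read_string(blob, 0)      # key type
    _, off = _read_string(blob, off)    # public exponent e
    n_bytes, _ = _read_string(blob, off)
    return int.from_bytes(n_bytes, "big").bit_length()

def split_options(opts: str):
    """Split the options field on commas that are not inside double quotes."""
    parts, cur, quoted = [], "", False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return [p for p in parts + [cur] if p]

def audit_line(line: str, today: date):
    """Return (key_type, comment, findings) for one line, None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        return ("?", "", ["unrecognised or malformed key line"])
    key_type, blob = tokens[idx], tokens[idx + 1]
    comment = " ".join(tokens[idx + 2:])
    options = split_options(" ".join(tokens[:idx]))
    findings = []
    if key_type in FORBIDDEN_TYPES:
        findings.append(f"{key_type} keys are not permitted")
    if key_type == "ssh-rsa":
        bits = rsa_modulus_bits(blob)
        if bits < MIN_RSA_BITS:
            findings.append(f"RSA modulus is {bits} bits, below {MIN_RSA_BITS}")
    expiry = next((o for o in options if o.startswith("expiry-time=")), None)
    if expiry is None:
        findings.append("no expiry-time option: key never expires")
    else:
        ymd = expiry.split("=", 1)[1].strip('"')[:8]   # YYYYMMDD prefix of the timespec
        expires = date(int(ymd[:4]), int(ymd[4:6]), int(ymd[6:8]))
        if expires < today:
            findings.append(f"key expired on {expires.isoformat()}")
    return (key_type, comment, findings)

def audit_authorized_keys(text: str, today="today"):
    """Audit a whole file; `today` is a date, an ISO date string, or "today"."""
    if today == "today":
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    return [r for r in (audit_line(l, today) for l in text.splitlines()) if r]

# Constructed sample file: the blobs are synthetic and are not real keys.
def _fake_blob(key_type: str, *fields: bytes) -> str:
    return base64.b64encode(_ssh_string(key_type.encode()) + b"".join(fields)).decode()

ED25519_BLOB = _fake_blob("ssh-ed25519", _ssh_string(bytes(32)))
RSA_1024_BLOB = _fake_blob("ssh-rsa", _ssh_mpint(65537), _ssh_mpint((1 << 1023) | 12345))
DSS_BLOB = _fake_blob("ssh-dss", *(_ssh_mpint(p) for p in (7, 11, 13, 17)))

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    f'expiry-time="20301231",no-port-forwarding ssh-ed25519 {ED25519_BLOB} deploy@ci',
    f"ssh-rsa {RSA_1024_BLOB} legacy@build01",
    f'expiry-time="20200101" ssh-dss {DSS_BLOB} contractor@old',
])

if __name__ == "__main__":
    for key_type, comment, findings in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"{key_type:12} {comment:18} {findings or 'OK'}")
```

Feeding the collected `authorized_keys` files from a fleet through `audit_authorized_keys` gives the inventory the policy calls for: each finding maps to a removal or rotation ticket, and keys without an expiry are the ones most likely to outlive the person or pipeline that created them.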
Implement Encryption in the Cloud
Data encryption in cloud computing is essential for organizations as it helps ensure that data moving to and from the cloud is encrypted and secure.
While choosing a cloud service provider, you need to be vigilant about your security needs for the cloud deployment and the data that will be stored in the cloud. Many cloud service providers offer cloud encryption services; often you will want to manage your own encryption keys rather than rely completely on your provider. Decide this based on your risk tolerance.
Encryption combined with other security controls such as the principle of least privilege (PoLP) enables organizations to meet stringent regulatory requirements such as PCI DSS, HIPAA, and GDPR.
Perform Routine Penetration Tests
Cloud penetration tests help identify security vulnerabilities in the cloud infrastructure.
For cloud computing, pen tests are often a shared responsibility, which means that both your organization and your cloud service provider can perform penetration tests to detect security vulnerabilities in the cloud.
Is pen testing in the cloud different from other pen tests?
Typically, a pen test in a cloud computing environment does not differ much from other pen tests. While there are key differences in the way cloud applications and infrastructure are set up, the principles of the pen test remain the same: identifying and mitigating security vulnerabilities.
Hardened and Controlled Images
A hardened virtual server image is essentially an image stripped of anything unnecessary to the specific task at hand, with its configuration locked down tightly. These images are built in accordance with appropriate cloud security standards, with the lowest access privileges and admin permissions and only the ports and services that are required.
Hardening and controlling images is a key component of a defense-in-depth strategy that limits cloud security vulnerabilities and protects your organization.
Implement Multi-Factor Authentication
Multi-factor authentication (MFA) protects your company data and user accounts using an array of authentication methods such as one-time passwords, biometrics, security questions, and many others.
How will MFA help ensure better cloud computing security?
By implementing MFA in your cloud computing environment, you can limit access to data in the cloud to authorized users only and mitigate the risk posed by lost, stolen, or compromised credentials.
Scanning for Vulnerabilities and Unapproved Hardening Processes
Misconfigurations in the cloud computing environment can create exploitable security weaknesses.
According to a report, companies have, on average, at least 14 misconfigured IaaS events running at any given time, leading to an average of about 2,300 cloud misconfiguration incidents per month.
To avoid such cyber security vulnerabilities, you'll need to audit your IaaS configurations for access management, encryption, and network configuration.
Further, consider automatic scanning of hardened images, Docker containers, and all newly deployed servers to identify security vulnerabilities that might have been introduced into the cloud computing environment during deployment or management.
Don't just look for existing cyber security vulnerabilities; continually scan your environment for any items that are not in the proper hardened configuration. If something has drifted from the hardened configuration, replace it with the approved hardened image. Remember, cattle not pets!
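The hardened-image section and the scanning section above describe the same control loop: define the approved baseline, collect what is actually running, diff the two across access management, encryption and network configuration, and replace rather than patch whatever has drifted. The example below is added here and is not code from the article or from any scanning product: it runs that diff over a constructed inventory (instances, security-group ingress rules and object-storage settings) and lists the instances that should be redeployed from the approved image. The baseline, the image id and all inventory values are placeholders assumed for the example.

```python
import ipaddress

# Approved hardened baseline (constructed; the image id is a placeholder).
BASELINE = {
    "image_id": "img-hardened-PLACEHOLDER",
    "allowed_ports": {22, 443},
    "required_services": {"sshd", "auditd"},
    "forbidden_services": {"telnetd", "rsh", "ftpd"},
    "root_volume_encrypted": True,
    "ssh_password_auth": False,
}
PUBLIC_OK_PORTS = frozenset({443})   # the only port allowed to face 0.0.0.0/0

def check_instance(inst, baseline=BASELINE):
    """Findings as (resource, severity, message) for one instance vs. the baseline."""
    f, rid = [], inst["id"]
    if inst["image_id"] != baseline["image_id"]:
        f.append((rid, "high", f"built from unapproved image {inst['image_id']}"))
    extra = set(inst["listening_ports"]) - baseline["allowed_ports"]
    if extra:
        f.append((rid, "medium", f"unexpected listening ports {sorted(extra)}"))
    services = set(inst["services"])
    missing = baseline["required_services"] - services
    if missing:
        f.append((rid, "medium", f"required services not running {sorted(missing)}"))
    forbidden = services & baseline["forbidden_services"]
    if forbidden:
        f.append((rid, "high", f"forbidden services running {sorted(forbidden)}"))
    if baseline["root_volume_encrypted"] and not inst["root_volume_encrypted"]:
        f.append((rid, "high", "root volume is not encrypted"))
    if inst["ssh_password_auth"] and not baseline["ssh_password_auth"]:
        f.append((rid, "medium", "sshd accepts password authentication"))
    return f

def check_security_group(sg, public_ok=PUBLIC_OK_PORTS):
    """Network configuration: flag any port other than the public ones that is
    reachable from every address (a /0 source, IPv4 or IPv6)."""
    f = []
    for rule in sg["ingress"]:
        if ipaddress.ip_network(rule["cidr"]).prefixlen == 0 and rule["port"] not in public_ok:
            f.append((sg["id"], "high", f"port {rule['port']} open to the world via {rule['cidr']}"))
    return f

def check_bucket(b):
    """Access management and encryption settings of an object-storage bucket."""
    f = []
    if b["public_access"]:
        f.append((b["id"], "high", "object storage allows public access"))
    if not b["default_encryption"]:
        f.append((b["id"], "medium", "object storage has no default encryption"))
    return f

def audit(inventory):
    f = []
    for inst in inventory["instances"]:
        f += check_instance(inst)
    for sg in inventory["security_groups"]:
        f += check_security_group(sg)
    for b in inventory["buckets"]:
        f += check_bucket(b)
    return f

def drifted_instances(inventory):
    """Instances that no longer match the baseline; the remediation is to
    replace them from the hardened image rather than fix them in place."""
    return sorted(i["id"] for i in inventory["instances"] if check_instance(i))

# Constructed inventory, shaped like what a configuration-scanning job collects.
INVENTORY = {
    "instances": [
        {"id": "web-1", "image_id": "img-hardened-PLACEHOLDER", "listening_ports": [22, 443],
         "services": ["sshd", "auditd"], "root_volume_encrypted": True, "ssh_password_auth": False},
        {"id": "web-2", "image_id": "img-adhoc-snapshot", "listening_ports": [22, 443, 8080],
         "services": ["sshd", "telnetd"], "root_volume_encrypted": True, "ssh_password_auth": True},
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                                     {"port": 22, "cidr": "0.0.0.0/0"},
                                     {"port": 22, "cidr": "10.0.0.0/8"}]},
    ],
    "buckets": [
        {"id": "logs-archive", "public_access": True, "default_encryption": False},
        {"id": "customer-data", "public_access": False, "default_encryption": True},
    ],
}

if __name__ == "__main__":
    for rid, sev, msg in audit(INVENTORY):
        print(f"[{sev}] {rid}: {msg}")
    print("replace from hardened image:", drifted_instances(INVENTORY))
```

Scheduled continuously, `audit` is the "continually scan" step and `drifted_instances` is the "cattle not pets" step: `web-2` is not patched by hand, it is terminated and rebuilt from the approved image, which also removes whatever else changed on it that the checks did not enumerate.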
Wrapping Up and Looking Ahead
Cloud computing comes with its fair share of benefits as well as challenges. While cyber security in the cloud is a shared responsibility of both the cloud service provider and the user, many organizations don't properly fulfill their responsibilities, at the expense of their clients.
Whether due to negligence or lack of knowledge, misuse of your cloud environment can have severe consequences. Make sure you implement stringent cloud computing security policies to ensure your data in the cloud is secure.
Running a cloud infrastructure isn't an easy task, and we get it.
Our security team consists of top security and subject matter experts on AWS, Azure, and Google Cloud, as well as knowledgeable security trainers who can help you with the questions you should ask your cloud service provider before buying cloud services.
We also offer security audits to detect and mitigate security vulnerabilities in cloud infrastructure, making it easy for you to secure your cloud environment.
About the Author:
Steve Kosten is a Principal Security Consultant at Cypress Data Defense and an instructor for the SANS DEV541 Secure Coding in Java/JEE: Developing Defensible Applications course.
Translated from: https://towardsdatascience.com/what-you-need-to-know-about-cyber-security-in-the-cloud-63621f128417