
Cloud Security Tips to Reduce Security Risks, Threats and Vulnerabilities

Do you assume your data in the cloud is backed up and safe from threats? Not so fast.

With the number of cybersecurity attacks reaching an all-time high in 2018, it is clear that all data is at risk.

Everyone always thinks "it can't happen to me." The reality is that no network is 100% immune to hackers.

According to Kaspersky Lab, ransomware grew by more than 250% in 2018 and continues to head in a very frightening direction. Following the advice offered here is the ultimate insurance policy against the serious consequences of a major data loss in the cloud.

How do you start protecting your data in the cloud? What are the best practices for securing data in the cloud? How secure is cloud computing?

To help you kick-start your security strategy, we invited experts to share their advice on cloud security risks and threats.

Our Experts' Key Takeaways on Cloud Protection and Security Threats

1. Maintain Availability in the Cloud

Dustin Albertson, Senior Cloud Solutions Architect at Veeam

When most people think about the topic of cloud-based security, they tend to think of networking, firewalls, endpoint security, and so on. Amazon defines cloud security as:

Security in the cloud is much like security in your on-premises data centers, only without the costs of maintaining facilities and hardware. In the cloud, you don't have to manage physical servers or storage devices. Instead, you use software-based security tools to monitor and protect the flow of information into and out of your cloud resources.

But one risk that is often overlooked is maintaining availability. I don't just mean geo-redundancy or hardware redundancy; I mean making sure your data and applications are covered. The cloud is not some magical place where all your worries disappear; the cloud is a place where all your fears are often easier and cheaper to multiply. Having a strong data protection strategy is key. Veeam often promotes the "3-2-1 Rule" coined by Peter Krogh.

The rule states that you should have three copies of your data, store them on two different media, and keep one copy off-site. Off-site is usually in the "cloud," but what about when you are already in the cloud?

This is where I see most cloud issues arise: when people are already in the cloud, they tend to store their data in that same cloud. That is why it is important to remember to have a detailed strategy when moving to the cloud. Protect cloud workloads by leveraging Veeam agents, and leverage Cloud Connect to send backups off-site to maintain availability outside the same data center or cloud. Don't assume that protecting your data is the provider's job, because it is not.

2. Cloud Migration Is Outpacing the Evolution of Security Controls

Salvatore Stolfo, CTO at Allure Security

According to a new survey conducted by ESG, 75% of organizations say that at least 20% of their sensitive data stored in public clouds is insufficiently protected. In addition, 81% of respondents believe on-premises data security is more mature than public-cloud data security.

Yet enterprises are moving to the cloud faster than ever to maximize organizational benefits: according to LogicMonitor's "Cloud Vision 2020" report, an estimated 83% of business workloads will be in the cloud by 2020. We are facing an increasingly urgent situation in which organizations are moving their sensitive data to the cloud for productivity purposes faster than the security controls to protect that data are evolving.

Companies must consider solutions that control access to data in cloud shares based on the level of permissions a user has, but they must also have a way to be alerted when data is accessed in unusual or suspicious ways, even by what appears to be a trusted user.

Remember that many hacks and insider leaks come from bad actors with stolen legitimate credentials that allow them to move freely around a cloud share looking for valuable data to steal. Deceptive documents, called decoys, can also be an excellent tool for detecting this. Decoys can alert the security team to abnormal behavior in the early stages of a cloud security breach, and can even fool would-be cyber thieves into believing they have stolen something valuable when in fact it is a highly convincing fake document. Then there is the question of being able to control a document even after it has been taken out of the cloud share.

This is where many security solutions start to fall apart. Once a file is downloaded from a cloud repository, how do you track where it travels and who views it? More investment must be made in technologies such as geofencing and telemetry to solve this problem.

3. Minimize Cloud Computing Threats and Vulnerabilities With a Security Plan

Nic O'Donovan, Solutions Architect and Cloud Specialist at VMware

The hybrid cloud is growing in popularity with the enterprise, mainly because speed of deployment, scalability, and cost savings are becoming more attractive to businesses. We continue to see infrastructure rapidly evolving into the cloud, which means security must evolve at a similar rate. Enterprises must work with a cloud service provider that has a reliable approach to cloud security.

This means the partnership with your cloud provider becomes increasingly important as you work together to understand and implement a security plan to keep your data secure.

Security controls such as multi-factor authentication, data encryption, and the level of compliance you require are all areas to focus on when building your security plan.

4. Never Stop Learning About Your Biggest Vulnerabilities

Isaac Kohen, CEO of Teramind

More and more companies are falling victim in the cloud, and this is tied to cloud misconfiguration and employee negligence.

1. The biggest threat to data security is your employees. Negligent or malicious employees are one of the main causes of malware infections and data loss. Malware attacks and phishing emails are common words in the news because they are the "easy" way for hackers to access data. Through social engineering, malicious criminals can "trick" employees into giving up passwords and credentials to critical business and enterprise data systems. The way to prevent this: an effective employee training program and employee monitoring that actively probes the system.

2. Never stop learning. In an industry that is constantly changing and adapting, it is important to stay up to date on the latest trends and vulnerabilities. For example, with the Internet of Things (IoT), we are only starting to see the "tip of the iceberg" when it comes to protecting data over increased Wi-Fi connections and online data storage services. There is more to this story still to unfold, and it will have a direct impact on small businesses in the future.

3. Research and understand how storage works, and then educate. We have all heard the stories: when data is exposed through the cloud, many times it is due to misconfigured cloud settings. Employees need to understand the security nature of the application, and that settings can easily be tampered with and "opened" to expose data externally. Build security awareness through training programs.

4. Limit your access points. An easy way to mitigate this is to limit your access points. A common mistake behind cloud exposure is an employee with erroneous access enabling global permissions, allowing data to be exposed to open connections. To mitigate, understand who and what has access to the data cloud, all of the access points, and monitor those connections thoroughly.

5. Monitor the system, progressively and throughout. To protect data on the cloud in the long term, use a user analytics and monitoring platform to detect breaches faster. Monitoring and user analytics streamline data and create a standard "profile" of the user, both employee and computer. These analytics are integrated and follow the most important data stores that you, as administrator, have indicated in the detection software. When specific cloud data is tampered with, moved, or corrupted, the system immediately "pings" the administrator, indicating a change in character.

5. Consider a Hybrid Solution

Michael V.N. Hall, Director of Operations at Turbot

There are a few important things to understand about security in the cloud:

1. Passwords are power: 80% of password breaches could have been prevented by multi-factor identification. By verifying your personal identity to your account via a text message to your phone or an email, you can now be alerted when someone attempts to access your account details.

One of the biggest culprits right now is weakened credentials. This means passwords, passcodes, and passphrases are stolen through phishing scams, keylogging, and brute-force attacks.

Passphrases are the new passwords. Random, easy-to-remember passphrases are much better than passwords because they tend to be longer and more complex.

MyDonkeysEatCheese47 is a complex passphrase, and unless you are a donkey owner or a cheesemaker it has nothing to do with you. Remember to use uppercase and lowercase letters as well as the full range of punctuation.

2. Stay in touch with your hosting provider. Choose the right hosting provider: a reputable company with high security standards. Communicate with them regularly, because frequent interaction lets you stay on top of any changes or developing problems.

3. Consider a hybrid solution. A hybrid solution allows secure static systems to store critical data in-house while opening lower-priority data to the greater functionality of the cloud.

6. Understand How Cloud Security Systems Work

Tom DeSot, CIO at Digital Defense, Inc.

Businesses need to make sure they evaluate the security risks and benefits of cloud computing. This is to ensure they understand what moving into the cloud means before they take the big leap from running systems in their own data center.

Too often I see businesses move to the cloud without a plan or any knowledge of what it means for them and the security of their systems. They need to recognize that their software will be "living" on systems shared with other customers, so if another customer's platform is breached, the attacker may be able to compromise their systems as well.

Likewise, cloud customers need to understand where their data will be stored, whether only in the United States, or whether the provider replicates it to other systems on different continents. This can cause real problems if the information is sensitive, such as PII or information protected under HIPAA or other regulatory regimes. Finally, cloud customers need to pay close attention to the Service Level Agreements (SLAs) the cloud provider adheres to and make sure they reflect their own SLAs.

Moving to the cloud is a great way to free up computing resources and ensure uptime, but I always advise my clients to take it step by step so they have time to understand what being "in the cloud" means.

7. Do Your Due Diligence in Securing the Cloud

Ken Stasiak, CEO of SecureState

Understand the type of data you are putting into the cloud and the mandated security requirements around that data.

Once a business understands the type of data it wants to store in the cloud, it should have a solid understanding of the level of due diligence required when evaluating different cloud providers. For example, if you are choosing a cloud service provider to host your Protected Health Information (PHI), you should require an assessment of security standards and HIPAA compliance before moving any data into the cloud.

Some good questions to ask when evaluating whether a cloud service provider is a good fit for an organization concerned with data security include: Do you perform regular SOC audits and assessments? How do you protect against malicious activity? Do you perform background checks on all employees? What types of systems do you have in place for employee monitoring, access determination, and audit trails?

8. Set Access Controls and Security Permissions

Michael R. Durante, President of Tie National, LLC

While the flexibility of cloud computing has made it a powerful force in computing, because it can scale to meet business needs and strengthen collaboration across locations, it also raises security concerns because it can expose vulnerabilities that are relatively beyond your control.

For example, BYOD can become a security challenge if users do not regularly apply security patches and updates. My first piece of advice is to make full use of the access controls available.

Businesses need to leverage access controls to limit security permissions, allowing only the actions relevant to an employee's job function. By limiting access, businesses ensure that critical files are available only to the employees who need them, thereby reducing the chances of their exposure to the wrong parties. This control also makes it easier to revoke access immediately upon termination of employment to protect any sensitive content, no matter where the employee attempts to access it from remotely.

9. Understand the Pedigree and Processes of Your Vendor or Supplier

Paul Evans, CEO of Redstor

The use of cloud technologies has enabled businesses of all sizes to drive performance improvements and gain efficiencies through more remote working, higher availability, and greater flexibility.

However, with more and more disparate systems being deployed and so many cloud vendors and software to choose from, maintaining control over data security can become challenging. When looking to implement cloud services, it is essential to thoroughly understand the pedigree and processes of the vendor/supplier who will be delivering the service. Industry-standard security certifications are a great starting point. Suppliers with ISO 27001 certification have proven they meet international information security management standards and should be held in higher regard than those without.

Having a full understanding of where your data goes geographically, who has access to it, and whether it will be encrypted is key to being able to protect it. It is also important to know the vendor's processes in the event of a data breach or loss, or in the event of downtime. Acceptable downtime should be set out in contracted Service Level Agreements (SLAs), which should be financially backed by the vendor to provide assurance.

For organizations looking to utilize cloud platforms, there are cloud security threats to be aware of: Who has access to the data? Where is the data stored? Is my data encrypted? But for the most part, cloud platforms can answer these questions and have high levels of security. Organizations using the cloud need to ensure they are aware of the data protection laws and regulations affecting their data, and understand exactly what the contractual agreements with the cloud provider are. How is the data protected? Many regulations and industry standards will give guidance on the best way to store sensitive data.

Keeping insecure or unencrypted copies of data may put it at greater risk. Understanding the security level of the cloud service is essential.

What is the retention policy, and do I have backups? Cloud platforms have a wide variety of uses, which can cause (or prevent) problems. If data is stored in a cloud platform, it may be vulnerable to cloud security risks such as ransomware or corruption, so ensuring that multiple copies of the data are retained or backed up can prevent this. Ensuring that these processes are in place improves the security level of an organization's cloud platform and its understanding of where any risks may come from.

10. Use Strong Passwords and Multi-Factor Authentication

Fred Reck, InnoTek Computer Consulting

Ensure that you require strong passwords for all cloud users, and preferably use multi-factor authentication.

According to the 2017 Verizon Data Breach Investigations Report, 81% of hacking-related breaches leveraged stolen and/or weak passwords. One of the most significant advantages of cloud computing is the ability to access company data from anywhere in the world on any device. On the flip side, from a security standpoint, anyone with a username and password (a.k.a. the "bad guys") could potentially access the business data. Forcing users to create strong passwords makes it much harder for hackers to use brute-force attacks (guessing the password from multiple random characters).

In addition to secure passwords, many cloud services today can use an employee's mobile phone as the secondary physical security authentication piece in a multi-factor strategy, making it affordable for organizations to implement. Users would need to not only know the password, but also have physical access to their cell phone to get into their account.

Finally, consider implementing a feature that locks a user's account after a predetermined number of unsuccessful logins.

11. Enable IP Location Locking

Chris Byrne is the co-founder and CEO of Sensorpro

Companies should enable two-factor authentication and IP location locking for access to the cloud applications they use.

With 2FA, you add another challenge, via a text message, to the usual email/password combination. With IP locking, you can isolate access to your office IP or the IPs of remote workers. If the platform does not support this, consider asking your provider to enable it.

As for the actual cloud platform provisioning, offer an option for encryption of data at rest. At some point this will become as ubiquitous as https (SSL/TLS). If the unthinkable happens and data ends up in the wrong hands, i.e. a device is stolen or left behind on a train, then encryption of data at rest is the last line of defense against anyone accessing your data without the correct encryption keys. Even if they manage to steal it, they cannot use it. This would have mitigated the recent Equifax breach, for example.

12. Cloud Storage Security Solutions With a VPN

Eric Schlissel, President and CEO of GeekTek

Use a VPN (virtual private network) whenever you connect to the cloud. VPNs are commonly used to semi-anonymize web traffic, typically by viewers accessing streaming services such as Netflix USA or BBC Player. They also provide a critical layer of security for any device connecting to the cloud. Without a VPN, any would-be intruder with a packet sniffer could determine which members are accessing your cloud account and potentially gain access to their login credentials.

Encrypt data at rest. If for any reason a user account on your public, private, or hybrid cloud is compromised, the difference between data in plaintext and data in an encrypted format can be measured in the hundreds of thousands of dollars: specifically $229,000, the figure reported by respondents to a survey conducted by insurer Hiscox. As recent events have shown, the process of encrypting and decrypting this data will prove far less painful than enduring the alternative.

Use two-factor authentication and single sign-on for all cloud-based accounts. Google, Facebook, and PayPal all use two-factor authentication, which requires the user to enter a unique software-generated code into a form before logging into his/her account. Whether or not your business aspires to their stature, it can and should emulate this core component of their security strategy. Single sign-on simplifies access management, so one pair of user credentials logs the employee into all accounts. That way, system administrators have only one account to delete rather than several that can be forgotten and re-accessed by former employees.
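The account lockout from tip 10 and the IP locking from tip 11, combined in one login guard as an added example (not InnoTek's or Sensorpro's code): the client IP is checked against an allowlist before any attempt is counted, the account locks after a fixed number of failures, and the lock releases after a timeout. The networks, credentials and injectable clock are constructed assumptions.

```python
"""Login guard: IP location locking plus lockout after repeated failures.

Added example, not Sensorpro's or InnoTek's code. Assumes the cloud app
sees the client's real source IP and keeps a per-account failure counter.
The networks, credentials and clock below are constructed.
"""
import hmac
import ipaddress
import time

# Constructed allowlist: the office egress range plus one remote worker's
# static address (both from documentation-only TEST-NET ranges).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.42/32"),
]

MAX_FAILURES = 5            # lock the account after this many failures in a row
LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts


def ip_allowed(client_ip: str) -> bool:
    """IP locking: accept only sources inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # malformed value (e.g. a tampered header): deny
    return any(addr in net for net in ALLOWED_NETWORKS)


class LoginGuard:
    """Tracks failed attempts per account and enforces a lockout window."""

    def __init__(self, credentials: dict, clock=time.monotonic):
        self._creds = credentials   # username -> password (demo only; hash in real use)
        self._failures = {}         # username -> (count, time of last failure)
        self._clock = clock         # injectable so the lockout can be tested

    def _is_locked(self, user: str) -> bool:
        count, last = self._failures.get(user, (0, 0.0))
        if count < MAX_FAILURES:
            return False
        if self._clock() - last >= LOCKOUT_SECONDS:
            self._failures.pop(user, None)  # lock expired: reset the counter
            return False
        return True

    def attempt(self, user: str, password: str, client_ip: str) -> str:
        """Return 'ip_denied', 'locked', 'bad_credentials' or 'ok'.

        The IP check comes first so a disallowed source cannot burn
        attempts against the account or learn whether it exists. A
        correct password during a lockout still returns 'locked'.
        """
        if not ip_allowed(client_ip):
            return "ip_denied"
        if self._is_locked(user):
            return "locked"
        stored = self._creds.get(user, "")
        if not stored or not hmac.compare_digest(stored.encode(), password.encode()):
            count, _ = self._failures.get(user, (0, 0.0))
            self._failures[user] = (count + 1, self._clock())
            return "bad_credentials"
        self._failures.pop(user, None)  # success resets the counter
        return "ok"
```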

13. Beware of Human Factor Risks

Steven J.J. Weisman, attorney and Bentley University professor

To paraphrase Shakespeare, the fault is not in the cloud; the fault is in ourselves.

Storing sensitive data in the cloud is a good choice for data security on multiple levels. However, regardless of how secure the technology is, the human factor always presents a potential security danger to be exploited by cybercriminals. Many past cloud security breaches have proven to be due not to security flaws in cloud technology, but to the actions of the cloud's individual users.

They unwittingly provided their usernames and passwords to cybercriminals who, through spear-phishing emails, phone calls, or text messages, persuaded people to provide the critical information needed to access the cloud account.

The best way to avoid this problem, along with better educating employees to recognize and prevent spear phishing, is to use two-factor authentication, such as sending a one-time code to the employee's phone when an attempt is made to access the cloud account.

14. Ensure You Can Retrieve Your Data From the Cloud Vendor

Bob Herman, Co-Founder and President of IT Tropolis

1. Two-factor authentication protects against account fraud. Many users fall for email phishing attempts in which bad actors trick the victim into entering their login information on a fake website. The bad actor can then log into the real site as the victim and do all kinds of damage depending on the site application and the user's access. 2FA ensures that a second code must be entered when logging into the application. Usually this is a code sent to the user's phone.

2. Ensuring that you own your data and can retrieve it when you no longer want to do business with the cloud vendor is essential. Most legitimate cloud vendors should specify in their terms that customers own their data. Next, you need to confirm that you can extract or export the data in some usable format, or that the cloud vendor will provide it to you on request.

15. Continuous Real-Time Monitoring

Sam Bisbee, Chief Security Officer at Threat Stack

1. Create real-time security observability and continuous system monitoring

Although monitoring is essential in any data environment, it must be emphasized that changes in modern cloud environments, especially in SaaS environments, tend to occur far more frequently, and their impact is felt immediately.

The consequences can be very significant due to the nature of elastic infrastructure. At any moment, someone's accidental or malicious actions could severely affect the security of your development, production, or test systems.

Running modern infrastructure without real-time security observability and continuous monitoring is like flying blind. You have no insight into what is happening in your environment, and no way to begin mitigation immediately when something goes wrong. You need to monitor application and host-based access to understand the state of your applications over time.

2. Set and continuously monitor configuration settings

Security configurations in cloud environments such as Amazon Direct Connect can be complex, and it is easy to inadvertently open access to your systems and data to the whole world, as all the recent stories about S3 leaks have demonstrated.

Given the changeable (and sometimes volatile) nature of SaaS environments, where services can be created and removed in real time on an ongoing basis, failure to configure services properly and failure to monitor settings can compromise security. Ultimately, this will erode the trust customers place in you to protect their data.

By setting configurations against an established baseline and continuously monitoring them, you can avoid problems when setting up services, and you can detect and respond faster when configuration issues occur.

3. Align security and operational priorities for cloud security solutions and infrastructure

Good security is indistinguishable from good operations. These teams are often at odds inside organizations. Security is sometimes seen as slowing down the business, overly focused on policing the activities of development and operations teams. But security can be a business enabler.

Security should leverage the automated testing tools, security controls, and monitoring within the organization, across network management, user access, infrastructure configuration, and vulnerability management at the application layer. This will move the business forward, reduce risk across the entire attack surface, and maintain operational availability.

16. Use Audit Tools to Secure Data in the Cloud

Jeremey Vance, US Cloud

1. Use audit tools so you know everything you have in the cloud and what all your users are using in the cloud. You can't protect data you don't know about.

2. In addition to knowing what services are running on your network, know how and why those services are being used, by whom, and when.

3. Make the audit process a regular part of network monitoring, not just a one-time event. Also, if you don't have the bandwidth, outsource that audit procedure to a qualified third party such as US Cloud.

17. Most Breaches Start With Simple Insecure Points

Marcus Turner, Chief Architect and CTO at Enola Labs

The cloud is very secure, but to keep your company data safe it is important to configure the cloud correctly.

For AWS specifically, AWS Config is the best-suited tool for doing this. Configured correctly, AWS is one of the most secure cloud computing environments in the world. However, most data breaches are not hackers using complex programs to gain access to critical data; rather, they are simple insecure points, the low-hanging fruit that leaves company data vulnerable.

Even with the best cloud security, human error is often the culprit behind the most critical breaches or protection gaps. Having routines that validate continuous configuration accuracy is the most underutilized and underrated measure for keeping company data secure in the cloud.

18. Ask Your Cloud Vendor Key Security Questions

Brandan Keaveny, Ed.D., Founder of Data Ethics LLC

When exploring the possibility of moving to a cloud-based solution, you should make sure that adequate support is available in the event of a breach. Before signing an agreement with a cloud-based provider, be sure to ask the following questions:

Question: How many third parties does the provider use to facilitate their service?

Reason: Processes and documentation need to be updated to include procedural safeguards and coordination with the cloud-based solution. In addition, the level of security provided by the cloud-based provider should be clearly understood. Higher levels of security need to be added to meet the privacy and security requirements of the data being stored.

Question: How will you be notified if their systems are breached? Will they assist your company in notifying your clients/customers?

Reason: Adding a cloud-based solution to the storage of your data also adds a new dimension of time to factor into the notification requirements that may apply to your data should a breach occur. These timing factors should be incorporated into breach notification procedures and privacy policies.

When switching to the cloud from a locally hosted solution, your security risk assessment process needs to be updated. Before making the switch, a risk assessment should take place to understand the current state of the integrity of the data that will be migrated.

Additionally, research should be done to review how data will be transferred to the cloud environment. Questions to consider include:

Question: Is your data ready for transport?

Reason: The time to conduct a data quality assessment is before migrating data to a cloud-based solution rather than after the fact.

Question: Will this transfer be facilitated by the cloud provider?

Reason: It is important to understand the security parameters that are in place for the transfer of data to the cloud provider, especially when considering large data sets.

19. Secure Your Cloud Account Beyond the Password

Contributed by the team at Dexter Edward

Secure the cloud account itself. All the protection on a server/os/application won’t help if anyone can take over the controls.

Secure access to the compute instances in the cloud.

Use as much of the private cloud network as you can.

Take advantage of monitoring, file auditing, and intrusion detection when offered by cloud providers.

20. Consider Implementing Managed Virtual Desktops

Michael Abboud, CEO, and Founder of TetherView

Natural disasters mixed with cyber threats, data breaches, hardware problems, and the human factor, increase the risk that a business will experience some type of costly outage or disruption.

Moving towards managed virtual desktops delivered via a private cloud, provides a unique opportunity for organizations to reduce costs and provide secure remote access to staff while supporting business continuity initiatives and mitigating the risk of downtime.

Taking advantage of standby virtual desktops, a proper business continuity solution provides businesses with the foundation for security and compliance.

The deployment of virtual desktops provides users with the flexibility to work remotely via a fully-functional browser-based environment while simultaneously allowing IT departments to centrally manage endpoints and lock down business critical data. Performance, security, and compliance are unaffected.

Standby virtual desktops come pre-configured and are ready to be deployed instantaneously, allowing your team to remain “business as usual” during a sudden disaster.

In addition to this, you should ensure regular data audits and backups

If you don’t know what is in your cloud, now is the time to find out. It’s essential to frequently audit your data and ensure everything is backed up. You’ll also want to consider who has access to this data. Old employees or those who no longer need access should have their permissions revoked.

It’s important to also use the latest security measures, such as multi-factor authentication and default encryption. Always keep your employees up to speed with these measures and train them to spot potential threats that way they know how to deal with them right away.

21. Be Aware of a Provider’s Security Policies

Jeff Bittner, Founder and President of Exit technologies

Many, if not most, businesses will continue to expand in the cloud, while relying on on-premise infrastructure for a variety of reasons, ranging from simple cost/benefit advantages to reluctance to entrust key mission-critical data or systems into the hands of third-party cloud services providers. Keeping track of what assets are where in this hybrid environment can be tricky and result in security gaps.

Responsibility for security in the cloud is shared between the service provider and the subscriber. So, the subscriber needs to be aware not only of the service provider’s security policies, but also such mundane matters as hardware refresh cycles.

Cyber attackers have become adept at finding and exploiting gaps in older operating systems and applications that may be obsolete, or which are no longer updated. Now, with the disclosure of the Spectre and Meltdown vulnerabilities, we also have to worry about threats that could exploit errors or oversights hard-coded at the chip level.

Hardware such as servers and PCs has a limited life cycle, but often businesses will continue to operate these systems after vendors begin to withdraw support and discontinue firmware and software updates needed to counter new security threats.

In addition to being aware of what their cloud provider is doing, the business must keep track of its own assets and refresh them or decommission them as needed. When computer systems are repurposed for non-critical purposes, it is too easy for them to fall outside of risk management and security oversight.

22. Encrypt Backups Before Sending to the Cloud

Mikkel Wilson, CTO at Oblivious.io

1. File metadata should be secured just as vigilantly as the data itself. Even if an attacker can’t get at the data you’ve stored in the cloud, if they can get, say, all the filenames and file sizes, you’ve leaked important information. For example, if you’re a lawyer and you reveal that you have a file called “michael_cohen_hush_money_payouts.xls” and it’s 15mb in size, this may raise questions you’d rather not answer.

2. Encrypt your backups *before* you upload them to the cloud. Backups are a high-value target for attackers. Many companies, even ones with their own data centers, will store backups in cloud environments like Amazon S3. They’ll even turn on the encryption features of S3. Unfortunately, Amazon stores the encryption keys right along with the data. It’s like locking your car and leaving the keys on the hood.

23. Know Where Your Data Resides To Reduce Cloud Threats

Vikas Aditya, Founder of QuikFynd Inc.

Companies should be aware of where their data is stored these days so that they can proactively identify whether any of that data may be at risk of a breach.

These days, data is being stored in multiple cloud locations and applications in addition to storage devices in business. Companies are adopting cloud storage services such as Google Drive, Dropbox, OneDrive, etc. and online software services for all kind of business processes. This has led to vast fragmentation of company data, and often managers have no idea where all the data may be.

For example, a confidential financial report for the company may get stored in cloud storage because devices are automatically synching with cloud or a sensitive business conversation may happen in cloud-based messaging services such as Slack. While cloud companies have all the right intentions to keep their customer data safe, they are also the prime target because hackers have better ROI in targeting such services where they can potentially get access to data for millions of subscribers.

So, what should a company do?

While they will continue to adopt cloud services and their data will end up in many, many locations, they can use some search and data organization tools that can show them what data exists in these services. Using full-text search capabilities, they can then very quickly find out if any of this information is a potential risk to the company if breached. You cannot protect something if you do not even know where it is. And more importantly, you will not even know if it is stolen. So, companies looking to protect their business data need to take steps at least to be aware of where all their information is.

24. Patch Your Systems Regularly To Avoid Cloud Vulnerabilities

Adam Stern, CEO of Infinitely Virtual

Business users are not defenseless, even in the wake of recent attacks on cloud computing like WannaCry or Petya/NotPetya.

The best antidote is patch management. It is always sound practice to keep systems and servers up to date with patches – it is the shortest path to peace of mind. Indeed, “patch management consciousness” needs to be part of an overarching mantra that security is a process, not an event — a mindset, not a matter of checking boxes and moving on. Vigilance should be everyone’s default mode.

Spam is no one’s friend; be wary of emails from unknown sources – and that means not opening them. Every small and midsize business wins by placing strategic emphasis on security protections, with technologies like clustered firewalls and intrusion detection and prevention systems (IDPS).

25. Security Processes Need Enforcement as Staff Often Fail to Realize the Risk

Murad Mordukhay, CEO of Qencode

1. Security as a Priority

Enforcing security measures can become difficult when working with deadlines or complex new features. In an attempt to drive their products forward, teams often bend the rules outlined in their own security process without realizing the risk they are putting their company into. A well thought out security process needs to be well enforced in order to achieve its goal of keeping your data protected. Companies that include cloud security as a priority in their product development process drastically reduce their exposure to lost data and security threats.

2. Passwords & Encryption

Two important parts of securing your data in the cloud are passwords and encryption.

Poor password management is the most significant opportunity for bad actors to access and gain control of company data. This is usually accomplished through social engineering techniques (like phishing emails), mostly due to poor employee education. Proper employee training and email monitoring processes go a long way in helping expose password information. Additionally, passwords need to be long and include numbers, letters, and symbols. Passwords should never be written down, shared in email, or posted in chat and ticket comments. An additional layer of data protection is achieved through encryption. If your data is being stored in the cloud for long periods, it should be encrypted locally before you send it up. This makes the data practically inaccessible in the small chance it is compromised.

26. Enable Two-factor Authentication

Tim Platt, VP of IT Business Services at Virtual Operations, LLC

For the best cloud server security, we prefer to see Two Factor Authentication (also known as 2FA, multi-factor authentication, or two-step authentication) used wherever possible.

What is it? 2 Factor combines “something you know” with “something you have.” If you need to supply both a password and a unique code sent to your smartphone via text, then you have both those things. Even if someone knows your password, they still can’t get into your account. They would have to know your password and have access to your cell phone. Not impossible, but you have just dramatically made it more difficult for them to hack your account. They will look elsewhere for an easier target. As an example, iCloud and Gmail support 2FA – two services very popular with business users. I recommend everyone use it.

Why is this important for cloud security?

Because cloud services are often not protected by a firewall or other mechanism to control where the service can be accessed from. 2FA is an excellent additional layer to add to security. I should mention as well that some services, such as Salesforce, have a very efficient, easy to use implementation of 2FA that isn’t a significant burden on the user.

27. Do Not Assume Your Data in the Cloud is Backed-Up

Mike Potter, CEO & Co-Founder at Rewind

Backing up data that’s in the cloud: There’s a big misconception around how cloud-based platforms (ex. Shopify, QuickBooks Online, Mailchimp, WordPress) are backed up. Typically, cloud-based apps maintain a disaster recovery cloud backup of the entire platform. If something were to happen to their servers, they would try to recover everyone’s data to the last backup. However, as a user, you don’t have access to their backup to restore your data.

This means that you risk having to manually undo unwanted changes or permanently losing data if:

Having access to a secondary backup of your cloud accounts gives you greater control and freedom over your own data. If something were to happen to the vendor’s servers, or within your individual account, being able to quickly recover your data could save you thousands of dollars in lost revenue, repair costs, and time.

28. Minimize and Verify File Permissions

Randolph Morris, Founder & CTO at Releventure

1. If you are using a cloud-based server, ensure you are monitoring and patching the Spectre vulnerability and its variants. Cloud servers are especially vulnerable. This vulnerability can bypass any cloud security measures put in place, including encryption, for data that is being processed at the time the vulnerability is being utilized as an exploit.

2. Review and tighten up file access for each service. Too often accounts with full access are used to ensure software ‘works’ because they had permission issues in the past. If possible, each service should use its own account and only have restricted permission to access what is vital and just give the minimum required permissions.

29. When Securing Files in the Cloud, Encrypt Data Locally First

Brandon Ackroyd, Founder and Mobile Security Expert at Tiger Mobiles

Most cloud storage users assume such services use their own encryption. They do; Dropbox, for example, uses an excellent encryption system for files.

The problem, however, is because you’re not the one encrypting, you don’t have the decryption key either. Dropbox holds the decryption key so anyone with that same key can decrypt your data. The decryption happens automatically when logged into the Dropbox system so anyone who accesses your account, e.g., via hacking can also get your now non-encrypted data.

The solution to this is that you encrypt your files and data, using an encryption application or software, before sending them to your chosen cloud storage service.

30. Exposed Buckets in AWS S3 are Vulnerable

Todd Bernhard, Product Marketing Manager at CloudCheckr

1. The most common and publicized data breaches in the past year or so have been due to giving the public read access to AWS S3 storage buckets. The default configuration is indeed private, but people tend to make changes and forget about it, and then put confidential data on those exposed buckets.

2. Encrypt data, both in traffic and at rest. In the data center, end users, servers, and application servers might all be in the same building. By contrast, with the Cloud, all traffic goes over the Internet, so you need to encrypt data as it moves around in public. It’s like the difference between mailing a letter in an envelope or sending a postcard whose contents anyone who comes into contact with it can read.
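The exposed-bucket problem described in tip 30 (and the "validate configuration continuously" routine of tip 17), as an added example that is not CloudCheckr's, Enola Labs' or AWS's own code: an offline audit of the two places an S3 bucket becomes public, the bucket policy and the bucket ACL, in the shapes the GetBucketPolicy and GetBucketAcl API calls return. The sample policy and ACL at the bottom are constructed.

```python
"""Offline audit of S3 bucket configuration for public exposure.

Added example; not CloudCheckr's, Enola Labs', or AWS's own code. Checks
the bucket policy and bucket ACL as returned by GetBucketPolicy and
GetBucketAcl. The sample documents at the bottom are constructed.
"""
import json

# ACL grantee URIs that mean "everyone" (anonymous) and "any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anonymous users",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """Principal "*" or {"AWS": "*"} (or a list containing "*") is public."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_findings(policy) -> list:
    """Findings for Allow statements granted to everyone.

    `policy` is the JSON string GetBucketPolicy returns, or a parsed dict.
    A statement with a Condition is flagged for review rather than as
    public: conditions such as aws:SourceIp can narrow "*" to a private
    range, so a human has to look at it.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            findings.append(f"REVIEW policy {sid}: public principal for {actions}, limited by Condition")
        else:
            findings.append(f"PUBLIC policy {sid}: anyone may {actions}")
    return findings


def acl_findings(acl: dict) -> list:
    """Findings for ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        who = PUBLIC_GRANTEE_URIS.get(grant.get("Grantee", {}).get("URI"))
        if who:
            findings.append(f"PUBLIC acl: {who} have {grant.get('Permission')}")
    return findings


def audit_bucket(name: str, policy, acl: dict) -> list:
    """Run both checks for one bucket; an empty list means nothing is public."""
    findings = policy_findings(policy) if policy else []
    findings += acl_findings(acl)
    return [f"{name}: {f}" for f in findings]


# Constructed sample: one statement opened to the world for reads, a second
# restricted by source IP, and an ACL granting READ to any AWS account.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
})
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "READ"}]}

if __name__ == "__main__":
    print("\n".join(audit_bucket("example-bucket", SAMPLE_POLICY, SAMPLE_ACL)))
```

In a real account the same functions would be fed the output of the S3 API for every bucket on a schedule, which is the continuous validation tip 17 recommends.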

31. Use the Gold-standard of Encryption

Jeff Capone, CEO of SecureCircle

There’s a false sense of privacy being felt by businesses using cloud-based services like Gmail and Dropbox to communicate and share information. Because these services are cloud-based and accessible by password, it’s automatically assumed that the communications and files being shared are secure and private. The reality is – they aren’t.

One way in which organizations can be sure to secure their data is in using new encryption methods such as end-to-end encryption for emailing and file sharing. It’s considered the “gold standard” method with no central points of attack – meaning it protects user data even when the server is breached.

These advanced encryption methods will be most useful for businesses when used in conjunction with well-aligned internal policies. For example, decentralizing access to data when possible, minimizing or eliminating accounts with privileged access, and carefully considering the risks when deciding to share data or use SaaS services.

32. Have Comprehensive Access Controls in Place

Randy Battat, Founder and CEO, PreVeil

All cloud providers have the capability of establishing access controls to your data. This is essentially a listing of those who have access to the data. Ensure that “anonymous” access is disabled and that you have provided access only to those authenticated accounts that need access.

Besides that, you should utilize encryption to ensure your data stays protected and stays away from prying eyes. There is a multitude of options available depending on your cloud provider. Balance the utility of accessing data with the need to protect it – some methods are more secure than others, like utilizing a client-side key and encryption process. Then, even if someone has access to the data (see point #1), they only have access to the encrypted version and must still have a key to decrypt it.

Ensure continuous compliance to your governance policies. Once you have implemented the items above and have laid out your myriad of other security and protection standards, ensure that you remain in compliance with your policies. As many organizations have experienced with cloud data breaches, the risk is not with the cloud provider platform. It’s what their staff does with the platform. Ensure compliance by monitoring for changes, or better yet, implement tools to monitor the cloud with automated corrective actions should your environment experience configuration drift.

33. 5 Fundamentals to Keep Data Secure in the Cloud

David Gugick, VP of Product Management at CloudBerry

34. Ensure a Secure Multi-Tenant Environment

Anthony Dezilva, CISO at PhoenixNAP

When we think of the cloud, we think of two things: cost savings due to efficiencies gained by using a shared infrastructure, and cloud storage security risk.

Although many published breaches are attributed to cloud-based environment misconfiguration, I would be surprised if this number was more than the reported breaches of non-cloud-based environments.

The best cloud service providers have a vested interest in creating a secure multi-tenant environment. Their aggregate spending on creating these environments is far more significant than most companies’ IT budgets, let alone their security budgets. Therefore I would argue that a cloud environment configured correctly provides a far higher level of security than anything a small to medium-sized business can create on-prem.

Furthermore, in an environment where security talent is in grave shortage, there is no way an organization can find, let alone afford, the security talent they need. The result is the next best thing: create a business associate relationship with a provider that not only has a strong, secure infrastructure but also provides cloud monitoring security solutions.

Cloud Computing Threats and Vulnerabilities: Need to Know

