Cloud Security: Technology, procedures, responsibility

From foreign media sources, Thoran Rodrigues the discussion of cloud security and overthrew the three essential elements of working together to achieve a comprehensive security strategy.

The security issue of cloud computing is one of the topics that the company is most concerned about. The question of cloud security is much more complex than simply "cloud computing security". A cloud computing application can be hosted in a secure environment where data is properly encrypted, but attackers can still access your information through social engineering. On the other hand, you can have the safest password protection in the world, but once the hosting environment is compromised, you will still lose data. Any appropriate way to address the cloud security issues that exist today must address three aspects of security: technology, process, and responsibility. Another important factor to consider is that the details and key points of the three are closely related to each other, and the change depends on where we are in the cloud stack. Whether it's a security level requirement for the cloud platform, or a cloud infrastructure build, creating secure cloud software requirements is very different.

The first step in technology is to use the right technology to secure applications and data. "Appropriate technology" depends to a large extent on the kind of cloud we are talking about. For cloud applications, security can be as simple as deploying appropriate security certificates and encrypting them. All sensitive information needs to be properly encrypted so that when an attacker enters your system, the information he steals will still need to be decrypted before it can be used. But just having encrypted passwords is far from enough: as you know, people often use birthday dates as passwords, as well as encrypt passwords. Technology should protect users from harm as much as possible.

One of the most interesting solutions in this space is the Porticor virtual private data. It is essentially an encryption layer that is transparently positioned at the top of any cloud data store and performs cryptographic decryption of dynamic data, such as access data. I suggest that if you are interested in cloud computing applications, look at their solutions.

At the lower level of the cloud stack, cloud security is exactly the same as before the advent of the cloud computing era. The security that the cloud platform needs is just the security of the operating system--avoid hacking into other malicious code that performs sessions or steals data, and so on. In the infrastructure layer, security requires not only the maintenance of virtualized environments, but also the security of the person. Fortunately, most of the top cloud infrastructure providers have a strong sense of security and are reducing the risk from this.

Program if an attacker calls your receptionist and uses her network administrator password to install malicious code on your corporate network, then none of the technologies will save you. In the case of cloud technology, this might actually be true in a private network, and that would not happen in a large enterprise, but it could happen in a staggering number of small and medium-sized enterprises.

For example, if a company is using a Windows Cloud server from Rackspace, it takes a fairly complex password and an activated, updated firewall, and so on. In many cases, people often use passwords such as "password" and "Pass1234" to facilitate memory when setting passwords. (because a secure password must contain uppercase letters and numbers)--and creates an unprotected, linked FTP channel to the server, "just to replicate a small amount of information." Its original intention was to become a secure server, but now it has become a precarious security vulnerability. Having the right security tools is far from enough. Companies need to build a process to put these tools into practice.

The company also underestimated the importance of informing the entire workforce of the right information security policy. Real security can come faster when everyone in the company has a sense of security. The process of security does not begin with technology, but in human beings, and the proper and continuous communication is fundamental.

Responsibility so far, the two aspects that we are talking about are very conventional. However, cloud applications require greater security awareness than traditional internal applications, and the development of this technology requires fairly standard additional security. The same is true for cloud security servers. On the responsibility, cloud security and traditional security have great differences. When a company develops traditional software, it knows its responsibilities. Data centers operate and control software, but anything can happen-data is stolen, servers are attacked, and so on. That is their responsibility. Since it has full control over the environment, they naturally take responsibility for it.

When all this is on cloud computing, the IT department loses control of the environment. That's a good idea. Then they were unwilling to take responsibility for the impending problem. A clear division of responsibilities can help the hosting provider to secure the underlying platform (virtualization layer, personal security, and so on). The rest of the responsibility will fall on the client. But that's not enough. Suppliers need to provide risk assurance, understand the origins of internal IT departments and improve relationships to ease their anxiety.

All these factors need to be considered together, otherwise we have to assume the risk of creating a more complex environment than we do now. In a way, the cloud has the ability to make everything safer by providing benefits or automating conventional security management. On the other hand, data concentration in the hands of a few service providers can increase the attractiveness of the project and increase the sense of responsibility of these companies.

Instead of focusing on technology, programs, or a contract, you can eliminate the cloud's security risks, and everyone who cares about the cloud should see the entire security plan instead of a link.

(Responsible editor: The good of the Legacy)