Authoritative release: The biggest threat to cloud security and its solutions

The "51cto.com exclusive translation" Cloud Security Alliance (Cloud) released its first concise report on cloud security risk and a more lengthy "critical regional Security Guide" for the CSA (download address: http:// cloudsecurityalliance.org/ Csaguide.pdf, for the largest threat listed in the report, CSA Condensed 76 pages of security guidance to 7 of the most common, most dangerous threats, according to the description of these threats, CSA also proposed a number of strategies to minimize losses. Users should also check whether the cloud service provider has a solution for each threat. CSA is an organization composed of security experts and researchers from different technology companies. 498) this.width=498 ' OnMouseWheel = ' javascript:return big (This) ' height=301 alt= ' "src=" http://images.51cto.com/ Files/uploadimg/20100309/1523390.jpg "width=406 border=0> Figure 1 Cloud security threats have not stopped the threat list: Threat 1: Misuse and malicious use of cloud computing threat 2: Unsafe interfaces and API Threats 3: Hostile Insider threats 4: Infrastructure sharing threat 5: Data loss or disclosure Threat 6: Account or Service hijacking threat 7: Unknown risk threat 1: Misuse and malicious use of cloud computing network crime Open tend to steal bank card passwords and credit card numbers, malware such as Zeus and Infostealing Trojan will become more powerful in the cloud, spammers and malicious code authors can use the cloud Services anonymous registration and cloud service model for cybercrime. Solution: Rigorously design the first registration and verification process, implement credit card fraud monitoring and coordination, monitor the public blacklist, and see if your own network is blocked as spam and malware sources. Threat 2: Unsafe interfaces and API unsafe APIs are often the result of recycling old code to improve development speed, quality and security are not guaranteed, Third-party Plug-ins on the API may also introduce more complexity and more risk. Workaround: Understand the dependency chain associated with the API and ensure strong access control in addition to encrypted transmissions. Threat 3: Hostile insiders. This is a well-known threat, when a person penetrates into the organization, attacks from within the organization, the harm is greater, if the company uses cloud services, the threat will be further amplified, as the cloud services continue to grow, leaving service providers to do background checks less time. Solution: Slow down, do a more thorough inspection, and define the employee's legal liability on the contract by HR, and is entitled to be sent to the judiciary in the event of a security breach. Threat 4: Infrastructure sharing problems IAAS vendors use shared, non-isolated infrastructure, and when an attacker succeeds, all servers open the door to attackers, and some client operating systems can gain access to the underlying platform without control, even with hypervisor. Solution: Develop a strong zoning and defense strategy, and IAAS vendors must monitor the environment for unauthorized modifications and activities. Threat 5: Data loss or growing data interaction in a leaking cloud magnifies the risk of data loss because it is difficult to monitor and control what is happening without proper security control and data monitoring, which increases the likelihood of misplaced context records, loss of encoding keys, and accidental deletion of data. Workaround: Have a well-defined, well-organized key generation, storage, management, and destruction strategy. Threat 6: Account or service hijacking many common attack methods can still obtain reusable credentials from the attacker, and in a cloud environment, if an attacker can get your credentials, they can see your activity, process the data, and cause problems to the cloud service provider client. Workaround: Disable credential sharing between users and services, and use powerful dual-factor authentication techniques to proactively check for unauthorized activity. Threat 7: Unknown risk unknown security vulnerabilities are real dangers in the cloud, software versions, security practices, code updates, vulnerability research, and intrusion attempts are important factors in eliminating security risks. Understanding this area requires more work and investigation, and doing well in this area is half the success. Solution: Identify your security status, provide maximum transparency to your customers, and let them know how to configure the system or patch the hosted software in a timely fashion. "51cto.com exclusive translation, reproduced please specify the source and the author!" "" "" Editorial Recommendation "rising Cloud security plan new card into the core of the Trojan Horse 200 million virus rampant network trends to ask" cloud security "" responsible editor: Xu Fengli TEL: (010) 68476606 "Original: Authoritative release: Cloud security biggest threat and solution return to network security home