Cloud Security: Five Lessons from Black Hat Conference

Keywords: cloud computing, vulnerability

To some extent, the outbreak of the economic crisis made cloud computing the hottest topic. Start-ups and small companies began to use virtual machines on the Internet to save costs. Large companies also moved applications such as customer relationship management systems into clouds run by service providers such as Salesforce.com. But experts warn that security vigilance is always required when migrating infrastructure to the cloud.

Haroon Meer, technical director at SensePost, a world-renowned security firm, stated at Black Hat that "while low-end customers in cloud computing can save costs, it is extremely dangerous for high-end users to use it without any review." He said his team conducted an in-depth study of Amazon's EC2. The results show that most companies do not scan machines provided by third parties, making it easy for malicious instances to use Trojans to access these companies' internal networks.

With these traps in mind, here are five lessons from the Black Hat presentation.


1. Cloud computing rarely provides legal protection


Companies that use cloud computing need to recognize that data in the cloud is subject to laws and regulations, and that the government may search and copy the data without a summons. According to Alex Stamos, chief security adviser at iSec, cloud providers are more concerned with protecting themselves than their customers, so companies should not pin too much hope on the legal protection clauses written into service agreements.

Stamos said: "All cloud service providers have a well-trained legal team. When you sign a service agreement, you basically have nothing at all. If the service provider can not use the service properly, you can not complain about the service provider. Service providers do not assume any responsibility for data loss due to errors in the data center." It looks like an unequal treaty. But at the same time, he added, security issues that cloud service providers find are often fixed right away, and customers can get some help if the request is worded well.

2. The hardware is not yours

Stamos warns that if you want to audit and test your service providers, keep in mind that the hardware is not your own. You need explicit permission from the cloud service provider for vulnerability scanning and penetration testing; otherwise the customer will be regarded as attacking the system. Amazon's service agreement clearly states that customers can test on the system, which is very important: with a clear agreement allowing it, using those machines for testing is legally protected.

3. You need a strong strategy and user education

Cloud computing offers huge benefits to businesses, such as access to data from anywhere, which solves a major problem for IT maintainers. But an always-online service is also more vulnerable to phishing attacks. Risk education for end users is therefore particularly important, not only for the users themselves but also for the company. However, it is very difficult to educate non-technical staff who have not dealt with phishing attacks. In the SaaS model, phishing is not only a personal issue but also a big problem for the enterprise.

4. Do not trust the virtual machine instance

SensePost's Meer said, "Companies should not trust these systems when using service-provided virtual machines, such as instances created by third-party vendors on the Amazon EC2 platform."

The company's researchers scanned a large number of preconfigured instances and found authentication keys left in the cache, as well as credit card data and malicious code hidden in the systems. They also found that most users did not care about security issues.

Meer recommends that companies establish their own internal certification mechanisms to protect themselves technically and legally.
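A company can run a check of this kind itself before trusting a third-party image. The following is an added example, not code from the talk or the article: it assumes the image's filesystem is mounted read-only at a local path, and the function names and finding labels are hypothetical.

```python
import os
import re
import tempfile

PEM_PRIVATE = re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")
PAN_CANDIDATE = re.compile(rb"(?<!\d)\d{13,16}(?!\d)")  # card-length digit runs

def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum; filters out digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = (ch - 48) * (2 if i % 2 else 1)  # double every second digit
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def audit_image(root: str, max_bytes: int = 1 << 20) -> list[tuple[str, str]]:
    """Scan a mounted image tree; return sorted (finding, relative path) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):  # does not follow dir symlinks
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                data = fh.read(max_bytes)  # only the first max_bytes are checked
            if name == "authorized_keys" and data.strip():
                findings.append(("preinstalled-ssh-access", rel))
            if PEM_PRIVATE.search(data):
                findings.append(("private-key", rel))
            if any(luhn_ok(m.group()) for m in PAN_CANDIDATE.finditer(data)):
                findings.append(("card-number-like", rel))
    return sorted(findings)

def demo() -> list[tuple[str, str]]:
    """Run the audit over a constructed tree standing in for a mounted image."""
    samples = {  # constructed sample files, not real keys or card data
        "root/.ssh/authorized_keys": b"ssh-rsa AAAAB3-constructed publisher@build\n",
        "home/app/deploy.pem": b"-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n",
        "var/tmp/orders.csv": b"id,pan\n1,4111111111111111\n2,1234567890123456\n",
        "etc/hostname": b"image-build\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(body)
        return audit_image(root)
```

Any finding is a reason to reject the image or rebuild it from a known-clean base; an empty result only means these three patterns were not present.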

5. Reconsider your assumptions about cloud computing

When considering security, enterprise information managers need to rethink their previous assumptions about cloud security. For example, when deploying a computer instance in a virtual data center, virtual systems have far fewer average available resources than physical systems and are generally not as good as you expect, so you can guess that when resources are randomly assigned Limited

Source: http://www.infoworld.com/d/cloud-computing/5-lessons-dark-side-cloud-computing-669?source=rss_infoworld_news
Original text: 5 lessons from the dark side of cloud computing
Author: Robert Lemos
