Cloud security issues and precautionary measures inventory

Problems faced by cloud security

The first is the technology and management problem under the virtualization environment.

Traditional protection mechanism based on physical security boundary is difficult to effectively protect user application and information security based on shared virtualization environment. In addition, the cloud computing system is so large, and mainly through the virtual machine to calculate, in the event of failure, how to quickly locate the problem is also a major challenge.

Secondly, it is the problem that the service model of cloud computing separates the ownership, management and right of use of the resources.

Cloud computing, a new service model, separates the ownership, management, and use of resources, so users lose direct control of their physical resources and face some security issues (mainly trust issues) that collaborate with cloud providers, such as whether users will face cloud service exit barriers, Incomplete and unsafe data deletion can cause harm to users, and how to define the different responsibilities of users and service providers is a big problem.

Third, the security problems caused by cloud computing platforms.

Cloud computing platform has gathered a large number of user applications and data resources, more easily attract hacker attacks, and failure once occurred, the impact of more scope, the consequences more serious. In addition, its openness to the security of the interface also put forward some requirements. In addition, the cloud computing platform integrates a number of tenants, how the information resources between the tenants of the security isolation, the service specialization caused by multiple layers of subcontracting caused by security issues.

How to solve cloud security problems

I. Establishment of security measures

The fundamental challenge of application security already exists before the cloud is implemented. Therefore, there is considerable research on how to improve the deployment of safe and robust applications. Having a technology that provides direct support is called application Threat modeling. Some good points are the Owasp Threat Modeling page and the Microsoft Security Development Lifecycle Resource page. From a tool's point of view, it is free cross-site scripting (XSS) and SQL injection. An enterprise with internal tools can apply it to the security of the cloud, or many cloud vendors offer customers a tool with similar functionality at a free or discounted price. And when companies want to use a broader scanning strategy, they can also use free tools such as Google's skipfish.

Second, scanning network applications

Many companies have accepted application scans, a network application scanning tool that addresses common security issues such as Cross-platform scripting (XSS) and SQL import. An enterprise with internal tools can apply it to cloud security measures, or many cloud vendors offer customers a tool that provides similar functionality at a free or discounted price. And when companies want to use a broader scanning strategy, they can also use free tools such as Google's skipfish.

III. Training of Developers

It is critical that application developers fully master the principles of application security. This can include language-level training, which they currently use to build the security coding principles in the language used by the application, as well as broader issues such as security design principles. Because of the downsizing and mobility of developers, which often require that training be repeated regularly and maintained as normal, the security training costs of developer applications may be more expensive. Fortunately, there are some free resources, such as the Texasa&m/fema domestic Preparedness Campus program, which provides free e-learning materials for security software development. Microsoft also offers free training through its Clinic2806: Microsoft Developer Security Knowledge Training, which is an entry-level training material to start your own custom program.

Four, has the specialized test data

This is always happening: developers use production data for testing. This is a problem that needs to be understood correctly because confidential data, such as customer-identifiable data, can leak during testing, especially if the same security measures are not implemented in the development or commissioning environment as in the production environment. The cloud is more environmentally sensitive, and many cloud services make it easier to deploy, test-run, and database sharing between production to simplify deployment. Tools such as open source databenebenerator can produce high-capacity data that matches the specific structure of your database, and data format adjustments help to have dedicated production data. Typically, these processes belong to a specific framework, so you need to be aware of finding a job that works in your particular environment.

V. Re-aligning priorities

This last step is the most important step you can implement. Since the cloud may mean a cultural and priority adjustment, then accept the adjustment accordingly and incorporate it into your own mental and behavioral system. With the cloud, all are related to the application, which means that the organization's security will be highly dependent on the development team in the organization. If this is not a cloud problem, it will be a nightmare, because at the infrastructure level you cannot implement measures to mitigate the identified risks. If you have been relying on infrastructure-level control to meet security challenges at the application level, it is time to reconsider.