Cloud security literacy in the five blind spots of cloud security

Source: Internet
Author: User
Keywords: security, audit, cloud security, suppliers

Reading various blogs, IT industry analyses, and media coverage, I find many conflicting points of view. Some authors consider cloud computing to be safer, while others emphasize the new security challenges it brings. Because the concept of the "cloud" is still in its infancy, plausible-sounding arguments are everywhere. Here are the five cloud computing blind spots I hear most often:

Blind spot 1: The virtual private "cloud" provided by an Infrastructure-as-a-Service (IaaS) vendor is as secure as the enterprise's internal data center

The virtual private "cloud" is an emerging concept in the IaaS field: the enterprise connects to its "cloud" resources through a VPN, and the IaaS vendor provides an IP range dedicated to that enterprise. The problem with this approach is that you still share hardware resources and switched networks with other businesses, isolated only by virtual LANs (VLANs). Misconfiguration of that isolation is, however, something one hears about regularly. According to a recent study, 31% of information leaks in Australia are "the result of errors by third-party vendors such as cloud computing or SaaS providers".

Blind spot 2: You do not need more than one IaaS provider

Putting all your eggs in one basket is dangerous if the basket is overturned, and the same is true in cloud computing. Although using a single IaaS provider is easier to manage, it also creates a single point of failure. The risk of relying on a single IaaS vendor is that if that vendor is hit by a distributed denial-of-service (DDoS) attack, the enterprise's operations may be interrupted, as happened in the case of BitBucket.

Another example of a single point of failure (SPOF) is Rackspace, where a truck crashed into a transformer and caused a power outage in a Rackspace data center. Since accidents are unavoidable, it is necessary to have more than one IaaS provider to avoid a single point of failure.

Setting up a backup site is one of the main ways to achieve disaster recovery, and this remains true in the era of cloud computing. Companies may not need a hot-standby failover site, but they should plan and test how to quickly switch operations to a second vendor when needed. Although mechanisms such as Amazon's Availability Zones can reduce these risks, they do not completely eliminate the possibility of a single point of failure.

Blind spot 3: Physical data center security solutions also apply to the private "cloud"

The reasoning goes: the data center's existing perimeter defenses have worked well, and the private "cloud" is protected in the same way, so it should be fine. Unfortunately, this is usually not the case. The private "cloud" has new challenges that a traditional static data center does not have. Virtualization and cloud computing increase the attack surface; shared storage is one example.

There are also new situations, such as a system administrator accidentally using vMotion to move a server from a secure zone into the DMZ. In addition, VLAN configuration errors can leave information improperly isolated. And what about the traffic between VMs within the same vShield zone, which is not monitored at all? In a hybrid "cloud" environment, what happens when an application moves to the cloud with no security protection around its virtual machine? Relying only on the basic firewall rules provided by the IaaS vendor, without even an IPS, may make some businesses uneasy.

Blind spot 4: The "cloud" service provider will be responsible for security

Although SaaS and PaaS service providers usually address security in their terms of service, this is not the case in the IaaS sector. Although an IaaS vendor will take some security measures and emphasize them in its marketing materials, security of the IaaS environment is a responsibility shared between the enterprise and the IaaS vendor, and ultimately that responsibility falls on the enterprise itself. The security section of the IaaS vendor's terms of service should make this clear.

Not only that: even though the vendor assumes some responsibility for security, in the event of an information leak the enterprise itself still bears the ultimate responsibility. After all, it is your information.

Blind spot 5: My "cloud" service provider has a SAS 70 Type II audit, so my information is secure

A SAS 70 Type II audit is a good security baseline and a tool for confirming that security controls were working properly during the audit period, but it does not amount to security, and it may give a false sense of security. The audit looks at past conditions; although past performance is an indicator of the future (at least in data center security), it is not a guarantee of it. Once the company undergoes large-scale or unplanned personnel changes, the previously solid security measures may well collapse overnight. In addition, SAS 70 cannot prevent a disgruntled employee from retaliating against the company or its customers.

A SAS 70 Type II audit cannot check items outside the audit scope. The items on the audit checklist may be tightly controlled, but the vulnerabilities may lie outside the scope of the inspection. Furthermore, an audit of any process cannot cover the people who execute the process. What are the company's hiring practices? A SAS 70 Type II audit does not necessarily cover them. People make mistakes; nobody is perfect.

A SAS 70 audit does not have a standard set of practices. It is an audit designed together with the audited organization to test the controls of a particular business process. Those controls cannot cover everything, so items outside the originally agreed scope, even if they are important to the business service, are not tested. You should therefore be skeptical of a SAS 70 audit before handing a critical business process to any service provider. Moreover, the ideal audit should not focus only on information security but should extend to service continuity, vendor management, backup and recovery, personnel systems, and other areas.

Both the public "cloud" and the private "cloud" can deliver excellent business value by reducing costs and increasing enterprise flexibility. However, it is recommended that you identify the security challenges before you choose one.

(Responsible editor: The good of the Legacy)
