Cloud storage access control measures combat experience

Source: Internet
Author: User
Keywords: cloud computing, cloud storage

Although ordinary consumers need not worry much when using such services, an enterprise choosing a cloud storage service has many security issues to address, from encryption to data lifecycle management. An emerging area of enterprise focus is defining and controlling how cloud storage is accessed, and how those controls are implemented.

In this article, we explain why cloud storage access control is an important issue and what enterprises should consider when designing and implementing cloud storage access control and its architecture. We also discuss how to evaluate the access control measures on the cloud provider's side.

Cloud storage access control measures

Managing access control should be a primary concern, whether for a cloud provider administrator or an enterprise user. For example, at Black Hat Europe 2013 Jacob Williams presented on using Dropbox for malware delivery and command and control, and on the danger that unrestricted access to a cloud repository can lead to data leaks.

In 2012, Mat Honan's iCloud account was hijacked, a breach that used social engineering techniques and possibly involved a keyboard profile. Although these are consumer-centric examples, they keep access control issues front and center. Restricting who can access cloud storage, how it is accessed, and from where it is accessed should be treated as a key issue when evaluating cloud storage scenarios.

The following are the access control questions an enterprise should pay attention to when implementing cloud storage services:

Are the user passwords for administrative tools and other administrative applications stored in encrypted form? If so, what type of encryption is used, and is it tested regularly? In addition, does the storage management application allow password length, type, and duration to be configured and enforced?

What types of secure connections does the cloud storage infrastructure support? Are common secure communication protocols such as SSLv3, TLS, and SSH supported?

Do active user sessions time out? Without a reasonable timeout, an idle client session can be hijacked, which is a serious risk.

Do the management tools support multiple administrator configurations to provide fine-grained security levels? Applications that manage access to and configuration of cloud storage should offer options to limit administrator access by time, date, and function. All administrator actions should be logged for auditing and alerting, and these records should be made available to the enterprise security team.

Does the cloud storage management application have the ability to define fine-grained roles and privileges? This ability should be considered mandatory in order to maintain proper segregation of duties and enforce the principle of least privilege.
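As an added example (not from the article or any vendor), the questions above expressed as an automated check over a constructed storage-management configuration. The thresholds (12-character minimum, 30-minute idle timeout) are assumptions, and the deprecated-protocol list follows RFC 7568 (SSLv3) and RFC 8996 (TLS 1.0/1.1).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Thresholds and lists are assumptions for this example, not values from the article.
WEAK_HASHES = {"plaintext", "md5", "sha1"}                       # unsuitable for password storage
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}  # per RFC 7568 and RFC 8996
MIN_PASSWORD_LENGTH = 12
MAX_IDLE_MINUTES = 30

@dataclass
class StorageAdminConfig:
    password_hash: str                    # how admin passwords are stored
    min_password_length: int
    password_max_age_days: Optional[int]  # None: password duration not enforced
    protocols: Set[str]                   # protocols the management interface accepts
    session_idle_timeout_min: Optional[int]
    admin_roles: Dict[str, Set[str]]      # role name -> privileges it grants ("*" = all)
    audit_log_forwarding: bool            # admin actions sent to the security team

def evaluate(cfg: StorageAdminConfig) -> List[str]:
    """Return one finding per checklist question the configuration fails."""
    findings = []
    if cfg.password_hash.lower() in WEAK_HASHES:
        findings.append(f"passwords stored with {cfg.password_hash}: use a salted slow hash")
    if cfg.min_password_length < MIN_PASSWORD_LENGTH:
        findings.append(f"minimum password length {cfg.min_password_length} is below {MIN_PASSWORD_LENGTH}")
    if cfg.password_max_age_days is None:
        findings.append("password duration is not enforced")
    for proto in sorted(cfg.protocols & DEPRECATED_PROTOCOLS):
        findings.append(f"deprecated protocol enabled: {proto}")
    if cfg.session_idle_timeout_min is None or cfg.session_idle_timeout_min > MAX_IDLE_MINUTES:
        findings.append("no usable idle session timeout: idle sessions can be hijacked")
    for role, privs in cfg.admin_roles.items():
        if "*" in privs:
            findings.append(f"role {role!r} grants every privilege: violates least privilege")
    if not cfg.audit_log_forwarding:
        findings.append("admin actions are not forwarded for auditing and alerting")
    return findings

# Constructed sample configuration that fails several of the questions above.
SAMPLE = StorageAdminConfig(
    password_hash="MD5", min_password_length=8, password_max_age_days=None,
    protocols={"SSLv3", "TLSv1.2", "SSH"}, session_idle_timeout_min=None,
    admin_roles={"superadmin": {"*"}, "auditor": {"read_logs"}},
    audit_log_forwarding=False,
)
if __name__ == "__main__":
    for finding in evaluate(SAMPLE):
        print("FINDING:", finding)
```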

In addition to these key questions, you should carefully review the overall design and architecture of how the cloud storage infrastructure is accessed. One approach companies can consider is "cloudcapsule," a new approach to cloud storage access control presented by the Georgia Tech Information Security Center (GTISC) in its 2014 Emerging Network Threat report. Cloudcapsule uses a local secure virtual machine through which users access cloud storage, and data is automatically encrypted before it is sent. In this way the user's local system is separated to some extent from the data exchange with the cloud service, and any data sent to the cloud environment is automatically encrypted. Following the model developed by GTISC, many organizations now require that all cloud storage services be accessed through virtual desktops in a virtual desktop infrastructure, where access can be controlled and scanned using data loss protection (DLP) policies.

Encryption gateways that connect directly to cloud storage providers are also gaining popularity. For example, the CipherCloud agent can automatically encrypt data sent to Amazon's S3, RDS, and EBS storage services, as well as data sent to a storage provider such as Box. Endpoint security tools such as whitelisting and DLP agents can also be used to restrict the installation of cloud storage clients, and newer web-based monitoring tools such as Skyhigh Networks can monitor and control access to cloud storage services.

Provider control

We have looked at how an organization examines its own cloud storage access control, but the access control measures within the cloud provider's environment should also be carefully evaluated. When evaluating cloud storage providers, check that the following access control and data protection policies are properly in place:

1. Administrative users, especially storage administrators, should use strong authentication methods when accessing storage components and internal zones.

2. The provider's storage environment should take full advantage of isolation and segmentation techniques, such as security zoning, switch and host fabric authentication that goes beyond World Wide Name or iSCSI Qualified Name values, and separate switches and fabrics for security management.

3. Cloud service providers should also ensure that each customer's service systems are separated, logically or physically, from other network areas, with separate firewall zones for Internet access, production databases, development and staging areas, and internal applications and components.

Conclusion

While cloud storage offers many advantages for the enterprise, there are security risks that cannot be overlooked before migrating data to a cloud storage provider. Fortunately, more and more security vendors can help organizations apply appropriate access control to cloud storage. As long as the enterprise prepares in advance and ensures the issues above are properly addressed, cloud storage is a good tool for the enterprise.
