Eight requirements for cloud computing services security

If you are an engineer who is building a new cloud computing service, or a potential user who is evaluating a security policy for a service provider, the following eight commandments will help you avoid security breaches in cloud services that have resulted in theft of account information and disclosure of sensitive information.


　　


don't expect to get a full list of commandments, now this list will only help you narrow the hole to the minimum. If the service requirements are higher than the standard security measures such as HIPAA or PCI specifications, then the manufacturers who cannot comply with these simple rules should be expelled or challenged.


　　


, don't forget to add salt to the password


　　


encrypted salt is a string that is added to a password before it is encrypted with a single function. This is a very important element to protect the password. This June, LinkedIn was surprised to find that 6.5 million users ' passwords were posted on a Russian user forum. These passwords are not salt-free, using a simple dictionary attack or similar techniques to instantly invade a 60% password. In the implementation and operation of the code to add salt is a trivial matter, people often ignore the modern system to add salt to the password.


　　


Two, do not use the MD5 hashing algorithm to encrypt the password


　　


, a chipmaker, admits that 400,000 users on its forum had their passwords stolen at the beginning of July, which were not salted and encrypted with a MD5 hash algorithm. As early as 7 years ago, the famous computer security expert Bruceschneier announced the MD5 failure, at present people generally believe that MD5 "inadequate, bull". The best approach is to require encryption using Cross-platform file encryption tools such as more complex bcrypt.


　　


third, the bad design scheme will also expose sensitive data


　　


New user interface architecture is loose and may become unconscious information disclosure platform. As Ajax technology usage increases, network and mobile applications can often "push" large amounts of data onto end user devices to support multiple views and operations without making new requests. This leads to a better user experience and faster application responsiveness.


　　


However, improper use of these technologies can lead to the disclosure of sensitive information and make systems that appear to be effectively protected more vulnerable.


　　


Four, do not use universal key to encrypt multiuser data


　　


if every room in an office building uses the same lock, the key to each tenant's collar is the same, and no one will hire the office. Similarly, when encrypting sensitive data in cloud computing, you should persist in encrypting it with its own specific key. The use of common encryption keys for multi-user data makes all these users exposed to additional risk of exposure. If there is a successful attack on an object that is encrypted with a common key, then every other object that uses the same common key encryption will be a potential victim.


　　


on a multi-tenant platform, this is particularly important because it is likely that one or more users or tenants intentionally disclose the common key and thus obtain data from other tenants.


　　


Amazon's server-side encryption Support (Serversideencryptionsupport), which uses a common key for storing information for each object, is a reasonably designed paradigm. But not every manufacturer who pays for encrypting sensitive information insists on this stance.


　　


Five, do not use the reset token indefinitely


　　


each individual user and password-related service requires some form of password reset. Password resets generally use the "Reset link" or send a "temporary password" method to the email address of the user who made the Reset password request. Best practice is to make temporary vouchers for state-owned enterprises over time, but most services cannot adhere to this principle.


　　


this month, Yahoo's leaked events show that e-mail accounts are the main targets of virus and malware transmission, identity theft. Design a scientific cloud service should avoid saving a valid password in an e-mail message longer than the necessary password reset time. 15 minutes after the password failure is a good way.


　　


Vi. do not save user passwords on a mobile device or shared workstation


　　


Security issues often give way to end-user requirements for availability in terms of security versus availability. When cloud computing services are installed on a shared workbench or mobile device application, users often want to be able to log on to the cloud service only once. However, if an application allows users to authenticate indefinitely, the user's password must be persisted in an insecure way, making the security of the service dependent on the security of the device.


　　


if the application can save and read the password after restarting or exiting the login, the attacker who accesses the device can do the same. There is a lot of evidence that the actual possession of the equipment should not be equated with the authorized service.


　　


Seven, do not persist identity authentication token


　　


The last commandment solves the problem of user password retention, ensuring that passwords are not stolen because a malicious user accesses the same workstation. This commandment is similar to the last one, but it is a reminder that while we protect our passwords through other persistent methods that allow validation, both of these methods may "delay the time".


　　


Dropbox web site also because of the inability to adhere to this practice, and the media has been negative reports. Dropbox website users found that copying only one file from the victim's computer could secretly get all the files in anyone's account.


　　


eight or one fixed support and the latest process integration


　　


there is a safe old adage that says, " If you make something safer, it becomes more unsafe. "Why?" Because if security gets in the way, well-meaning users will come up with alternative ways to break security. As a result, the password and Recycle Bin glued to the front of the monitor can result in an unmanageable outcome.


　　


We apply these lessons to cloud computing services, meaning that new tools and workflow integrations are needed to support user needs. If you don't want users to load sensitive files from cloud computing services and send sensitive files to co-workers, cloud services must provide a convenient way to distribute and collaborate. If you don't want users to share a common set of credentials, make the authentication and authorization process as simple as possible.


　　


This is only the beginning for cloud computing service providers. Many providers cut corners on safety when entering the market. Today, a proactive approach can be achieved if due diligence is done in assessing the security policies of cloud computing service providers. If you're building cloud services, sticking to these eight commandments will make a good start.