Cloud storage has become a popular product in every area, business and home alike. Services like Amazon S3, Box, Copiun, and Thru offer feature-rich products that make it easy for users to back up, sync, and store documents and files. Ordinary consumers have little to worry about when using such services, but organizations choosing a cloud storage service face many security issues that need to be addressed, from encryption to data lifecycle management. A growing area of focus for businesses is defining and controlling the methods used to access cloud-based storage and the controls applied when implementing it. This article focuses on why cloud storage access control is an important issue, and what issues businesses should consider when designing and implementing cloud storage access control and architecture. We will also discuss how to assess access control in the context of cloud providers.
Cloud Storage Access Control
Whether you are a cloud provider administrator or an enterprise user, managing access control should be a top priority. For example, at Black Hat Europe 2013 Jacob Williams presented on using Dropbox for malware delivery and command and control, and explained that unrestricted access to cloud repositories is dangerous and can lead to data breaches. In 2012, Mat Honan's iCloud account was hijacked; social engineering was used in the breach, and keystroke logging may also have been involved. Incidents like these, many of them consumer-focused, keep access control at the top of the priority list. Restrictions on who can access cloud storage, how it can be accessed, and from where should all be treated as key issues when evaluating cloud storage solutions.
The following are questions companies should ask about the access control mechanisms when implementing cloud storage services:
· Are user passwords held by management tools and other management applications stored in encrypted form? If so, what type of encryption is used, and is it tested regularly? Does the storage management application allow password length, composition, and maximum age to be set and enforced?
· What types of secure connection does the cloud storage infrastructure support? Does it support common secure communication protocols such as SSLv3, TLS, and SSH?
· Are active user sessions timed out? Without a reasonable timeout, an idle client endpoint is exposed to session hijacking, which is a serious risk.
· Do the management tools support multiple administrator configurations and provide fine-grained security?
Managing Application Access and Configuration
Cloud storage administrator access should be restricted through configuration options based on time, date, and capability. All administrator operations should be logged for auditing and alerting, and these logs should be made available to the organization's security team. Are the cloud storage management applications capable of defining fine-grained roles and privileges? This capability should be considered mandatory in order to maintain proper segregation of duties and enforce the principle of least privilege.
Beyond these key questions, the overall design and architecture of the cloud storage access methods should be carefully examined. One approach businesses can consider is CloudCapsule, a new approach to cloud storage access control proposed by the Georgia Institute of Technology Center for Information Security (GTISC) in Emerging Network Threats 2014. CloudCapsule uses a local secure virtual machine that gives users access to cloud storage and encrypts data before it is sent. This separates, to a degree, the user's local system from its data exchanges with the cloud service, and ensures that any data sent to the cloud environment is encrypted automatically. Following the model developed by GTISC, many organizations today require that all cloud storage services be accessed only through virtual desktop infrastructure (VDI) virtual machines, where data loss prevention (DLP) policies can be applied for control and scanning. Encrypted gateways that interface directly with cloud storage providers are also gaining in popularity.
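As an added illustration, and not code from the article or from any vendor or research group it mentions, the following Python snippet models three of the controls discussed above inside a storage management application: an idle-session timeout, fine-grained roles that enforce least privilege and segregation of duties, and an audit trail of every administrator operation, allowed or denied. The role names, privilege strings, the 15-minute timeout, the fixed clock and the user names are all constructed for this example.

```python
"""Added example (not from the article): a minimal administrative session
store for a cloud-storage management application, demonstrating three of the
controls discussed above: idle-session timeout, fine-grained roles with least
privilege, and an audit trail of every administrator operation.
Role names, privilege strings, the timeout value and user names are
constructed for this example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets

# Assumption: sessions idle for longer than this are invalidated.
IDLE_TIMEOUT = timedelta(minutes=15)

# Fine-grained roles: each role carries only the privileges it needs.
# The auditor can read the audit trail but cannot change storage, so the
# person reviewing administrator actions cannot also perform them.
ROLES = {
    "storage-admin": {"bucket:create", "bucket:delete", "object:read", "object:write"},
    "auditor": {"audit:read", "object:read"},
    "helpdesk": {"user:reset-password"},
}

# Fixed clock so the walkthrough is reproducible (constructed value).
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def minutes(n):
    return timedelta(minutes=n)


class AccessDenied(Exception):
    pass


class SessionExpired(Exception):
    pass


@dataclass
class Session:
    user: str
    role: str
    last_activity: datetime


@dataclass
class AdminConsole:
    sessions: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _audit(self, now, user, action, result):
        # Every administrator operation, allowed or denied, is recorded so the
        # security team can review it and alert on it.
        self.audit_log.append(
            {"ts": now.isoformat(), "user": user, "action": action, "result": result}
        )

    def login(self, user, role, now):
        if role not in ROLES:
            raise AccessDenied(f"unknown role {role!r}")
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self.sessions[token] = Session(user, role, now)
        self._audit(now, user, "login", "ok")
        return token

    def perform(self, token, action, now):
        """Authorise one operation for the session behind `token`."""
        session = self.sessions.get(token)
        if session is None:
            raise AccessDenied("unknown or expired session")
        if now - session.last_activity > IDLE_TIMEOUT:
            # Idle timeout: drop the session so a hijacked idle client is useless.
            del self.sessions[token]
            self._audit(now, session.user, action, "denied: idle session expired")
            raise SessionExpired(session.user)
        if action not in ROLES[session.role]:
            # Least privilege: the role does not include this action.
            self._audit(now, session.user, action, f"denied: not in role {session.role}")
            raise AccessDenied(action)
        session.last_activity = now
        self._audit(now, session.user, action, "ok")
        return True


def demo():
    """Exercise the three controls and return the observed outcomes."""
    console = AdminConsole()
    results = {}
    token = console.login("alice", "auditor", T0)
    results["read_allowed"] = console.perform(token, "object:read", T0 + minutes(5))
    try:
        console.perform(token, "bucket:delete", T0 + minutes(6))
        results["delete_by_auditor"] = "allowed"
    except AccessDenied:
        results["delete_by_auditor"] = "denied"
    try:
        console.perform(token, "object:read", T0 + minutes(30))
        results["after_idle"] = "allowed"
    except SessionExpired:
        results["after_idle"] = "expired"
    results["audit_entries"] = len(console.audit_log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints the outcome of each check; note that a denied request does not refresh the session's last-activity time, so a client that only sends rejected requests still times out, and that the expired session is deleted rather than merely flagged, so its token cannot be replayed later.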
Commercial encryption gateways such as the CipherCloud agent can automatically encrypt data sent to Amazon's S3, RDS, and EBS storage services, as well as data sent to storage providers such as Box. Endpoint security tools such as application whitelisting and DLP proxies can also be used to restrict the installation of cloud storage clients, and newer web-based monitoring tools such as Skyhigh Networks can monitor and control access to cloud storage services.
Provider Control
We have covered how an organization should look at its own cloud storage access control, but the access control measures within the cloud provider's environment should also be carefully evaluated. When assessing cloud storage providers, look for some well-established access control and data protection practices. First, management users, especially storage administrators, should access storage components and internal areas only as required, using strong authentication methods. Provider storage environments should take full advantage of isolation and segmentation technologies such as secure partitioning, fabric authentication of switches and hosts that goes beyond World Wide Names or iSCSI Qualified Names, and separate security management for switches and for the fabric as a whole. Cloud service providers should also ensure that each customer's systems are separated, logically or physically, from other networks, and that Internet access, production databases, development and staging areas, and internal applications and components each sit in a separate firewall zone.
Conclusion
Although cloud-based storage offers many advantages for enterprises, there are many security risks that cannot be ignored before transferring valuable data to a cloud storage provider. Fortunately, more and more security vendors can help organizations apply proper access control to cloud storage. As long as enterprises prepare in advance and ensure that the issues above are properly addressed, cloud storage can be a great advantage for them.