Cloud security's five blind spots revealed

Source: Internet
Author: User
Reading the various blogs, IT industry analyses and media coverage, I have found many conflicting points of view. Some authors consider cloud computing to be safer; others stress the new security challenges it brings. Because the concept of the "cloud" is still in its infancy, plausible-sounding arguments are everywhere. Here are the top five cloud computing blind spots I have heard:

Blind spot 1: The virtual private "cloud" an Infrastructure-as-a-Service (IaaS) vendor provides is as secure as the enterprise's own data center

The virtual private "cloud" is an emerging concept in the IaaS field: the enterprise connects to the "cloud" resources over a VPN, and the IaaS vendor provides a range of IP addresses reserved exclusively for that enterprise. The problem with this approach is that you still share hardware resources and the switched network with other businesses, isolated only by virtual LANs (VLANs). And misconfigurations are not unheard of. According to a recent study, 31% of information leaks in Australia are "the result of errors by third-party vendors such as cloud computing or SaaS providers".

Blind spot 2: You do not need more than one IaaS provider

Putting all your eggs in one basket is dangerous if the basket is overturned, and cloud computing is no different. Using a single IaaS provider is easier to manage, but it also forms a single point of failure. The risk of relying on a single IaaS vendor is that if that vendor is hit by a distributed denial-of-service (DDoS) attack, the enterprise's operations may be interrupted, as happened to BitBucket. Another example of a single point of failure (SPOF) is Rackspace, where a truck crashed into a transformer box and caused a power outage in a Rackspace data center. Since accidents are unavoidable, you need more than one IaaS provider to avoid a single point of failure.

Setting up a backup site is one of the main ways to achieve disaster recovery, and that remains true in the era of cloud computing. Companies may not need a hot standby site, but they should plan and test how to quickly switch operations to a second vendor when needed. Although practices such as Amazon's "Availability Zones" reduce these risks, they do not completely eliminate the possibility of a single point of failure.

Blind spot 3: The security scheme of the physical data center also applies to the private "cloud"

The logic goes: the data center's existing perimeter defenses have worked well, the private "cloud" is protected in the same way, so it should be fine. Unfortunately, that is not usually the case. The private "cloud" brings new challenges that traditional static data centers do not have. Virtualization and cloud computing enlarge the attack surface; shared storage is one example. There are also new situations, such as a system administrator accidentally using VMotion to move a server from a security zone into the DMZ. VLAN configuration errors can also leave information improperly isolated. And how much of the traffic between VMs in the same vShield zone goes unmonitored? In a hybrid "cloud" environment, what happens when an application moves to the cloud with no security protection around its virtual machine? Relying only on the basic firewall rules provided by the IaaS vendor, without even an IPS, may leave some businesses uneasy.

Blind spot 4: The "cloud" service provider is responsible for security

SaaS and PaaS providers generally do provide security as part of the service, but that is not the case in the IaaS area. Although an IaaS vendor takes some security measures and stresses them in its marketing materials, the security of the IaaS environment is the joint responsibility of the enterprise and the IaaS vendor, and ultimately the responsibility falls on the enterprise itself. The security section of the IaaS vendor's terms of service should make this clear. Moreover, even where the supplier assumes responsibility for security, in the event of an information leak the enterprise still bears the ultimate responsibility. After all, it is your data.

Blind spot 5: My "cloud" service provider has a SAS 70 Type II audit, so my information is secure

A SAS 70 Type II audit is a good security baseline and a tool to confirm that security controls were working properly at the time of inspection, but it does not amount to security, and it can give a false sense of it. The audit looks at past conditions; past performance is an indicator of the future (at least in data center security) but not a guarantee of it. Once a company undergoes large-scale or unexpected personnel changes, the previously solid integrity of its security measures may collapse overnight. Nor can SAS 70 prevent disgruntled employees from retaliating against the company or its customers. A SAS 70 Type II audit cannot check items outside its scope: the items on the audit checklist may be tightly controlled, while the vulnerabilities lie outside the scope of the inspection. Furthermore, an audit of any process cannot cover the people who carry out the process. What are the company's hiring practices? A SAS 70 Type II audit does not necessarily cover them, and people make mistakes; they are not perfect. A SAS 70 review does not have a standard set of practices: it is an audit whose scope is defined by the audited organization to test the controls of a particular business process. Those controls cannot cover everything, so items outside the originally defined scope, even if they are important to the business service, are not tested.

Therefore, you should question the SAS 70 audit before handing any critical business process to a service provider. Moreover, the ideal audit should not only focus on information security but extend to service continuity, vendor management, backup and recovery, personnel systems and other areas.

Both the public "cloud" and the private "cloud" can deliver excellent corporate value by reducing costs and increasing the enterprise's flexibility. However, it is recommended that you identify the security challenges before choosing either.

Responsible editor: Xu Fengli
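The misconfiguration cases raised under blind spot 3 (a VM migrated from a security zone into the DMZ, a VLAN error that breaks isolation, east-west traffic inside a zone that nobody watches) are all things an inventory audit can catch before an attacker does. The script below is an added example written for this page, not code from the article or from any vendor's product: it compares each VM's declared security zone with the VLAN it is actually attached to, flags VMs whose traffic is not monitored, and diffs two inventory snapshots to spot a VM whose placement moved across zones. The zone-to-VLAN policy, VM names, hosts and VLAN numbers are all constructed for illustration.

```python
"""
Zone/segment consistency audit for a virtualized or private-cloud estate.

Added example (hypothetical policy and data). Checks that each VM's declared
security zone matches the VLAN it is actually on, that east-west traffic is
captured, and that no VM silently moved across zones between two snapshots.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Hypothetical policy: the VLANs each security zone is allowed to use.
ZONE_VLANS: Dict[str, Set[int]] = {
    "internal": {100, 101},
    "dmz": {200},
    "management": {900},
}


@dataclass(frozen=True)
class VM:
    name: str
    zone: str              # security zone recorded in the CMDB / VM tag
    vlan: int              # VLAN of the port group the VM is attached to
    host: str              # hypervisor currently running the VM
    flow_monitored: bool   # True if east-west traffic from this VM is captured


def effective_zone(vlan: int, zone_vlans: Dict[str, Set[int]] = ZONE_VLANS) -> str:
    """Return the zone a VLAN belongs to under the policy, or 'unassigned'."""
    for zone, vlans in zone_vlans.items():
        if vlan in vlans:
            return zone
    return "unassigned"


def audit(vms: Iterable[VM], zone_vlans: Dict[str, Set[int]] = ZONE_VLANS) -> List[Tuple[str, str, str]]:
    """Return (vm_name, finding_type, detail) for every policy violation found."""
    findings = []
    for vm in vms:
        allowed = zone_vlans.get(vm.zone)
        if allowed is None:
            # A zone with no VLAN policy cannot be verified at all.
            findings.append((vm.name, "unknown-zone", f"zone {vm.zone!r} has no VLAN policy"))
            continue
        if vm.vlan not in allowed:
            # The VM's tag says one zone, but its network attachment says another
            # (e.g. a VMotion onto a DMZ port group, or a VLAN typo on the port group).
            where = effective_zone(vm.vlan, zone_vlans)
            findings.append((vm.name, "zone-vlan-mismatch",
                             f"tagged {vm.zone} but on VLAN {vm.vlan} ({where})"))
        if not vm.flow_monitored:
            # Intra-zone traffic that no sensor sees is exactly the gap the article asks about.
            findings.append((vm.name, "unmonitored-east-west", "intra-zone traffic not captured"))
    return findings


def zone_changes(before: Iterable[VM], after: Iterable[VM]) -> List[Tuple[str, str, str]]:
    """Return (vm_name, old_zone, new_zone) for VMs whose network placement crossed zones."""
    prev = {vm.name: vm for vm in before}
    moved = []
    for vm in after:
        old = prev.get(vm.name)
        if old is None:
            continue  # new VM; audit() handles its placement
        old_zone, new_zone = effective_zone(old.vlan), effective_zone(vm.vlan)
        if old_zone != new_zone:
            moved.append((vm.name, old_zone, new_zone))
    return moved


# Constructed sample inventory: two snapshots of the same estate.
SNAPSHOT_BEFORE = [
    VM("app01", "internal", 100, "esx-a", True),
    VM("web01", "dmz", 200, "esx-b", True),
    VM("db01", "internal", 101, "esx-a", False),   # no east-west capture
]
SNAPSHOT_AFTER = [
    VM("app01", "internal", 200, "esx-b", True),   # migrated onto the DMZ port group
    VM("web01", "dmz", 200, "esx-b", True),
    VM("db01", "internal", 101, "esx-a", False),
    VM("tmp01", "lab", 300, "esx-c", True),        # zone with no policy at all
]

if __name__ == "__main__":
    for finding in audit(SNAPSHOT_AFTER):
        print("FINDING", *finding)
    for move in zone_changes(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print("MOVED", *move)
```

Run against the constructed snapshots, the audit reports `app01` as a zone/VLAN mismatch (tagged internal, attached to the DMZ VLAN), `db01` as unmonitored and `tmp01` as belonging to a zone the policy does not know, and the snapshot diff shows `app01` crossing from internal to dmz. In a real estate the VM list would come from the hypervisor's inventory API and the policy from the network team's segmentation design; the point is that the check runs against the actual attachment, not the tag.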