Cloud computing is an internet-based computing model in which shared hardware and software resources and information are supplied to computers and other devices on demand. Users access cloud services through browsers, desktop applications, or mobile applications. Advocates believe that cloud computing lets companies deploy applications more quickly, reduces management complexity and maintenance costs, and allows IT resources to be reallocated quickly in response to rapid changes in enterprise demand. Even with these advantages, however, the security issues that come with deploying applications in the cloud still have to be considered.
The inherent threat of cloud computing
According to the 2013 RSA International Information Security Conference, the nine threats to cloud computing in 2013 are as follows:
First place: Data leakage
Putting data in the cloud carries a risk of leakage, and if a company's internal sensitive information leaks to its competitors, the impact on the company is enormous.
Second place: Data loss
Data stored in the cloud may be lost as a result of malicious attacks, accidentally deleted by the service provider, or destroyed by physical damage such as earthquakes or fires.
Third place: Account or service traffic hijacking
Attackers may use phishing, fraud, or software vulnerabilities to obtain user access credentials. They can then eavesdrop on your transactions and information, manipulate your data, and even turn your service into a new base for attacks. In April 2010, Amazon had an XSS problem that allowed attackers to intercept credentials from its website, and in 2009 Amazon systems were hijacked to serve as nodes of the Zeus botnet.
Fourth place: Insecure interfaces or APIs
Cloud services must interact with users using interfaces and APIs, which can increase risk if these parts of the cloud do not have enough protection.
Fifth place: Denial of service (DoS)
Denial of service attacks direct a large amount of traffic at a particular service, and users usually cannot reach the service they want and can do nothing but wait.
Sixth place: Malicious internal staff
Cloud provider employees may be able to access sensitive data for certain reasons, or attack their own data centers, and large companies like Google have experienced employees violating user privacy.
Seventh place: Misuse of cloud services
Cloud computing gives users powerful computing capacity, but not everyone uses it for good: attackers may use it to crack passwords or launch DDoS attacks.
Eighth place: Insufficient research
Using a large number of cloud services without sufficient knowledge of them is likely to cause harm.
Ninth place: Weaknesses of shared technology
Many of the resources in cloud services are shared, but sharing can also expose the entire environment to threats.
So, once you understand the threats of cloud computing, how can you stay clear of the data security risks?
Establish a sound data security system
To keep cloud computing clear of data security risks, a systematic and effective protection system has to be set up that covers all kinds of complex and changing environments.
First, carry out a thorough evaluation. Migrating from the traditional internet to the cloud brings the benefits of sharing and lower costs, but it also means facing a more complex ecosystem. Security vulnerabilities must be evaluated to ensure that all controls are in place and functioning properly. Research also needs to be done before a cloud service provider is selected, and the provider should be required to disclose its capabilities for controls such as physical security, logical security, encryption, change management, business continuity, and disaster recovery.
Second, control risk in a planned way. Develop a formal risk mitigation plan that includes risk documentation, responses to those risks, and education and training. Resilience requirements also matter: to recover quickly after a disaster or attack, develop a resilience plan that ensures workloads can be restored at any time and that keeps the impact on business continuity to a minimum.
Next, data protection should be the core focus. Information security is often thought about in terms of devices and links, and in terms of protection and interception. In fact, protecting the content, the data itself, is the core. This is especially true in cloud computing environments, where security is truly achieved by protecting the data itself.
Also, validate the critical foundational controls. Nearly 60 baseline security controls that protect the most important assets are key to all information security, including in the cloud environment. They must be validated to ensure that the cloud technology complies with the security controls for your systems, business, and operations.
A hybrid model is an effective deployment option. With a hybrid security service model, cloud services and services outside the cloud are mixed and several models are used at the same time. This helps reduce pressure and, because the combination makes the protection more varied, also makes the protection more effective.
At the same time, anomalies should be detected as early as possible. Even confidentiality does not help if an attacker obtains account information. Cloud vendors must therefore deploy good anomaly detection systems and share their information and audit records with customers. Using different tools to make sure cloud vendors meet customer needs is a layered approach.
Protection can also cover the full life cycle: effective protection is built on the "three-full" principle of comprehensive, all-round, full-life-cycle protection. Comprehensive and all-round protection is achieved mainly through the various information security technologies, while full-life-cycle protection requires awareness, technology, and policies to all be in place and sustained, relying on management of the cloud technology and regular security reviews.
Then there is broader use of encryption. Encryption here means not only end-to-end encryption but also the ability to encrypt data inside the enterprise before it is transferred to the cloud. Cloud vendors need to develop strong cryptographic solutions that let businesses secure their data. It also pays to make good use of professional cloud security services: independent providers of security consulting, hosting, and similar services have gradually developed, and using these specialized organizations for long-term protection, and even proactive monitoring and protection, both reduces your own pressure and fixed costs and makes protection more proactive.
Then pay attention to the state of workloads. Focus on the workloads that handle information across devices and applications, take full account of what is unique about each, and develop more targeted security plans that give more secure protection than traditional operations.
Security responsibilities need to be clarified. Many users think the cloud service provider should be responsible for the data, while the provider tends to blame the customer's own measures for being ineffective. According to the survey, more than one-third of customers still expect their software service provider to secure applications and data. Having the means is important, and using them effectively is equally important. Security only has a sound fundamental guarantee when both supplier and customer assume their own share of the responsibility.
Finally, it is important to establish a sound logging system. Auditing of management access logs must be maintained, so that a certain amount of log information can be provided to any enterprise that needs to trace activity for its analyses. Most small cloud services, however, do not provide this information.
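The anomaly detection and management access log auditing described above can be combined in a small check. The following is an added example, not part of the original article: it scans a constructed log (the field names, action names, and 30-minute window are assumptions) and flags sensitive actions that follow a login from a network the account has never used.

```python
import json
from datetime import datetime, timedelta

# Constructed management-access log (JSON lines). Field and action names are
# assumptions for this example, not any provider's real audit schema.
SAMPLE_LOG = """
{"ts": "2013-03-01T09:00:00", "user": "alice", "src": "198.51.100.10", "action": "login"}
{"ts": "2013-03-01T09:10:00", "user": "bob", "src": "192.0.2.20", "action": "login"}
{"ts": "2013-03-02T03:12:00", "user": "bob", "src": "203.0.113.5", "action": "login"}
{"ts": "2013-03-02T03:15:00", "user": "bob", "src": "203.0.113.5", "action": "disable_audit_log"}
{"ts": "2013-03-02T03:20:00", "user": "bob", "src": "203.0.113.5", "action": "delete_backup"}
{"ts": "2013-03-02T08:58:00", "user": "alice", "src": "198.51.100.77", "action": "login"}
{"ts": "2013-03-02T09:02:00", "user": "alice", "src": "198.51.100.77", "action": "create_api_key"}
{"ts": "2013-03-02T11:00:00", "user": "bob", "src": "192.0.2.20", "action": "delete_backup"}
"""

SENSITIVE = {"create_api_key", "delete_backup", "disable_audit_log"}

def network(ip):
    """Collapse an IPv4 address to its /24 so ordinary address churn is ignored."""
    return ip.rsplit(".", 1)[0]

def detect(log_text, window_minutes=30):
    """Flag sensitive actions made shortly after a login from a network the
    account has never used before (a common sign of stolen credentials)."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])            # ISO timestamps sort as text
    known, suspect, alerts = {}, {}, []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        user, net = e["user"], network(e["src"])
        seen = known.setdefault(user, set())
        if e["action"] == "login":
            if not seen:
                seen.add(net)                     # first login seeds the baseline
            elif net not in seen:
                suspect[(user, net)] = ts         # stays unknown until reviewed
        elif e["action"] in SENSITIVE:
            start = suspect.get((user, net))
            if start and ts - start <= timedelta(minutes=window_minutes):
                alerts.append({"user": user, "src": e["src"], "action": e["action"],
                               "minutes_after_login": (ts - start).seconds // 60})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The same sensitive actions from a known network (alice's API key, bob's later backup deletion) raise no alert, which is why the customer needs the provider's audit records to build the per-account baseline.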
To sum up, cloud security is not a short-term problem. If cloud computing is to develop sustainably over the long term, data security cannot be underestimated, and of the methods in this article, protecting the data at its source is the most important. When adopting cloud technology, therefore, using targeted and flexible encryption to protect core data should be an effective choice. We need to enjoy the advantages the cloud offers, such as information integrity, openness, and a good user experience, while still ensuring data security. Without security, the value of cloud applications is greatly reduced, and losses and disasters become more likely.