My topic at the seminar was the protection of Cloud Computing Applications. Finding something worthwhile under this topic was quite difficult. The cloud is a new technology whose reputation no one wants to harm, and it has only recently begun to acquire standards. Whether the availability of standards is good or bad does not matter for this post.
One very good paper, containing a lot of information about how companies offering cloud computing should organize the protection of computations and stored data, is the Eckpunktepapier "Sicherheitsempfehlungen für Cloud Computing Anbieter".
This paper was written in collaboration with the Ministry of Safety of Information Technology of Germany and with suppliers and consumers / potential consumers of cloud services. This is one of the first attempts to bring clarity to the standardization of protection when working in the cloud.
Of course, it is clear from the outset that all the risks associated with the transmission of data via the Internet also apply to cloud technology. Here you need to take into account all the risks from OWASP, but much has already been said about them and I would not like to repeat it. Therefore, I will try to consider those security points that are specific to clouds.
The first problem for consumers is that they do not have enough information from suppliers about how data and computing inside the cloud will be protected. This opacity discourages many potential users. Almost all companies that provide these services write that user data will be reliably protected. However, they do not indicate what methods will be used to do it.
One of the recommendations to cloud computing providers is a clear description of the protection provided. It is also recommended to introduce several levels of information protection, since data from different users have different sensitivity. For some customers, round-the-clock availability and support may be extremely important and necessary, while for other users, standard support from the supplier during the working day is sufficient. Such a distinction will not only allow each specific consumer to have the protection mechanisms provided to him written into his contract, but also make it possible to make prices flexible. Everyone will pay only for what he really needs.
One of the important topics is the verification of the identity of consumers. This is recommended to protect providers from unscrupulous customers who can use cloud resources to crack passwords or create botnets.
Also, one of the suppliers' tasks will be not only to check their own infrastructures for vulnerabilities, but also to check the infrastructures of the users of the system in order to promptly notice weaknesses or incorrect configuration of security systems. It is also recommended to create opportunities for users to conduct such checks themselves or delegate such checks to third-party IT companies.
It is also very important that cloud service providers are obliged to inform consumers about the country in which the computing centers where the information will be stored are located. This is because in many states, government structures have the opportunity to request stored data. Accordingly, opportunities for espionage / industrial espionage appear.
Eckpunktepapier "Sicherheitsempfehlungen für Cloud Computing Anbieter"
www.bsi.bund.de/DE/Themen/CloudComputing/Eckpunktepapier/Eckpunktepapier_node.html