
“My cloud is my fortress”: Trends of cloud security

Earlier, in one of our posts, we described how we ensure the safety of our customers' data in the cloud. Today we look at worldwide experience in this area. After all, cyber threats around the world are growing not only in number but also in sophistication.


According to a Gartner study, by 2020, 80% of all information leaks from the cloud will be due to misconfiguration or internal problems at the company, not to vulnerabilities on the provider's side. IT organizations will therefore need to pay attention to internal business processes and to training staff in basic security.

Today, 64% of companies consider cloud infrastructure more secure, but 75% take additional protective measures. For example, 61% of clients encrypt their data, 52% have an identity and access management policy for information systems, and 48% conduct regular system checks.

However, attackers do not much care where exactly the data is located, on virtual or physical machines: their goal is to get access at any cost. Therefore, to protect data in the cloud you can use the same tools as in the company's own data center. Experts identify three main areas of security: data encryption, restricting access to data, and the ability to recover data in an emergency.

In addition, experts advise paying attention to APIs. Open and unprotected interfaces can be a weak link in data protection and a major cause of cloud platform vulnerabilities.

Analytics and machine learning


One possible solution is AI tooling. Today, artificial intelligence and machine learning frameworks are used to automate data protection mainly in order to simplify routine tasks. Soon, however, they will also be used to secure public and private cloud infrastructures.

An example of this approach today is the open-source project MineMeld, which uses threat data obtained from external sources to build security policies and change configurations automatically. This makes it possible to take into account the specific needs of a particular company. Another example is the Gurucul Cloud Analytics Platform, which uses behavioral analytics and machine learning to detect external and internal threats.

Encryption


Forrester Research Vice President Andras Cser is convinced that it does not make sense to encrypt absolutely all data. To ensure security, a specific policy must be introduced, and specialists can be brought in to develop it. You need to find out what data is in the cloud and where the traffic is going, and only then decide what information should be encrypted.

Before strengthening security measures, it is worth assessing whether they are justified: for example, compare the cost of introducing such measures with the possible losses from an information leak. In addition, consider how encryption or user access and authentication controls affect system performance.

Data protection can be implemented at several levels. For example, all data that users send to the cloud can be encrypted with the AES algorithm, which ensures anonymity and security. The next level of protection is encryption of data on the cloud storage server. Cloud providers also often store data across several data centers, which has a positive effect on the integrity of information.

Some tips on encrypting data in the cloud can be found here and in this thread on Stack Exchange.

Infrastructure Monitoring


We have already talked about the equipment used in our data centers. When migrating to the cloud, many customers face the need to implement a new security strategy, because they have to change firewall and virtual network settings.

According to a study conducted by analyst firm SANS, customers are concerned about vulnerabilities in the systems that prevent unauthorized access (68%), application vulnerabilities (64%), malware infection (61%), social engineering and non-compliance with security rules (59%), and internal threats (53%).

At the same time, Chandra Sekar, senior director of marketing at Illumio, believes that attackers will almost always be able to find a way to break into the system. Therefore, the main task is to ensure that an attack does not spread to other vulnerable links in the chain. This is possible if the security system blocks unauthorized communication between workloads and prevents illegitimate connection requests.
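
The idea of blocking unauthorized communication between workloads can be shown as a default-deny allowlist check. This is an added example, not code from the original post or from any vendor's product; the workload labels, subnets, ports and sample flows are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory: workload label -> subnet (assumed addressing).
WORKLOADS = {
    "web": ip_network("10.0.1.0/24"),
    "app": ip_network("10.0.2.0/24"),
    "db": ip_network("10.0.3.0/24"),
}

# Allowlist of (source label, destination label, destination port).
# Default deny: any flow not listed here is blocked.
ALLOWED = {("web", "app", 8443), ("app", "db", 5432)}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int

def label_of(addr):
    """Map an IP address to its workload label, or None if unknown."""
    ip = ip_address(addr)
    return next((name for name, net in WORKLOADS.items() if ip in net), None)

def evaluate(flow):
    """Return (verdict, reason) for one connection request."""
    src, dst = label_of(flow.src), label_of(flow.dst)
    if src is None or dst is None:
        return "deny", "unlabelled endpoint"
    if (src, dst, flow.port) in ALLOWED:
        return "allow", f"{src}->{dst}:{flow.port}"
    return "deny", f"no rule for {src}->{dst}:{flow.port}"

# Constructed sample connection requests.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", 8443),   # web -> app, expected path
    Flow("10.0.2.20", "10.0.3.5", 5432),    # app -> db, expected path
    Flow("10.0.1.10", "10.0.3.5", 5432),    # web -> db directly, skips the app tier
    Flow("10.0.1.10", "10.0.1.11", 22),     # web -> web, same tier, no rule
    Flow("192.168.7.9", "10.0.3.5", 5432),  # source outside the inventory
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        verdict, reason = evaluate(flow)
        print(f"{flow.src:>12} -> {flow.dst}:{flow.port:<5} {verdict:5} {reason}")
```

Only the two listed paths are allowed, so a compromised web host cannot reach the database or its neighbours in the same tier.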

There are many products on the market for monitoring data center infrastructure; for example, the Cisco line gives IT managers a complete picture of network activity. You can not only see who connects to the network, but also set rules for users: what specific people can do and what access rights they have.

Automation


Another approach that can improve data center reliability is integrating security systems with DevOps practices. This lets you speed up application deployment and the rollout of changes. An adaptive security architecture integrates with automation and management tools, making changes to security settings part of the continuous deployment process.

In a cloud infrastructure, security is no longer considered separately from development and deployment; it becomes an integral part of continuous integration and continuous deployment (CI/CD). Tools such as the Jenkins plugin, which make code and security checks a standard quality assurance step, can provide this.

Other vendors offer DevOps tools for testing and monitoring security: for example, SAST solutions analyze an application's source code statically to identify security vulnerabilities, while DAST solutions detect possible security vulnerabilities while the application is running. Several DAST and SAST solutions can be found in this thread on Stack Exchange.

The main thing is not to put security issues on the back burner. Previously, a separate team often dealt with product security. But this approach increased the time spent on the product and could not guarantee the elimination of all vulnerabilities. Today, security integration is happening not only in practice: special terms have appeared, such as DevOpsSec, DevSecOps and SecDevOps.

According to Jamie Tischart, Chief Technology Officer for Cloud and SaaS at Intel, there is a significant difference between these terms: the position of "Sec" reflects the importance given to security. The correct term, in terms of practical application, is SecDevSecOpsSec. You need to think about security at every stage of creating any product, including cloud infrastructure.

P.S. Another post on our blog today is a VPS digest.


Source: https://habr.com/ru/post/319398/

