Bilingual snapshot of https://www.coursera.org/learn/networks-and-network-security/supplement/Nc7Fn/secure-the-cloud saved on 2025-8-3 23:28.

Secure the cloud

Earlier in this course, you were introduced to cloud computing. Cloud computing is a model for allowing convenient and on-demand network access to a shared pool of configurable computing resources. These resources can be configured and released with minimal management effort or interaction with the service provider.

Just like any other IT infrastructure, a cloud infrastructure needs to be secured. This reading will address some main security considerations that are unique to the cloud and introduce you to the shared responsibility model used for security in the cloud. Many organizations that use cloud resources and infrastructure express concerns about the privacy of their data and resources. This concern is addressed through cryptography and other additional security measures, which will be discussed later in this course.

Cloud security considerations

Many organizations choose to use cloud services because of the ease of deployment, speed of deployment, cost savings, and scalability of these options. Cloud computing presents unique security challenges that cybersecurity analysts need to be aware of. 

Identity access management

Identity access management (IAM) is a collection of processes and technologies that helps organizations manage digital identities in their environment. This service also authorizes how users can use different cloud resources. A common problem that organizations face when using the cloud is the loose configuration of cloud user roles. An improperly configured user role increases risk by allowing unauthorized users to have access to critical cloud operations. 
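The "loose configuration of cloud user roles" described above can be checked mechanically. The following is an added example, not code from the course page; it assumes an AWS-style JSON policy document (Effect/Action/Resource) and uses two constructed sample policies: one over-broad role beside a least-privilege one.

```python
"""Added example (not part of the course page): flag loosely configured
cloud roles by checking policy documents for over-broad grants.
Assumes an AWS-style JSON policy document (Effect/Action/Resource); the
sample policies below are constructed for illustration."""
import json

# Constructed example: a "loose" role that grants every action on every resource.
LOOSE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed example: a least-privilege role scoped to reading one bucket.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_loose_grants(policy_json):
    """Return findings for Allow statements that rely on wildcards.

    A finding is produced when an Allow statement grants a bare '*' action
    or a service-wide 'svc:*' action, or applies to every resource ('*').
    """
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; they are not findings
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild_actions:
            findings.append(f"statement {idx}: wildcard action(s) {wild_actions}")
        if "*" in resources:
            findings.append(f"statement {idx}: applies to all resources")
    return findings
```

Running the check over a role's policy documents before it is assigned gives a simple gate for the misconfiguration risk the paragraph describes.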

Configuration

The expanding cloud ecosystem introduces significant complexity to network management. Each cloud service necessitates precise configuration to uphold security and compliance standards. This challenge intensifies during cloud migrations, where ensuring accurate configuration for every migrated process is critical. Neglect in this area can expose the network to vulnerabilities. Misconfigured cloud services are a frequent source of security breaches, underscoring the importance of meticulous attention to detail by network administrators and architects during the migration and ongoing management of cloud services.

Attack surface

Cloud service providers (CSPs) offer numerous applications and services for organizations at a low cost. 

Every service or application on a network carries its own set of risks and vulnerabilities and increases an organization’s overall attack surface. An increased attack surface must be compensated for with increased security measures.

Cloud networks that use many services introduce many entry points into an organization’s network, although a correctly designed network can use several services without adding more entry points to the organization’s network design. These entry points can be used to introduce malware onto the network and pose other security vulnerabilities. It is important to note that CSPs often opt for more secure options by default, and their infrastructure has undergone more scrutiny than a traditional on-premises network.

Zero-day attacks

Zero-day attacks are an important security consideration for organizations using cloud or traditional on-premises network solutions. A zero-day attack is an exploit that was previously unknown. CSPs are more likely to know about a zero-day attack occurring before a traditional IT organization does. CSPs have ways of patching hypervisors and migrating workloads to other virtual machines. These methods ensure the customers are not impacted by the attack. There are also several tools available for patching at the operating system level that organizations can use.

Visibility and tracking

Network administrators have access to every data packet crossing the network with both on-premises and cloud networks. They can sniff and inspect data packets to learn about network performance or to check for possible threats and attacks.

This kind of visibility is also offered in the cloud through flow logs and tools such as packet mirroring. CSPs take responsibility for security in the cloud, but they do not allow the organizations that use their infrastructure to monitor traffic on the CSP’s servers. Many CSPs offer strong security measures to protect their infrastructure. Still, this situation might be a concern for organizations that are accustomed to having full access to their network and operations. CSPs pay for third-party audits to verify how secure a cloud network is and to identify potential vulnerabilities. The audits can help organizations identify whether any vulnerabilities originate from on-premises infrastructure and whether there are any compliance lapses from their CSP.

Things change fast in the cloud

CSPs are large organizations that work hard to stay up-to-date with technology advancements. For organizations that are used to being in control of any adjustments made to their network, this can be a potential challenge to keep up with. Cloud service updates can affect security considerations for the organizations using them. For example, connection configurations might need to be changed based on the CSP’s updates. 

Organizations that use CSPs usually have to update their IT processes. It is possible for organizations to continue following established best practices for changes, configurations, and other security considerations. However, an organization might have to adopt a different approach in a way that aligns with changes made by the CSP. 

Cloud networking offers various options that might appear attractive to a small company—options that they could never afford to build on their own premises. However, it is important to consider that each service adds complexity to the security profile of the organization, and they will need security personnel to monitor all of the cloud services. 

Shared responsibility model

A commonly accepted cloud security principle is the shared responsibility model. The shared responsibility model states that the CSP must take responsibility for security involving the cloud infrastructure, including physical data centers, hypervisors, and host operating systems. The company using the cloud service is responsible for the assets and processes that they store or operate in the cloud.

The shared responsibility model ensures that both the CSP and the users agree about where their responsibility for security begins and ends. A problem occurs when organizations assume that the CSP is taking care of security that they have not taken responsibility for. One example of this is cloud applications and configurations. The CSP takes responsibility for securing the cloud, but it is the organization’s responsibility to ensure that services are configured properly according to the security requirements of their organization. 

Key takeaways

It is essential to know the security considerations that are unique to the cloud and to understand the shared responsibility model for cloud security. Organizations are responsible for correctly configuring and maintaining best security practices for their cloud services. The shared responsibility model ensures that both the CSP and users agree about what the organization is responsible for and what the CSP is responsible for when securing the cloud infrastructure.