
Cryptography and cloud security

Earlier in this course, you were introduced to the concepts of the shared responsibility model and identity and access management (IAM). Similar to on-premise networks, cloud networks also need to be secured through a mixture of security hardening practices and cryptography.

This reading will address common cloud security hardening practices, what to consider when implementing cloud security measures, and the fundamentals of cryptography. Since cloud infrastructure is becoming increasingly common, it’s important to understand how cloud networks operate and how to secure them.

Cloud security hardening

There are various techniques and tools that can be used to secure cloud network infrastructure and resources. Some common cloud security hardening techniques include incorporating IAM, hypervisors, baselining, cryptography, and cryptographic erasure.

Identity access management (IAM)

Identity access management (IAM) is a collection of processes and technologies that helps organizations manage digital identities in their environment. This service also authorizes how users can leverage different cloud resources.

Hypervisors

A hypervisor abstracts the host’s hardware from the operating software environment. There are two types of hypervisors. Type one hypervisors run directly on the hardware of the host computer. An example of a type one hypervisor is VMware®'s ESXi. Type two hypervisors run on top of the host computer’s operating system. An example of a type two hypervisor is VirtualBox. Cloud service providers (CSPs) commonly use type one hypervisors. CSPs are responsible for managing the hypervisor and other virtualization components. The CSP ensures that cloud resources and cloud environments are available, and it provides regular patches and updates. Vulnerabilities or misconfigurations in hypervisors can lead to virtual machine escapes (VM escapes). A VM escape is an exploit in which a malicious actor gains access to the underlying hypervisor, and potentially to the host computer and other VMs. As a CSP customer, you will rarely deal with hypervisors directly.

Baselining

Baselining for cloud networks and operations covers how the cloud environment is configured and set up. A baseline is a fixed reference point against which later changes to a cloud environment can be compared. Proper configuration and setup can greatly improve the security and performance of a cloud environment. Examples of establishing a baseline in a cloud environment include: restricting access to the admin portal of the cloud environment, enabling password management, enabling file encryption, and enabling threat detection services for SQL databases.
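The baseline idea above is easiest to see as a comparison routine: a fixed set of expected settings, a snapshot of the live configuration, and a report of everything that differs. The following is an added example, not code from the course or from any cloud provider; the setting names (`admin_portal.allowed_cidrs` and the others) and the "live" snapshot are constructed for illustration and do not correspond to any CSP's API. It goes slightly beyond the text by also reporting settings present in the live configuration that the baseline never mentioned, since unreviewed additions are drift too.

```go
package main

import (
	"fmt"
	"sort"
)

// Config holds settings as strings so one checker can cover booleans,
// numbers and names alike.
type Config map[string]string

// ReferenceBaseline is the fixed reference point: a constructed baseline
// modelled on the four examples in the reading. Keys are hypothetical.
var ReferenceBaseline = Config{
	"admin_portal.allowed_cidrs":  "10.0.0.0/8", // admin portal reachable only from the corporate range
	"password_management.enabled": "true",
	"storage.file_encryption":     "enabled",
	"sql.threat_detection":        "enabled",
}

// Deviation records one difference between the baseline and the live config.
// Actual is "" when the setting is missing; Expected is "" when the baseline
// does not mention the setting at all.
type Deviation struct {
	Key      string
	Expected string
	Actual   string
}

// Drift compares a live configuration against the baseline and returns every
// setting that is missing, different, or unexpected, sorted by key so that
// reports are stable from run to run.
func Drift(baseline, live Config) []Deviation {
	var out []Deviation
	for k, want := range baseline {
		got, ok := live[k]
		if !ok || got != want {
			out = append(out, Deviation{Key: k, Expected: want, Actual: got})
		}
	}
	for k, got := range live {
		if _, ok := baseline[k]; !ok {
			out = append(out, Deviation{Key: k, Expected: "", Actual: got})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Key < out[j].Key })
	return out
}

// Compliant is true only when the live config matches the baseline exactly.
func Compliant(baseline, live Config) bool {
	return len(Drift(baseline, live)) == 0
}

func main() {
	// Constructed live snapshot: the admin portal is open to the world, SQL
	// threat detection was never turned on, and a log-retention setting was
	// added without being reviewed against the baseline.
	live := Config{
		"admin_portal.allowed_cidrs":  "0.0.0.0/0",
		"password_management.enabled": "true",
		"storage.file_encryption":     "enabled",
		"logging.retention_days":      "7",
	}
	for _, d := range Drift(ReferenceBaseline, live) {
		fmt.Printf("%-28s expected=%q actual=%q\n", d.Key, d.Expected, d.Actual)
	}
}
```

In practice the live snapshot would come from the provider's configuration export or API rather than a literal, and the baseline would live in version control so that every change to it is itself reviewed.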

Cryptography in the cloud

Cryptography can be applied to secure data that is processed and stored in a cloud environment. Cryptography uses encryption and secure key management systems to provide data integrity and confidentiality. Cryptographic encryption is one of the key ways to secure sensitive data and information in the cloud.

Encryption is the process of scrambling information into ciphertext, which is not readable to anyone without the encryption key. Encryption primarily originated from manually encoding messages and information using an algorithm to convert any given letter or number to a new value. Modern encryption relies on the secrecy of a key, rather than the secrecy of an algorithm. Cryptography is an important tool that helps secure cloud networks and data at rest to prevent unauthorized access. You’ll learn more about cryptography in-depth in an upcoming course.

Cryptographic erasure

Cryptographic erasure is a method of erasing the encryption key for the encrypted data. When destroying data in the cloud, more traditional methods of data destruction are not as effective. Crypto-shredding is a newer technique where the cryptographic keys used for decrypting the data are destroyed. This makes the data undecipherable and prevents anyone from decrypting the data. When crypto-shredding, all copies of the key need to be destroyed so no one has any opportunity to access the data in the future.
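The two points above, that modern encryption depends on the secrecy of the key rather than the algorithm, and that crypto-shredding makes data unrecoverable by destroying every copy of that key, can be shown together with one small routine. This is an added example, not code from the course or from any CSP: it uses AES-256-GCM from Go's standard library (a public algorithm that also authenticates the ciphertext, covering the integrity property mentioned earlier), and the function names `Encrypt`, `Decrypt`, `Shred` and `ShredDemo` and the sample record are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Encrypt seals plaintext under a 32-byte key with AES-256-GCM. The algorithm
// is public; only the key is secret. Output layout: nonce || ciphertext || tag.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. With the wrong key, or a modified blob, GCM's
// authentication check fails and an error is returned rather than garbage.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// NewKey returns a fresh random 256-bit key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// Shred overwrites every supplied copy of the key with zeros. Crypto-shredding
// only works if every copy is destroyed, so the caller must pass all of them:
// the working copy, backups, escrow copies and cached copies.
func Shred(copies ...[]byte) {
	for _, k := range copies {
		for i := range k {
			k[i] = 0
		}
	}
}

// ShredDemo encrypts a record, confirms it is readable using a backup copy of
// the key, shreds both copies, and reports whether the record is still
// readable. The ciphertext is deliberately left in place: with the key gone it
// is just opaque bytes.
func ShredDemo(record []byte) (readableBefore, readableAfter bool, err error) {
	key, err := NewKey()
	if err != nil {
		return false, false, err
	}
	backup := append([]byte(nil), key...) // a second copy, as a key escrow would hold
	blob, err := Encrypt(key, record)
	if err != nil {
		return false, false, err
	}
	pt, err := Decrypt(backup, blob)
	readableBefore = err == nil && bytes.Equal(pt, record)

	Shred(key, backup)
	_, err = Decrypt(key, blob)
	readableAfter = err == nil
	return readableBefore, readableAfter, nil
}

func main() {
	// Constructed sample record.
	before, after, err := ShredDemo([]byte("customer record: constructed sample"))
	fmt.Println("readable before shred:", before, "after shred:", after, "err:", err)
}
```

Zeroing a byte slice in a single process is the simplest form of the idea; in a cloud deployment the equivalent step is scheduling the key for destruction in the provider's key management service or HSM, and the part that needs the most care is the inventory of where copies of that key exist.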

Key Management

Modern encryption relies on keeping the encryption keys secure. Below are the measures you can take to further protect your data when using cloud applications:

  • Trusted platform module (TPM). TPM is a computer chip that can securely store passwords, certificates, and encryption keys.

  • Cloud hardware security module (CloudHSM). CloudHSM is a computing device that provides secure storage for cryptographic keys and processes cryptographic operations, such as encryption and decryption.

Organizations and customers do not have access to the cloud service provider’s (CSP’s) infrastructure directly, but they can request audits and security reports by contacting the CSP. Customers typically do not have access to the specific encryption keys that CSPs use to encrypt the customers’ data. However, almost all CSPs allow customers to provide their own encryption keys, depending on the service the customer is accessing. In turn, the customer is responsible for their encryption keys and for ensuring the keys remain confidential. The CSP is limited in how it can help the customer if the customer’s keys are compromised or destroyed. One key benefit of the shared responsibility model is that the customer is not entirely responsible for maintenance of the cryptographic infrastructure. Organizations can assess and monitor the risk involved in allowing the CSP to manage the infrastructure by reviewing a CSP’s audit reports and security controls. For federal contractors, FedRAMP provides a list of verified CSPs.

Key takeaways

Cloud security hardening is a critical component to consider when assessing the security of various public cloud environments and improving the security within your organization. Identity access management (IAM), correctly configuring a baseline for the cloud environment, securing hypervisors, cryptography, and cryptographic erasure are all methods that can be used to further secure cloud infrastructure.