云从算法负责人

tech | 2023-06-01 | 61

Imagine you’re the owner of a brand new app or software program, built on one of the world’s most common and popular cloud technologies, and you’re happy to let your provider handle day-to-day maintenance and security.

The advent of full-service cloud providers makes your job easier, but one question might (and should) still bother you: how secure is my data in the cloud, and who is responsible for protecting it?

If a security-related incident happens, who will be responsible for addressing the consequences? In the majority of cases, the answer is you, and not your Cloud Service Provider (CSP), as some might think.

The first and most important concept to understand is that for cloud-based systems, responsibility is shared between you — as the owner of your application — and the CSP that owns part of the technology stack beneath it. Depending on the service model (IaaS, PaaS or SaaS), the zones of responsibility are divided differently between you as the Application Owner and the Cloud Service Provider. In any case, you should understand how the data is protected, even at layers beyond your direct control.

The good news is that most CSPs are well-versed in security, but that doesn’t mean you shouldn’t ask them what has actually been done to mitigate threats. Focus your questions on these four areas:

1. What Compliance Regulations Does Your CSP Conform To?

If you’re working within a highly regulated domain like healthcare or finance, you might already know all the certifications your CSP holds, as you would need them as part of your own application audit. But even if you do not need to get certified yourself, requesting information on available certifications from your CSP is a very good idea.

The most indicative certifications I recommend looking for are Service Organization Controls reports (inquire about the so-called SOC 2 or SOC 3). While SOC 3 is a publicly available summary of the security controls, the SOC 2 report, which contains the details, usually has to be requested on demand.

2. Do They Have Questionnaires and Certifications from the Cloud Security Alliance?

The CSA is a not-for-profit organization with the goal of encouraging and advocating best practices for providing security assurance within cloud computing. The CSA Consensus Assessments Initiative Questionnaire (CAIQ) provides a set of questions the CSA anticipates a cloud consumer and/or a cloud auditor would ask of a cloud provider. It provides a series of security, control, and process questions, which can then be used for a wide range of purposes, including cloud provider selection and security evaluation. As one of the goals of the CSA is to educate cloud consumers about security in the cloud, I would also highly encourage you to fill in the questionnaire yourself, as a checklist to ensure that you’re protecting your own assets effectively.

3. What Are Their Recommendations for Security Controls to Cover Your Zone of Responsibility?

As part of the cloud services provided by CSPs, there is usually a set of best practices you can follow to use their services safely and most effectively. I highly recommend reviewing them, and keeping all of the available mechanisms in mind when building the security architecture of your application. Within this area, it is also worth mentioning Security-as-a-Service products that can be delivered by third-party companies via a CSP marketplace. Such services usually provide a very useful and cost-effective way to add extra layers of security to your application, if your security requirements call for them.

4. What’s Their Policy on Third-Party Penetration Testing and Incident Response Processes?

A CSP should be open to your initiatives for conducting penetration testing, or any other type of security testing (some details on the types of testing can be found here), as one of the mechanisms for verifying your application’s security at the final stages of its development. Their openness can also serve as an indirect indication of the CSP’s confidence in their own security measures. When planning incident response, it is worth mapping out what information can be requested from your CSP, and how they can support you during this process.

Some Key Takeaways

Responsibility for the security level of a cloud-based application is shared between the CSP and the Application Owner. However, the Application Owner is the one primarily accountable, and therefore needs to be aware of all security measures adopted in-house as well as by the CSP.

When verifying the security practices used by a CSP, the available compliance reports and certifications might be the most effective way to get insight into what these security practices are and how they are executed. Look for SOC 2 and SOC 3 reports and CSA certifications.

Make sure that you’re using all the available mechanisms provided by your CSP to protect your application, and that you’re using the recommended best practices to achieve your security goals.

Clarify your strategy for handling security incidents before they happen, and check how your CSP can help you with incident forensics.

Last, but not least, don’t hesitate to talk to your CSP if you have any concerns about the security of your cloud-based applications. Even though you’re accountable for security, a good CSP will be happy to support you in the complex process of building a truly secure cloud application.

Translated from: https://www.sitepoint.com/protecting-your-cloud/