“云”这个词在现代企业中已经变得很重要。云(Cloud)技术既经济又灵活,它使用户能够从任何地方访问数据。它被个人以及小型、中型和大型企业使用。基本上有三种类型的云服务,包括:
- 基础设施即服务 (IaaS)
- 软件即服务 (SaaS)
- 平台即服务 (PaaS)。
虽然云技术有很多优势,但它也存在安全挑战和风险。它在黑客和攻击者中同样受欢迎,就像在真正的用户和企业中一样。缺乏适当的安全措施和机制会使云服务面临多种威胁,这些威胁可能会对一个人的业务造成损害。在本文中,我将讨论在将云计算整合到您的业务中时需要解决和注意的安全威胁和问题。
什么是云安全挑战(Security Challenges)、威胁(Threats)和问题
云计算服务的主要风险是:
- DoS 和 DDoS 攻击
- 帐户劫持
- 数据泄露
- 不安全的 API
- 云恶意软件注入
- 侧信道攻击
- 数据丢失
- 缺乏可见性或控制力
1] DoS 和 DDoS 攻击
拒绝服务(Denial of Service)(DoS) 和分布式拒绝服务(Distributed Denial of Service)(Distributed Denial of Service)( DDoS ) 攻击是任何云服务中的主要安全风险之一。在这些攻击中,攻击者会用大量不需要的请求淹没网络,以至于网络无法响应真正的用户。此类攻击可能会导致组织收入减少、品牌价值和客户信任度下降等。
建议企业采用云技术的DDoS 防护服务。(DDoS protection services)实际上,防御此类攻击已成为当务之急。
相关阅读:(Related read:) 使用 Google Project Shield 为您的网站提供免费 DDoS 保护
2]帐户劫持
劫持(Hijacking)帐户是每个人都必须意识到的另一种网络犯罪。在云服务中,它变得更加棘手。如果公司成员使用了弱密码或重复使用其他帐户的密码,攻击者更容易破解帐户并未经授权访问他们的帐户和数据。
依赖基于云的基础架构的组织必须与其员工一起解决这个问题。因为这可能导致他们的敏感信息泄露。因此,请教员工强密码(strong passwords)的重要性,要求他们不要从其他地方重复使用他们的密码,提防网络钓鱼攻击(beware of phishing attacks),总体上要更加小心。这可以帮助组织避免帐户劫持。
阅读(Read): 网络安全威胁(Network Security Threats)。
3] 数据泄露
数据泄露在网络安全领域并不是一个新名词。在传统基础架构中,IT 人员对数据有很好的控制。但是,拥有基于云的基础架构的企业极易受到数据泄露的影响。在各种报告中,发现了一种名为Man-In-The-Cloud(Man-In-The-Cloud) ( MITC )的攻击。在这种对云的攻击中,黑客可以未经授权访问您的文档和其他在线存储的数据并窃取您的数据。这可能是由于云安全设置配置不当造成的。
利用云的企业必须通过合并分层防御机制来主动规划此类攻击。这种方法可以帮助他们避免未来的数据泄露。
4]不安全的API
云(Cloud)服务提供商向客户提供API(APIs)(应用程序编程接口(Application Programming Interfaces))以方便使用。组织与他们的业务合作伙伴和其他个人一起使用API(APIs)来访问他们的软件平台。但是,安全性不足的API(APIs)可能会导致敏感数据丢失。如果在没有身份验证的情况下创建API(APIs),则该接口变得容易受到攻击,互联网上的攻击者可以访问组织的机密数据。
为了防御,必须创建具有强身份验证、加密和安全性的API 。(APIs)此外,使用从安全角度设计的API标准,并利用(APIs)网络检测(Network Detection)等解决方案来分析与API(APIs)相关的安全风险。
5]云恶意软件注入
恶意软件(Malware)注入是一种将用户重定向到恶意服务器并控制他/她在云中的信息的技术。它可以通过将恶意应用程序注入SaaS、PaaS或IaaS服务并被诱骗将用户重定向到黑客的服务器来执行。恶意软件注入(Malware Injection)攻击的一些示例包括跨站点脚本攻击( Cross-site Scripting Attacks)、SQL 注入攻击(SQL injection attacks)和包装攻击(Wrapping attacks)。
6] 侧信道攻击
在旁道攻击中,攻击者使用与受害者物理机相同的主机上的恶意虚拟机,然后从目标机器中提取机密信息。这可以通过使用强大的安全机制来避免,例如虚拟防火墙、使用随机加密解密等。
7]数据丢失
数据意外(Accidental)删除、恶意篡改、云服务宕机等都会给企业造成严重的数据丢失。为了克服这一挑战,组织必须准备好云灾难恢复计划、网络层保护和其他缓解计划。
8]缺乏可见性或控制力
监控基于云的资源对组织来说是一个挑战。由于这些资源不属于组织本身,因此限制了它们监控和保护资源免受网络攻击的能力。
企业从云技术中获得了很多好处。但是,他们不能忽视随之而来的固有安全挑战。如果在实施基于云的基础设施之前没有采取适当的安全措施,企业可能会遭受很多损失。希望本文能帮助您了解云服务面临的安全挑战。解决风险,实施强大的云安全计划,并充分利用云技术。
现在阅读:(Now read:) 在线隐私综合指南。(A Comprehensive Guide to Online Privacy.)
What are Cloud Security Challenges, Threats and Issues
The term “cloud” has become eminent in modern-day businesses. Clоud technology is economical аnd flexible and it enables users to access data from anywhere. It is used by individuals as well as small, medium, and large size enterprises. There are basically three typеs of clоud services that inclυde:
- Infrastructure as a Service (IaaS)
- Software as a Service (SaaS)
- Platform as a Service (PaaS).
While there are a lot of advantages to cloud technology, it also has its share of security challenges and risks. It is equally popular amongst hackers and attackers as it is amongst genuine users and businesses. The lack of proper security measures and mechanisms exposes cloud services to multiple threats that can cause damage to one’s business. In this article, I am going to discuss the security threats and issues that need to be addressed and taken care of while incorporating cloud computing in your business.
What are Cloud Security Challenges, Threats, and Issues
The main risks with cloud computing services are:
- DoS and DDoS attacks
- Account Hijacking
- Data Breaches
- Insecure APIs
- Cloud Malware Injection
- Side Channel Attacks
- Data Loss
- Lack of Visibility or Control
1] DoS and DDoS attacks
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are one of the major security risks in any cloud service. In these attacks, adversaries overwhelm a network with unwanted requests so much that the network becomes unable to respond to genuine users. Such attacks may cause an organization to suffer less revenue, lose brand value and customer trust, etc.
Enterprises are recommended to employ DDoS protection services with cloud technology. It has actually become a need of the hour to defend against such attacks.
Related read: Free DDoS protection for your website with Google Project Shield
2] Account Hijacking
Hijacking of accounts is another cybercrime that everyone must be aware of. In cloud services, it becomes all the more tricky. If the members of a company have used weak passwords or reused their passwords from other accounts, it becomes easier for adversaries to hack accounts and get unauthorized access to their accounts and data.
Organizations that rely on cloud-based infrastructure must address this issue with their employees. Because it can lead to leak of their sensitive information. So, teach employees the importance of strong passwords, ask them to not reuse their passwords from somewhere else, beware of phishing attacks, and just be more careful on the whole. This may help organizations avoid account hijacking.
Read: Network Security Threats.
3] Data Breaches
Data Breach is no new term in the field of cybersecurity. In traditional infrastructures, IT personnel has good control over the data. However, enterprises with cloud-based infrastructures are highly vulnerable to data breaches. In various reports, an attack titled Man-In-The-Cloud (MITC) was identified. In this type of attack on the cloud, hackers get unauthorized access to your documents and other data stored online and steal your data. It can be caused due to improper configuration of cloud security settings.
Enterprises that utilize the cloud must plan proactively for such attacks by incorporating layered defense mechanisms. Such approaches may help them avoid data breaches in the future.
4] Insecure APIs
Cloud service providers offer APIs (Application Programming Interfaces) to customers for easy usability. Organizations use APIs with their business partners and other individuals for access to their software platforms. However, insufficiently secured APIs can lead to the loss of sensitive data. If APIs are created without authentication, the interface becomes vulnerable and an attacker on the internet can have access to the organization’s confidential data.
To its defense, APIs must be created with strong authentication, encryption, and security. Also, use APIs standards that are designed from a security point of view, and make use of solutions like Network Detection to analyze security risks related to APIs.
5] Cloud Malware Injection
Malware injection is a technique to redirect a user to a malicious server and have control of his/ her information in the cloud. It can be carried out by injecting a malicious application into SaaS, PaaS, or IaaS service and getting tricked into redirecting a user to a hacker’s server. Some examples of Malware Injection attacks include Cross-site Scripting Attacks, SQL injection attacks, and Wrapping attacks.
6] Side Channel Attacks
In side-channel attacks, the adversary uses a malicious virtual machine on the same host as the victim’s physical machine and then extracts confidential information from the target machine. This can be avoided using strong security mechanisms like virtual firewall, use of random encryption-decryption, etc.
7] Data Loss
Accidental data deletion, malicious tampering, or cloud service being down can cause serious data loss to enterprises. To overcome this challenge, organizations must be prepared with a cloud disaster recovery plan, network layer protection, and other mitigation plans.
8] Lack of Visibility or Control
Monitoring cloud-based resources is a challenge for organizations. As these resources are not owned by the organization themselves, it limits their ability to monitor and protect resources against cyberattacks.
Enterprises are gaining a lot of benefits from cloud technology. However, they can’t neglect the inherent security challenges it comes with. If no proper security measures are taken before implementing cloud-based infrastructure, businesses can suffer a lot of damage. Hopefully, this article helps you learning security challenges that are faced by cloud services. Address the risks, implement strong cloud security plans, and make the most out of cloud technology.
Now read: A Comprehensive Guide to Online Privacy.