10 issues about cloud security that companies are concerned about

With the rapid development of cloud computing, virtualization and other technologies, the evolution of data centers to virtualization and cloudization has become a trend. Some experts predict that 90% of large enterprises and government agencies will use virtualization in the future. In this process, the security risks faced by data centers are also evolving and changing.

Virtualized data centers face greater security challenges than traditional data centers. Alongside its various benefits, server virtualization introduces new security threats, such as attacks between virtual machines and intermittent gaps in protection for machines that can be started at any time. Enterprises must consider these potential threats before moving to the cloud model.

The following are ten cloud security issues that enterprises should pay attention to:

1. Who has access?

Access control is indeed a problem. How is cloud identity authentication managed? Insider attacks are a constant threat. Anyone who gains access to the cloud platform may become a potential problem. To give an example: an employee may leave or be fired, and it turns out that he or she is the only person with an access code. In other words, perhaps this employee is the only person responsible for paying the cloud provider. You must know who has access rights, how he or she handed over work, and how access rights were suspended.

2. What are your regulatory requirements?

Companies in the US, Canada, or EU countries must comply with various regulatory requirements, including ISO/IEC 27002, the EU-US Privacy Shield Framework, the IT Infrastructure Library, and COBIT. You need to determine a framework that is recognized by both parties, such as ISO 27001. In addition, you must ensure that the cloud provider can meet the requirements of these regulations and is willing to undergo certification, authentication and review.

3. Do you have auditing authority?

This is not a minor issue; it is one of the most important cloud security issues. The cloud provider may agree in writing to comply with an audit standard, such as SSAE 16. However, for auditors and assessors, verifying whether cloud computing meets regulatory requirements has proved to be an increasingly difficult task. Among the many regulations that IT has to face, almost none are specifically aimed at cloud computing. Auditors and evaluators may not be familiar with cloud computing or a specific cloud service.

4. What kind of training does the cloud provider provide to employees?

This is indeed a very noteworthy issue, because people are always the weak point in security. What training a cloud provider gives its employees is an important item to review carefully. Most attacks involve both technical and social factors. Providers should take measures to deal with social engineering attacks from various sources, including emails, malicious links, phone calls, and other methods, and all of these should appear in training and awareness programs.

5. Which data classification system does the provider use?

Issues of concern in this regard include the standards used to classify the data, and whether the provider supports these standards. Tokenization is now increasingly replacing encryption, which helps ensure that companies meet various regulatory requirements, such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), the Gramm-Leach-Bliley Act (Financial Services Modernization Act) and European data retention regulations.

6. Have you used encryption?

Encryption methods should also be considered. Is raw data allowed to leave the enterprise, or should it be kept internally to comply with regulatory requirements? Will encryption be used for data at rest and/or in transit? You should also understand the type of encryption used; for example, DES and AES have some important differences. In addition, make sure you know who is maintaining the key before signing the contract. The encryption method must appear in the list of cloud security issues.

7. How is your data separated from other people's data?

Is the data on a shared server or a dedicated system? If you use a dedicated server, it means that only your information is on the server. If you are on a shared server, resources such as disk space, processing power, and bandwidth are limited because others are sharing the same device. You need to determine whether you need a private cloud or a public cloud, and who is hosting the server. If it is a shared server, then the data may be mixed with other data.

8. What guarantees do providers have for long-term availability?

How long has the cloud provider been in this business? How has it performed in the past? If its business runs into problems, what problems will your data face? Will your data be returned to you in the original format?

9. What will happen if there is a security breach?

If a security incident occurs, what support can you get from the cloud provider? Although many providers claim that their services are foolproof, cloud-based services are extremely vulnerable to hacker attacks. Side-channel attacks, session hijacking, cross-site scripting, and distributed denial of service are all common attacks that cloud data encounters.

10. What is the disaster recovery and business continuity plan?

Although you may not know where your services are physically hosted, they are ultimately located in a physical location. All physical locations are exposed to threats such as fire, storms, natural disasters, and power outages. If these unexpected events occur, what response measures will the cloud provider have, and how will it guarantee uninterrupted service?

According to forecasts, more than 80% of data center traffic in the next three years will come from cloud services. This means that even if you haven't done a cloud migration now, you will do so by 2020. Therefore, it is necessary to use this period of time to ensure that you adopt the correct migration method. Define contract requirements in advance, and do not simply copy the security policies originally used in the local environment. Instead, improve them from the perspective of migration.
