A Comprehensive Guide to Cloud Security in 2020 (Risks, Best Practices, Certifications)

Cloud security encompasses the technologies, controls, processes, and policies that combine to protect your cloud-based systems, data, and infrastructure. It is a sub-domain of computer security and, more broadly, of information security.

It is a shared responsibility between you and your cloud service provider. You implement a cloud security strategy to protect your data, meet regulatory compliance requirements, and protect your customers' privacy. That in turn protects you from the reputational, financial, and legal consequences of data breaches and data loss.

Cloud Security Shared Responsibility Model (Image source: Synopsys)

Cloud security is a critical requirement for all organizations. The latest research from (ISC)² reports that 93% of organizations are moderately or extremely concerned about cloud security, and one in four organizations confirmed a cloud security incident in the past 12 months.


In this article, we put together a comprehensive guide to cloud security. You'll explore the security risks of moving to the cloud, understand why cloud security is required, and discover cloud security best practices. We also cover topics such as how to assess a cloud service provider's security, and which certifications and training improve your cloud security.

Let's get started.


How Does Cloud Security Work?

Cloud security is a complex interaction of technologies, controls, processes, and policies, and the practice is highly tailored to your organization's unique requirements.

As such, there is no single explanation of how cloud security "works".

Model for securing cloud workloads (Image source: HyTrust)

Fortunately, there is a widely established set of strategies and tools you can use to achieve a robust cloud security setup. These include:

Identity and Access Management

All companies should have an Identity and Access Management (IAM) system to control access to information. Your cloud provider will either integrate directly with your IAM or offer its own built-in system. An IAM combines multi-factor authentication with user access policies, helping you control who can reach your applications and data, what they can access, and what they can do with it. Grant each identity only the permissions its role requires, and review those grants regularly; most cloud incidents involving credentials succeed because an account held far more access than it needed.

Physical Security

Physical security is another pillar of cloud security. It is the combination of measures that prevent direct access to, and disruption of, the hardware housed in your cloud provider's data centers. Physical security includes controlling direct access with security doors, uninterruptible power supplies, CCTV, alarms, air and particle filtration, fire protection, and more.

Threat Intelligence, Monitoring, and Prevention

Threat intelligence, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS) form the backbone of cloud security. Threat intelligence and IDS tools identify attackers who are currently targeting your systems or are likely to become a future threat, and raise alerts. IPS tools sit inline in the traffic path, so they can block or mitigate an attack as it happens and alert you so that you can also respond.

Encryption

Using cloud technology, you send data to and from the cloud provider's platform and often store it within the provider's infrastructure. Encryption is another layer of cloud security: it protects your data assets by encrypting them at rest and in transit. Provided the decryption keys are held only by you, the data is computationally infeasible for anyone else to read.

Cloud Vulnerability and Penetration Testing

Another practice for maintaining and improving cloud security is vulnerability and penetration testing. These practices involve you, or your provider, attacking your own cloud infrastructure to identify potential weaknesses or exploitable flaws. You can then implement fixes to patch those vulnerabilities and improve your security posture. Check your provider's penetration testing policy before you start: tests must be confined to resources you own, and some providers require prior notification for certain kinds of testing.

Micro-Segmentation

Micro-segmentation is increasingly common in cloud security implementations. It is the practice of dividing your cloud deployment into distinct security segments, right down to the individual workload.

By isolating individual workloads, you can apply granular security policies that minimize the damage an attacker can cause should they gain access to one of them.

Next-Generation Firewalls

Next-generation firewalls are another piece of the cloud security puzzle. They protect your workloads using traditional firewall functionality together with newer advanced features. Traditional firewall protection includes packet filtering, stateful inspection, proxying, IP blocking, domain name blocking, and port blocking.

Next-generation firewalls add an intrusion prevention system, deep packet inspection, application control, and analysis of encrypted traffic to provide comprehensive threat detection and prevention.

Kinsta hosting architecture

At Kinsta, we secure all WordPress websites behind the Google Cloud Platform (GCP) firewall, which offers state-of-the-art protection and the ability to integrate closely with other GCP security solutions.


7 Security Risks of Cloud Computing

Whether or not you operate in the cloud, security is a concern for every business. You face risks such as denial of service, malware, SQL injection, data breaches, and data loss, all of which can significantly affect your business's reputation and bottom line.

When you move to the cloud you introduce a new set of risks and change the nature of others. That does not mean cloud computing is insecure. In fact, many cloud providers give you access to highly sophisticated security tools and resources you could not otherwise afford.

It simply means you need to understand how the risks change in order to mitigate them. So, let's look at the security risks unique to cloud computing.

1. Loss of Visibility

Most companies access a range of cloud services through multiple devices, departments, and geographies. Without the appropriate tools in place, this kind of complexity in a cloud computing setup can cause you to lose visibility of who is accessing your infrastructure.

Without the correct processes in place, you lose sight of who is using your cloud services, including what data they are accessing, uploading, and downloading.

If you can't see it, you can't protect it, and the risk of data breach and data loss increases.

2. Compliance Violations

With the increase in regulatory control, you likely need to adhere to a range of stringent compliance requirements. When moving to the cloud, you introduce the risk of compliance violations if you are not careful.

Many of these regulations require your company to know where your data is, who has access to it, how it is processed, and how it is protected. Other regulations require that your cloud provider holds specific compliance credentials.

A careless transfer of data to the cloud, or a move to the wrong provider, can put your organization in a state of non-compliance, with potentially severe legal and financial repercussions.

3. Lack of Cloud Security Strategy and Architecture

This is a cloud security risk you can easily avoid, but many organizations don't. In their haste to migrate systems and data to the cloud, many organizations go live long before the security systems and strategies that protect their infrastructure are in place.

Here at Kinsta, we understand the importance of a security-first mindset when moving to the cloud. That's why Kinsta provides free WordPress migrations, to ensure your transition to the cloud is both secure and free of prolonged downtime.

Make sure you implement a security strategy and infrastructure designed for the cloud, and that it goes live together with your systems and data rather than after them.

4. Insider Threats

Your trusted employees, contractors, and business partners can be among your biggest security risks. These insider threats do not need malicious intent to damage your business. In fact, the majority of insider incidents stem from a lack of training or from negligence.

You already face this issue today; moving to the cloud changes the risk. You hand control of your data to your cloud service provider and introduce a new layer of insider threat from the provider's own employees.

5. Contractual Breaches

Any contractual partnership you have will include restrictions on how shared data is used, how it is stored, and who is authorized to access it. An employee unwittingly moving restricted data into a cloud service without authorization could create a breach of contract, which could lead to legal action.

Make sure you read your cloud provider's terms and conditions. Even if you have authorization to move data to the cloud, some service providers include the right to share any data uploaded into their infrastructure. Through ignorance, you could unintentionally breach a non-disclosure agreement.

6. Insecure Application Programming Interfaces (APIs)

When operating systems in a cloud infrastructure, you might use an API to implement control. Any API built into your web or mobile applications can offer access internally to staff or externally to consumers.

It is the external-facing APIs that can introduce a cloud security risk. Any insecure external API is a gateway offering unauthorized access to cybercriminals looking to steal data and manipulate services.

The most prominent example of an insecure external API is the Facebook and Cambridge Analytica scandal. Facebook's external API gave a third-party app, and through it Cambridge Analytica, deep access to Facebook user data, including data on friends of the people who had installed the app.

7. Misconfiguration of Cloud Services

Misconfiguration of cloud services is another potential cloud security risk. With the increased range and complexity of services, this is a growing issue. Misconfiguration of cloud services can cause data to be publicly exposed, manipulated, or even deleted.

Common causes include keeping default security and access management settings for highly sensitive data. Others include mismatched access management that gives unauthorized individuals access, and broken data access controls where confidential data is left open without any need for authorization.

Why Cloud Security is Required

The mass adoption of cloud technology, combined with the ever-increasing volume and sophistication of cyber threats, is what drives the need for cloud security. Looking back at the security risks of adopting cloud technology outlined above, failing to mitigate them can have significant consequences.

But it is not all negative; cloud security can also offer significant benefits. Let's explore why cloud security is a critical requirement.

Cyber Security Threats Continue to Increase

A driving force for secure cloud practices is the ever-increasing threat from cybercriminals, both in volume and in sophistication. To quantify the threat, the Cloud Security Report from (ISC)² found that 28% of businesses experienced a cloud security incident in 2019. The UK government also reported that 32% of UK businesses experienced an attack on their systems in the past 12 months.

Preventing Data Breaches and Data Loss

A consequence of these increasing cyber threats is the acceleration in the frequency and volume of data breaches and data loss. In the first six months of 2019 alone, Norton's Emerging Threat Report counted more than 4 billion records breached.

A loss or breach of data can have significant legal, financial, and reputational consequences. In its latest report, IBM estimates the average cost of a data breach at US$3.92 million.

Avoiding Compliance Violations

We have already mentioned how moving to the cloud carries the risk of compliance violations. To see what non-compliance can cost, you need only look at Germany's federal privacy regulator, which recently fined 1&1 Telecommunications €9.55 million for violating the EU's General Data Protection Regulation (GDPR).

Maintaining Business Continuity

Good cloud security helps you maintain business continuity by protecting against threats such as distributed denial-of-service (DDoS) attacks. Unplanned outages and system downtime interrupt your business continuity and hurt your bottom line. A Gartner study estimates the cost of this downtime at an average of US$5,600 per minute.

Cloud Security Benefits

Beyond threat protection and avoiding the consequences of poor practice, cloud security offers benefits that make it a requirement for businesses. These include:

1. Centralized Security

In the same way that cloud computing centralizes applications and data, cloud security centralizes protection. This helps you improve visibility, implement controls, and defend against attacks more effectively. Having everything in one place also improves your business continuity and disaster recovery.

Info

Kinsta offers a security guarantee with every plan: should something go wrong, security specialists will fix your site.

2. Reduced Cost

A reputable cloud service provider offers built-in hardware and software dedicated to securing your applications and data around the clock. This eliminates the need for significant financial investment in your own setup.

3. Reduced Administration

Moving to the cloud introduces a shared responsibility model for security. This can significantly reduce the time and resources you invest in administering security. The cloud service provider takes on responsibility for securing its infrastructure, and you, across storage, compute, networking, and physical infrastructure.

4. Increased Reliability

A leading cloud service provider offers cutting-edge cloud security hardware and software that you can rely on. You gain access to a continuous service where your users can securely reach data and applications from anywhere, on any device.

Cloud Security Best Practices

When moving your systems to the cloud, many security processes and best practices remain the same. However, you will encounter a new set of challenges that you must overcome in order to maintain the security of your cloud-based systems and data.

To help you meet this challenge, we have compiled a series of security best practices for cloud-based deployments.


Choose a Trusted Provider

The foundation of cloud security best practice is selecting a trusted service provider. You want to partner with a cloud provider that delivers the best built-in security protocols and conforms to the highest levels of industry best practice.

Ideally, the provider also extends a marketplace of partners and solutions to you, so that you can further enhance the security of your deployment.

The mark of a trusted provider is the range of security compliance attestations and certifications it holds, something any good provider makes publicly available. For example, all the leading providers, including Amazon Web Services, Alibaba Cloud, Google Cloud (which powers Kinsta), and Azure, offer transparent access where you can confirm their security compliance and certifications.

Beyond this, many factors go into selecting a trusted provider. We cover them in detail later in the article, in a top-10 checklist for assessing the security of any cloud provider.

Understand Your Shared Responsibility Model

When you partner with a cloud service provider and move your systems and data to the cloud, you enter into a partnership of shared responsibility for security implementation.

A critical part of best practice is reviewing and understanding your shared responsibility: discovering which security tasks remain with you and which are now handled by the provider.

This is a sliding scale depending on whether you opt for Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), or an on-premises data center.

Google Cloud Platform shared responsibility matrix

Leading cloud service providers such as AWS, Azure, Google Cloud Platform, and Alibaba Cloud publish what is known as a shared responsibility model for security, to ensure transparency and clarity. Make sure you review your cloud service provider's shared responsibility model.

Review Your Cloud Provider Contracts and SLAs

You might not think of reviewing your cloud contracts and SLAs as part of security best practice, but you should. SLAs and cloud service contracts are more than a guarantee of service and of recourse in the event of an incident.

The terms and conditions, annexes, and appendices contain a great deal that can affect your security. A contract can mean the difference between your cloud service provider being responsible for your data and owning it.

According to the McAfee 2019 Cloud Adoption and Risk Report, 62.7% of cloud providers do not specify that customer data is owned by the customer. This creates a legal grey area in which a provider could claim ownership of all the data you upload.

Check who owns the data and what happens to it if you terminate the service. Also seek clarity on whether the provider is required to give you visibility into security events and their responses.

If you are unhappy with elements of the contract, try to negotiate. If any are non-negotiable, you need to determine whether agreeing to them is an acceptable risk to the business. If not, you will need to seek other options to mitigate the risk, through encryption, monitoring, or even an alternative provider.

Train Your Users

Your users are the first line of defense in secure cloud computing. Their knowledge and application of security practices can be the difference between protecting your system and opening a door for cyber attacks.

As a best practice, make sure you train all users, staff and stakeholders alike, who access your systems in secure cloud practices. Make them aware of how to spot malware, how to identify phishing emails, and the risks of insecure practices.

For more advanced users, such as administrators directly involved in implementing cloud security, consider industry-specific training and certification. You will find a series of recommended cloud security certifications and training courses later in the guide.

Control User Access

Implementing tight control of user access through policies is another cloud security best practice. It helps you manage the users who attempt to access your cloud services.

Start from a position of zero trust, granting users access only to the systems and data they require and nothing more. To avoid complexity when implementing policies, create well-defined groups with assigned roles that grant access only to chosen resources. You can then add users directly to groups rather than customizing access for each individual user.

Secure Your User Endpoints

Another element of cloud security best practice is securing your user endpoints. The majority of users access your cloud services through web browsers, so it is critical that you introduce client-side security that keeps users' browsers up to date and protected from exploits.

You should also consider implementing an endpoint security solution to protect end-user devices. This is vital given the explosion of mobile devices and remote working, where users increasingly access cloud services from devices the company does not own.

Look for a solution that includes firewalls, antivirus and internet security tools, mobile device security, and intrusion detection.

Maintain Visibility of Your Cloud Services

The use of cloud services can be diverse and fleeting. Many organizations use multiple cloud services across a range of providers and regions, and research suggests that cloud resources have an average lifespan of two hours.

This kind of behavior creates blind spots in your cloud environment. If you can't see it, you can't secure it.

Make sure you implement a cloud security solution that offers visibility of your entire ecosystem. You can then monitor and protect cloud usage across all of your disparate resources, projects, and regions through a single portal. This visibility helps you implement granular security policies and mitigate a wide range of risks.

Implement Encryption

Encrypting your data is a security best practice regardless of where it lives, and it becomes critical once you move to the cloud. Using cloud services, you store your data on a third-party platform and send it back and forth between your network and the cloud service, which exposes it to greater risk.

Make sure you implement the highest levels of encryption for data both in transit and at rest. You should also consider encrypting data with your own tooling before uploading it to the cloud, using encryption keys that you control, so that you retain full control over who can read it.

A cloud provider may offer built-in encryption services to safeguard your data from outside parties, but provider-managed encryption means the provider holds your encryption keys. Most providers also offer customer-managed keys in their key management service, which keeps key policy in your hands while still letting the service decrypt; client-side encryption with keys the provider never sees is the strongest option, at the cost of provider-side features (search, indexing, server-side processing) that need the plaintext.

Kinsta takes a fully encrypted approach to further protect its secure WordPress hosting. This means we do not support FTP connections, only encrypted SFTP and SSH connections.
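Client-side encryption with keys you hold, as the text suggests, shown as an added example in Go using only the standard library (written for this guide; it is not Kinsta's code, and the object name and contents are constructed). It uses envelope encryption: each object gets a fresh data key, that data key is wrapped under a key-encryption key (KEK) that stays with you, and only the wrapped key plus the ciphertext are uploaded, so the provider never sees plaintext or a usable key. Both layers are AES-256-GCM, so any modification of the stored bytes is rejected on decrypt instead of yielding corrupted data:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what actually gets uploaded to the provider.
type Envelope struct {
	WrappedKey []byte // nonce || AES-GCM(KEK, dataKey)
	Ciphertext []byte // nonce || AES-GCM(dataKey, plaintext)
}

// newGCM builds an AES-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBytes encrypts plaintext under key with a random nonce prepended.
// aad binds the object name so a ciphertext cannot be silently moved to
// a different object name and still decrypt.
func sealBytes(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// openBytes reverses sealBytes and fails on any tampering or wrong key/aad.
func openBytes(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// NewKEK generates the customer-held key. In production this lives in an
// HSM or a KMS you control, never alongside the data.
func NewKEK() ([]byte, error) {
	kek := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, kek)
	return kek, err
}

// Encrypt produces the envelope for one object: a fresh data key for the
// content, then that data key wrapped under the KEK.
func Encrypt(kek, plaintext []byte, objectName string) (Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return Envelope{}, err
	}
	ct, err := sealBytes(dataKey, plaintext, []byte(objectName))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := sealBytes(kek, dataKey, []byte(objectName))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key with the KEK, then opens the object.
func Decrypt(kek []byte, env Envelope, objectName string) ([]byte, error) {
	dataKey, err := openBytes(kek, env.WrappedKey, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openBytes(dataKey, env.Ciphertext, []byte(objectName))
}

func main() {
	kek, err := NewKEK()
	if err != nil {
		panic(err)
	}
	plaintext := []byte("customer-id,balance\n1001,250.00\n") // constructed object
	env, err := Encrypt(kek, plaintext, "exports/ledger.csv")
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext visible to provider:", bytes.Contains(env.Ciphertext, plaintext))
	got, err := Decrypt(kek, env, "exports/ledger.csv")
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, plaintext))
	env.Ciphertext[len(env.Ciphertext)-1] ^= 0x01 // simulate a modified object in storage
	_, err = Decrypt(kek, env, "exports/ledger.csv")
	fmt.Println("tamper detected:", err != nil)
}
```

The trade-off the section glosses over: once you hold the keys, losing the KEK loses the data, and provider features that need plaintext stop working. Keep the KEK in an HSM or KMS you control, rotate data keys per object as above so a KEK rotation only needs the small wrapped keys re-encrypted, and rehearse key recovery before depending on this in production.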

Implement a Strong Password Security Policy

A strong password security policy is best practice regardless of the service you are accessing. Implementing the strongest policy possible is an important element in preventing unauthorized access.

As a minimum, require all passwords to contain an upper-case letter, a lower-case letter, a number, a symbol, and at least 14 characters. Require users to update their password every 90 days, and configure the system to remember the last 24 passwords so they cannot be reused.

A password policy like this stops users from creating simple passwords across multiple devices and defends against most brute-force attacks. One caveat a practitioner should weigh: NIST SP 800-63B, the current US guidance on authenticators, advises against mandatory periodic rotation and composition rules unless there is evidence of compromise, and favors length, screening new passwords against lists of known-breached values, rate limiting at the verifier, and MFA. If your compliance regime still demands rotation, keep the length requirement and add breached-password screening rather than relying on complexity rules alone.

As an added layer of protection, you should also implement multi-factor authentication, requiring the user to present two or more pieces of evidence to prove their identity.
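A verifier for the password rules above, as an added example written for this guide (it is not Kinsta's code). It goes slightly beyond the text by also screening candidates against a breached-password list, the control NIST SP 800-63B favors over composition rules. The breached list, the salt, and the password history are constructed; the history is hashed with SHA-256 to keep the demo dependency-free, where a production verifier would use bcrypt, scrypt or Argon2. The 90-day expiry is a scheduling concern and is not shown:

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode"
)

// Policy mirrors the rules in the text plus a breached-password screen.
type Policy struct {
	MinLength   int
	HistorySize int             // previous passwords that may not be reused
	Breached    map[string]bool // lower-cased known-breached values (constructed list)
}

// Account keeps salted hashes of past passwords so that old passwords are
// never stored in clear. SHA-256 here stands in for a slow password hash.
type Account struct {
	Salt    []byte
	History []string // hex digests, oldest first
}

func (a Account) hash(pw string) string {
	sum := sha256.Sum256(append(append([]byte{}, a.Salt...), []byte(pw)...))
	return hex.EncodeToString(sum[:])
}

// Check returns the list of policy violations; an empty list means accepted.
func (p Policy) Check(acct Account, candidate string) []string {
	var problems []string
	if len([]rune(candidate)) < p.MinLength {
		problems = append(problems, fmt.Sprintf("shorter than %d characters", p.MinLength))
	}
	var upper, lower, digit, symbol bool
	for _, r := range candidate {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			symbol = true
		}
	}
	if !(upper && lower && digit && symbol) {
		problems = append(problems, "needs upper-case, lower-case, digit and symbol")
	}
	if p.Breached[strings.ToLower(candidate)] {
		problems = append(problems, "appears in breached-password list")
	}
	// Compare against the last HistorySize entries only, in constant time.
	digest := acct.hash(candidate)
	start := len(acct.History) - p.HistorySize
	if start < 0 {
		start = 0
	}
	for _, old := range acct.History[start:] {
		if subtle.ConstantTimeCompare([]byte(old), []byte(digest)) == 1 {
			problems = append(problems, fmt.Sprintf("reuses one of the last %d passwords", p.HistorySize))
			break
		}
	}
	return problems
}

// Rotate records a newly accepted password and trims history to the window.
func (p Policy) Rotate(acct Account, pw string) Account {
	acct.History = append(acct.History, acct.hash(pw))
	if extra := len(acct.History) - p.HistorySize; extra > 0 {
		acct.History = acct.History[extra:]
	}
	return acct
}

func demoPolicy() Policy {
	return Policy{
		MinLength:   14,
		HistorySize: 24,
		Breached:    map[string]bool{"summer2020!!abc": true, "password1234!!": true}, // constructed
	}
}

func main() {
	p := demoPolicy()
	acct := Account{Salt: []byte("constructed-salt")}
	acct = p.Rotate(acct, "Old-Passw0rd-2019!")
	for _, c := range []string{"Tr0ub4dor&3-horse-staple", "Old-Passw0rd-2019!", "Summer2020!!ABC", "short1!A"} {
		fmt.Printf("%-26s %v\n", c, p.Check(acct, c))
	}
}
```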

Use a Cloud Access Security Broker (CASB)

Use of a CASB is fast becoming a central tool for implementing cloud security best practice. It is software that sits between you and your cloud service provider(s) and extends your security controls into the cloud.

A CASB offers a sophisticated cloud security toolset that provides visibility of your cloud ecosystem, enforces data security policies, implements threat identification and protection, and maintains compliance.

You can learn more about how a CASB works later in the guide, including a list of the top 5 CASB providers.

Top 10 Security Checklist Recommendations for Cloud Customers

When moving to the cloud and selecting a service provider, one of the most important factors to consider is security. You will be sharing and/or storing company data with your chosen service provider.

You need to be confident that your data is secure. There are countless security factors to consider, from shared responsibility to whether the provider's security standards are up to scratch. This can be a daunting process, especially if you are not a security expert.


To help, we have compiled a top-10 security checklist for evaluating a cloud service provider.

1. Protection of Data in Transit and Data at Rest

When moving to a cloud service, a key element of security is the protection of data in transit between you (the end user) and the provider. This is a two-fold responsibility shared by you and the provider. You need network protection to prevent the interception of data, and encryption to prevent an attacker from reading any data that is intercepted.

Look for a service provider that gives you a set of tools to easily encrypt your data in transit and at rest. This ensures the same level of protection for any internal data transfer within the cloud service provider, and for transfers between the cloud service provider and other services where APIs are exposed.

2. Asset Protection

When selecting a cloud service provider, you need to understand the physical location where your data is stored, processed, and managed. This is especially important following the introduction of government and industry regulations such as GDPR.

To ensure your assets are protected, a good provider has advanced physical protection in its data centers to defend your data from unauthorized access. It also ensures your data assets are erased before any resources are re-provisioned or disposed of, to prevent them from falling into the wrong hands.

3. Visibility and Control

A key factor in security is the ability to see and control your own data. A good service provider offers a solution that gives you full visibility of your data and who is accessing it, regardless of where it is and where you are.

Your provider should offer activity monitoring so you can discover changes to configuration and security across your ecosystem, as well as support for compliance through integration with new and existing solutions.

4. Trusted Security Marketplace and Partner Network

Securing your cloud deployment will take more than one solution or partner. A good cloud service provider makes it easy for you to find and connect with different partners and solutions through a marketplace.

Look for a provider with a marketplace offering a curated network of trusted partners with a proven security track record. The marketplace should also offer security solutions that provide one-click deployment and complement your own efforts to secure data, whether you operate a public, private, or hybrid cloud deployment.

5. Secure User Management

A good cloud service provider offers tools that enable secure management of users. This helps prevent unauthorized access to management interfaces and procedures, ensuring applications, data, and resources are not compromised.

The cloud provider should also offer functionality to implement security controls that separate tenants and prevent any malicious (or compromised) user from affecting the services and data of another.

6. Compliance and Security Integration

When considering a cloud service provider, security and compliance go hand in hand. The provider should meet global compliance requirements validated by a third-party organization. You want a cloud service provider that follows industry best practice for cloud security and ideally holds a recognized certification.

The Cloud Security Alliance's Security, Trust, and Assurance Registry (STAR) program is a good indicator. Also, if you operate in a highly regulated industry, where HIPAA, PCI DSS, and GDPR might apply, you will need to identify a provider with the industry-specific certification.

To ensure your compliance efforts are both cost-effective and efficient, the cloud service provider should let you inherit its security controls into your own compliance and certification programs.

7. Identity and Authentication

Your cloud provider should ensure that access to any service interface is limited to authorized and authenticated individuals only.

When looking at providers, you want a service offering identity and authentication features including username and password, two-factor authentication, TLS client certificates, and identity federation with your existing identity provider.

You also want the ability to restrict access to a dedicated line, enterprise network, or community network. A good provider delivers authentication only over secure channels, such as HTTPS, to avoid interception.

Make sure you avoid services with weak authentication practices. These expose your systems to unauthorized access, leading to data theft, changes to your service, or denial of service. Also avoid authentication via email, plain HTTP, or telephone.

These channels are highly vulnerable to social engineering and to interception of identity and authentication credentials.

8. Operational Security

When selecting a cloud service, look for a provider that implements strong operational security to detect and prevent attacks. This should cover four core elements:

Configuration and Change Management

You want a provider that offers transparency about the assets that make up the service, including any configurations or dependencies. It should inform you of any changes to the service that might affect security, so that vulnerabilities are not introduced unnoticed.

Vulnerability Management

Your provider should have a vulnerability management process to detect and mitigate any new threats to its service. You should be kept informed of these threats, their severity, and the planned mitigation timeline, including resolution.

Protective Monitoring

Any provider worth its salt has advanced monitoring tools to identify any attack, misuse, or malfunction of the service. It takes quick and decisive action to address incidents and keeps you informed of the outcome.

At Kinsta, we pride ourselves on delivering the highest operational security standards for WordPress hosting. This includes implementing the latest security updates, continuous uptime monitoring, automatic backups, and active and passive measures to stop any attack in its tracks.

Bottom line: your site is monitored and secured 24/7.

Incident Management

Your ideal provider will have a pre-planned incident management process in place for common types of attacks. They will be ready to deploy this process in response to any attack.

There will be a clear contact route to you to report any incidents, with an acceptable timescale and format in place.

9. Personnel Security

You need a cloud service provider whose personnel you can trust, as they will have access to your systems and data. Your chosen cloud service provider will have a rigorous and transparent security screening process in place.

They should be able to verify their personnel's identity and right to work, and check for any unspent criminal convictions. Ideally, you want them to conform to your country's locally established screening standard, such as BS 7858:2019 in the UK or completion of form I-9 in the US.

In addition to screening, you want a service provider who ensures their personnel understand their inherent security responsibilities and undergo regular training. They should also have a policy to minimize the number of people who have access to and can affect your services.

10. Secure Use of the Service

You can choose a cloud provider with cutting edge security and still experience a breach through poor use of the service. It』s important to understand where security responsibilities lie when using the service.

Your level of responsibility will be influenced by your cloud deployment model, how you use any services and the built-in features of any individual service.

For example, you have significant security responsibilities with IaaS. When you deploy a compute instance, it falls to you to install a modern operating system, configure its security, and ensure ongoing patching and maintenance. The same is true of any application you deploy on that instance.

So, make sure you understand the security requirements of your chosen service and any security configuration options available to you. Ensure you also educate your staff in secure use of your chosen services.

What is the Cloud Security Alliance?

When we look at the cloud computing industry, it』s a disparate market without a central governing body where businesses can go for guidance. This can be frustrating, especially when approaching challenges like cloud security.

Thankfully, in the place of governing bodies, there are a number of organizations that dedicate themselves to supporting the industry. The Cloud Security Alliance is one such organization.

Cloud Security Alliance logo

The Cloud Security Alliance (CSA) is a non-profit organization dedicated to developing and raising awareness of best practices to maintain a secure cloud computing environment.

It is a membership organization offering the industry cloud-specific security guidance in the form of education, research, events, and products. This guidance is harnessed directly from the combined subject matter expertise of industry practitioners, associations, governments, and the CSA』s individual and corporate members.

To give you a better understanding of the Cloud Security Alliance, let』s take a closer look at how they support the industry.

Membership

The CSA is built on the foundation of its members. Joining the CSA as a member opens a range of different benefits depending on whether you』re an individual, enterprise, or solution provider.

Primarily these fall into similar categories, including access to their expert network of other members, a seat on the International Standardization Council, discounts on training, and access to exclusive events and webinars.

Assurance

The CSA has developed one of the most renowned cloud security certification programs: the Security, Trust & Assurance Registry (STAR).

STAR is a provider assurance program that provides transparency through self-assessment, third-party auditing, and continuous monitoring against standards. The program comprises three levels, demonstrating that the holder adheres to best practices while validating the security of its cloud offerings.

Education

To support continual improvement of cloud security in the industry, the CSA offers a range of education services. You can pursue a range of cloud security certifications developed by the CSA, access their knowledge center, and take part in their regularly scheduled educational webinars and events.

Research

The CSA continues to support the industry developing and innovating cloud-security best practice through its ongoing research. This is driven by their working groups which now span 30 domains of cloud security.

Most recent and cutting edge include the emergence of working groups for DevSecOps, the Internet of Things, Artificial Intelligence, and Blockchain. The CSA continually publishes its research – free of charge – ensuring the industry can keep up-to-date and informed of the ever-changing nature of cloud security.

Community

The CSA also supports the industry by continuing to maintain and develop the cloud security community. They have created and maintain a wide range of communities which allow minds from across the cloud security industry to connect, share knowledge and innovate.

The CSA blog

These growing communities come in many forms. There are CSA chapters you can join to connect with local professionals, and CSA summits where the best minds share their expertise with the wider community. There is even the CSA blog, which hosts a community of followers wanting to keep pace with the CSA's practices.

What is Kaspersky Security Cloud?

When talking about cloud security, it』s easy to focus on enterprises and forget about the need for individual consumers.

If you're accessing cloud services for your own personal use (photos, files, life admin) you still need to think about the security of your data. One product aimed at exactly this is Kaspersky Security Cloud, the adaptive cloud-based security solution from Kaspersky.

Kaspersky Security Cloud

Combining the very best features and applications from Kaspersky Lab』s anti-virus software, it creates responsive protection for users』 devices against digital threats.

The platform was designed for individual users, not businesses.

Kaspersky Security Cloud protects your devices against malware and viruses, adding functionality to adapt how you use each device to provide maximum protection at all times. It offers features including antivirus, anti-ransomware, mobile security, password management, VPN, parental controls, and a range of privacy tools.

The platform is available on Windows, macOS, Android, and iOS. The Kaspersky Security Cloud Family plan offers protection for up to 20 devices.

Core Functionality in Kaspersky Security Cloud

To help you better understand the Kaspersky Security Cloud offering, we』ve taken a closer look at the core functionality within the platform which is split into four sections:

Scan

The critical functionality you want from any security solution, Kaspersky Security Cloud can scan your devices and remove any malware or viruses found. You can choose from a number of scanning options including individual files, quick scan, whole system, and scheduled.

Privacy

You can protect your privacy using built-in functionality to check your online accounts to ensure they are not compromised, block your webcam from being accessed, and block website traffic to prevent your browsing activities being monitored.

You can extend your privacy with additional downloads of Kaspersky Secure Connection and Kaspersky Password Manager. Secure Connection encrypts all data you send and receive while also hiding your location, while Password Manager stores and secures your passwords.

Home Network

Home Network gives you the visibility of all devices that are connected to your home network. Identifying those that are protected by Kaspersky Security Cloud. The functionality allows you to be notified when a new device connects and also block any unknown devices.

HD Health

Useful yet simple, the HD Health functionality gives you a rating of your hard drive's condition and temperature, with information on error rates, power cycles, power-on hours, total data read, and total data written.

Kaspersky Security Cloud is a great example of how the adoption of cloud services has created the need for new security solutions.

In the next section, we look at a similar example in the enterprise world with the arrival of Cloud Access Security Brokers.

What is a Cloud Access Security Broker (CASB)?

A Cloud Access Security Broker (CASB) is software that sits between you, the cloud service consumer, and your cloud service provider(s). A CASB extends your security controls from your on-premises infrastructure into the cloud, helping to enforce security, compliance, and governance policies for your cloud applications. It typically runs on-premises or is hosted in the cloud.

Cloud-Access-Security-Broker-Model

Cloud Access Security Broker Model (Image source: Gartner)

A CASB will help you defend against high-level cloud security risks and support ongoing monitoring and mitigation of high-risk events. It does this by securing the data moving between your on-premise and cloud environment using your organization』s security policies.

A CASB will protect you from cyberattacks with malware prevention and secure your data using end-to-end encryption preventing outside users from deciphering the content.

How does a CASB work?

A CASB can be deployed in three separate ways: as a reverse proxy, forward proxy, or in an 『API mode』. Each has its own unique advantages and disadvantages, with many industry experts recommending a multimode deployment.

Let』s take a closer look at the different deployment modes of a CASB:

Reverse Proxy

A reverse proxy sits in front of the cloud service, providing inline security by being in the path of the traffic. Users are directed to the broker, typically by the identity provider at login, and the broker forwards their requests to the application. Because nothing needs to be installed on the client, it works for unmanaged devices, but it only covers the sanctioned applications you place behind it.

Forward Proxy

A forward proxy sits in front of the user, with the CASB proxying traffic to many cloud platforms. The connection runs from your users, behind your firewall, out to the internet, so it needs an agent or proxy setting on the device. Like the reverse proxy, it provides inline security, and because it sees all outbound traffic it can also cover unsanctioned services.

API Mode

Unlike the proxy deployments, using the cloud provider's Application Programming Interface (API) integrates the CASB directly with the cloud service, out of the traffic path. This covers access from both managed and unmanaged devices without agents, and it can inspect data already at rest, but enforcement is near-real-time rather than inline, so it cannot block an action before it happens.

Depending on the cloud service provider's API functionality, you can view activity and content and take enforcement action.
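The inline (proxy) deployment mode in code, as an added example written for this guide rather than any vendor's CASB: a Go reverse proxy that inspects uploads for a constructed set of DLP patterns before they reach the cloud application and blocks the request if they match. The upstream application, its URL, the audit header name, and the sample bodies are all stand-ins, and the demo routes the proxy's outbound traffic to an in-process handler so it runs without opening any network sockets:

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"regexp"
	"strings"
)

// Constructed DLP rules: a US SSN and a 16-digit card number. A real
// CASB uses classifiers, but the control point is the same: inspect
// the body before the cloud application ever sees it.
var sensitivePatterns = []*regexp.Regexp{
	regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`),
	regexp.MustCompile(`\b(?:\d{4}[ -]?){3}\d{4}\b`),
}

// ContainsSensitiveData reports whether a body trips any DLP rule.
func ContainsSensitiveData(body []byte) bool {
	for _, re := range sensitivePatterns {
		if re.Match(body) {
			return true
		}
	}
	return false
}

// NewCASBProxy returns a reverse proxy for target that blocks uploads
// containing sensitive data and tags everything it forwards with an
// audit header (name chosen for this demo). transport may be nil.
func NewCASBProxy(target *url.URL, maxBody int64, transport http.RoundTripper) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(target)
	if transport != nil {
		rp.Transport = transport
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost || r.Method == http.MethodPut {
			body, err := io.ReadAll(io.LimitReader(r.Body, maxBody+1))
			if err != nil {
				http.Error(w, "read error", http.StatusBadRequest)
				return
			}
			if int64(len(body)) > maxBody {
				http.Error(w, "body too large to inspect", http.StatusRequestEntityTooLarge)
				return
			}
			if ContainsSensitiveData(body) {
				http.Error(w, "blocked by DLP policy", http.StatusForbidden)
				return
			}
			// Put the consumed body back so the upstream receives it intact.
			r.Body = io.NopCloser(bytes.NewReader(body))
			r.ContentLength = int64(len(body))
		}
		r.Header.Set("X-CASB-Inspected", "true")
		rp.ServeHTTP(w, r)
	})
}

// handlerTransport delivers the proxy's outbound requests to an
// in-process handler, standing in for the network hop to the cloud app.
type handlerTransport struct{ h http.Handler }

func (t handlerTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	t.h.ServeHTTP(rec, r)
	return rec.Result(), nil
}

// upstreamEcho stands in for the cloud application: it echoes the body.
func upstreamEcho(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("X-Seen-Inspected", r.Header.Get("X-CASB-Inspected"))
	io.Copy(w, r.Body)
}

// ProbeStatuses pushes constructed uploads through the proxy and returns
// the HTTP status each one receives, in order.
func ProbeStatuses(bodies []string) []int {
	target, _ := url.Parse("http://cloud-app.example") // hypothetical upstream
	proxy := NewCASBProxy(target, 1<<20, handlerTransport{http.HandlerFunc(upstreamEcho)})
	var statuses []int
	for _, b := range bodies {
		rec := httptest.NewRecorder()
		proxy.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/upload", strings.NewReader(b)))
		statuses = append(statuses, rec.Code)
	}
	return statuses
}

func main() {
	fmt.Println(ProbeStatuses([]string{
		"quarterly notes: nothing sensitive here",
		"employee record ssn 123-45-6789",
		"card on file 4111 1111 1111 1111",
	})) // [200 403 403]
}
```

This is the reverse-proxy shape: the broker fronts the cloud application and sees every request from any device. A forward-proxy placement changes where clients are pointed (an explicit proxy setting or agent on managed devices), not the inspection logic. API mode would instead read the stored object after the fact and could not have blocked these uploads in flight. Note that GET query strings and multipart encodings are not inspected here; a production broker has to decode every channel data can travel through.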

The Pillars of Functionality in CASBs

A CASB delivers functionality which falls under four 『pillars』, these include:

1. Visibility

When a cloud application sits outside the view of your IT department, you create information that is uncontrolled by your business』 governance, risk, and compliance processes.

A CASB gives you visibility of all cloud applications and their usage. Including vital information on who is using the platform, their department, location, and the devices used.

2. Data Security

Using a cloud platform creates an increased risk of inadvertently sharing data with the wrong people. If you』re using cloud storage, a typical data loss prevention (DLP) tool won』t be able to track or control who is accessing your data.

A CASB helps you to enforce data-centric security within a cloud platform combining encryption, tokenization, access control, and information rights management.

3. Threat Protection

One of the most difficult security threats to protect against is your own staff. Even former employees who』ve been disabled from your organization』s core systems may still be able to access cloud apps containing business-critical information.

CASBs allow you to detect and respond to malicious or negligent insider threats, privileged users, and compromised accounts within your cloud infrastructure.

4. Compliance

When your data moves to the cloud, you』ll need to ensure you maintain data security and privacy to comply with industry and governmental regulations. A CASB will do this for you, identifying and enforcing DLP policies on sensitive data in your cloud deployment. Helping you to maintain compliance with regulations including SOX and HIPAA.

A CASB will also help benchmark your cloud security configuration against core regulatory requirements like PCI DSS, NIST, CJIS, MAS and ISO 27001.

The Top 5 Cloud Access Security Brokers in 2020

The mass migration of services to the cloud paired with the need to implement cloud security due to the significant risks of data breach and loss has created an explosion in the CASB market.

As a next-generation technology, CASBs have become an essential element of cloud security strategy. One in five large enterprises uses a CASB to secure or manage its cloud services, according to Gartner's "Magic Quadrant for Cloud Access Security Brokers" report:

Gartner 2019 Cloud Access Security Broker (CASB) Magic Quadrant

Gartner identifies five leaders in the CASB market in its Magic Quadrant. They are:

McAfee

McAfee entered the CASB market in January 2018 with its high-profile acquisition of Skyhigh Networks. Now known as MVISION Cloud, the platform provides coverage across all four CASB pillars for a broad range of cloud services.

The platform provides a comprehensive DLP engine and offers advanced controls including encryption and tokenization of structured and unstructured data. The CASB can be deployed in API mode, in reverse-proxy mode, and as a forward proxy.

McAfee has also made an on-premises virtual app available for those that require it.

Microsoft

Microsoft's CASB offering is called Microsoft Cloud App Security. The platform supports multiple deployment modes, including reverse proxy and API connectors. Microsoft continues to develop the CASB solution with enhanced visibility, analytics, data control, and automation functionality.

Microsoft Cloud Application Security also natively integrates with Microsoft』s growing portfolio of security and identity solutions including Azure Active Directory and Microsoft Defender Advanced Threat Protection.

This allows Microsoft to offer customers a fully integrated solution across their Microsoft platforms with single-click deployments.

Netskope

Unlike many players in the space who are simply acquiring CASB solution providers, Netskope remains an independent company. The provider is renowned for excellence in application discovery and SaaS security assessments.

Netskope supports thousands of cloud services through published APIs and inline decoding of unpublished APIs. The CASB offers DLP and identifies threats in real-time using combined threat intelligence, static and dynamic analysis and machine learning-based anomaly detection.

Symantec

Symantec』s CASB offering is called CloudSOC, enhanced in 2016 with the acquisition and integration of Blue Coat Systems』 Perspecsys and Elastica products.

CloudSOC offers DLP using automated data classification and multimode oversight using native cloud APIs, real-time traffic processing, and input from multiple data feeds. You can automatically identify and nullify threats from inside and outside your organization with advanced user behavior analytics (UBA).

Bitglass

Bitglass Cloud Security is referred to as a next-generation CASB, designed to integrate with any app, device, or network.

The platform runs natively from the cloud and is known for securing corporate data on mobile devices without using agents or profiles. Bitglass rose to prominence by introducing a zero-day approach focused on trust ratings, trust levels, and at-rest encryption.

A Look at the Top 10 Cloud Security Certifications in 2020

To successfully protect your cloud platform, you』re going to need advanced cloud security skills and knowledge. You』ll also need to learn platform-specific skills so you can configure access, network security and ensure data protection all within your chosen cloud provider.

Thankfully, the cloud training and certification market continues to evolve and offer up a number of solutions. You can now choose from a wide range of platform-specific and vendor-neutral certifications to help you develop and prove the skills you need. Whether you』re looking to develop foundation knowledge or tailor your skillset to a specific job role, there is a certification for you.

To help in your search, we』ve compiled a list of the top 10 cloud security certifications to achieve in 2020.

Earning just one of these certifications will not only help you better secure your cloud deployment, but it』ll also make you more employable, and advance your salary.

(ISC)2 – Certified Cloud Security Professional (CCSP)

The CCSP is a globally recognized cloud security certification aimed at IT and Information Security leaders.

Earning the CCSP demonstrates you have the advanced technical skills and knowledge to design, manage and secure data, applications, and infrastructure in the cloud. You will do this using the best practices, procedures, and policies developed by cybersecurity experts at (ISC)2. The CCSP is ideal if you』re an Enterprise Architect, Systems Engineer, Security Administrator, Architect, Engineer, or Manager.

Before training for and attempting the CCSP exam, you need to meet some strict experience requirements: five years of full-time experience working in IT, including three years in cybersecurity and one year in one or more of the six domains of the CCSP CBK. You can substitute the experience requirements if you hold the equally advanced (ISC)² CISSP credential, which (ISC)² bills as "The World's Premier Cyber Security Certification".

Cloud Security Alliance – Certificate of Cloud Security Knowledge (CCSK)

The CCSK certificate is a widely-recognized entry-level certification in cloud security. It was developed by the Cloud Security Alliance, a member organization helping to ensure secure cloud computing environments by defining and raising awareness of industry best practice.

Earning the CCSK certification will prove you have the foundation skills and knowledge required to secure data in the cloud. You』ll learn how to build a baseline of security best practices mapped to a range of responsibilities from configuring technical security controls to cloud governance.

By becoming CCSK certified, you will also meet some prerequisite experience required if you intend to pursue the more advanced CCSP certification from (ISC)².

AWS Certified Security – Specialty

The AWS Certified Security – Specialty credential is ideal if you are looking to develop your career working with the AWS cloud platform.

By achieving the AWS Certified Security, you』ll validate your skills across data classifications, encryption methods, secure Internet protocols, and the AWS mechanisms required to implement them.

Working towards the certification, you can choose from a diverse learning pathway to shape your knowledge and skills across security fundamentals, architecting and security engineering on AWS. By the end of the pathway, you』ll have developed the control and confidence to securely run applications in the AWS Cloud.

To start working towards the credential, you should be in a security role and have at least two years of hands-on experience securing AWS workloads.

Microsoft Certified: Azure Security Engineer Associate

Recently, Microsoft transformed their certification pathways to be role-based. By earning one of their certifications, you are now proving you have the required skills and knowledge to perform a specific job role.

So, earning the Azure Security Engineer Associate certification shows you have the skills to be a Security Engineer on the Azure Cloud Platform. This includes the ability to protect data, applications, and networks in a cloud environment. Implementing security controls and threat protection as well as managing identity and access.

There are no prerequisite skills requirements before you attempt the AZ-500: Microsoft Azure Security Technologies exam.

Google Cloud – Professional Cloud Security Engineer

Earning Google』s Professional Cloud Security Engineer credential proves you can design, develop, implement, and manage secure infrastructure on the Google Cloud Platform. You』ll do this using Google security technologies aligned to security best practices and industry requirements.

By pursuing the Professional Cloud Security Engineer certification, you』ll need to learn how to configure access, network security and ensure data protection within the Google Cloud Platform. You』ll also need to develop knowledge to ensure compliance and managed operations.

Like the Azure and AWS certifications, this credential is ideal if you』re looking to develop cloud security skills specific to the Google Cloud Platform. Advancing your career with this leading cloud provider.

Alibaba ACA Cloud Security Certification

This ACA Cloud Security certification is the first in a certification pathway from Alibaba. Gaining this certification will prove you have the foundation knowledge to apply cloud security principles in an Alibaba cloud deployment.

You'll develop fundamental skills with Linux and networking operations while also learning about hosting, application, network, and data security solutions within the Alibaba Cloud Platform. You'll cover several key security products from Alibaba including Server Guard, WAF, Anti-DDoS Basic, and Anti-DDoS Pro.

After achieving the associate level certification, you can then pursue the Alibaba ACP Cloud Security certification.

Alibaba ACP Cloud Security Certification

The ACP Cloud Security certification is the second certification in the Alibaba cloud security pathway. It is a more advanced certification aimed at architects, developers and O&M professionals working with Alibaba Cloud security products.

Building on the foundation skills and knowledge achieved in the ACA Cloud Security certification, you'll learn about Alibaba Cloud's core products in security, monitoring, and management.

Once you have achieved the Professional level certification, you can then pursue the Alibaba ACE Cloud Security certification, though the expert level certification is still in development and is expected to launch soon.

Cloud Credential Council – Professional Cloud Security Manager Certification (PCS)

The CCC Professional Cloud Security Manager credential is an advanced certification from the Cloud Credential Council. It's ideally suited if you're a governance and risk professional, auditor, compliance specialist, or cloud computing specialist.

Working towards the certification, you will learn the skills and knowledge to apply best practices for security and governance in a cloud environment, covering key topics like cloud service management, governance, and strategy. You'll also learn how to design, deploy, and migrate a cloud service in a secure environment.

Due to the advanced nature of the certification, it is recommended you already hold the CCC Cloud Technology Associate and CCC Cloud Virtualization Essentials delivered by EXIN.

Oracle Cloud Platform Identity and Security Management 2019 Certified Associate

The title of Oracle's cloud security certification is self-explanatory: you will learn about identity and security management on the Oracle Cloud Platform. It is ideal if you're a security professional looking to demonstrate your expertise in implementing cloud solutions.

Preparing for the certification, you'll cover core security functionality in the Oracle Cloud Platform, building the knowledge and skills to implement Oracle Identity Cloud Service, Oracle CASB Cloud Service, services architecture and deployment, and the Identity Security Operations Center Framework.

Passing the 1Z0-1070 exam will certify you as an Oracle Certified Associate (OCA), a globally recognized credential. You will validate your capabilities with the Oracle Cloud Security portfolio, including configuration of the services. Before getting started, you'll need up-to-date and hands-on experience with Cloud Security implementations in an administrator role.

SANS SEC524: Cloud Security and Risk Fundamentals

The SEC524: Cloud Security and Risk Fundamentals is a course, not a certification. I've included it regardless as it teaches vital skills and knowledge not covered by the other certifications listed.

Most importantly, you'll learn how to evaluate the security of different cloud providers, covering the cloud computing delivery models – SaaS, PaaS, and IaaS – and their unique security requirements, as well as the additional security considerations when operating in a public, private, or hybrid cloud scenario.

Finishing the course, you'll come away with a range of key abilities: how to assess cloud contracts, adapt security architecture, tools, and processes for use in cloud environments, and perform vulnerability assessments of your cloud setup.

Summary

Moving to the cloud, you need to be ready to implement a comprehensive cloud security strategy from day one. This starts with identifying the right cloud service provider(s) and then implementing a strategy combining the right tools, processes, policies and best practices.

It is fundamental that you understand your shared responsibility and focus on compliance.

In cloud security, your staff — or your cloud provider's — are among the most critical and often overlooked aspects of defense against cybercriminals.

It's important to remember that cloud computing is no less secure than deploying your services on-premises. In fact, many cloud providers offer advanced security hardware and software you would otherwise not have access to.

Choosing the right provider will improve your security stance and reduce your risks, regardless of those introduced by cloud computing.