One Article Review

Source: taosecurity blog
Identifier: 1068351
Publication date: 2019-03-13 16:15:01 (viewed: 2019-03-13 22:01:25)
Title: Thoughts on Cloud Security
Text:

Recently I've been reading about cloud security and security with respect to DevOps. I'll say more about the excellent book I'm reading, but I had a moment of déjà vu during one section.

The book described how cloud security is a big change from enterprise security because it relies less on IP-address-centric controls and more on users and groups. The book talked about creating security groups, and adding users to those groups in order to control their access and capabilities.

As I read that passage, it reminded me of a time long ago, in the late 1990s, when I was studying for the MCSE, then called the Microsoft Certified Systems Engineer. I read the book at left, Windows NT Security Handbook, published in 1996 by Tom Sheldon. It described the exact same security process of creating security groups and adding users. This was core to the new NT 4 role-based access control (RBAC) implementation.

Now, fast forward a few years, or all the way to today, and consider the security challenges facing the majority of legacy enterprises: securing Windows assets and the data they store and access. How could this wonderful security model, based on decades of experience (from the 1960s and 1970s no less), have failed to work in operational environments?

There are many reasons one could cite, but I think the following are at least worthy of mention.

The systems enforcing the security model are exposed to intruders.

Furthermore:

Intruders are generally able to gain code execution on systems participating in the security model.

Finally:

Intruders have access to the network traffic, which partially contains elements of the security model.

From these weaknesses, a large portion of the security countermeasures of the last two decades have been derived as compensating controls and visibility requirements.

The question then becomes:

Does this change with the cloud?

In brief, I believe the answer is largely "yes," thankfully.

Generally, the systems upon which the security model is being enforced are not able to access the enforcement mechanism, thanks to the wonders of virtualization.

Should an intruder find a way to escape from their restricted cloud platform and gain hypervisor or management network access, then they find themselves in a situation similar to the average Windows domain network.

This realization puts a heavy burden on the cloud infrastructure operators. The major players are likely able to acquire and apply the expertise and resources to make their infrastructure far more resilient and survivable than their enterprise counterparts.

The weakness will likely be their personnel.

Once the compute and network components are sufficiently robust from externally sourced compromise, then internal threats become the next most cost-effective and return-producing vectors for dedicated intruders.

Is there anything users can do as they hand their compute and data assets to cloud operators?

I suggest four moves.

First, small- to mid-sized cloud infrastructure users will likely have to piggyback or free-ride on the initiatives and influence of the largest cloud customers, who have the clout and hopefully the expertise to hold the cloud operators responsible for the security of everyone's data.

Second, lawmakers may also need imp