Cloud security: common-sense mistakes to watch for

OVERVIEW: As hybrid cloud and multi-cloud become the trend, the traditional cloud security strategies of the past clearly no longer fit the new cloud environment. Although many companies attach great importance to cloud security, they have not identified many of the risk points or practical solutions. Most companies are still applying the security measures they used on-premises to the cloud, which leads to cloud security policy violations and a growing risk of application vulnerabilities. The most serious problem is that many security issues in private cloud deployments do not require a master hacker to break in; they stem from a lack of basic security knowledge.


Many security problems are hard to detect. Even under ideal circumstances major incidents happen easily, let alone when your own system has a flaw, which amounts to opening the door for an attacker. So to stay safe in the cloud, beyond investing in cloud security measures, stay alert to the common-sense security issues below.

First, do not ignore "zombie workloads".

Many companies tend to ignore the zombie workloads running on their system architecture. Especially when a serious security concern arises during a peak period for enterprise applications, the "zombie workloads" are the first to be excluded from consideration and ignored.

In fact, many people with ulterior motives use zombie resources to steal passwords. Although a zombie workload may be unimportant in itself, it is built on top of the company's overall infrastructure, and once it is poorly managed it becomes more vulnerable to intrusion. A 2018 report from Skybox Security showed that credential hijacking is a major type of network attack. DevOps teams should treat hosted credentials and encryption keys like money: make sure these resources cannot be used to threaten applications, and adopt effective security measures to prevent all malicious behaviour.

Second, pay attention to the problem of leaky AWS S3 buckets.

AWS cloud services, and S3 buckets in particular, are among the longest-standing cloud services, yet they have kept the same security model and rules as in the past, which has made them a prime target for ransomware attacks. Statistics show that 7% of Amazon S3 buckets have no limit on public access and 35% are not encrypted, which means this problem is common across Amazon S3.

Malicious actors can access not only sensitive corporate and customer data through an S3 bucket, but also cloud credentials. Many disastrous data leaks were caused by visits to unrestricted S3 buckets, so regularly checking for publicly accessible cloud storage on the AWS platform is very important work.
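The regular check described above, as an added example that is not part of the original article: it evaluates bucket records shaped like the GetPublicAccessBlock and GetBucketEncryption responses and reports buckets that are not fully blocked from public access or have no default encryption. The bucket names and records are constructed; a live inventory would fill the same BucketConfig fields from those two S3 API calls.

```python
"""Audit S3 bucket settings for public access and default encryption.

Added example, not from the original article. Bucket records are constructed
to mirror the GetPublicAccessBlock / GetBucketEncryption response shapes.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# All four settings must be on for a bucket to count as fully blocked.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


@dataclass
class BucketConfig:
    name: str                            # placeholder names in the sample below
    public_access_block: Optional[dict]  # PublicAccessBlockConfiguration, None if unset
    encryption_rules: Optional[list]     # ServerSideEncryptionConfiguration Rules, None if unset


def assess_bucket(cfg: BucketConfig) -> List[str]:
    """Return findings for one bucket; an empty list means it passes both checks."""
    findings = []
    pab = cfg.public_access_block or {}
    off = [f for f in PAB_FLAGS if not pab.get(f, False)]
    if off:
        findings.append("public access not fully blocked (off: %s)" % ", ".join(off))
    if not cfg.encryption_rules:
        findings.append("no default server-side encryption configured")
    return findings


def audit(buckets: List[BucketConfig]) -> Dict[str, List[str]]:
    """Map bucket name -> findings, listing only the buckets that fail a check."""
    return {b.name: f for b in buckets if (f := assess_bucket(b))}


# Constructed sample inventory: one compliant bucket, two that fail.
SAMPLE_BUCKETS = [
    BucketConfig("example-logs", {f: True for f in PAB_FLAGS},
                 [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]),
    BucketConfig("example-public-assets",
                 {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                  "BlockPublicPolicy": False, "RestrictPublicBuckets": False}, None),
    BucketConfig("example-legacy", None, None),
]

if __name__ == "__main__":
    for bucket, findings in audit(SAMPLE_BUCKETS).items():
        print(bucket, "->", "; ".join(findings))
```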

Third, system updates should not bypass the CI/CD pipeline.

Every DevSecOps team has the ingrained assumption that pushing system updates through the CI/CD pipeline makes deployments more secure, but that does not mean every run actually enforces this policy. To speed up deployment and sidestep security problems, developers often bypass the CI/CD pipeline by pulling in open-source libraries directly.

Although this saves developers time when publishing and updating systems, it places a greater burden on the security team, which has to do extra scanning for anomalous workloads. Over time, the development team comes to assume that the security team has no way to prevent unauthorized workloads, and simply accepts and deploys them. Ultimately the security posture gradually deteriorates, malicious intruders can run harmful workloads without attracting attention, and by the time anyone looks it is too late.

Fourth, restrict network access.

Many DevOps teams do not spend much time on separate network segments and access rights; instead they rely on a single, all-encompassing network configuration. These configurations cannot meet the necessary access restrictions, and such teams usually place all workloads in one VPC, so that it can be reached through third-party processes.

Without limits on public network access, it takes the security team a long time to identify and isolate malicious behaviour. Even if the DevSecOps team discovers some serious flaws in a short time, the vulnerabilities in the security profile cannot be dealt with promptly.

Fifth, set rules correctly when using microservices.

When a DevOps team runs microservices in containers, it may face greater challenges: finer-grained division means a misconfigured rule is more likely to appear.

Even those most familiar with the rules and clusters will produce a large number of vulnerabilities through negligence. For example, if a developer is allowed to connect remotely via SSH to the production environment from a particular IP, the rule may unwittingly allow unrestricted public access to sensitive parts of the network. Sometimes such rule misconfigurations go unnoticed for months. To avoid rule mistakes, it is necessary to use Amazon Inspector's agentless monitoring or other network assessment tools, and to audit regularly.
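One form the regular audit above can take, as an added example that is not part of the original article: it walks security-group records shaped like the IpPermissions entries of EC2 DescribeSecurityGroups and flags any rule that leaves an admin port (SSH or RDP) reachable from the whole internet, including all-traffic rules and IPv6. The group IDs, addresses and rules are constructed; a live run would feed the same structure from the describe call.

```python
"""Flag security-group rules that expose admin ports to the whole internet.
Added example, not from the original article. Group records are constructed
to mirror the IpPermissions shape of EC2 DescribeSecurityGroups output.
"""
from typing import Iterable, List, Tuple

ADMIN_PORTS = {22: "ssh", 3389: "rdp"}   # ports that should never be world-reachable
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

def _covers_port(perm: dict, port: int) -> bool:
    """True if the permission's range (or an all-traffic rule) includes port."""
    if perm.get("IpProtocol") == "-1":   # "-1" is AWS shorthand for all protocols/ports
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def _open_to_world(perm: dict) -> bool:
    """True if any IPv4 or IPv6 range on the rule is the whole address space."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6

def find_exposed(groups: Iterable[dict]) -> List[Tuple[str, int, str]]:
    """Return (group id, port, service) for each admin port reachable from anywhere."""
    hits = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            if not _open_to_world(perm):
                continue
            for port, svc in ADMIN_PORTS.items():
                if _covers_port(perm, port):
                    hits.append((g["GroupId"], port, svc))
    return hits

# Constructed sample: a bastion locked to one address, a prod group that also
# opened SSH to the world, and a legacy group allowing all IPv6 traffic.
SAMPLE_GROUPS = [
    {"GroupId": "sg-example-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-example-prod", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-example-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
```

Calling `find_exposed(SAMPLE_GROUPS)` reports the prod group's SSH rule and both admin ports on the legacy group, while the bastion rule and the public HTTPS rule are left alone.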

Reposted from: https://www.linuxprobe.com/cloud-security-knowledge.html


Source: www.cnblogs.com/it-artical/p/11794738.html