Cloud Application Incident Response, Notification and Remediation

Because of the nature of cloud computing, it is harder to determine when a security incident, data corruption or other condition requires investigation and action. To meet the reporting obligations that remain the customer's even though the environment has changed, the standard security incident response process has to be adapted. This article gives guidance on how to handle such events.

Customers do not always put data integrity and security design first when building applications for the cloud. The result is that vulnerable applications get deployed into the cloud environment, and those lead to security incidents. In addition, defects in the infrastructure, mistakes in hardening procedures and plain operational negligence are a significant threat to the operation of cloud services. The same weaknesses, of course, also endanger the operation of traditional data centers.

Incident handling obviously requires technical expertise, but privacy and legal experts also contribute a great deal to cloud security: in incident response they play a key role in notification, remediation and any legal action that may follow. An organization considering cloud services needs to review whether the provider has mechanisms that keep its employees from accessing customer data in ways not covered by the user agreement and privacy policy. In IaaS and PaaS architectures the provider's own applications do not manage the application data; this differs from SaaS, where the provider's application controls the data.

The complexity of delivering large SaaS, PaaS and IaaS services at a large cloud service provider means that responding to an incident can become a major undertaking, and prospective customers must decide what level of service in the corresponding SLA is acceptable. When evaluating a provider, bear in mind that it may host hundreds or thousands of application instances. From the monitoring perspective, every externally hosted application widens the responsibility of the Security Operations Center (SOC). A SOC typically monitors metrics, alerts and other events generated by intrusion detection systems and firewalls, but in an open cloud environment the number of sources and alerts that must be watched grows enormously; the SOC may, for example, have to monitor activity between tenants as well as external events.

An organization needs to understand the incident response strategy of the cloud service provider it chooses. That strategy must cover identification and notification as well as remediation options for unauthorized access to application data. To complicate matters, the management of and access to application data carry different meanings and regulatory requirements depending on where the data is stored. For example, unauthorized access to data held in Germany may constitute a reportable incident, while the same access to data held in the US may not be treated as an "incident" at all. This makes incident identification challenging.

Recommendations

Before a service is deployed, the cloud customer needs to define clearly, and agree with the cloud service provider, what it regards as an incident (for example, data corruption) and what is merely an event.

The customer's involvement in the provider's incident response activities may be very limited. It is therefore critical that the customer understands the established communication path to the cloud service provider's incident response team.

Cloud customers should find out which event detection and analysis tools the cloud service provider uses, to make sure they are compatible with the customer's own systems. In joint investigations, especially those involving legal proceedings or government involvement, a provider's proprietary or overly generic log formats are often a major obstacle. Poorly designed and poorly protected applications and systems can easily "flood" everyone's incident response capacity. Proper risk management of the system and defense-in-depth practices are key to reducing the chance of a security incident in the first place.

A Security Operations Center (SOC) often assumes a single governance model for incident response, but that does not fit a multi-tenant cloud service provider. A robust, well-maintained Security Information and Event Management (SIEM) process is needed to identify the available data sources (application logs, firewall logs, IDS logs and so on) and feed them into the SOC's common analysis and alerting platform so that events in the cloud environment can be detected.

For the most convenient and detailed offline analysis, look for cloud service providers that can take a snapshot of the customer's entire virtual environment, including firewalls, network components (switches), systems, applications and data.

Containment is a race between damage control and evidence gathering. A containment approach organized around the confidentiality-integrity-availability (CIA) triad is effective.

Remediation highlights the importance of being able to restore a system to a previous state, sometimes even to a known configuration from 6 or 12 months earlier. Bearing in mind the legal options and requirements, remediation may also call for a forensically sound record of the incident data.

All data classified as "private" under data breach regulation should be encrypted to reduce the consequences of a leak. Customers should specify the relevant encryption requirements in the contract (see D11).

Some cloud service providers host a large number of customers, each with unique applications. To be able to deliver fine-grained event information to each specific customer, such providers should consider an application-layer logging framework. They should also build a registry that records the application owner for each application interface (URL, SOA service and so on).

In a multi-tenant environment, application-level firewalls, proxy servers and other application logging tools are the key capabilities currently available to support incident response.
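The SIEM normalization, the application-interface-to-owner registry and the per-tenant event delivery described above, as an added example that is not part of the original article and not a real provider's code: application, WAF and reverse-proxy log lines are mapped onto one event schema, each event is attributed to the owning tenant through a longest-prefix lookup on host plus URL path, and events that no tenant owns are kept aside for the SOC. The log formats, hostnames, tenant names and registry entries are constructed for illustration.

```python
"""
Per-tenant incident attribution for a multi-tenant provider (illustrative).

All log line formats, hostnames, tenant names and registry entries below are
constructed; a real deployment would replace them with the provider's own
collectors and its application-owner registry.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed registry: "host/path-prefix" -> application owner (tenant).
# The longest matching prefix wins, so a sub-application with its own owner
# (billing) is attributed separately from the parent application.
REGISTRY = {
    "shop.example.net/": "tenant-acme",
    "shop.example.net/api/v2/billing": "tenant-acme-finance",
    "hr.example.net/": "tenant-globex",
}


@dataclass
class Event:
    """Common schema every source is normalised into before correlation."""
    source: str          # "app", "waf" or "proxy"
    host: str
    path: str
    client: str
    severity: str        # "info", "warn" or "critical"
    message: str
    owner: Optional[str] = None


# Constructed line formats, one per source feeding the SIEM.
APP_RE = re.compile(r'^app host=(\S+) path=(\S+) client=(\S+) level=(\w+) msg="([^"]*)"$')
WAF_RE = re.compile(r'^waf client=(\S+) host=(\S+) path=(\S+) rule=(\d+) action=(\w+)$')
PROXY_RE = re.compile(r'^proxy (\S+) (\S+) "(?:GET|POST|PUT|DELETE) (\S+) HTTP/\d\.\d" (\d{3})$')

SEVERITY_RANK = {"info": 0, "warn": 1, "critical": 2}


def app_severity(level: str) -> str:
    """Map an application log level onto the common severity scale."""
    level = level.upper()
    if level in ("ERROR", "CRITICAL", "FATAL"):
        return "critical"
    if level in ("WARN", "WARNING"):
        return "warn"
    return "info"


def parse_line(line: str) -> Optional[Event]:
    """Normalise one raw line; None when no collector format matches."""
    m = APP_RE.match(line)
    if m:
        host, path, client, level, msg = m.groups()
        return Event("app", host, path, client, app_severity(level), msg)
    m = WAF_RE.match(line)
    if m:
        client, host, path, rule, action = m.groups()
        sev = "critical" if action == "block" else "warn"
        return Event("waf", host, path, client, sev, f"rule {rule} {action}")
    m = PROXY_RE.match(line)
    if m:
        client, host, path, status = m.groups()
        sev = "warn" if status[0] in "45" else "info"
        return Event("proxy", host, path, client, sev, f"status {status}")
    return None


def lookup_owner(host: str, path: str) -> Optional[str]:
    """Longest-prefix match of host+path against the registry, on path boundaries."""
    key = host + path
    best: Optional[str] = None
    for prefix in REGISTRY:
        boundary = prefix if prefix.endswith("/") else prefix + "/"
        if key == prefix or key.startswith(boundary):
            if best is None or len(prefix) > len(best):
                best = prefix
    return REGISTRY[best] if best else None


def triage(lines: List[str]) -> Tuple[Dict[str, List[Event]], List[Event]]:
    """Return (events grouped by owning tenant, events nobody owns)."""
    per_tenant: Dict[str, List[Event]] = defaultdict(list)
    unowned: List[Event] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                      # unparseable: a collector gap to fix, not an event
        ev.owner = lookup_owner(ev.host, ev.path)
        (unowned if ev.owner is None else per_tenant[ev.owner]).append(ev)
    return dict(per_tenant), unowned


def notify_list(lines: List[str], min_severity: str = "warn") -> List[str]:
    """Tenants that must be notified: owners of an event at or above min_severity."""
    per_tenant, _ = triage(lines)
    floor = SEVERITY_RANK[min_severity]
    return sorted(t for t, evs in per_tenant.items()
                  if any(SEVERITY_RANK[e.severity] >= floor for e in evs))


# Constructed sample batch: three owned events, one unowned host, one junk line.
SAMPLE_LINES = [
    'app host=shop.example.net path=/api/v2/billing/invoice client=203.0.113.7 level=ERROR msg="integrity check failed"',
    'waf client=198.51.100.9 host=shop.example.net path=/api/v2/orders rule=942100 action=block',
    'proxy 203.0.113.7 hr.example.net "POST /login HTTP/1.1" 401',
    'proxy 192.0.2.4 legacy.example.net "GET /admin HTTP/1.1" 200',
    'garbage line the collector could not classify',
]

if __name__ == "__main__":
    owned, orphans = triage(SAMPLE_LINES)
    for tenant, evs in owned.items():
        print(tenant, [(e.source, e.severity, e.message) for e in evs])
    print("unowned:", [(e.host, e.path) for e in orphans])
    print("notify:", notify_list(SAMPLE_LINES))
```

The unowned bucket is the important output for the provider's SOC: an interface that produces security events but has no registered owner cannot be notified, so it is either a registry gap or something that should not be running at all.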

Summary

Applications deployed to the cloud do not always put data integrity and security design first, and vulnerable applications, infrastructure defects, hardening mistakes and operational negligence all lead to security incidents there just as they do in traditional data centers. Because the customer's visibility and control are limited, incident response has to be agreed with the provider in advance: what counts as an incident, how the provider's response team is reached, which detection tools and log formats are used, whether the environment can be snapshotted for offline analysis, how restoration and forensic records are handled, and how events are attributed and delivered to each tenant.
