After the recent, widely publicised theft of celebrities' private data from iCloud, many business decision makers are thinking hard about how much they can trust the cloud. I won't go into the more sordid details of the iCloud vulnerability here; there's been enough of that elsewhere, but I do want to address the issue of cloud security in general and consider the questions that businesses should be asking cloud vendors before entrusting them with data.

What does the iCloud breach tell us about cloud security?

There are two things to consider here. The first is the way in which the data was stolen, and the second is a vulnerability that came to light around the same time but was not the cause of that breach.

The iCloud data theft was not particularly high-tech; it relied on social engineering of the users concerned, brute-force guessing and poor password management. The victims can't be blamed for this: cloud systems should be designed with real user behaviour in mind. The weakness lay in how iCloud handled user verification. Apple has to walk a fine line between security and convenience, and as a result their authentication protocols were weak. The first security question a potential cloud customer should put to a vendor is about its authentication protocols and user verification, because if a cloud account is hacked, this is the likely vector.

The second vulnerability was the result of a simple development mistake. Part of the API had no proper rate limiting, so in theory a malicious party could repeatedly attempt to authenticate against that API, trying thousands of username and password combinations in an effort to brute-force valid credentials. A proof of concept called iBrute was created to exploit this vulnerability, but Apple fixed the issue quickly, and there's no evidence that any data was stolen by this method.
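The control that was missing in the iBrute case is a throttle on failed login attempts. The following is an added illustration of that control, not Apple's code or anything from the post: an in-memory sliding-window limiter keyed both per account (so one victim cannot be hammered from many addresses) and per source address (so one address cannot spray guesses across many accounts), with a temporary lockout once the budget is spent. The credential store, the 1,000-entry guess list and the TEST-NET source addresses are constructed purely to drive the simulation; the clock is injected so the lockout expiry can be exercised without sleeping.

```python
"""Login throttling, the control whose absence iBrute exploited (added example)."""
from collections import defaultdict, deque
import time


class ManualClock:
    """Deterministic stand-in for time.monotonic(), used only in this demo."""
    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


class LoginThrottle:
    """Sliding-window limiter with lockout, keyed by account and by source IP.

    A key is allowed at most `max_attempts` failures inside `window_seconds`;
    exceeding that locks the key for `lockout_seconds`. Counters live in
    process memory here; a real service would keep them in a shared store.
    """
    def __init__(self, max_attempts=5, window_seconds=300,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(deque)   # key -> timestamps of failures
        self._locked_until = {}               # key -> time the lock expires

    @staticmethod
    def _keys(username, source_ip):
        return (("user", username), ("ip", source_ip))

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_allowed(self, username, source_ip):
        """True if this attempt may be evaluated against the credential store."""
        now = self.clock()
        for key in self._keys(username, source_ip):
            if self._locked_until.get(key, 0.0) > now:
                return False
            self._prune(key, now)
            if len(self._failures[key]) >= self.max_attempts:
                self._locked_until[key] = now + self.lockout
                return False
        return True

    def record_failure(self, username, source_ip):
        now = self.clock()
        for key in self._keys(username, source_ip):
            self._failures[key].append(now)

    def record_success(self, username, source_ip):
        # A genuine login clears the account's budget; the per-IP budget is
        # kept so a spraying address does not reset itself with one known account.
        self._failures.pop(("user", username), None)
        self._locked_until.pop(("user", username), None)


# Constructed credential store. A real service compares salted password hashes;
# a plain mapping is used here only to drive the simulation.
CREDENTIALS = {"alice": "correct horse battery staple"}
GUESSES = [f"password{i}" for i in range(999)] + ["correct horse battery staple"]


def authenticate(username, password):
    return CREDENTIALS.get(username) == password


def simulate_guessing(throttle, username, source_ip, guesses):
    """Run a guess list through the endpoint; return (evaluated, rejected, found).

    With throttle=None the endpoint behaves like the unthrottled API: every
    guess reaches the credential check. With a throttle, only the first
    `max_attempts` guesses are evaluated and the rest are rejected outright.
    """
    evaluated = rejected = 0
    found = False
    for guess in guesses:
        if throttle is not None and not throttle.is_allowed(username, source_ip):
            rejected += 1
            continue
        evaluated += 1
        if authenticate(username, guess):
            found = True
            if throttle is not None:
                throttle.record_success(username, source_ip)
            break
        if throttle is not None:
            throttle.record_failure(username, source_ip)
    return evaluated, rejected, found


if __name__ == "__main__":
    print("unthrottled:", simulate_guessing(None, "alice", "203.0.113.7", GUESSES))
    clock = ManualClock()
    throttle = LoginThrottle(clock=clock)
    print("throttled:  ", simulate_guessing(throttle, "alice", "203.0.113.7", GUESSES))
```

The two-key design matters: limiting only per account lets one address spray a common password across thousands of users, and limiting only per address lets a botnet hammer one account. The lockout is deliberately short relative to a password's lifetime, so the control slows guessing to uselessness without handing attackers a permanent denial-of-service lever against any account they name.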

The iBrute issue is one that could happen to any vendor. Apple's developers are among the best in the industry, but they aren't perfect, and neither are other development teams. What matters is not that vulnerabilities appear in a service, but that they're dealt with swiftly and transparently when they do. Of course, if a cloud vendor has a reputation for sloppy coding and inadequate testing, then clients should steer clear.

It's important to note that neither of these vulnerabilities is specifically a cloud issue. Bad coding and poor authentication practices can make any service vulnerable, whether it's hosted in the public cloud or within a company's private data center.

What else do cloud clients need to ask about?

Firewalls

The cloud is not a magical realm divorced from the realities of networking and information technology. The same principles apply in the cloud that apply everywhere else: there must be strict separation between networks internal to the cloud and the open Internet. Ask your cloud vendor about the firewall systems they have in place.

Data sovereignty

In an ideal world we could treat the cloud as a simple source of compute and storage without worrying about the underlying hardware and where it sits. In the real world, different jurisdictions have very different privacy and security laws, and different standards for granting access to third parties such as government agencies. Companies need to know where their data is held so that they can put processes in place that take local law into account.

VPN access

There's little point in having an incredibly secure cloud platform if authentication credentials can be snatched out of the air by anyone with a WiFi connection. Providing VPN access and SSL-encrypted connections ensures that communication between cloud services and clients cannot be snooped on.

Finally, there's no substitute for educating users about security. If users can't manage their credentials securely, even the cleverest security system won't help. As the saying goes, the fault often lies between the chair and the keyboard.

A network's security has nothing to do with whether it's a "cloud" service or not. In-house networks do no better than cloud networks when it comes to security, and often they do worse. A cloud provider is strongly incentivised to provide strong security, because a serious breach will destroy its reputation and its revenue streams. In businesses with in-house networks, different priorities influence security decisions, as we've seen in recent breaches such as the one at Target. Provided businesses choose their vendor wisely, the cloud is a safe and secure place to keep data.

About John: John Mack is a technical writer at Datarealm, one of the oldest web hosting companies. You can follow Datarealm on Twitter, @datarealm, like them on Facebook, and read more articles about web hosting on their blog, http://www.datarealm.com/blog.

Tags: cloud data security, cloud security, iBrute, iCloud breach, password hacking, VPN access
