What Is Cloud Network Security?

Cloud network security is an area of cybersecurity focused on minimizing the opportunities for malicious actors to access, change, or destroy information on a public or private cloud network. While the principles of securing a cloud network are similar to those for securing an on-premises network, the unique aspects of cloud environments mean different tactics are required.

▶︎ Download Rapid7's annual Cloud Misconfigurations Report

Why Is Cloud Network Security Important?

Cloud network security is important because sensitive information is migrated to the cloud, where it becomes more vulnerable. This information needs to be protected, but the cloud also introduces new challenges that can make security tricky.

Challenges in Cloud Network Security

The challenges facing cloud network security are the very things that make cloud operations so powerful. For starters, deploying new assets in a cloud network is very easy. In an on-premises network, the IT and SOC teams oversee all new infrastructure. This means expanding the network is slow and laborious, but it also means that all new infrastructure is configured by security experts.

In a cloud network, new infrastructure can be instantly added by any person or system with the right credentials, without direct involvement from the IT or security team. This makes expanding the network much easier, but it also increases the likelihood that new infrastructure is configured insecurely and is therefore vulnerable to attack.

Another challenge unique to network security in cloud computing is the rate of change in cloud environments. Technologies such as autoscaling and serverless computing mean that assets in a cloud network are constantly appearing and disappearing.

Traditional security measures like vulnerability scanning are no longer enough, because a vulnerable asset might exist for only a few minutes: long enough for a malicious actor to find and exploit it, but not nearly enough time for a weekly or even daily scan to detect it.

The ease of deployment and the high rate of change make it hard for security teams to maintain a complete picture of their cloud environment. This gets worse in hybrid environments (IT environments that include both on-premises and cloud networks), where different information is stored in different systems and protected by different security tools.

In these environments, the security team needs to bounce back and forth between various systems to manage their security efforts. The lack of unified data makes it difficult, if not impossible, to accurately understand the organization's overall security posture or to track a malicious actor moving between the cloud and on-premises networks.

Last but not least, when dealing with a network on a public cloud service provider like AWS or Azure, the network's owner shares responsibility with the provider for securing it. While the details of this shared responsibility model vary by provider, in general the provider is responsible for securing the cloud itself, such as the physical security of the data centers, maintenance and updates of the hardware, etc. The network owner, on the other hand, is responsible for securing anything they put in that cloud environment.

Many people worry about giving up control of securing the hardware and data centers, but public cloud providers like Amazon, Microsoft, and Google can devote more resources to things like physical security. The real risk in the shared responsibility model is the confusion it can create within an organization. More than a few security incidents have happened because people mistakenly believed they did not need to worry about cloud security because their systems were in the cloud and their cloud provider would take care of everything.

Cloud Network Security Strategy

Beyond embracing DevSecOps and educating employees on how to use a cloud network securely, the most effective thing an organization can do to minimize risk in a cloud network is to define a security baseline for its cloud environment. Ideally, this baseline should be established before an organization starts using a cloud network, but it is never too late to create one.

The baseline lays out what the cloud network should look like from a security perspective. The objective is to make sure everyone (security, IT, engineering, DevOps, etc.) is aligned on what needs to be done to keep the network secure on an ongoing basis. A properly defined baseline can help address a number of challenges in cloud network security, including ease of deployment, speed of change, and shared responsibility.

There are some cloud network security best practices organizations can follow to establish this baseline. First, the baseline should specify the architecture of the cloud environment, how each type of asset should be configured, and who should have read or write access to each part of the environment. Guides like the CIS Benchmarks and the AWS Well-Architected Framework should also be used to help define the baseline.

Make sure the baseline applies to pre-production and test environments. In many cases, these environments have been used as an entry point for an attack. The baseline should specify policies and controls for testing, such as which (if any) production databases can be used or duplicated for testing.

The baseline should also map out an incident response plan and clearly define who in the organization is responsible for which aspects of cloud security. It should also be revisited and updated regularly to reflect emerging threats and new best practices.

Once the baseline has been created or updated, it needs to be communicated to everyone who will touch the cloud network. In addition, the security team needs to work with DevOps to implement ways to enforce the baseline. This means creating cloud infrastructure templates (using infrastructure-as-code solutions from the cloud provider or from vendors such as Terraform) in which everything is configured correctly. It also means implementing continuous monitoring to detect when something has become outdated or has been changed after deployment and no longer follows the baseline.
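The two enforcement mechanisms above, a baseline expressed as code and continuous monitoring for post-deployment changes, can be seen in a small example. The following Python is an added illustration, not Rapid7's tooling or any provider's API: the rules, the resource field names (`public_access`, `ingress`, `monitoring_agent`) and the two inventory "snapshots" are all constructed. The first snapshot is what a correctly configured template deployed; the second is the same account later, after someone made a storage bucket public, opened SSH to the internet and launched a VM outside the template.

```python
"""Baseline-as-code check with post-deployment drift detection.

Added example: the rules, field names and the two inventory snapshots below
are constructed for illustration and are not Rapid7's baseline, any vendor's
API, or a real cloud account.
"""
from typing import Any, Callable, Dict, List, Optional, Tuple

Resource = Dict[str, Any]
Rule = Callable[[Resource], Optional[str]]  # returns a finding, or None if compliant


def bucket_not_public(r: Resource) -> Optional[str]:
    return "object storage allows public access" if r.get("public_access") else None


def bucket_encrypted(r: Resource) -> Optional[str]:
    return None if r.get("encryption_at_rest") else "encryption at rest is disabled"


def sg_only_443_from_anywhere(r: Resource) -> Optional[str]:
    # Baseline: only HTTPS may be reachable from any address; every other
    # port must be limited to internal ranges.
    open_ports = sorted(
        rule["port"] for rule in r.get("ingress", [])
        if rule["cidr"] == "0.0.0.0/0" and rule["port"] != 443
    )
    return f"ports {open_ports} are open to 0.0.0.0/0" if open_ports else None


def vm_has_agent(r: Resource) -> Optional[str]:
    return None if r.get("monitoring_agent") else "monitoring agent is not installed"


# The baseline expressed as code: which rules apply to which asset type.
BASELINE: Dict[str, List[Rule]] = {
    "bucket": [bucket_not_public, bucket_encrypted],
    "security_group": [sg_only_443_from_anywhere],
    "vm": [vm_has_agent],
}


def evaluate(inventory: List[Resource],
             baseline: Dict[str, List[Rule]] = BASELINE) -> List[Tuple[str, str]]:
    """Return (resource_id, finding) for every baseline rule a resource violates."""
    findings = []
    for r in inventory:
        for rule in baseline.get(r["type"], []):
            msg = rule(r)
            if msg:
                findings.append((r["id"], msg))
    return findings


def drift(before: List[Resource], after: List[Resource]) -> List[Tuple[str, str, Any, Any]]:
    """Return (resource_id, field, old, new) for every attribute that changed
    between two inventory snapshots. Resources that appeared or disappeared
    are reported with the field name "resource"."""
    old = {r["id"]: r for r in before}
    new = {r["id"]: r for r in after}
    changes = []
    for rid, r in new.items():
        if rid not in old:
            changes.append((rid, "resource", None, r["type"]))
            continue
        for field in sorted(set(old[rid]) | set(r)):
            if old[rid].get(field) != r.get(field):
                changes.append((rid, field, old[rid].get(field), r.get(field)))
    for rid, r in old.items():
        if rid not in new:
            changes.append((rid, "resource", r["type"], None))
    return changes


# Constructed snapshot 1: what the infrastructure-as-code template deployed.
DEPLOYED: List[Resource] = [
    {"id": "bkt-logs", "type": "bucket", "public_access": False, "encryption_at_rest": True},
    {"id": "sg-web", "type": "security_group",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "10.0.0.0/8"}]},
    {"id": "vm-web-1", "type": "vm", "monitoring_agent": True},
]

# Constructed snapshot 2: the same account some time later, after manual changes.
LATER: List[Resource] = [
    {"id": "bkt-logs", "type": "bucket", "public_access": True, "encryption_at_rest": True},
    {"id": "sg-web", "type": "security_group",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "vm-web-1", "type": "vm", "monitoring_agent": True},
    {"id": "vm-test-7", "type": "vm", "monitoring_agent": False},
]

if __name__ == "__main__":
    print("findings right after deployment:", evaluate(DEPLOYED))
    for rid, msg in evaluate(LATER):
        print(f"BASELINE VIOLATION {rid}: {msg}")
    for rid, field, old_value, new_value in drift(DEPLOYED, LATER):
        print(f"DRIFT {rid}.{field}: {old_value!r} -> {new_value!r}")
```

The same `evaluate` function can run in two places: against the template's planned resources before deployment, as a gate, and against a periodic inventory snapshot afterwards, as the continuous monitoring the text calls for. `drift` answers the separate question of what changed since the last known-good snapshot, which is what an analyst needs to see whether a violation came from a manual edit or from an asset created outside the template.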

Virtual machine templates should include an embedded agent so that anything deployed is continuously monitored and checked for vulnerabilities.

Reducing Risk in Multi-Cloud Environments

When it comes to the challenges around visibility into cloud networks, security teams should first make sure they have (at a minimum) read-only access to all of the organization's cloud accounts. Organizations trying to secure and maintain visibility into a hybrid or multi-cloud environment should make sure that a single team is responsible for securing all parts of the IT footprint.

Having one team responsible for on-premises security and another responsible for cloud security typically leads to silos, blind spots, and difficulty tracking a malicious actor who moves between the networks.

Teams handling the security of hybrid or multi-cloud environments should also consider re-evaluating the tools they use. Many legacy security solutions are not optimized to support cloud networks. This results in teams using different tools to secure their on-premises and cloud environments. Instead, teams should look for tools that let them manage security across the organization's entire IT footprint in one place.

Most teams will benefit from the following tools:

  • A vulnerability management solution that can continuously monitor and detect vulnerabilities in cloud networks, on-premises networks, containers, and remote endpoints. The solution should also be able to instantly detect misconfigured cloud assets.
  • A modern SIEM or threat detection and response solution that can aggregate data from all of the organization's cloud and on-premises networks and systems. The solution should also detect threats automatically and help the security team respond instantly to an incident with features like a visual incident timeline and automatic quarantining of potentially compromised accounts and assets.

Taking Cloud Network Security Further

Security teams should also consider leveraging a security automation tool to help secure cloud networks. Automation can help the team keep up with the rapid pace of change in cloud networks, enhance visibility by sharing data between systems, eliminate tedious work and improve productivity, and minimize the damage from an incident by responding instantly to detected threats.

One way to leverage automation is to use tools such as Chef or Puppet to automatically deploy the cloud infrastructure templates from your security baseline. This can simplify the creation of complex architectures as well as minimize the chances of human error. Another way to leverage automation is by using a security orchestration, automation, and response (SOAR) solution.

Such a tool lets teams easily exchange data between systems without having to spend time integrating them through APIs. Even better, a SOAR solution can automate many of the manual processes that eat up a security analyst's day or slow down an investigation. For example, a security team can build workflows in a SOAR tool that automatically investigate suspicious phishing emails, contain malware when it is detected, provision and deprovision users, streamline patching, and much more.

SDLC Security in Cloud Networks

In addition to everything mentioned so far, there are a few other best practices for organizations looking to build and deploy web applications on a cloud network. These organizations should look to "shift left" and incorporate security as early as possible into their software development lifecycle (SDLC). In other words, security issues should be evaluated as part of pre-deployment testing of the code and treated like any other bug.

Not only does this ensure that deployed code is free of security vulnerabilities, but by flagging security issues during testing, developers get the chance to learn what vulnerabilities exist in their code and how to avoid them in the future. The modern web applications currently deployed on cloud networks are often quite complex, so organizations looking for a way to test these sorts of apps should make sure that whatever SAST, DAST, or IAST solution they are considering can handle the codebase of their apps.

The best way to confirm this is by putting the tool to the test via a free trial. While not specific to cloud networks, it is worth mentioning that any organization deploying web applications should seriously consider additional protections such as a web application firewall (WAF) to keep malicious actors from reaching the application, and a runtime application self-protection (RASP) solution to respond in real time to attacks that manage to get past the WAF.
