Topic Overview
云风险管理(CRM)是管理的实践, prioritizing, and acting on risks within the large scale of modern multi-cloud environments. Context is a critical driver of that prioritization; namely, understanding the potential impact of a particular risk and its likelihood of exploitation.
CRM can be an ephemeral concept – much like cloud operations themselves – to understand. At its core though, you should be able to leverage a single CRM solution to secure highly ephemeral, cloud-native apps, 以及您的整个内部部署足迹. It’s not an easy thing to find, 但在当今充满风险的运营和环境中,这种需求是存在的.
超过一半的受访者认为 recent survey 相信云操作比内部部署的风险更高, 很容易理解为什么对客户关系管理的需求如此旺盛. In fact, 暴露的五个关键风险领域:运行时, identity management, potential for misconfigurations, unaddressed vulnerabilities, and audits.
Each of those areas feature personnel and systems that must work hand-in-hand with one another – often at a fast pace – to remain productive. A single miscommunication or misconfiguration could create risk exposure analysts or developers aren’t even aware of until it’s too late. Yes, managing risk in the cloud is very complex, but there are frameworks in place 安全运营中心(SOC) 团队可以利用研究、补救和降低风险.
要评估云中的风险,首先要确定谁负责 cloud security 风险管理:您或您的云服务提供商(CSP)? The shared responsibility model (SRM) stipulates that CSPs are typically responsible for managing risks to the underlying cloud infrastructure on which your business’ operations are running.
Internal security teams are typically responsible for security of those operations in the cloud, meaning they are responsible for making sure their own data – and their customers’ data – is properly secured. Once a team determines where their responsibilities lie and what exactly they’ll need to take a hard look at, it’s important to take into account that the assessment will need to take place in real-time.
重要的是要选择一个CSP,它不仅支持SRM的末端, 但这也是一个有多年经验支持的决定, 可靠的法规和遵从性标准, 随时间变化的一致性能, 以及他们的服务/架构与您的需求的匹配程度. A security team must also ensure their scanning tools can fit into the workflow you define within that CSPs platform.
Things happen fast in the cloud, 风险通常在第一次暴露的两分钟内就被利用了, meaning you should be able to access real-time visibility into your environment at any given time instead of waiting for a scheduled scan.
Regularly conduct risk assessments via the steps outlined in the previous section. 从过程的前两个步骤收集的数据, however, 仍然面临着规模的现实, speed, and complexity of cloud environments creates a situation where the amount of risk signals/alerts is so vast you simply can't address everything at once.
As such, it’s imperative to prioritize the risk signals that present the most risk to the business and have the highest likelihood of exploitation. 这需要在完整的背景下实时完成, 因为风险信号本身并不能提供采取行动所需的全面细节.
Extend coverage into runtime and monitor for anomalous activity based on an established baseline of what "normal" looks like. Detecting anomalous behavior – and thus potential threats – into runtime helps to correlate behaviors across multiple logged activities. It’s best to target a solution that can consolidate runtime threat detections and provide context by associating the findings with the affected cloud resource.
调查结果和背景什么都不是, however, 如果没有人意识到这一事实,就会发生异常情况. Teams should calibrate notifications and alerts to go to specific personnel who can most quickly remediate the issue.
Data is sensitive at any state, so it’s important to implement risk- management tools as early in the development process as possible. 这有助于避免团队之间的摩擦, 还可以在关键构建和运行时过程中持续保护数据. Data should always be encrypted at rest by default.
In this way of protecting data at all times, it’s probably a good idea to also establish a least privilege access (LPA) protocol. This helps to set the minimum amount of access a person or machine will need to do the job, 同时在数据的整个生命周期中保护数据.
In the event of a significant cloud-security incident, it won’t be business as usual. However, business can and should certainly continue to whatever extent possible. Therefore, it’s critical to have a business-continuity plan in place in the event of just such an incident. 该计划的一些关键组成部分包括:
2022 Cloud Misconfigurations Report: Latest Cloud Security Breaches and Attack Trends