Compliance Management in 2024: Best Practices for Securing Cloud Access and Staying Audit-Ready

Author: Art Poghosyan
Date published: 18 April 2024

As the number of users in cloud environments grows, ensuring compliance becomes a more complex task. That complexity is amplified when large numbers of users are granted innumerable permissions that give them access to cloud infrastructure and to applications hosting sensitive data.

In addition, organizations struggle with internal teams that, whether through a lack of training or sheer apathy, ignore the potential pitfalls and inherent risks associated with data privacy and regulatory compliance. This internal disconnect not only jeopardizes the organization's data security posture but also increases the risk of noncompliance with ever-evolving regulations. In this situation, educating teams and aligning them with enterprise-wide security and compliance goals becomes critical.

Fortunately, cloud engineering and security leaders can implement streamlined solutions that protect their online environments without compromising productivity, while still achieving compliance. There are three ways they can begin that process today.

1. Train employees to recognize social engineering attempts.

Nearly three-quarters of cyberattacks involve a human element, including social engineering attacks, errors or misuse.1 Recent examples include the attacks on MGM Resorts International and Caesars Entertainment.2 These attacks are prime examples of threat actors targeting users with administrative accounts to gain elevated access. In the MGM Resorts case, the threat actors used social engineering as the initial entry point: they found an MGM Resorts employee on LinkedIn, impersonated that employee and called the organization's service desk to request access to the account.

It is often said that security is made up of process, people and technology (i.e., tools). People must be able to anticipate and recognize social engineering incidents and phishing attacks, which are increasingly convincing and aim to trick employees and other internal stakeholders into providing front-door access to IT infrastructure. Security awareness training is therefore imperative for identifying social engineering and phishing attempts. For example, if the goal is for employees to successfully identify malicious email, IT staff should run simulated phishing exercises to determine how many employees fall for scam email and click a malicious link or provide sensitive information. Such exercises are a low-cost, high-reward mechanism for improving cybersecurity and regulatory compliance.

2. Maintain insight across clouds.

In a multi-cloud environment, ensuring proper governance, compliance and security requires knowing who can access which resource, and from where. This is key to minimizing the risk associated with privileged access, and it underscores the importance of comprehensive insight across the various cloud infrastructures and applications.

Cloud platforms typically operate as silos of information and operations, making it challenging for organizations to see what users do with their privileges or to determine which standing privileges might pose a risk. Remarkably, 14% of security leaders say they have "no idea" how many standing privileges remain in their cloud platforms, and 10% of organizations say they have "no visibility" into privileged access in their multi-cloud environments.3

For many enterprises, single sign-on (SSO), multifactor authentication (MFA) and identity provisioning are the first response to strengthening cybersecurity and compliance when visibility is lacking. However, these tools typically cannot show effective access levels: they establish who a user is and create the account, but they do not reveal what that identity can actually do once authenticated, which is the insight cybersecurity and regulatory compliance depend on. Compounding the challenge is the lack of deep insight into user, group and role privileges amid the dynamic nature of cloud infrastructure. The result is very little oversight and control over users' activities within cloud infrastructure and applications.

3. Implement JIT ephemeral access to cloud resources.

Implementing just-in-time (JIT) ephemeral (non-standing) access for all users, both human and service identities, across multiple cloud platforms is a crucial initial measure. Unfortunately, service identities are often overlooked during security audits, and over-permissioning is frequently recognized as a problem only after it leads to a security breach or business disruption. True multi-cloud JIT permission granting lets users access cloud resources easily yet securely across varied environments. A unified access model offers a centralized management and control console with a robust method to oversee user permissions, assign or withdraw privileges, and reduce overall risk exposure across different cloud service providers (CSPs) and Software-as-a-Service (SaaS) apps.

Today's cloud data breaches are typically caused by excessive, unused or misconfigured permissions. Malicious actors can use social engineering (in person or virtual) to target privileged users and, once they have taken over those users' accounts, find ways to exploit the excessive or unused permissions provisioned for those accounts to infiltrate and wreak havoc within an enterprise's environment.

Enterprises that have not enforced JIT access assume a much higher security risk and make compliance exceedingly complex and time consuming, raising the likelihood of fines for serious violations. Conversely, organizations that implement JIT ephemeral access massively reduce the number of access entitlements that must be reviewed during access certification, because a grant that expires on its own never enters the review queue. This frees up valuable time for managers and for infrastructure and application support teams, who no longer need to process hundreds or thousands of unnecessary static privilege revocations.
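The following Python model is an added illustration of the mechanics that sections 2 and 3 describe; it is not Britive's code or any product's API. It keeps a single inventory of grants across clouds, resolves what a principal can effectively do at a point in time, caps the lifetime of JIT grants so a "temporary" request cannot quietly become standing access, and reports the access-certification queue (standing grants only). The identities, cloud names, roles and timestamps are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Grant:
    """One entitlement on one platform. expires_at=None marks a standing privilege."""
    principal: str                    # human user or service identity (sample names)
    cloud: str                        # CSP or SaaS app, e.g. "aws", "gcp", "azure"
    role: str                         # role / permission set on that platform
    expires_at: Optional[datetime] = None

    def active_at(self, now: datetime) -> bool:
        return self.expires_at is None or now < self.expires_at


class AccessBroker:
    """Unified grant inventory: one place to assign, expire, revoke and report access."""

    def __init__(self, max_ttl: timedelta = timedelta(hours=4)) -> None:
        self.max_ttl = max_ttl        # policy ceiling for any JIT grant (assumed value)
        self._grants: list[Grant] = []

    def grant_standing(self, principal: str, cloud: str, role: str) -> Grant:
        g = Grant(principal, cloud, role)
        self._grants.append(g)
        return g

    def grant_jit(self, principal: str, cloud: str, role: str,
                  ttl: timedelta, now: datetime) -> Grant:
        if ttl <= timedelta(0):
            raise ValueError("ttl must be positive")
        # Cap the requested TTL at the policy maximum; the grant always carries an expiry.
        g = Grant(principal, cloud, role, now + min(ttl, self.max_ttl))
        self._grants.append(g)
        return g

    def revoke(self, principal: str, cloud: str, role: str) -> int:
        """Withdraw a privilege explicitly; returns the number of grants removed."""
        keep = [g for g in self._grants
                if (g.principal, g.cloud, g.role) != (principal, cloud, role)]
        removed = len(self._grants) - len(keep)
        self._grants = keep
        return removed

    def expire(self, now: datetime) -> int:
        """Drop lapsed JIT grants; returns how many were removed."""
        keep = [g for g in self._grants if g.active_at(now)]
        removed = len(self._grants) - len(keep)
        self._grants = keep
        return removed

    def effective_access(self, principal: str, now: datetime) -> set[tuple[str, str]]:
        """(cloud, role) pairs the principal can actually use at `now`, across all clouds."""
        return {(g.cloud, g.role) for g in self._grants
                if g.principal == principal and g.active_at(now)}

    def standing_privileges(self) -> list[Grant]:
        """The access-certification queue: every entitlement that never expires on its own."""
        return [g for g in self._grants if g.expires_at is None]


def demo() -> dict:
    """Constructed scenario: the same identities under standing access and under JIT."""
    t0 = datetime(2024, 4, 18, 9, 0, tzinfo=timezone.utc)

    legacy = AccessBroker()
    for principal in ("alice", "bob", "svc-ci-deployer"):   # two humans, one service identity
        for cloud in ("aws", "gcp", "azure"):
            legacy.grant_standing(principal, cloud, "admin")

    jit = AccessBroker(max_ttl=timedelta(hours=2))
    jit.grant_jit("alice", "aws", "admin", timedelta(hours=1), t0)
    # An 8-hour request from the service identity is capped to the 2-hour policy maximum.
    jit.grant_jit("svc-ci-deployer", "gcp", "deployer", timedelta(hours=8), t0)

    later = t0 + timedelta(hours=3)
    return {
        "standing_to_certify_legacy": len(legacy.standing_privileges()),   # 9
        "standing_to_certify_jit": len(jit.standing_privileges()),         # 0
        "alice_now": jit.effective_access("alice", t0),                    # {("aws", "admin")}
        "alice_later": jit.effective_access("alice", later),               # set()
        "expired_by_3h": jit.expire(later),                                # 2
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points carry the weight: `grant_jit` never accepts a request without an expiry and clamps it to `max_ttl`, so there is no path by which a JIT request becomes a standing entitlement; and `standing_privileges` is the only thing a certification campaign has to review, which is why the legacy inventory above presents nine items to certify while the JIT inventory presents none, even though both serve the same identities. The service identity is included deliberately, since the text notes it is the one most often missed in audits.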

Achieving compliance without compromise

It is now evident that reducing risk and meeting regulatory compliance is not a "yes" or "no" proposition. Rather, it is an ongoing priority that requires effective solutions that are as agile as the cloud workflows and environments they support.

The rise of multi-cloud adoption presents both immense opportunities and significant challenges for modern organizations. The convergence of numerous cloud platforms has empowered enterprises to be more agile and efficient yet has simultaneously cast a complex web of security and compliance concerns.

As the cloud continues to evolve, the means to secure it must expand by equal or better measure, and that includes effective yet secure access to cloud resources. Achieving compliance is not a one-time accomplishment but a continuous pursuit that demands vigilance, innovation, consistency and agility. Meeting those demands requires striking a delicate balance between leveraging the benefits of the multi-cloud and mitigating potential risk.

With careful planning, ongoing education, the right tools and an enhanced governance framework, organizations can navigate this complex landscape without compromising security or compliance.

Endnotes

1 Verizon, 2023 Data Breach Investigations Report, 2023
2 Culafi, A.; "Okta: Caesars, MGM hacked in social engineering campaign," TechTarget, 2023
3 Britive, Data-Driven GCP Security Strategies in Multi-Cloud Environments, 2022


Art Poghosyan

Is the chief executive officer (CEO) and co-founder of Britive.
