Despite a race to the cloud, progression towards cloud security maturity has been slow...but it’s not too late.
By MacKenzie Brown
Sep 2, 2023
(Image by Gerd Altmann from Pixabay)
Groundbreaking innovations, those that shape history, often introduce immeasurable opportunity as well as profound risk. The recent release of the film “Oppenheimer” underscores this truth. The film centers on physicist J. Robert Oppenheimer, who in 1945 led his team to achieve the detonation of the world’s first nuclear weapon. In what is known as the Manhattan Project’s Trinity test, a distinct mushroom-shaped cloud exploded over the New Mexico desert almost 40,000 feet into the atmosphere, ushering in the nuclear age.
Since then, nuclear energy has driven advancements in power generation, medicine, and various scientific fields, yet humanity has also suffered its catastrophic effects. Known thereafter as the father of the atomic bomb, Oppenheimer grappled with the complexities of his innovation, famously quoting a Hindu scripture: “I am become death, the destroyer of worlds.”
The mushroom cloud became a symbol of the potential of technological advancements for both great promise and great peril.
The concept of racing for innovation to harness power brings to mind another transformative technology: cloud computing. As the internet began to drastically reshape how businesses operate and scale, we created a new reality in tech, one of rapid consumption, access, and storage of data.
Cloud computing has enabled business transformation and ushered in massive economic growth. It has revolutionized entire computing frameworks—but not without exponentially expanding the attack surface and redefining the front lines of existing and emerging threats.
In many ways, the cloud is the cyber version of the Trinity mushroom cloud. A cloud attack can fracture digital infrastructures, compromising sensitive information and disrupting business operations. The fallout extends beyond data loss; it can have far-reaching impacts on users and customers, eroding trust. The cloud is a weapon of our own creation that we are racing to understand.
The cloud conundrum
Organizations often prioritize growth over security. And truly, we have benefited from the cloud’s capacity to scale our businesses. But without training our people, implementing sufficient controls, or allocating necessary resources, we are leaving our cloud environments vulnerable to intruders. We are competing against resourceful and motivated adversaries who consistently carry out activities such as identity-based attacks and exploitation of trust in enterprise applications.
This is the unfair fight we face: While security capabilities for the cloud have improved and best practices have been defined, the onus is still on organizations to enable the settings that ensure security—settings that are sometimes ignored in the name of efficiency. The choice to accept this risk is often made by those tasked with driving revenue rather than those well-versed in cloud security. What’s more, the latter are in short supply.
Nearly 80 years after the Trinity test, a new form of warfare has emerged: cyber warfare. We have recently seen it in the attacks on Ukraine’s critical infrastructure. But in a more general sense, we, as defenders, are also in an ongoing battle. Are we witnessing the explosion of technical innovation as Oppenheimer did, without a strategic acknowledgment of the risk?
Frameworks for a secure horizon
Cloud attack tactics and techniques will continue to advance. But attackers needn’t work that hard—in environments with poor cloud hygiene, basic attack techniques persist.
Guidelines and standards such as the Cloud Security Alliance’s (CSA) Cloud Controls Matrix (CCM), the National Institute of Standards and Technology’s (NIST) Cloud Computing Security Reference Architecture, and the Center for Internet Security’s CIS Controls Cloud Computing Guide provide organizations with a systematic approach to aligning their cloud practices with regulatory requirements and security best practices. By offering clear pathways to assess, implement, and monitor security measures, these frameworks can play an important role in helping organizations navigate the cloud landscape.
Just as Oppenheimer grappled with the profound impact of nuclear energy, we are at a crossroads with cloud computing. The cloud, much like the Trinity test, symbolizes both great potential and substantial risk. It is the new frontier on which security practitioners must level-set, and it demands that we elevate the level of cloud security across the board. By leveraging what we already know and advancing our collective understanding of what we don’t, we can take back the cloud and more fully realize its promise.