Fundamental Cloud Security
Basic Terms and Concepts
- Information security protects the integrity of and access to computer systems and data.
- IT security measures aim to defend against threats and interference that arise from both malicious intent and unintentional user error.
Confidentiality
- Confidentiality is the characteristic of something being made accessible only to authorized parties.
- Within cloud environments, confidentiality primarily pertains to restricting access to data in transit and in storage.
Integrity
- Integrity is the characteristic of not having been altered by an unauthorized party.
- A cloud consumer can be guaranteed that the data it transmits to a cloud service matches the data received by that cloud service.
Authenticity
- Authenticity is the characteristic of something having been provided by an authorized source.
- Authentication in non-repudiable interactions provides proof that these interactions are uniquely linked to an authorized source.
Availability
- Availability is the characteristic of being accessible and usable during a specified time period.
Threat
- A threat is a potential security violation that can challenge defenses in an attempt to breach privacy and/or cause harm.
- Both manually and automatically instigated threats are designed to exploit known weaknesses, also referred to as vulnerabilities.
- A threat that is carried out results in an attack.
Vulnerability
- A vulnerability is a weakness that can be exploited either because it is protected by insufficient security controls, or because existing security controls are overcome by an attack.
- IT resource vulnerabilities can have a range of causes, including configuration deficiencies, security policy weaknesses, user errors, hardware or firmware flaws, software bugs, and poor security architecture.
Risk
- Risk is the possibility of loss or harm arising from performing an activity.
- Risk is typically measured according to its threat level and the number of possible or known vulnerabilities.
- Two metrics are used to determine the risk for an IT resource:
- the probability of a threat occurring to exploit vulnerabilities in the IT resource
- the expectation of loss upon the IT resource being compromised
Security Controls
- Security controls are countermeasures used to prevent or respond to security threats and to reduce or avoid risk.
- maximum protection of sensitive and critical IT resources.
Security Mechanisms
- Countermeasures are typically described in terms of security mechanisms, which are components comprising a defensive framework that protects IT resources, information, and services.
Security Policies
- A security policy establishes a set of security rules and regulations.
- For example, the positioning and usage of security controls and mechanisms can be determined by security policies.
Threat Agents
- A threat agent is an entity that poses a threat because it is capable of carrying out an attack.
- Cloud security threats can originate either internally or externally, from humans or software programs.
- Four threat agents are described below:
- Anonymous Attacker
- Malicious Service Agent
- Trusted Attacker
- Malicious Insider
Anonymous Attacker
- An anonymous attacker is a non-trusted cloud service consumer without permissions in the cloud.
- It typically exists as an external software program that launches network-level attacks through public networks.
- Anonymous attackers often resort to committing acts like bypassing user accounts or stealing user credentials, while using methods that either ensure anonymity or require substantial resources for prosecution.
Malicious Service Agent
- A malicious service agent is able to intercept and forward the network traffic that flows within a cloud.
- It typically exists as a service agent (or a program pretending to be a service agent) with compromised or malicious logic.
- It may also exist as an external program able to remotely intercept and potentially corrupt message contents.
Trusted Attacker
- A trusted attacker (also known as a malicious tenant) shares IT resources in the same cloud environment as the cloud consumer and attempts to exploit legitimate credentials to target cloud providers and the cloud tenants with whom they share IT resources.
- Trusted attackers usually launch their attacks from within a cloud's trust boundaries by abusing legitimate credentials or via the appropriation of sensitive and confidential information.
Malicious Insider
- Malicious insiders are human threat agents acting on behalf of or in relation to the cloud provider.
- They are people who attempt to abuse their access privileges within the scope of the cloud provider's resources.
- They are typically current or former employees or third parties with access to the cloud provider's premises.
- This type of threat agent carries tremendous damage potential.
Note:
- A notation used to represent a general form of human-driven attack is a workstation combined with a lightning bolt.
Cloud Security Threats
- Traffic Eavesdropping
- Malicious Intermediary
- Denial of Service
- Insufficient Authorization
- Virtualization Attack
- Overlapping Trust Boundaries
Traffic Eavesdropping
- Traffic eavesdropping occurs when data being transferred to or within a cloud (usually from the cloud consumer to the cloud provider) is passively intercepted by a malicious service agent for illegitimate information gathering purposes.
- The aim of this attack is to directly compromise the confidentiality of the data.
- Because the interception is passive, it can more easily go undetected for extended periods of time.
Malicious Intermediary
- The malicious intermediary threat arises when messages are intercepted and altered by a malicious service agent, compromising the message's confidentiality and/or integrity.
- The malicious service agent may also insert harmful data into the message before forwarding it to its destination.
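To make the malicious intermediary threat (and, by contrast, the passive eavesdropping above) concrete, here is an added example that is not part of the original notes: a cloud consumer sends a message through a service agent with malicious logic to a cloud service, and the service uses an HMAC-SHA256 tag as the integrity mechanism. It assumes a shared key distributed out of band between consumer and service, which the notes do not specify; the key and message values are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed demo key; assumption: shared out of band between the cloud
# consumer and the cloud service. The malicious service agent never holds it.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def _serialize(msg: dict) -> bytes:
    # Canonical JSON so both sides compute the tag over identical bytes.
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def consumer_send(msg: dict, key: bytes = SHARED_KEY) -> bytes:
    """Cloud consumer: serialize the message and append an HMAC-SHA256 tag."""
    body = _serialize(msg)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def malicious_service_agent(wire: bytes) -> bytes:
    """Service agent with malicious logic: reads the message (confidentiality
    is already lost here, as with eavesdropping), alters it, and forwards it
    with the original tag because it cannot compute a new one without the key."""
    body, tag = wire.rsplit(b"\n", 1)
    msg = json.loads(body)
    msg["amount"] = 9999  # harmful data inserted before forwarding
    return _serialize(msg) + b"\n" + tag


def provider_receive(wire: bytes, key: bytes = SHARED_KEY):
    """Cloud service: accept the message only if the tag matches the body.
    Returns the parsed message, or None when integrity cannot be verified."""
    body, tag = wire.rsplit(b"\n", 1)
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None  # reject and log: this is the detection point
    return json.loads(body)


if __name__ == "__main__":
    wire = consumer_send({"op": "transfer", "amount": 10})
    print("direct delivery:", provider_receive(wire))
    print("via malicious agent:", provider_receive(malicious_service_agent(wire)))
```

The tag detects alteration only; a passive eavesdropper still reads the body, so the confidentiality of data in transit additionally requires encryption.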
Denial of Service
- The objective of the denial of service (DoS) attack is to overload IT resources to the point where they cannot function properly.
- The IT resources become paralyzed or unavailable and can no longer provide normal service.
Insufficient Authorization
- The insufficient authorization attack occurs when access is granted to an attacker erroneously or too broadly, resulting in the attacker getting access to IT resources that are normally protected.
- A variation of this attack, known as weak authentication, can result when weak passwords or shared accounts are used to protect IT resources.
Virtualization Attack
- A virtualization attack exploits vulnerabilities in the virtualization platform to jeopardize its confidentiality, integrity, and/or availability.
Overlapping Trust Boundaries
- If physical IT resources within a cloud are shared by different cloud service consumers, these cloud service consumers have overlapping trust boundaries.
- Malicious cloud service consumers can target shared IT resources with the intention of compromising cloud consumers or other IT resources that share the same trust boundary.
- Overlapping trust boundaries therefore conceal a threat: an attacker can exploit cloud-based IT resources that are shared by multiple cloud consumers.
Summary
Basic Terms and Concepts
- Confidentiality
- Integrity
- Authenticity
- Availability
- Threat
- Vulnerability
- Risk
- Security Controls
- Security Mechanisms
- Security Policies
Threat Agents
- Anonymous Attacker
- Malicious Service Agent
- Trusted Attacker
- Malicious Insider
Cloud Security Threats (and the security characteristics each one compromises)
- Traffic Eavesdropping → confidentiality
- Malicious Intermediary → confidentiality, integrity
- Denial of Service → availability
- Insufficient Authorization → confidentiality, integrity
- Virtualization Attack → confidentiality, integrity, availability
- Overlapping Trust Boundaries → confidentiality, integrity, availability
Author's personal blog: https://kohler19.gitee.io/

Reposting requires attribution; original link: https://www.uj5u.com/qita/449732.html