Compliance Management in 2024: Best Practices to Secure Cloud Access and Stay Audit-Ready

Author: Art Poghosyan
Date Published: 18 April 2024

As the number of users in cloud environments increases, ensuring compliance becomes a more complex task. This complexity is magnified when vast numbers of users are granted myriad permissions, enabling them to access cloud infrastructure and apps laden with sensitive data.

Additionally, organizations grapple with internal teams that, either due to lack of training or sheer indifference, overlook the potential pitfalls and inherent risk related to data privacy and regulatory compliance. This internal disconnect not only jeopardizes the organization's data security posture but also increases the risk of noncompliance with evolving regulations. In this context, educating and aligning teams with enterprisewide security and compliance goals becomes paramount.

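Fortunately, cloud engineering and security leaders can implement streamlined solutions to secure their online environments without compromising productivity while still achieving compliance. There are 3 ways they can begin that process today.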

1. Train staff to identify social engineering attempts.

Nearly three-quarters of cyberattacks involve the human element, including social engineering attacks, errors or misuse.1 Some recent examples include the attacks on MGM Resorts International and Caesars Entertainment.2 These attacks are prime examples of threat actors targeting users with administrative accounts for elevated access. In the case of MGM Resorts, the attackers used social engineering as the initial point of entry, found an MGM Resorts employee on LinkedIn, impersonated them and called the organization's service desk to ask for access to the account.

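It is often said that security is comprised of processes, people and technology (i.e., tools). People must be able to anticipate and identify social engineering incidents and phishing attacks, which are increasingly convincing and aim to trick employees and other internal stakeholders into providing a doorway into the IT infrastructure. Therefore, security awareness training is necessary to identify social engineering and phishing attempts. For example, if the goal is for employees to successfully identify malicious emails, IT staff should conduct simulated phishing exercises to determine how many employees fall for the scam email and click a malicious link or provide sensitive information. Such exercises provide a low-cost, highly rewarding mechanism to improve cybersecurity and regulatory compliance.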

2. Maintain visibility across clouds.

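In multicloud environments, ensuring proper governance, compliance and security requires knowledge of who can access which resource and from where. This is key to minimizing the risk tied to privileged access, and it also underscores the importance of comprehensive visibility across various cloud infrastructure and applications.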

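Cloud platforms often function as informational and operational silos, which makes it difficult for organizations to see what users have done with their privileges or to determine which standing privileges may pose a risk. Incredibly, 14% of security leaders say they have “no idea” how many standing privileges remain on their cloud platforms, and 10% of organizations say they have “no visibility” into privileged access in multicloud environments.3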

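For many enterprises, single sign-on, multifactor authentication (MFA) and identity provisioning are their first response for strengthening cybersecurity and compliance efforts when visibility is lacking. However, these tools often lack the ability to show effective access levels because they do not provide the insights that facilitate cybersecurity and regulatory compliance. Compounding such challenges is the lack of deep visibility into user, group and role privileges within the dynamic nature of cloud infrastructure. This results in little oversight of and control over user activity across cloud infrastructure and applications.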

3. Implement JIT ephemeral access to cloud resources.

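Implementing just-in-time (JIT) ephemeral (non-standing) access for all users (both human and service identities) across multiple cloud platforms is a critical initial measure. Regrettably, service identities are frequently overlooked during security audits, and having excessive permissions is often recognized as a problem only when it leads to a security breach or business disruption. True multicloud JIT permission granting enables users to access cloud resources across various environments easily and securely. A unified access model provides a centralized management and control console and offers a robust method to oversee user permissions, assign or revoke privileges, and reduce overall risk across different cloud service providers (CSPs) and Software as a Service (SaaS) applications.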

Today’s cloud data breaches are often the result of excessive, unused or misconfigured permissions. Malicious actors can target privileged users with social engineering (real or virtual) and, once they have commandeered those users’ accounts, seek to exploit the excessive or unused permissions provisioned to those accounts to infiltrate and wreak havoc in enterprise environments.

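Enterprises that do not enforce JIT access assume a higher security risk and make compliance extremely complex and time-consuming, raising the likelihood of incurring serious compliance violation fees. Conversely, organizations that implement JIT ephemeral access are able to substantially reduce the number of access grants that must be reviewed during access certification processes. This helps save valuable time for managers and for infrastructure and application support teams, who no longer need to process hundreds or thousands of unnecessary static privilege revocations.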

Achieving Compliance Without Compromise

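It is now clear that reducing risk and meeting compliance is not a “yes” or “no” proposition. Rather, it is an ongoing priority that requires effective solutions that are as agile as the cloud workflows and environments they support.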

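The rise of multicloud adoption presents both tremendous opportunities and significant challenges for modern organizations. The convergence of numerous cloud platforms makes enterprises more agile and efficient, but it also introduces complex security and compliance issues.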

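As the cloud continues to evolve, the means of protecting it must also scale with equal or better measures, and this includes effective yet secure access to cloud resources. Achieving compliance is not a one-time accomplishment but a continuous pursuit that requires vigilance, innovation, consistency and agility. Meeting these demands requires striking a delicate balance between leveraging the benefits of multicloud and mitigating the potential risks.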

With careful planning, ongoing education, the right tools and enhanced governance frameworks, organizations can navigate this complex landscape without compromising security or compliance.

Endnotes

1 Verizon, 2023 Data Breach Investigations Report, 2023
2 Culafi, “Okta: Caesars, MGM Hacked in Social Engineering Campaign,” TechTarget, 2023
3 Britive, Data-Driven GCP Security Strategies for Multi-Cloud Landscapes, 2022

 

Art Poghosyan

Is the chief executive officer (CEO) and co-founder of Britive.
