云计算对个人信息安全的影响

云计算对个人信息安全的影响北京化工大学 经济管理学院 信管0901 班 孙鼎华摘要：云计算的横空出世给IT行业注入了新鲜的血液，云计算不断地深入人心，其新颖、先进的服务理念和运作模式，似乎是给人们带来了巨大的好处。但是，随着云计算的不断发展，其衍生技术或者服务必然会带来更多的问题。比如云存储，比如云协作。云计算的发展必然面对安全、电子化搜索、计算机取证等方面的威胁，这对于我们来说，是一种挑战，更是一种机遇。本文针对云计算在实际应用过程中所面临的几种安全问题进行了简要描述，并提出了部分解决方案和期望。关键词： 云计算 信息安全 存储 服务器0.前言：这个世界上只要有网络的存在，就没有绝对的安全，就拿杀毒软件和病毒来说，道高一尺魔高一丈，我们永远不能说是安全专家厉害还是黑客厉害，因为他们本来就没有区别。云计算的产生虽然产生了一种新的网络运作模式，迎来了一场云端的风暴，但是，究其根本，没有人哪个云计算的大头公司敢说他们的云就一定是最安全的，国际上很多大公司也对于云计算表示谨慎的态度。Forrester Research公司首席分析师Chenxi Wang在其报告你的云有多安全？中指出，云计算经常会使数据安全和隐私变得复杂。我们不得不说，云计算在其光明的未来来临之前，必不可少的将迎来一场安全风暴。1.正文：一、 云计算的概念没有任何一个专家可以对云下一个正式的定义，到底什么是云，本文中我们暂且下如下定义：所谓“云”计算就是一种计算平台或者应用模式，在“云”中，集聚大量服务器或应用软件，或者存储设备，用户通过访问这些“云”，就可以方便获取自己所需要的服务，如数据访问、特定计算服务。从另一个方面来说，云的真正意义在于把复杂的运算量从机房转移，而将其以服务形式提供。归根结底，云的核心是其性价比和简单性。相对来说，对于如何进行云定义，科学家们往往更关注云计算的到底能带给人类社会如何的变化，各种各样的云概念让很多不明所以的人很糊涂，最后甚至产生了厌恶感，但是云计算依然会存在，云存储依然会出现。但事实上，人们想的更多的是，假如我把自己的文件存储到了一个虚无缥缈的远程服务器上面，他能否比存储在我的电脑上面更加安全，更加好用。Chenxi Wang 在其报告中指出，很多企业会担心企业失去了可见性和控制，因为公司数据可能存在于其他网络上。这也就从另一个方面告诉我们，无论云计算如何强势的出现在人们的视野中，我们难免要对其持有谨慎的态度，这对于云计算的发展是一种挑战，同时也是云计算不断完善的动力。二、 云计算的几种实现机制：由于各大巨头公司对其各自的云计算的应用方式及使用领域各有不同，使得云计算的实现机制出现了多样化，正因如此，云计算必然走向产业化，在传统的IT行业中占领巨大的分量。现对几种常见的实现机制介绍如下：2 . 1 基于软件即服务（ S a a S ）“云”计算在“云”计算下，传统软件形式将逐渐发生新的变化，软件变成一种服务形式，即软件即服务(S a a S)，特别是应用软件的形式打包装成虚拟应用(Virtual appliances)，通过这种形式用户可以无需要安装软件，就可以使用这种软件服务，就如同购买某种器具，购买就可使用。2 . 2 基于效用计算 ( U t i l i t y computing) “云”计算效用计算的想法是提供一种服务，能够按需满足用户的计算要求。目前A m a z o n .c o m、S u n、I B M 等公司按需提供存储和虚拟服务器访问服务。A m a zo n g 公司通过E C2 计算云，可以让客户通过WEB Service 方式租用计算机来运行自己的应用程序。2.3 基于 WEB服务“云”计算同S a a S 类似，服务提供者利用Web 服务，通过Internet 给软件开发者提供A PI 应用接口，而不是整个应用程序。在各种实现机制之下，我们都不难看出，无论哪种实现方式，都需要一个云平台来统一管理这些游离于网络之中的服务器。首先基于软件即服务的实现方法中，我们必须有一个统一的存放软件的地方，这虽然很大程度上节约了用户本身计算机的存储空间，但是这样对于用户的网络同样有很高的要求，如果我使用了这种即用即购买的方式，那么我的网络宽带能否允许我远程使用，或者下载那些远在云端的服务呢？从这个方面来说，要实现云计算的商业化和普遍化，必须解决网络宽带问题。3、 云计算下的安全隐患 3.1 安全对于许多企业来说，信息的安全性是最主要的风险。这或许是受到了保护知识产权、商业秘密、个人可识别信息或其他敏感信息这些需要的驱动。要使这些敏感信息在互联网上可用，就需要在安全控制以及内容访问和信息途径的监测上有重大的投资。一些供应商提供的日志记录和审计控制还不能像企业内部及企业应用程序所提供的日志记录一样健全。在这个方向上的困难是，要确保在事故发生后，企业能够知道是谁访问了文件以及可能对文件所做的操作是什么（如编辑，下载，更改访问等）。 3.2 电子化搜寻（E-discovery）电子化搜寻当前的趋势大多是假设企业已经明确知道它的信息存储在哪里，这些信息如何备份，以及如何保护。这些规则也假设企业能够实际地检查存储设备，并且在必要时，能够检查存储介质来获取擦除或删除文件的证据。在云环境中，企业可能很少或者根本不知道存储和备份的过程，也很少或根本不会亲自去访问存储设备。而且，由于来自多个客户的数据可能存储在单个存储库中，对存储介质的取证检查以及对文件存取和删除的正确认识将是一个重大的挑战。 3.3 计算机取证（Computer forensics）对许多企业来说，计算机取证是电子化搜寻和内部调查的关键组成部分，而且经常需要实际地访问存储设备或计算资源。从计算机操作系统存储在物理和易失性存储器里的信息中，我们可以了解到很多东西：存储在计算机的随机存取存储器中的信息在关闭计算机后几乎会立即消失。当数据和应用程序脱离本地个人计算机时，取证调查人员可能就不能再访问某个案例的关键信息。一个特定的文件或此文件最后被访问时的地点，通常在决定该文件如何被使用以及被谁访问时起着关键性的作用。假设数据存储转移到云，而数据又没有完全消除的话，那么获得未受污染的证据数据副本的能力可能会降低。另一方面，在“云”计算环境下，网络犯罪人员利用租用的虚拟机以隐藏犯罪行为。当关闭虚拟机运行，虚拟机状态信息可能随着用户使用后消失，因此网络犯罪在虚拟机上的证据就可能消失。因此，获取虚拟机犯罪证据成为新的难题。这对于企业信息安全和个人隐私保密都是一个极大地挑战。虽然这些问题可能不会是云环境中移动数据存储和应用的绝对障碍，但它们已明显妨碍了工作的正常运行，这导致企业需要认真审查其合同义务、风险预测、安全基础设施和监督能力。企业应该准备好向供应商提出适用于自己商业需要以及存储和交易信息种类方面详细的安全和法律要求。 云计算一方面为人们提供了更多的便利和好处，但是另一方面，云计算的发展必然带来黑客技术的一次革命，这对于安全人士来说绝对是一件值得重视的问题。虽然全球各大安全厂家在云计算出现之后纷纷抛出了各具特色的云安全计划，比如先知先觉的瑞星，连续发布云安全系列的1.0,2.0甚至3.0版本的安全软件，再比如一度极为看轻云安全技术的江民，却突然转变态度，声称其早在06年就推出了云安全反病毒系统。但是，归根到底，云安全并不是一种多么先进的技术，只是在病毒产业不断地网络化的刺激下应运而生的一种全新的互联网化的安全理念。利用“ 云安全” 体系, 杀毒软件能够更快地收集病毒样本, 更快地对病毒进行处理, 并能在网络威胁到达用户电脑前就对其进行阻止, 反病毒的效率大大提升, 而且将更为智能化, 带来更完善的用户体验, 最终目的可让互联网时代的用户都能得到更快、更全面的安全保护。正是这种理念，逐步实现了防病毒产业的互联网化，而使得安全问题逐渐的成为了各大安全厂商硬件硬件实力的比拼，用户越多，云服务器越多，谁就能在安全产业站稳脚跟。而用户所需要做的只是加强防病毒理念。但是无论如何，依然改变不了安全产业先发现后解决的滞后性，安全损失一旦发生只能挽救却不能挽回的尴尬局面依然未能得到改善。只有安全软件更加智能化，才能真正的为信息安全插上一把大锁。 四、信息安全问题41 客户端信息安全云计算是以现有的分布式网络为基础的，网络上的计算被认为是一个节点。计算机一旦接入互联网，就可能成为云计算的一部分。如果我的隐私数据被泄露了怎么办？ 业务数据被竞争对手盗用了怎么办？比如医疗数据、选民数据等等，如果没有可信的隐私保护，那么攻击者将利用多个数据之间的联系来获取个人隐私信息。4.2 服务器端信息安全如果用户把自己的数据连同这些程序放在别人的硬件上，就会对常常很敏感的信息失去一度的控制。比方说，一家投资银行的员工使用Google Spreadsheets 来组织管理员工社会保障号码清单。那么，保护这些信息远离黑客及内部数据泄密事件的责任就落在了谷歌的肩上，而不是银行的肩上。所以一旦你决定了让别人来保存自己的信息，已经越过了第一道安全闸门。那么，你对现在拥有你信息的那家公司有多信任?4.3 解决方案4.3.1 保护云API 密钥确保自己的云API(应用编程接口)密钥安全。如果有人弄到了你的访问密钥，就能访问你的一切数据。所以要求提供商为你提供多把密钥，用于保护不同风险类别的各组数据。4.3.2 采用加密技术加密技术对文件进行加密，那样只有密码才能读取该文件。加密让你可以保护数据，即时数据上传到远处的数据中心。对于电子邮件还可采用Hushmail 这种具有加密功能的网络程序来进行加密。Hushmail 可对传输中的电子邮件进行加密，那样它们无法被人截获及读取。它还能自动对用户收件箱中的邮件进行加密， 那样保存在Hushmail 服务器上的电子邮件历史记录就很安全，不会被不法分子偷窥到。4.3.3 使用信誉良好的服务建议使用名气大的服务， 它们不大可能拿自己的名牌来冒险，不会任由数据泄密事件发生，也不会与营销商共享数据。4.3.4 考虑商业模式在设法确定哪些互联网应用值得信任时，应当考虑它们打算如何盈利。收取费用的互联网应用服务可能比得到广告资助的那些服务来得安全。广告给互联网应用提供商带来了经济上的刺激，从而收集详细的用户资料用于针对性的网上广告，因而用户资料有可能落入不法分子的手里。4.3.5 使用多少付多少为了避免竞争对手积欠账款，需要多少云服务、就付多少费用。如果使用量急剧增加，就设定阈值。4.3.6 复制数据谷歌公司的 Feigenbaum 强调了跨多个数据中心进行数据复制的重要性。比方说,万一东北部出现了灾难，仍可以从其他地区访问数据。4.3.7 阅读隐私声明在将数据存储到云计算环境中的时候， 一定要阅读隐私声明，因为几乎有关互联网应用的每项隐私政策里面都有漏洞，以便在某些情况下可以共享数据。这样你就可以确定应该把哪些数据保存在云计算环境，哪些数据保存在自己的电脑中。4.3.8 使用过滤器Vontu、Websense 和Vericept 等公司提供一种系统，目的在于监视哪些数据离开了你的网络，从而自动阻止敏感数据。2.结论 云计算给互联网产业乃至整个IT产业都带来了新的契机，这句话一点都没有错，不仅仅是存储、安全、信息共享更多的在于人们的理念的变化给IT产业带来了一股新的潮流。不得不说，云计算必将带来一个伟大的时代。但是正如本文介绍，云计算处于起步阶段，仍然面临着诸多问题，如果信息安全问题得不到保证，那么用户对于云计算的信任程度必将大打折扣，这对于云计算的发展必将带来巨大的影响。3.参考文献1 蒋建春，文伟平，云计算环境下的信息安全问题 J 中国学术期刊电子出版社 2010 2 Robert Westervelt ,Forrester建议谨慎采用云计算服务EB/OLTech Target中国/showcontent_20734.htm3云计算面临众多安全问题.TT 数据中心./ ShowContent_18070.htm4 张力 云时代的信息安全 J 求是杂志 2009年12月 55-57页5 云安全真的安全吗？J 中国传媒科技 2009年2月6 Chenxi Wang How secure is your cloud? R May 8 20097 百川 存储在云端 J 中国制造业信息化 2011年2月8 SUN. 云计算架构介绍 白皮书 2009年6月第一版The Influence of Cloud computing to the Personal Information Security Beijing University of Chemical and Technology Dinghua SunAbstract: The arise of Cloud calculative inject fresh blood to IT industry , cloud computing continuously become popular and popular . Their new, advanced service concept and operation mode, seems to bring people lots of good. But, with the continuous development of cloud computing, and its derivative technology or service brings more problems. Such as cloud storage, such as cloud collaboration. The development of Cloud computing will inevitably face security, electronic search, computer forensics, and other aspects of the threat, this for us, is a challenge, but also an opportunity. This article described briefly the several security problems cloud computing faces in practice, and put forward some part of solutions and expectations. Keyword: Cloud calculative Information security Cloud collaboration ServerForeword: As long as there is the existence of the network in this world, there is no absolute safety, took the anti-virus software and for a virus, a foot high civil zhangs, we can never say security experts severe or hackers bad, because they have no difference. Cloud calculatives produce although produced a new network operation mode, ushered in a storm clouds, but, actually, there is no one which cloud computing head company dare say their cloud must be the most safe, many large international companies have an cautiously attitude to cloud computing . Forrester Research company chief analysts Chenxi Wang in the report Is your cloud safe? points out, the computing clouds may often make data security and privacy become complicated. We have to say, before the bright future of cloud computing comes,there must have a safety storm. Body:One. The Concept of Cloud computingNo experts can make an official definition on what is cloud, in this paper we put down the following definition: the so-called cloud computing is a kind of computing platform or application mode in cloud, a cluster server or application software, or storage devices, users access to these cloud, it can be easy access to your needs of services, such as data access, specific calculation service. On the other hand, the real meaning of cloud lies on transferring the complex computation from the computer room to providing the service form. In the final analysis, the clouds are the core of its price and simplicity. Relatively speaking, compared to the definition of cloud, the scientists often pay more attention to the change the cloud computing can bring to human society, so many people were confused by different kinds of cloud concept, and finally even produced the animosity to the cloud , but cloud computing will still exist, cloud storage still can appear. But in fact, people want more is, if I save my own file to a disembodied remote server ,whether it keep my file safer and more to use than in my computer ,Chenxi Wang said in her report, a lot of enterprises often worry about whether their enterprise will lost visibility and control, because the company data may exist on other networks. This show another aspect to us , no matter how strong the cloud computing appeared in the people s visual field, we must hold the cautious attitude, this is not only a challenge to the development of the cloud computing , but also the power to the constant improvement of computing clouds. Two . Several realization mechanism to Cloud calculative It is all because big companies have their special applications ways of cloud computing and use it in different fields, that makes the realization mechanism of cloud computing appeared diversification, because of this, cloud computing is destined to industrialization, and in the weight of the great occupation in the traditional IT industry . Now of several kinds of common realization mechanism is introduced as follows:2.1 The cloud computing base on the Software As A Service(SAAS)In cloud computing, the traditional software form will gradually occur the new change, the software will change into a service form, that is, software as a service (S a a S), especially the form which hit the application software packing into Virtual application (Virtual appliances), by this form users can not need to install the software, you can use this software services in a long-distance, like to buy some appliances, buy ,and you can use it .2.2 The cloud computing based on utility computing The idea of Utility computing is to offer a service, which could meet users requirements based on the needs of the calculation. At present some company such as Amazon, Sun, IBM provide storage and virtual server access services by the need of customers. Amazon company can allow customers running their own applications by rent computer on the WEB Service way by the EC2 cloud computing, 2.3 The cloud computing based on web servicesThe same as SaaS, service providers API application interface to software developers use web services by the Internet, but not the entire application. In all kinds of realization mechanism, we could easily find that each kind of realization, need a cloud platform to manage these free servers in the network. At first, in the cloud computing based on SaaS, we must have an unified place to save this software, though this largely save the storage space of users computer, but there also have high requirements for the users network , if I use the use after purchase way, what if broadband network doesnt allow me to use it remotely, or download the clouds away from the service? In this way, to realize the commercialization and generalization of cloud computing, people must solve the problem that how to broaden the broadband of network.Three .The safety problems of Cloud computing3.1 SafetyFor many enterprise , the security of information is the main risk. This may have been influenced by the protection of intellectual property rights, commercial secrets, personal identifiable information or other sensitive information. To make these sensitive information on the Internet available, it need to have a major investment in safety control ,content access and the way of information monitoring. The audit log records and control some suppliers provides is not perfect as the log records provided by the enterprise internal and enterprise application. the difficultyIn the direction is to ensure that the enterprise can know who visit the files, and may do to file operation is what (such as editor, download, change access, etc.)after the accident . 3.2 E-discovery Electronic search current trends are mostly based on the hypothesis that we hava clearly know where does the enterprise information stored, how to backup the information, and how to protect. The rules also based on the hypothesis that enterprise can actually check storage equipment, and to check storage medium to get the evidence of the files erasion or delete . In the cloud environment, the enterprise may know little about how the information is storage and backup, and little or not to access storage devices. Due to the data from multiple clients may be stored in a single store in the library, it must be a significant challenge to the accurate understanding of testing for storage media and accessing or deleting the documents.3.3 Computer forensicsFor many enterprise, it is a key component of electronic search and internal investigation, and often need to actually access storage device or computing resources. We can learn a lot of things from the storage of computer operating system in physics and the volatile memory: The information stored in the random access memory almost immediately disappear after computer closing. When data and applications lost the connection with local personal computer, forensic investigators may cant be visited the key information in a case. A specific file or the place where the file was last visited,will play a key role in making the decision on how and who can visit the file. If the data storage transferred to the cloud, and data is not completely eliminate, then there is no doubt that the ability to get the copies of uncontaminated evidence may reduce.On the other hand, in cloud computing environment, the network crime researchers may rent the virtual machine to hide their crime. The using log record may disappear after use when closed virtual machine operation,so the evidence of network crime in the virtual machine may disappear. Therefore, how to get the virtual machine criminal evidence become new problems. This is a great challenge for enterprise information security and privacy . Although these problems may not be the absolutely barrier on mobile data storage and application under cloud environment, but they have significantly interfere with the normal operation of the work, this make enterprise be much carefully to review its contractual obligation, risk prediction, security infrastructure and supervision ability. Enterprise should be ready to put forward to their applicable business needs , and safety and legal requirements of storage and variety of detailed trading information to the supplier . On one hand cloud computing provide more convenient and good, but on the other hand, the development of cloud computing will inevitably bring a revolution about hackers technical, it is absolutely that security expert should pay much attention to this problem. Although many big security manufacturers make an unique cloud security plan after the computing clouds appear. For example,Kingsoft has released series of cloud security software include 1.0, 2.0 or 3.0 version continuously, and Jiangmin,a enterprise who have ever looked down on cloud, suddenly change his attitudes, they claims that they have the released cloud security anti-virus system early. But in fact, cloud security even is not a advanced technology, but a brand-new of Internet security concept under the constantly stimulating by virus industrys developement. Use cloud security system, antivirus software can collected virus samples more quickly , process the virus faster , and can stop the broken before it reach users computer, the efficiency of defeating virus is greatly improved, and it also will be more intelligent, bring more perfect user experience. The final purpose is let users in the age of the Internet get faster and more comprehensive safety protection. It is this philosophy,which gradually realize the anti-virus industry to Internet, so that the security problem gradually become the wars on the strength of hardware between major security enterprises ,more users and more cloud servers they have they can have a firm foothold in the security industry. And what the users need to do is to strengthen the anti-virus concept. But anyway, it still cant change the situation of security industry that it must be solved only after the first was found , the awkward situation of still fail to improve safety loss once it happened. Only security software be more intelligent, a large lock.can make the information security.Four.Information security41 Information security on client Cloud computing is based on the existed distributed network, the calculation of the network is considered as a node. Once the computer access the Internet, it will be likely to become a part of the cloud computing. What if my privacy data leak out?and what if my business data is theft by rival? There exist many data on the Internet such as medical data, voters data, if there was no credible privacy protection, the attacker will use the connection between all kinds of data to obtain the personal privacy information. 4.2 Information security on serviceIf users put their own data along with these program in other peoples hardware,people will often lost control of some sensitive information. For example, an investment bank employees use Google Spreadsheets to organization management staff social security Numbers list. So, the responsibility to protect the information away from hackers and internal data leak falls on Googles shoulder, not the banks shoulder. So you have over the first safety valve once you decide to let others to preserve your information. So, the key point is how trust do you have for which company who have your information 4.3 Solutions to these problems4.3.1 To protect your cloud API keyEnsure that their