Remote Work Has a Hidden Challenge: Data Security. Here's How Experts Overcome It

By Cameron Albert-Deitch

Social Security numbers. Bank account information. Customer passwords. Every business needs to protect its most valuable data, and most offices have a common last-resort option: If you close and lock the doors, nobody’s going to access your system from the inside by, say, sticking a malicious USB drive into a computer.

With remote workers, keeping your company’s data secure is a lot trickier. “When everyone’s in an office, it’s easy to turn someone’s computer off,” says Jerry Bennett, founder and CEO of Melbourne, Florida-based consulting firm Privateer IT. “But in a remote workforce, you’re dealing with things like HIPAA laws and cybersecurity laws. And you’re dealing with people’s real lives.”

Bennett’s six-year-old startup, which ranked No. 295 on this year’s Inc. 5000 list of fastest-growing companies in America, has 20 employees. All but one of them work remotely. That presents a challenge for a company that gets paid to advise on cybersecurity issues — and with clients like the U.S. Department of Veterans Affairs and the Defense Intelligence Agency, maintaining data security is especially crucial.

Those concerns aren’t restricted to startups working with federal agencies. Mark Loveless, a senior security researcher at San Francisco-based GitLab, says data security is always a work in progress — especially for GitLab, a company that creates tools for software developers and has one of the world’s largest all-remote workforces. The nine-year-old company attained a $2.75 billion valuation in September, and currently employs more than 1,100 employees across 65 countries, meaning 65 different sets of cybersecurity laws and compliance regulations.

Despite the ever-changing nature of remote data security, Bennett and Loveless agree that these two best practices can make a huge difference for any startup.

1. Software redundancies

Bennett and Loveless agree: No one tool will ever be a perfect solution. Bennett says Privateer typically has three to five security tools running on each employee’s laptop, which feature capabilities like remote access, remote wiping or bricking, and secure channels for communication. His favorite, he notes, is fairly common: Microsoft 365 Enterprise, which has multi-factor authentication and the ability to restrict specific users’ access to individual files.

Instead of worrying about security on 1,100 different employee devices, GitLab devotes its attention to properly restricting access to each individual piece of company data — all of which is stored in the cloud. Loveless’s preferred program to enable this: Okta, an identity and access management tool. He refers to the strategy as “fail-close,” enabling multiple layers of protection without burdening users.

Access to each piece of data requires specific access credentials, which Okta automates so employees don’t have to constantly reenter passwords. The company also monitors other data access metrics — so, for example, an administrator can be immediately notified if a sensitive piece of data is accessed from an unfamiliar location. Loveless also says that when GitLab last upgraded its security protocols, it kept the old protocols — a more tightly restricted system, with access based on both user credentials and IP address locations — as a “break-the-glass” option to keep the business up and running during emergencies.
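The access model described above, as an added illustration that is not GitLab's or Okta's code: a small policy evaluator over constructed access events that fails closed when the identity provider cannot answer, alerts when sensitive data is read from a country not previously seen for that user, and only when break-glass is explicitly enabled falls back to the older credentials-plus-source-IP rule. The resource names, address ranges and event fields are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed example policy: resource names and address ranges are assumed,
# not taken from GitLab's or Okta's configuration.
SENSITIVE = {"payroll", "customer-db"}
BREAK_GLASS_NETS = [ip_network("203.0.113.0/24")]  # office/VPN egress range (assumed)

# Constructed sample access events: idp_ok = the identity provider vouched for
# the session; creds_ok = the older local credential check passed.
EVENTS = [
    {"user": "alice", "resource": "payroll", "country": "US", "ip": "198.51.100.9", "idp_ok": True, "creds_ok": True},
    {"user": "alice", "resource": "payroll", "country": "BR", "ip": "192.0.2.44", "idp_ok": True, "creds_ok": True},
    {"user": "bob", "resource": "payroll", "country": "US", "ip": "203.0.113.5", "idp_ok": False, "creds_ok": True},
    {"user": "bob", "resource": "payroll", "country": "US", "ip": "192.0.2.77", "idp_ok": False, "creds_ok": True},
]
HOME = {"alice": {"US"}, "bob": {"US"}}  # countries already seen per user (constructed)

def evaluate(event, seen, break_glass=False):
    """Return (decision, alerts) for one event under a fail-close policy."""
    user, res, country = event["user"], event["resource"], event["country"]
    ip = ip_address(event["ip"])
    alerts = []
    if event["idp_ok"]:
        # Normal path: SSO handled the credentials; still watch where sensitive data is read from.
        if res in SENSITIVE and country not in seen[user]:
            alerts.append(f"{user} accessed {res} from unfamiliar location {country}")
        seen[user].add(country)
        return "allow", alerts
    # Identity provider unavailable or rejected: fail close, unless break-glass is on
    # and the older rule (valid credentials AND allowlisted source IP) is satisfied.
    if break_glass and event["creds_ok"] and any(ip in net for net in BREAK_GLASS_NETS):
        alerts.append(f"break-glass access by {user} to {res} from {ip}")
        return "allow", alerts
    return "deny", alerts

def run(events, home, break_glass=False):
    """Evaluate events in order, learning locations as it goes; returns a list of (decision, alerts)."""
    seen = defaultdict(set, {u: set(c) for u, c in home.items()})
    return [evaluate(e, seen, break_glass) for e in events]

if __name__ == "__main__":
    for e, (decision, alerts) in zip(EVENTS, run(EVENTS, HOME, break_glass=False)):
        print(e["user"], e["resource"], decision, alerts)
```

With break-glass off, both of bob's requests made while the identity provider is unavailable are denied; with it on, only the one from the allowlisted range is allowed, and it still raises an administrator alert.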

2. Employee training

The human element can undermine even the world’s strongest security systems. Bennett says he’s constantly training his employees, including a monthly all-hands conference call dedicated specifically to maintaining data security. His company policy: If anything ever smells fishy, for any reason, contact him and wait for a response before proceeding.

Not all CEOs are security experts, so Bennett recommends hiring one. “You don’t need to hire someone full-time to do it,” he says. “Find someone you have vetted, that you trust, that you can pick up the phone and call. And they’re the smart person that goes and solves the problem.”

GitLab loads most of its data security training into its onboarding process, which is heavily documented in the company’s sprawling (and publicly available) employee handbook. The goal is for new workers to internalize best practices at their own pace, and each potential change to those protocols is measured by a simple litmus test: Will the increased security be worth the additional hassle to employees?

The company also works to educate employees on new protocols by holding regular company-wide meetings, which Loveless says are “thoroughly documented” for anyone who misses. “As an all-remote company, we try to really be accommodating of users and team members,” he says. “We try not to make it a dictatorship — you must do this, you must do that. We try to give them choices.”

Translated from: https://medium.com/inc./remote-work-has-a-hidden-challenge-data-security-heres-how-experts-overcome-it-7fa9f2e3d04c
