          Capital One Data Breach: Should Big Companies Worry About the Public Cloud?

          Robert Hackett 2019-09-04
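          A hacker breached Capital One's systems by exploiting a “misconfigured firewall,” which is basically like a thief slipping in through an open door.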

          Image credit: Smartstock/Getty Images

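          It is hard to find a company that uses the so-called “public cloud” more aggressively than Capital One. The seventh-largest U.S. bank by revenue, Capital One has spent years gradually winding down its data centers and using the readily available resources of Amazon Web Services to compute and store data. Capital One had eight data centers in 2014 and plans to cut that number to zero by the end of 2020. But after a data breach affecting 106 million North Americans, people have begun to question whether Capital One's story is a cybersecurity cautionary tale.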

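          Reportedly, a hacker breached Capital One's systems by exploiting a “misconfigured firewall,” which is basically like a thief slipping in through an open door. Both Capital One and Amazon stressed that “this type of vulnerability is not specific to the cloud.”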

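          However, experts such as Evan Johnson, a security manager at the startup Cloudflare, say that the technical setup of Amazon Web Services made the consequences of the intrusion “much worse.” Johnson says Amazon Web Services is particularly susceptible to “server-side request forgery,” in which a hacker tricks a server into making a wrong connection, enabling data theft. Better risk mitigations should be in place, he said.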

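          Although Capital One has drawn heavy criticism over the breach, it “doesn't prove the cloud is wrong,” said Glenn O'Donnell, a vice president at the technology and market research firm Forrester. “What it does prove is you have to have the right controls in place from a security and governance perspective.”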

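          Ed Amoroso, former chief security officer of AT&T, also believes that for most businesses, moving entirely to cloud services is still safer than managing infrastructure themselves: “You have to compare not against ‘perfect’ but against ‘on premises.’” (Fortune China)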

          Another version of this article appears in the September 2019 issue of Fortune magazine under the headline “Capital Offense.”

          Translator: 艾倫

          Reviewer: 夏林

          You’d be hard-pressed to find a company more committed to using the so-called public cloud than Capital One. America’s seventh-biggest bank by revenue has spent years winding down its data centers—from eight in 2014 to zero planned by the end of 2020—and relying on the on-tap resources of Amazon Web Services for computing and data storage. But now, in the wake of a data breach affecting 106 million North Americans, people are questioning whether Capital One represents a cybersecurity cautionary tale.

          To burrow inside Capital One’s systems, a hacker supposedly exploited a “misconfigured firewall.” Basically, the thief snuck in an open door. Both Capital One and Amazon stressed that “this type of vulnerability is not specific to the cloud.”

          Yet some experts, such as Evan Johnson, a security manager at startup Cloudflare, say AWS’s technical setup made the breach “much worse.” AWS is particularly susceptible to “server side request forgery,” Johnson says, in which a hacker tricks a server into connecting where it shouldn’t, enabling data theft. Better mitigations ought to be in place, he says.

          Despite the criticism, Capital One’s breach “doesn’t prove the cloud is wrong,” says Glenn O’Donnell, a Forrester VP. “What it does prove is you have to have the right controls in place from a security and governance perspective.”

          Ed Amoroso, ex–chief security officer for AT&T, agrees that for most businesses, off-loading infrastructure to the cloud remains safer than managing one’s own: “You have to compare not against ‘perfect’ but against ‘on premises.’”

          A version of this article appears in the September 2019 issue of Fortune with the headline “Capital Offense.”
