Capital One Data Breach: Should Big Companies Worry About the Public Cloud?

Robert Hackett 2019-09-04
A hacker broke into Capital One's systems by exploiting a "misconfigured firewall", which is essentially a thief slipping in through an open door.

Photo credit: Smartstock/Getty Images


Translator: 艾伦

Reviewer: 夏林

You’d be hard-pressed to find a company more committed to using the so-called public cloud than Capital One. America’s seventh-biggest bank by revenue has spent years winding down its data centers—from eight in 2014 to zero planned by the end of 2020—and relying on the on-tap resources of Amazon Web Services for computing and data storage. But now, in the wake of a data breach affecting 106 million North Americans, people are questioning whether Capital One represents a cybersecurity cautionary tale.

To burrow inside Capital One’s systems, a hacker supposedly exploited a “misconfigured firewall.” Basically, the thief snuck in an open door. Both Capital One and Amazon stressed that “this type of vulnerability is not specific to the cloud.”

Yet some experts, such as Evan Johnson, a security manager at startup Cloudflare, say AWS’s technical setup made the breach “much worse.” AWS is particularly susceptible to “server side request forgery,” Johnson says, in which a hacker tricks a server into connecting where it shouldn’t, enabling data theft. Better mitigations ought to be in place, he says.
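One of the mitigations Johnson is alluding to, shown here as an added illustration that is not Capital One's, AWS's or Cloudflare's code: before a server fetches a URL it was handed by a user, it resolves the destination and refuses anything that does not land on a publicly routable address. Loopback, private and link-local space is where internal services and, on cloud hosts, instance metadata endpoints typically live, so a server that will not connect there cannot be tricked into acting as a proxy to them. The function names, the constructed DNS table and the sample addresses below are assumptions made for this example.

```python
"""Outbound-URL check as a server side request forgery (SSRF) mitigation.
Added example with hypothetical helper names; not code from the article or
from any of the companies it discusses. The server resolves the target of a
user-supplied URL first and refuses any address that is not publicly
routable, so it cannot be steered at loopback, private or link-local hosts."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple, Union
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def default_resolver(host: str) -> List[str]:
    """Resolve a hostname to every A/AAAA address it maps to (live DNS)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def _parse_ip(text: str) -> Optional[IPAddr]:
    """Return the parsed address if text is an IP literal, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses.

    Loopback, private (RFC 1918 / ULA / documentation ranges), link-local,
    multicast, reserved and unspecified addresses are all rejected. An
    IPv4-mapped IPv6 literal is unwrapped first, so ::ffff:127.0.0.1 is
    judged as 127.0.0.1 rather than slipping past the IPv4 checks."""
    addr = _parse_ip(ip)
    if addr is None:
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return False
    return addr.is_global


def check_outbound_url(url: str,
                       resolve: Callable[[str], Iterable[str]] = default_resolver
                       ) -> Tuple[bool, str]:
    """Decide whether the server may fetch url; returns (allowed, reason)."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. an unterminated IPv6 literal
        return False, f"malformed URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if _parse_ip(host) is not None:
        addrs = [host]  # IP literal: nothing to resolve
    else:
        try:
            addrs = list(resolve(host))
        except OSError as exc:  # socket.gaierror is an OSError subclass
            return False, f"could not resolve {host}: {exc}"
    if not addrs:
        return False, f"{host} resolved to no addresses"
    # Every record must be public: a name that mixes a public and an internal
    # address is refused outright rather than routed to the public one.
    for ip in addrs:
        if not is_public_address(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


# Constructed DNS table standing in for live resolution in the demo.
FAKE_DNS: Dict[str, List[str]] = {
    "example.com": ["93.184.216.34"],                    # public
    "internal.corp": ["10.0.0.5"],                       # private
    "mixed.test": ["93.184.216.34", "169.254.10.20"],    # public + link-local
}


def fake_resolver(host: str) -> List[str]:
    """Offline resolver over FAKE_DNS; unknown names fail like DNS would."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"no constructed record for {host}")
    return FAKE_DNS[host]


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the check over a set of constructed URLs and return the verdicts."""
    urls = [
        "http://example.com/report",
        "http://internal.corp/admin",
        "http://mixed.test/",
        "http://127.0.0.1:8080/",
        "http://[::ffff:10.0.0.1]/",
        "file:///etc/passwd",
        "http://user:pw@example.com/",
    ]
    return {u: check_outbound_url(u, fake_resolver) for u in urls}


if __name__ == "__main__":
    for url, (ok, why) in demo().items():
        print(f"{'ALLOW' if ok else 'BLOCK':5} {url}  ({why})")
```

The check is only worth something if the fetch that follows connects to the address that was validated, rather than resolving the name a second time; and it is one layer among several, alongside egress restrictions on the host and whatever protections the cloud provider offers for its metadata service.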

Despite the criticism, Capital One’s breach “doesn’t prove the cloud is wrong,” says Glenn O’Donnell, a Forrester VP. “What it does prove is you have to have the right controls in place from a security and governance perspective.”

Ed Amoroso, ex–chief security officer for AT&T, agrees that for most businesses, off-loading infrastructure to the cloud remains safer than managing one’s own: “You have to compare not against ‘perfect’ but against ‘on premises.’”

A version of this article appears in the September 2019 issue of Fortune with the headline “Capital Offense.”
