很難找到比第一資本更積極使用所謂“公共云”的公司。按營(yíng)收計(jì)算，第一資本排名美國(guó)第七大銀行，多年來(lái)一直在逐步縮減其數(shù)據(jù)中心，利用亞馬遜網(wǎng)絡(luò)服務(wù)隨時(shí)可用的資源計(jì)算和存儲(chǔ)數(shù)據(jù)。2014年第一資本有八個(gè)數(shù)據(jù)中心，計(jì)劃到2020年底縮減到一個(gè)也不剩。但在影響到1.06億北美人的數(shù)據(jù)泄露事件發(fā)生以后，人們開(kāi)始質(zhì)疑第一資本的故事是否在警示網(wǎng)絡(luò)安全。

據(jù)說(shuō)，一名黑客利用“配置錯(cuò)誤的防火墻”攻破了第一資本的系統(tǒng)，基本上就相當(dāng)于小偷從敞開(kāi)的門(mén)溜進(jìn)去。第一資本和亞馬遜都強(qiáng)調(diào)稱(chēng)：“此類(lèi)漏洞不只云技術(shù)才有。”

但是，初創(chuàng)公司Cloudflare的安全經(jīng)理埃文·約翰遜等專(zhuān)家表示，亞馬遜網(wǎng)絡(luò)服務(wù)的技術(shù)設(shè)置導(dǎo)致黑客入侵的后果“嚴(yán)重得多”。約翰遜稱(chēng)，亞馬遜網(wǎng)絡(luò)服務(wù)特別容易受到“服務(wù)器端虛假請(qǐng)求”的影響，即黑客欺騙服務(wù)器接受錯(cuò)誤連接，從而實(shí)現(xiàn)數(shù)據(jù)竊取。應(yīng)該采取更好的風(fēng)險(xiǎn)減輕措施，他說(shuō)道。

盡管第一資本的因數(shù)據(jù)泄露案而備受批評(píng)，但這“并不能夠證明應(yīng)用云技術(shù)有錯(cuò)”，技術(shù)和市場(chǎng)研究公司Forrester的副總裁格倫·奧唐奈說(shuō)道，“該案例證明的是，從安全和治理的角度來(lái)看，必須采取正確的控制措施。”

AT&T的前首席安全官埃德·阿莫羅索也認(rèn)為，對(duì)于大多數(shù)企業(yè)而言，與其自行管理基礎(chǔ)設(shè)施，還是全盤(pán)轉(zhuǎn)向云服務(wù)更加安全：“不能苛求‘完美’，要跟‘自行管理’的成本比較。”（財(cái)富中文網(wǎng)）

本文另一版本登載于《財(cái)富》雜志2019年9月刊，標(biāo)題是《第一資本遭到攻擊》。

譯者：艾倫

審校：夏林

You’d be hard-pressed to find a company more committed to using the so-called public cloud than Capital One. America’s seventh-?biggest bank by revenue has spent years winding down its data centers—from eight in 2014 to zero planned by the end of 2020—and relying on the on-tap resources of Amazon Web Services for computing and data storage. But now, in the wake of a data breach affecting 106 million North Americans, people are questioning whether Capital One represents a cybersecurity cautionary tale.

To burrow inside Capital One’s systems, a hacker supposedly exploited a “misconfigured firewall.” Basically, the thief snuck in an open door. Both Capital One and Amazon stressed that “this type of vulnerability is not specific to the cloud.”

Yet some ?experts, such as Evan Johnson, a security manager at startup Cloudflare, say AWS’s technical setup made the breach “much worse.” AWS is particularly susceptible to “server side request forgery,” Johnson says, in which a hacker tricks a server into connecting where it shouldn’t, enabling data theft. Better mitigations ought to be in place, he says.

Despite the criticism, Capital One’s breach “doesn’t prove the cloud is wrong,” says Glenn O’Donnell, a Forrester VP. “What it does prove is you have to have the right controls in place from a security and governance perspective.”

Ed Amoroso, ex–chief security officer for AT&T, agrees that for most businesses, off-loading infrastructure to the cloud remains safer than managing one’s own: “You have to compare not against ‘perfect’ but against ‘on premises.’”

A version of this article appears in the September 2019 issue of Fortune with the headline “Capital Offense.”