How to secure data on the cloud? A detailed explanation of cloud native full-link encryption

2025-03-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--


This article is excerpted from the book "Different Double 11 Technologies: Cloud Native Practice in the Alibaba Economy".

Author

Li Peng (Zhuang Huai), Senior Technical Expert, Aliyun Container Service

Huang Ruirui, Senior Technical Expert, Aliyun Technical Architecture Department

Guide: for cloud customers, proper security protection of their data on the cloud is their most important security requirement, and it is also the most concrete embodiment of the overall security capability of the cloud. In this article the authors trace full-link encryption from the cloud security system, through the cloud data security system, to the cloud native security system, in order to answer: what must full-link encryption do in the cloud native era? How is it done? And what remains to be done in the future?

What is cloud native full-link encryption

The requirements for data security in the cloud can be summarized by "CIA", the three basic elements of information security: confidentiality (Confidentiality), integrity (Integrity) and availability (Availability).

Confidentiality means that protected data can only be accessed by legitimate (or expected) users; its main implementation means are data access control, data leakage prevention, data encryption and key management. Integrity ensures that only legitimate (or expected) users can modify data; this is mainly achieved through access control, and the integrity of user data in transmission and storage is further ensured by checksum algorithms. Availability is mainly reflected in the overall security capability, disaster recovery capability and reliability of the cloud environment, as well as in the guaranteed normal operation of the related systems on the cloud (storage system, network access, authentication mechanism, permission verification mechanism, etc.).

Among the three elements, the most common and most frequently required technical means for the first, confidentiality (Confidentiality), is data encryption. In the cloud native dimension, what must be realized is cloud native full-link encryption.

"Full link" refers to data in transmission (in transit, also called in motion), at runtime (in process, also called in use), and in storage (at rest). "Full-link encryption" refers to end-to-end encryption of data: the transfer process from cloud to cloud and between units inside the cloud, the computation on data at application runtime (use / exchange), and the storage process in which the data is finally persisted. It covers:

Data transmission (data communication encryption, micro-service communication encryption, application certificate and key management)

Data processing (runtime security sandbox runV, trusted computing security sandbox runE)

Data storage (CMK/BYOK encryption support for cloud native storage, storage management of ciphertext / key, storage encryption of container image, container operation / audit log security).

The technical description in this article is aimed at the existing and future technical goals in cloud native full-link encryption.

Cloud security > cloud data security > cloud native full-link encryption

Cloud Security

Different user groups define the layers of the security chain differently. Cloud security covers both cloud customer security and cloud vendor security in IaaS software, hardware and physical data centers.

[Figure: security layers by user group. Cloud native customer (Cloud Native Customer) security: application security, operation security, commercial security, container network security, container data security, container runtime security. Beneath it, cloud customer (Cloud Customer) security, and beneath that cloud vendor (Cloud IaaS DevOps) security; together they make up cloud native security.]

Cloud native security first needs to follow cloud data security standards, reusing the security capabilities of the cloud infrastructure, while providing further security support in the software supply chain and at runtime.

Cloud native storage describes the life cycle of cloud data through declarative APIs and does not expose the data encryption details of the underlying IaaS to users. The different kinds of cloud native storage generally serve as the carriers of cloud data and reuse the basic security capabilities of the cloud IaaS, including image security in the software supply chain, container runtime root file system security, and container network security.

[Figure: cloud native security runtime = computing security, memory security, file system security and network security during data processing; cloud native software supply chain security = executable file / user code security; cloud native infrastructure security = cloud data storage security, i.e. cloud data security.]

Cloud user data security includes the following three aspects:

Data protection: RAM ACLs control access to data at fine granularity; sensitive data protection (Sensitive Data Discovery and Protection, SDDP), data desensitization, data classification.

Data encryption: CMK encrypts data; BYOK encrypts data.

Key / ciphertext management: cloud services such as KMS/HSM; third-party Vault services.

Life cycle of data security

In order to better understand data protection, you need to understand the life cycle of data security, because data protection runs through the entire data life cycle:

Data collection, data transmission, data processing, data exchange, data storage, data destruction

For the life cycle of cloud native data, take ACK (Container Service for Kubernetes) mounting an Alibaba Cloud disk as an example:

The declaration and creation of the cloud disk PV defines the data; whether the cloud disk data is encrypted must be expressed in that declaration. The choice of key and encryption algorithm can be supported declaratively, and the fine-grained RAM permissions follow the principle of least privilege.

The cloud disk is mounted to the virtual machine when a Pod in the container group references the PVC. Decryption of cloud disk data is transparent: the block device is encrypted and decrypted with the user's CMK/BYOK.

Changes in the Pod life cycle cause the cloud disk associated with the PVC to be detached and attached on different host ECS instances.

Creation of a cloud disk snapshot is tied to the snapshot life cycle of the PV.

Deletion of the PV can be associated, through OnDelete, with the release of the cloud disk and the deletion of its data.

Full-link data security
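The declarative encryption described in the steps above can be written as a StorageClass, PVC and Pod for the ACK CSI disk plugin. This is an added example, not from the book or from Alibaba Cloud's documentation; the parameter names follow the alibaba-cloud-csi-driver disk plugin (check them against your driver version), and the CMK ID, namespace, image and resource names are placeholders.

```yaml
# StorageClass: encryption is declared once here, so every PV provisioned
# from it is a cloud disk encrypted with the customer's CMK (BYOK if the
# key material was imported into KMS). Leaving out "encrypted: true" would
# provision plaintext disks, which is the weak setting to avoid.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: alicloud-disk-essd-encrypted        # placeholder name
provisioner: diskplugin.csi.alibabacloud.com
parameters:
  type: cloud_essd
  encrypted: "true"                         # transparent block-device encryption
  kmsKeyId: "REPLACE-WITH-YOUR-CMK-ID"      # placeholder: user-managed CMK/BYOK key
reclaimPolicy: Delete          # deleting the PV releases the disk and its data (OnDelete)
volumeBindingMode: WaitForFirstConsumer     # disk is created in the zone of the consuming Pod
---
# PVC: the declaration that defines the data; no key details are exposed here.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: app-data
  namespace: tenant-a                       # placeholder namespace
spec:
  accessModes: ["ReadWriteOnce"]
  storageClassName: alicloud-disk-essd-encrypted
  resources:
    requests:
      storage: 20Gi
---
# Pod: referencing the PVC triggers attach and mount; rescheduling the Pod to
# another ECS host detaches and re-attaches the same encrypted disk.
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: tenant-a
spec:
  containers:
    - name: app
      image: REPLACE-WITH-YOUR-IMAGE        # placeholder image
      volumeMounts:
        - name: data
          mountPath: /data
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: app-data
```

The RAM policy of the node and of the CSI controller should grant only the disk and KMS actions this flow needs, which is the least-privilege point made above.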

In a narrow sense, full-link data security is end-to-end encryption of data, focusing on three stages of the data life cycle:

Data transmission

Data processing

Data storage

Data transmission phase

Secure communication design and the secure management and transmission of ciphertext and keys must not only satisfy secure transmission in the cloud environment; the container network, micro-service and blockchain scenarios introduced by cloud native also raise further requirements for the secure transmission of cloud native data.

Cloud secure transmission

In the cloud environment: use VPCs and security groups; manage ciphertext and keys securely with KMS; obtain trusted, valid CA certificates for north-south traffic through the SSL certificate service and terminate HTTPS (encrypt and offload) for north-south traffic; use SSL/TLS encryption for RPC/gRPC communications; reduce the exposed attack surface of the VPC; and provide secure access to the link through a VPN gateway or Smart Access Gateway (SAG).

Cloud native secure transmission

In the cloud native scenario, a single cluster lets multiple tenants share one network, which calls for permission control of system components, encryption of data communication, certificate rotation management, and network isolation and traffic cleaning of east-west traffic between tenants. In the cloud native micro-service scenario, it calls for communication encryption and certificate management between applications / micro-services. It also calls for independent management of keys and ciphertext with third-party integration, such as integrating KMS with Vault CA, fabric-ca, istio-certmanager, etc.
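The east-west requirements just listed (encrypted service-to-service traffic, mesh-issued and rotated certificates, tenant isolation) can be declared as follows. This is an added example, not from the book; it assumes an Istio-enabled tenant namespace named tenant-a (placeholder) and that the mesh CA issues the workload certificates.

```yaml
# PeerAuthentication: require mutual TLS for all workloads in the tenant
# namespace. The mesh CA (Istio's built-in CA, or one integrated with KMS,
# Vault or cert-manager) issues and rotates the workload certificates, so
# applications get encryption and identity without handling keys themselves.
# mode: PERMISSIVE would still accept plaintext; STRICT is the hardened setting.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: require-mtls
  namespace: tenant-a               # placeholder tenant namespace
spec:
  mtls:
    mode: STRICT
---
# DestinationRule: clients in the namespace originate mTLS to every service
# in the namespace using the sidecar-provisioned certificates.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: tenant-a-mtls
  namespace: tenant-a
spec:
  host: "*.tenant-a.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
# NetworkPolicy: east-west isolation at the network layer for a shared
# multi-tenant cluster. Default-deny ingress for every Pod in the namespace,
# then allow only traffic from Pods in the same namespace and from the
# istio-system namespace (ingress gateway and control plane).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tenant-a-isolation
  namespace: tenant-a
spec:
  podSelector: {}                   # applies to every Pod in the namespace
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector: {}           # same-namespace Pods
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: istio-system
```

The NetworkPolicy only takes effect when the cluster's network plugin enforces policies; the PeerAuthentication only protects Pods that have a sidecar injected.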

Data processing stage

In the data processing stage, memory-level trusted computing requires not only the secure operation of cloud security virtualization, but also container security sandboxes and trusted security sandboxes.

Cloud security virtualization trusted computing: TEE (Intel SGX, ARM TrustZone). Cloud native container security sandbox: runV (Kata secure container sandbox); runE (Graphene/Occlum trusted security sandbox).

Data storage phase

There are cloud security requirements for cloud storage encryption, cloud data service encryption, container image storage encryption, audit log and application log encryption, and third-party integration, as well as support for keeping secrets (ciphertext passwords) in memory without writing them to disk.

Cloud storage encryption method:

Data + encryption algorithm + user key or master key; client encryption / server encryption.

Cloud storage data is mainly encrypted server-side; keys are managed securely by KMS/HSM; the encryption algorithms are secure and fully support the Chinese national (SM) algorithms as well as common international cryptographic algorithms, to meet users' needs for various algorithms:

Symmetric cryptographic algorithms: support SM1, SM4, DES, 3DES, AES; asymmetric cryptographic algorithms: support SM2, RSA (1024-2048); digest algorithms: support SM3, SHA1, SHA256, SHA384.

Aliyun only manages the device hardware (monitoring device availability metrics, activating and stopping the service, and so on). The key is managed entirely by the customer, and Aliyun has no way to obtain the customer key.

Cloud storage encryption supports:

Block storage (EBS cloud disk): supports storage encryption of the block devices (cloud disks) used inside virtual machines, ensures that block storage data is encrypted when stored in the distributed system, and supports encryption using either the service key or a user-selected key as master key.

Object storage (OSS): supports both server-side and client-side encryption. Server-side encryption supports the service key or a user-selected key as master key; client-side encryption supports user self-managed keys, and can also use a master key held in the user's KMS.

RDS database: multiple RDS versions are encrypted through Transparent Data Encryption (TDE) or the cloud disk instance encryption mechanism, with the service key or a user-selected key as master key.

Table storage (OTS): supports the service key or a user-selected key as master key.

File storage (NAS): supports the service key as master key.

MaxCompute big data computing: supports the service key as master key.

Secure storage of operation logs and audit logs, and integration with third-party log systems.

Cloud native storage encryption: currently, Alibaba Cloud Container Service ACK can host block storage, file storage and object storage, while other data services such as RDS and OTS are supported through Service Broker.

User container image / code: enterprise container image service, OSS CMK/BYOK encryption.

Cloud native persistent volume (PV): declarative CMK/BYOK support for cloud storage, and encryption support at the data service layer.

Operation logs and audit logs: ActionTrail OpenAPI / Kubernetes AuditLog, SLS log encryption.

Secrets (ciphertext passwords): KMS/Vault support third-party encryption and in-memory storage of ciphertext, without persisting it in etcd.

Conclusion

Under the cloud security system, cloud native full-link data security and full-link encryption have become basic configurations. Given the changes in containerized infrastructure and application architecture, and the characteristics of the cloud native technology architecture, the corresponding cloud native full-link encryption requirements for network, runtime and storage must be added in the data transmission, data processing and data storage stages.

Secure transmission must satisfy not only the cloud environment but also the container network, micro-service and blockchain scenarios that cloud native introduces, which raise further requirements for the secure transmission of cloud native data. There are requirements not only for the secure operation of cloud security virtualization, but also for container security sandboxes and trusted security sandboxes. And there are cloud security requirements not only for cloud storage encryption and cloud data service encryption, but also for container image storage encryption, audit log and application log encryption, third-party integration, and support for keeping secrets (ciphertext passwords) in memory without writing them to disk.

Highlights of this book

The problems encountered in operating the Double 11 super-large-scale Kubernetes cluster and their solutions are described in detail; the best combination for cloud-native transformation, Kubernetes + containers + Shenlong, and the technical details of moving 100% of the core systems to the cloud; the super-large-scale landing solution of Service Mesh for Double 11.

"Alibaba Cloud Native focuses on micro-services, Serverless, containers, Service Mesh and other technology areas, follows popular cloud native technology trends and large-scale cloud native landing practice, and aims to be the technology circle that best understands cloud native developers."
