Cloud data security methods drawn from product and operations (O&M) architecture experience

2025-02-25 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article explains in detail how to combine product and operations (O&M) architecture experience to secure data in the cloud. The editor finds it very practical and shares it here for reference; we hope you get something out of it.

Intended audience

This document is intended for individual and SME (small and medium enterprise) users who are new to Aliyun.

Main content

Back up data regularly

Reasonable design of security domain

Security group rule settings

Login password settings

Server port security

System vulnerability protection

Application vulnerability protection

Security intelligence collection

Back up data regularly

Data backup is the foundation of disaster recovery; its purpose is to reduce the risk of data loss caused by system failures, operator error and security incidents. Aliyun ECS comes with a disk snapshot feature, and used sensibly it covers the backup needs of most users. Define a backup policy that fits your business: you can create snapshots manually, or create an automatic snapshot policy and apply it to the chosen disks. We recommend one automatic snapshot per day, with each snapshot retained for at least 7 days. Two caveats worth adding: a snapshot taken while a database is writing is crash-consistent rather than application-consistent, so flush or quiesce the database first if you need a clean restore point; and check periodically that the policy is still producing snapshots, because a backup that silently stopped is usually discovered only during the outage. Good backup habits allow important data to be recovered quickly after a failure and keep losses small.
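The "check that the policy is still working" step above, as an added example that is not code from the original article or from Alibaba Cloud: it audits a list of snapshot records for every disk that should be covered, flagging disks whose newest successful snapshot is too old and disks that do not have one snapshot per day across the 7-day retention window. The record fields (SourceDiskId, CreationTime, Status) follow the shape of the ECS DescribeSnapshots response as I understand it, the sample records are constructed, and the 26-hour freshness threshold is an assumption.

```python
"""Audit automatic-snapshot coverage per disk: daily snapshots, 7 days of them.

Added example, not code from the original article or from Alibaba Cloud. The
records mirror the Snapshots.Snapshot entries of DescribeSnapshots
(SourceDiskId, CreationTime, Status); the sample data is constructed and
MAX_SNAPSHOT_AGE is an assumption.
"""
from datetime import datetime, timedelta

REQUIRED_RETENTION_DAYS = 7             # the article's minimum retention
MAX_SNAPSHOT_AGE = timedelta(hours=26)  # daily policy plus some slack (assumption)


def parse_creation_time(value):
    """ECS reports CreationTime in UTC as 'YYYY-MM-DDThh:mmZ'; a seconds variant is accepted too."""
    for fmt in ("%Y-%m-%dT%H:%MZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            pass
    raise ValueError("unrecognised CreationTime: %r" % (value,))


def audit_snapshots(snapshots, disk_ids, now):
    """Map each unhealthy disk id to a list of problems (an empty dict means all disks look fine)."""
    times_by_disk = {disk: [] for disk in disk_ids}
    for snap in snapshots:
        # Only completed snapshots count: 'progressing' or 'failed' ones cannot be restored from.
        if snap.get("Status") != "accomplished":
            continue
        disk = snap.get("SourceDiskId")
        if disk in times_by_disk:
            times_by_disk[disk].append(parse_creation_time(snap["CreationTime"]))

    window = timedelta(days=REQUIRED_RETENTION_DAYS)
    problems = {}
    for disk, times in times_by_disk.items():
        issues = []
        if not times:
            issues.append("no successful snapshot at all")
        else:
            age = now - max(times)
            if age > MAX_SNAPSHOT_AGE:
                issues.append("newest snapshot is %s old" % age)
            # A daily policy with 7-day retention should leave one snapshot per calendar day
            # inside the window. A disk attached less than 7 days ago shows up here until it has history.
            days = {t.date() for t in times if now - t <= window}
            if len(days) < REQUIRED_RETENTION_DAYS:
                issues.append("only %d of %d daily snapshots present" % (len(days), REQUIRED_RETENTION_DAYS))
        if issues:
            problems[disk] = issues
    return problems


def constructed_sample():
    """Run the audit over constructed DescribeSnapshots-style records (not real account output)."""
    snaps = []
    for day in range(1, 9):   # d-healthy: a snapshot at 02:00 UTC every day, 1-8 June
        snaps.append({"SourceDiskId": "d-healthy", "Status": "accomplished",
                      "CreationTime": "2024-06-%02dT02:00Z" % day})
    for day in range(1, 6):   # d-stale: the policy stopped producing snapshots after 5 June
        snaps.append({"SourceDiskId": "d-stale", "Status": "accomplished",
                      "CreationTime": "2024-06-%02dT02:00Z" % day})
    snaps.append({"SourceDiskId": "d-never", "Status": "failed",   # a failed run does not count
                  "CreationTime": "2024-06-08T02:00Z"})
    now = datetime(2024, 6, 8, 3, 0)
    return audit_snapshots(snaps, ["d-healthy", "d-stale", "d-never"], now)


if __name__ == "__main__":
    for disk, issues in sorted(constructed_sample().items()):
        print(disk, "->", "; ".join(issues))
```

In practice the snapshot list comes from DescribeSnapshots for the region and the disk list from DescribeDisks; running this daily from a monitoring job turns "we have backups" into something that is verified rather than assumed.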

Reasonable design of security domain

Aliyun's VPC (Virtual Private Cloud), built on SDN (software-defined networking) technology, lets users build an isolated, custom private network in which servers of different security levels within the enterprise are separated from each other. In a flat, fully interconnected network, one compromised server can otherwise reach every other application server.

Users are advised to create a VPC, choose their own IP address range, divide it into subnets, and configure route tables and gateways. Important data can then be kept on servers in an intranet that has no public address at all, with day-to-day operations carried out through an Elastic IP (EIP) attached only where needed, or better, through a bastion host (jump host) that is the only machine reachable from outside.

Security group rule settings

A security group is a key network-isolation control: an instance-level firewall applied to one or more ECS instances. Through security group rules, users can filter the server's inbound and outbound traffic at the network layer, restrict which ports are reachable from outside or inside, and authorize specific source addresses, shrinking the attack surface and protecting the server. The usual rule of thumb applies: deny by default, then allow only the source/port pairs a service genuinely needs.

For example, Linux servers are administered over port 22 (SSH) by default, and that port should not be opened directly to the public Internet. Configure the ECS security group so that only your fixed management IP address (as a /32) is authorized to reach port 22, and review the other application cases to become familiar with security groups. Users with stricter access-control requirements can also put management access behind a third-party VPN product from the cloud marketplace, which both encrypts the management traffic and removes the need to expose the SSH port publicly at all.
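The check behind the port-22 example above, as an added example that is not code from the original article or from Alibaba Cloud's own tooling: it scans a list of security-group rules for ingress Accept rules that open administrative ports to a broad source, and builds the tightened replacement pinned to one management address. The rule fields (IpProtocol, PortRange, SourceCidrIp, Policy, Direction, Priority) follow the Permissions.Permission entries returned by DescribeSecurityGroupAttribute; the sample rules are constructed, and the ADMIN_PORTS set and the /24 "broad prefix" threshold are assumptions. The rendered `aliyun ecs AuthorizeSecurityGroup` command uses the API's parameter names; confirm them against your CLI version before running it.

```python
"""Audit ECS security-group rules for admin ports reachable from the Internet.

Added example, not code from the original article or from Alibaba Cloud. Rule
dictionaries use the DescribeSecurityGroupAttribute field names; the sample
rules are constructed, and ADMIN_PORTS / BROAD_PREFIX_LEN are assumptions.
"""
import ipaddress

ADMIN_PORTS = {22, 3389, 3306, 6379}   # SSH, RDP, MySQL, Redis (assumption)
BROAD_PREFIX_LEN = 24                  # a public IPv4 source wider than a /24 is treated as "the Internet"


def port_range_covers(port_range, port):
    """Aliyun writes PortRange as 'from/to'; '-1/-1' means every port."""
    lo, hi = (int(p) for p in port_range.split("/"))
    return (lo == -1 and hi == -1) or lo <= port <= hi


def source_is_broad(cidr):
    """True for 0.0.0.0/0, ::/0 and public IPv4 prefixes shorter than BROAD_PREFIX_LEN."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return True
    if net.is_private:            # RFC 1918 / ULA ranges are intranet, not the Internet
        return False
    return net.version == 4 and net.prefixlen < BROAD_PREFIX_LEN


def exposed_admin_ports(rules):
    """Return [(rule, [ports])] for ingress Accept rules that open ADMIN_PORTS to a broad source."""
    findings = []
    for rule in rules:
        if rule.get("Direction", "ingress") != "ingress":
            continue
        if rule.get("Policy", "Accept").lower() != "accept":
            continue
        if rule.get("IpProtocol", "ALL").upper() not in ("TCP", "ALL"):
            continue                  # the ports above are all TCP services
        src = rule.get("SourceCidrIp") or rule.get("Ipv6SourceCidrIp")
        if not src or not source_is_broad(src):
            continue                  # source is another security group, or already narrow
        ports = sorted(p for p in ADMIN_PORTS if port_range_covers(rule["PortRange"], p))
        if ports:
            findings.append((rule, ports))
    return findings


def tightened_rule(rule, admin_source):
    """Copy of `rule` with the source narrowed to the management address (a bare IP becomes a /32)."""
    fixed = dict(rule)
    fixed["SourceCidrIp"] = str(ipaddress.ip_interface(admin_source).network)
    return fixed


def authorize_command(region_id, sg_id, rule):
    """Render the rule as an `aliyun ecs AuthorizeSecurityGroup` call (flags follow the API parameter names)."""
    return ("aliyun ecs AuthorizeSecurityGroup --RegionId %s --SecurityGroupId %s "
            "--IpProtocol %s --PortRange %s --SourceCidrIp %s --Policy accept --Priority %d"
            % (region_id, sg_id, rule["IpProtocol"].lower(), rule["PortRange"],
               rule["SourceCidrIp"], rule.get("Priority", 1)))


# Constructed rules, not a dump from a real account.
CONSTRUCTED_RULES = [
    {"IpProtocol": "TCP", "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0",
     "Policy": "Accept", "Direction": "ingress", "Priority": 1},        # SSH open to the world
    {"IpProtocol": "TCP", "PortRange": "443/443", "SourceCidrIp": "0.0.0.0/0",
     "Policy": "Accept", "Direction": "ingress", "Priority": 1},        # public HTTPS: fine
    {"IpProtocol": "TCP", "PortRange": "3306/3306", "SourceCidrIp": "10.0.0.0/8",
     "Policy": "Accept", "Direction": "ingress", "Priority": 1},        # intranet MySQL: fine
    {"IpProtocol": "ALL", "PortRange": "-1/-1", "SourceCidrIp": "203.0.0.0/8",
     "Policy": "Accept", "Direction": "ingress", "Priority": 100},      # every port from a public /8
    {"IpProtocol": "TCP", "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0",
     "Policy": "Drop", "Direction": "ingress", "Priority": 100},        # explicit deny: fine
    {"IpProtocol": "TCP", "PortRange": "22/22", "SourceCidrIp": "203.0.113.10/32",
     "Policy": "Accept", "Direction": "ingress", "Priority": 1},        # pinned to one admin IP: fine
]


def audit_constructed():
    """Findings on the constructed rules as (PortRange, SourceCidrIp, exposed ports)."""
    return [(r["PortRange"], r["SourceCidrIp"], ports)
            for r, ports in exposed_admin_ports(CONSTRUCTED_RULES)]


if __name__ == "__main__":
    for rule, ports in exposed_admin_ports(CONSTRUCTED_RULES):
        print("EXPOSED %s from %s -> ports %s" % (rule["PortRange"], rule["SourceCidrIp"], ports))
        print("  fix:", authorize_command("cn-hangzhou", "sg-example", tightened_rule(rule, "203.0.113.10")))
```

Adding the tightened rule is only half the fix: the broad rule must also be revoked (RevokeSecurityGroup with the same parameters), otherwise both rules coexist and the broader one still admits traffic.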

Login password settings

Weak passwords have always been a major cause of data breaches, because they are among the easiest vulnerabilities to find and exploit. Server passwords should be at least 8 characters long (longer is better), drawn from several character classes (upper- and lower-case letters, digits and special characters), and changed periodically, as part of good security operations habits. For SSH specifically, prefer key-based authentication and disable password logins in the SSH daemon configuration, so that password guessing cannot succeed in the first place.

Server port security

Any server that provides services to the Internet necessarily exposes the corresponding service ports. From a security-management perspective, every additional open port is additional exposure, so open only the ports that must serve the public, move commonly scanned services off their well-known ports to high ports (above 30000), and then apply access control to the ports that remain open. Note that changing a port only reduces noise from automated scanners; a targeted attacker will find the new port, so the access-control rule is the control that actually matters.

For example, keep database services inside the private network wherever possible and do not expose them to the public Internet. If public access is unavoidable, change MySQL's default port 3306 to a high port, bind the service only to the interface it needs, and authorize only the client addresses the business requires.
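The "what is this server actually exposing" check that goes with the two paragraphs above, as an added example that is not code from the original article: it parses the output of `ss -tlnp`, lists every service bound on a wildcard address (reachable on all interfaces, so through the public address too), and flags the ones not on the allowlist of ports the server is meant to serve. The sample `ss` output is constructed, and ALLOWED_PUBLIC_PORTS is an assumption for this example.

```python
"""Audit a host's listening sockets: flag wildcard-bound services not on the public allowlist.

Added example, not code from the original article. Parses `ss -tlnp` output
(header line present); the sample output is constructed and
ALLOWED_PUBLIC_PORTS is an assumption.
"""
import re
import sys

ALLOWED_PUBLIC_PORTS = {80, 443}                  # what this server is meant to serve (assumption)
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}   # bound on all interfaces, i.e. reachable from outside
PROCESS_RE = re.compile(r'\(\("([^"]+)"')        # first process name inside users:(("nginx",pid=...


def parse_ss_listeners(text):
    """Yield (address, port, process) for each LISTEN line of `ss -tlnp` output; other lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # '[::]:22' -> ('[::]', '22'); '*:80' -> ('*', '80')
        match = PROCESS_RE.search(line)
        yield addr, int(port), match.group(1) if match else "?"


def public_listeners(text):
    """Set of (port, process) bound on a wildcard address."""
    return {(port, proc) for addr, port, proc in parse_ss_listeners(text) if addr in WILDCARD_ADDRS}


def unexpected_public_listeners(text, allowed=ALLOWED_PUBLIC_PORTS):
    """Wildcard-bound listeners whose port is not on the allowlist, sorted by port."""
    return sorted(item for item in public_listeners(text) if item[0] not in allowed)


# Constructed `ss -tlnp` output, not captured from a real host.
CONSTRUCTED_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       511     *:80                 *:*                users:(("nginx",pid=950,fd=6),("nginx",pid=949,fd=6))
LISTEN  0       511     *:443                *:*                users:(("nginx",pid=950,fd=7),("nginx",pid=949,fd=7))
LISTEN  0       80      0.0.0.0:3306         0.0.0.0:*          users:(("mysqld",pid=1203,fd=21))
LISTEN  0       128     127.0.0.1:6379       0.0.0.0:*          users:(("redis-server",pid=1300,fd=6))
"""


if __name__ == "__main__":
    # Pipe real output in (`ss -tlnp | python3 listen_audit.py`), or run with no input to use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else CONSTRUCTED_SS_OUTPUT
    for port, proc in unexpected_public_listeners(data):
        print("port %d (%s) listens on all interfaces but is not on the allowlist" % (port, proc))
```

On the sample, SSH and MySQL are flagged while Redis on 127.0.0.1 is not; the MySQL finding is exactly the case the paragraph describes, and the right fix is to bind it to the private address (or localhost) rather than only to move it to a high port.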

System vulnerability protection

System vulnerabilities are a long-standing risk and are addressed through system patching, or through Anknight's patch management. Keep Windows Update enabled at all times, and on Linux set up a scheduled task that runs yum update -y to update system packages and the kernel. Two caveats: a kernel update takes effect only after a reboot, so schedule one after kernel updates; and on production systems test updates in a staging environment first, since an unattended update can also break a service.

Cloud Shield's Anknight product can also detect and block password brute-forcing, preventing repeated guessing attempts from turning into an intrusion, and it secures servers in bulk. Anknight also provides configuration checks and remediation guidance for insecure server application settings, helping users fix weaknesses and harden their servers. Highly recommended.

Application vulnerability protection

Application vulnerabilities are security flaws in web applications, caches, databases, storage and similar services that let an attacker obtain data illegitimately through penetration attacks. Common examples include SQL injection, cross-site scripting (XSS), webshell upload (and the need to isolate planted backdoors), command injection, malformed HTTP requests, known web-server vulnerabilities, unauthorized access to core files, and path traversal. Unlike system vulnerabilities, these live in the application's own code and are much harder to fix after the fact. If the program did not address these application security baselines during design and development, the last mile of server security is often where the defenses are breached. We therefore recommend placing a Web Application Firewall (WAF) in front of the site as a professional protection layer that handles the common classes of web attack and keeps the website secure and available. Note that a WAF mitigates; it does not replace fixing the underlying vulnerability.

Security intelligence collection

In today's Internet security landscape, security engineers and attackers race against time. Cloud Shield Situation Awareness can be understood as a security service built on big data: in a large-scale cloud computing environment it captures and analyzes, comprehensively, quickly and accurately, the factors that change the network security posture. It then correlates the customer's current threats with past threats and big-data analysis, predicts likely future security incidents, and proposes a systematic security response.

Therefore, beyond routine security operations, technical staff should gather as much information as possible, improve their early-warning capability, and repair and handle security problems promptly once they are found, in order to truly close the loop on data security for ECS cloud servers.

That concludes the discussion of combining product and O&M architecture experience to secure data in the cloud. We hope the content above is helpful. If you found the article useful, share it so that more people can see it.
