2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Cloud computing is the general trend. According to a 2016 IDC statistical analysis report:
The compound annual growth rate of the total IT market from 2015 to 2020 is only 3%.
The compound annual growth rate of the global public cloud market is 19%.
74% of Chinese enterprises think the cloud can be trusted.
62% of enterprises believe the cloud has innate advantages in basic defense, platform stability, and team expertise.
Therefore, as the cloud platforms of the major cloud vendors have matured, more and more enterprises are trying to migrate their applications from the local computer room to the cloud.
When the public cloud first came to the fore in the domestic market four or five years ago, most companies were in a wait-and-see state. After all, with the rapid development of information technology, data is the lifeblood of an enterprise, and putting that data on a public cloud makes the managers of traditional enterprises nervous. However, as enterprises have trialled cloud applications in recent years, more and more business managers have become convinced that data can be more secure on the public cloud.
Recently, while chatting with a customer, I came across a strange idea. The customer asked:
Now, aren't all the cloud vendors advertising that their public clouds are safe and reliable? Why do we still need to buy security products?
In fact, this is a gap in understanding. When cloud vendors say the public cloud is safe and reliable, I think they mostly mean it compared with our local computer room:
it is safe and reliable for us to host servers or data in the cloud, because resources that used to depend on our own physical conditions are now delivered to tenants as SaaS. The risk then depends on the physical conditions of the major cloud vendors' data centres, and those large-scale facilities will of course be more stable than small, localized computer rooms.
The "Internet Network Security Situation in China in the First Half of 2019", released by the National Internet Emergency Response Center on August 13, shows that network security incidents on China's cloud platforms in the first half of 2019 intensified further compared with 2018.
According to the center's monitoring data, the proportion of network security incidents of all kinds that occur on China's mainstream cloud platforms remains high. Cloud platforms accounted for 69.6% of the DDoS attacks against domestic targets, 63.1% of all backdoor links implanted in China, and 62.5% of all tampered web pages in China.
Our application systems face the same risks whether they sit in the local computer room or on the public cloud. The difference is that when our applications are on the public cloud, we no longer need to buy our own security appliances or build our own defensive environment: we can directly use the security products that the major cloud vendors provide as SaaS to protect our applications.
What kinds of risk will our application system face?
From the dimensions introduced in the figure, we can clearly divide the risks faced by the application system into four: network security, business security, host security and app security. Our application system faces all four of these risk types whether we put the application in the local computer room or on the public cloud. Of course, if our application is built on a B/S (browser/server) architecture, there is no app security risk.
From past experience, we know that an offline computer room achieves security protection by purchasing a series of hardware appliances and combining them with the local network and servers. So in our public cloud environment, what minimum configuration do we need to make our cloud applications better protected?
To make the following introduction of the security measures we need to adopt more intuitive, I will use the simple architecture diagram below to help illustrate.
1. Host level
Antivirus software: take the official website server as an example (the lower right corner of the architecture diagram). You need to install antivirus software on the server. Cloud vendors generally have self-developed antivirus software, and it is more powerful than traditional antivirus software: besides antivirus, it usually includes vulnerability scanning and repair, server security baseline scanning, asset management and other functions, so it protects the system better at the host level.
Cloud database audit: records and raises alarms on risky database operations such as SQL injection. It supports both cloud databases and self-built databases, and provides security diagnosis, maintenance and management capabilities for cloud databases.
2. Network access level
On the network path from the end user to the application in the architecture diagram, a number of cloud security products protect the application at the network transmission layer. Here we list three commonly used cloud security products:
Web Application Firewall:
Based on the cloud vendor's security big-data capabilities, it effectively defends against all kinds of common OWASP web attacks and filters large volumes of malicious CC (HTTP flood) traffic, preventing website tampering, avoiding leakage of your website's asset data, and ensuring the security and availability of the website business.
DDoS Protection:
Effectively defends against DDoS attacks and protects the application from them.
Certificate Services:
Convert your service from HTTP to HTTPS at minimum cost, to authenticate the website and encrypt data in transmission.
3. Operation and maintenance security management level
This preventive measure is easy for users to ignore, and many users may even think that these protective measures, common in traditional IDC computer rooms, are unnecessary in the cloud environment. In fact, this is a misunderstanding of operation and maintenance work on the cloud. What moving to the cloud actually solves is the operation and maintenance of the physical environment, along with reducing a great deal of manual O&M work; it does not remove the need for these measures.
Fortress machine (bastion host):
Centralized O&M identity authentication, account management and control, system operation audit and other functions. Implemented as a protocol forward proxy, it records the data streams of common O&M protocols such as SSH, Windows Remote Desktop and SFTP, then replays them as video by reassembling the protocol data stream, achieving O&M audit.
Security reinforcement:
Through the fortress machine, configure security parameters for the operating system, database, middleware, log audit, account audit, login audit, etc.
Vulnerability fixes:
Through the fortress machine, repair vulnerabilities in the operating system, database, middleware, applications and so on.
Subnetting:
Use separate subnets to standardize the management of cloud resources and control access to them.
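As an added illustration of the fortress machine and subnetting points above (example code written for this page, not a product of any cloud vendor), the check below audits a constructed set of security-group rules for the official website server: the management ports named in the article (SSH and Windows Remote Desktop) must only be reachable from the bastion subnet, never from the Internet. The bastion subnet 10.0.100.0/24 and the rule format are assumptions.

```python
import ipaddress

# Assumed bastion (fortress machine) subnet; every O&M session should originate here.
BASTION_SUBNET = ipaddress.ip_network("10.0.100.0/24")
MGMT_PORTS = {22, 3389}  # SSH (SFTP rides on it too) and Windows Remote Desktop

def rule_exposes_mgmt_port(rule, bastion_subnet=BASTION_SUBNET):
    """True if an ingress rule opens a management port to anything outside the bastion subnet."""
    if rule["direction"] != "ingress":
        return False
    ports = set(range(rule["from_port"], rule["to_port"] + 1))
    if not ports & MGMT_PORTS:
        return False
    source = ipaddress.ip_network(rule["source"], strict=False)
    # A different address family (e.g. ::/0) can never lie inside the IPv4 bastion subnet.
    if source.version != bastion_subnet.version:
        return True
    return not source.subnet_of(bastion_subnet)

def audit_rules(rules, bastion_subnet=BASTION_SUBNET):
    """Names of the rules that violate bastion-only management access."""
    return [r["name"] for r in rules if rule_exposes_mgmt_port(r, bastion_subnet)]

# Constructed weak rule set: SSH open to the world, RDP open to an office range.
WEAK_RULES = [
    {"name": "web-http", "direction": "ingress", "from_port": 80, "to_port": 80, "source": "0.0.0.0/0"},
    {"name": "web-https", "direction": "ingress", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    {"name": "ssh-anywhere", "direction": "ingress", "from_port": 22, "to_port": 22, "source": "0.0.0.0/0"},
    {"name": "rdp-office", "direction": "ingress", "from_port": 3389, "to_port": 3389, "source": "203.0.113.0/24"},
    {"name": "all-egress", "direction": "egress", "from_port": 0, "to_port": 65535, "source": "0.0.0.0/0"},
]

# Corrected set: web ports unchanged, management ports only from the bastion subnet.
HARDENED_RULES = [
    WEAK_RULES[0], WEAK_RULES[1],
    {"name": "ssh-from-bastion", "direction": "ingress", "from_port": 22, "to_port": 22, "source": "10.0.100.0/24"},
    {"name": "rdp-from-bastion", "direction": "ingress", "from_port": 3389, "to_port": 3389, "source": "10.0.100.0/24"},
    WEAK_RULES[4],
]

if __name__ == "__main__":
    print("weak rules, findings:", audit_rules(WEAK_RULES))          # ['ssh-anywhere', 'rdp-office']
    print("hardened rules, findings:", audit_rules(HARDENED_RULES))  # []
```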
To sum up the three levels above: when we release an application on the public cloud, the minimum set of cloud security products we need to configure to ensure application security and compliance should include antivirus software, DDoS protection, a web application firewall, certificate services, database audit and a fortress machine. At the same time, resources such as CVM instances, databases and middleware still need security reinforcement, vulnerability repair and other operation and maintenance work.
Author: Lin Weidong