The concept of cloud computing was officially proposed by Google in 2006. The cloud computing model has become the development trend of the information and communications (ICT) industry around the world.

2025/04/01 14:14:40 | technology

The concept of cloud computing was formally proposed by Google in 2006, and the cloud computing model has since become the development trend of the information and communications technology (ICT) industry worldwide. In essence, cloud computing is a service-oriented computing model. By abstracting the various computing resources and offering high-performance, low-cost, continuously available computing, storage and software services under new business models, it supports all kinds of information applications while allocating computing resources rationally, raising resource utilization, reducing costs, promoting energy conservation and emission reduction, and achieving truly "green" computing.

However, alongside its conveniences and advantages, cloud computing also brings impacts and challenges to information security at several levels. The service-based computing model, dynamic virtualization management and multi-layer service model of cloud computing create new information security issues; the dynamic, multi-party nature of cloud service-level agreements complicates the identification of responsibility and strains the existing information security system; and when the powerful computing and storage capabilities of cloud computing are used for illegal purposes, the existing security management system is heavily affected. To respond effectively to these security risks, the relevant departments in China have actively promoted the construction of a cloud computing security standard system and, with the joint efforts of all relevant units, achieved remarkable results.


1. Analysis of the cloud computing security expansion requirements in Level Protection 2.0

Level protection (classified protection of cybersecurity) is one of the important systems implemented in China in the field of network security. So that this series of network security protection standards keeps pace with the times and addresses the security needs raised by new technologies and new applications, version 2.0 of the "Basic Requirements for Network Security Protection" puts forward security expansion requirements for five technical fields: cloud computing, mobile Internet, Internet of Things, industrial control systems and big data. The chapter on cloud computing security expansion requirements sets out special protection requirements based on the characteristics of cloud computing. The main control points added for the cloud computing environment include "infrastructure location", "virtualization security protection", "image and snapshot protection", "cloud service provider selection", "supply chain management" and "cloud computing environment management". Taking the most typical and important third-level requirements as an example, the standard puts forward a total of 46 cloud computing security expansion requirements covering 16 control points at 7 levels (5 technical levels and 2 management levels).

Figure note: Distribution of control points in the cloud computing security expansion requirements

In addition, the appendix to the cloud computing security expansion requirements explains the application scenarios and clearly states that Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) are the three basic cloud computing service models.

Figure note: Relationship between the cloud computing service model and the scope of control

As the figure shows, under the different service models the cloud service provider and the cloud service customer control different portions of the computing resources, and that scope of control determines the boundary of security responsibility. In the IaaS model, the cloud computing platform/system consists of the facilities, the hardware and the resource abstraction and control layer; in the PaaS model it also includes the virtualized computing resources and the software platform; in the SaaS model it further includes the application software. The security management responsibilities of the provider and the customer therefore differ from one service model to the next. When a user builds a private cloud platform locally, the user is responsible for all security guarantees for the facilities, hardware, resource abstraction and control layer, virtualized computing resources and software platform.


2. Analysis of cloud computing security construction requirements

Because the network environment in the cloud is more complex and changes elastically and dynamically, cloud computing security construction under the Level Protection 2.0 standard needs to address the following needs:

2.1 Risk and requirements analysis for the secure physical environment

If the networks, devices or lines that make up the cloud computing platform's physical infrastructure become unavailable, the platform itself becomes unavailable and the user's entire cloud business is paralyzed. Physical and environmental security covers computer room site selection, computer room construction, anti-theft and damage prevention for equipment and facilities, fire protection, waterproofing, power supply, electromagnetic protection and so on. The construction of the data center computer room, the structured cabling and the security construction must strictly follow the relevant national standards and be tested and accepted by the relevant departments. At the same time, the cloud computing platform must be located in China.

2.2 Risk and requirements analysis for the secure communication network

First, a cloud computing platform must not host business application systems whose security protection level is higher than the platform's own. During security construction, the cloud computing platform needs to ensure isolation between the virtual networks of different cloud service customers, and provide security mechanisms such as communication transmission protection, boundary protection and intrusion prevention according to the customers' needs. The platform should allow cloud service customers to set security policies independently according to business needs, while integrating cloud security management deeply with cloud computing management to give a better user experience.

2.3 Risk and requirements analysis for the secure area boundary

(1) Access control

Cloud service customers need to deploy access control mechanisms, and set access control rules, at the boundaries of virtualized networks and at the boundaries between network areas of different levels.

(2) Intrusion prevention

Within the cloud computing platform, attacks between cloud service customers, between virtual machines and hosts, between virtual machines, and between virtual network nodes should be detected and alerted on, with the attack type, attack time, attack traffic and other information recorded.

(3) Security audit

Privileged commands executed by cloud service providers and cloud service customers during remote management are audited, including at least virtual machine deletion and virtual machine restart; operations performed by the cloud service provider on a cloud service customer's systems and data must be auditable by that customer.

2.4 Risk and requirements analysis for the secure computing environment

(1) Identity Authentication

For remote management of devices in the cloud computing platform, a two-way (mutual) authentication mechanism should be established between the management terminal and the cloud computing platform.

(2) Access control

When a cloud service customer's virtual machine is migrated, its access control policy migrates with it, and the cloud service customer sets the access control policies between its different virtual machines.

(3) Intrusion prevention

The security construction of the cloud computing platform should be able to detect and alert on resource isolation failures between virtual machines, on the unauthorized creation of new virtual machines or re-enabling of virtual machines, and on malicious code infection and spread between virtual machines.

2.5 Risk and requirements analysis for the security management center

The cloud computing platform needs to manage, schedule and allocate physical and virtual resources uniformly according to policy. During security construction, cloud computing platform management traffic is separated from cloud service customer business traffic. According to the division of responsibilities between cloud service providers and cloud service customers, the audit data of the parts each party controls is collected and each party performs its own centralized audit; likewise, each party centrally monitors the operating status of the parts it controls, including virtualized networks, virtual machines and virtual security devices.


3. Cloud computing security construction plan design

Cloud computing security construction needs to meet the general construction requirements of Level Protection 2.0 and combine them with the cloud computing expansion requirements, establishing the concept of "one center, triple protection": the security management center, plus the secure communication network, the secure area boundary and the secure computing environment. The overall information security guarantee system takes the secure computing environment as its foundation, the secure communication network and the secure area boundary as its guarantees, and the security management center as its core.

Figure note: Cloud computing security standard system framework

3.1 Secure communication network

The cloud computing platform has a vSwitch layer inside the server, which blurs the boundaries that used to be clear. This challenge must therefore be considered in the security design to ensure that the security solution can actually be implemented. When user services are deployed on the cloud computing platform, the server's internal networks pose security protection challenges at two levels:

The first level: enable VPC mode within the cloud computing platform, build isolated network environments according to user needs, and achieve network isolation between the user's different business departments or business systems. Secure isolation between VPCs can use the isolation capabilities of virtual firewalls: by providing virtualized firewall, logical VPN and other services between the platform's VPCs, port groups separate the virtual machines that need protection from external networks, meeting the network security needs of a virtualized environment. The Shanshi Netke Virtualization Next Generation Firewall-Cloud·World can provide the cloud data center with logical security boundaries that have isolation functions, support multi-tenant environments and share network resources safely, realizing secure isolation of application system cloud server groups.

The second level: according to the level protection requirements, isolation between the virtual machines hosting the user's business systems also needs to be considered. At this level, Shanshiyun·Grid is deployed in the cloud computing platform for security protection between virtual machines. Its "virtual machine micro-isolation" technology gives each virtual machine its own "personal bodyguard". Through patented traffic steering technology, Shanshiyun·Grid pulls the traffic of each business virtual machine to a virtual security service module and performs threat detection at layers 2 to 7, thereby discovering and blocking security threats in east-west traffic. Cloud service customers can set security policies independently according to their needs, giving a better user experience.

3.2 Secure area boundary

3.2.1 Access control and intrusion prevention

Cloud service customers need to deploy access control mechanisms, and set access control rules, at the boundaries of virtualized networks and between network areas of different levels. Within the cloud computing platform, attacks between cloud service customers, between virtual machines and hosts, between virtual machines, and between virtual network nodes should be detected and alerted on, with the attack type, attack time, attack traffic and other information recorded.

VPC boundary protection and boundary access control in the cloud computing platform can use Shanshiyun·Biography to provide boundary traffic filtering, network layer protection and application layer protection. For access control and intrusion prevention between virtual machines, Shanshiyun·Grid can be deployed to build a strong and trustworthy "shield" in the virtualized environment. System traffic is matched against policy rules: whenever a session passing through Shanshiyun·Grid matches a policy rule, the IPS/AV template configured by the user is invoked to detect whether the session carries a threat or attack behavior, and sessions found to carry one are handled according to the user's own configuration. This improves the defense capabilities of the cloud data center and reduces the user's security risk.

3.2.2 Security Audit

Security auditing of the virtual security devices and business systems in the cloud computing platform is also an important part of security protection construction. All Shanshi Netke virtualized security products produce rich information logs, and all logs support local storage and export over the syslog protocol. The log content identifies the user, and each event record includes the date and time, user, event type, event result and so on, meeting the relevant requirements under "security audit".

Shanshi Netke provides a professional virtualized log audit platform that can audit all user access behavior and security events. The logs of node devices can be pushed to the log audit platform over the syslog protocol for unified storage and analysis. Logs are required to be retained for no less than 6 months, which meets the requirements of level protection and the network security law.
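As an added example, not code from the article or from any Shanshi Netke product, the following Python script applies the audit requirement of sections 2.3 (3) and 3.2.2 to constructed syslog-style audit records: it parses the records, isolates the privileged operations that must be audited at minimum (virtual machine deletion and restart), extracts the provider's actions on one customer's tenant in the form that customer's own audit should receive, and checks the six-month retention window. The record format, field names, actors and tenant names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample audit lines (not real device output). Each is the message
# part of a syslog event from a hypothetical cloud management plane.
SAMPLE_LOG = """\
2025-04-01T09:12:03Z actor=ops01 role=provider tenant=tenant-a op=vm.restart target=vm-1001 result=success
2025-04-01T09:15:44Z actor=alice role=customer tenant=tenant-a op=vm.delete target=vm-1002 result=success
2025-04-01T10:02:10Z actor=ops02 role=provider tenant=tenant-b op=vm.delete target=vm-2001 result=failed
2025-04-01T10:05:00Z actor=bob role=customer tenant=tenant-b op=vm.start target=vm-2002 result=success
2025-04-01T10:09:30Z actor=ops01 role=provider tenant=tenant-a op=snapshot.read target=vm-1001 result=success
this line is not an audit record
"""

# Minimum set of privileged remote-management operations that must be audited.
PRIVILEGED_OPS = {"vm.delete", "vm.restart"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) actor=(?P<actor>\S+) role=(?P<role>\S+) "
    r"tenant=(?P<tenant>\S+) op=(?P<op>\S+) target=(?P<target>\S+) result=(?P<result>\S+)$"
)


def parse_audit_log(text):
    """Parse key=value audit lines; malformed lines are returned, not silently dropped."""
    events, malformed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            malformed.append(line)  # an audit pipeline must surface what it could not parse
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events, malformed


def privileged_events(events):
    """Events that must be in the audit trail whoever issued them, successful or not."""
    return [e for e in events if e["op"] in PRIVILEGED_OPS]


def provider_actions_visible_to(events, tenant):
    """Provider operations on one customer's systems, as that customer's audit should see them."""
    return [
        {"time": e["ts"].isoformat(), "actor": e["actor"], "op": e["op"],
         "target": e["target"], "result": e["result"]}
        for e in events
        if e["role"] == "provider" and e["tenant"] == tenant
    ]


def retention_satisfied(oldest_retained, now, min_days=183):
    """True if the store still holds at least six months (taken as 183 days) of history.

    Both arguments are YYYY-MM-DD strings: the timestamp of the oldest record
    still in the log store and the current date.
    """
    fmt = "%Y-%m-%d"
    age = datetime.strptime(now, fmt) - datetime.strptime(oldest_retained, fmt)
    return age >= timedelta(days=min_days)
```

The provider-side view is simply the full event list; the customer-side view excludes other tenants and includes failed attempts, since an unsuccessful deletion is still an auditable privileged action.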

3.3 Secure computing environment

3.3.1 Identity authentication

For remote management of devices in the cloud computing platform, VPN technology can be used to connect the management terminals to the cloud computing platform and to implement a two-way authentication mechanism. Shanshiyun·jie supports enabling a VPN function that encrypts data in transit, giving users a secure and stable connection so that they can carry out operation and maintenance efficiently anytime, anywhere.

In operation and maintenance management, a bastion host or virtual bastion host can implement account permission separation and two-factor authentication. Through identity authentication, privilege control, account management, operation auditing and other means, unified authentication, unified authorization and unified auditing of the core assets in the cloud can be achieved, comprehensively improving the ability to control operation and maintenance risk.

3.3.2 Access control

Cloud service customers set access control policies between their different virtual machines, and when a virtual machine is migrated, its access control policies migrate with it. In a virtualized environment, the cloud security policy therefore follows the virtual machine wherever it is migrated.

3.3.3 Intrusion prevention

In the construction of the cloud computing platform, it is necessary to detect and alert on resource isolation failures between virtual machines, on the unauthorized creation of new virtual machines or re-enabling of virtual machines, and on malicious code infection and spread between virtual machines.
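As an added example, not code from the article or from any vendor product, the following Python reconciliation check implements the detection items of sections 2.4 (3) and 3.3.3 on a constructed inventory: it compares what the hypervisor reports against the approved change record and raises alerts for unauthorized new virtual machines, virtual machines re-enabled without approval, and isolation failures where a virtual machine is attached to another tenant's virtual network, then routes each alert according to the provider/customer division of responsibilities described in section 2.5. The inventory format, VM identifiers and tenant names are assumptions.

```python
# Constructed inventory data (hypothetical, not taken from any real platform).
# APPROVED is the change-management record of what each tenant may run.
APPROVED = {
    "vm-1001": {"tenant": "tenant-a", "state": "running"},
    "vm-1002": {"tenant": "tenant-a", "state": "stopped"},  # decommissioned, must stay off
    "vm-2001": {"tenant": "tenant-b", "state": "running"},
}
# Which tenant owns each virtual network (VPC).
VPC_OWNER = {"vpc-a": "tenant-a", "vpc-b": "tenant-b"}
# What the hypervisor inventory reports right now.
OBSERVED = {
    "vm-1001": {"state": "running", "networks": ["vpc-a"]},
    "vm-1002": {"state": "running", "networks": ["vpc-a"]},           # re-enabled without approval
    "vm-2001": {"state": "running", "networks": ["vpc-b", "vpc-a"]},  # attached to another tenant's VPC
    "vm-9999": {"state": "running", "networks": ["vpc-b"]},           # not in the approved inventory
}


def reconcile(approved, vpc_owner, observed):
    """Compare the live inventory with the approved record and return a list of alerts.

    Covers three of the conditions the text requires to be detected: unauthorized
    new VMs, VMs re-enabled without approval, and isolation failures (a VM
    attached to a network its tenant does not own).
    """
    alerts = []
    for vm_id, obs in sorted(observed.items()):
        rec = approved.get(vm_id)
        if rec is None:
            alerts.append({"type": "unauthorized_new_vm", "vm": vm_id})
            continue  # no tenant on record, so nothing to check network ownership against
        if obs["state"] == "running" and rec["state"] != "running":
            alerts.append({"type": "unauthorized_reenable", "vm": vm_id,
                           "tenant": rec["tenant"]})
        # A network that is not in vpc_owner at all is also treated as foreign.
        foreign = [n for n in obs["networks"] if vpc_owner.get(n) != rec["tenant"]]
        if foreign:
            alerts.append({"type": "isolation_failure", "vm": vm_id,
                           "tenant": rec["tenant"], "networks": foreign})
    return alerts


def route_alerts(alerts):
    """Route alerts by responsibility: the provider sees everything, a customer
    sees only alerts that carry its own tenant identifier."""
    routed = {"provider": list(alerts)}
    for alert in alerts:
        tenant = alert.get("tenant")
        if tenant is not None:
            routed.setdefault(tenant, []).append(alert)
    return routed
```

Running the check on a schedule and diffing consecutive results turns a one-off audit into the continuous monitoring the security management center is expected to provide.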

For the virtual host systems of the cloud computing platform, deploying network-edition antivirus software or Shanshi Netke EDR products actively detects and intercepts malicious programs, including AV-evading Trojans, phishing programs, cryptomining programs, ransomware and blacklisted programs.

For the security of web applications deployed on the cloud computing platform, a virtual web application firewall can protect the application systems against attacks, and web page tamper protection can protect the web pages themselves.

To address the risks to database information and strengthen the security of database systems, the databases need to be protected; a virtual database firewall can be used for this purpose.

The Shanshi Netke virtualized remote security assessment system can run security scans against the operating systems and business systems in the cloud. It helps operation and maintenance personnel carry out efficient and accurate self-inspection of the tenant's internal systems in real time, discover security problems promptly, and obtain detailed, professional security recommendations and remediation plans, effectively improving the robustness and security of the whole network.

Shanshi Netke cloud computing virtual security devices can send logs and traffic information to the intelligent security operation system, which alerts on and visualizes security events in the cloud.

3.4 Security Management Center

In the construction of the cloud computing platform, physical and virtual resources must be managed, scheduled and allocated according to policy. In daily operations this means: managing the security configuration and policy changes of the infrastructure that makes up the cloud computing platform itself, and verifying the configuration regularly; hardening and verifying the operating system security configuration of the physical servers involved in the platform; discovering security vulnerabilities in the cloud computing platform and its related product components promptly and providing fixes; ensuring the availability of the cloud computing platform and cloud products through a chain of fault controls such as fault monitoring, rapid localization, automated recovery, notification and alarm; providing data security protection for the cloud computing platform to help users protect the availability, confidentiality and integrity of their cloud systems and data; and implementing centralized auditing of cloud computing platform data and centralized monitoring of the operating status of the virtualized networks, virtual machines and virtualized security devices in the platform.

The standard also clearly requires centralized control capabilities. By building a virtual security management platform, the security technology level and the security management level can be truly combined, the security guarantee capabilities of the entire network comprehensively improved, and the relevant "centralized control" requirements in China met.


4. Shanshi Netke Cloud Computing Security Product

Shanshi Netke launched a cloud computing security solution composed of Shanshi Cloud·Grid and Shanshi Cloud·World in 2015 and has since accumulated a large number of successful cloud security cases. With the implementation of the Level Protection 2.0 policy, Shanshi Netke is committed to creating a complete set of cloud computing security solutions that meet the compliance requirements of the cloud computing security expansion requirements. The solution covers most of the control measures in the cloud computing security expansion requirements, such as secure communication network (network architecture), secure area boundary (access control and intrusion prevention), secure computing environment (access control and intrusion prevention) and security management center (centralized control).

Figure note: Compliance mapping of the Shanshi Netke cloud security solution

The Shanshi Netke cloud computing security solution takes cloud security products such as Shanshi Cloud·Border, Shanshi Cloud·Grid, Shanshi Cloud·Collection, the virtualized web application firewall, virtualized log audit and virtualized database audit as its core. Aimed at both cloud service providers and cloud customers, it provides solutions for cloud platform, tenant, micro-isolation, cloud database, cloud security management and other cloud computing application scenarios, to fully meet the needs of future cloud computing security compliance.
