The author, Xiao Li, has worked in network security for nearly 20 years, has dealt with every kind of attack threat, and lived through the construction of on-premises security before the cloud. Ten years ago he moved to cloud computing security, where his team built the protection system of the Alibaba Cloud platform and helped customers across industries build enterprise security capabilities on the cloud. The emergence of cloud native has further deepened his understanding of and thinking about security: in the future it may no longer be called security at all, but a native "immune system" that lives in the cloud.

Author: Xiao Li (Alibaba Cloud) | Source: Alibaba Cloud technology official account

I have been engaged in network security for nearly 20 years. I have dealt with all kinds of attack threats and lived through the construction of on-premises security before the cloud.

Cloud computing security work started 10 years ago. We crossed the river by feeling for the stones, built the protection system of the Alibaba Cloud platform, and helped users in all industries build enterprise security capabilities on the cloud.

The emergence of cloud native has further deepened my understanding and thinking about security. In the future we may not call it security anymore, but a set of native "immune systems" that live in the cloud.

Twenty years off the cloud: bolt-on security

From 2000 to 2020, thousands of security companies were founded in China, offering hundreds of categories of security products. Their product brochures have always described the same experience: plug and play. But no add-on is seamless enough to avoid compatibility problems, and because interfaces are not uniform, a device advertised as plug and play often cannot even be fully deployed within a month.

The showy attacks most people remember, such as the "Panda Burning Incense" worm, are long out of date. Last year, with the global pandemic and remote work as the new normal, we observed highly sophisticated attacks. A few months ago the SolarWinds supply-chain APT attack compromised one of the world's top security companies. Alibaba Cloud successfully defended against a resource-exhaustion DDoS attack that set a new record for the largest it had ever observed. And in terms of corporate losses, recent ransomware attacks have demanded ransoms in the hundreds of millions.

Consider for a moment what this situation means for the security of enterprise digital assets.

The cloud directly changes this security status quo.

In January the IncaseFormat worm broke out. It spreads mainly through USB drives, a propagation path that simply does not exist for cloud instances, so the cloud was naturally immune by default: cloud users were untouched by a security event that attracted wide public attention. The immunity is to the propagation path rather than to the malware itself; an infected workstation that holds cloud credentials remains a risk.

Cloud-native workloads come with image and disk snapshots. If ransomware encrypts the data, users can restore from a snapshot and recover quickly instead of paying a ransom, provided the snapshots themselves are kept out of reach of the compromised credentials.

I summarise the direction of cloud-native security, from the two angles of technology and concept, in two keywords: built-in and front-loaded.

  • Built-in: single-point protections are broken down and reassembled into the infrastructure itself.
  • Front-loaded: security is considered at a higher level from the start, establishing both a trust and a suspicion.

Native security technology: an immune system integrated into the infrastructure

Alibaba Cloud has practised its own security for a long time, and whether one takes the broad or the narrow definition of cloud native, several future technology trends have become increasingly clear.

1. Security becomes a shared resource, called on demand

Most enterprises have very limited security resources, and they face a paradox: capacity must be sized for peak traffic, yet for most of the year that reserved capacity goes unused.

Take Alibaba's own business: Singles' Day is unquestionably a traffic peak, and the business year consists of one big peak, several smaller peaks and troughs in between, with a very large gap between peak and trough. Security should not have to keep a large stockpile of "rations" permanently on standby.

Security capabilities delivered as a service (SaaS) is a trend the industry has long looked forward to: can security be called on demand?

I often gave an example last year. During the pandemic, capacity was expanded by 20,000 servers every hour, and security coverage kept pace at the same hourly rate. For a comparable enterprise in an on-premises scenario, each device has to be racked, tuned and inserted in series into the traffic path before it can block anything, which takes at least a month.

In the cloud, a business system only needs to complete its onboarding to go online, and security protection follows automatically.

2. The infrastructure comes with detection and protection built in

Security capabilities are built directly into the infrastructure nodes. When traffic passes through nodes such as SLB load balancers or CDN edge computing, security detection is completed right there, on the same bandwidth and at the same service speed as if there were no protection at all.

Security-capable nodes spread throughout the infrastructure give a "God's-eye view" of risk. A threat detected at a single point is acted on across the whole network within seconds, which speeds up risk response and handling for the entire IT environment. Over the past few years, Alibaba Cloud's offensive and defensive capability has consistently ranked first in customers' major-event protection and large-scale attack-and-defence exercises. Part of that advantage comes from its own technology reserves, but more of it comes from cloud-wide threat detection and coordinated response.
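The mechanism described above, a single node detecting a threat and every other node acting on it within seconds, as an added example that is not Alibaba Cloud's code and does not describe its real detectors. It assumes a simplified shared blocklist (`ThreatBus`) in place of the platform's threat-sharing channel, a sliding-window request-rate check as the detection logic, illustrative thresholds, and constructed traffic in which an abusive source floods one node and then moves to a second node that has never seen it before.

```python
from collections import Counter, defaultdict, deque


class ThreatBus:
    """Cloud-wide blocklist shared by every security-capable node.

    Assumed, simplified stand-in for the platform's real threat-sharing
    channel: one node publishes an indicator and every node sees it at once.
    """

    def __init__(self):
        self.blocked = {}  # source IP -> time at which the block expires

    def publish(self, ip, now, ttl):
        self.blocked[ip] = max(self.blocked.get(ip, 0.0), now + ttl)

    def is_blocked(self, ip, now):
        expires = self.blocked.get(ip)
        return expires is not None and now < expires


class EdgeNode:
    """A node (SLB, CDN edge, ...) that inspects traffic as it passes.

    Detection here is a sliding-window request-rate check per source IP;
    the numbers are illustrative, not any platform's real thresholds.
    """

    def __init__(self, name, bus, window=10.0, threshold=20, ttl=300.0):
        self.name = name
        self.bus = bus
        self.window = window        # seconds of history kept per source
        self.threshold = threshold  # requests per window before we flag
        self.ttl = ttl              # how long a published block lasts
        self.hits = defaultdict(deque)

    def handle(self, now, ip, path):
        # Consult the shared view first: a source flagged anywhere in the
        # network is dropped here without any local evidence.
        if self.bus.is_blocked(ip, now):
            return "blocked"
        window = self.hits[ip]
        window.append(now)
        while window and window[0] <= now - self.window:
            window.popleft()
        if len(window) > self.threshold:
            self.bus.publish(ip, now, self.ttl)  # single point -> whole network
            return "detected"
        return "served"


def build_sample_traffic():
    """Constructed traffic as (time, node, source_ip, path) tuples."""
    traffic = []
    # A benign client touches both nodes a few times.
    for i in range(3):
        traffic.append((0.5 + i, "slb-hz-1", "203.0.113.9", "/login"))
        traffic.append((1.0 + i, "cdn-sh-2", "203.0.113.9", "/static/app.js"))
    # An abusive client floods the first node ...
    for i in range(25):
        traffic.append((0.1 * (i + 1), "slb-hz-1", "198.51.100.7", "/login"))
    # ... and then moves on to a second node that has never seen it.
    for i in range(5):
        traffic.append((3.0 + 0.1 * i, "cdn-sh-2", "198.51.100.7", "/login"))
    return traffic


def replay(traffic):
    """Run the traffic through the nodes in time order; return verdict counts
    keyed by (node, source_ip, verdict)."""
    bus = ThreatBus()
    nodes = {name: EdgeNode(name, bus) for name in ("slb-hz-1", "cdn-sh-2")}
    verdicts = Counter()
    for now, node_name, ip, path in sorted(traffic):
        verdicts[(node_name, ip, nodes[node_name].handle(now, ip, path))] += 1
    return verdicts


if __name__ == "__main__":
    for key, count in sorted(replay(build_sample_traffic()).items()):
        print(key, count)
```

The second node, `cdn-sh-2`, sees only five requests from the abusive source, far below its own threshold, yet it blocks all five because the first node has already published the indicator. The benign client is served everywhere.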

3. Proactive repair of attacks, for defence the business does not feel

More than a decade ago, when we did security work, we relied on manual labour to make up for the system's shortcomings.

When a vulnerability appeared, dozens of applications had to be checked by hand, one by one. During the repair the business could not be taken offline and users must not notice anything, so the work behind the scenes was slow and painful. That forced slowness further lengthened the attack window and increased the business risk.

Today, vulnerability repair on Alibaba Cloud has become very simple. Once a vulnerability appears, the cloud automatically raises a shield (a virtual patch that blocks exploitation attempts before they reach the workload), and then continues to evolve and repair itself underneath.
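A virtual patch of the kind just described, as an added example that is not Alibaba Cloud's code and does not reproduce any real shield rule. The vulnerable handler is constructed for the example (a path-traversal bug in a hypothetical `template` parameter, left in deliberately), the stand-in file system is a dictionary, and the `VirtualPatch` filter enforces the contract the handler failed to enforce without touching the handler, so the business keeps running while the real fix (`fixed_handler`) is rolled out behind it. The filter decodes repeated percent-encoding before matching, since double encoding is a common way to slip `..` past a single-pass check.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed stand-in file system: the app's templates plus one file that
# must never be served.
TEMPLATE_ROOT = "/srv/app/templates/"
FILES = {
    TEMPLATE_ROOT + "welcome.html": "<h1>welcome</h1>",
    TEMPLATE_ROOT + "footer.html": "<p>footer</p>",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/sh",
}


def vulnerable_handler(params):
    """Constructed vulnerable handler: builds a file path from the untrusted
    'template' parameter with no validation (path traversal). The bug is
    left in on purpose so the shield can be shown working around it."""
    name = params.get("template", "welcome.html")
    path = posixpath.normpath(TEMPLATE_ROOT + name)
    if path in FILES:
        return 200, FILES[path]
    return 404, "not found"


def fixed_handler(params):
    """The same handler after the real code fix: only a bare file name that
    resolves inside the template directory is accepted."""
    name = params.get("template", "welcome.html")
    path = posixpath.normpath(TEMPLATE_ROOT + name)
    if "/" in name or not path.startswith(TEMPLATE_ROOT):
        return 400, "invalid template name"
    if path in FILES:
        return 200, FILES[path]
    return 404, "not found"


SAFE_TEMPLATE = re.compile(r"[A-Za-z0-9_-]+\.html")


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (%252e -> %2e -> .) before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


class VirtualPatch:
    """Request filter placed in front of a handler: the shield. It rejects
    any 'template' value that is not a plain .html file name and records
    the event for the SOC, without modifying the application code."""

    def __init__(self, handler):
        self.handler = handler
        self.events = []  # (rule_id, raw_value)

    def __call__(self, params):
        raw = params.get("template")
        if raw is not None and not SAFE_TEMPLATE.fullmatch(fully_decode(raw)):
            self.events.append(("VP-template-traversal", raw))
            return 403, "blocked by virtual patch"
        return self.handler(params)


def demo():
    """Return (unshielded exploit, shielded exploit, shielded double-encoded
    exploit, shielded benign request, number of shield events)."""
    exploit = {"template": "../../../etc/passwd"}
    double_encoded = {"template": "%252e%252e/%252e%252e/%252e%252e/etc/passwd"}
    benign = {"template": "footer.html"}
    shielded = VirtualPatch(vulnerable_handler)
    return (vulnerable_handler(exploit), shielded(exploit),
            shielded(double_encoded), shielded(benign), len(shielded.events))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Unshielded, the exploit request reads the forbidden file; behind the shield both the plain and the double-encoded variant get a 403 while the benign request is unchanged. The same `VirtualPatch` can stay in front of `fixed_handler` after the real fix ships, as defence in depth.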

We take on and solve many of the difficulties that would otherwise cause problems during IT construction. Security staff see a relatively simple, unified console, configure security policies in terms of business logic, and focus their energy on high-value work.

Native security concept: absolute trust and continuous suspicion

Modern business is far more complex than in the past. Simplicity is the best way to deal with complexity, and the concept of security needs to be simplified too.

Employee turnover and identity change N times faster than before. Data can be generated from any terminal, by any person, in any geographic location, and it may be stored in public clouds, private clouds or edge computing nodes. The computation, processing and exchange along the way form a complex, criss-crossing network.

Security seems beyond reach, which is exactly why an "immune system" matters so much. We look at security in all its dimensions and peel them away to see the logic underneath.

The life cycle of data on the cloud may pass through the brain and the heart of the IT system and out to its extremities, circulating through the enterprise like blood to keep the organs running. Information flow, rather than workflow, now drives the business. How do we keep the whole system secure?

1. The cloud is trust

The evolution of cloud-native security keeps lowering the cost of trust, making the infrastructure itself a more highly available, more secure, trusted computing environment.

Chip-level hardware trust

Chip-level security is the strongest level of security available in today's technology. The immutability of hardware is what makes it the foundation of the highest level of security.

In October last year Alibaba Cloud launched the industry's first trusted virtualization instance based on SGX 2.0 and TPM, the earliest landing of chip-level hardware security. The latest seventh-generation ECS instances are all equipped with a security chip as the hardware root of trust, enabling trusted boot of the server and ensuring that any tampering with the boot chain is detected. This means that, for the first time in a true sense, a secure and trusted environment can support big-data workloads.

Because users do not need to concern themselves with the hardware layer, any tampering anomaly is discovered immediately, so they can focus more on secure development and further reduce the amount of code they must write and trust.
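How a hardware root of trust lets tampering be "discovered immediately", as an added example that is not Alibaba Cloud's code and does not describe its ECS implementation. It models the TPM-style measured boot behind trusted boot: each stage hashes the next and extends a PCR, the final PCR is quoted to a verifier with a fresh nonce, and the verifier replays the event log against a known-good (golden) value. The boot components are constructed byte strings, and the quote is an HMAC with an assumed shared secret in place of the attestation key's asymmetric signature, so that the example runs on the standard library alone.

```python
import hashlib
import hmac

PCR_SIZE = 32  # a SHA-256 PCR bank


def extend(pcr, measurement):
    """TPM-style PCR extend: new = H(old || measurement). One-way and
    order-dependent, so the PCR commits to the whole boot sequence."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot(components):
    """Each boot stage measures the next before handing over control.
    Returns the final PCR and the event log of (stage, measurement_hex)."""
    pcr = bytes(PCR_SIZE)
    log = []
    for name, blob in components:
        measurement = hashlib.sha256(blob).digest()
        log.append((name, measurement.hex()))
        pcr = extend(pcr, measurement)
    return pcr, log


def replay_log(log):
    """Recompute the PCR from the event log; it must equal the quoted PCR."""
    pcr = bytes(PCR_SIZE)
    for _, measurement_hex in log:
        pcr = extend(pcr, bytes.fromhex(measurement_hex))
    return pcr


def quote(pcr, nonce, attestation_key):
    """Stand-in for a TPM quote. A real quote is signed with the attestation
    key's private half; HMAC over an assumed shared secret is used here only
    so the example needs nothing beyond the standard library."""
    return hmac.new(attestation_key, pcr + nonce, hashlib.sha256).digest()


def verify_attestation(quoted_pcr, quote_value, log, nonce, attestation_key, golden_pcr):
    """Verifier side: the quote must be genuine and fresh (nonce), the log
    must reproduce the quoted PCR, and the PCR must match the golden value."""
    if not hmac.compare_digest(quote_value, quote(quoted_pcr, nonce, attestation_key)):
        return "bad-quote"
    if replay_log(log) != quoted_pcr:
        return "log-mismatch"
    if quoted_pcr != golden_pcr:
        return "tampered"
    return "trusted"


def first_divergence(log, golden_log):
    """Name the first boot stage whose measurement differs from the golden log."""
    for (name, measurement), (_, golden_measurement) in zip(log, golden_log):
        if measurement != golden_measurement:
            return name
    return None


# Constructed boot chain; the byte strings stand in for real firmware images.
GOLDEN_COMPONENTS = [
    ("firmware", b"uefi-image-v1"),
    ("bootloader", b"bootloader-v1"),
    ("kernel", b"kernel-5.10-signed"),
]
ATTESTATION_KEY = b"assumed-attestation-key-secret"


def attest(components, nonce, golden_pcr, golden_log):
    """Boot with the given components, quote the result, verify it.
    Returns (verdict, first divergent stage or None)."""
    pcr, log = measure_boot(components)
    q = quote(pcr, nonce, ATTESTATION_KEY)
    verdict = verify_attestation(pcr, q, log, nonce, ATTESTATION_KEY, golden_pcr)
    return verdict, first_divergence(log, golden_log)


if __name__ == "__main__":
    golden_pcr, golden_log = measure_boot(GOLDEN_COMPONENTS)
    backdoored = [(n, b"bootloader-backdoored" if n == "bootloader" else b)
                  for n, b in GOLDEN_COMPONENTS]
    print(attest(GOLDEN_COMPONENTS, b"nonce-1", golden_pcr, golden_log))
    print(attest(backdoored, b"nonce-2", golden_pcr, golden_log))
```

A modified bootloader changes every PCR value after it, so the quote no longer matches the golden value and the event log points at the exact stage that changed; a replayed quote with a stale nonce and an edited log are rejected separately. The user never inspects the hardware; the verdict is what the platform surfaces.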

Data is transparently encrypted by default

Encryption is the most basic form of data protection and is not a new security concept.

On the cloud, encrypting data is a more natural process: native data is encrypted by default from the moment it is created. Data generated on the cloud can be encrypted automatically, data migrated to the cloud can be encrypted by default on the cloud disk, and key business-sensitive data can be encrypted at byte level.

The cloud infrastructure also offers public-key cryptography to add further locks on top of the encrypted data.

The cryptographic system can change keys automatically or on a custom schedule. That sounds trivial, but it actually relies on an infrastructure-level mechanism called "key rotation". The public cloud's master key rotates once a day by default, and a customer-managed key can have its rotation period customised from days to years. Rotation does not make a key impossible to crack; what it does is bound how much data any single key protects and how long a compromised key stays useful.
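What key rotation looks like underneath the "sounds trivial" feature, as an added example that is not Alibaba Cloud's KMS code and does not describe its API. It models envelope encryption: every object gets its own data key, the data key is wrapped by the current version of a master key, and rotating the master key creates a new version for new wraps while old versions are retained so existing objects still decrypt; an object can be moved to the new version by re-wrapping only its data key, without re-encrypting the bulk data. `KeyService`, the version numbering, and `seal`/`open_` are assumptions of this example; `seal`/`open_` are an HMAC-SHA256 counter-mode-plus-MAC stand-in for a real AEAD such as AES-GCM, used only so that the example runs on the standard library.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    blocks = (length + 31) // 32
    return b"".join(
        hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks))[:length]


def seal(key, plaintext, aad=b""):
    """Authenticated encryption stand-in (not a real AEAD): HMAC-SHA256 in
    counter mode for confidentiality, encrypt-then-MAC for integrity.
    Output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key, blob, aad=b""):
    """Verify the tag in constant time before decrypting; a wrong key, wrong
    AAD or modified ciphertext raises instead of returning garbage."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext or key rejected")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyService:
    """Assumed minimal model of a KMS master key with versions. rotate()
    creates a new version for new wraps; older versions are kept so that
    data keys wrapped under them can still be unwrapped."""

    def __init__(self):
        self.versions = {}  # version number -> master key material
        self.current = 0
        self.rotate()

    def rotate(self):
        self.current += 1
        self.versions[self.current] = secrets.token_bytes(32)
        return self.current

    def generate_data_key(self):
        data_key = secrets.token_bytes(32)
        wrapped = seal(self.versions[self.current], data_key, b"data-key")
        return data_key, (self.current, wrapped)

    def unwrap(self, version, wrapped):
        return open_(self.versions[version], wrapped, b"data-key")


def encrypt_object(kms, plaintext):
    """Envelope encryption: fresh data key per object, wrapped by the master
    key. Only the wrapped key and the ciphertext are stored."""
    data_key, wrapped = kms.generate_data_key()
    return {"wrapped_key": wrapped, "ciphertext": seal(data_key, plaintext, b"object")}


def decrypt_object(kms, obj):
    version, wrapped = obj["wrapped_key"]
    return open_(kms.unwrap(version, wrapped), obj["ciphertext"], b"object")


def rewrap_object(kms, obj):
    """After rotation, move an object to the current master version by
    re-wrapping its data key; the bulk ciphertext is left untouched."""
    version, wrapped = obj["wrapped_key"]
    data_key = kms.unwrap(version, wrapped)
    new_wrapped = seal(kms.versions[kms.current], data_key, b"data-key")
    return {"wrapped_key": (kms.current, new_wrapped), "ciphertext": obj["ciphertext"]}


if __name__ == "__main__":
    kms = KeyService()
    obj = encrypt_object(kms, b"customer record 42")
    kms.rotate()
    print(obj["wrapped_key"][0], decrypt_object(kms, obj))
    print(rewrap_object(kms, obj)["wrapped_key"][0])
```

Rotation is cheap precisely because of the key hierarchy: a master-key rotation re-wraps 32-byte data keys, not terabytes of ciphertext, which is why a daily default is feasible. The retained old versions are also why rotation alone does not revoke anything: an attacker who copied version 1 can still unwrap objects that have not been re-wrapped.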

2. Zero trust: constant doubt about dynamic factors

Data is always created by people. Every link in the enterprise is online, and anyone may be a data producer.

Whether employees are accessing the OA system, the approval system and traditional needs such as e-mail and video conferencing, or working in complex scenarios such as remote development, testing, operations and customer service, the chain runs from identity authentication through network access to dynamic permission management. The goal is to reach intranet resources securely over any network, to keep building, to keep doubting, and to monitor and verify the cloud environment dynamically.

When the cloud is the IT infrastructure and computing power becomes a utility like water, electricity and coal, what security means is self-evident. We also want to build the most secure cloud in the world, offering ever simpler choices amid growing complexity.

This article is original content from Alibaba Cloud and may not be reproduced without permission.