Abstract: If we compare cloud security to an “iceberg”, we should not only pay attention to the “security services and features” visible above the waterline, but also to the many layers of basic security construction beneath it.

This article is shared from the Huawei Cloud community article “An in-depth look at the native iceberg security system: how Huawei Cloud security services build full-stack security”; original author: Huawei Cloud community selection.

In recent years, with the rapid development of global cyberspace, high-risk vulnerabilities, large-volume DDoS attacks and data breaches have occurred frequently. In a rapidly changing threat landscape, it is no longer enough to simply patch vulnerabilities or defend against known ones; new threats keep emerging. In the process of digital transformation and cloud migration, enterprise customers need to build a security system systematically in order to meet these new challenges.

If cloud security is an “iceberg”, cloud security services and their security features are the visible part of it. The 90 percent of security capability below the waterline is often unknown, yet it is this hidden part that carries the security of the entire public cloud.

Huawei Cloud builds its native iceberg security system on four major capabilities: independently developed security services, comprehensive global security certifications, global security capabilities, and full-lifecycle data security management. These help enterprises resist network attacks, free them from complex and specialized security work, and give them quick and easy access to inclusive, compliant and efficient security services. (See “Accumulate Thinly, Huawei Cloud Constructs the Native Iceberg Security System, Protects Cloud Security” for details.)

Huawei Cloud security services: a full analysis

Building on more than 20 years of security accumulation, Huawei Cloud has independently developed over 20 types of cloud security services, which is one of the most important capabilities of the Huawei Cloud iceberg security system. Through these services, Huawei shares its security capabilities with users and helps them develop their business efficiently and steadily.

Huawei Cloud security services cover “protecting cloud workloads, protecting application services, protecting data assets, managing security posture, and business compliance on the cloud”. Across the computing layer, the network layer, the data layer and the security management layer, Huawei Cloud has accumulated cloud security experience of different dimensions, formed a coordinated cloud security service system, provided best practices for users, and built full-stack security.

To make this more concrete, we take a typical e-commerce scenario as an example and look in detail at how these five kinds of security service protect the enterprise.

Securing cloud workloads

At the heart of how computers and networks operate is data, and data lives on hosts: personal computers, servers and large disk arrays. For an enterprise, the host is not only the underlying platform that carries the business and internal operations of the company, but also the core that carries the enterprise’s data and services. Its stable and secure operation is the precondition for the normal operation of the company.

For example, during an e-commerce promotion, the order information of tens of thousands of users is stored on servers. Without a host security system, attackers can use password cracking, social engineering or vulnerability exploitation to break into server databases and gain access to large amounts of data assets. While the e-commerce platform is under attack, business is interrupted, large numbers of malicious files occupy system resources, and the servers cannot operate normally, affecting users’ browsing and ordering.

Host security basics for the new era: preventing brute-force cracking, finding cryptomining Trojans, and closing backdoors and vulnerabilities are all indispensable, and none of them can be left out. Huawei Cloud Enterprise Host Security (HSS), acting as the server’s personal security steward, provides virus and Trojan removal, one-click vulnerability repair, intrusion detection, anti-ransomware and other security protections. Its flagship edition and web tamper protection edition add reverse shell detection, high-risk command execution detection, auto-start detection and other capabilities to prevent web pages from being tampered with, effectively counter advanced threats such as APT attacks, and provide all-round protection for cloud enterprises.

Many enterprises deploy their business across multiple cloud platforms, first to enjoy the advantages of products and services from different cloud vendors, and second to diversify and reduce the risk to their business systems. However, multi-cloud deployment also brings with it the difficulty of host security management. Mogujie makes you more beautiful, and Huawei Cloud makes Mogujie more secure: Mogujie achieved unified security protection and management of hosts across multiple cloud platforms through Huawei Cloud HSS, increasing security management efficiency three times over. At the same time, the rich security experience of the Mogujie security team, combined with the powerful intrusion detection capability of Huawei Cloud HSS, has raised Mogujie’s level of security protection.

In addition to protecting against external threats, IT operations and maintenance (O&M) security issues, such as the enterprise’s identities, permissions and assets, also deserve close attention. A survey shows that more than half of enterprise network security incidents are caused not by external attacks but by internal security failures and non-compliant O&M operations.

Bastion hosts meet the dual requirements of internal demand for secure enterprise O&M and legal compliance, and have become a security product every enterprise needs. Huawei Cloud Bastion Host requires no installation or deployment and provides one-stop O&M and security management, reducing enterprise O&M costs; it records all operations and logs in real time and provides real-time monitoring, session recording and playback and other functions to facilitate post-event audit and forensics; and the product itself is secure and compliant. These three characteristics make the cloud bastion host an essential, best-selling security O&M product for enterprises.

Protecting application services

The critical business of many enterprises depends on web applications, and 75% of attacks on the Internet are concentrated at the application layer. Taking e-commerce as an example, flash-sale activity pages are often launched during the 618 and Double 11 shopping festivals. Some attackers use proxy servers to generate seemingly legitimate requests to the victim host, sending a large number of access requests to the web server so that normal users can no longer access it. The result is an unreachable 404 page as soon as the flash sale starts.

Web pages tampered with, visitors phished, activities taken down… all of this happens because web application protection is not in place.

For web application protection, a web application firewall (WAF) can be used to detect and block common web attacks. It helps users deal with security problems such as website intrusion, vulnerability exploitation, web page tampering, backdoor implantation, CC (HTTP flood) attacks and so on, and safeguards the secure operation of enterprise web business.

Taking Huawei Cloud’s Web Application Firewall as an example, it first analyzes web attack behavior, sets dynamic protection for specific business scenarios, and turns on intelligent CC defense as early as possible. In the course of continuous confrontation, flexible custom policy configuration allows the attack strategies of cybercrime groups to be identified and resisted. At the same time, it helps customers clarify their business logic and provides a basis for business adjustment and optimization. The comic “Be careful! The website is under web attack! Beware of data leakage and web page tampering!” vividly shows how Huawei Cloud Web Application Firewall helps users deal with website intrusion, vulnerability exploitation, web page tampering, backdoor implantation, CC attacks and other security problems, safeguarding the secure operation of enterprise web business.

In addition, e-commerce platforms are often hit by malicious attacks in which competitors or hackers use large numbers of “controlled hosts”, making the platform’s website inaccessible and causing business interruption, economic losses and loss of customers. A massive cyber attack can come at any time; what if you are hit? Huawei Cloud Advanced Anti-DDoS service helps you solve this easily. Beyond these safeguards against external attacks, enterprises also need vulnerability scanning to automatically discover the security risks of websites and servers on the network, providing multi-dimensional security detection for cloud businesses and leaving vulnerabilities no place to hide.

As we all know, data is an enterprise’s core information, and the key location where data is stored is still the database. The current situation, however, is that in the many interconnected enterprise environments, databases generally lack effective security protection. Criminals steal information through database dumping, data laundering and credential stuffing attacks.

We know that the data of e-commerce enterprises contains not only commodity information but also large amounts of privacy-related data on registered users, user behavior and so on. Private data needs to be stored and distributed, but must not be left “exposed”.

How do we protect the data gold mine? Data in the cloud can be kept private through key technology, new algorithms, encryption algorithms and authentication methods, while strengthening the protection of the data itself. Encrypting data in the transmission, storage and processing stages and using cloud technology to process information conceals the information and protects user data security.

To guarantee the security of databases on the cloud, we can carry out sensitive data monitoring, data masking, database auditing and anti-injection protection based on a reverse proxy and machine learning mechanisms. The details can be found in the Database Security Service (DBSS).

If you are worried about data leakage, the Data Encryption Workshop (DEW) offers a quick solution by providing dedicated encryption, key management and key pair management, sparing you the worry of data leakage.

Not only that: in today’s flood of phishing websites, enterprises also need to prevent their websites from being counterfeited and tampered with, which leads to users’ information being stolen and causes them economic losses.

Managing security posture

In enterprises’ daily security O&M work, a variety of security products produce large numbers of threat alerts every day, and a great deal of manpower is required to separate real threats from false alarms manually. Over time, a “cry wolf” effect sets in. How to really know who is attacking you, what the overall attack situation is, and even to predict the attacker’s likely next move from the information at hand has become the key task of enterprise security protection.

Situational awareness means acquiring, understanding and predicting the future trend of all the security elements that can change the security situation of a system on the user’s cloud, and presenting them through visualization technology to support decisions on protective actions. It has four core points: perception, understanding, prediction, and presentation with decision-making.

Worried about unknown risks and wrong decisions? “Situational awareness takes the dark out of security operations!” Based on big-data security analysis, situational awareness aggregates and correlates multi-dimensional information on assets, logs, alarms and more in the cloud, ending the old dilemma of O&M staff being overwhelmed by massive data and ultimately reducing the time it takes to proactively discover security threats. Moreover, the visual situational awareness dashboard, like a combat command center, presents the level of network security protection and its shortcomings from a global perspective, which provides important guidance for management in measuring the value of security investment and making decisions.

Based on situational awareness, e-commerce enterprises can clearly understand where attacks on the cloud come from, how to prevent them, and what the security situation of their assets is, letting enterprises easily perceive the present and predict the future.

In addition to situational awareness, Huawei Cloud Threat Detection Service (MTD), the “stethoscope” for risk in the cloud, continuously monitors malicious activity and unauthorized behavior, complementing the detection capabilities of other services. It identifies risks at the first opportunity and avoids security incidents caused by potential threats, helping enterprises improve security operations efficiency and ensure business continuity.

Business compliance on the cloud

Of course, in addition to safeguarding network security and business security, for e-commerce enterprises the best protection is institutional protection. As early as June 2017, the Cybersecurity Law of the People’s Republic of China came into force, and the classified protection system became the basic system of national cybersecurity. In 2019, Classified Protection 2.0 put forward new technical and management requirements, emphasizing “one center, triple protection”; enterprises need to be more comprehensive in building their security protection systems and in risk assessment and management.

To this end, Huawei Cloud provides customers with a Classified Protection (DJC) solution to help enterprises improve their security protection capabilities and meet classified protection compliance requirements. Passing classified protection is not that hard; what matters is getting the right help! Before serving customers, all major regions of Huawei Cloud passed level-3 classified protection, and some large regions and nodes with high security requirements passed level 4, laying the foundation for users to pass smoothly and with high scores. To make things even more worry-free, Huawei Cloud has deployed security protection products that meet 100% of the requirements.

Combining Huawei’s 30 years of security experience, Huawei Cloud launched the Managed Detection and Response (MDR) service, which, in the form of a cloud service, establishes for customers a security risk control system composed of management, technology and operations. Combined with the security needs of enterprises and institutions, and with feedback and continuous improvement, it provides effective prevention and control for users’ security protection, helping enterprises and institutions monitor security risks and security incidents effectively, take effective measures in time, continuously reduce security risks and eliminate the losses caused by security incidents.

To help enterprises do a better job of security protection and open up the cloud security model, Huawei Cloud focused on application security protection on the security day of the Huawei TechWave Global Technology Summit and released four new security products: the Security Intelligent Analysis Platform (ISAP), Threat Detection (MTD), the Application Trust Center (ATC) and the Security Operations Center (SOC), adding new weapons to enterprises’ cloud security protection.

The cloud native era: ubiquitous cloud native security

With the maturity of cloud native technology and rising market demand, the development of cloud computing has entered a new stage: the era of Cloud Native 2.0. More and more businesses and individuals are choosing cloud native technologies to build their businesses. While enjoying the dividends of cloud native, enterprises also have higher demands for security protection, because they need security services better aligned with the development of cloud native business.

Containers are one of the representative technologies of cloud native, and every enterprise should understand container security. “In the Cloud Native 2.0 era, enterprises should understand container security” compares containers with virtual machines and introduces the more portable and efficient characteristics of containers. Huawei Cloud Container Security Service (CGS) builds a container security threat defense system in depth, providing a complete set of container security capabilities including image scanning, threat detection and threat protection, covering the container Build, Ship and Run lifecycle and penetrating the entire container DevOps process to ensure the security of the container environment from development to production. At the 2020 Trusted Cloud Conference, after strict testing by ICT, all 49 security capabilities were verified, and Huawei Cloud container security services obtained the highest level of Trusted Cloud advanced certification.

Not only that: in terms of cloud native security, Huawei Cloud launched three products, the CFW cloud firewall, the DSC data security center service and the ATC application trust center.

At Huawei’s TechWave Cloud Native 2.0 feature day, to provide multi-scenario full-traffic protection for enterprise business and build the first line of defense for network security, Huawei Cloud CFW Cloud Firewall was officially released! As a new generation of cloud native firewall, Huawei Cloud CFW Cloud Firewall provides protection at the Internet boundary and the VPC boundary on the cloud, with the four characteristics of “minimalist, intelligent, visual and open”.

Traditional security protection is based on the network boundary, but with the rise of cloud computing and the mobile Internet, the traditional network boundary is gradually blurring, and a defense concept based on the network boundary has difficulty adapting to the needs of the cloud environment. The idea of “never trust, always verify”, building access control systems based on identity rather than network location, was born out of this.

Based on the concept of zero trust and relying on cloud native security capabilities, Huawei Cloud has innovated in key technologies such as network stealth and adaptive risk control, and has carried out extensive practice in scenarios such as security O&M and remote access to make applications more secure. Huawei Cloud Application Trust Center (ATC) is now officially in open beta. ATC is a security service built around the user’s applications: by constructing a panoramic topology of application security threats, it achieves fine-grained access control and meets customers’ demand for zero-trust access control.

In June 2021, the 29th session of the Standing Committee of the 13th National People’s Congress passed the “Data Security Law of the People’s Republic of China” (hereinafter the Data Security Law), which will take effect on September 1. Data is the gold mine of our times, and protecting data security is the core demand of enterprises. How can the security of the whole lifecycle of enterprise data assets be ensured while the enterprise undergoes cloud-based digital transformation?

Today, data security capabilities in the cloud are dispersed among services such as VPN, security groups and SSL certificates, and among the integrated encryption capabilities of ECS, RDS, OBS and so on. Data security is a pipeline, and overall security is composed of the security of each stage. In other words, if one stage is strong but another has no protection at all, it is useless for the overall data security posture. Lacking a unified view of the enterprise’s overall security capabilities, the enterprise needs a “bodyguard” for its data assets: the Data Security Center.

Following a private beta that began in September 2019, the cloud native Huawei Cloud Data Security Center service was officially launched at the end of 2020. The service provides basic data security capabilities such as data classification, data security risk identification, data watermarking and traceability, and data masking. By building a unified data security entry point around the whole lifecycle of data, it helps users achieve visual management of data security on the cloud. It also gives companies a full-lifecycle view of their data assets, so that customers know exactly where their data comes from, where it goes and whether there are security issues, ensuring the security of cloud data at every stage of generation, collection, transmission, storage, use, exchange and destruction. It truly helps enterprises achieve: with the Data Security Center at hand, data protection is within reach.

Conclusion

Security is a systematic project that requires continuous investment, continuous evolution and continuous improvement. The rapid development of emerging technologies also brings frequent unknown security threats. Huawei Cloud Security inherits Huawei’s more than 20 years of security capability accumulation, gradually builds and improves its cloud security service matrix, builds a full-stack security defense line, and helps customers move to the cloud efficiently and securely in the cloud native era.
