Abstract: Unified network management across a multi-account cloud environment is the necessary path to network security protection for large enterprises with many branches. Whether a foreign company enters China, a domestic enterprise goes overseas, or a local group scales up, unified network security control and overall security situational awareness on the cloud bring every corporate account up to the same security level, leaving no blind spots in protection.

Introduction

When medium and large enterprises move to the cloud, they usually set up a multi-account structure along business lines, projects, usage scenarios, and production versus test environments. Compared with a single-account structure, the default isolation of cloud resources between accounts makes independent cost settlement and operations management easier for different products or branches, and reduces the risk created by overly broad RAM (Resource Access Management) permissions inside one account.

At the same time, it makes security management more complex than in a single-account structure:

  • Security posture analysis and asset inventory must cover multiple cloud accounts, and the statistics are time-consuming and labor-intensive;
  • The same security policy has to be configured repeatedly in every account, and operations staff fall into the trap of “repeated work”;
  • Vulnerability exploitation, intrusions, data loss and other anomalies can affect several accounts at once, and emergency response becomes rushed;
  • Across multiple business accounts, north-south and east-west traffic lacks a unified view, and log analysis lacks global correlation.

So, given different business needs and organizational structures, how does Cloud Firewall achieve unified security management of multiple accounts on Alibaba Cloud? Read on for the three “mind methods” in this secret manual.

Cloud Firewall “mind method” one: concentrate your forces and fight a war of annihilation

No matter how many business lines there are, protection needs a “God’s-eye view”

Large and medium-sized enterprises on the cloud run many kinds of business, forming anywhere from tens to thousands of business sub-accounts. Enterprise security staff have to protect thousands to hundreds of thousands of assets, and the pressure on security operations is high. Under a traditional network defense architecture, firewall management authority belongs to the individual business departments and each business account is managed on its own. Without a unified view, passive intrusion detection cannot escape the embarrassment of acting “too late to remedy”.

  • Internet ingress and egress management: Internet entry and exit points are scattered across accounts, and inbound and outbound traffic is mixed with large volumes of attack traffic. Attacks against EIPs are highly concurrent, and because the accounts have different owners, protection is fragmented.
  • IP blocking: high-intensity adversarial scenarios test the enterprise’s defense strategy and place strict requirements on IP blocking policy, the blacklist mechanism, and real-time discovery of active outbound connections from compromised hosts.
  • Worm management: once a highly infectious worm breaks out, cloud defense must provide unified control across the whole organization and immediate containment;
  • Vulnerability remediation: across the organizational hierarchy, awareness of high- and medium-risk vulnerabilities, the means of remediation, and the understanding of vulnerability defense all need to improve;
  • High false-positive rate: without learning the association relationships between accounts, a traditional firewall struggles to distinguish high-frequency normal access from an affiliated account from brute-force attempts, so intrusion detection produces many false positives.

Figure: intrusion protection across thousands of accounts is “too late to remedy” vs. a unified intrusion protection architecture for multiple business accounts

Automatic security management of public network assets by Cloud Firewall

Through the cross-account unified Internet border asset management capability of Aliyun · Cloud Firewall, users can manage the EIP assets of every account from a single console, covering ECS, SLB and NAT resources. When a new public-facing asset appears in a managed account, it is automatically brought under the cloud firewall, so no asset is omitted and there is no gap in network defense.

Eliminate protection blind spots between business lines

For exposed public network assets with protection turned on, all IPS rules take effect immediately; the check worth making after onboarding a new account is that every discovered EIP actually shows protection as enabled, since discovery alone does not block anything. Unified security defense of the Internet border across multiple accounts makes it possible to raise a single alert for an external malicious intrusion and intercept it in a coordinated way across every business quadrant, reducing network security incidents caused by gaps in control.

  • One-click convergence of the exposed surface: by stripping the noise of complex business traffic and relying on deep packet parsing and machine learning over massive historical logs, the exposed surface of the border is converged with one click, and the attack level drops by 90%;
  • Collaborative defense with big data: relying on graph-computing-based intelligence correlation and self-growth, tens of millions of high-quality, accurate threat-intelligence hits on average are intercepted in real time every day, jointly building a dynamic network security boundary for multi-account enterprises; in attack-and-defense drills and worm-propagation scenarios, the global cloud network view gives the earliest possible visibility and defensibility;
  • Virtual patching: cross-account virtual patching against remote code execution (RCE) vulnerabilities for customers on the cloud, backed by the emergency response capability. A virtual patch mitigates exploitation at the network layer; it buys time but does not replace applying the vendor fix to the vulnerable software.
  • Whitelist policy to reduce false positives: by learning the traffic of association relationships between accounts, higher-confidence whitelist policies are formed between corporate accounts, so that legitimate mutual access between corporate accounts no longer triggers false positives.
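The two bullets above (the false-positive problem in the first list and the association-based whitelist here) describe one mechanism: learn which affiliated source addresses habitually reach which targets, and suppress brute-force alerts only for those learned tuples. The script below is an added illustration of that idea, written for this page; it is not Cloud Firewall’s own code and does not use any Alibaba Cloud API. The flow records, the EIP inventory, the thresholds (20 sessions, 5% failure ratio, 10 failures in 60 seconds) and the names `Flow`, `learn_whitelist` and `detect_bruteforce` are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical flow record, loosely modelled on a firewall/auth log line (constructed).
@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds
    src_ip: str
    dst_ip: str
    dst_port: int
    result: str    # "ok" = session/auth succeeded, "fail" = rejected

# Constructed inventory: public IPs that belong to the enterprise's own managed accounts.
# Only sources in this map are eligible for the learned cross-account whitelist.
ENTERPRISE_EIPS = {
    "203.0.113.10": "acct-prod",   # production jump host
    "203.0.113.20": "acct-test",   # test account's CI runner
}

def learn_whitelist(history, min_sessions=20, max_fail_ratio=0.05):
    """Learn high-confidence (src_ip, dst_ip, dst_port) tuples from historical
    flows between enterprise-owned addresses: enough sessions and almost no failures."""
    stats = defaultdict(lambda: [0, 0])        # tuple -> [ok_count, fail_count]
    for f in history:
        if f.src_ip not in ENTERPRISE_EIPS:    # never whitelist an unknown source
            continue
        key = (f.src_ip, f.dst_ip, f.dst_port)
        stats[key][0 if f.result == "ok" else 1] += 1
    whitelist = set()
    for key, (ok, fail) in stats.items():
        total = ok + fail
        if total >= min_sessions and fail / total <= max_fail_ratio:
            whitelist.add(key)
    return whitelist

def detect_bruteforce(flows, whitelist, window=60, threshold=10):
    """Sliding-window count of failed attempts per (src, dst, port).
    Returns (key, first_ts, last_ts) for each key that reaches the threshold
    and is not covered by the learned whitelist."""
    failures = defaultdict(list)
    for f in sorted(flows, key=lambda x: x.ts):
        if f.result == "fail":
            failures[(f.src_ip, f.dst_ip, f.dst_port)].append(f.ts)
    alerts = []
    for key, times in failures.items():
        if key in whitelist:
            continue                            # affiliated high-frequency access: suppressed
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((key, times[start], times[end]))
                break
    return alerts

# Constructed history: 30 successful + 1 failed SSH session from the test account to prod.
HISTORY = (
    [Flow(1000 + i, "203.0.113.20", "203.0.113.10", 22, "ok") for i in range(30)]
    + [Flow(1100, "203.0.113.20", "203.0.113.10", 22, "fail")]
)

# Constructed recent traffic: the test account bursts 15 failures (e.g. a rotated key),
# an external host bursts 12 failures, another external host only 5.
RECENT = (
    [Flow(2000 + 2 * i, "203.0.113.20", "203.0.113.10", 22, "fail") for i in range(15)]
    + [Flow(2000 + 2 * i, "198.51.100.7", "203.0.113.10", 22, "fail") for i in range(12)]
    + [Flow(2000 + 2 * i, "198.51.100.8", "203.0.113.10", 22, "fail") for i in range(5)]
)

def run_demo():
    whitelist = learn_whitelist(HISTORY)
    return whitelist, detect_bruteforce(RECENT, whitelist)

if __name__ == "__main__":
    wl, alerts = run_demo()
    print("learned whitelist:", wl)
    print("alerts:", alerts)
```

Run as is, the external host 198.51.100.7 produces the only alert; the same burst from the affiliated test account is suppressed because its tuple was learned from success-dominated history. The caveat a practitioner should keep in mind is the flip side of that suppression: if an affiliated host is compromised, its learned tuple hides the attacker too, so whitelist entries should expire and be re-learned, and a whitelisted source that suddenly fails at this rate still deserves a lower-severity signal rather than silence.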

Cloud Firewall “mind method” two: seize the initiative, avoid passivity

Manage across business environments: configure security policy once

Service and resource isolation is an important means of reducing inter-system dependencies and containing the spread of failures. Businesses on the cloud usually isolate resources at the network level by placing them in different VPCs. Under a hybrid cloud architecture, a cloud account also has to support more complex isolation and cross-access scenarios for different business branches or environment types, such as between IDC and VPC, over VPN, or over leased lines. Complex isolated-access requirements lead to correspondingly complex security policy configurations.

  • Duplicate work: firewalls are built under different accounts and access-control ACLs are configured region by region, so the same policy has to be configured several times;
  • Policy conflict: without unified control of policies across account environments, access-control policies easily end up contradicting each other;
  • Business blocked: security control policies are hard to keep in sync between the different business lines and environments of one enterprise, and in serious cases business is affected (for example, intrusion blocking is not enabled in the test environment, so blocking rules that were never exercised there go live in production, conflict with business traffic, and block normal flows).
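The three problems in the list above (repeated rules, contradictory rules, and rules whose effect differs between environments) are exactly what a policy audit should surface before ACLs from several accounts are lifted into one global policy. The script below is an added example written for this page, not Cloud Firewall’s own code and not an export format of any Alibaba Cloud API; `AclRule`, the field names, the rule names `P0`…`D1` and the sample CIDRs are constructed assumptions. It checks three things over a combined rule set: identical rules repeated in several accounts, identical matches with different actions across accounts, and rules that can never fire because an earlier rule in the same account already covers them.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical ACL rule, abstracted from what an access-control policy export would carry.
@dataclass(frozen=True)
class AclRule:
    account: str
    name: str
    src: str      # CIDR
    dst: str      # CIDR
    proto: str    # "TCP", "UDP" or "ANY"
    ports: str    # "22" or "1-65535"
    action: str   # "accept" or "drop"
    order: int    # evaluation position inside its own account (lower first)

def port_range(spec):
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))

def match_key(r):
    """Canonical form of what the rule matches, so textual variants compare equal."""
    return (str(ipaddress.ip_network(r.src, strict=False)),
            str(ipaddress.ip_network(r.dst, strict=False)),
            r.proto.upper(), port_range(r.ports))

def find_duplicates(rules):
    """Identical match + identical action present in two or more accounts:
    the 'repeated work' that one global policy would replace."""
    seen = defaultdict(set)
    for r in rules:
        seen[(match_key(r), r.action)].add(r.account)
    return {k: accts for k, accts in seen.items() if len(accts) > 1}

def find_conflicts(rules):
    """Identical match but different actions across accounts: needs a human decision
    before the rule can be lifted into a single cross-account policy."""
    actions = defaultdict(lambda: defaultdict(set))
    for r in rules:
        actions[match_key(r)][r.action].add(r.account)
    return {k: dict(a) for k, a in actions.items() if len(a) > 1}

def covers(outer, inner):
    """True if `outer` matches every packet `inner` matches."""
    o_src, o_dst, o_proto, o_ports = match_key(outer)
    i_src, i_dst, i_proto, i_ports = match_key(inner)
    return (ipaddress.ip_network(i_src).subnet_of(ipaddress.ip_network(o_src))
            and ipaddress.ip_network(i_dst).subnet_of(ipaddress.ip_network(o_dst))
            and (o_proto == "ANY" or o_proto == i_proto)
            and o_ports[0] <= i_ports[0] and i_ports[1] <= o_ports[1])

def find_shadowed(rules):
    """Rules that can never fire because an earlier rule in the same account
    already covers everything they match."""
    by_account = defaultdict(list)
    for r in rules:
        by_account[r.account].append(r)
    shadowed = []
    for acct_rules in by_account.values():
        ordered = sorted(acct_rules, key=lambda r: r.order)
        for i, r in enumerate(ordered):
            if any(covers(e, r) for e in ordered[:i]):
                shadowed.append(r.name)
    return shadowed

# Constructed policy export from three accounts of one enterprise.
RULES = [
    AclRule("acct-prod", "P0", "203.0.113.20/32", "10.1.0.0/16", "TCP", "22", "accept", 0),
    AclRule("acct-prod", "P1", "0.0.0.0/0",       "10.1.0.0/16", "TCP", "22", "drop",   1),
    AclRule("acct-test", "T0", "203.0.113.20/32", "10.1.0.0/16", "tcp", "22", "accept", 0),
    AclRule("acct-test", "T1", "0.0.0.0/0",       "10.1.0.0/16", "TCP", "22", "drop",   1),
    AclRule("acct-dev",  "D0", "0.0.0.0/0",       "10.1.0.0/16", "TCP", "22", "accept", 0),  # dev left SSH open
    AclRule("acct-dev",  "D1", "198.51.100.0/24", "10.1.0.0/16", "TCP", "22", "drop",   1),  # never evaluated
]

if __name__ == "__main__":
    print("duplicates:", find_duplicates(RULES))
    print("conflicts:", find_conflicts(RULES))
    print("shadowed:", find_shadowed(RULES))
```

On the constructed input the two prod rules are found again verbatim in the test account (two duplicates to collapse into one global rule), the catch-all SSH rule is `drop` in prod and test but `accept` in dev (one conflict to resolve before merging), and dev’s later `drop` for 198.51.100.0/24 is shadowed by that `accept` and never evaluated. Ordering matters once rules are merged: the global list must preserve the specific-before-general order each account relied on, which is why the shadow check is run per account before anything is combined.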

Figure: the bustle of multi-environment security configuration vs. stewardship of policy configuration across business lines and development/test/production environments

Policy management becomes more efficient

By integrating with CEN (Cloud Enterprise Network), Aliyun · Cloud Firewall provides unified policy control for cross-account and cross-VPC traffic. Through one policy configuration platform, enterprises manage access-control policies between different accounts and VPCs in one place. Beyond VPC-to-VPC traffic, the same applies to hybrid cloud scenarios such as leased lines and CCN (Cloud Connect Network): one policy is applied globally, and the time to roll out a single policy drops from days to seconds. This avoids the extra workload and risk of configuring the same policy many times and helps enterprises achieve genuinely unified control.

Cloud Firewall “mind method” three: observe carefully and command decisively

Unified security reporting and settlement across multiple branches

Organizational structure shapes the cloud account structure to a large degree, whether the enterprise runs as a group with subsidiaries or as a multi-branch operation. The biggest problem for an enterprise security department is unified security awareness across every business operating environment, and network security is one of the most important things to analyze there. The questions are concrete:

  • how many ports in total the enterprise exposes on the Internet side;
  • how many isolated domains are currently running;
  • whether the planned north-south and east-west isolation policies are taking effect as intended;
  • how many network intrusion events happen each day;
  • whether full logs are being recorded as planned, so that audit requirements are met;
  • whether abnormal traffic is occurring;
  • whether the call relationships between business systems are reasonable.

These network security operations questions are still manageable within a single account, but once they are spread over many cloud accounts they become a nightmare for managers. Unifying traffic data, network logs and attack analysis is almost an “impossible task” for day-to-day security operations.

Figure: multiple branches achieve unified report analysis and settlement through account management

Centralized traffic analysis and report statistics

By centralizing data statistics, network security operations staff only need to focus on a single unified data platform, with real-time control of the enterprise’s whole-network security situation: asset exposure, policy configuration and its effect, intrusion prevention data and log data are collected automatically from the different account environments, meeting compliance requirements such as MLPS 2.0 (等保 2.0). On that basis, unified analysis makes the report statistics more accurate and complete, and provides a better data foundation for subsequent optimization work.

Customer voice

“The centralized control capability of the cloud firewall helps us unify multiple business accounts and third-party test accounts on the cloud and achieve protection visualization in a single console. This greatly simplifies daily network policy operation and maintenance, improves the efficiency and quality of unified network traffic analysis, meets our enterprise’s needs for centralized network security management very well, and paves the way for more refined network policy control in the future.” — Head of information security at a large financial enterprise


This article is original content from Alibaba Cloud and may not be reproduced without permission.