As a female editor who loves watching zombie movies, I have been teased for my taste by my colleagues at the Otaku channel.

Oh my god, I just love watching the zombies rise. It’s not like some of my colleagues, who queued up to grab a Uniqlo/KAWS T-shirt. This is the real zombie war, okay?

The cyber world’s own version of a zombie invasion is also interesting.

One kind is the surge that makes you grin from ear to ear: traffic increases, especially when the platform makes a big push and users rush in. This is known as a “human version” of DDoS. The other kind is a serious DDoS, where someone is out to get you. The game industry is the most common case: if a game goes viral and its security is lax, jealous competitors may send in attackers to launch a DDoS.

This zombie army blocks the “doorway” so that real users cannot use the service, or it repeatedly and pointlessly occupies the service entrance until the system is paralyzed. The scary thing is that hackers can now use a small amount of bandwidth to launch a massive DDoS attack, easily bringing down a system.

It is like our naive schoolyard days: a boy who was bullied might angrily tell the other kid, “Don’t leave after school,” and then round up a bunch of “brothers” to help.

Ordinary enterprises usually do not keep enough capacity in reserve to fight T-level large-traffic attacks, but they have found a way: on the public cloud, they call on “brothers” all over the world to fight large-traffic attacks together.

We call this move “going to the cloud”.

A new environment brings new security challenges. Many security companies have put forward their own solutions and products; all the paying customer has to do is work out its needs and spend money on security products and services, stringing together its own “weapons” like mutton on a skewer. That is one solution.

The alternative solution, proposed by public cloud security vendors, is this: since we provide the best cloud, we also provide the best cloud security products and services, the core of which is “cloud-native security capabilities.”

Know your enemy and know yourself

How are cloud-native security capabilities different? Take Ali Cloud, which holds the majority of the domestic public cloud market, as an example.

Since the emphasis is on “native”, the difference from the previous solution is, of course, “unified”: unified identity access, unified network security connection, unified host security and unified overall management.

Whether it is a general leading a war or a corporate defender facing an attacker, the most important strategy is to “know yourself and know your opponent.” Three of the cloud-native security capabilities are dedicated to knowing yourself.

First, know what you have, where your boundaries are, what your vulnerabilities are, and where you are being invaded.

A natural advantage of the cloud is its “network virtualization scheduling ability”. Enterprises can clearly see the north-south traffic of their hosts and manage their own boundary security in a unified way, including the external security boundary and the security boundaries between internal assets. Publicly exposed assets, exposed ports, and even attacks in progress are all clear at a glance.

Second, while the first capability looks from our own perspective, we also need to know the “big picture”.

The cloud has real-time, network-wide threat intelligence monitoring and analysis capabilities, which break the limitation of a single point of view and reveal “changes” in the overall environment. But that is not enough. Sending soldiers out to look and act at every whiff of trouble may work in a real war, but it does not work against cyber threats. Who knows which of the myriad threat alerts really deserve attention? Even if people could analyze them all, there are not that many people on call in real time, so an automated response that runs from threat detection to proactive defense is an urgent requirement.

Third, I need to know who my employees are and whether they are acting within the scope of their authority. But what should I do if the enterprise has too many internal business systems? As enterprises embrace the cloud and reap the benefits of SaaS services, cloud-based unified identity management and authentication becomes key.

Nearly 50% of enterprise security incidents are caused by employee account permissions. With cloud-based APIs and other native capabilities, enterprises can carry out unified authentication and authorization of identity permissions and grant different permissions to different people in a dynamic environment, so that anyone, at any time and anywhere, can access the right resources with the right permissions, safely and conveniently.

The essence of security is to ensure the continuous and smooth operation of services. If it can also improve service efficiency, it is like enjoying the value-added joy of buy one get two free.

The last three cloud-native security capabilities are for knowing your enemy.

The first rule is, “I know the attacker is always present and persistent, so I make myself more secure.” Pushing security down into the underlying hardware and a trusted environment is an option, but the dilemma remains: nobody has the money, and the cost is high. The security chip built into the cloud natively is different. The public cloud vendor opens the underlying hardware capability of the security chip to users and builds a trusted environment. It is very simple: users do not need to deploy it themselves, and the cost, “crowdfunded” through the public cloud, is much lower.

The second rule is, “I know an attacker will go after my most valuable data, and I know it wants it.” In the future, with increasingly high requirements for data security and user privacy protection, full-link data encryption is bound to be the biggest demand of enterprises on the cloud. With the encryption capability of the cloud-native operating system, the secret key is kept by the enterprise itself. Neither the cloud service provider, nor external attackers, nor internal employees can see the data without the secret key.

The third rule is, “I know that no matter what I do to prevent it, the attacker will come, so I want to stay one step ahead of prevention.” In the cloud and Internet model, frequent business changes and launches place higher demands on business process security. Only security at the source can eliminate hidden dangers. With the cloud’s native capabilities, security can be built into the whole process of design and development to ensure security once the business is online.

Hybrid cloud requirements

The problem is that moving an enterprise to the cloud is not an overnight “action” but a process with a relatively long time span. The larger the enterprise and the heavier its historical burden, the longer the move to the cloud takes.

Some enterprises were doing well in their own business and had no need to go to the cloud, then suddenly wanted to start an innovative business that needs the cloud.

The result may be a game of permutations and combinations of “public cloud”, “private cloud” and “proprietary cloud”: a hybrid cloud. In other words, an enterprise may have several clouds. In that case, what use is the “unity” of the public cloud’s cloud-native security capabilities? Can one cloud security plan be shared between on-premises and the public cloud, or across several clouds?

There is such a solution.

Ali Cloud intelligent security director Ge Daibin said that hybrid cloud security solutions are actually driven by users’ development needs or by the security incidents they have encountered.

Every time Ge Daibin thinks of this hard-built plan, he shows a Mona Lisa smile.

One enterprise used four clouds and had connected all four with dedicated lines. One day the enterprise found it had been hit by a worm. At first it had deployed the Cloud Security Center only on Ali Cloud; it then decided to deploy the security center on the other clouds as well to see whether they were affected, and found that the other clouds were already infected.

This is the first requirement: can the same security center be applied to all four clouds? It is like a rich owner who has houses in four communities. The owner thinks: it would be nice if the four houses were managed by the same property company and had the same security system.

There is also a need to reduce operating costs and maintain business continuity, as in the zombie army story at the beginning, by handing over local interfaces to the public cloud to withstand the attack.

But hybrid clouds also have “natural genetic defects”: different resource management, different underlying architectures, inconsistent security tools.

From putting native capabilities into practice to simplifying

Ge Daibin believes that, for hybrid cloud security, cloud-native security capabilities should mainly land in four aspects.

When adopting hybrid cloud, the boundary of security becomes blurred. How can the boundary be narrowed?

Identity becomes the smallest logical boundary.

“There needs to be a unified authentication of who can access the app, how, and what permissions are available. In the past, the intranet and extranet belonged to different systems. We wanted to give them a unified authentication system, whether they were intranet or extranet users, whether the authentication source was in the public cloud or in the private cloud, as long as they authenticated once,” Ge Daibin told the Otaku channel.

Some university campuses now have no walls, yet teachers and students have to swipe their cards or scan their faces to enter the various labs. In the same way, the virtual environment gives users a more powerful “key”: once they authenticate, the system remembers them, which is more convenient.

Besides turning identity into the boundary, you can also extend the boundary to infinity: proprietary and private clouds do not need any exposed surface on the Internet. All traffic enters through Ali Cloud; whether they are internal users, external users or employees, what they access is an Ali Cloud interface, while neither users nor attackers know that the traffic has quietly returned to the IDC inside the enterprise. The exposed surface is reduced, and so is the security risk.

“Before, you set up a DMZ (border zone) and all the traffic went through the DMZ, but now all the traffic goes from Ali Cloud to Ali Cloud, which is equivalent to handing over the border to Ali Cloud. Ali Cloud is your border; I just need to do the border of Ali Cloud.” In the face of potential attackers, Ge Daibin offered a “feint”: the enterprise goes from “hiring a few security guards” to handing the security work over to a “security company”.

This is also known as a unified interface.

Some users have their own server rooms but later put part of their business on the public cloud because of business requirements. Some users have tens of thousands of distributed servers. If a security system on the cloud manages security, how should the security of offline (on-premises) servers be managed? How should servers in several places be managed?

As with the four-cloud user hit by the worm mentioned earlier, server security can be unified: whether online or offline, all of it is handed over to the Cloud Security Center. Probes can also be deployed to other cloud platforms for unified detection and response, because as long as the other clouds’ API interfaces are open, the Cloud Security Center can call those APIs to respond.

As with the owner who wants one property company to manage all four houses, security management can be unified. However, some enterprise users have most of their assets offline and only a small portion on the cloud; for them, moving the unified management console from the cloud is optional.

“What we want to do is the same as the whole concept of Alibaba: make it easy to do business, make it easy to do safe operation and maintenance,” Ge Daibin told the Otaku channel.

To put it bluntly, the direct purpose of this hybrid cloud security scheme is not to build money-making security solutions the way security service providers do, but to let Ali Cloud float further, so that users covered by the cloud get greater security at lower cost, with fewer professional security personnel and in a lighter way.

There are countless martial arts styles in the world. What Ali Cloud security wants to do is simplify: expose fewer “weak sides” to the opponent while breaking down the barriers between threat intelligence, data, and operations and maintenance, so that, as from the top of Mount Tai, the lay of all the mountains can be seen at a glance.

The cyber world is like a battlefield, always under threat. No one can be safe forever, but security can be simpler.

This article was first published on Otaku channel by Li Qin


This article is original content of the cloud habitat community and shall not be reproduced without permission.