Introduction: Xiao Li has worked in network security for nearly 20 years, dealing with every kind of attack threat and building security both off the cloud and on it. His cloud security work began 10 years ago with the protection system of the Alibaba Cloud platform, which helps users across industries build enterprise security capabilities on the cloud. The emergence of cloud native has further deepened his understanding of, and thinking about, security: in the future we may talk less about "security" and more about a native "immune system" that lives in the cloud.

Author: Xiao Li | Source: Alibaba Tech (WeChat official account)

Xiao Li: Vice President of Alibaba Group, General Manager of Alibaba Cloud Security

I have been engaged in network security for nearly 20 years. I have dealt with all kinds of attack threats and have built security both off the cloud and on the cloud.

Our cloud security work began 10 years ago. Crossing the river by feeling for the stones, we built the protection system of the Alibaba Cloud platform and helped users in every industry build enterprise security capabilities on the cloud.

The emergence of cloud native has further deepened my understanding of and thinking about security. In the future we may no longer be talking about "security" at all, but about a native "immune system" growing in the cloud.

20 years off the cloud: bolt-on security

From 2000 to 2020, thousands of security companies were founded in China, offering hundreds of categories of security products. One sentence in their product manuals never changed: plug and play. Yet even a seemingly seamless plug-in can hardly avoid compatibility problems, and because interfaces are not uniform it is common for a "plug and play" device to still be undeployed a month after purchase.

The showy attacks most people remember, such as the "Panda Burns Incense" worm, are long out of date. Last year, with the global pandemic and the new normal of remote work, we observed highly sophisticated attacks. The SolarWinds supply-chain APT campaign a few months ago compromised one of the world's top security firms. Alibaba Cloud successfully defended against resource-exhaustion DDoS attacks whose scale set a new record among attacks observed to date. And the latest ransomware attacks have demanded ransoms of hundreds of millions of dollars, leaving businesses at a loss.

This is the backdrop against which enterprise digital assets must now be secured.

The cloud directly changes this security reality.

The incaseformat worm, which broke out in January, spreads mainly via USB drives. The cloud is naturally immune to this mode of transmission and is unaffected by default, so every cloud user passed through a security incident that caused considerable public alarm without even noticing it.

Cloud-native workloads have image and snapshot capabilities. When data is encrypted in a ransomware attack, users can quickly restore it from a snapshot without paying a ransom, provided the snapshots themselves are kept out of the attacker's reach.

The direction of cloud-native security, seen from the two aspects of security technology and security concept, can be summed up in two keywords: built-in and front-loaded.

  • Built-in – point protection capabilities are broken apart and rebuilt into the infrastructure itself.
  • Front-loaded – security is considered further upstream, establishing one trust and one suspicion: trust in the infrastructure, and constant suspicion of the dynamic factors around it.

Cloud-native security technology: an immune system integrated into the infrastructure

Alibaba Cloud has long practised security itself. Whether cloud native is taken in the broad or the narrow sense, several technical trends for the future have become increasingly clear.

1 Security as a shared resource invoked on demand

Most enterprises have very limited security resources, and there is a contradiction: capacity must be able to handle peak traffic, yet most of the time that capacity sits idle.

Take Alibaba's own business: Double 11 is undoubtedly a traffic peak, and the year consists of one major peak, several smaller peaks and long troughs. The gap between peak and trough can be enormous, so there is no reason to keep a large stock of "provisions" on standby all year.

Security capability as a service is a trend the industry has long anticipated: can security be invoked on demand?

Last year I often cited an example: during the epidemic, 20,000 servers were added in one hour, and security protection covered them within that same hour. For a comparable enterprise off the cloud, each device would have to be mounted, tuned and chained in series to form a blocking defense, which takes at least a month.

In the cloud environment, business systems only need to be connected to the platform, and security protection comes with them.

2 Infrastructure is naturally capable of detection and protection

Security capabilities are built directly into infrastructure nodes. When traffic passes through nodes such as SLB load balancing and CDN edge computing, security detection is performed right there. Within the same bandwidth resource, service is accelerated while protection remains imperceptible to the user.

Each security capability node across the infrastructure has a global view of risk. A threat seen at a single point is coordinated across the whole network within seconds, improving the risk response and handling speed of the entire IT environment. In the past few years, in major customer events and large-scale live attack-and-defense exercises, Alibaba Cloud's offensive and defensive capability has consistently ranked at the top. That advantage comes partly from its own technical reserves, and more importantly from cloud-based global threat detection and coordinated response.

3 Proactive vulnerability repair for imperceptible defense

More than a decade ago, when we did security, vulnerabilities had to be fixed by hand.

When a vulnerability appeared, dozens or hundreds of applications had to be checked one by one. During the repair, services could not go offline and users were not supposed to notice, which made the back-end work slow and painful. This forced slowdown further lengthened the attack window and increased business risk.

Today, vulnerability repair on Alibaba Cloud has become very simple. When a vulnerability appears, the cloud automatically raises a shield so that the attack cannot get in, and the cloud will keep evolving toward repairing the vulnerability itself automatically.

We have considered and solved many of the difficulties that can arise during IT construction. What security staff see is a relatively simple unified console: they configure security policies in terms of business logic and spend their energy on high-value work.

Cloud-native security concept: absolute trust and constant suspicion

Modern business is far more complex than in the past. Simplicity is the best way to eliminate complexity, so the security concept needs to be reduced to its essentials.

Staff mobility and identity churn now move at many times the speed of the past. Data can be generated from any terminal, by any person, in any location, and may be stored in public clouds, private clouds, edge computing nodes... The computation, processing and exchange of all of this form a complex, criss-crossing network.

Security seems to have nowhere left to stand, which is exactly why the "immune system" matters. We look at security from every angle and peel back the layers to see the logic behind it.

The life cycle of data on the cloud may play out in the brain, the heart or even the extremities of the IT system. Data flows through the enterprise like blood, serving the operation of every organ; information flow replaces workflow in driving the business forward. How, then, is the whole system secured?

1 The cloud is trusted

The evolution of cloud-native security is lowering the cost of trust, making the infrastructure itself a more highly available, more secure trusted computing environment.

Chip-level hardware trust

Chip-level security is the highest level of security in today's technology landscape. The immutability of hardware makes it the foundation on which the highest assurance is built.

In October last year, Alibaba Cloud launched the industry's first trusted virtualized instances based on SGX 2.0 and TPM, the earliest to bring chip-level hardware security into production. The newly launched seventh-generation ECS instances are all equipped with a security chip as the hardware root of trust, enabling trusted boot of the server so that any tampering with the boot chain is detected. This means that, for the first time, a secure and trusted environment capable of supporting big-data computing has been realized.

Users no longer need to worry about the hardware layer: any tampering is detected immediately, so they can focus on secure development and further reduce the amount of security code they must write themselves.
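The "trusted boot" described above rests on measured boot: each stage of the boot chain is hashed into a TPM platform configuration register (PCR) before it runs, and the final PCR value is compared against a known-good reference. The following Go program is an added example, not Alibaba Cloud's or any TPM vendor's code; it models the PCR-extend operation in software with constructed stand-in images (the component names and bytes are assumptions) to show why a modified or reordered stage is always detected.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Component is one stage of the boot chain that is measured before it runs.
type Component struct {
	Name string
	Code []byte // constructed stand-in for the real firmware/bootloader/kernel image
}

// Extend models TPM PCR extend: PCR = SHA-256(PCR || SHA-256(image)).
// A PCR can only be extended, never written directly, so the final value
// commits to the whole ordered sequence of measurements.
func Extend(pcr [32]byte, image []byte) [32]byte {
	digest := sha256.Sum256(image)
	return sha256.Sum256(append(pcr[:], digest[:]...))
}

// MeasureChain replays a boot chain from an all-zero PCR (the power-on state)
// and returns the final PCR value.
func MeasureChain(chain []Component) [32]byte {
	var pcr [32]byte
	for _, c := range chain {
		pcr = Extend(pcr, c.Code)
	}
	return pcr
}

// Verify compares a PCR reported by the platform against the golden value
// computed from a known-good manifest.
func Verify(reported, golden [32]byte) bool {
	return bytes.Equal(reported[:], golden[:])
}

// GoldenChain is a constructed known-good boot chain (assumption: sample data).
func GoldenChain() []Component {
	return []Component{
		{Name: "firmware", Code: []byte("uefi-firmware-v1")},
		{Name: "bootloader", Code: []byte("grub-2.06")},
		{Name: "kernel", Code: []byte("vmlinuz-5.10")},
	}
}

// TamperedChain is the same chain with a modified bootloader image.
func TamperedChain() []Component {
	chain := GoldenChain()
	chain[1].Code = []byte("grub-2.06-backdoored")
	return chain
}

func main() {
	golden := MeasureChain(GoldenChain())
	fmt.Println("golden PCR:", hex.EncodeToString(golden[:]))
	fmt.Println("clean boot verifies:   ", Verify(MeasureChain(GoldenChain()), golden))
	fmt.Println("tampered boot verifies:", Verify(MeasureChain(TamperedChain()), golden))
}
```

On real hardware the golden value is published by the image vendor or recorded from a known-good boot, the PCR is signed by the TPM in a quote, and the comparison happens in an attestation service; the hashing logic is the same.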

Data is transparently encrypted by default

Encryption is the most primitive form of data protection; it is not a new security concept.

On the cloud, encryption is a more natural process: native data is encrypted by default from the moment it is created. Data generated on the cloud is encrypted automatically, data migrated onto cloud disks is encrypted by default, and sensitive business data is encrypted at the byte level.

The cloud infrastructure also provides public-key cryptographic applications that add a further lock on top of data encryption.

A cryptographic system can change keys automatically or on a custom schedule. This feature, called "key rotation", sounds mundane but demands careful design at the infrastructure layer. The public cloud has a master key that is rotated daily by default, and users can set the rotation period of their own keys anywhere from a day to a year, so that any single key protects only a bounded amount of data for a bounded time and a compromised key is of little use to an attacker.
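Daily master-key rotation is only practical because of envelope encryption: each object is encrypted under its own data key, and only that small data key is wrapped by the master key, so rotating the master key means re-wrapping keys, not re-encrypting data. The Go program below is an added example, not Alibaba Cloud's KMS or API; it implements a toy in-memory KMS with versioned master keys (the type and method names are assumptions) and shows rotation, re-wrapping, retiring an old version, and tamper detection via AES-GCM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KMS is a toy key-management service (assumption: not a real cloud KMS).
// Master keys never leave it; callers only receive wrapped data keys.
type KMS struct {
	masters map[int][]byte // master-key version -> 32-byte AES key
	current int            // version used for new wraps
}

// Envelope is what is stored next to an object: the per-object data key
// wrapped under one master-key version, plus the data ciphertext.
type Envelope struct {
	MasterVersion  int
	WrappedDataKey []byte
	Ciphertext     []byte
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err) // no usable entropy: refuse to continue
	}
	return b
}

// NewKMS creates a KMS whose first master key is version 1.
func NewKMS() *KMS {
	k := &KMS{masters: map[int][]byte{}}
	k.Rotate()
	return k
}

// Rotate creates a new master-key version and makes it current. Older
// versions stay available so envelopes wrapped under them remain readable.
func (k *KMS) Rotate() int {
	k.current++
	k.masters[k.current] = randomBytes(32)
	return k.current
}

// Retire deletes a master-key version; envelopes still bound to it become unreadable.
func (k *KMS) Retire(version int) { delete(k.masters, version) }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal/open are AES-256-GCM with a random nonce prefixed to the ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// versionAAD binds a wrapped data key to its master-key version, so a stored
// envelope cannot be silently re-labelled with a different version.
func versionAAD(v int) []byte { return []byte(fmt.Sprintf("master-key-v%d", v)) }

// Encrypt generates a fresh data key per object, encrypts the data with it,
// and wraps the data key under the current master key.
func (k *KMS) Encrypt(plaintext []byte) (*Envelope, error) {
	dataKey := randomBytes(32)
	ct, err := seal(dataKey, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(k.masters[k.current], dataKey, versionAAD(k.current))
	if err != nil {
		return nil, err
	}
	return &Envelope{MasterVersion: k.current, WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// unwrap recovers the data key using the master-key version named in the envelope.
func (k *KMS) unwrap(env *Envelope) ([]byte, error) {
	master, ok := k.masters[env.MasterVersion]
	if !ok {
		return nil, fmt.Errorf("master key version %d retired or unknown", env.MasterVersion)
	}
	return open(master, env.WrappedDataKey, versionAAD(env.MasterVersion))
}

// Decrypt unwraps the data key and decrypts the data; any modification of the
// stored bytes fails the GCM tag check.
func (k *KMS) Decrypt(env *Envelope) ([]byte, error) {
	dataKey, err := k.unwrap(env)
	if err != nil {
		return nil, err
	}
	return open(dataKey, env.Ciphertext, nil)
}

// Rewrap moves an envelope to the current master-key version. Only the 32-byte
// data key is unwrapped and re-wrapped; the bulk ciphertext is never touched.
func (k *KMS) Rewrap(env *Envelope) error {
	dataKey, err := k.unwrap(env)
	if err != nil {
		return err
	}
	wrapped, err := seal(k.masters[k.current], dataKey, versionAAD(k.current))
	if err != nil {
		return err
	}
	env.MasterVersion, env.WrappedDataKey = k.current, wrapped
	return nil
}

func main() {
	kms := NewKMS()
	env, _ := kms.Encrypt([]byte("constructed sample: customer record 42"))
	kms.Rotate() // daily rotation: new master key, old one still readable
	_ = kms.Rewrap(env)
	pt, err := kms.Decrypt(env)
	fmt.Printf("master version %d, decrypted %q, err %v\n", env.MasterVersion, pt, err)
}
```

The design point is in Rewrap: a background job can walk every stored envelope and move it to the new master-key version without reading the bulk ciphertext, which is what makes a daily rotation period affordable at cloud scale. Retire shows the flip side: once a version is deleted, anything not yet re-wrapped is gone.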

2 Zero trust: constant suspicion of dynamic factors

Data is always created by people. As every link of the enterprise goes online, anyone can be a data producer.

Whether employees are using the traditional OA and approval systems, e-mail and video conferencing, or working in complex scenarios such as remote development, testing, operations and customer service, the requirement is the same: from identity authentication and network access to dynamic permission management, access to the intranet has to be made secure through continuous verification, a standing posture of suspicion, and dynamic monitoring and attestation of the cloud environment.
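The practical meaning of "continuous verification" is that the access decision is recomputed on every request from current signals, instead of being granted once at login and inherited by the session. The Go program below is an added example, not Alibaba Cloud's policy engine; the resource names, freshness limits and signals are assumptions chosen to illustrate the pattern, and a request's network location is deliberately not an input, since being on the intranet grants no trust.

```go
package main

import (
	"fmt"
	"time"
)

// Access carries the dynamic signals a zero-trust policy re-checks on every
// call, not just at login. All values are supplied by the caller so the
// decision is a pure function of the current state.
type Access struct {
	User            string
	Resource        string
	AuthenticatedAt time.Time // time of the last strong (MFA) authentication
	DeviceCompliant bool      // endpoint posture as reported by the device agent
	Country         string    // geolocation of this request
	LastCountry     string    // geolocation of the session's previous request ("" if first)
	Now             time.Time
}

// Decision is the outcome together with the first reason for denial.
type Decision struct {
	Allow  bool
	Reason string
}

// maxAuthAge (assumption: sample policy) sets how recent the authentication
// must be, by resource sensitivity. Resources not listed are denied outright.
var maxAuthAge = map[string]time.Duration{
	"mail":     8 * time.Hour,
	"oa":       8 * time.Hour,
	"source":   1 * time.Hour,
	"prod-ops": 15 * time.Minute,
}

// Evaluate allows access only while every signal is acceptable right now.
func Evaluate(a Access) Decision {
	limit, known := maxAuthAge[a.Resource]
	if !known {
		return Decision{false, "unknown resource: default deny"}
	}
	if !a.DeviceCompliant {
		return Decision{false, "device posture non-compliant"}
	}
	if a.LastCountry != "" && a.Country != a.LastCountry {
		return Decision{false, "session moved between countries: re-authenticate"}
	}
	if age := a.Now.Sub(a.AuthenticatedAt); age > limit {
		return Decision{false, fmt.Sprintf("authentication is %s old, limit for %s is %s",
			age.Round(time.Minute), a.Resource, limit)}
	}
	return Decision{true, "ok"}
}

func main() {
	now := time.Date(2021, 3, 1, 10, 0, 0, 0, time.UTC) // constructed clock
	req := Access{User: "alice", Resource: "mail", AuthenticatedAt: now.Add(-2 * time.Hour),
		DeviceCompliant: true, Country: "CN", LastCountry: "CN", Now: now}
	fmt.Printf("mail:     %+v\n", Evaluate(req))
	req.Resource = "prod-ops"
	fmt.Printf("prod-ops: %+v\n", Evaluate(req)) // same user, same session, denied until re-auth
}
```

The same user and session get different answers for different resources and as time passes; a step-up re-authentication or a change in device posture simply changes the inputs on the next call.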

When the cloud is the IT infrastructure and computing power is a public utility like water, electricity and coal, the implications for security are obvious. We also want to build the most secure cloud in the world, offering ever simpler choices amid growing complexity.


This article is original content from Alibaba Cloud and may not be reproduced without permission.