Abstract: If the cloud security is compared to the “iceberg”, we should not only pay attention to the “security services and features” on the iceberg, but also pay attention to the various foundation security construction under the iceberg.
This article is shared from huawei Cloud community “In-depth native iceberg security system, detailed explanation of Huawei cloud security services how to build full stack security”, the original author: Huawei Cloud community selection.
In recent years, with the rapid development of global cyberspace, high-risk vulnerabilities, high-traffic DDoS attacks and data leakage incidents have occurred frequently. In a rapidly changing cyber threat landscape, it is no longer enough to rely solely on vulnerabilities to be remedied or on what is known, and new threats continue to emerge. Enterprise customers need to systematically build security systems to meet new security challenges in the process of digital transformation and moving to the cloud.
If cloud security is likened to an “iceberg”, then cloud security services and cloud security features belong to the visible part of the “iceberg”. The security capability of the 90% of the “iceberg” is often not known, but it is the part under the “iceberg” that carries the security of the whole public cloud.
Huawei cloud to construct native iceberg safety system, through four big ability: independent research and development of the security services, covering global security certification, global security ability and the whole life cycle of data security management, help enterprises to resist network attack, liberated from the safety of the complex professional work, quickly and easily get to pratt &whitney, compliance and efficient security services. (For details, see “Huawei Cloud Builds A Native Iceberg Security System to Protect Cloud Security”).
Huawei cloud security service full resolution
Huawei Cloud Base has accumulated over 20 years of security accumulation. The 20+ cloud security services independently developed by Huawei Cloud Base are one of the most important capabilities in huawei Cloud Security system. Huawei security services share huawei security capabilities with users to help users develop their services efficiently and stably.
Huawei cloud security service coverage “cloud workload, protect application service, protect data assets, management, security situation, business compliance on cloud” five areas, and from calculating layer, network layer, data layer to safety management, the different dimensions of cloud security experience, formed a collaborative linkage cloud security service system, to provide users with excellent practice, construct the whole stack.
In order to understand more concrete, we take a typical e-commerce scene as an example, to understand in detail how these five security services for enterprises escort.
Protect cloud workloads
At the heart of computers and networks is data, and that data belongs to mainframe computers, which include personal computers, servers, and some large arrays of disks. For enterprises, the host is not only the bottom platform to carry the company’s business and internal operation, but also the core of enterprise data and services, its stable and safe operation is the premise of the normal operation of the company.
For example, during the big promotion of e-commerce, tens of thousands of users’ order information will be stored in the server. If there is no host security protection system, hackers can use password cracking, social worker attacks or vulnerability attacks to break into server databases and obtain large amounts of data assets. During the attack, e-commerce services will be interrupted and a large number of malicious files will occupy system resources, which will also cause the server cannot run normally and affect the purchase order of users.
The new era of host security literacy: to prevent brute force cracking, mining Trojan, to keep the back door loopholes, indispensable, the same can not be less. Huawei Cloud Enterprise Host Security (HSS), as the server’s personal security manager, provides security protection for viruses and Trojans, vulnerability one-click repair, intrusion detection, and extortion prevention. Its flagship edition and webpage tamper-proof edition also add resilience Shell, high-risk command execution, self-start detection and other capabilities to prevent webpage from being tampered, effectively respond to APT attack and other advanced threats, and fully protect enterprises in the cloud.
Many enterprises deploy their services on multiple cloud platforms to enjoy the advantages of different cloud vendors’ products and services. Second, to spread and reduce business system risks. However, multi-cloud deployment will also bring host security management difficulties. Mogujie makes you more beautiful, and Huawei Cloud makes Mogujie safer. Mogujie realizes unified security protection and management of multi-cloud platform hosts through Huawei Cloud HSS, and improves security management efficiency by 3 times. At the same time, mogujie security team rich security combat experience combined with huawei cloud HSS powerful intrusion detection capabilities, improve the security protection level of Mogujie.
In addition to protecting external security issues, IT operation and maintenance security issues such as identity, permission, and assets within the enterprise should also be paid close attention. A survey shows that more than half of the enterprise network security incidents are not caused by external attacks, but due to the enterprise internal security, non-compliance operation and maintenance operations caused by.
Fortress aircraft in the enterprise safety operation and maintenance of domestic demand and legal compliance with the double requirements, become every enterprise needs the safety products. Huawei Cloud Fortress does not need installation and deployment, one-stop operation and security management, reduce enterprise operation and maintenance costs; Records all operations and logs in real time and provides functions such as real-time monitoring, screen recording, and playback to facilitate audit and forensics. At the same time, product safety compliance, the three characteristics of cloud Fortress machine become the necessary enterprise safety operation and maintenance explosive products.
Protecting application services
Many enterprises rely on Web applications for their critical services, and 75% of Internet attacks are concentrated at the application layer. In the case of e-commerce, during the period of 618 and Double 11, the activity application page of seckill is often published. Some malicious attackers will use proxy servers to generate legitimate requests to the victim host and make a large number of access requests to the Web server, resulting in the failure of normal users to access. Eventually, the page will be 404 unavailable as soon as the seckill activity begins.
Webpage is tampered, access is phishing, do activity on the downtime… In fact, these are all because the Web application protection is not done properly.
To protect Web applications, Web application firewalls can detect and block common Web attacks, identifying and blocking common Web attacks. It helps users to deal with security problems such as website intrusion, vulnerability exploitation, webpage tampering, backdoor implantation, CC attack and so on, and escorts the secure operation of enterprise Web services.
Take the Web application firewall of Huawei Cloud as an example. It analyzes Web attack behaviors, sets dynamic defense for specific service scenarios, and enables the intelligent DEFENSE CC function in the first time. In the process of continuous confrontation, you can use flexible user-defined policy configuration to find out the attack policies of the dark generation and defend against them. At the same time, help customers to sort out the business logic, and provide a basis for business adjustment and optimization. Be careful! Web site encountered Web attack! Beware of data leakage, webpage tampering! In the cartoon, it vividly shows how Huawei Cloud Web application firewall helps users to deal with security problems such as website intrusion, vulnerability utilization, webpage tampering, backdoor implantation, CC attack and so on, and escorts the safe operation of enterprise Web services.
In addition, e-commerce platforms are often subjected to malicious competitors or hackers using a large number of “controlled hosts” to launch malicious attacks, resulting in the platform website can not be accessed, resulting in business interruption, economic losses and customer loss. A massive cyber attack is coming at any time. What if I get shot? Huawei cloud DDoS high defense services help you easily solve the problem! In addition to these security guarantees to protect against external attacks, enterprises also need vulnerability scanning to automatically discover the security risks of websites or servers on the network, provide multi-dimensional security detection services for cloud services, and protect data assets from security vulnerabilities.
As we all know, data is the core information of the enterprise, and the key location of data storage is still in the database. However, the current situation is that in a large number of interconnected enterprise environment, the database is generally lack of effective security protection. Some criminals will use the way to wash the library library database attack to steal information.
We know that the data of e-commerce enterprises not only contains commodity information, but also a large number of registered users, user behavior and other related privacy data. Data privacy requires storage and circulation, but not “streaking”.
How to defend the data gold mine? The privacy of data on the cloud can be protected by authentication methods such as key technology, new algorithms and encryption algorithms, while the protection of data itself is enhanced. At each stage of data transmission, storage and processing, the data is encrypted, and the cloud technology is used to process the information to realize information concealment and protect the security of user data.
In order to ensure the Security of the Database on the cloud, we can carry out sensitive data monitoring, data desensitization, Database audit and anti-injection attack based on the reverse proxy and machine learning mechanism. In detail, we can understand the Database Security Service (DBSS).
If you’re worried about Data leakage, The Data Encryption Workshop (DEW) is a quick way to solve the problem by providing proprietary Encryption, key management, and key pair management capabilities that will save you the worry of Data leakage.
Moreover, in today’s flood of phishing websites, enterprises also need to prevent websites from being counterfeits and falsified, which will lead to the theft of users’ information and data and cause economic losses to users.
Managing the security situation
In the daily security operation and maintenance work of enterprises, a variety of security products will produce a large number of threat alarms every day, it needs to spend a lot of manpower to manually identify real threats and false positives, a long time will produce the effect of “crying Wolf”. How to really know who is attacking you, what is the overall situation of the attack, and even to be able to predict the attacker’s possible direction of action according to the existing information, has become the focus of enterprise security protection.
** Situational awareness is to obtain, understand and predict the future development trend of all security elements that can cause the security situation of the user’s system on the cloud to change, and present them through visualization technology, so as to provide decisions for security protection actions. ** It has four core points of perception, understanding, prediction, presentation and decision.
Worried about unknown risks, bad decisions? Situational awareness makes security operations no longer dark! Based on the security analysis capability of big data, situational awareness summarizes and correlation analysis of multi-dimensional information such as assets, logs, and alarms in the cloud, changing the dilemma of operation and maintenance personnel drowned in massive data in the past, and finally reducing the time of active discovery of security threats. Moreover, the large screen of visual situational awareness, like a battle command center, can present the level of protection and weaknesses of network security from a global perspective, which has important guiding significance for management to measure the value of security investment and decision-making.
Based on situational awareness, e-commerce enterprises can clearly understand the attack on the cloud from where, how to prevent, what is the security situation of assets? Let enterprises easily perceive the present and predict the future!
In addition to situational awareness and risk in the cloud “stethoscope” huawei threat detection of cloud services (MTD) can continuous monitoring of malicious activities and unauthorized behavior, complement other services detection ability, for the first time identify risks, avoid caused by a potential threat to security incidents, to help enterprises improve security operation efficiency and ensure the continuity of the business.
Business compliance on the cloud
Of course, in addition to network security and business security need to be guaranteed, for e-commerce enterprises, the best security protection is institutional protection. As early as June 2017, the Cyber Security Law of the People’s Republic of China was formally implemented, and the hierarchical protection system has become the basic system of national cyber security. In 2019, isobao2.0 put forward new technical requirements and management requirements, emphasizing “one center, three protection”, enterprises need to be more comprehensive in the construction of safety protection system, risk assessment and management.
To this end, Huawei Cloud provides customers with equal-security (DJC) solutions to help enterprises improve their security protection capabilities and meet equal-security compliance requirements. Pass wait to protect actually not difficult, find the right helper very important! Before serving customers, all regions of Huawei Cloud pass level 3, and some regions with high security requirements and nodes pass level 4, laying a foundation for smooth and high-score pass. In order to save users more worry and trouble, Huawei Cloud deploits all kinds of security protection products that meet 100% of the requirements.
30 years of experience in security and, in combination with huawei, huawei launched cloud detection and response management services (MDR), in the form of cloud services, for the customer to establish composed of management, technical and operational safety risk control system, combined with the safety of the enterprises and institutions needs feedback and continuous improvement, prevention and control effect for user security protection of the It helps enterprises and organizations to effectively monitor security risks and incidents, and take effective measures to continuously reduce security risks and eliminate losses caused by security incidents.
In order to better help enterprises do a good job in security protection, the cloud security mode is opened. On the security special day of Huawei Cloud TechWave Global Technology Summit, Huawei Cloud focused on application security protection and released four new security products: security intelligent analysis platform ISAP, threat detection MTD, application trust Center ATC and security operation Center SOC, adding new weapons for enterprise cloud security protection.
Cloud native security is ubiquitous in the era of cloud native security
With the maturity of cloud native technology and the upgrade of market demand, the development of cloud computing has entered a new stage — cloud native 2.0 era. More and more enterprises and individuals are choosing to use cloud-native technologies to build their businesses. While enjoying the dividend of cloud native business, enterprises also have higher demand for security protection, because they need security services that better fit the development of cloud native business.
As one of the cloud native representative technologies, container security is something every enterprise should know about. In the cloud native 2.0 era, enterprises should understand the container security, from the container and virtual machine comparison, for us to introduce the container more portable and efficient features. Huawei cloud container security Service (CGS) builds a container security threat defense system in depth. It provides a set of container security capabilities, including image scanning, threat detection, and threat prevention. It provides Build, Ship, and Run life-cycle protection capabilities for containers, and penetrates the DevOps process of containers. Ensure the security of the container virtual environment from development to production. In the trusted Cloud Conference 2020, all 49 security capabilities have been inspected by the Institute of Information and Communication technology, and Huawei cloud container security service has won the most advanced certification of the trusted cloud.
In addition, in terms of cloud native security, Huawei Cloud has launched CFW Cloud Firewall, DSC Data Security Center service and ATC Application Trust Center.
In huawei Cloud TechWave Cloud Native 2.0 special day, in order to provide multi-scene full traffic protection for enterprise business, build the first line of defense of network security, Huawei cloud CFW cloud firewall was officially released! As a new-generation native cloud firewall, huawei CFW cloud firewall protects the boundaries of the Internet and VIRTUAL private cloud (VPC) on the cloud. It features simplicity, intelligence, visibility, and openness.
Traditional security protection is based on the network boundary, but with the rise of cloud computing and mobile Internet, the traditional network boundary is gradually blurred, and the network boundary-based defense concept is difficult to meet the needs of the cloud environment. Zero trust The idea of “never trust, always verify”, which is to build access control systems based on identity rather than network location, has sprung up.
Based on the concept of zero trust and relying on the native security capability of the cloud, Huawei Cloud innovates key technologies such as network stealth and adaptive risk control, and conducts a lot of practices in many scenarios such as secure operation and maintenance and remote access to make applications more secure. Huawei Cloud Application Trust Center ATC is officially open test. ATC services are security services built around user applications. By building a panoramic topology of application security threats, the ATC service implements fine-grained access control, meeting customers’ requirements for zero-trust access control capabilities.
In June 2021, the 29th session of the Standing Committee of the 13th National People’s Congress passed the Data Security Law of the People’s Republic of China (hereinafter referred to as the Data Security Law), and will take effect on September 1. Data is the gold mine of today’s era, and the protection of data security is the core appeal of enterprises. How to ensure the full life cycle security of enterprise data assets while transforming into cloud digital?
Data security capabilities in today’s cloud have always been decentralized across services, such as VPNS, security groups, SSL certificates, and integrated encryption capabilities such as ECS, RDS, OBS, etc. Data security is a pipeline, and the overall security capability is composed of the security capability of each stage. In other words, if a certain stage is strong, and another stage does not have any protection measures, then it is not helpful for the overall data security state. Enterprises lack a unified perspective on the overall security capability, this time the enterprise needs a data assets “personal guard” – data security center.
As a private beta started in September 2019, huawei cloud data security Center service of cloud native was officially launched at the end of 2020. The service can provide data classification, data security risk identification, data watermarking traceability and data desensitization and other basic data security capabilities, by building a unified data security entrance, around the full life cycle of data, help users to achieve data security visualization management services on the cloud. It also provides enterprises with a full lifecycle picture of their data assets, allowing customers to know where their data is coming from, where it is going, and whether there are security issues. Ensure the security of data on the cloud during the generation, collection, transmission, storage, use, exchange, and destruction stages. The real help enterprises do: data security center in hand, protection of data solutions.
The last
Security is a systematic engineering that requires continuous investment, continuous evolution, and continuous improvement. The rapid development of emerging technologies at the same time with the frequent occurrence of unknown security threats, Huawei cloud security inherit huawei security capacity accumulation for more than 20 years, gradually build and improve the cloud security service matrix, build a full stack of security defense line, in the cloud native era to help customers efficient and secure cloud on the ground.
Click follow to learn about the fresh technologies of Huawei Cloud