

The cloud is having a huge impact on the construction of digital businesses

With the advent of cloud computing, more and more enterprises are moving their business and services onto the cloud and hosting them there. The technologies and services provided by public clouds also change the way enterprise customers build their digital business, and those changes in turn affect our own domain, security, including API security. So what impact does cloud computing have? We can summarize three aspects.

First, one characteristic of the cloud is elastic, dynamic scaling: a flexible infrastructure supports a more agile business. So when an enterprise moves to the cloud, infrastructure is flexible and available on demand, and its “assets” change all the time.

Second, cloud native is becoming the basic idea for building business on the cloud. All business infrastructure is fully service-based, orchestrated and used on a “go as you go” basis.

Third, with cloud native, the mechanisms by which different infrastructure components invoke one another are changing dramatically. API-driven DevOps will quickly take off at large scale.

Cloud security construction faces new challenges

The security industry follows the technical architecture of its customers, so these changes bring new challenges to overall security operations and construction. We summarize three of them. The first is that the “assets” in traditional security operations have changed. In the past, the assets that security operations dealt with were mainly hardware such as servers, PCs and printers. On the public cloud we expand the concept of “assets” to include PaaS-layer and SaaS-layer services, data storage and so on; these new services and products are assets we need to pay attention to when doing security on the cloud.

The second is the new risks that may arise in the public cloud: cloud-native configuration risks. Whether it is Tencent Cloud, Alibaba Cloud, or overseas providers such as Microsoft and Amazon, every cloud product comes with its own security options, such as access controls on object storage or security group configuration on databases. However, these configurations are scattered across the various products and lack a unified management and operations platform. It is therefore difficult for cloud customers to manage and inspect them in a unified way, which may leave potential risks.

Third, security operations really has two core themes, “assets” and “threats”, and on the cloud the concept of “threat” also needs to expand. In traditional security we pay more attention to external attacks and threats against hosts, but the cloud brings new threats and techniques, such as abnormal or unauthorized operations by internal users, abnormal API calls and so on. Therefore, when we do security operations on the public cloud, the concept of “threat” needs to be expanded; otherwise it is hard to monitor and defend against attacks unique to the cloud.

New demands on cloud security operations

Because of these changes and challenges, we have some new demands when doing security operations on the cloud. The first is the need for a dynamic inventory of elastic assets. A customer’s IT organization may consist of separate operations and security teams, so information lags between them: no team may know how many assets are in use on the cloud, what types they are, and where the risks lie. Therefore a dynamic inventory of cloud assets is needed to give customers a clear picture.

Second, dynamic and automated assessment of compliance risks. At the end of last year I proposed a very important concept, dynamic compliance, aimed mainly at cloud products. Because assets change quickly on the public cloud, every change needs to be checked for compliance. However, the pace of change is too fast for compliance configurations to be checked manually with traditional methods, so security operations on the cloud require an automated means of checking.
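To make the dynamic inventory and dynamic compliance ideas concrete, here is an added example that is not part of the talk or of any Tencent Cloud product: a small rule engine that evaluates a snapshot of cloud assets against configuration rules and, when the inventory changes, reports only the findings that are new since the last evaluation. The asset records, field names (`acl`, `ingress`, `public_access`), rule IDs and the “admin ports” policy are all constructed for illustration and do not correspond to any provider’s real API schema.

```python
"""Added example (not from the talk): a dynamic compliance check over a cloud
asset inventory. Records, field names ('acl', 'ingress', 'public_access') and
rule IDs are constructed for illustration, not a real provider schema."""
import copy
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ports that should never be exposed to the whole internet (assumed policy).
ADMIN_PORTS = {22, 3389, 3306}

# Constructed snapshot, as a unified asset collector might emit it.
INVENTORY: List[Dict] = [
    {"type": "object_storage", "id": "bucket-logs", "region": "ap-shanghai",
     "acl": "private", "versioning": True},
    {"type": "object_storage", "id": "bucket-public-site", "region": "ap-shanghai",
     "acl": "public-read", "versioning": False},
    {"type": "security_group", "id": "sg-db", "region": "ap-guangzhou",
     "ingress": [{"proto": "tcp", "port": 3306, "cidr": "10.0.0.0/8"}]},
    {"type": "security_group", "id": "sg-web", "region": "ap-guangzhou",
     "ingress": [{"proto": "tcp", "port": 22, "cidr": "0.0.0.0/0"},
                 {"proto": "tcp", "port": 443, "cidr": "0.0.0.0/0"}]},
    {"type": "database", "id": "db-orders", "region": "ap-guangzhou",
     "public_access": True, "security_group": "sg-db"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    asset_id: str
    severity: str
    detail: str


def _world_open_admin_ports(sg: Dict) -> Optional[str]:
    """Detail string listing admin ports open to 0.0.0.0/0, or None if clean."""
    hits = [f"port {r['port']} open to {r['cidr']}" for r in sg["ingress"]
            if r["port"] in ADMIN_PORTS and r["cidr"] == "0.0.0.0/0"]
    return ", ".join(hits) or None


# (rule id, asset type, severity, check). A check returns a detail string when
# the asset violates the rule and None when it is compliant.
RULES = [
    ("OS-001", "object_storage", "high",
     lambda a: None if a["acl"] == "private" else f"ACL is {a['acl']}"),
    ("OS-002", "object_storage", "low",
     lambda a: None if a.get("versioning") else "versioning disabled"),
    ("SG-001", "security_group", "high", _world_open_admin_ports),
    ("DB-001", "database", "high",
     lambda a: "public access enabled" if a.get("public_access") else None),
]


def evaluate(inventory: List[Dict]) -> List[Finding]:
    """Run every applicable rule over every asset and collect violations."""
    findings = []
    for asset in inventory:
        for rule_id, asset_type, severity, check in RULES:
            if asset["type"] != asset_type:
                continue
            detail = check(asset)
            if detail:
                findings.append(Finding(rule_id, asset["id"], severity, detail))
    return findings


def new_findings(previous: List[Finding], current: List[Finding]) -> List[Finding]:
    """Findings present in `current` but not in `previous` (keyed by rule+asset),
    so each inventory change surfaces only what that change introduced."""
    seen = {(f.rule, f.asset_id) for f in previous}
    return [f for f in current if (f.rule, f.asset_id) not in seen]


def simulate_change(inventory: List[Dict]) -> List[Dict]:
    """Constructed change event: sg-db's MySQL port gets opened to the world."""
    changed = copy.deepcopy(inventory)
    for asset in changed:
        if asset["id"] == "sg-db":
            asset["ingress"].append({"proto": "tcp", "port": 3306, "cidr": "0.0.0.0/0"})
    return changed


if __name__ == "__main__":
    baseline = evaluate(INVENTORY)
    for f in baseline:
        print(f"[{f.severity}] {f.rule} {f.asset_id}: {f.detail}")
    print("--- after change ---")
    for f in new_findings(baseline, evaluate(simulate_change(INVENTORY))):
        print(f"[{f.severity}] NEW {f.rule} {f.asset_id}: {f.detail}")
```

In a real deployment the snapshot would come from the provider's inventory or configuration APIs on every change notification, and `new_findings` is what keeps the output actionable: the team sees the delta introduced by each change rather than the whole backlog again.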

The third and fourth are similar: the ability to detect risks and new threats on the cloud. As mentioned above, the expanded meaning of “threat” on the cloud requires corresponding risk and threat detection capability.

Fifth, customers may need a log audit platform on the cloud, that is, the ability to investigate and trace a security incident after it occurs, so that risks can be checked and rectified in time.

The last is the ability to respond and dispose. At present, many customers’ business construction on the cloud is already fairly automated, but the disposal of security events on the cloud may still be carried out manually, without an automated process. This is where the cloud’s native capabilities, such as the API call mechanism, can be leveraged to automate responses.

Cloud native security operation architecture

This is a security operations architecture we proposed, called “IPMDR”, which spans the three core stages of daily security operations: “security prevention beforehand”, “monitoring and detection during the event” and “response and disposal afterwards”.

So in the “prevention beforehand” part, we should first identify what assets we have in the cloud environment (including the various types of cloud-native assets). Once we know these assets, it is very important to build a preventive security system around them, including configuration risk detection for cloud assets, attack surface assessment, automated compliance risk assessment and so on. If these steps are done well in cloud security operations, the real potential risk on the cloud is reduced a great deal.

For “monitoring and detection during the event”, we rely on traditional security products such as firewalls and host security to detect security events on the traffic side and the host side. Meanwhile, we also need to detect cloud-specific threats, such as the API key leakage mentioned above and abnormal behavior by internal users.

“Response and disposal afterwards” has three aspects. The first is security orchestration and automation capability, to achieve batch automatic response and improve the efficiency of disposal. Second, we need a unified log audit and traceability investigation platform suited to the cloud environment, which brings together the data of the various security-related products on the cloud. The third aspect is that, as we often say, “security operations” is an effective system in which people, technology and processes cooperate. Therefore, in addition to the technologies just mentioned, we also provide human expert services to respond to and handle security incidents.

Build a security prevention system in advance

At present, prior security prevention needs “security shift-left”: moving security protection as early as possible in the development process. Traditionally, security enters at the operations and maintenance stage, after IT is deployed and the business is set up, when the security operations staff take over security operation and management. Security on the cloud requires us to bring these prevention steps forward, raising the overall security level before incidents occur and nipping problems in the bud. For example, we can do the dynamic asset inventory and the periodic identification and hardening of the attack surface mentioned above.

Build security incident monitoring and threat detection system

This requires building a complete monitoring and detection system, for example unified collection of the security products and security events on the cloud, to achieve unified monitoring and global management. Meanwhile, in addition to traditional security threats (host threats, traffic threats, etc.), new ones such as abnormal API calls and key leaks also need to be managed.

Build a post-response disposal system

Of course, we also need a post-incident response and disposal system, which can respond, block and harden configuration promptly after a security incident occurs, and actively adopts automated means to improve the efficiency of handling events. At the same time, a unified investigation and traceability platform for security incidents on the cloud is needed to ensure that incidents can be traced after they occur.
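The two preceding sections, detection of abnormal API calls and key leaks and automated response, are illustrated by one added example below; it is not code from the talk or from any Tencent Cloud product. It builds a per-key profile of source IPs from a baseline window of API audit events, scores events in the current window (new source IP, sensitive action), and feeds high-severity alerts into an in-memory stand-in for a credential API that disables the key. The JSON log lines, field names (`key`, `action`, `ip`, `ok`), the sensitive-action list and the `CloudClient` interface are all constructed assumptions.

```python
"""Added example (not from the talk): anomaly detection over constructed cloud
API audit logs, with automated key disabling as the response. Field names, the
sensitive-action list and CloudClient are assumptions for illustration."""
import json
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Actions whose use always deserves review (assumed list, not a provider's).
SENSITIVE_ACTIONS = {"CreateAccessKey", "StopLogging", "PutBucketAcl",
                     "ModifySecurityGroupRules"}

# Constructed baseline window: normal activity used to learn each key's profile.
BASELINE_LOG = """
{"time":"2021-09-01T08:00:00Z","key":"AKID-app-1","action":"GetObject","ip":"10.0.1.5","ok":true}
{"time":"2021-09-01T08:05:00Z","key":"AKID-app-1","action":"PutObject","ip":"10.0.1.5","ok":true}
{"time":"2021-09-01T09:00:00Z","key":"AKID-ops-1","action":"DescribeInstances","ip":"203.0.113.10","ok":true}
"""

# Constructed current window: the app key shows up from an unfamiliar address
# and then mints a new credential; the ops key turns off audit logging.
CURRENT_LOG = """
{"time":"2021-09-02T08:00:00Z","key":"AKID-app-1","action":"GetObject","ip":"10.0.1.5","ok":true}
{"time":"2021-09-02T08:10:00Z","key":"AKID-app-1","action":"GetObject","ip":"198.51.100.77","ok":true}
{"time":"2021-09-02T08:11:00Z","key":"AKID-app-1","action":"CreateAccessKey","ip":"198.51.100.77","ok":true}
{"time":"2021-09-02T09:30:00Z","key":"AKID-ops-1","action":"StopLogging","ip":"203.0.113.10","ok":true}
"""


def parse(text: str) -> List[Dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def build_profile(events: List[Dict]) -> Dict[str, Set[str]]:
    """Map each access key to the set of source IPs seen in the baseline."""
    profile: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        profile[e["key"]].add(e["ip"])
    return profile


def detect(events: List[Dict], profile: Dict[str, Set[str]]) -> List[Dict]:
    """Score each event: one reason -> medium, both reasons -> high."""
    alerts = []
    for e in events:
        reasons = []
        if e["ip"] not in profile.get(e["key"], set()):   # unknown key counts as new IP
            reasons.append(f"new source ip {e['ip']}")
        if e["action"] in SENSITIVE_ACTIONS:
            reasons.append(f"sensitive action {e['action']}")
        if reasons:
            alerts.append({"time": e["time"], "key": e["key"], "action": e["action"],
                           "ip": e["ip"], "severity": "high" if len(reasons) == 2 else "medium",
                           "reasons": reasons})
    return alerts


class CloudClient:
    """In-memory stand-in for a provider's credential API (assumed interface)."""

    def __init__(self, keys):
        self.status = {k: "active" for k in keys}

    def disable_key(self, key: str) -> None:
        self.status[key] = "disabled"


def respond(alerts: List[Dict], client: CloudClient) -> List[Tuple[str, str]]:
    """Automated disposal policy: high severity -> disable the key once."""
    actions = []
    for a in alerts:
        if a["severity"] == "high" and client.status.get(a["key"]) == "active":
            client.disable_key(a["key"])
            actions.append(("disable_key", a["key"]))
    return actions


def run() -> Dict:
    profile = build_profile(parse(BASELINE_LOG))
    alerts = detect(parse(CURRENT_LOG), profile)
    client = CloudClient(profile.keys())
    actions = respond(alerts, client)
    return {"alerts": alerts, "actions": actions, "client": client}


if __name__ == "__main__":
    result = run()
    for a in result["alerts"]:
        print(f"[{a['severity']}] {a['time']} {a['key']} {a['action']}: {'; '.join(a['reasons'])}")
    print("actions:", result["actions"], "key status:", result["client"].status)
```

The medium-severity alerts (a known key from a new address, or a sensitive action from a familiar one) go to an analyst, while only the combination triggers automatic disabling; the `StopLogging` call from the known ops address is still surfaced because it is exactly the kind of event that later makes traceability impossible.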

One central point and three basic points

To sum up, building a security operations system in the cloud era is really one central point and three basic points. The central point is that we should build the cloud security operations system with a cloud-native mindset, rather than moving the traditional security operations system onto the cloud; otherwise it is hard to deal with the risks unique to the cloud.

The three basic points are as follows. The first is “security shift-left”, the basic premise of security operations in the cloud era: we must be able to perceive and check risks in advance. The second, “data-driven”, is the basic requirement of security operations in the cloud era: we collect the data scattered across the various cloud platforms and cloud products and manage it uniformly. The third is “automation”, the basic means of security operations in the cloud era. It is in fact a convenience the cloud brings to security operations, because real automation is very difficult to achieve under the traditional system.


Tencent Cloud University is a one-stop learning and growth platform for cloud ecosystem users under Tencent Cloud. Every week, Tencent Cloud University’s “big shots share” invites internal technical experts to share the latest technology trends in the industry, free of charge.