Unified management of the network in a multi-account cloud environment is the only way to protect the network security of large enterprises with many branches. Whether it is foreign companies entering China, domestic companies going overseas, or local group-based companies growing at scale, unified network security management and control plus overall security situation awareness on the cloud can align the security baseline across corporate accounts, so that security protection has no blind spots.

Introduction

When large and medium-sized enterprises move to the cloud, they usually set up a multi-account structure split by business line, project or usage scenario, and by production and test environments. Compared with a single account, cloud resources in different accounts are isolated by default, which makes independent cost settlement and O&M management easier between different products/branches and reduces the risk of over-broad RAM permissions within a single account.

But at the same time, it also makes security management more complicated than with a single account:

  • Security report analysis and asset inventory have to cover multiple cloud accounts, and gathering the statistics is time-consuming and labor-intensive;
  • Security policies have to be configured repeatedly in each account, and O&M staff fall into the trap of "duplicated labor";
  • During emergency response, vulnerability exploitation, intrusions, breaches and other abnormal behavior affect multiple accounts at once, leaving little time to react;
  • Across multiple business accounts, north-south and east-west traffic lacks a unified view, and log analysis lacks global analysis capability.

So, starting from the business needs and organizational structures of different companies, how does Cloud Firewall achieve unified security management of multiple accounts on Alibaba Cloud? Let's open this "Mind Secret Book" together and find out.

Cloud Wall "Mind Method" 1: Concentrate your forces and fight a battle of annihilation

No matter how many business lines there are, protection still has a "God's-eye view"

Large and medium-sized enterprises on the cloud run very different kinds of business, resulting in anywhere from tens to thousands of business sub-accounts. Enterprise security staff must protect thousands to hundreds of thousands of assets in a unified way, and the pressure on security O&M is heavy. Under a traditional network defense architecture, firewall management rights belong to different business departments, each business account is managed independently with no unified view, and passive intrusion detection can hardly escape the embarrassment of patching problems one at a time after the fact.

  • Internet ingress/egress management: Internet entry and exit points are scattered across different accounts, and the inbound and outbound traffic is mixed with a large volume of attacks. Attacks against EIPs are highly concurrent, and because the accounts belong to different owners, defense becomes fragmented;
  • Attacker IP blocking: High-intensity confrontation scenarios test the enterprise's defense strategy and place stringent real-time requirements on IP blocking strategies, blacklist mechanisms and the detection of active outbound connections;
  • Worm containment: Once a highly contagious worm breaks out, cloud defense needs to achieve unified, organization-wide control and immediate protection;
  • Vulnerability remediation: Across the organizational hierarchy, awareness of, repair methods for and defensive understanding of high-risk/medium-risk vulnerabilities urgently need to be brought to a common level;
  • High false-alarm rate: Without learning the association relationships between accounts, traditional firewalls find it hard to distinguish frequent legitimate access by associated users from brute-force cracking, so the false-alarm rate of intrusion detection is high.

Figure: Per-account intrusion prevention across thousands of accounts (firefighting) vs. unified intrusion prevention architecture across multiple business accounts

Automatic and secure management of public-network assets by Cloud Firewall

Through the cross-account unified Internet-boundary asset management capability of Alibaba Cloud Cloud Firewall, users can manage the EIP assets under every account from a single console, covering ECS, SLB and NAT resources. When a new network asset appears in a managed account, Cloud Firewall automatically takes it over, so no asset is missed and network defense has no weak point.

Eliminate blind spots across business areas

For public-network exposed assets with protection enabled, all IPS rules take effect immediately, and the Internet boundaries under multiple accounts share a unified security defense. This truly achieves single-point alerting on external malicious intrusions and attacks with coordinated blocking across all business quadrants, reducing the network security incidents caused by gaps in management and control.

  • One-click convergence of the exposed surface: Untangle the traffic of complex business scenarios and rely on deep packet analysis and machine learning over massive historical logs to converge the boundary's exposed surface with one click, reducing the level of attacks by 90%;
  • Big-data collaborative defense: Relying on self-growing graph-computing intelligence correlation, tens of millions of high-quality, accurate threat-intelligence hits are blocked in real time every day, collaboratively building a dynamic network security boundary for multi-account enterprises; in offense/defense drills and botnet/trojan/worm scenarios, the earliest global cloud-network view makes threats visible and preventable as soon as they appear in the wild;
  • Virtual patching: Cross-account virtual patching against remotely exploitable vulnerabilities (RCE) for customers on the cloud, aligning emergency response capabilities;
  • Whitelist strategy to reduce false positives: Based on flow learning of the relationships between accounts, a higher-confidence whitelist policy is formed between enterprise accounts, so that mutual access between enterprise accounts produces zero false positives.
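As an added illustration of the flow-learning whitelist idea above (example code written for this page, not Cloud Firewall's own implementation), the block below learns which EIP pairs owned by managed accounts talk to each other on a recurring basis and then uses that whitelist to suppress a simple connection-burst brute-force heuristic between them. The asset inventory, flow records, account names and thresholds are all constructed assumptions.

```python
"""Learn a cross-account whitelist from flow records and use it to suppress
intra-enterprise brute-force false positives. Example only; all data is constructed."""
from collections import defaultdict

# Constructed asset inventory: EIP -> managed account (hypothetical values).
ASSETS = {
    "203.0.113.10": "acct-prod",
    "203.0.113.20": "acct-test",
    "203.0.113.30": "acct-data",
}

# Constructed flow records: (day, src_ip, dst_ip, dst_port, connection_count).
FLOWS = [
    ("d1", "203.0.113.20", "203.0.113.10", 22, 300),   # test -> prod, recurring
    ("d2", "203.0.113.20", "203.0.113.10", 22, 310),
    ("d3", "203.0.113.20", "203.0.113.10", 22, 295),
    ("d1", "198.51.100.7", "203.0.113.10", 22, 500),   # external burst
    ("d1", "203.0.113.30", "203.0.113.10", 3306, 40),  # data -> prod, seen once
]

ADMIN_PORTS = {22, 3389}


def learn_whitelist(flows, assets, min_days=3):
    """Return (src, dst, port) tuples where both ends belong to managed
    accounts and the traffic recurs on at least min_days distinct days."""
    days_seen = defaultdict(set)
    for day, src, dst, port, _ in flows:
        if src in assets and dst in assets:
            days_seen[(src, dst, port)].add(day)
    return {key for key, days in days_seen.items() if len(days) >= min_days}


def brute_force_alerts(flows, whitelist, min_conn=200):
    """Naive detector: a burst of connections to an admin port is flagged
    unless the tuple is a learned intra-enterprise relationship."""
    alerts = []
    for _, src, dst, port, conn in flows:
        if port in ADMIN_PORTS and conn >= min_conn and (src, dst, port) not in whitelist:
            alerts.append((src, dst, port))
    return alerts


if __name__ == "__main__":
    wl = learn_whitelist(FLOWS, ASSETS)
    print("whitelist:", wl)
    print("alerts:", brute_force_alerts(FLOWS, wl))
```

Without the whitelist the recurring test-to-prod SSH bursts would be flagged alongside the external one; with it, only the external source remains.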

Cloud Wall "Mind Method" 2: Strive to be proactive and avoid passivity

Unified management across business environments: security policy configuration is done once

Service or resource isolation is an important means of reducing inter-system dependence and preventing faults from spreading. Enterprises on the cloud often place business resources that need network-level isolation into different VPCs.
Under a hybrid cloud architecture, for different business branches or environment attributes, cloud accounts support more complex isolation and mutual-access scenarios, such as IDC to VPC, VPN, dedicated lines and so on. These complex isolation and access requirements bring correspondingly more complex security policy configuration.

  • Duplicated work: Firewall devices are set up under different accounts and access control policies (ACLs) are configured in different areas, so the same policy has to be configured multiple times;
  • Policy conflicts: Without unified management and control of policies across account environments, policy conflicts during access control are easy to introduce;
  • Business blocked: It is hard to keep security control policies in sync between different businesses/environments of the same enterprise, which in severe cases can affect the business (for example, a certain type of intrusion is not blocked in the test environment but is blocked in production without having been tested; the protection rule then conflicts with the business and affects normal business traffic).

Figure: Scattered security configuration across multiple environments vs. policy configuration management across business and development/test/production environments

More efficient policy management

Alibaba Cloud Cloud Firewall currently integrates with the CEN service to provide unified policy management and control over cross-account and cross-VPC traffic, helping enterprises manage unified access control policies between different accounts and VPCs through one policy configuration platform. Beyond mutual access between VPCs, it can also apply policies to hybrid cloud scenarios such as dedicated lines and Cloud Connect Network (CCN), and those policies take effect globally. The time to roll out a single policy drops from the order of days to the order of seconds, which eliminates the extra workload and risk of configuring the same policy multiple times and helps enterprises achieve unified management and control.
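To make the "duplicated work" and "policy conflict" problems above concrete, here is an added example (written for this page, not Cloud Firewall's or CEN's own logic) that consolidates per-account ACL lists into one global set, reports rules that were configured identically in several accounts, flags rules whose match fields agree but whose actions disagree, and lists narrower rules that a broader rule with the opposite action covers. The account names, CIDRs and rules are constructed assumptions.

```python
"""Consolidate per-account ACL policies into one global set and flag
duplicates, conflicts and shadowed rules. Example only; policies are constructed."""
import ipaddress
from collections import defaultdict

# Constructed per-account ACLs: (src_cidr, dst_cidr, proto, port, action). Hypothetical accounts.
ACCOUNT_POLICIES = {
    "acct-prod": [("10.1.0.0/16", "10.2.0.0/16", "tcp", 3306, "accept"),
                  ("0.0.0.0/0", "10.1.0.0/16", "tcp", 22, "drop")],
    "acct-test": [("10.1.0.0/16", "10.2.0.0/16", "tcp", 3306, "accept"),   # same as prod
                  ("0.0.0.0/0", "10.1.0.0/16", "tcp", 22, "accept")],      # opposite of prod
    "acct-data": [("10.1.5.0/24", "10.2.0.0/16", "tcp", 3306, "drop")],    # narrower, opposite
}


def normalize(rule):
    """Canonical form so textually different but equivalent rules compare equal."""
    src, dst, proto, port, action = rule
    return (str(ipaddress.ip_network(src, strict=False)),
            str(ipaddress.ip_network(dst, strict=False)),
            proto.lower(), int(port), action.lower())


def consolidate(account_policies):
    """Return (unified_rules, duplicates, conflicts). A match tuple with a
    single action becomes one global rule; differing actions are conflicts."""
    by_match = defaultdict(dict)  # match tuple -> {action: [accounts]}
    for acct, rules in account_policies.items():
        for rule in rules:
            *match, action = normalize(rule)
            by_match[tuple(match)].setdefault(action, []).append(acct)
    unified, duplicates, conflicts = [], [], []
    for match, actions in by_match.items():
        if len(actions) > 1:
            conflicts.append((match, actions))
            continue
        action, accts = next(iter(actions.items()))
        if len(accts) > 1:
            duplicates.append((match, accts))
        unified.append((*match, action))
    return unified, duplicates, conflicts


def shadowed(unified):
    """Pairs (narrow, broad) with the same proto/port but opposite actions, where
    broad covers narrow; ordering in the global set decides which one wins."""
    net = ipaddress.ip_network
    return [(a, b) for a in unified for b in unified
            if a is not b and a[4] != b[4] and a[2:4] == b[2:4]
            and net(a[0]).subnet_of(net(b[0])) and net(a[1]).subnet_of(net(b[1]))]
```

Running `consolidate(ACCOUNT_POLICIES)` on the constructed data yields two global rules, one duplicate (the shared 3306 accept) and one conflict (port 22 drop vs. accept), and `shadowed` pairs the data account's narrow drop with the broad accept that covers it.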

Cloud Wall "Mind Method" 3: Be diligent and prudent, and command with determination

Unified security report analysis and settlement across multiple branches

The organizational structure determines the cloud account structure to a certain extent. Whether the enterprise runs in a group/subsidiary mode or a multi-branch mode, the biggest problem for the corporate security department is unified security awareness across every business operating environment, and network security is one of the most important objects of analysis. How many network ports does the enterprise expose on the Internet, how many isolation domains are currently running, are the planned north-south and east-west isolation policies actually in effect, how many network intrusions occur each day, are full logs being recorded as planned to meet audit requirements, is abnormal traffic occurring, are the call relationships between services reasonable, and so on. These network security O&M questions are reasonably manageable under one account, but once they are spread across multiple cloud accounts they become a disaster for managers. Unifying traffic data, unifying network logs and unifying attack analysis are almost "impossible tasks" for daily security O&M.

Figure: Multiple branches achieve unified report analysis and settlement through a management account

Centralized traffic analysis and report statistics

Through centralized data statistics, network security O&M staff only need to watch one unified data platform to grasp, in real time, the overall network security situation, asset exposure, policy configuration and its effects, and intrusion prevention data of the whole enterprise, while the log data from different account environments is collected automatically. On top of meeting compliance requirements such as China's Multi-Level Protection Scheme (MLPS 2.0, 等保2.0), unified analysis and optimized report statistics make the results more accurate and comprehensive and provide a better data basis for subsequent optimization work.

User voice

"The centralized management and control capabilities of Cloud Firewall have helped us manage multiple business accounts and third-party test accounts on the cloud in a unified manner, realizing protection visualization in a single console. This greatly simplifies the daily network policy O&M work, improves the efficiency and quality of unified network traffic analysis, satisfies our company's need for centralized management of network security, and paves the way for more refined network policy management and control in the future." -- Head of information security at a large financial company



Author: Alibaba Cloud Developer (阿里云开发者)

The official Alibaba technology account, presenting technical innovation, hands-on experience and the growth insights of engineers across the Alibaba economy.