Abstract: compares cloud security to an "iceberg", not only the "security services and features" on the iceberg must be paid attention to, but also the various basic security constructions under the iceberg.
This article is shared from the HUAWEI CLOUD community " in-depth native iceberg security system, detailed explanation of how HUAWEI CLOUD security services build full-stack security ", the original author: HUAWEI CLOUD community selection.
In recent years, with the rapid development of global cyberspace, high-risk vulnerabilities, high-traffic DDoS attacks, and data leakage incidents have occurred frequently. In the rapidly changing cyber threat landscape, it is not enough to rely solely on the remediation of vulnerabilities or targeting the known ones. New threats are still emerging. In the process of digital transformation and cloud migration, enterprise customers need to systematically build a security system to cope with new security challenges.
If cloud security is compared to an "iceberg", then cloud security services and the security features of cloud services belong to the visible part of the "iceberg". The security capabilities of 90% under the "iceberg" are often unknown, but it is the part under the "iceberg" that carries the security of the entire public cloud.
The native iceberg security system built by HUAWEI CLOUD has four capabilities: self-developed security services, global security certification, global security assurance capabilities, and full life cycle data security governance , helping companies resist cyber attacks. Free from complex and professional security work, you can quickly and conveniently obtain inclusive, compliant, and efficient security services. (For details, see "Building a native iceberg security system and protecting security on the cloud" ).
Full analysis of Huawei cloud security services
Based on the more than 20 years, HUAWEI CLOUD independently developed 20+ cloud security services, , which is one of the most important capabilities in HUAWEI CLOUD’s iceberg security system. Through security services, Huawei’s security capabilities are shared with users to help users efficiently and steadily. Develop business.
HUAWEI cloud security services cover "protect cloud workloads, protect application services, protect data assets, manage security posture, and go to the cloud for business compliance." five major areas, from the computing layer, network layer, data layer to the security management layer, Accumulated cloud security experience in different dimensions, formed a collaborative cloud security service system, provided users with excellent practices, and built full-stack security.
In order to have a better understanding, we take a typical e-commerce scenario as an example to understand in detail how these five security services escort enterprises.
Protect cloud workloads
The core of the operation of computers and networks is data, and the attribution of data is the host, which includes personal computers, servers, and some large disk arrays. For enterprises, the mainframe is not only the underlying platform that carries the company's business and internal operations, but also the core of the enterprise's data and services. Its stable and safe operation is the prerequisite guarantee for the normal operation of the company.
For example, during the e-commerce promotion period, tens of thousands of users' order information will be stored in the server. If there is no host security protection system, hackers can use password cracking, social engineering attacks or vulnerability attacks to invade the server database and obtain a large amount of data assets. In the process of being attacked, the e-commerce business will be interrupted, and a large number of malicious files occupy system resources, which will also cause the server to fail to operate normally and affect the user's purchase order.
The host security literacy of the new era: it is indispensable to prevent brute force cracking, detect the mining Trojan horse, and guard the backdoor loopholes. HUAWEI CLOUD Enterprise Host Security (HSS), as the personal security steward of the server, achieves security protection such as virus and Trojan horse detection, one-click repair of vulnerabilities, intrusion detection, and anti-ransomware protection. Its flagship version and webpage tamper-proof version also increase the ability to rebound Shell, high-risk command execution, and self-start detection to prevent webpages from being tampered with, effectively respond to advanced threats such as APT attacks, and escort cloud companies in all aspects.
Many companies deploy their businesses on multiple cloud platforms to enjoy the advantages of products and services of different cloud vendors; secondly, to diversify and reduce business system risks. However, multi-cloud deployment will also bring about the difficulty of increasing the difficulty of host security management. Mogujie makes you more beautiful, and Huawei Cloud makes Mogujie safer. Through Huawei Cloud HSS, Mogujie realizes unified security protection and management of multi-cloud platform hosts, increasing the efficiency of security management by 3 times. At the same time, the rich security experience of the Mogujie security team combined with the powerful intrusion detection capabilities of HUAWEI CLOUD HSS has improved the security protection level of Mogujie.
In addition to protecting external security issues, we also need to always pay attention to IT operation and maintenance security issues such as corporate identity, authority, and assets. A survey shows that more than half of corporate network security incidents are not caused by external attacks, but by insecure and non-compliant operation and maintenance operations within the enterprise.
The bastion machine has become a security product that every enterprise needs under the dual requirements of enterprise security operation and maintenance internal needs and legal compliance. HUAWEI CLOUD bastion machine does not require installation and deployment, one-stop operation and maintenance and security management, reducing enterprise operation and maintenance costs; real-time recording of all operations and logs, and providing real-time monitoring, screen recording, and playback functions to facilitate post-audit and evidence collection; at the same time, the product Safety compliance, three major features make Cloud Fortress a must-have security O&M explosive for enterprises.
Securing application services
Many companies rely on Web applications for their key businesses, and 75% of Internet attacks are focused on the application layer. In the case of e-commerce, during 618 and Double 11, the spike activity application page is often published. Some illegal attackers will use the proxy server to generate legitimate requests to the victim host, and make a large number of access requests to the Web server, causing normal users to be unable to access normally. . Eventually, there will be a 404 inaccessible page as soon as the spike activity starts.
Web pages have been tampered with, visits have been phished, and there would be downtime as soon as they do activities... In fact, these are all due to the inadequate protection of web applications.
For web application protection, web application firewalls can be used to detect and block common attacks, and support the identification and blocking of common web attacks. Help users deal with security issues such as website intrusion, vulnerability exploitation, web page tampering, backdoor implantation, CC attacks, etc., and escort the safe operation of corporate Web services.
Take Huawei Cloud's web application firewall as an example. It first analyzes web attack behaviors and sets dynamic protection for specific business scenarios. The intelligent defense CC function is turned on as soon as possible. In the process of continuous confrontation, based on the flexible custom strategy configuration, we can find out the attack strategy of the black product and resist it. At the same time, it helps customers sort out business logic and provide a basis for business adjustment and optimization. carefully! The website suffered a web attack! Beware of data leakage and web page tampering! Through comics, it vividly shows how HUAWEI CLOUD Web Application Firewall helps users cope with security issues such as website intrusion, vulnerability exploitation, web page tampering, backdoor implantation, CC attacks, etc., and escort the safe operation of corporate Web services.
Not only that, e-commerce platforms are often subject to malicious competitors or hackers using a large number of "controlled hosts" to issue malicious attacks, resulting in the inaccessibility of platform websites, resulting in business interruption, economic losses and customer loss. Large-scale cyber attacks come at any time, how can they be shot? HUAWEI CLOUD DDoS high defense service can help you solve it easily! In addition to these security guarantees that can protect against external attacks, companies also need vulnerability scanning to automatically discover the security risks of websites or servers in the network, provide multi-dimensional security detection services for cloud businesses, and protect data assets from security weaknesses. .
We all know that data is the core information of an enterprise, and the key location of data storage is still in the database. The current situation is that in a large number of interconnected enterprise environments, databases generally lack effective security protection. Some criminals will attack the database to steal information by dragging the database, washing the database and hitting the database.
We know that the data of e-commerce companies not only include product information, but also a large number of registered users, user behaviors and other related privacy data. Data privacy needs to be stored and circulated, but it cannot be "streaked".
How to keep the data gold mine? Data on the cloud can protect data privacy through authentication methods such as key technology, new algorithms, and encryption algorithms, while enhancing the protection of the data itself. Data is encrypted at each stage of data transmission, storage and processing, and cloud technology is used to process information to realize information concealment and protect user data security.
To ensure the security of databases on the cloud, we can perform sensitive data monitoring, data desensitization, database auditing, and anti-injection attacks based on reverse proxy and machine learning mechanisms. You can learn more about Database Security Service (DBSS).
If you are worried about data leakage, Data Encryption Workshop (DEW) can quickly solve this problem for you, providing exclusive encryption, key management, and key pair management functions, so that you can avoid data leakage worries.
Not only that, in today's proliferation of phishing websites, companies also need to prevent their websites from being counterfeited or tampered with, which will trigger the theft of users' information and data and cause economic losses to users.
Manage the security posture
In the daily security operation and maintenance work of an enterprise, various security products will generate massive threat alerts every day, requiring a lot of manpower to manually investigate real threats and false alarms. Over time, it will have the effect of "the wolf is coming". How to really know who is attacking you, what the overall situation of the attack is, and even predict the possible direction of action of the attacker based on existing information has become the key task of enterprise security protection.
situational awareness is to acquire, understand, and predict future development trends of all security elements that can cause changes in the security situation of the user's cloud system, and present them through visualization technology to provide decision-making for security protection actions. It has four core points: perception, understanding, prediction, presentation, and decision-making.
Worried about unknown risks and wrong decisions? Situational awareness makes security operation and maintenance no longer black! Based on big data security analysis capabilities, situational awareness summarizes and correlates and analyzes multi-dimensional information such as assets, logs, and alarms in the cloud, changing the dilemma of the operation and maintenance personnel in the past submerged in massive data, and ultimately reducing the time to actively discover security threats. In addition, the large visualized situational awareness screen, like a combat command center, can present the protection level and shortcomings of network security from a global perspective, which has important guiding significance for the management to measure the value of security investment and make decisions.
Based on situational awareness, e-commerce companies can clearly understand where cloud attacks come from, how to prevent them, and what is the asset security situation? Let enterprises easily perceive the present and predict the future!
In addition to situational awareness, Huawei Cloud Threat Detection Service (MTD), which can be called a “stethoscope” of cloud risks, can continuously monitor malicious activities and unauthorized behaviors, complement other service detection capabilities, identify risks in the first place, and avoid potential threats. Security incidents to help companies improve the efficiency of security operations and ensure business continuity.
Business compliance to the cloud
Of course, in addition to network security and business security needs to be guaranteed, for e-commerce companies, the best security protection is institutional protection. As early as June 2017, the "Network Security Law of the People's Republic of China" was formally implemented, and the hierarchical protection system has become the basic system of national network security. In 2019, Dianbao 2.0 puts forward new technical requirements and management requirements, emphasizing "one center, triple protection", and enterprises need to be more comprehensive in the construction of safety protection system, risk assessment and management.
To this end, Huawei Cloud provides customers with DJC solutions to help companies improve their security protection capabilities and meet DJC compliance requirements. In fact, it is not difficult to pass the guarantee, it is very important to find the right helper! Before serving customers, all regions of HUAWEI CLOUD have passed the level 3 guarantee, and some regions and nodes with high security requirements have passed the level 4 guarantee, laying the foundation for smooth and high grade guarantees for users. In order to make users more worry-free and trouble-free, HUAWEI CLOUD has deployed various security protection products that meet the requirements of the equivalent warranty clauses 100%.
In addition, combined with Huawei’s 30 years of security experience, Huawei Cloud has launched a management detection and response service (MDR), in the form of cloud services, to establish a security risk control system composed of management, technology, and operation and maintenance for customers, combining corporate and institutional businesses. The safety demand feedback and prevention and control effect of the company continue to improve user safety protection, help enterprises and institutions realize effective monitoring of safety risks and safety incidents, and take effective measures in a timely manner to continuously reduce safety risks and eliminate losses caused by safety incidents.
In order to better help enterprises to do a good job in security protection, turn on the cloud security mode. On the security theme day of the Huawei Cloud TechWave Global Technology Summit, Huawei Cloud focused on application security protection and released four new security products: security intelligence analysis platform ISAP, threat detection MTD, application trust center ATC and security operation center SOC , which are cloud for enterprises New weapons are added to safety protection.
Cloud-native security everywhere in the cloud-native era
With the maturity of cloud native technology and the upgrading of market demand, the development of cloud computing has entered a new stage-the cloud native 2.0 era. More and more companies and individuals choose to use cloud native technology to build their businesses. While enjoying the cloud-native dividend, enterprises also have higher requirements for security protection, because they need security services that are more compatible with cloud-native business development.
As one of the cloud-native representative technologies for containers, every enterprise should have an understanding of container security. In the cloud native 2.0 era, all enterprises should know about container security. From the comparison of containers and virtual machines, we introduce the more portable and efficient features of containers. Huawei Cloud Container Security Service CGS has built an in-depth defense system for container security threats, providing a complete set of container security capabilities including image scanning, threat detection, and threat protection. It provides full-lifecycle protection capabilities for containers such as Build, Ship, and Run, which penetrates the entire The container DevOps process ensures the safety of the entire process of container virtual environment from development to production. At the 2020 Trusted Cloud Conference, after strict inspection by the Institute of Information and Communications Technology, all 49 security capabilities have passed the inspection, and Huawei Cloud Container Security Service has obtained the most advanced advanced level certification of Trusted Cloud.
Not only that, in terms of cloud native security, Huawei Cloud has launched three products: CFW Cloud Firewall, DSC Data Security Center Service, and ATC Application Trust Center.
On the HUAWEI CLOUD TechWave Cloud Native 2.0 Special Day, provides multi-scenario full traffic protection for enterprise services . HUAWEI CLOUD CFW cloud firewall is officially released! As a new generation of cloud-native firewall, Huawei Cloud CFW cloud firewall provides protection for the Internet boundary and VPC boundary on the cloud, and has the four characteristics of "minimalism, intelligence, visibility, and openness".
Traditional security protection is based on network boundaries, but with the rise of cloud computing and mobile Internet, traditional network boundaries are gradually blurred, and defense concepts based on network boundaries are difficult to adapt to the needs of the cloud environment. The concept of zero trust "never trust, always verify" emerges, that is, to build an access control system based on identity rather than network location.
Based on the concept of zero trust and relying on cloud-native security capabilities, HUAWEI CLOUD has innovated key technologies such as network stealth and adaptive risk control, and implemented a lot of practices in many scenarios such as secure operation and maintenance and remote access to make applications more secure. HUAWEI CLOUD applications The Trust Center ATC is officially tested. ATC service is a security service built around user applications. By constructing a panoramic topology of application security threats, it achieves fine-grained access control and meets customers' needs for zero-trust access control capabilities.
In June 2021, the 29th meeting of the Standing Committee of the 13th National People's Congress passed the "Data Security Law of the People's Republic of China" (hereinafter referred to as the Data Security Law), which will come into force on September 1. Data is the gold mine of today's era, and protecting data security is the core demand of enterprises. While enterprises are using cloud for digital transformation, how to ensure the security of the entire life cycle of enterprise data assets?
Today's data security capabilities on the cloud have always been scattered among various services, such as VPNs, security groups, SSL certificates, and integrated encryption capabilities such as ECS, RDS, and OBS. Data security is a pipeline, and the overall security capability is composed of the security capabilities of each stage. In other words, if one stage is very strong, and the other stage does not have any protective measures, then the overall data security status is It doesn't help. Enterprises lack a unified perspective on overall security capabilities. At this time, they need a "close guard" of data assets-the data security center.
As the internal test started in September 2019, the cloud-native Huawei Cloud Data Security Center service will be officially launched at the end of 2020. The service can provide basic data security capabilities such as data classification, data security risk identification, data watermark traceability, and data desensitization. By building a unified data security portal, around the entire life cycle of data, it helps users realize data security visual management services on the cloud. It can also provide enterprises with a panoramic view of the full life cycle of data assets, allowing customers to clearly know where their data comes from, where to go, and whether there are security issues. Ensure the security of data on the cloud at all stages of generation, collection, transmission, storage, use, exchange, and destruction. It really helps enterprises to achieve: Data security center is in hand, and data protection solutions are available.
at last
Security is a systematic project that requires continuous investment, continuous evolution, and continuous improvement. The rapid development of emerging technologies also brings frequent occurrences of unknown security threats. HUAWEI CLOUD Security inherits Huawei’s 20-year accumulation of security capabilities, gradually builds a comprehensive cloud security service matrix, builds a full-stack security line of defense, and helps customers efficiently and securely in the cloud-native era Clouds on the ground.
Click to follow, and learn about Huawei Cloud's fresh technology for the first time~
**粗体** _斜体_ [链接](http://example.com) `代码` - 列表 > 引用。你还可以使用@来通知其他用户。