This article will take a look at the cloud security fortress built by Amazon Cloud Technology, and then deconstruct the three security concepts it proposes for readers.

Going to the cloud is the general trend, but is it safe to go to the cloud?

This question has accompanied cloud computing throughout its rise. Today digital transformation is accelerating, and requirements for the platform's own security compliance, data privacy and more keep escalating, so "security" has become the consistent top priority in many enterprises' cloud journeys. It matters at every stage: before migration, the security of the cloud platform itself must be established; during migration, the data migration process must be protected; after migration, security in the cloud must be planned comprehensively, including how to use cloud-native services to improve security and make compliance more efficient.

As the number one player in global cloud computing, Amazon Cloud Technology has accumulated many methodologies and much practical experience in cloud security. The rest of this article looks at the cloud security fortress it has built and then deconstructs the three security concepts it proposes.

1. It is actually safer for enterprises to go to the cloud

1.1 Compared with the self-built data center, how is the security experience of migrating to the cloud?

For many years, companies have believed that building their own data centers is the safest option. Amazon Cloud Technology argues, however, that moving to the cloud can raise an enterprise's security experience a step above that.

An enterprise that builds its own data center has to build everything itself, including managing security equipment, signing contracts and controlling cost. If the application goes to the cloud instead, the enterprise no longer needs to invest effort in securing the underlying infrastructure, and its security governance in the cloud can go further. This shows in four aspects:

First, automation. In an on-premises environment, products from different vendors are used, and integrating security data across them can be extremely complex. In the cloud, the high level of integration between cloud security services makes data integration easier and better automated.

Second, visibility. Better data integration also makes it possible to manage security visually from a centralized platform in the cloud. A unified log platform, identity management and unified APIs give users better visibility.

Third, cost. Cloud security has no up-front investment; it is paid for according to usage, giving enterprises more flexibility in cost control.

Fourth, compliance. The cloud helps enterprises automate compliance tasks and do compliance more efficiently. In the case of Amazon Cloud Technology, users not only inherit Amazon Cloud's compliance certifications automatically at the infrastructure level, they can also follow the compliance best practices Amazon Cloud provides when building their own security compliance.

In short, if compliance for a self-built data center starts from 0, in the cloud it may start from 50 points, because the cloud vendor has already done the other 50 and the enterprise inherits them directly. By moving to the cloud, enterprises gain advantages in automation, visibility, cost control and more efficient compliance.

1.2 Is the cloud platform itself safe and compliant?

Whatever its industry or scale, every enterprise has an equally urgent demand for the cloud platform's own security compliance. The security of the cloud itself is the foundation of trust, the precondition for deciding to migrate, and the cornerstone on which enterprises build applications in the cloud. The problem is that many cloud vendors currently explain too little about the security of the cloud itself; how they build their own security compliance remains a blind spot for enterprises.

Millions of users around the world have put their data and services on Amazon Cloud Technology, many of them in heavily regulated industries such as finance and telecommunications. For example, Nasdaq, the world's largest stock exchange, will migrate all of its business to Amazon Cloud Technology in stages, and NTT docomo, Japan's largest telecom operator, will migrate petabyte-scale data warehouses to the cloud. To earn the trust of so many enterprises, Amazon Cloud Technology ensures its own security compliance mainly through the following four points:

First, secure infrastructure.

It provides highly scalable and highly reliable infrastructure. For example, one region usually contains three availability zones (3 AZ), a deployment concept intended for building highly available architectures; at the same time, strict rules on the physical distance between availability zones provide disaster tolerance.

Extensive redundancy, layered controls and heavy use of automation keep the underlying infrastructure monitored and protected around the clock. This was especially important for ensuring business continuity during the epidemic prevention and control period.

Amazon Cloud's data centers and networks are built to the highest security standards, so every business gets consistent foundational cloud security without the heavy capital and operational overhead of a traditional data center.

Second, secure cloud services.

The security of the cloud itself depends not only on how many security services Amazon Cloud Technology offers but on the security of those services themselves. The security team is involved from the very start of developing any new service, and a service with any known security issue during development is not released. Deeply integrated services also automate work and reduce risk: Amazon Cloud Technology has a complete set of API management and security tools that perform security tasks automatically, including continuous detection and protection of operating status and threat remediation and response. These measures secure both the services and the solutions built from them.

Third, customer ownership and control of data.

Users will only put their applications on the cloud with confidence if they always own their data and can operate on it autonomously. Amazon Cloud Technology does not touch the data users upload to the cloud, which means Amazon does not know whether that data includes personal data. At the same time, customers keep complete control over their data: users decide for themselves which data can be uploaded to Amazon Cloud, and when, where and how it is protected.

Encryption is also ubiquitous within Amazon Cloud: all data flows are automatically encrypted at the physical layer before they leave its infrastructure, and further layers of encryption are applied on top, for example all VPC traffic between regions is encrypted and many service-to-service connections use TLS. In addition, Amazon Cloud Technology's global regions help customers meet data localization requirements.

Fourth, support for numerous security standards and compliance certifications, meeting the compliance requirements of almost all regulatory agencies worldwide.

Amazon Cloud Technology currently holds 98 security standards and compliance certifications around the world, which users can inherit directly. One example is ISO/IEC 27018:2019, which focuses on protecting personal data in the cloud. Amazon Cloud Technology follows this internationally recognized code of practice and has undergone independent third-party assessments demonstrating its commitment to respecting privacy and protecting user content.

In addition, the Beijing and Ningxia regions are the two Amazon Cloud Technology regions that serve China. To ensure a good user experience and comply with Chinese laws and regulations, Amazon cooperates technically with local partners holding the relevant telecommunications licenses in China, and those partners provide the cloud services to customers: Beijing Sinnet Technology Co., Ltd. operates and provides the Amazon Cloud Technology Beijing region, and Ningxia Western Cloud Data Technology Co., Ltd. operates and provides the Amazon Cloud Technology Ningxia region.

1.3 How to deal with data protection laws?

Globally, 132 countries and regions have enacted data protection and privacy laws and regulations. In China, the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law of the People's Republic of China have been promulgated in succession since 2017, raising the data security requirements on enterprises. Greater emphasis on security compliance not only helps companies avoid many administrative and even criminal liability risks; seen from another angle, security compliance has itself become one of an enterprise's core competitive strengths.

Data security is built in layers, and Amazon Cloud Technology provides a variety of cloud-native security services that customers can adopt quickly to raise their security level. In China alone: at the access control layer there are multi-factor authentication, API request authentication and temporary access tokens; at the logging and request management layer there are CloudTrail, Config and GuardDuty; at the data encryption layer, KMS is used to encrypt EBS, S3, Glacier and RDS.

Amazon Cloud Technology also runs an Information Security Program designed to help protect user data from accidental or unlawful loss and access, identify internal security risks and unauthorized network access, and minimize security risk through risk assessment and regular testing. The program includes five kinds of measures:

Network security. Employees, contractors and service providers access the Amazon Cloud Technology network only with authorization. Amazon Cloud Technology manages and maintains the access control policies that govern every network connection and user access to the Amazon network, including through firewalls and other authentication controls, and is responsible for correcting policy and responding to security threat incidents.

Physical security. Amazon Cloud Technology's physical facilities are located in undisclosed areas, and physical barriers at the perimeter and at building entrances prevent unauthorized access.

Limited employee and contractor access. Only employees and contractors with a legitimate business need are given access to these areas, and access is revoked immediately when that need ends.

Physical access protection. All access points other than the main entrance are kept locked, and access points to physical facilities are monitored by video surveillance cameras designed to record everyone entering the facility.

Continuous evaluation. Amazon Cloud Technology periodically reviews the security of its network and its information security against industry security standards and its own policies and procedures, continuously evaluates the security of its network and related services, and determines whether additional or different security measures are needed to address the risks those reviews identify.

This article will not go further into the security of the cloud itself or of Amazon Cloud Technology itself. In the current market, accelerating digital transformation and tightening security compliance seem to place enterprises in a constant contradiction, but rapid innovation and security are not an either/or choice: the right answer is to drive rapid business innovation on the premise that security is ensured. In response to this pain point, Amazon Cloud Technology has proposed three major security concepts and an onion model to help enterprises improve their cloud security capabilities.

2. Dismantling the three major security concepts of Amazon cloud technology

2.1 Concept 1: Use the cloud's event-driven architecture to build automated guardrails instead of checkpoints.

The biggest threat to network security still comes from people: exploitation due to a lack of security awareness, misconfiguration through negligence, or security work that fails for other human reasons. Moreover, traditional enterprise security is basically driven after the fact; the security team ends up as the backstop and firefighter, and frequently lacks the skills needed.

Amazon Cloud Technology believes standardization and automation are imperative. Excessive human involvement creates new security risks, so automated security processes should be established that keep people away from data: standardize security and achieve consistency through automation.

Automating security tasks on Amazon Cloud improves security by reducing manual configuration errors and frees developers to focus on the business itself. Users can choose from a range of deeply integrated solutions and combine them to automate tasks in new ways, making it easier for security teams to work closely with development and operations teams to create and deploy code faster and more securely.

For example, Amazon GuardDuty can be integrated with Amazon CloudWatch and Amazon Lambda. GuardDuty analyzes log events from many Amazon Cloud Technology data sources, such as Amazon CloudTrail event logs, Amazon VPC flow logs, Domain Name System (DNS) logs and Amazon S3 data event logs, tens of billions of events in all, and can detect more than 100 kinds of security threats and classify them automatically. Users can then respond to the detected threats quickly with Lambda, limiting the impact of security incidents efficiently and remediating them in time.

In practice, the SaaS platform Anzhilian 365 uses Amazon IoT Core to build an IoT device platform for status collection and two-way messaging with smart security hardware, and introduced Amazon Lambda on a microservice architecture so that the development team can handle scenarios such as caching with simple code. After automating operations, maintenance and monitoring with Amazon CloudWatch, Anviz needs only one engineer to run the operation and maintenance of Anzhilian 365's global infrastructure, letting the enterprise devote more people to developing the business.

2.2 Concept 2: Security in the cloud is actively designed, not just reactive.

Chinese users have been in the habit of building security compliance in response to compliance requirements or publicized security incidents. This approach usually lags behind events and leaves enterprises exhausted by one response after another.

Amazon Cloud Technology holds, first, that security compliance is closely tied to users' business development and continuity: security is not something that exists independently but should be fully integrated into the business as a primary condition for its development. Second, security compliance should be based on design rather than on reacting to incidents; security should be planned ahead of time and built proactively at both the technical and the management level according to the business situation and the characteristics of the system. Finally, Amazon Cloud Technology's own security services are built around prevention, detection, response and remediation, which users can also use as a reference for building their security systems.

Prevention: define user permissions and identities, infrastructure protection and data protection measures to develop a smooth, well-planned security strategy.

Detection: gain visibility into the enterprise's security posture through logging and monitoring services, and feed this information into an extensible platform for incident management, testing and auditing.

Response: automate incident response so security teams can shift their focus from response to root cause analysis.

Remediation: use event-driven automation to remediate and secure cloud environments in near real time.

Take Amazon GuardDuty as an example. This intelligent threat detection service continuously monitors for malicious activity targeting users' AWS accounts and workloads and produces detailed findings for visibility and remediation. Its console integration with Amazon Detective lets users quickly determine the root cause of suspicious activity. Account takeover, for instance, is hard to spot quickly without continuous near-real-time monitoring of the relevant signals; GuardDuty's continuous monitoring and analysis surface such security events through findings that include context, metadata and details of the affected resources. It also stops unauthorized activity in a timely manner, preventing the use of compromised credentials, unusual data access in Amazon Simple Storage Service (S3), API calls from known malicious IP addresses, and more.
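The GuardDuty, CloudWatch and Lambda integration described under Concept 1, and the detect-respond-remediate loop just described, can be sketched as a single Lambda handler. The following is an added example written for this article, not code from Amazon or from any of the companies mentioned: the event is a constructed sample in the envelope that CloudWatch Events (now EventBridge) uses for GuardDuty findings, the account id and access key id are documentation placeholders, and the severity thresholds, action names and the choice to disable only IAM access keys automatically are design assumptions, not an Amazon recommendation.

```python
"""Event-driven guardrail: a Lambda handler that receives an Amazon GuardDuty
finding (forwarded by CloudWatch Events / EventBridge) and decides how to
respond by finding type and severity. Added example: the event below is a
constructed sample; the boto3 call runs only when dry_run is False."""

HIGH, MEDIUM = 7.0, 4.0  # GuardDuty severity bands: High 7.0-8.9, Medium 4.0-6.9


def plan_response(finding):
    """Map one GuardDuty finding (the event's 'detail' object) to an action.

    Only the access-key path is executed by lambda_handler; instance isolation
    is returned as a plan for a downstream automation (assumed design)."""
    severity = float(finding["severity"])
    resource = finding["resource"]
    rtype = resource["resourceType"]
    plan = {"finding_type": finding["type"], "severity": severity, "resource_type": rtype}

    if severity >= HIGH and rtype == "AccessKey":
        key = resource["accessKeyDetails"]
        plan.update(action="disable_access_key",
                    user_name=key["userName"], access_key_id=key["accessKeyId"])
    elif severity >= HIGH and rtype == "Instance":
        plan.update(action="isolate_instance",
                    instance_id=resource["instanceDetails"]["instanceId"])
    elif severity >= MEDIUM:
        plan["action"] = "open_ticket"  # human review, no automatic change
    else:
        plan["action"] = "log_only"
    return plan


def lambda_handler(event, context=None, dry_run=True):
    """Entry point for an EventBridge rule matching source 'aws.guardduty'."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignored", "reason": "not a GuardDuty finding"}
    plan = plan_response(event["detail"])
    if plan["action"] == "disable_access_key" and not dry_run:
        import boto3  # only needed in a real deployment
        boto3.client("iam").update_access_key(
            UserName=plan["user_name"], AccessKeyId=plan["access_key_id"], Status="Inactive")
    plan["dry_run"] = dry_run
    return plan


# Constructed sample event. Account id and access key id are documentation
# placeholders, not real identifiers; the finding type is a real GuardDuty type.
SAMPLE_EVENT = {
    "version": "0", "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "123456789012", "region": "us-east-1",
    "detail": {
        "schemaVersion": "2.0", "accountId": "123456789012", "region": "us-east-1",
        "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
        "severity": 8,
        "resource": {
            "resourceType": "AccessKey",
            "accessKeyDetails": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                                 "userName": "ci-deploy", "userType": "IAMUser"},
        },
        "title": "API call from a custom-list IP address by ci-deploy",
    },
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT))
```

The handler is deliberately a guardrail rather than a checkpoint: nothing in the request path waits for it, and the only automatic change it makes is reversible (an inactive key can be re-enabled). Medium findings go to a ticket, so the automation's blast radius stays bounded while the security team keeps visibility over everything else.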

2.3 Concept 3: Cloud security must be an onion-type multi-layered protection, not an egg.

As multi-cloud environments spread, enterprise IT architectures grow ever more complex, and security threats in the cloud are distributed across every link. The threats and challenges enterprises face keep widening, from CVE vulnerabilities and illegal intrusions to DDoS attacks, and security incidents emerge one after another.

Amazon Cloud Technology believes cloud security protection should follow an onion model, unfolding layer by layer, rather than an egg. An eggshell may seem harder than an onion, but it is a single layer of protection; cloud security must be a progressive protection mechanism like an onion.

In its onion model, Amazon Cloud Technology defines five layers: threat detection and incident response, then identity authentication and access control, then network and infrastructure security, then data protection and privacy, and finally risk management and compliance. The security services in each of these five areas are as follows:

1) Threat detection and incident response. This layer must locate threats accurately, respond quickly, and monitor and analyze security threats at all times. Key services include:

Amazon GuardDuty, which locates threats precisely. Its advantage is that it draws on rich threat intelligence sources and, at the same time, applies machine learning to model API calling behavior, combining this with probabilistic prediction to isolate and warn of highly suspicious user behavior more accurately.

Amazon Security Hub, a unified management platform for security events, not only provides 24x7 real-time monitoring of threat detections, timely response and automated compliance checks, but also links the upstream and downstream of a threat event and attempts root cause analysis.


2) Identity authentication and access control. This link has been relatively weak in enterprise security management; statistics show that 80% of security incidents are caused by weak passwords. Here Amazon Cloud Technology offers two lessons from experience and three technical suggestions.

Two lessons: apply the principle of least privilege, confirming that each authorization is necessary and tied to a business need or responsibility; and audit least privilege regularly, with no permanent authorizations, so that every authorization is time-limited.

Three technical suggestions: make access as fine-grained as possible and set access conditions by time, location and service; strengthen identity authentication with multi-factor authentication (MFA); and reduce the use of long-term credentials.

At the tool level, Amazon Identity and Access Management (IAM) is the core service for identity authentication and access control, providing fine-grained access control across all services and resources of Amazon Cloud Technology. Amazon Organizations is an efficient identity and access governance service that centrally manages an organization's multiple accounts and establishes permission guardrails and data boundaries.
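The two lessons and three suggestions above map directly onto IAM policy conditions. The block below is an added example for this article, not Amazon's code or documentation: it places a standing, unconditional grant (the weak setting) beside a grant that is scoped to one bucket, requires MFA, is limited to a network range and expires on a date, and includes a small evaluator so the effect of each condition can be checked offline. The bucket name, the 203.0.113.0/24 range (a documentation range) and the expiry date are constructed; the evaluator implements only the three condition operators used here plus implicit deny, and does not model explicit Deny statements or IAM's full operator set.

```python
"""Least-privilege IAM policy with MFA, source-IP and expiry conditions, beside
the broad policy it replaces, plus a minimal evaluator.  Added example: policy
documents and request contexts are constructed; only the condition operators
used here (Bool, IpAddress, DateLessThan) are implemented."""
from datetime import datetime, timezone
from fnmatch import fnmatchcase
import ipaddress

# Weak setting: permanent, unconditional access to every S3 action and bucket.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Corrected setting: read-only on one (constructed) bucket, MFA required, only
# from the corporate range, and the grant itself expires (no permanent authorization).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
        "Condition": {
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
            "DateLessThan": {"aws:CurrentTime": "2024-07-01T00:00:00Z"},
        },
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _parse_ts(ts):
    """IAM date conditions use RFC 3339 / ISO 8601 timestamps in UTC."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _condition_holds(operator, key, expected, ctx):
    actual = ctx.get(key)
    if actual is None:
        return False  # a missing context key fails a positive condition
    if operator == "Bool":
        return str(actual).lower() == str(expected).lower()
    if operator == "IpAddress":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected)
    if operator == "DateLessThan":
        return _parse_ts(actual) < _parse_ts(expected)
    raise ValueError(f"unsupported condition operator: {operator}")


def is_allowed(policy, action, resource, ctx):
    """Implicit deny unless some Allow statement matches action, resource and
    every condition.  Explicit Deny is not modelled in this simplified evaluator."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_holds(op, key, expected, ctx)
               for op, pairs in conditions.items() for key, expected in pairs.items()):
            return True
    return False


if __name__ == "__main__":
    # Constructed request context: MFA session, corporate IP, before expiry.
    ctx = {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "203.0.113.42",
           "aws:CurrentTime": "2024-06-15T09:00:00Z"}
    obj = "arn:aws:s3:::example-reports/q2.csv"
    print("scoped, read with MFA from office:", is_allowed(SCOPED_POLICY, "s3:GetObject", obj, ctx))
    print("scoped, delete:", is_allowed(SCOPED_POLICY, "s3:DeleteObject", obj, ctx))
    print("broad, delete, no MFA:", is_allowed(BROAD_POLICY, "s3:DeleteObject", obj, {}))
```

Each condition closes one of the gaps the text names: the Bool key enforces MFA, the IpAddress key sets a location condition, the DateLessThan key makes the authorization time-limited so the regular audit has a natural checkpoint, and the narrowed Action and Resource lists are the fine-grained access. Real IAM also supports IfExists variants and explicit Deny; those are outside this evaluator.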

3) Network and infrastructure security. Protection on the CDN side is the focus of this layer. Defending against DDoS attacks must be an ongoing effort, because any attack can interrupt the business and in turn affect end users' experience; if defense waits until a DDoS attack is discovered, the stability and continuity of the business will already be severely damaged.

Amazon Shield Advanced provides 24/7 defense of protected resources and enables rapid response and mitigation. Another standard product is Amazon WAF, a web application firewall service whose distinguishing feature is a rich rule base, including fully managed rules developed by the Amazon security team, which users can supplement with custom rules to suit their needs.

4) Data protection and privacy. Amazon Cloud Technology provides encryption services across the entire data life cycle, and data protection covers storage, transmission and use.

For encryption of data at rest, the Amazon KMS key management service integrates with 140 Amazon Cloud services to encrypt the data stored in them; this high level of integration reduces manual work and the probability of error. For users who require higher data confidentiality, Amazon CloudHSM provides a secure and simple dedicated hardware security module in the cloud.

For encryption of data in use, Amazon Cloud Technology also has its own solution: Amazon Nitro Enclaves provides a confidential computing environment in the cloud in which users can create an isolated environment to process sensitive data that even their own system administrators, developers and applications cannot access, reducing the attack surface during sensitive data processing.


5) Risk management and compliance. Amazon Cloud Technology helps users comply with regulations along four dimensions.

First, the compliance of Amazon Cloud Technology's own services: its compliance certifications cover not only the infrastructure but each individual cloud service, so when customers deploy Amazon cloud services their compliance is recognized by the certification bodies. Second, according to user demand, Amazon Cloud Technology provides many best practices for implementing compliance. Third, automated auditing: compliance audits and assessments have always consumed a great deal of time, and Amazon Audit Manager simplifies audit management and compliance assessment. Fourth, the consulting and implementation capabilities of partners, who provide hundreds of industry-leading security solutions to help users improve security and compliance in areas including infrastructure security, policy management, identity management, security monitoring, vulnerability management, data protection and consulting services.

3. Three cloud security case studies

Millions of users worldwide, across almost every industry, have chosen and trusted Amazon Cloud Technology. How have the companies that migrated successfully built their security barriers in the cloud? Here are three classic industry cases of cloud migration.

Case 1: Fenglinhuo leverages the cloud to achieve continuous compliance and comprehensively improve security efficiency

Shenzhen Fenglinhuo Computer Technology Co., Ltd. (hereinafter "Fenglinhuo") was founded in 1996 and focuses on online chess and card games, combining R&D and operations; its products rank among the leading domestic online chess and card games.

Early on, Fenglinhuo's business and game products were hosted in an IDC, and the entire server life cycle was managed manually by the company itself. When a game was released or upgraded, staff had to deploy and configure the equipment by hand, and it usually took a month for a new version to be ready for official release.

As Fenglinhuo entered a period of rapid growth, the shortcomings of IDC hosting, such as poor flexibility, limited computing resources and low efficiency, began to show. The old IDC hosting model also lacked timely responses to customer needs and security threats, and the traditional IT architecture could not provide enough room for business innovation.

Seeing that Amazon Cloud Technology had become the first choice of many overseas game companies, Fenglinhuo decided to work with Amazon Cloud Technology and completed the migration of all its business from the IDC to Amazon Cloud Technology at the end of 2017.

After all its servers moved to the cloud, Fenglinhuo's release and upgrade cadence for game versions increased from once a month under IDC hosting to at least once a week, greatly improving the speed of business delivery. On the security side, traditional threat detection services are time-consuming and labor-intensive when analyzing massive log data, and continuous compliance and aggregated management across different security events also pose great challenges. Fenglinhuo therefore uses Amazon GuardDuty and Amazon Security Hub to comprehensively improve the efficiency of its security operations.

Xu Huajie, operations and maintenance engineer at Fenglinhuo Games, said: "Amazon Cloud Technology allows us to devote more energy to software engineering, achieve faster delivery, and reduce the accident rate by more than 70%. In the past we were constantly 'fighting fires'; now we can sometimes 'set fires' ourselves to continuously improve the robustness of the platform." In addition, with limited staff, "Amazon Cloud Technology empowers our security, realizes efficient security monitoring, and assists us in timely security response, which reduces security risks and allows us to view security incidents across our entire architecture from a higher vantage point."

Case 2: Zero data loss in the cloud: Tuya Smart builds toward the vision of intelligent interconnection of all things

Globally, artificial intelligence and Internet of Things technologies are forming a new smart industry ecosystem, and the IoT development platform Tuya Smart is committed to becoming a key link in it. However, the highly fragmented application scenarios and demands in the middle and lower reaches of the IoT industry lead to a diversity of network communication methods and platforms, which poses great challenges for device interconnection.

To this end, Tuya Smart must not only promote the collaborative optimization of software and hardware but also deploy cloud networks around the world so that its cloud services reach five continents. So far, the Tuya IoT development platform has provided IoT services on mainstream public clouds in 220 countries and regions, thanks to global infrastructure and rich cloud products including those of Amazon Cloud Technology.

"When choosing a cloud vendor, we decide based on infrastructure coverage, security and stability, and the richness of products," said Ke Dumin, vice president of Tuya Smart Technology, "and Amazon Cloud Technology can fully meet the needs in all three areas."

On security, Amazon Cloud Technology was the first vendor in the industry to launch a Key Management Service (KMS). Building on KMS's key protection and its integration with other Amazon Cloud Technology services, Tuya became the first in the public cloud industry to support physical encryption of products such as databases, giving Tuya a very good baseline security guarantee.

As the data processor for the Tuya IoT PaaS platform, the registration information of customers on its app and the data generated by their various operations are stored on the public cloud platform in real time, which makes data security particularly important. Tuya Smart uses KMS to manage the keys that encrypt its data, and uses the Identity and Access Management (IAM) authentication mechanism to ensure isolation of data access, which safeguards data security.

For example, "if we are serving European customers, all their data is stored on Amazon Cloud Technology in Europe, and the data centers are physically isolated." With the help of Amazon Cloud Technology, the Tuya Smart IoT PaaS has achieved zero data loss since its launch.

Case 3: Self-owned brands go overseas: Midea secures a safe and compliant ticket to sail

In 2006, beginning with the construction of a factory in Vietnam, Midea truly began exploring the management of its own brands overseas. Over more than ten years of expanding abroad, Midea has stuck to a localization strategy adapted to local conditions and formed a brand matrix including Midea, COLMO and Toshiba. According to its financial reports, overseas revenue has accounted for more than 40% of the total for many years.

With smart products now spanning every category, how to build a smart home platform that is secure, stable, reliable, easy to operate and maintain, and covers the whole world at lower cost has become a major challenge for Midea. After comprehensively evaluating multiple cloud platforms, Midea chose Amazon Cloud Technology as one of the IT infrastructure partners for its overseas platform.

The smart home platform connects to users' smart appliances and stores the related user data, while the EU and the US impose strict data compliance requirements. By working with Amazon Cloud Technology, Midea can not only rely on its rich security services but also inherit its compliance and quickly deploy its own applications overseas.

"Our IT architecture is deployed on Amazon Cloud Technology, and these security compliance issues are solved by them, so we don't need to worry about them. If we did this work ourselves, we might need an extremely large team," said Wang Jianguo, Vice President of Midea Group and President of Midea International.

Amazon Cloud Technology's mature and extensive global customer experience was another driver of the partnership: "Amazon Cloud Technology has rich experience, and many successful global companies run on its cloud platform, including many of our upstream and downstream global partners, which forms a very good data ecosystem."

Epilogue

  1. In the cloud security field today, cloud security compliance is the primary consideration for users when selecting a platform. How the security of the cloud infrastructure and of each cloud service is ensured is the first thing cloud platform providers need to communicate clearly.
  2. For multinational and overseas-focused enterprises, the global security and compliance capabilities of cloud platform providers are the focus. A provider like Amazon Cloud Technology, with global infrastructure and partner network members, offers security and compliance that can help users meet the requirements of almost all regulatory agencies worldwide.
  3. Cloud security scenarios are far more complex and varied than those of traditional data centers. To enter the cloud security market quickly, traditional IT security vendors must not only draw on their long-term technical accumulation and customer base but also partner with strong cloud platform providers. Amazon Cloud Technology is continuously bringing the technologies of the world's newest security partners to China while also strengthening cooperation with local security partners; this ecosystem of strong alliances is becoming a trend for the future.
  4. For cloud security service providers, careful planning is required to build security compliance without hindering users' business innovation. Amazon Cloud Technology offers a new answer: its three security concepts articulate its practical standard for combining security and innovation from the perspectives of automation, active design and multi-layer protection.
