The global digital economy has entered a period of rapid development. The digital economy has become an important part of China's economic growth and a new growth pole for its economic development. Accelerating the digital transformation of all industries has become an important phased goal of the "14th Five-Year Plan" period. There is now broad consensus on building digital infrastructure with cloud computing at its core to modernize IT architecture, and cloud-native technology plays an important role as the technical core of next-generation cloud computing. After years of development, China's cloud-native technology ecosystem has matured, acceptance among industry users has risen rapidly, and the capital market is surging. It is foreseeable that China's cloud-native industry is about to enter a period of high prosperity.

On the user side, a full move to cloud native is the general trend, but the reshaping of the technology architecture and the change in application models have introduced new security risks, such as image vulnerabilities, container escapes, and the service-interaction security issues brought by fine-grained splitting into microservices. Such problems threaten enterprises' cloud-native platforms and applications, and building cloud-native security has become an essential part of both cloud-native platform construction and the cloud-native transformation of applications. In view of this, the China Academy of Information and Communications Technology, together with nearly 40 experts from more than 20 organizations in the industry, completed in one year the compilation of the first domestic cloud-native security maturity model standard, providing a self-assessment scale and construction guide for building enterprise cloud-native security capabilities.

As one of the world's leading cloud service providers, Alibaba Cloud successfully completed the first "Cloud Native Security Maturity Assessment". Alibaba Cloud is committed to building a stable, standard, and advanced cloud-native platform and to driving the industry's upgrade to cloud-native technologies, and it is one of the first companies in China to propose and define cloud-native security. It applies security capabilities to protecting cloud-native applications and applies cloud native's advantages of rapid development and convenient deployment to its security product technologies, so as to continuously provide cloud users with native protection capabilities for applications, data, business, network, and computing. Deep integration with the infrastructure promotes security as a service, supports flexible, dynamic, and complex industry scenarios, and has been recognized by users in industries including government, finance, and the Internet.

The most comprehensive evaluation dimensions

The cloud-native security maturity assessment covers 5 dimensions (infrastructure security, cloud-native infrastructure security, cloud-native application security, cloud-native R&D operation security, and cloud-native security operation and maintenance), 15 sub-dimensions, 46 practice items, and 356 detailed capability requirements, examining from multiple dimensions the security protection capabilities of the cloud-native platform architecture in all scenarios.

The widest range of collaboration

The technical teams involved in this evaluation spanned Beijing, Hangzhou, and Shenzhen and collaborated across more than 20 cloud-native products, such as container services, container image services, cloud security centers, and web application firewalls, comprehensively examining the richness of the security capabilities of Alibaba Cloud's cloud-native products.

Finest inspection granularity

The engineers of the China Academy of Information and Communications Technology strictly checked the verification requirements, carefully checked each evaluation item, and recorded the entire test process in detail. All tests were completed based on the Alibaba Cloud production environment, and the final evaluation report was nearly 400 pages long.

Introduction to the Cloud Native Security Maturity Model

The Cloud Native Capability Maturity Model (CNMM-TAS) aims to improve enterprise R&D efficiency and promote business innovation and development. Skill building. The Cloud Native Security Maturity (CNMM-TAS) assessment integrates the four concepts of zero trust, shift-left security, continuous monitoring and response, and observability. It comprehensively examines the security level of a cloud-native architecture across five dimensions: infrastructure security, cloud-native infrastructure security, cloud-native application security, cloud-native R&D operation security, and cloud-native security operation and maintenance. This helps enterprises quickly benchmark and locate their level of security capability, diagnose their own problems, and tailor the evolution of their security architecture to business needs and the model's higher-level capabilities.

*Cloud-native security maturity model*

In terms of infrastructure security domain capabilities, Alibaba Cloud has world-leading technical capabilities in computing, storage, network, and other infrastructure fields. At the same time, drawing on the characteristics of cloud-native technology, Alibaba Cloud provides, in scenarios such as hybrid cloud/distributed cloud and edge, comprehensive cloud service security isolation, attack protection, threat detection, and other measures, along with cross-region, multi-center data backup and recovery capabilities.

In terms of the cloud-native infrastructure security domain, Alibaba Cloud provides comprehensive security measures that build end-to-end security capabilities for container infrastructure, the supply chain, and the runtime on top of cloud-native technologies. These include Layer 7 access control and container firewall capabilities on the cloud-native network security side; industry-leading security hardening and access control capabilities on the orchestration and cluster management side; complete DevSecOps capabilities on the cloud-native supply chain side; and advanced intelligent protection, policy governance, and data security protection measures.

In terms of cloud-native application security domain capabilities, Alibaba Cloud has built an enterprise-level cloud-native application security architecture. For application communication, it provides full-link, multi-dimensional security isolation and traffic analysis capabilities. For internal application logic, it provides capabilities such as active attack defense against security vulnerabilities and protection of sensitive information in interfaces. Under cloud-native microservices and serverless architectures, Alibaba Cloud also provides security circuit breakers, fine-grained tenant isolation, and intelligent attack detection capabilities to safeguard enterprise application security.

In terms of cloud-native R&D operation security domain capabilities, having moved 100% of its core applications to cloud native, Alibaba Cloud's R&D and operation platform provides full-process, platform-based security management and DevSecOps capabilities, from automated management of security requirements through function design, development, testing, and product release. These ensure the security compliance of Alibaba Cloud Platform's own products throughout the life cycle from design and development to operation and sales.

In terms of cloud-native security operation and maintenance domain capabilities, Alibaba Cloud provides platform-based identity and password security management capabilities for the enterprise operation and maintenance side, and supports complete policy governance, asset management, and full-link security audit functions based on the characteristics of the zero-trust architecture. This not only effectively guarantees efficient and safe operation and maintenance for enterprises, but also supports intelligent threat detection, multi-level response, and traceability analysis capabilities in cloud-native scenarios, helping enterprises build a comprehensive security system.

Summary

From the Internet to retail, finance, manufacturing, transportation, and beyond, more and more industries are using cloud-native technologies to solve real business problems. Alibaba Cloud's rich family of cloud-native security products safeguards Alibaba's own large-scale cloud-native practices and ensures cloud-native security across the entire application lifecycle. At the same time, these cloud-native security capabilities support millions of enterprises in the cloud, from infrastructure, cloud-native infrastructure, and cloud-native applications to cloud-native R&D operations and cloud-native security operations and maintenance. They improve security across the entire link and the efficiency of enterprise security governance, accelerate the upgrade of enterprises' cloud-native architecture, and help enterprises build a more secure, controllable, advanced, and intelligent business system.


阿里云云原生