On June 15, the 2022 Cloud Native Industry Conference announced that Alibaba Cloud had obtained the only highest-level certification in China in the "Cloud Native Security Maturity" assessment run by the China Academy of Information and Communications Technology (CAICT). The CAICT "Cloud Native Security Maturity" standard examines the security of an enterprise's cloud-native architecture across five domains: infrastructure security, cloud-native infrastructure security, cloud-native application security, cloud-native R&D and operations security, and cloud-native security operations, with a total of 315 sub-items. Alibaba Cloud's cloud-native application platform has built up full-link cloud-native security solutions through serving enterprise customers at scale and refining innovative technology, and the result fully demonstrates the breadth and leadership of the security capabilities of Alibaba Cloud's cloud-native products.
(Figure 1: Alibaba Cloud Cloud Native Security Maturity Model Evaluation Report)
Security compliance is the primary requirement for enterprises migrating to the cloud and deploying globally. As cloud native redefines computing infrastructure and enterprise application architecture, traditional enterprise security protection architectures face new challenges.
- Lack of systematic cloud-native security capability building: Traditional enterprise application security models usually draw security boundaries between trust domains, and east-west service interaction within a trust domain is treated as secure. After moving to the cloud, container applications may need to drift between the IDC and the cloud. Static identifiers (such as IP addresses) used in the traditional perimeter-based security model no longer work in cloud-native scenarios; enterprise security protection needs to move towards attribute-based and cluster-metadata-based identification (such as tagging) to recognize changing, dynamic workloads, and to implement zero-trust security measures.
- Lack of security protection across the entire application life cycle: Containers provide elasticity, agility and dynamic scalability, and also change how applications are deployed. The life cycle of the application itself is greatly shortened, and the life cycle of a container instance is usually measured in minutes. This requires more automated security controls in the enterprise application life cycle and security design architecture, including application-side full-life-cycle protection spanning the identity system, asset management, authentication and authorization, threat analysis, detection and blocking.
- Lack of understanding of the shared security responsibility model on the cloud: During the cloud-native transformation of enterprise applications, application developers and security operations staff need to understand the responsibility boundary between the enterprise itself and the cloud service provider. From application design, development, build, distribution and deployment to runtime, cloud service providers need to deliver productized cloud-native security protection capabilities, while enterprises need to deepen their understanding of cloud-native security concepts, tools and processes, keep learning, and put them into real, long-term practice in their applications.
Cloud Native Security Maturity Model
Alibaba Cloud's cloud-native security aims to provide more complete, full-link, secure and trustworthy defense in depth, building on the traditional security model while taking advantage of the agile, efficient, distributed and immutable characteristics of cloud-native architecture. Across the cloud-native application life cycle, it shifts security left, integrating security as early as possible and implementing preventive, active defense; at the same time, security architecture designs based on zero trust, a secure software supply chain and DevSecOps improve the efficiency of enterprise security protection.
In the CAICT cloud-native security maturity model evaluation, the security protection capabilities of the cloud-native platform architecture are covered across all scenarios and multiple dimensions. The evaluation standard as a whole gives enterprises a yardstick for self-assessment and a construction guideline for cloud-native security capabilities. In the evaluation of all 5 domains of this standard, Alibaba Cloud obtained the only highest-level certification for all domains in China.
(Figure 2: Cloud-native security maturity model)
Cloud-native security panorama
From Container Registry (ACR) and Container Service for Kubernetes (ACK) to Cloud Security Center and Web Application Firewall, Alibaba Cloud's rich family of cloud-native security products safeguards Alibaba's own large-scale cloud-native practice and secures the entire application life cycle. At the same time, these cloud-native security capabilities also support millions of enterprises on the cloud, from infrastructure, cloud-native infrastructure, cloud-native applications and cloud-native R&D operations to cloud-native security operations and maintenance, improving full-link security and the efficiency of enterprise security governance.
Alibaba Cloud has now officially released the cloud-native security panorama, covering more than 10 product lines of the Alibaba Cloud native platform and 50+ products with a total of 522 core security capabilities, helping enterprises build business systems that are more secure, controllable, advanced and intelligent.
(Figure 3: Alibaba Cloud Cloud Native Security Panorama)
- Infrastructure security: Alibaba Cloud has built solid platform-level security capabilities for cloud infrastructure such as computing, storage and networking. For computing security, Cloud Security Center and Container Image Service support automatic vulnerability detection, alerting, source tracing and attack analysis, as well as automatic and intelligent repair of image vulnerabilities; they also support baseline scanning and rich policy configuration for multi-OS and hybrid-cloud architectures. For network security, the Cloud Firewall service supports protection at multiple boundaries and adaptive intelligent policy recommendation and distribution based on traffic-learning results. For storage security, the Container Service backup center supports remote backup and rapid recovery of application data, and ACK One provides backup and disaster recovery across two sites and three data centers in multi-cloud and hybrid-cloud scenarios. In addition, ACK-TEE provides confidential computing based on the integration of software and hardware, helping protect residual information in memory.
- Cloud-native infrastructure security / supply chain security: On the cloud-native network side, Container Service and Cloud Security Center provide pod-level east-west policy control and intelligent blocking, and support a visual display of the cluster network topology; the ASM service mesh provides full-link traffic encryption, observation, monitoring and layer-7 access control under the Service Mesh framework. For orchestration and component security, the ACK container service supports multi-dimensional automatic security inspection, helping to discover potential risks in cluster applications and offering hardening recommendations, and ensures that all system components are hardened against CIS and other compliance specifications; with managed node pools, cluster node CVEs can be automatically self-healed and repaired. For access control, the RRSA feature of ACK clusters isolates permissions on cloud resources at the pod level on the cluster application side. For image security, ACR Container Image Service Enterprise Edition provides the cloud-native delivery chain, which together with productized capabilities such as image integrity verification builds enterprise-grade supply chain DevSecOps capabilities. For runtime security, Cloud Security Center supports container-level real-time threat detection, alerting and intelligent handling, helping enterprises defend against in-container attack behaviors such as container escape, sensitive file operations and abnormal connections.
- Cloud-native application security: Cloud-native application security covers every aspect of enterprise application-side protection. In the general security direction, services such as Cloud Firewall and Web Application Firewall provide north-south and east-west attack protection and fine-grained access control for enterprise applications, and allow API vulnerabilities, injection attacks and sensitive data leakage to be monitored, analyzed and controlled with automatic remediation suggestions; enterprise applications can also use the ARMS RASP service for API-level call chain monitoring and API service asset management. For microservice security, the MSE microservice engine secures microservice network communication through its cloud-native gateway combined with services such as Cloud Firewall, and, alongside rich microservice governance capabilities, provides security monitoring and RASP protection at the application code layer. For serverless security, Function Compute supports fine-grained access control and tenant isolation for function resources such as storage and network, and supports real-time monitoring and complete auditing of function resources and traffic.
- Cloud-native security operations and maintenance: How to run security operations for cloud-native applications is a key concern of enterprises. For security management, services such as Container Service and Cloud Security Center support rich and detailed visual asset management. Based on Log Service, they provide complete audit logs on both the control plane and the business side, and support audit-based intelligent analysis, alerting and charting. For policy management, Container Service supports an OPA-based policy governance engine enforced at cluster deployment time, and the Apsara DevOps service provides policy-based process configuration and security detection for cloud-native development and testing processes. Identity management is the foundation of zero-trust security: Alibaba Cloud RAM and IDaaS support enterprise LDAP integration, identity-based customization of service-to-service access policy rules in the service mesh, and real-time detection and alerting of identity credential leakage. For security operations, Cloud Security Center supports luring and capturing attackers with cloud honeypots and customizing countermeasures, and also supports multi-dimensional visual detection, early warning and source tracing analysis. In addition, the Alibaba Cloud Threat Intelligence Platform supports IOC-based search and verdicts; vulnerability intelligence can be obtained through multiple channels and offline subscriptions to industry security event reports can be ordered, helping enterprise security operations teams improve operational and management efficiency.
- R&D and operations security: The Alibaba Cloud security team conducts strict security audits and management of the platform's internal R&D and operations processes. For security requirements, the security team maintains a requirements checklist for cloud products, supports application-specific customized requirements and automated test cases, and supports multi-channel requirements collection and systematic management. For development security, the process is secured through automatic inspection of component vulnerabilities, integrity verification and identity traceability, while security design is supported by systematic threat modeling and internal standardized security design specifications and technology stacks. The end-to-end testing tool chain, together with routine manual penetration testing, discovers vulnerabilities in time and automatically records them in the system to trigger repair notifications. The entire DevSecOps process can perform risk identification and handling through policy configuration without manual intervention.
Alibaba Cloud Container Product Family - Efficient, Secure, Intelligent and Boundless
Alibaba Cloud Container Service ACK supports the cloud-native transformation of 100% of the Group's core applications, and provides upgrade services that help tens of thousands of enterprises on the cloud modernize their applications. From the Internet to retail, finance, manufacturing and transportation, more and more industries are using innovative cloud-native technologies to solve their business problems. At the same time, containers are also supporting innovation in more industry scenarios. For example, in the field of intelligent driving, simulation requires massive computing power, and only cloud computing and cloud-native technologies can meet the business demand for computing power that is flexible, large-scale and efficient.
Alibaba Cloud Container Image Service ACR is one of the key pieces of infrastructure in a cloud-native architecture, responsible for the secure hosting and efficient distribution of cloud-native application artifacts. It has served thousands of enterprises, hosts several petabytes of container image data, and supports hundreds of millions of image pulls per month. In the DevSecOps scenario, enterprises can use the ACR cloud-native application delivery chain, or combine it with self-built CI/CD tools, to achieve efficient and secure cloud-native application delivery and accelerate their innovation cycles.
Alibaba Cloud Container Service ACK One builds on the multi-cloud, multi-cluster and multi-environment management capabilities provided by Alibaba Cloud. ACK One can simultaneously manage clusters on Alibaba Cloud, edge clusters, clusters deployed in customers' own data centers, and Kubernetes clusters on other clouds. It provides unified management of clusters, unified scheduling of resources, unified disaster recovery of data, and unified delivery of applications.
(Figure 4: Alibaba Cloud container product family)
Alibaba Cloud Container Service looks forward to working with more outstanding partners and enterprises to explore the future of cloud computing, build a new generation of cloud-native infrastructure that is efficient, secure, intelligent and boundless, and help enterprises accelerate technological innovation in the cloud era.
From June 23 to July 23, 2022, scan the QR code in the picture above or click https://page.aliyun.com/form/act1888746316/index.htm to fill in the questionnaire. Customers purchasing Alibaba Cloud Container Service Professional Edition (ACK Pro) or Container Image Service Enterprise Edition (ACR EE) for the first time can enjoy a 30% discount. We look forward to your feedback!