Cloud Security Notes: Cloud-native full-link encryption

These are study notes on the Alibaba Cloud blog post "How to ensure data security on the cloud? An article detailing cloud-native full-link encryption":
https://developer.aliyun.com/article/739282

Cloud-native full-link encryption

The CIA triad of information security: Confidentiality, Integrity, Availability.

A common means of achieving confidentiality is data encryption; in the cloud-native setting this takes the form of a full-link encryption capability.

"Full link": the whole path of data transmission, computation and storage.
"Full-link encryption": end-to-end data encryption protection, that is, encryption during transmission (from outside the cloud into the cloud, and between units within the cloud), during computation (when a running application uses or exchanges the data), and during storage (when the data is finally persisted to disk).

  • Data transmission (encryption of data communication, encryption of microservice communication, application certificate and key management);
  • Data processing (runtime security sandbox runV, trusted computing security sandbox runE);
  • Data storage (CMK/BYOK encryption support for cloud-native storage, storage management for ciphertext/keys, storage encryption for container images, security of container operation/audit logs).


The following describes the current state and the future goals of cloud-native full-link encryption.

Cloud Security -> Cloud Data Security -> Cloud Native Full Link Encryption


Cloud security

Covers both cloud customer security and cloud vendor security, spanning IaaS software, hardware, and physical data center security.

  • Cloud-native customer security: application security, operational security, business security, container network security, container data security, container runtime security
  • Cloud customer security
  • Cloud vendor (cloud IaaS DevOps) security
  • Cloud-native security

Cloud-native security

Cloud-native security first needs to follow cloud data security standards.

It reuses the security of the underlying infrastructure (physical security, DDoS protection, and so on), and additionally requires security of the data and of the software.

Cloud-native storage describes the life cycle of cloud data through declarative APIs (such as Kubernetes YAML manifests) and does not expose the data encryption details of the underlying IaaS to users.

Cloud-native storage is generally the carrier of cloud data and reuses the basic security capabilities of the cloud IaaS. It also has to cover image security in the software supply chain, root file system security at container runtime, and container network security.

  • Cloud-native secure runtime = computing security, memory security, file system security and network security during data processing
  • Cloud Native Software Supply Chain Security = Executable/User Code Security
  • Cloud-native infrastructure security = cloud data storage security

Cloud data security

It covers three areas of work:

  • Data protection: RAM ACLs control fine-grained access to data; Sensitive Data Discovery and Protection (SDDP), data masking, and data classification.
  • Data encryption: encryption of data with a customer master key (CMK) or with a bring-your-own key (BYOK).
  • Key/ciphertext management: cloud services such as KMS/HSM; third-party Vault services.

Data Security Lifecycle

The data life cycle (illustrated in a figure in the original post) has six stages.

Cloud-native data life cycle (taking ACK, Container Service for Kubernetes, as an example):

  1. Creating a cloud disk persistent volume defines the data, and encryption of the cloud disk data must be expressed in that definition. Both key selection and encryption algorithm selection can be supported declaratively, and RAM permissions are fine-grained and follow least privilege;
  2. Attaching the cloud disk to the virtual machine: this can be triggered by a PVC reference in a Pod;
  3. Decryption of cloud disk data: transparent encryption and decryption on the block device using the user's CMK/BYOK;
  4. Changes in the Pod life cycle lead to Detach/Attach of the PVC-associated cloud disk on different host ECS instances;
  5. The snapshot life cycle of the PV triggers creation of cloud disk snapshots;
  6. Deletion of the PV can be tied to releasing the cloud disk and deleting its data via OnDelete.
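Step 1 above says disk encryption and key selection must be expressed in the volume definition. The following is an added audit helper, not code from the original post or from ACK, that checks a set of manifests for PVCs bound to a cloud-disk StorageClass that does not declare encryption; the provisioner name and the `encrypted`/`kmsKeyId` parameters follow the alicloud-disk CSI StorageClass documentation and should be treated as assumptions to verify against your driver version, and the sample manifests are constructed.

```javascript
// Assumed provisioner name of the Alibaba Cloud disk CSI driver (verify for your cluster).
const DISK_PROVISIONER = 'diskplugin.csi.alibabacloud.com';

// Describe how a StorageClass handles encryption for the disks it provisions.
function classifyStorageClass(sc) {
  const p = sc.parameters || {};
  if (sc.provisioner !== DISK_PROVISIONER) return { encrypted: null, reason: 'not a cloud-disk class' };
  if (p.encrypted !== 'true') return { encrypted: false, reason: 'parameters.encrypted is not "true"' };
  // encrypted=true without kmsKeyId means the disk is encrypted under the service key.
  return { encrypted: true, reason: p.kmsKeyId ? `customer key ${p.kmsKeyId}` : 'service key' };
}

// Audit every PVC. A PVC without storageClassName falls back to the cluster default,
// which a static check of the manifests cannot see, so it is flagged, not assumed safe.
function auditVolumeClaims(manifests) {
  const classes = new Map(manifests.filter(m => m.kind === 'StorageClass').map(m => [m.metadata.name, m]));
  return manifests.filter(m => m.kind === 'PersistentVolumeClaim').map(m => {
    const pvc = `${m.metadata.namespace || 'default'}/${m.metadata.name}`;
    const scName = m.spec && m.spec.storageClassName;
    if (!scName) return { pvc, ok: false, reason: 'no storageClassName; depends on cluster default' };
    const sc = classes.get(scName);
    if (!sc) return { pvc, ok: false, reason: `StorageClass ${scName} not in manifests` };
    const v = classifyStorageClass(sc);
    return { pvc, ok: v.encrypted === true, storageClass: scName, reason: v.reason };
  });
}

// Constructed sample manifests (the JSON form of the YAML kubectl would accept).
const SAMPLE = [
  { kind: 'StorageClass', metadata: { name: 'disk-plain' }, provisioner: DISK_PROVISIONER,
    parameters: { type: 'cloud_essd' } },
  { kind: 'StorageClass', metadata: { name: 'disk-byok' }, provisioner: DISK_PROVISIONER,
    parameters: { type: 'cloud_essd', encrypted: 'true', kmsKeyId: 'key-id-placeholder' } },
  { kind: 'PersistentVolumeClaim', metadata: { name: 'logs', namespace: 'app' },
    spec: { storageClassName: 'disk-plain', resources: { requests: { storage: '20Gi' } } } },
  { kind: 'PersistentVolumeClaim', metadata: { name: 'db', namespace: 'app' },
    spec: { storageClassName: 'disk-byok', resources: { requests: { storage: '100Gi' } } } },
  { kind: 'PersistentVolumeClaim', metadata: { name: 'scratch' }, spec: {} },
];

// Example run: auditVolumeClaims(SAMPLE) flags app/logs and default/scratch, passes app/db.
```

The same check can be enforced at admission time, but running it over manifests in CI catches an unencrypted class before a disk is ever provisioned.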

Full link data security

In a narrow sense, it refers to end-to-end encryption of data, focusing on three phases of the data life cycle:

  • data transmission
  • data processing
  • data storage

data transmission

The design of secure communication, together with the secure management and transmission of ciphertext/keys, must not only meet the secure-transmission needs of the cloud environment; the container network, microservice and blockchain scenarios introduced by cloud native also place further requirements on the secure transmission of cloud-native data.

Cloud secure transmission:

  • VPCs and security groups in the cloud environment, with secure management of ciphertext/keys through KMS;
  • North-south traffic obtains a trusted, valid CA through the SSL certificate service, with HTTPS encryption and offloading for north-south traffic;
  • RPC/gRPC communication uses SSL encryption to reduce the attack surface within the VPC;
  • Secure access links through VPN/SAG gateways.

Cloud-native secure transmission:

  • Multi-tenant scenarios, where a single cluster lets several tenants share the network at the same time: permission control of system components, encryption of data communication, certificate rotation management, and network isolation and traffic scrubbing for east-west traffic;
  • Cloud-native microservice scenarios: encrypted communication between applications/microservices, and certificate management;
  • Independent management and third-party integration of keys and ciphertexts in cloud-native scenarios: integration of KMS with Vault CA, fabric-ca, istio-certmanager, and so on.

data processing

Memory-level trusted computing involves not only the secure-operation requirements of cloud virtualization, but also container security sandboxes and trusted security sandboxes.

  • Cloud virtualization trusted computing: TEE SGX; ARM TrustZone;
  • Cloud-native container security sandboxes: runV (Kata Containers secure sandbox); runE (Graphene/Occlum trusted security sandbox).

data storage

Beyond the cloud-security requirements for cloud storage encryption and cloud data-service encryption, there are requirements for container image storage encryption, encryption of audit logs and application logs, third-party integration, and secure storage of secrets (ciphertext and passwords).

Cloud storage encryption method:

  • data + encryption algorithm + user key or master key;
  • client-side encryption / server-side encryption.

Cloud storage data is encrypted mainly on the server side, with keys managed securely in KMS/HSM and with secure encryption algorithms; both the domestic (Chinese SM-series) algorithms and the common international cryptographic algorithms are fully supported, to meet users' needs for different algorithms:

  • Symmetric encryption algorithms: SM1, SM4, DES, 3DES, AES;
  • Asymmetric cryptographic algorithms: SM2, RSA (1024-2048);
  • Digest algorithms: SM3, SHA1, SHA256, SHA384.

Alibaba Cloud only manages the device hardware, including monitoring device availability metrics and enabling or stopping the service. The key is managed entirely by the customer, and Alibaba Cloud has no way to obtain the customer's key.

Cloud storage encryption support:

  • Block storage (EBS cloud disks): supports encryption of data on the block storage device (the cloud disk) used inside the virtual machine, so that block storage data is stored encrypted in the distributed system; either the service key or a user-selected key can serve as the master key for data encryption;
  • Object Storage Service (OSS): supports both server-side and client-side storage encryption. Server-side encryption can use the service key or a user-selected key as the master key; client-side encryption can use a key the user manages themselves, or a master key held in the user's KMS;
  • RDS database data encryption: multiple RDS database versions support using the service key or a user-selected key as the master key, through Transparent Data Encryption (TDE) or the cloud disk instance encryption mechanism;
  • Table Store (OTS): supports data encryption with the service key or a user-selected key as the master key;
  • File storage (NAS): supports data encryption with the service key as the master key;
  • MaxCompute big data computing: supports data encryption with the service key as the master key;
  • Operation logs and audit logs: secure storage, and integration with third-party logging systems.

Cloud-native storage encryption:

Currently, Alibaba Cloud Container Service for Kubernetes (ACK) mainly hosts block storage, file storage and object storage; other data services such as RDS and OTS are supported through Service Broker.

  • User container images/code (enterprise-edition container image service, OSS CMK/BYOK encryption);
  • Cloud-native storage volumes (PVs): declarative support for CMK/BYOK on cloud storage and for encryption at the data service layer;
  • Action logs and audit logs (ActionTrail OpenAPI / Kubernetes audit log: SLS log encryption);
  • Secrets (ciphertext and passwords): third-party encryption support via KMS/Vault, with ciphertext held in memory rather than persisted in etcd.

Origin blog.csdn.net/weixin_43466027/article/details/119697577