Amazon cloud technology: Security is not the problem but the answer

Text / In-depth observer Du Hao

Recently, the Yunnan Forest Fire Brigade won unanimous praise from netizens for its part in the rescue operation during the Beibei mountain fire in Chongqing; its novel tactics and professional operations were a breath of fresh air. In December 1993 the team was transferred from Daxinganling in Heilongjiang, a region of large forest farms, to Yunnan, which is also covered with large forests. In recent years it has extinguished an average of 142 fires a year, with a maximum of 281 in a single year. At its busiest it fought on 13 fire fields at the same time, and its longest continuous battle lasted 66 days and nights. It deserves the whole country's praise.

Security has always been a top priority in every field, and the ability to address security concerns depends on the number of security threats encountered and dealt with. Amazon Chief Information Security Officer Steve Schmidt said in his speech at the 2022 re:Inforce cloud security event: "Amazon cloud technology has millions of customers around the world and tracks billions of events every day, which enables Amazon cloud technology to detect more security threats. Amazon Cloud Technology will quickly locate and resolve these security threats, and update these capabilities into security services to benefit more customers."


Chen Xiaojian, general manager of the product department of Amazon Cloud Technology Greater China, said: "The security situation on the cloud is constantly changing with each passing day, as must security protection. Amazon Cloud Technology always regards security as the highest priority, and takes security as a culture throughout the entire enterprise operation of Amazon Cloud Technology. We will accelerate the implementation of security concepts, new security services and functions in China, work with Chinese customers to solve the thorny challenges of security and compliance on the cloud, and escort their business innovation on the cloud."

Adhering to the security concept of "prevention before it happens"

Rather than fighting fires, what we need to do is to prevent problems before they happen. This is the concept that Amazon Cloud Technology has always committed to for cloud security.

Operating at scale, it handles security incidents for millions of customers around the world, then reuses the practices learned from one customer for all the others, achieving economies of scale. This is what security on the Amazon Cloud Technology cloud does every day.

Use automated tools

How is this information obtained in daily work? Responding only once a client has suffered a security failure may be too late. Every data center that Amazon cloud technology operates around the world receives billions of security events and logs every day; automated processing tools identify the security risks in them, and security events across users can be aggregated and linked together to give a global picture. What Amazon Cloud Technology needs to do is to discover these extremely low-probability events, because security accidents are often the accumulated result of small events that went unnoticed.

Amazon GuardDuty is a security service used by many Amazon Cloud Technology customers. It is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect accounts, workloads, applications and stored data in the cloud. Its built-in machine learning engine continuously improves threat detection and can very effectively identify potentially malicious user activity in the cloud environment; the machine learning function reduces false positives in security incidents by 50%.

In addition, Amazon S3 is the object storage service that Amazon cloud technology provides to every customer. Amazon GuardDuty can monitor the external requests received by each user's Amazon S3 resources and, by adding probability prediction to the machine learning logic, determine which requests are abnormal.

Establish a unique working mechanism

Amazon Cloud Technology has a very distinctive mechanism: security guardians. A security guardian group is set up, with security personnel positions assigned in each product team in a certain proportion; they are responsible for all security of the products and services. There is also an independent application security review process that applies to updates and releases of all products and services.

Separate people from data

There are two dimensions, people and data. How is security achieved for each? For people, it means controlling access rights: access on demand, access rights defined on the principle of least privilege, and a validity period set on each permission. For data, the main consideration is the content of the data itself: whether it needs to be desensitized, whether it needs to be encrypted, which data needs to be used by whom, and so on. Both dimensions must be considered together before a rigorous plan can be formed.

Onion-type multiple protection

Amazon Cloud Technology has always advocated that "security in the cloud must be an onion-like multi-layer protection, not an egg." Although an egg has a hard shell, its protection is only that single shell layer: if one point is breached, the entire security system collapses. The onion is different. It has a multi-layer protection structure, so each layer protects the others, and access is controlled layer by layer, which is what Amazon Cloud Technology believes a reasonable security mechanism must have.

The end result is that Amazon cloud technology and its users work hand in hand and become stronger together.

Security dissolves in the enterprise to boost efficiency

The just-launched preview version of Amazon Cloud Technology Marketplace Vendor Insights can greatly shorten the customer's procurement cycle for Amazon Cloud Technology Marketplace services. Procurement may previously have taken several months, and has since improved to eight to twelve weeks; with Vendor Insights, a purchase can be completed within a week at the earliest, helping customers launch their business quickly.

In the field of encryption, to prepare for the rapid development of quantum computing in the future, Amazon Cloud Technology has launched a hybrid post-quantum key exchange, which provides a quantum-safe algorithm for Amazon Key Management Service (Amazon KMS), Amazon Certificate Manager and Amazon Secrets Manager.

Amazon Cloud Technology released many new services and functions in the security field at this re:Inforce:

Amazon IAM Roles Anywhere extends the user's IAM Roles function from the public cloud to other cloud environments by providing short-term credentials. Instead of having to create and manage long-term credentials, businesses and their customers are more secure with the temporary credentials provided by IAM Roles Anywhere.

Through this service, customers can obtain temporary credentials for workloads such as their on-premises servers, containers, and applications. Customers use the same access controls, deployment pipelines, and testing processes for workloads on the cloud and on-premises, which not only reduces operation and maintenance cost and complexity, but also further improves the security of customer workloads.
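The wiring described above, as an added example that is not part of the original article: a role trust policy that only the Roles Anywhere service may assume through one registered trust anchor, and an AWS CLI profile whose `credential_process` obtains short-lived credentials via the `aws_signing_helper` tool instead of a stored access key. All ARNs, paths and names are constructed placeholders.

```shell
#!/bin/sh
# Added example: connect an on-premises workload to IAM Roles Anywhere.
# Every ARN, file path and profile name below is a constructed placeholder.
set -e

# Trust policy for the role the workload will assume. Only the Roles Anywhere
# service principal may assume it, and only when the request originates from
# the one trust anchor we registered, so certificates issued by any other CA
# cannot be used to obtain this role's credentials.
write_trust_policy() {
  out="$1"
  anchor_arn="$2"
  cat > "$out" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "rolesanywhere.amazonaws.com"},
    "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
    "Condition": {"ArnEquals": {"aws:SourceArn": "$anchor_arn"}}
  }]
}
EOF
}

# CLI/SDK profile for the workload. No long-term key is stored: the SDK runs
# aws_signing_helper, which signs the request with the workload's X.509 key and
# returns STS credentials that expire after --session-duration seconds (1 h).
write_profile() {
  out="$1"; anchor_arn="$2"; profile_arn="$3"; role_arn="$4"
  cat > "$out" <<EOF
[profile onprem-workload]
credential_process = /opt/aws/aws_signing_helper credential-process --certificate /etc/workload/cert.pem --private-key /etc/workload/key.pem --trust-anchor-arn $anchor_arn --profile-arn $profile_arn --role-arn $role_arn --session-duration 3600
EOF
}

# Usage: write both files into a staging directory for review before deployment.
stage_dir="${1:-./rolesanywhere-staging}"
mkdir -p "$stage_dir"
write_trust_policy "$stage_dir/trust-policy.json" \
  "arn:aws:rolesanywhere:us-east-1:111122223333:trust-anchor/EXAMPLE-ANCHOR"
write_profile "$stage_dir/aws-config" \
  "arn:aws:rolesanywhere:us-east-1:111122223333:trust-anchor/EXAMPLE-ANCHOR" \
  "arn:aws:rolesanywhere:us-east-1:111122223333:profile/EXAMPLE-PROFILE" \
  "arn:aws:iam::111122223333:role/OnPremWorkload"
```

The private key never leaves the host and the returned credentials carry an expiry, which is the property the article contrasts with long-term credentials.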

Amazon Detective for EKS. Amazon EKS is the container service of Amazon Cloud Technology, and Amazon Detective is an analysis tool that users run on top of it to detect security risks. This is the first time Detective's functionality has been extended to EKS; it helps users analyze potential security issues and suspicious activity on an EKS cluster and improves the security of Amazon EKS.

Amazon GuardDuty Malware Protection. When malware is detected, Amazon GuardDuty Malware Protection can automatically send the investigation results and their potential sources to the Amazon GuardDuty console, Amazon Security Hub, Amazon EventBridge, and Amazon Detective, so that customers can quickly take corresponding measures.

Amazon Config. Amazon Config has added a compliance score function to help customers track resource compliance. With this service, users can view configuration changes and the relationships between AWS resources, find non-compliant configurations and raise alerts on them quickly.

Through new products, new functions, new technologies and various systems, the concept of security and the work of security are embedded in the daily work process of each product and service team, letting tools and systems help people work more efficiently.

Epilogue

Amazon Cloud Technology has always attached great importance to the Chinese market, and Chinese customers have their own unique security compliance requirements and environment. Most of their concerns center on privacy protection, cross-border data transfer and the construction of cloud security. Amazon Cloud Technology hopes to help customers solve the toughest cloud security and compliance issues and enjoy good days on the cloud.

In addition, Amazon Cloud Technology launched Cloud Audit Academy (CAA), training in auditing, risk control and compliance work designed specifically for cloud computing. CAA guides users in applying cloud technology to daily audit work and can be used by security, compliance, audit, risk control and other departments. The entire course is planned to be introduced to China this year to support Chinese customers. Also this year, Amazon Cloud Technology began holding CISO dialogues in China; by discussing security management, culture and technology together, security and compliance will no longer be an obstacle to the rapid growth of business on the cloud.

Amazon Cloud Technology not only prevents problems before they happen, but actively discovers them, and works with many partners to provide corresponding products and solutions through innovation and reinvention, so that security on the cloud is not a problem, but an answer.

Source: blog.csdn.net/shenduweiguan/article/details/126596686