HCIP Study Notes-Cloud Security Service Planning-6

1. Cloud security design and Huawei Cloud security system

1.1 Why Pay Attention to Cloud Security

  • CSA: Cloud Security Alliance

1.2 Security requirements of enterprises on the cloud

1.3 Five Security Dimensions to Respond to Cloud Security Requirements

1.4 Overview of HUAWEI CLOUD Security Services

2. Workload Security

2.1 Enterprise host security HSS

  • The management console is a visual management platform that lets users centrally deliver configuration and view the protection status and detection results of all hosts in the same region.
  • The HSS cloud protection center receives the configuration and detection tasks delivered by the console and forwards them to the Agent installed on each server. According to the configured security policy, the Agent blocks attacks on the host, periodically runs detection tasks, performs full scans of the host, monitors its security status in real time, and collects host information (non-compliant configurations, unsafe settings, intrusion traces, software list, port list, process list, etc.) and reports it to the cloud protection center.
  • The cloud protection center analyzes the reported information and presents it on the console as a detection report.
  • Other functions:
    • Webpage anti-tampering: detects and blocks, in real time, any attempt to modify files in a protected directory, and restores tampered files from the backed-up legitimate copies, so that the website's web pages, electronic documents, images and other files cannot be altered or destroyed by attackers.
    • Advanced defense: program execution authentication, file integrity management, and ransomware protection.
    • Multi-cloud unified management: manages the security status of massive fleets (on the order of 100,000 hosts) across cloud platforms, heterogeneous architectures (x86/ARM) and multiple operating systems (mainstream Linux/Windows).
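The webpage anti-tampering and file integrity management functions above rest on one mechanism: record a hash baseline of the protected directory, compare the live tree against it, and restore from a known-good copy. The following is an added example (not code from the original notes or from HSS) that implements that mechanism with Python's standard library; the web root, the backup directory and the "defacement" are constructed in a temporary directory for the demo.

```python
"""File-integrity baseline, tamper detection and restore from a known-good copy."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (relative path) to its SHA-256."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[str(p.relative_to(root))] = sha256_of(p)
    return baseline


def detect_tampering(root: Path, baseline: dict) -> dict:
    """Compare the live tree with the baseline: modified, added and deleted files."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "deleted": sorted(f for f in baseline if f not in current),
    }


def restore(root: Path, backup: Path, findings: dict) -> list:
    """Overwrite modified files and recreate deleted ones from the backup; remove added files."""
    restored = []
    for rel in findings["modified"] + findings["deleted"]:
        shutil.copy2(backup / rel, root / rel)
        restored.append(rel)
    for rel in findings["added"]:
        (root / rel).unlink()       # e.g. a dropped webshell
        restored.append(rel)
    return restored


def demo() -> dict:
    """Constructed scenario: web root + backup copy, then a defacement, detection and restore."""
    with tempfile.TemporaryDirectory() as tmp:
        web = Path(tmp) / "www"
        backup = Path(tmp) / "backup"
        web.mkdir()
        (web / "index.html").write_text("<h1>Welcome</h1>")
        (web / "about.html").write_text("<p>About us</p>")
        shutil.copytree(web, backup)           # the "backed up legal files"
        baseline = build_baseline(web)

        # Simulated tampering: deface a page, drop a webshell, delete a page
        (web / "index.html").write_text("<h1>Hacked</h1>")
        (web / "shell.php").write_text("<?php system($_GET['c']); ?>")
        (web / "about.html").unlink()

        findings = detect_tampering(web, baseline)
        restore(web, backup, findings)
        after = detect_tampering(web, baseline)
        clean = after == {"modified": [], "added": [], "deleted": []}
        return {"findings": findings, "clean_after_restore": clean}
```

A product-grade implementation differs in where it keeps trust: the baseline and the backup copy must themselves be protected from the same attacker (HSS does this with a driver that locks the directory, and the hashes should be stored off the host), and a scheduled comparison should be replaced by a file-system event hook so the restore happens within seconds of the write.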

2.2 HSS Applicable Scenarios

  • HSS provides comprehensive and effective security solutions to some 230,000 enterprise and individual users in China and abroad, across government, Internet, education and other industries. It gives customers comprehensive risk prevention and real-time protection, regularly produces security operation reports to meet customer requirements, and delivers all-round host protection of prevention + detection + operation.

2.3 Cloud container security CGS

  • Container Guard Service (CGS) is a security service that covers the life cycle of container images. It helps manage the security status of containers and images efficiently and reduces the main security risks they face, viewed across the three stages of build, distribution and runtime.

2.4 CGS Applicable Scenarios

2.5 Cloud Bastion Host CBH

  • CBH also supports collaborative operations, batch management of user hosts, database operation and maintenance (management of database host resources), etc.

2.6 CBH usage process

  • Custom policy process:
    • Add resources: the administrator adds the resources to be managed, including servers, network devices, security devices, application systems, database systems and other objects, and edits the related device information: department, system type, resource name, resource address, protocol type, application program, etc.
    • Add master account: the administrator adds a master account (user account). The master account is the only account that logs in to the cloud bastion host and obtains access to target devices; it corresponds one-to-one to a real user identity. Each user has one master account, and each master account belongs to exactly one user.
    • Add secondary account: the administrator adds the secondary account (resource account) corresponding to each resource, including account name, password, etc. Secondary accounts support automatic, manual and semi-automatic login, can switch from an ordinary account to a privileged account, and their passwords can be rotated automatically and periodically by the cloud bastion host.
    • Create an access control policy: the administrator builds an association policy from elements such as "time + master account + resource + secondary account + permissions".
    • Whole-process behavior auditing: the cloud bastion host automatically records all administrator behavior logs (resource management, user management, policy management, etc.) so that auditors can monitor and audit them.

2.7 CBH Applicable Scenarios

  • Access to CBH itself can be controlled through IAM accounts. In addition, administrators can create system users within CBH and assign them different system roles. The figure shows the different account permissions assigned in CBH; only admin has the permission to manage system roles.
  • Strict audit compliance scenarios:
    • Deploying the cloud bastion host on the cloud provides a single sign-on entry, centralized management of accounts and resources, isolation of departmental permissions, multi-person review and authorization for core assets, secondary review and authorization for sensitive operations, and a sound O&M audit mechanism, giving high-risk industries the strict auditing functions needed to meet industry regulatory requirements.
  • Efficient and stable O&M scenarios:
    • During remote O&M the cloud bastion host hides the real addresses of assets, solving the problem of asset information exposure. It also provides complete O&M logs for auditing O&M work and the behavior of O&M personnel, reducing online security incidents and supporting the long-term stable development of the enterprise.
  • Mass asset and personnel management scenarios:
    • For large numbers of users and assets, the cloud bastion host can hold large volumes of personnel and resource data, and single sign-on for O&M personnel removes the inefficient and error-prone maintenance of many separate assets. Fine-grained permission control and resource operation records make the behavior of every user auditable and incidents traceable, ensuring effective accountability. In addition, the system desktop presents the O&M panorama in real time and can receive abnormal-behavior alarm notifications, so that personnel cannot operate beyond their authority.

2.8 Workload Security Products in the Cloud Architecture

  • Lines represent access traffic.
    • DMZ is short for "Demilitarized Zone" (Chinese name: isolated area). It is a special network zone distinct from both the external network and the internal network. Public-facing servers that hold no confidential information are usually placed in the DMZ, such as web, e-mail and FTP servers. Visitors from the external network can reach only the services in the DMZ and cannot access information stored in the internal network, so even if a server in the DMZ is compromised, the information in the internal network is not affected, provided that traffic from the DMZ into the internal network is itself restricted rather than allowed by default.

3. Network security

3.1 Security Group & ACL

3.2 Cloud Firewall CFW

  • Provides real-time intrusion detection and prevention, globally unified access control, full-traffic analysis and visualization, log audit and traceability analysis, and more; supports elastic on-demand scaling and is the basic service for network security protection.

3.3 DDoS attack protection solution ADS

3.4 Anti-DDoS Pro AAD

3.5 Network security protection products in the cloud architecture

  • Lines represent access traffic

4. Application Security

4.1 Web Application Firewall WAF

  • SQL injection: the attacker tricks the database server into executing unauthorized, attacker-chosen queries. SQL injection exploits flaws or imprecise code in how the application builds its queries: when user-controlled data is concatenated into a SQL statement, the attacker can insert SQL syntax of their own and change what the statement does.
  • XSS (cross-site scripting) is a common web vulnerability that lets an attacker inject malicious script into pages served to other users. Unlike most attacks, which involve only the attacker and the victim, XSS involves three parties: the attacker, the client (browser) and the web application. The usual goal is to steal the cookies stored on the client, or other sensitive information a website uses to identify the client; with a legitimate user's credentials in hand, the attacker can impersonate that user when interacting with the site.
  • Command injection: an embedded or web application does not strictly filter user-submitted data, so an attacker can submit specially constructed command strings that cause the application to run external programs or system commands, illegally obtaining data or network resources.
  • Webpage Trojan implantation ("webpage hanging horse"): the attacker plants a Trojan on a website so that visiting the page downloads and executes it on the visitor's machine; once running it downloads and executes further Trojans, leaving the user's computer attacked and controlled.
  • CC attack (Challenge Collapsar): an application-layer attack on a web server that uses standard GET/POST requests to fetch expensive resources, such as a URI (Uniform Resource Identifier) that involves database operations or otherwise consumes system resources, exhausting the server so that it cannot respond to normal requests.
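The SQL injection description above says the attack happens when user input becomes part of the statement text. The following added example (not code from the original notes, not a WAF rule from Huawei Cloud) shows the vulnerable login query beside its parameterized fix on an in-memory SQLite table with constructed sample users, and adds a naive signature check of the kind a WAF applies, with one input that slips past it; the table, payloads and regex are all assumptions made for the demo.

```python
import re
import sqlite3

# Constructed sample data; passwords are stored in plaintext only to keep the demo short.
USERS = [(1, "alice", "s3cret"), (2, "bob", "hunter2")]
PAYLOAD = "' OR 1=1 --"                      # classic authentication-bypass input
BYPASS = "'/**/or/**/1=1/**/or/**/'1'='1"    # same effect, written to evade the regex below


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    # The input is pasted into the statement text, so quotes and keywords in it are
    # parsed as SQL. With PAYLOAD as the username the statement becomes
    #   SELECT id FROM users WHERE name = '' OR 1=1 --' AND password = 'x'
    # and the password check is commented out.
    sql = f"SELECT id FROM users WHERE name = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username: str, password: str) -> bool:
    # Placeholders send the statement and the values separately; the driver binds the
    # values as data, so PAYLOAD is compared literally against the name column.
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def naive_waf(value: str) -> bool:
    """Signature check: True means 'blocked'. Catches PAYLOAD, misses BYPASS
    (SQLite treats /**/ as whitespace, so the query still parses)."""
    return re.search(r"(--|'\s*or\s+|union\s+select)", value, re.IGNORECASE) is not None
```

The point for the WAF discussion: signature matching is a compensating control that buys time and blocks mass scanning, while parameterized queries remove the vulnerability class itself; deploy the WAF, but fix the code.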

4.2 WAF Applicable Scenarios

  • Note: 0-day ("zero-day") vulnerabilities are vulnerabilities that have been discovered (possibly not yet disclosed) but for which no official patch exists. In plain terms, apart from the discoverer nobody knows the vulnerability exists, yet it can be exploited effectively; attacks that use it are often sudden and highly destructive.

4.3 The difference between WAF and CFW

4.4 Application Security Protection Products in Cloud Architecture

  • Lines represent access traffic.

5. Data Security

5.1 Data asset security

  • The average total cost of a data breach rose about 10% between 2020 and 2021.
  • It went from USD 3.86 million to USD 4.24 million, the highest average in the history of the report (IBM Cost of a Data Breach Report 2021). Organizations with more mature security postures have significantly lower costs, while those lagging in security AI and automation, zero trust and cloud security have higher costs.

5.2 Data Security Center DSC

  • Applicable scenarios:
    • Automatic identification and classification of sensitive data: automatically discover and analyze the use of sensitive data within massive data sets. A data identification engine scans, classifies and grades stored structured data (RDS) and unstructured data (OBS), eliminating data "blind spots" so that further protection can be applied.
    • Abnormal user behavior analysis: an in-depth behavior recognition engine builds a baseline of user behavior, raises real-time alarms for operations outside the baseline, supports real-time query of operations, visualizes behavior trajectories and correlates risk events, improving the audit chain from a risk event back to the user operations behind it, so that violations in data usage are discovered and warned about in time to prevent leakage.
    • Data masking (desensitization): a data protection engine built from many preset masking algorithms plus user-defined ones implements masked storage for unstructured data and static masking for structured data, preventing sensitive data from leaking.
    • Compliance: DSC ships dozens of compliance templates (GDPR, PCI DSS, HIPAA, etc.); one click matches and identifies the relevant compliance rules and generates reports for targeted remediation, accurately distinguishing and protecting personal data and avoiding compliance issues.

5.3 DSC data content protection process

5.4 Database security DBSS

5.5 Identity Guarantee for Data Transmission - Digital Certificate

  • Public certificates: let web browsers identify websites and establish encrypted connections to them using the SSL/TLS protocol
    • Issued by a public CA to authenticate resources on the Internet
    • Trusted by applications and browsers by default: the CA root certificate is already in the browser and OS trust stores
    • Must adhere to strict rules, provide operational visibility, and follow the security standards dictated by browser and operating system vendors
  • Private certificates: identify and secure resources inside an organization, such as applications, services, devices and users
    • Issued by a private CA to authenticate the organization's internal resources
    • Servers, websites, clients, devices, VPN users, etc.
    • Resources within the private network
    • Not trusted by default: the private CA's certificate must be installed in the client's trust store
    • Advantages:
      • Can be used to identify any resource
      • Custom issuance rules for verification, naming, etc.
      • Not subject to public CA certificate/institutional rules

5.6 Cloud certificate management CCM

  • SSL certificates issued by public CAs are now valid for at most about one year (the CA/Browser Forum limits publicly trusted certificates to 398 days). CCM supports configuring rotation for private certificates: the rotation period is set according to the certificate's expiration time, and a new private certificate replaces the old one on the corresponding working node before the old one expires, so that business communication is not interrupted by an expired certificate.
  • SSL certificate management:
    • Trusted website construction: provides certificate-based trusted identity authentication for websites built by users, preventing website counterfeiting.
    • Trusted application authentication: applies to cloud application services and mobile application services; provides certificate-based trusted identity authentication for applications on the user's cloud (CRM, OA, ERP, etc.) to prevent access to illegitimate applications.
    • Application data transfer protection: applies to data transfer between websites, apps and clients; encrypts traffic between the client and the website or application so that data cannot be stolen in transit, and maintains integrity to prevent tampering.
  • Private certificate management:
    • Enterprise informatization applications: establish a unified enterprise certificate management system with certificate life-cycle management, continuous monitoring and automatic management, preventing risks caused by poor certificate management.
    • Internet of Vehicles applications: a vehicle maker's TSP uses the private certificate management service to issue a certificate to every vehicle terminal, providing authentication and encryption for vehicle-to-vehicle, vehicle-to-cloud and vehicle-to-road interactions.
    • IoT applications: the IoT platform uses the private certificate management service to issue a certificate to every IoT device and, working together with PCA, verifies and authenticates device identity, securing device access in IoT scenarios.

5.7 Data encryption service DEW

  • DHSM: Dedicated HSM, an encryption appliance on the cloud provided exclusively to one customer, for high-compliance scenarios and for large, highly concurrent businesses (such as payment systems).
  • KMS: Key Management Service; encryption integrated with cloud services, data disk encryption, and encryption of small data.
  • KPS: Key Pair Service; mainly used for host login.
  • CSMS: Cloud Secret Management Service; storage of important passwords, passphrases and tokens.

5.8 DEW service module - exclusive encrypted DHSM

  • If a user has purchased a dedicated encryption instance, it can be initialized and managed through Dedicated HSM. As the device owner, the user has full control over key generation, storage and access authorization.

5.9 DEW service module - key management KMS

  • KMS is widely integrated with Huawei Cloud products. Customers create their own keys in the KMS console, or import external keys, and use them to encrypt and protect data in 45+ cloud products such as RDS, ECS, OBS, SFS, DDS and EVS.

5.10 DEW service module - key pair management KPS

  • A public key and a private key together form what is commonly called asymmetric encryption: a key pair generated by an algorithm, where the public key is the part that may be published and the private key is the part that must be kept secret. Public keys are typically used to encrypt session keys, verify digital signatures, or encrypt data that only the matching private key can decrypt. What one key of the pair does, only the other key can undo: data encrypted with the public key can be decrypted only with the private key, and a value produced with the private key (a signature) can be verified only with the public key; using the wrong key fails. Key pairs are generated with enough randomness that, in practice, no two independently generated pairs are the same.
  • Enhanced RDS/WKS password management: passwords no longer rely on memory, which makes randomly generated high-complexity passwords practical and resists credential stuffing. KPS supports dynamic binding of key pairs to ECS and a one-click switch of ECS to key-pair login, eliminating the problem of weak ECS passwords.
  • Private keys/passwords are not stored statically on the client side, reducing the risk of leakage there. They are managed centrally by KMS/KPS and rotated regularly, effectively shrinking the attack window. Private keys/passwords are encrypted by KMS/KPS and stored securely in the cloud, and are fetched dynamically only after IAM authentication and authorization (with MFA) before use. This is also convenient: with IAM credentials (and MFA) in hand, the private key/password can be obtained dynamically from anywhere to access resources.
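The key-pair description in this section is easiest to check by running it. The block below is an added example (not code from the original notes, and not how KPS generates keys): textbook RSA with deliberately tiny primes, so that "encrypt with the public key, decrypt with the private key" and "sign with the private key, verify with the public key" can be seen directly, together with what happens when the wrong key is used. The primes and the message are assumptions for the demo; there is no padding and no side-channel protection, so it is not usable for anything real.

```python
import hashlib

# Textbook RSA with small numbers, for illustration only. Real deployments use
# 2048-bit or larger keys with OAEP (encryption) and PSS (signatures) padding.


def keygen(p: int, q: int, e: int = 65537) -> tuple:
    """Derive a key pair from two primes. Returns ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi); Python 3.8+
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    """Anyone holding the public key can encrypt; m must be smaller than n."""
    n, e = public_key
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Only the holder of the private key recovers m."""
    n, d = private_key
    return pow(c, d, n)


def _digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Signing applies the private exponent to the message digest."""
    n, d = private_key
    return pow(_digest(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Verification applies the public exponent and compares with the digest."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)


def demo() -> dict:
    pub, priv = keygen(61, 53, 17)                 # toy key, n = 3233
    c = encrypt(pub, 65)
    big_pub, big_priv = keygen(104729, 1299709)    # still tiny, but enough for a digest demo
    msg = b"transfer 100 to bob"
    s = sign(big_priv, msg)
    return {
        "ciphertext": c,
        "decrypted_with_private": decrypt(priv, c),
        "decrypted_with_public": decrypt(pub, c),  # wrong key: garbage, not 65
        "signature_ok": verify(big_pub, msg, s),
        "tampered_ok": verify(big_pub, b"transfer 900 to bob", s),
    }
```

The asymmetry is what KPS relies on: the public key can sit in `authorized_keys` on every ECS, while the private half stays encrypted in the service and is released only after IAM/MFA authentication.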

5.11 DEW service module - credential management CSMS

  • Users and applications can create, retrieve, update and delete credentials through the secret management service, achieving full life-cycle, unified management of sensitive credentials and avoiding the leakage of sensitive information, loss of permission control and the resulting business risk caused by hard-coded or plaintext-configured secrets.

5.12 Applicable Scenarios of DEW Service Products

5.13 Data Security Protection Products in Cloud Architecture

  • The DEWs shown in the figure are KPS and KMS respectively

6. Security management

6.1 Security Management (1)

  • Verizon Communications (Verizon) is the largest wireline and voice communications provider in the United States, with 140 million access lines.

6.2 Security Management (2)

6.3 Security Management (3)

  • Enterprise digital transformation faces compliance and security issues: many compliance requirements, heavy responsibilities and high penalties. Compliance is the focus of enterprise cloud security, and the compliance standards determine the level of security an enterprise needs to achieve on the cloud. The codes in the figure are different compliance standards.

6.4 Unified Identity Authentication IAM

  • A project may contain different resources, and permissions on those resources can be granted to different accounts according to policy. In the figure, project A is authorized only to A; some resources in project B are authorized to A and the rest to B.

6.5 IAM user authentication

  • AK: Access Key ID. The unique identifier associated with a secret access key; the Access Key ID is used together with the secret access key to cryptographically sign requests.
  • SK: Secret Access Key. The secret used together with the Access Key ID to cryptographically sign requests; the signature identifies the sender and prevents the request from being modified in transit.
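How AK and SK work together is clearer with both sides of the exchange in code. The following is an added example (not code from the original notes or from the Huawei Cloud SDK): a simplified HMAC request-signing scheme in which the client sends its AK in clear, keeps the SK secret and signs a canonical form of the request, and the server looks up the SK by AK, recomputes the signature and rejects stale or altered requests. Huawei Cloud's real algorithm (SDK-HMAC-SHA256) builds a fuller canonical request with signed headers; the credential values, header names and the 300-second clock window here are assumptions for the demo.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed credential store: the server looks up SK by AK; the SK itself never
# travels in the request. Both values are made up for this demo.
CREDENTIALS = {"AK0EXAMPLE12345": "sk-example-do-not-use-0123456789abcdef"}
MAX_CLOCK_SKEW = 300  # seconds; bounds how long a captured request can be replayed


def canonical_string(method: str, path: str, query: dict, body: bytes, timestamp: int) -> str:
    """Serialize, in a fixed order, every part of the request the signature protects."""
    sorted_query = urlencode(sorted(query.items()))      # order-independent
    body_hash = hashlib.sha256(body).hexdigest()         # body is covered by its hash
    return "\n".join([method.upper(), path, sorted_query, body_hash, str(timestamp)])


def _signature(sk: str, canonical: str) -> str:
    return hmac.new(sk.encode(), canonical.encode(), hashlib.sha256).hexdigest()


def sign_request(ak, sk, method, path, query, body, timestamp=None) -> dict:
    """Client side: attach AK (identity), timestamp and HMAC signature as headers."""
    ts = int(time.time()) if timestamp is None else timestamp
    sig = _signature(sk, canonical_string(method, path, query, body, ts))
    return {"X-Access-Key": ak, "X-Timestamp": str(ts), "X-Signature": sig}


def verify_request(headers, method, path, query, body, now=None) -> tuple:
    """Server side: identify the sender by AK, check freshness, recompute the signature.
    Returns (True, ak) on success or (False, reason) on rejection."""
    ak = headers.get("X-Access-Key", "")
    sk = CREDENTIALS.get(ak)
    if sk is None:
        return False, "unknown access key"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    current = int(time.time()) if now is None else now
    if abs(current - ts) > MAX_CLOCK_SKEW:
        return False, "timestamp outside allowed window"
    expected = _signature(sk, canonical_string(method, path, query, body, ts))
    # Constant-time comparison so the check itself does not leak the signature byte by byte
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"
    return True, ak
```

Two details carry the security: the SK is used only as an HMAC key, never transmitted, so an observer who captures the request learns the AK but cannot forge new requests; and the timestamp inside the signed string means a captured request can be replayed only within the skew window (production systems add a nonce or request ID to close even that).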

6.6 Basic Concepts of IAM

  • IAM owns no resources and is not billed independently; the permissions and resources of IAM users are controlled and paid for by the account they belong to.
  • User groups are used to authorize IAM users. By default a newly created IAM user has no permissions; it must be added to a user group, and the user group is then authorized, so that every user in the group obtains the group's permissions. After authorization, IAM users can operate cloud services within those permissions.

6.7 Fine-grained access control to HUAWEI CLOUD resources

  • Authorization policy:
    • System policy: maintained by HUAWEI CLOUD
    • Custom Policies: Maintained by Users

6.8 Access resources across accounts

  • Delegation (agency) only supports accounts, not federated users or IAM users
  • Delegating resource management to other cloud services: because HUAWEI CLOUD services interact with one another, some cloud services need to work with others. The user creates a cloud service agency that grants operation permissions to that service, letting it use the user's identity to call other cloud services and perform resource O&M on the user's behalf. For example, for CGS (container security) to scan a container image, it must be granted permission on SWR (the container image service).

6.9 Use the original account of the enterprise to use cloud resources

  • OIDC (OpenID Connect): an identity authentication protocol built on top of OAuth 2.0.
  • SAML (Security Assertion Markup Language): an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider (IdP) and a service provider (SP).
  • IdP (Identity Provider): collects and stores user identity information (user name, password, etc.) and authenticates users when they log in. In federated authentication between an enterprise and HUAWEI CLOUD, the identity provider is the enterprise's own IdP.
  • Federated authentication implementation process:
    • Create an identity provider and establish a mutual trust relationship
      • Based on OIDC: create OAuth 2.0 credentials in the enterprise IdP, then create an identity provider on HUAWEI CLOUD and configure the authorization information to establish trust between the enterprise management system and HUAWEI CLOUD
      • Based on SAML: exchange metadata files between HUAWEI CLOUD and the enterprise IdP (the interface file defined by SAML 2.0, containing endpoint addresses and certificate information), then create an identity provider on HUAWEI CLOUD to establish trust
    • Configure identity conversion rules: rules configured on HUAWEI CLOUD map users, user groups and their access rights in the IdP to HUAWEI CLOUD.
    • Configure the login entry in the enterprise management system: add an access entry for HUAWEI CLOUD to the enterprise management system, so that users who log in to the enterprise system can access HUAWEI CLOUD directly.

6.10 Situational Awareness SA

  • After data collection, the big data platform performs batch processing, the big data operation center performs intelligent analysis, and the analysis results are fed into the situational awareness service for analysis, alarms and other protective operations.

6.11 SA Applicable Scenarios

  • Asset risk management: there are many services on the cloud, cloud assets keep growing and change frequently, which greatly increases security risk.
    • SA centrally presents the risk status of hosts and vulnerable assets on the cloud: the security status of all cloud assets is aggregated, the overall security of cloud services is monitored in real time, and vulnerabilities, threats and attacks on servers are visible at a glance, helping enterprises handle asset security risks easily.
  • Threat event warning: security threats on the cloud are present at all times and new types keep emerging
    • By collecting network-wide traffic data and the logs of security protection devices, SA detects and monitors cloud security risks in real time, presents alarm statistics in real time, and tallies threat events such as brute-force cracking, web attacks, backdoors and Trojans, and zombie hosts; preset protection strategies defend effectively against these threats and improve O&M efficiency.
  • Vulnerability risk notification: as enterprise business keeps moving to the cloud, vulnerabilities must be found and fixed as thoroughly as possible to prevent successful exploitation
    • By collecting emergency security notices on the cloud, SA discloses newly discovered vulnerabilities in real time, reports sudden vulnerability incidents and warns about potential ones. It also integrates vulnerability scanning results, runs regular scans, centrally manages host and website vulnerabilities, detects vulnerabilities in systems, software and websites, and gives repair suggestions. Centralized vulnerability management on the cloud helps users quickly identify key risks, discover the assets attackers are likely to target, and close security weaknesses fast.
  • Risk configuration management: SA checks the key configuration items of cloud services. Scanning tasks check the risk status of cloud service baseline configurations, present the results by category, raise alarms for risky configurations, and provide hardening suggestions and guidance.

6.12 Threat Detection Service MTD

  • MTD collects the logs of Identity and Access Management (IAM), DNS, Cloud Trace Service (CTS), Object Storage Service (OBS) and Virtual Private Cloud (VPC), and uses an AI engine, threat intelligence, rules and baseline models to continuously monitor malicious activity and unauthorized behavior such as brute-force cracking, malicious attacks, infiltration and cryptomining, identify potential threats in cloud service logs, and compile statistics on the detected threat alarms.
  • Inbound: traffic flowing from the Internet into HUAWEI CLOUD, for example an ECS in the cloud downloading resources from the public network.
  • Outbound: traffic from HUAWEI CLOUD to the Internet, for example an ECS in the cloud serving external users who download resources from it.

6.13 MTD Applicable Scenarios

6.14 Difference between MTD and SA

6.15 SA+MTD detects tenant identity risk

  • MTD analyzes the logs of the four services IAM, CTS, VPC and DNS with threat intelligence, an AI detection engine, correlation models and other advanced detection techniques, so as to detect brute-force account logins in time, track and audit abnormal network behavior, identify traffic changes at network devices and nodes, and find unusual connection counts. MTD sends its alarms to Situational Awareness (SA) and links with other security services for further action; SA integrates the other security services to monitor overall security posture and surface system security issues promptly.
  • MTD can detect security risks to IAM accounts, risks exposed by DNS attacks, and the risks revealed by various intrusion behaviors in CTS logs, which other security services currently cannot address or address only weakly. When the risk level rises, IAM can require additional verification (such as multi-factor authentication or biometrics) to confirm that the user is genuine.

6.16 Management Detection and Response MDR

  • Security solution design: combined with the enterprise's business scenarios, the security solution is designed across the network, application, host, data and management layers, with a tailor-made security system, network isolation and account permission control, giving the enterprise comprehensive protection.
  • Security monitoring:
    • Professional monitoring personnel
    • Professional monitoring platform
    • 24x7 uninterrupted monitoring
    • Regular security inspections of the system, including log analysis, alarm analysis, abnormal traffic monitoring, attack identification, vulnerability scanning and penetration testing; possible security incidents are identified proactively, the business team is notified promptly, handling is initiated and risks are eliminated in time.
  • Emergency response: once a suspected intrusion occurs, the HUAWEI CLOUD security expert team immediately enters the emergency response process; HUAWEI CLOUD runs a large number of daily security drills and has ample experience in handling security threats.

Origin blog.csdn.net/GoNewWay/article/details/130912743