Don't all the cloud vendors advertise that their cloud is secure? So why do we still need to buy security products?


Cloud computing is the trend. According to IDC's statistical analysis from 2016:


  • Between 2015 and 2020, the compound growth rate of the total IT market is only 3%

  • The compound growth rate of the global public cloud market is 19%

  • 74% of Chinese companies trust the cloud

  • 62% of companies believe the cloud has inherent advantages in defense, platform stability and professional teams


Therefore, as the major cloud vendors' platforms have developed, more and more companies are trying to migrate their applications from local server rooms to the cloud.


When public clouds first emerged in the domestic market four or five years ago, most companies took a wait-and-see attitude. After all, with today's rapid development of information technology, data is the lifeblood of a business, and putting that data on a public cloud left traditional business managers uneasy. But in recent years, as enterprises have tested the waters with applications on the cloud, more and more business managers have gradually come to believe that their data can be more secure on the public cloud.


In a recent chat with clients, I came across a strange notion. A customer asked:


Don't all the cloud vendors, in their own public cloud advertising, claim that it is secure? Then why do we still need to buy security products?


In fact, this is a difference in understanding. When cloud vendors commonly say their public cloud is safe and reliable, I think most of the time they mean safe and reliable relative to our local server room.


Putting our servers or data in the cloud is safe and reliable because the physical resources that used to be needed are now provided to tenants in SaaS form. In practice the risk depends on the physical condition of the major vendors' cloud data centers, and the stability of a major vendor's huge cloud infrastructure will of course be higher than that of a small local server room.


On August 13 the National Internet Emergency Center released "China's Internet Network Security Situation in the First Half of 2019", which notes that in the first half of 2019 network security incidents on cloud platforms in China worsened further compared with 2018.


According to the National Internet Emergency Center's monitoring data, all kinds of mainstream network security incidents occurring on domestic cloud platforms still account for a high proportion: cloud platforms were the target of 69.6% of DDoS attacks against domestic targets, hosted 63.1% of all domestic links implanted with backdoors, and accounted for 62.5% of all domestic web pages that were tampered with.


Our application systems face the same risks whether they run in a local server room or on the public cloud. The difference is that when we put applications on the public cloud, we do not need to buy our own security appliances or build our own defensive environment; we can directly use the cloud security products the major vendors provide to protect our SaaS applications.



What risks will our applications face?


As the figure shows, the risks an application system faces can be clearly divided into four dimensions: network security, business security, host security and APP security. Whether our application runs in a local server room or on the public cloud, all four categories of risk have to be addressed; of course, if our application uses a B/S architecture, there is no APP security risk.


Based on past experience, we know that when going live in an on-premises server room we can purchase a range of hardware appliances and combine them with our local network and servers to provide security protection. So in a public cloud environment, what is the minimum configuration we need for applications on the cloud to be better protected?


To make the following introduction more intuitive, I use the simple example architecture diagram below to describe which security measures we need to adopt to protect the application.



1. Host level

Antivirus software: take the official website server as an example (lower right corner of the architecture diagram); antivirus software needs to be installed on the server. Cloud vendors generally have self-developed antivirus software, and a cloud vendor's antivirus software is usually more capable than traditional antivirus software: besides antivirus itself, it generally also includes vulnerability scanning and remediation, server security baseline scanning, asset management and other functions, giving the system better protection at the host level.


Cloud database auditing: records and raises alarms on SQL injection against the database, risky database operations and other risky behaviour. It supports both cloud databases and self-built databases, providing security diagnosis, maintenance and management capabilities for the cloud database.
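As an added illustration of the database auditing idea above (not code from the article or from any vendor's product), the following script applies a few simple rules to constructed audit records and tags the statements an auditor would alarm on: injection signatures, destructive schema changes, and DELETE/UPDATE with no WHERE clause.

```python
import re

# Constructed sample audit records (user, source IP, statement); not from the article.
SAMPLE_AUDIT_LOG = [
    ("app_user", "10.0.2.15", "SELECT id, name FROM users WHERE id = 42"),
    ("app_user", "10.0.2.15", "SELECT * FROM users WHERE name = '' OR '1'='1' -- "),
    ("dba", "10.0.9.8", "DROP TABLE orders"),
    ("app_user", "10.0.2.15", "SELECT id FROM users WHERE id = 1 UNION SELECT password FROM users"),
    ("etl", "10.0.5.3", "UPDATE orders SET status = 'shipped' WHERE id = 7"),
    ("etl", "10.0.5.3", "DELETE FROM orders"),
]

# Injection signatures: a tautology (OR 1=1 / OR '1'='1'), a UNION-based read,
# or a trailing comment / stacked statement used to cut off the original query.
INJECTION_PATTERNS = [
    re.compile(r"\bor\s+'?(\w+)'?\s*=\s*'?\1'?", re.I),
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    re.compile(r"--\s*$|;\s*\S"),
]
# Destructive schema changes that an auditor should always alarm on.
RISKY_DDL = re.compile(r"^\s*(drop|truncate|alter)\s+", re.I)
# DELETE/UPDATE with no WHERE clause touches every row of the table.
UNBOUNDED_DML = re.compile(r"^\s*(delete|update)\b", re.I)
WHERE_CLAUSE = re.compile(r"\bwhere\b", re.I)


def classify(statement):
    """Return the alarm tags for one audited SQL statement ([] if it looks benign)."""
    tags = []
    if any(p.search(statement) for p in INJECTION_PATTERNS):
        tags.append("sql_injection")
    if RISKY_DDL.search(statement):
        tags.append("destructive_ddl")
    if UNBOUNDED_DML.search(statement) and not WHERE_CLAUSE.search(statement):
        tags.append("unbounded_dml")
    return tags


def audit(records):
    """Run classify() over (user, src_ip, statement) records; return the ones that alarm."""
    alarms = []
    for user, src_ip, statement in records:
        tags = classify(statement)
        if tags:
            alarms.append((user, src_ip, statement, tags))
    return alarms


if __name__ == "__main__":
    for user, src_ip, statement, tags in audit(SAMPLE_AUDIT_LOG):
        print(f"ALARM {tags} user={user} src={src_ip} sql={statement!r}")
```

A real audit service works on the parsed SQL and the session context (account, source, time of day) rather than regular expressions alone, but the alarm categories are the same ones the paragraph lists.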


2. Network access level

In the architecture diagram, on the network path from the end user to the application, traffic first passes through several cloud security products that protect the application at the network transmission layer. Here we list three commonly used cloud security products:


Web Application Firewall:

Based on cloud security big data capabilities, it effectively defends against the common OWASP web attacks and filters massive malicious CC attacks, implements website anti-tampering, prevents leakage of your website's asset data, and ensures the security and availability of website services.


DDoS protection:

Effectively defends against DDoS attacks so that the application is not affected by them.


Certificate service:

Converts your service from HTTP to HTTPS at minimal cost, providing website identity authentication and encrypted data transmission.


3. Operations security management level

This protective measure is the one users most easily overlook; many users even believe that these protections, customary in a traditional IDC server room, are unnecessary in a cloud environment. This is a misunderstanding of operations work on the cloud. What moving to the cloud solves is the operation of the physical environment, and it relieves us of a large amount of manual operations work.


Bastion host:

Integrates operations identity authentication, account control, system operation auditing and other functions. It is implemented as a protocol forward proxy: through the forward proxy, the data streams of common operations protocols such as SSH, Windows Remote Desktop and SFTP are recorded end to end, and the protocol data stream is then reassembled for video-style replay, achieving the goal of operations auditing.


Security hardening:

Through the bastion host, configure security parameters, log auditing, account auditing, login auditing and so on for the operating system, database, middleware and other components.


Vulnerability remediation:

Through the bastion host, fix vulnerabilities in the operating system, database, middleware, applications and other components.


Subnet division:

Use separate subnets to standardize the management of cloud resources and apply access control to them.


To sum up the three kinds of security measures above: when we publish an application on the public cloud, to ensure its security and compliance the minimum set of cloud security products we need to configure should include antivirus software, DDoS protection, a web application firewall, certificate service, database auditing and a bastion host. In addition, operations work such as security hardening and vulnerability remediation is still required for cloud servers, databases, middleware and other resources.


Author: 林伟栋


———— / END / ————


Origin blog.51cto.com/11811406/2450762