Are cloud-native applications secure by nature?

Author | Drishti Shastri

Translator | Inf, Editor | Xu Veyron

Cover image | CSDN, downloaded from Visual China

In the modern era, the network and data security risks facing enterprises have never been as serious as they are now. Nevertheless, the conventional defences (including those used by public cloud operators) have stayed essentially the same.

The rise of cloud-native applications and their security threats

Defences are still built to respond to attacks after the fact rather than to prevent them. Cloud-native applications, meanwhile, have drawn growing attention for challenging conventional wisdom in almost every other respect.

From infrastructure to the application stack, the contrast between traditional methods and modern cloud-based ones is stark, and most of the new patterns and practices have reached the mainstream: DevOps culture, continuous delivery and microservice architecture. Why have we not reimagined security for cloud native in the same way? Where are the bold new ideas?

It is fair to say that in application delivery, cloud-native security has long been an afterthought. Traditional IT security teams act as gatekeepers: they must get the job right, or the organisation faces greater risk.

They impose high security requirements on every process, but meeting those requirements takes time, testing and revision. Because this delays application development and often still cannot guarantee full protection, development teams frequently complain.

When organisations try to improve and accelerate the application lifecycle and to deploy cloud-native applications, security becomes an even more prominent test. Most cloud-native applications run on new models that offer unconventional productivity, flexibility and cost advantages.

DevOps in cloud-native development is extended into DevSecOps by adding security as a further component. DevSecOps tries to fold security into fast, agile, continuous-delivery processes. However, if DevSecOps neglects integration, business process and control functions, and user security is weak, it may be hard to deliver security within a continuous delivery system.

Cloud-native vulnerabilities

Vulnerabilities certainly occur in cloud-native systems. We are human and will make mistakes, especially under pressure and after a product has shipped. Despite all the warnings, signs and notes, we will still make errors of judgement.

Even as warnings are issued, people keep blindly copying and pasting from Stack Exchange, dropping in applications found on GitHub, or pulling code from a random folder with no idea of its origin, and can only hope that authors they have never met or spoken to, and unknown third parties, can be trusted.

The distributed nature of microservice applications means that even when all code is written in-house, eliminating the risk of third-party contributors, different components may be owned by different teams.

Communication barriers between teams can cause a range of problems, including a lack of coordination in testing and quality assurance, and even in resolving application vulnerabilities.

A single cloud-native application may consist of many thousands of tasks running on a dispersed basis. Microservices may live in on-premises data centres, many public clouds and edge data centres, and finally in parts of the organisation we cannot currently see.

Every developer and every team knows and learns how to solve different problems, and develops their knowledge and attention accordingly. Even if each part of an in-house codebase protects itself in some way within a broader programme, microservices must still talk to other parts, and that communication carries risk and potential vulnerability.

All of this sounds daunting and frightening, but cloud native does solve some very complex real-world problems, and we can no longer ignore it. As we continue to improve its security, cloud-native vulnerabilities keep evolving and will always exist.

The main threats to cloud-native applications

Although companies are beginning to experience the advantages of cloud-native applications, they know little about the practical aspects of operating and maintaining such systems. How different are the consequences of protecting a cloud environment compared with a conventional system? How are protective measures and safeguards affected?

The following are some of the biggest security issues in cloud-based environments:

1. Cloud misconfiguration

Misconfigured IaaS and cloud data storage is the main cause of some of today's most devastating cloud breaches and data leaks. Whether the cause is stripped-down cloud security settings, generic tags, unrestricted access to certain resources or something else, misconfiguration leads to many unknown threats that are often noticed only after an embarrassing incident makes the news. According to the latest "2019 Cloud Security Report", about 40% of organisations consider cloud platform misconfiguration their main network security concern.
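As an added illustration (not from the original article) of the "unrestricted access to certain resources" kind of misconfiguration, the Python below audits an S3-style bucket policy for Allow statements that grant access to any principal or use wildcard actions. The policy, bucket name and account id are constructed samples.

```python
import json

# Constructed sample bucket policy (not from the article). The first statement
# grants anonymous ("*") read access to every object: the classic public-bucket
# mistake. The second is scoped to one application role and is fine.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AppWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
     "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
""")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True if the Principal means 'anyone' (bare "*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def audit_bucket_policy(policy):
    """Return one finding per Allow statement that is broader than it should be.

    A wildcard Principal with a Condition block (e.g. limited to a VPC endpoint)
    is still reported, but marked for manual review rather than as plainly public.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        if _is_wildcard_principal(stmt.get("Principal")):
            qualifier = " (has Condition, review)" if "Condition" in stmt else ""
            findings.append(f"{sid}: any principal may {actions}{qualifier}")
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{sid}: wildcard action {actions}")
    return findings


if __name__ == "__main__":
    for finding in audit_bucket_policy(SAMPLE_POLICY):
        print(finding)
```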

2. Business-managed IT

Don't worry about "shadow IT" or "rogue IT". It is no exaggeration to say that a number of companies are embracing a trend in which business operations acquire infrastructure and bridge to cloud services themselves, called "business-managed IT", as an engine of creativity and development. The "Harvey Nash / KPMG CIO 2019 survey" reports that more than two-thirds of companies promote or allow business-managed IT. Companies that do so are 52% more likely to beat their industry competitors and 38% more likely to provide better services to employees.

The concern is that without cooperation with information and network security professionals, these islands could become a huge security barrier for the organisation. Such companies grow very fast, but the survey shows they are twice as likely to face security exposures.

3. Buying multi-cloud products

The "Cloud IUCN Report" shows that most companies rely on several cloud vendors and buy multi-cloud products. About 66% of companies have a multi-cloud arrangement, of which about 36% rely on a mix of multi-cloud and hybrid systems.

Today, because the cloud has become the tool of choice for reducing the cost of all other business operations, providers offer a range of cloud computing services (SaaS, PaaS, IaaS) to their customers. A cloud provider secures its entire context, fast response and quality of service. However, whenever a user cannot migrate from one cloud to another, maintaining QoS and scalability has a cost. To overcome this, multi-cloud computing frameworks introduce dynamic resource sharing between clouds. In multi-cloud deployments, security becomes an even more complex issue.

4. Hybrid architectures

According to the well-known "Cloud Security Alliance Report", about 55% of organisations operate complex hybrid cloud computing environments. Such systems give large organisations an excellent path for a gradual transition to the cloud, but when it becomes hard to track assets and monitor the many activities across a connected hybrid cloud architecture, security challenges follow. In fact, a report previously released by Firemon showed that 80 percent of organisations find the limitations of security monitoring and management tools and the complexity of hybrid environments challenging.

5. Dark data

Just as the telecoms industry has dark fibre, business and commerce have dark data: a great deal of untapped, mostly unregulated data that simply sits there doing nothing.

Unfortunately, while lighting dark fibre brings only the advantage of more power and bandwidth, dark data, even once identified and then ignored, can pose a security risk, whether it turns up by mistake in a user's hands or ends up outside the range of intended users.

Most arguments about dark data focus on its potential value and usefulness to the organisation. Indeed, for those willing to spend capital (money, equipment and time) to create and exploit the organisational knowledge locked up in dark data, the prospects will undoubtedly be profitable. This also explains why many companies, although they have no plan to act on it, refuse to share details of their dark data or their plans for it in the short term.

As with many attractive potential information resources, companies must also realise that dark data, whether about customers or about their own cloud operations, may put their continued health at risk beyond their direct control and management. According to recent studies, 40% of organisations are still at the planning stage, or have only basic security policies, for their container environments.

6. Containers and container orchestration

If you develop applications using containers, or are moving an existing monolithic application ecosystem into containers, you must understand the security threats this unfamiliar environment brings. You should be ready to respond to them from day one, from building your own containers to installing and running them in production.

The most common container security risks are:

  • Privileged flag: Even those with a good understanding of containers may not realise what a privileged container means. A container with the privileged flag can perform almost any operation the host server can, and can execute and gain access to host resources. This means that if an intruder gets into a privileged container, the host may be compromised.

  • Unrestricted interaction: To do their job, containers must interact with each other. However, the number of containers and the short-lived design of container-based microservices usually mean it is hard to enforce network or firewall rules in line with the principle of least privilege. Still, your goal should be to let containers interact only where necessary, to reduce the attack surface.

  • Lack of isolation: Container security is a double-edged sword. Beyond their short lifetimes and limited functionality, their immutable nature also offers a range of security advantages. However, a container can also be used to attack the host. As discussed above, this danger is present with a privileged container, and the underlying host can be affected by many other misconfiguration threats.
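To make these three risks checkable, here is an added Python example (not from the original article) that inspects a Kubernetes pod manifest for the privileged flag and host-namespace sharing (isolation), and checks whether a namespace has a default-deny NetworkPolicy in each direction (unrestricted interaction). The manifests and names are constructed samples.

```python
# Constructed sample manifests (not from the article), shaped like `kubectl get -o json`
# output: a pod sharing host PID with one privileged container, and a namespace
# policy that only scopes one pod, so it is not a default deny.
SAMPLE_POD = {
    "kind": "Pod", "metadata": {"name": "payments", "namespace": "shop"},
    "spec": {"hostPID": True, "containers": [
        {"name": "app", "image": "example/app:1.0",
         "securityContext": {"privileged": True}},
        {"name": "sidecar", "image": "example/proxy:1.0",
         "securityContext": {"allowPrivilegeEscalation": False, "runAsNonRoot": True}},
    ]},
}
SAMPLE_POLICIES = [{
    "kind": "NetworkPolicy", "metadata": {"name": "allow-db", "namespace": "shop"},
    "spec": {"podSelector": {"matchLabels": {"app": "payments"}},
             "policyTypes": ["Egress"],
             "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "db"}}}]}]},
}]


def audit_pod(pod):
    """Flag host-namespace sharing, privileged containers and containers that
    can still escalate privileges or run as root."""
    findings = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(f"{name}: shares host namespace via {key}")
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        ref = f"{name}/{c['name']}"
        if sc.get("privileged"):
            findings.append(f"{ref}: privileged container")
        elif sc.get("allowPrivilegeEscalation", True):  # defaults to true if unset
            findings.append(f"{ref}: allowPrivilegeEscalation not disabled")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{ref}: may run as root (runAsNonRoot unset)")
    return findings


def missing_default_deny(policies, namespace):
    """Return the directions ("Ingress"/"Egress") that no namespace-wide policy
    (empty podSelector) covers, so traffic in that direction is unrestricted."""
    covered = set()
    for pol in policies:
        spec = pol.get("spec", {})
        if pol.get("metadata", {}).get("namespace") != namespace:
            continue
        if spec.get("podSelector", {}) != {}:
            continue  # selects only some pods, not a namespace-wide default
        # With policyTypes omitted, Kubernetes applies Ingress, and Egress only
        # when an egress section is present.
        types = spec.get("policyTypes") or (
            ["Ingress"] + (["Egress"] if "egress" in spec else []))
        covered.update(types)
    return sorted({"Ingress", "Egress"} - covered)
```

Run `audit_pod(SAMPLE_POD)` and `missing_default_deny(SAMPLE_POLICIES, "shop")` against the samples to see the three findings and the two uncovered directions.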

Ensuring full security

To secure cloud-native systems, it is best not to rely on traditional manual security techniques. To build a successful DevSecOps practice, IT departments should focus on automation and on embedding security staff in DevOps teams. Because its microservice architecture is packaged on container infrastructure, a cloud-native application can scale faster than a traditional one. That means manual methods are too slow to keep it secure, and automation is mandatory. A security team embedded in DevOps ensures that security is built into the application code rather than bolted on once a problem is found; it also speeds up and clarifies the response to issues.

Let's look at five DevSecOps pillars with significant potential to ensure comprehensive security:

  • Secure and compliant deployment pipeline: analysis tools, pipeline integration, and how to build compliance and auditing into the DevSecOps and cloud-native development pipeline.

  • Secure and compliant cloud platform: identity and access management assessment, measurement and controls, infrastructure protection, data protection and incident response.

  • Compliance as code: in the software development process, compliance is treated as a code framework to ensure governance, compliance and mitigation of any risks.

  • Secrets management: managing sensitive information, keys and certificates in hybrid-cloud and cloud-based business models.

  • Container security: how to adapt security policies to containers, how to address container security threats and how to review and inspect the container operating model.

All these pillars are focus areas; therefore, to keep business applications secure at all times and completely, further review is needed. A horizontal governance pillar gives every pillar a cross-cutting view. The governance model applies to each pillar and ensures the pillars operate in a mutually beneficial way.

  • Secure delivery: ensuring the stability, compliance and security of the platform supporting applications and cloud infrastructure.

  • Security posture: developing a security posture and threat modelling to support the diversity of customer requirements.

  • Information protection: ensuring that data belonging to employees and to internal and external customers is protected.

  • Risk assessment: a gap analysis covering the current architecture, container strategy, cloud infrastructure and applications.

  • Tactical change backlog: creating an ordered backlog for tactical execution, driving a 3-6 month roadmap and strategy implementation plan by delivering project results.

The need for a new security model

Statistics show that by 2021, 92% of companies will be cloud-native companies.

That said, organisations usually struggle to build a $5,000 application and then a $5 security system for it. In cloud security, security is an equally or more important factor. DevSecOps concepts therefore need to be implemented as soon as possible, and seriously.

DevSecOps provides compliance at every stage of the application development process and is responsible for how applications are designed and deployed. First, the team assesses the nature of the groups or entities involved and establishes procedures on their behalf.

The first step is to break down the silos between teams so that everyone is responsible for protection. Because the development team builds applications with security in mind, Ops can deliver software faster and relax, knowing that developers understand stability and protection are essential.

In practice, security checks must be carried out immediately as part of the process.

Server records show who made changes, what was changed and when, all important facts to know during review. The easiest way to keep the system protected is to ensure it always runs the latest software updates. Security fixes should not take months; they should be fast and automatic. Likewise, when developing new features and APIs, the software framework should be updated to prevent potential issues, and patches applied to prevent outages.

When you build cloud-native applications, there is still no single way to secure your software. To protect cloud server resources you need a multifaceted approach; to protect your containers you need several strategies. Ultimately, to put a security priority list in place, you need a DevSecOps strategy.

What does an ideal cloud-native security framework look like?

To allow a cloud-based transformation, companies need to consider the following further requirements before designing a security policy:

  • High standards of security automation: routine security operations based on preventive measures cannot keep up with a cloud-based system that is almost unlimitedly dynamic. Manual workflows are not an option. Cloud-native security demands automated detection and sensitivity at scale.

  • Design for chaos: in a microservice architecture, many software components come together at runtime to serve any given function. From a security point of view, this means detection and control logic cannot depend on prior knowledge of how things will operate. Cloud-native security should include chaos engineering, running tests efficiently and effectively.

  • Quick identification, local containment and recovery: a cloud-native program is essentially a distributed computing application. In such an ecosystem, global security actions cannot easily be chosen. So you should prioritise measures that let you quickly identify trends before malicious activity spreads system-wide, and contain the impact locally. Even if your security decisions are not 100% accurate, local action and fast recovery are more compatible with existing systems.

So what native security should your cloud solution have? In short, let's focus on the core features. The author believes the main functions are as follows:

  • Visibility across a mixed stack and decision support

Across servers, VMs, databases, software and API services, even though applications are distributed and resources and containers are short-lived and dynamic, cloud-native data centres still need visibility and decision support. Data from these different layers should be fed into an engine for real-time decision-making.

  • Quick response and alerting to limit the blast radius

In the event of an incident or attack, the security solution must mitigate and contain the impact. This amounts to rapid, insightful decision-making and controls that can stop malicious behaviour before irreversible damage occurs. In a cloud-native environment, an intelligent detection system can fully recognise the presence of an intrusion and contain its impact locally.

  • Close monitoring and investigation

Because of all the distributed components and API services, security investigation of cloud-native workloads can be very complex, so monitoring and investigation must minimise performance impact and storage requirements. This includes a centralised monitoring architecture that does not bottleneck the network and scales with the workload.

  • Integration with automation tools

In a cloud-native environment, container workloads may be managed by Kubernetes, OpenShift, Amazon ECS or Google GKE, and deployment can (optionally) be automated with Puppet, Ansible or Chef. For security tools to be deployed automatically along with the workloads they protect, integration with such components is a prerequisite in the cloud environment.

For the event-driven containers and applications replacing the first generation of physical servers and virtual machines, security must find the right entry points to maximise visibility and reduce risk, while allowing creativity and continuous adaptation to the complexity of cloud delivery.

Conclusion

Migrating from a monolithic environment to a cloud-native one sounds very appealing, but when you decide to do so, make sure you assess all the security issues that may arise and evaluate whether you have enough resources and teams to deal with them. Most importantly, if you can achieve this change, your business can really stand out and grow.

Hopefully this article is useful to you; you are welcome to discuss it in the comments section.


Source: blog.csdn.net/csdnnews/article/details/104890424