The "Cloud Security White Paper 2021" was written by the Howler Security Industry Research Institute over more than a month of multi-party research and expert interviews. It is the first of the Institute's cloud security white papers to present the perspective of Party A (the buyer side). At the launch meeting the Institute stated that the cloud security market is expected to pass the 10 billion mark in 2021, and that profit models are shifting away from simply selling products and headcount ("people") toward capital-, channel- and scale-based models; the rapid growth of cloud security is, in its view, unstoppable.
Improving resource utilization and reducing cost are the main drivers behind the hybrid cloud trend
Cloud computing is one of the key strategies of China's "new infrastructure" construction. It is the new foundation for 5G, the Internet of Things and the industrial internet, and an inevitable step in digital transformation. The concept was first proposed in 2006 and has moved from formation and development to widespread application. Depending on the industry and its application requirements, it takes the form of public cloud, private cloud, proprietary (dedicated) cloud or hybrid cloud, and has taken root in government offices, policing, healthcare, education and other sectors.
As user services grow, a single private cloud or a single public cloud can no longer meet business needs. For example, capacity must be expanded quickly to keep access stable during peak periods, and resources must be released quickly during troughs to save money. Rapid expansion and release of resources is hard to achieve in a single private cloud, so deploying such services on the public cloud is the obvious choice: it keeps business access continuous and stable, allows fast resource release to save cost, and delivers capacity expansion in a short time. Where data compliance requirements are strict, the front end and back end can be separated: the front end is deployed on the public cloud while the back end holding core data stays in the private cloud, and the two exchange data through coordinated cloud and network links. This keeps access continuous while protecting the data. The goal is to find the "sweet spot" for each application, giving the best access performance and deployment flexibility while keeping business data secure, reliable and firmly under control.
Threats and challenges facing hybrid cloud
Cloud computing is the new foundation of the digital economy's transformation, and cloud security is a prerequisite for stable and reliable business operation. Security under a hybrid cloud architecture has two aspects: first, the problems common to any migration of business from a traditional physical data center to a cloud computing environment; second, the problems of security consistency and unified management that the hybrid architecture itself introduces.
In the traditional single-site construction model, the party responsible for security and the party using the system are one and the same across physical, network, host, application and data security. In the cloud computing model the boundary of responsibility differs according to the service model (the shared-responsibility split between provider and tenant). The protection approach also changes. In the single-site model, security devices are deployed at the perimeter to protect the intranet, attacks are detected from traffic, and different security levels are separated by partitioning the network into zones and sub-zones. Once compute, storage and network are virtualized and resources are pooled, boundaries are no longer stable and cannot be drawn along physical areas, so isolation and detection based on physical devices can no longer be implemented as before.
Under a hybrid cloud architecture, when workloads migrate from a private cloud to a public cloud, three questions arise: how to keep security policies consistent when a workload moves between different cloud environments, how to secure business data flowing between multiple clouds, and how to manage and operate security events from multiple clouds in a unified way so that potential threats are discovered.
Overall architecture of hybrid cloud security protection
Hybrid cloud security construction must first follow national standards and norms: clarify who is responsible for security and how security levels are divided, then build the security system according to the responsible party and the business. The cloud security protection system is divided into five parts: the cloud platform's secure communication network, the cloud platform's secure area boundary, the secure computing environment, the security management center, and the security operation and maintenance / service system.
Security is also a systematic construction process that must be considered from the dimensions of security management, security construction, and security operation and maintenance. Beyond the general security of the platform, the security of the virtualization layer and the security of tenants, it must provide continuous security monitoring and operation. A closed loop of security is built through products plus services, covering the whole life cycle from construction to operation, both before and after moving to the cloud.
Tianrongxin's hybrid cloud security protection architecture
For hybrid architectures that combine public, private and proprietary clouds, Tianrongxin proposes a four-layer defense-in-depth system that divides the cloud computing environment into a physical boundary layer, a cloud virtual boundary layer, a cloud virtualization layer and a cloud host layer. For each scenario (public, private or proprietary cloud) it provides the corresponding security capabilities to both the cloud platform and the cloud tenants, and the capabilities across these scenarios are managed and operated through a single cloud security management center, giving consistent security policies and unified management under the hybrid architecture.
At the physical boundary layer, traditional security devices handle boundary access control, intrusion attacks, vulnerability exploitation and traffic (flooding) attacks, implementing perimeter protection. At the cloud virtual boundary layer, cloud security resource pools and public cloud native capabilities provide vertical protection and horizontal isolation, flexibly meeting the isolation and differentiated protection requirements between tenants. At the cloud virtualization layer, an agentless micro-isolation firewall built on the virtualization layer isolates and visualizes traffic between virtual machines, preventing threats from spreading laterally between them. At the cloud host layer, light-agent EDR and adaptive host security products protect cloud hosts against malicious code and vulnerability exploitation across their full life cycle. Through this layered design and layered protection, a defense-in-depth system is built that resists attacks at every level.
Public cloud native security. On public cloud, Tianrongxin empowers tenants by building a security ecosystem and integrating its security capabilities into the public cloud itself, for example into Alibaba Cloud. As one of China's earliest network security vendors, it has a relatively complete product line covering the network, host, application and data dimensions, and can protect a tenant's business on the public cloud across its full life cycle.
East-west protection inside the private cloud platform: micro-isolation. For private and proprietary clouds, Tianrongxin implements east-west protection within the cloud platform with a virtualized distributed firewall. The product was the first in China to obtain VMware Ready certification and the first adapted to and deployed in Xinchuang (domestic IT) cloud environments. Through tight integration with the major cloud platforms, security policies can be written and dynamically adjusted according to attributes and levels such as tenant network, business application, usage environment and application port, bringing security closer to the business; business traffic is visualized by tier, effectively protecting the cloud platform's virtual network.
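The point of the micro-isolation approach described above is that east-west policy is written against workload attributes (tenant, application, environment, port) rather than IP addresses, with everything not explicitly allowed denied, so a compromised VM cannot move laterally. The following is an added illustration of that policy model, not Tianrongxin's code or the product's policy language; the workloads, labels and rules are constructed for the example.

```python
"""Label-based east-west (micro-segmentation) policy evaluation.

Added example, not Tianrongxin's code. Policies select workloads by
attributes instead of IP addresses; the first matching rule wins, and
a flow that matches no rule is denied (default deny).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str       # the IP plays no role in policy decisions below
    tenant: str
    app: str
    env: str
    role: str     # web / app / db tier


@dataclass
class Rule:
    src: dict = field(default_factory=dict)   # attribute -> required value on the source ({} = any)
    dst: dict = field(default_factory=dict)   # attribute -> required value on the destination
    same: tuple = ()                          # attributes that must be equal on both ends
    ports: frozenset = frozenset()            # allowed TCP ports; empty = any port
    action: str = "allow"                     # "allow" or "deny"


def _selects(selector, wl):
    return all(getattr(wl, k) == v for k, v in selector.items())


def evaluate(rules, src, dst, port):
    """Return 'allow' or 'deny' for one flow; first match wins, no match -> deny."""
    for r in rules:
        if (_selects(r.src, src) and _selects(r.dst, dst)
                and all(getattr(src, a) == getattr(dst, a) for a in r.same)
                and (not r.ports or port in r.ports)):
            return r.action
    return "deny"


def reachable(rules, workloads, compromised, probe_ports=(22, 80, 443, 3306, 8080)):
    """(name, port) pairs an attacker who controls `compromised` could reach."""
    out = set()
    for wl in workloads:
        if wl is compromised:
            continue
        for p in probe_ports:
            if evaluate(rules, compromised, wl, p) == "allow":
                out.add((wl.name, p))
    return out


# Constructed inventory: two tenants on one flat 10.0.0.0/8 network.
WORKLOADS = [
    Workload("web1",    "10.0.1.10", "tenant-a", "shop", "prod", "web"),
    Workload("app1",    "10.0.2.10", "tenant-a", "shop", "prod", "app"),
    Workload("db1",     "10.0.3.10", "tenant-a", "shop", "prod", "db"),
    Workload("web2",    "10.0.1.20", "tenant-b", "crm",  "prod", "web"),
    Workload("app-dev", "10.0.9.10", "tenant-a", "shop", "dev",  "app"),
]
WEB1, APP1, DB1, WEB2, APP_DEV = WORKLOADS

# Constructed policy: explicit dev->prod block first, then the two allowed tier hops.
RULES = [
    Rule(src={"env": "dev"}, dst={"env": "prod"}, action="deny"),
    Rule(src={"role": "web"}, dst={"role": "app"},
         same=("tenant", "app", "env"), ports=frozenset({8080})),
    Rule(src={"role": "app"}, dst={"role": "db"},
         same=("tenant", "app", "env"), ports=frozenset({3306})),
]

if __name__ == "__main__":
    for wl in WORKLOADS:
        print(f"if {wl.name} is compromised it can reach: {sorted(reachable(RULES, WORKLOADS, wl))}")
```

Because the decision depends only on labels, a workload that is migrated to a new address (for instance from a private cloud subnet to a public cloud VPC) keeps exactly the same policy, which is the consistency requirement raised earlier. In this inventory a compromised web1 can reach only app1 on 8080, and a compromised db1 can reach nothing, even though all five machines share one flat network.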
North-south protection at the private cloud virtualization boundary: security resource pool. Tianrongxin's security resource pool products have more than ten built-in security capabilities, which tenants can purchase on demand for differentiated protection. Using visual traffic orchestration across dimensions such as tenant and environment, the pool implements access control, communication transmission security, border protection, intrusion prevention and security auditing, meeting the regulatory requirements for security compliance management. It is currently the first such product in China deployed on Xinchuang government cloud and supporting IPv6.
Hybrid cloud API gateway. How is multi-cloud data security achieved under a hybrid architecture? An API gateway helps users address malicious access, SQL injection and DDoS attacks against services exposed through application APIs. At the same time, as an important component of a zero trust architecture, the API gateway authenticates the identity of every caller.
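The two gateway duties named above, caller authentication and throttling of abusive traffic, can be shown together in a small policy-enforcement point. This is an added example written for this page, not Tianrongxin's gateway: it verifies an HMAC-signed bearer token, applies a per-identity token bucket, and only then checks the caller's scope against the requested route. The secret, routes, scopes and requests are all constructed; a real deployment would load the key from a secret store and would also need a per-source limit for unauthenticated traffic.

```python
"""Minimal API gateway policy enforcement: authenticate, rate-limit, authorize.

Added example, not Tianrongxin's code. Tokens are "<base64url payload>.<base64url HMAC-SHA256>";
the secret and routes below are constructed for the example.
"""
import base64
import hashlib
import hmac
import json

SECRET = b"gateway-demo-secret"  # constructed; load from a KMS/secret store in practice


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, scopes, ttl, now, key=SECRET):
    """Issued by the identity provider; `now` is an injected clock (seconds)."""
    payload = {"sub": subject, "scopes": list(scopes), "exp": now + ttl}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def verify_token(token, now, key=SECRET):
    """Return the claims if the signature and expiry check out, else None."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):   # constant-time compare
            return None
        claims = json.loads(_unb64(body))                   # only parsed after the MAC passes
    except ValueError:   # malformed token, bad base64 or bad JSON
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


class TokenBucket:
    """Per-identity token bucket: `burst` requests at once, refilled at `rate` per second."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.state = {}   # identity -> (tokens, last_timestamp)

    def allow(self, identity, now):
        tokens, last = self.state.get(identity, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.state[identity] = (tokens, now)
            return False
        self.state[identity] = (tokens - 1, now)
        return True


class Gateway:
    def __init__(self, rate=5, burst=5):
        self.limiter = TokenBucket(rate, burst)
        # constructed route table: (method, path) -> scope the caller must hold
        self.routes = {("GET", "/orders"): "orders:read", ("POST", "/orders"): "orders:write"}

    def handle(self, method, path, headers, now):
        """Return (status, message); 200 means the request would be forwarded upstream."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, "missing token"
        claims = verify_token(auth[len("Bearer "):], now)
        if claims is None:
            return 401, "invalid or expired token"
        # Throttle per authenticated identity, not per source IP, so a flood
        # from one stolen credential cannot starve other tenants.
        if not self.limiter.allow(claims["sub"], now):
            return 429, "rate limited"
        needed = self.routes.get((method, path))
        if needed is None:
            return 404, "no route"
        if needed not in claims["scopes"]:
            return 403, "insufficient scope"
        return 200, f"forwarded {method} {path} for {claims['sub']}"


if __name__ == "__main__":
    gw = Gateway(rate=1, burst=2)
    tok = issue_token("alice", ["orders:read"], ttl=60, now=1000)
    hdr = {"Authorization": "Bearer " + tok}
    for t in (1000, 1000, 1000, 1001):
        print(t, gw.handle("GET", "/orders", hdr, now=t))
    print("tampered:", gw.handle("GET", "/orders", {"Authorization": "Bearer x" + tok}, now=1000))
```

Note the ordering: the signature is checked before the payload is parsed, the limiter is keyed on the verified subject rather than on anything the client controls, and authorization (scope) is evaluated last against the route table rather than trusted from the token alone.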
Container cloud security is Tianrongxin's future development direction. Its container security protection system is a product built around full life-cycle protection of containers. Starting from four dimensions, container environment security, container image security, container network security and workload security, it establishes defense in depth from the host layer up to the container application layer, so that business systems run safely and reliably in container environments.
Under multi-cloud and hybrid cloud architectures, cloud host workload security comes up more and more often. Tianrongxin builds an adaptive security protection system around a cloud workload protection platform (CWPP) that integrates prediction, defense, detection and response. By strengthening monitoring and response and analyzing continuously, it can respond to new threats in time, adjust security policies, and deliver security capabilities to cloud hosts. Compared with a model built only on static defense and emergency response, the adaptive approach covers the entire attack chain against cloud hosts, from information gathering, network intrusion and privilege escalation to lateral movement, backdoor installation and trace removal, which is how advanced persistent threats operate.
Hybrid cloud security management. Through the hybrid cloud security management center, Tianrongxin lets users purchase security safely and apply for it online under a tenant management model.
Buy on demand. For different application scenarios, Tianrongxin provides general solutions such as basic security, security operation and maintenance, network security and level protection (MLPS compliance). On the user side, security services can be purchased on demand with one click to quickly secure the user's own business.
Hybrid cloud security middle platform: cloud network security posture. Since security is the premise of business security, cloud security should give both cloud service providers and cloud service customers visibility into their security state. For both audiences, Tianrongxin provides a security event posture, a security operations posture and a security component posture, comprehensively perceiving risks in the cloud and ensuring the availability, reliability and integrity of the security capabilities themselves.
Summary of the hybrid cloud security solution
Tianrongxin's overall cloud security solution has four parts: defense in depth with comprehensive coverage, addressing the protection needs of every layer of the cloud platform; security construction for the cloud platform itself, preventing risks from entering it; micro-isolation and micro-segmentation inside the platform, providing protection within it; and centralized security management, providing unified management, unified operation and maintenance, and a centralized view of the security situation across the multi-cloud and hybrid cloud architecture.
Through products and services, the solution builds a closed loop of security capabilities, provides continuous security monitoring and operations, and covers the hybrid cloud life cycle from design and construction to operation. It escorts cloud services and gives enterprise digital transformation new momentum through in-depth defense, elastic expansion and centralized monitoring.