“Cloud Security” integrates emerging technologies and concepts such as parallel processing, grid computing, and judgment of unknown virus behavior. Through the abnormal monitoring of software behavior in the network by a large number of mesh clients, it obtains the latest information about trojans and malicious programs in the Internet, transmits it to the server for automatic analysis and processing, and then distributes the virus and trojan solutions to each client.
What are the key cloud security technologies?
1. Credibility of infrastructure
The main infrastructure of mobile cloud can be divided into four layers, including physical layer, loan source energy simulation layer, virtual machine layer and cloud management plane.
Trusted computing refers to security protection while computing, so that the calculation results are always the same as the expected values, so that the whole calculation process can be measured and controlled without interference. The basic idea of using trusted computing technology to actively protect devices and systems in cloud infrastructure is to first build a trusted root at the first moment of device startup, and then establish a trust chain, starting from the trust root to the device firmware, BootLoader, operating system, and then to the application or virtual machine system. Level 1 authentication and level 1 trust extend this trust to the entire device system, So as to ensure the security and credibility of the entire equipment system.
It mainly involves technologies such as physical trusted root, trusted startup, trusted metric, virtual trusted root, virtual machine trusted startup, virtual machine reliability, trusted connection, and trusted certification. By comprehensively using these trusted computing technologies, you can achieve trusted security reinforcement of the cloud system, with cloud management plane security.
2. Micro isolation.
At present, the east-west traffic in the resource pool has become the main traffic in the resource pool, while the physical security devices or virtualized security devices deployed at the border can hardly find attacks on east-west traffic in the resource pool (such as cross tenant attacks in the resource pool, attacks between provincial businesses, etc.), especially east-west traffic attacks that do not leave the physical network card between different virtual machines of the same host. The current VLANs, VXLANs, etc. have solved the isolation of tenants and virtualized network elements, but they cannot perform fine monitoring and control of ports. Therefore, we need to use micro isolation technology to conduct a comprehensive and detailed visual analysis of east-west traffic, and conduct fine-grained security access policy management. At present, micro isolation generally includes network port status carding, port analysis, port monitoring and disposal functions.
3. Application security.
When cloud services interact with external services, key technologies such as port whitelist, vulnerability detection and security reinforcement, HTTP request content detection and DNS security should be used to ensure the security of cloud service applications.
4. Data security.
Based on the data security protection requirements of the cloud platform, certain data security technical means should be used to ensure the confidentiality, integrity and availability of data. Typical means include data desensitization, automatic identification of sensitive data, data encryption, log audit, etc.
5. Zero trust based access control.
In order to ensure the safe and stable operation of the cloud data center and user business, and solve the problems of fuzzy boundaries and difficult access control caused by cloud computing, on top of the traditional 4A access control, we can also conduct joint identity authentication, continuous trust rating and dynamic adaptive access control for the accessed users and devices based on the concept of zero trust, and take the audit results as the risk items of trust rating, finally forming a closed-loop management of access control. It includes account management, identity authentication, access authorization and operation audit.
