With the development of modern science and technology, urban populations have become ever larger and denser. This has put unprecedented pressure on urban operation and management: problems in public safety, transport, education, healthcare, housing and more keep emerging. Where does the city go from here? A green, low-carbon, circular, safe, friendly and intelligent city is the answer to all of these questions.
Since the Twelfth Five-Year Plan listed cloud computing as a key strategic emerging industry, government support for cloud computing has grown and cloud computing centers have sprung up everywhere. In layman's terms, cloud computing lets us consume IT resources the way we consume water and electricity, and makes information and communication more efficient. The city cloud is like the water company: just as the economy moved from a self-sufficient natural economy to a commodity economy, computing resources can now be drawn like tap water and paid for on demand. The city cloud is an integrated urban information service system for government, enterprises and the public. With the city cloud computing center as its main carrier, it builds and integrates formerly scattered hardware, software and data resources and achieves resource sharing and business synergy in a more intelligent way, which can markedly improve urban management and public service capacity.
Security is the biggest obstacle to the development of cloud computing and the issue cloud users care about most. Although a cloud uses a variety of security measures, much of the information the system handles is confidential or private data belonging to enterprises, government or individuals, so the data security requirements are higher than for an ordinary system.
What is cloud security
In China the same term often carries several meanings, and cloud security is no exception: it has two voices. Cloud security means creating a secure environment for cloud computing; security cloud means delivering security to users as a service. The two voices reflect the current situation; neither is right or wrong, and each represents a real demand.
In the cloud computing centers of several cities, such as Chengdu and Shanghai, the operating teams' expectations of cloud security are mixed. First, they are eager to solve the cloud's own security problems, because this is the key to the sustainability of the cloud computing center. The government, as the main customer of a city cloud computing center, hopes to move all the applications of city informatization into the center under unified operation and unified management, but the prerequisite is that the center meets the Level 3 requirements of the Ministry of Public Security's classified protection scheme. Although classified protection is a general requirement for information systems, a cloud computing center is first an information system and only then a cloud computing center. Therefore in city cloud construction, and even more so in government, military and similar cloud computing centers, meeting the classified protection requirements is essential.
Second, the operators of city cloud computing centers are keen to expand their revenue streams. If they can deliver security to their users as a service, the city cloud computing center has found a new profit model. This model can be copied from today's mobile operators: a variety of packages can be tailored to users, and different user types can choose different security value-added packages. A basic value-added package serves the information services of small and medium-sized enterprises, such as portals and mail systems; a premium value-added package serves medium-sized e-commerce sites and systems such as portals and office OA; and a VIP value-added package serves large e-commerce sites.
Service content                          Basic pack   Premium pack   VIP pack
Firewall                                     √             √            √
Antivirus, anti-worm                                       √            √
Anti-web-tampering                                                      √
Anti-attack (DDoS)                           √             √            √
Anti-Trojan, anti-phishing                                 √            √
URL filtering                                √             √            √
Traffic analysis report                                    √            √
Anomaly alarm                                √             √            √
Vulnerability scanning and patching                                     √
Application load balancing                                 √            √
Peer-to-peer (P2P) rate limiting                                        √
Ticks are assigned on the assumption that each higher package includes everything in the packages below it.
The positioning of cloud security
Faced with cloud security and the security cloud, which do we do first? How do we weigh the fish against the bear's paw? Should we first ensure that the cloud computing environment itself is secure, or first provide security services? When facing such a choice we can look at similar practice in traditional industries.
Take banking as an example: China Merchants Bank provides safe deposit box services to its customers. The safe deposit box is a security service, much like providing security services from the cloud. It is not hard to see that, before offering it, the bank first had to build a secure banking network: install anti-theft and alarm systems; establish a sound identity verification system, possibly including fingerprint recognition; and establish a proper management system that prevents internal security incidents and does not disclose customers' personal information. Only with these security measures in place do customers deposit their money in the bank. Once the bank has operated stably and securely for a long time, customers apply for more advanced safe deposit box services according to their own needs.
In the same way we can apply this process to the development of cloud security: first build a secure cloud computing environment, introduce the various security measures and a security management system, create a secure operating environment and give users a trustworthy computing environment. When users have come to understand the cloud computing center and can trust this model, they will buy the various value-added security services.
Therefore the development of cloud security can follow the banking model: first solve the cloud computing center's own security problems, then develop cloud security services.
The characteristics of cloud security
A journey of a thousand miles begins with a single step. Cloud computing is a new thing, and cloud security has gradually gained attention with its arrival. So although cloud computing is in full bloom, the development of cloud security must in any case proceed step by step.
Cloud security is the clearest case of the barrel principle: the shortest stave determines the capacity. Suppose a cloud computing center protects user data with a very strong identity authentication system, so that no hacker can steal the data, but its machine room has no access control system and nobody guarding the door, so anyone can walk in. Then no matter how good the authentication system and how advanced the network isolation, a "thief" can still stroll into the machine room and carry the hard drives away. Cloud security must therefore be security of the whole, not security at one point or at one layer.
A cloud computing center should first be treated as an information system, and only then should its cloud characteristics be considered. What security protection does a traditional information system need? Let us look at the Ministry of Public Security's classified protection requirements for information security:
- Physical security: fire, flood and theft prevention measures of every kind.
- Network security: detect the various network attacks and block and protect against them effectively.
- Host security: ensure that hosts can withstand attacks by malicious code.
- Data security: the data of different users is effectively protected and user data is not leaked.
- Application security: identity authentication, access control and security auditing in the applications, and so on.
- Security management: establish a sound management system and a secure operation and maintenance process, so that the cloud computing center can operate normally and deal with various
Cloud computing itself has some new characteristics beyond those of traditional information systems. Whether these new characteristics are taken into account in cloud security also decides whether a cloud computing center is fully secure.
One characteristic of cloud computing is virtualization: multiple virtual machines run inside the same physical machine. How, then, do we monitor the communication between virtual machines, control their traffic and isolate them from one another? Traffic between two virtual machines on the same host passes through the hypervisor's virtual switch and never reaches the physical network, so a conventional firewall or intrusion detection device on the physical link never sees it. These questions concern how the traditional network architecture is realized in a virtualized environment and how traditional network security devices are themselves virtualized.
These new characteristics are especially prominent in the public cloud, where small tenants usually rent one or a few virtual machines, so many tenants easily end up on the same physical machine. How to isolate these tenants, enforce traffic and access control between them, and keep a complete audit trail is a new problem of the cloud computing environment.
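The following is an added illustration, not code from the article or from any city cloud project: a small model of a hypervisor-level virtual firewall enforcing tenant isolation on a shared physical host. The VM names, tenant names, hosts, addresses and the sample flows are all constructed for the example. It shows the point made above: the cross-tenant flow between two VMs on the same host is exactly the one a perimeter device would never see, so the virtual firewall has to both block it and keep the audit record itself.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    tenant: str
    host: str   # physical machine the VM is placed on
    ip: str


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int


# Constructed inventory (hypothetical names): tenants A and B share host pm-01,
# tenant C is alone on pm-02.
VMS: List[VM] = [
    VM("web-a", "tenant-a", "pm-01", "10.0.1.10"),
    VM("db-a", "tenant-a", "pm-01", "10.0.1.11"),
    VM("web-b", "tenant-b", "pm-01", "10.0.1.20"),
    VM("web-c", "tenant-c", "pm-02", "10.0.1.30"),
]
BY_IP: Dict[str, VM] = {vm.ip: vm for vm in VMS}


def seen_by_perimeter(flow: Flow) -> bool:
    """True if the flow crosses the physical network, where a conventional
    firewall or IDS on the uplink could inspect it. Two VMs on one host talk
    through the hypervisor's virtual switch and never reach that device."""
    src, dst = BY_IP.get(flow.src_ip), BY_IP.get(flow.dst_ip)
    if src is None or dst is None:
        return True  # one end is outside the cloud, so the flow uses the uplink
    return src.host != dst.host


class VirtualFirewall:
    """Hypervisor-level policy: allow inside a tenant, deny across tenants unless an
    explicit (src_tenant, dst_tenant, dst_port) exception exists, and record every
    decision so the audit trail is complete even for flows the perimeter never sees."""

    def __init__(self, exceptions: Set[Tuple[str, str, int]]):
        self.exceptions = exceptions
        self.audit: List[Dict[str, object]] = []

    def decide(self, flow: Flow) -> str:
        src, dst = BY_IP.get(flow.src_ip), BY_IP.get(flow.dst_ip)
        if src is None or dst is None:
            verdict, reason = "deny", "endpoint not in inventory"
        elif src.tenant == dst.tenant:
            verdict, reason = "allow", "same tenant"
        elif (src.tenant, dst.tenant, flow.dst_port) in self.exceptions:
            verdict, reason = "allow", "cross-tenant exception"
        else:
            verdict, reason = "deny", "cross-tenant default deny"
        self.audit.append({
            "src": flow.src_ip, "dst": flow.dst_ip, "port": flow.dst_port,
            "src_tenant": src.tenant if src else None,
            "dst_tenant": dst.tenant if dst else None,
            "verdict": verdict, "reason": reason,
            "seen_by_perimeter": seen_by_perimeter(flow),
        })
        return verdict


# Constructed sample east-west traffic.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.1.10", "10.0.1.11", 3306),  # web-a -> db-a: same tenant, same host
    Flow("10.0.1.20", "10.0.1.11", 3306),  # web-b -> db-a: other tenant, same host
    Flow("10.0.1.30", "10.0.1.11", 3306),  # web-c -> db-a: other tenant, other host
    Flow("10.0.1.30", "10.0.1.10", 443),   # web-c -> web-a: allowed by exception
]


def run_sample() -> VirtualFirewall:
    """Apply the policy to the sample flows and return the firewall with its audit log."""
    vfw = VirtualFirewall(exceptions={("tenant-c", "tenant-a", 443)})
    for flow in SAMPLE_FLOWS:
        vfw.decide(flow)
    return vfw


def blind_spots(vfw: VirtualFirewall) -> List[Dict[str, object]]:
    """Denied cross-tenant flows that a perimeter device could never have caught."""
    return [e for e in vfw.audit
            if e["verdict"] == "deny" and not e["seen_by_perimeter"]]


if __name__ == "__main__":
    fw = run_sample()
    for entry in fw.audit:
        print(entry)
    print("blind spots for the perimeter:", len(blind_spots(fw)))
```

In the sample, the attempt by web-b to reach tenant A's database is denied and is also the only denied flow with seen_by_perimeter set to False; that entry exists only because the virtual firewall wrote it. In a real deployment the policy would live in the hypervisor's virtual switch or a virtual firewall appliance, and the audit entries would be shipped to the central audit platform rather than kept in memory.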
Cloud security architecture
To achieve overall security of the cloud computing center we need a "three-dimensional" protection system built from security standards, security technology and security management. It takes classified protection, ISO 27000 and the CSA Cloud Security Guidance as its three guiding standards; uses identity authentication, data protection and network security as its protection technologies, integrating the corresponding traditional and virtualized security products; and combines these with security management measures such as security auditing, operations monitoring and compliance review to form a complete cloud security solution.
Classified protection and ISO 27000 are general requirements for the basic security protection of information systems; the CSA Cloud Security Guidance covers the new security characteristics of the cloud computing environment. Combining the two as the guide for the overall cloud security system ensures the completeness of security and lets it truly take hold.
Apart from the security standards, the overall cloud security system should cover three aspects: products, technology and management. "Products" means the security products the cloud computing center needs to use, such as firewalls, CAS, intrusion detection and vulnerability scanning, as well as security products with cloud characteristics, such as virtual firewalls and virtual IPS. Each product solves one or a few security points of the cloud computing center: a bastion host solves the single sign-on problem for operations staff, and finger-vein authentication solves biometric identity authentication.
These products address the cloud computing center's security from the angles of identity, data, network and so on, but each product stands alone. A traditional information system may only need to maintain one or a few security products, such as a firewall and a behavior audit system. But as the number of users and the network topology change, the number of virtual network security products can change greatly. Configuring, managing and maintaining such a large number of products by hand is not only an impossible task but also risks a moment's negligence leaving a security product ineffective. Managing and maintaining so many products requires "technology" to integrate them, so that they actually deliver their security effect.
Besides the security technology and products, security management is just as important; as the saying goes, security is "three parts technology, seven parts management", which stresses the weight of management in the security system. Security management is the most effective means of guaranteeing that the technical measures actually work, and establishing a sound security management system is not only a requirement of classified protection and ISO 27000 but also an indispensable part of any security system. With only the technology and products and no corresponding management, the required security cannot be achieved: a firewall may be purchased but its rules never set according to business needs, or never updated as the business changes, and the required level of security is not reached. Operations and maintenance management is therefore especially important in the day-to-day work of the cloud computing center.
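The firewall case in the paragraph above, as an added example that is not code from the article or from any product it mentions: a check that compares a live allow-rule set against the current business inventory and reports rules left behind by retired systems, rules opened wider than the business asked for, and new services the firewall was never updated for. The service names, addresses, network ranges and rules are all constructed; the inventory format is a hypothetical one chosen for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR; "any" means 0.0.0.0/0
    dst: str      # destination host IP
    port: int
    action: str   # "allow" or "deny"


@dataclass(frozen=True)
class Service:
    name: str
    ip: str
    port: int
    allowed_from: str  # CIDR the business says may reach it; "any" for public services
    active: bool       # False once the business has retired the system


def to_net(cidr: str) -> ipaddress.IPv4Network:
    """Normalize "any" and host/CIDR strings to a network object."""
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def audit_rules(rules: List[Rule], services: List[Service]) -> Dict[str, list]:
    """Compare the live allow-rules with the current business inventory."""
    active = {(s.ip, s.port): s for s in services if s.active}
    allows = [r for r in rules if r.action == "allow"]

    # Allow-rules left behind after the system behind them was retired.
    stale = [r for r in allows if (r.dst, r.port) not in active]

    # Rules that open a service to more sources than the business asked for.
    overbroad = []
    for r in allows:
        svc = active.get((r.dst, r.port))
        if svc is None:
            continue
        rule_net, wanted = to_net(r.src), to_net(svc.allowed_from)
        if rule_net != wanted and rule_net.supernet_of(wanted):
            overbroad.append(r)

    # Active services with no rule at all: the firewall was never updated for them.
    covered = {(r.dst, r.port) for r in allows}
    missing = [s for s in active.values() if (s.ip, s.port) not in covered]

    return {"stale": stale, "overbroad": overbroad, "missing": missing}


# Constructed business inventory (hypothetical services and addresses).
SERVICES: List[Service] = [
    Service("portal", "10.0.2.10", 443, "any", True),
    Service("mail", "10.0.2.11", 25, "10.0.0.0/8", True),
    Service("legacy-oa", "10.0.2.12", 8080, "10.0.0.0/8", False),
    Service("new-shop", "10.0.2.13", 443, "any", True),
]

# Constructed rule set as it might look after months without review.
RULES: List[Rule] = [
    Rule("any", "10.0.2.10", 443, "allow"),          # matches the inventory
    Rule("any", "10.0.2.11", 25, "allow"),           # inventory says 10.0.0.0/8 only
    Rule("10.0.0.0/8", "10.0.2.12", 8080, "allow"),  # legacy-oa has been retired
    Rule("any", "0.0.0.0/0", 0, "deny"),             # final catch-all deny
]


def run_sample() -> Dict[str, list]:
    return audit_rules(RULES, SERVICES)


if __name__ == "__main__":
    for category, items in run_sample().items():
        print(category)
        for item in items:
            print("  ", item)
```

Run regularly (for instance from the change-management process, every time the business inventory is updated), a check like this turns "update the rules as the business changes" from a management intention into something that is measured. The same comparison extends naturally to the per-tenant virtual firewalls mentioned earlier, where the number of rule sets is far too large to review by hand.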
Future development of cloud security
Cloud computing security involves a wide range of issues and is a systemic problem that needs collaborative design and construction across the dimensions of standards, products, technology, management and more. As cloud computing develops, many new cloud security issues will emerge, the corresponding security standards will gradually mature, and the cloud security architecture or its content may be adjusted. The security system must not only meet the relevant standards but also meet the actual needs of the cloud computing center, so that the ever-elusive security of the cloud can truly take hold.
Author: Shi Cloud system and operations director
(Responsible editor: Lu Guang)