What security protection does the private cloud need?

(1) Law and compliance management


　　


(a) security policy


　　


Enterprises in the introduction of cloud computing environment, must be in accordance with legal and industry norms, the development of relevant security policies, including:


　　


Cloud Service Usage specification (which business and data can use public cloud service? which can only use the internal private cloud?)


Cloud Services Provisioning Program


Cloud Data backup solution


internal Private cloud security management specification


Virtualization Environment Security Protection


　　


Enterprises can ISO27000 do the basis, reference CSA (Cloudsecurityalliance) provided by the "cloud computing key areas of security Guide" to develop a complete cloud information security management system.


　　


(b) Compliance Management


　　


Enterprises have developed a cloud related safety and management norms, "acts of law is not enough to their own", must have a systematic process and tools to implement the relevant norms. However, through manual inspection, regardless of complexity, cost or response time can not meet the need for flexible scheduling, rapid response to the needs of the cloud environment needs, so import automation compliance management tools, has become the cloud compliance management of the necessary technical means. In addition to the introduction of automated compliance management tools, enterprises must also have a corresponding management process, safeguard strategy, norms and technical means of implementation.


　　


(c) Personnel Management


　　

The most likely trend for
future Clouds is the "hybrid cloud", the non-enterprise core business is entrusted to the third cloud service provider to reduce the overall cost of the enterprise; However, this also brings new challenges for the enterprise in the personnel account and the Authority management, the enterprise does not only consider the data center each system unified account management and the Authority control, Also take into account the use of the third cloud services for enterprise security management. For example, when people retire, in addition to shutting down the enterprise accounts and permissions, you must also shut down the third cloud service account, to avoid the cloud services stolen or abused.


　　


(d) Missing corrective


　　


enterprises through internal and external audit can find the information environment potential hidden dangers, but in the cloud environment, due to the flexible system scheduling and rapid response, the following two points, will become the enterprise to ensure "cloud environment" safe operation of the focus.


　　


How to retain the relevant log, as the basis for immediate analysis and audit afterwards


immediate correction is missing, shorten the protection window period, avoid the recurrence of the same security risks


　　


In addition, how to audit the third cloud service providers, and to require timely correction of possible deficiencies, involving multi-party trust and two-way audit issues, will be the enterprise to "cloud era" a major challenge. To minimize possible disputes and risks, enterprises should define the terms and conditions of the contract and service level agreement (SLA) with the cloud service provider.


　　


(e) Security Report


　　

The
safety report is an important reference for the high-level supervisor to control the operation of the enterprise information environment. For private clouds, how to relate the log to the dynamic scheduling system and accurately locate the security events will be the challenge of the enterprise security protection; for public cloud, enterprises need to consider whether the third cloud service provider can provide the security report that the enterprise need immediately, and integrate with the log of related system in enterprise, To produce a full range of safety reports on the overall operation of the enterprise. The Information Security information management system with event regularization and automatic association ability will be a sharp weapon for enterprise to solve the problem of safety report.


　　


(2) Content and privacy protection


　　


(a) data classification


　　


with the advent of the cloud era, enterprises in addition to the existing structured data, there is a large number of unstructured data. In the face of massive data, if the data are sensitive and non-discriminatory, give the same protection, not only the complexity of management, operation efficiency is low, and must spend Ju amount of cost; In practice, it is not feasible at all. Therefore, the enterprise must classify the data in the enterprise, give different levels of protection, minimize the interference to the users, and take into account the security, cost and efficiency.


　　


(b) Data protection





in the cloud computing environment, the cloud platform is carrying a large amount of data processing and storage, enterprises must ensure that sensitive data have appropriate authority control, and through the data content control, to prevent the cloud platform operators inadvertently or intentional leakage behavior. In addition, the terminal is an important tool to access the cloud resources, but it is also one of the important channels of information leakage. Enterprises can reduce these two kinds of risks effectively through the data leakage prevention (DATALOSSPREVENTION,DLP) tool.


　　


(c) Data encryption


　　


data is stored in the enterprise's data center or Third-party cloud platform, enterprises can not help but worry about the "inside" and "data isolation" problem, data encryption is an important defense mechanism to solve such problems. In addition, cloud computing environment, the emergence of a large number of mobile terminals, has become an inevitable trend, terminal encryption is one of the important means to solve the loss of terminal equipment.


　　


(d) Data flow to


　　


in the face of a large number of data stored in the cloud, enterprises, whether in the storage management, security audits or forensic evidence, will face the following three issues:


　　


who accesses the data most often?


who accessed the data?


What data has an employee visited?


through the system log although can give some answers, but the enterprise faces difficult to analyze and can not grasp the full picture of the challenges; automated data flow monitoring and tracking system, can give answers to the above questions, so that enterprises for data security protection will be more confident.


　　


(e) data retrieval


　　


Enterprises have a large number of data stored in the private cloud and public cloud, how to quickly retrieve, find the necessary information, is the enterprise into the cloud era of the process, must face the problem; the cost of enterprise data retrieval can be significantly reduced through automated search tools.


　　


(3) Infrastructure security


　　


(a) system security





to prevent the cloud system from being invaded, has been the focus of many enterprises; with the operating system manufacturers constantly improve security, and security defense technology progress, hackers have focused on the application of security, through the enterprise development and application of loopholes, penetrate the cloud data center, access to enterprise-sensitive information. For application vulnerabilities, enterprises can detect and hinder by applying vulnerability checking and analysis tools, intrusion detection system, application firewall and security incident Audit system to minimize possible risks. However, as enterprises continue to strengthen the cloud data center protection capabilities, hackers will attack the user side, through sophisticated targeted attack (targetedattack) techniques, long-term ambush in the enterprise terminal, access to sensitive data within the enterprise, and as a further invasion of the cloud data center of the best springboard. In view of the high persistence threat (ADVANCEDPERSISTENTTHREAT,APT) tactics adopted by the target attack, the security vendors have launched a new generation of security defense methods such as cloud credit rating system and behavior detection technology to prevent effectively. In addition, in the case of system security protection, the enterprise must consider whether the security product can provide the same protection capability as the physical environment and whether it will cause resource conflict in the virtual computing environment. The security protection of virtualized environment is a challenge to the security vendors, At present, only a handful of security products in the market can be safe and efficient, and can effectively avoid the conflict of virtual environment resources. Although "system security" is only an integral part of the overall security protection framework in the cloud, it is often an important key index for the success of the enterprise information security.


　　


(b) System Management


　　


Cloud Platform emphasizes on-demand self-service and flexible resource scheduling, automation system management has become the necessities of enterprise cloud platform; In addition, through automated system management tools of asset management, software and patch distribution and application monitoring functions, can further assist enterprises to enhance the cloud Platform security protection and management capabilities. "Terminal consumption" has become a trend in the cloud era, more and more employees require their own mobile devices to send and receive the company's Mail and processing business, the diversity of equipment, the user's freedom and privacy protection and so on, the traditional enterprise management mode of the terminal has been seriously challenged. Many enterprises are imported through the mobile device management solution, conditionally allow employees to use their own mobile devices; Enterprises can distribute the necessary security policies and internal Office applications, or remotely lock or erase data in the device, and make a clever balance between the freedom of the employee's choice of equipment and the security of the enterprise data. There are already system management vendors that can provide an integrated solution from the terminal to the private cloud and the public cloud, allowing the enterprise to have the lowest total cost of ownership (TCO) and enjoy the benefits of cloud and mobile devices.


　　


(c) Storage Management


　　


with the advent of the cloud era, a large number of data from the mainframe, minicomputer and terminal to the cloud platform, how to more efficient use and management of storage, improve efficiency and reduce costs, enterprises are facing new challenges; In addition, a large number of virtual machines in the cloud platform, how to avoid the launch of the storm, but also the enterprise in the cloud Era storage management, The problem that needs to be solved. Storage virtualization solutions that cross platforms and support virtualized environments will be an important means of storage management in the process of enterprise moving towards private cloud. In addition, in the public cloud environment, there are already cloud service providers to provide storage virtualization software leasing services, so that enterprises in the public cloud can also be more efficient use and management of leased storage.


　　


(d) High Availability


　　


modern enterprises have been separated from the information system, to ensure the high availability of the system is the enterprise to maintain business processes and brand image of the important work. In a private cloud, in addition to considering the usability of the system, the enterprise must consider the high availability of the critical application itself to reduce the risk that the underlying system can still respond to the request, but the application has ceased to function. For applications that use the public cloud, consider the scope of Service level agreement (SLA) coverage to avoid the disruption of service by cloud service providers; In addition, enterprises in the adoption of the third cloud services, the supplier should consider the financial situation and alternatives to reduce the risk of suppliers to fail or discontinue the service.


　　


(e) Backup archive


　　


data Backup is an important means for enterprises to recover quickly after a major security accident. In addition, data archiving has become an important tool in the cloud computing era to enhance the efficiency of storage and reduce the cost of using Third-party cloud platforms. For a private cloud environment, the enterprise must consider the existing backup and archiving tools, whether it can support virtualized environments, and for businesses that use third-party public cloud, enterprises must consider a contract and service level agreement (SLA) to ensure data backup, recovery, archiving, and destruction. A perfect data protection plan will be the key to guarantee the sustainable operation of modern enterprises.