About security before the Conference

Source: Internet
Author: User
Tags csa

As with all major events (such as the Olympics and the Expo), security is an important topic ahead of the cloud computing conference. Unlike those other events, the focus on security here is not only about ensuring the success of the conference itself, but also because security is one of the most important topics in the cloud computing field.

 

The second cloud computing conference will be held in Beijing on July 22 and July 22. This will be another major event for cloud computing in China. Judging from the agenda, this year's conference is far more pragmatic than the first one last year. If last year's content was still at the stage of preaching, this year we can clearly sense banners being raised and the smell of gunpowder in the air. Several large international vendors that once served as cloud computing advocates continue to promote their various definitions of the cloud in an attempt to lead the industry's direction, while at the same time still trying to sell their traditional online products under the cloud computing label. Meanwhile, a large number of domestic manufacturers have done fruitful, down-to-earth work based on their own understanding of the cloud and on actual needs in China, and have achieved remarkable results. In particular, several telecom operators in China have begun supporting and exploring cloud computing over the past year, and their special position in the cloud computing industry chain means their participation plays an important role in the development of cloud computing in China. If the "big cloud" exhibited by China Mobile at last year's conference made attendees' eyes light up, then this year the operators will have to bring something better to attract everyone. Of course, what people expect is that operators will deliver services based on cloud computing technologies as soon as possible, so that users can truly feel the benefits of cloud computing.

Although the application and promotion of the cloud are imperative, its security has been criticized since its birth. When all computing and data storage are scattered in an invisible and illusory cloud, people without exception feel the fear of losing control and ask whether the cloud will undermine their privacy and further damage their rights and interests. At this year's conference, cloud security is considered an important topic. I invited Dr. Xu Rong from the security field in China and Huang Yu, an internationally renowned computer system structure expert, to explain the security problems faced by the cloud. I have been in touch with both of them, and I have benefited a lot from the fact that the cloud has been built. In particular, Mr. Xu Rongsheng is a senior teacher of the two high school students. Therefore, we must be more emotional.

So what is the difference between cloud security and traditional security? What deserves special attention? As the CSA (Cloud Security Alliance, http://www.cloudsecurityalliance.org/) says in its "Security Guidance for Critical Areas of Focus in Cloud Computing": in terms of security controls, the cloud is not much different from other IT environments. However, the service models, the operation models, and the technologies used to provide cloud services may lead to different risks.

Take the cloud service models as an example. There are three models that are already well known, though not necessarily well founded: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service). NIST defines them as follows:

- SaaS: provides users with applications running on the cloud architecture. Users can access the applications from a variety of client devices through thin client interfaces (such as Web browsers). Users do not need to manage or control the underlying cloud architecture (including networks, servers, operating systems, storage, and even individual application capabilities). Instead, they only need to attend to the limited application configuration settings that are specific to them.

- PaaS: provides users with the ability to deploy their applications (which may be created by the users or obtained from elsewhere) on the cloud architecture. The programming languages and tools used to create these applications must be supported by the service provider. Users do not need to manage or control the underlying cloud architecture (including networks, servers, operating systems, and storage), but they do need to control the deployed applications, and they may also need to configure the application environment.

- IaaS: provides users with processing, storage, networks, and other basic computing resources. Users can deploy and run any software on them, including operating systems and applications. Users do not need to manage or control the underlying cloud architecture. However, they need to control the operating system, storage resources, and deployed applications, and may have limited control of some network components (such as host firewalls).

From the definitions of these three cloud service models, it is not difficult to see that even though users have entrusted their computing and storage to the cloud, they cannot simply sit back while enjoying the service. Especially in terms of security policy, they absolutely cannot expect the cloud provider to solve every problem. The security protection methods and responsibilities of the three cloud service models are different. SaaS places the highest security requirements on the cloud provider, which needs to establish an overall protection system from the top-layer application down to the underlying hardware to ensure the security of the service, and thus assumes the majority of the security responsibility; this also limits the user's freedom. IaaS, by contrast, gives users ample freedom to build their own computing environment and then develop or deploy the applications they need. However, it also requires users to manage every layer of the computing system hierarchy except the underlying hardware, and the provider only needs to consider the security of the hardware layer. PaaS sits between the other two service models: the service provider must provide basic security protection, and users must apply their own security configuration based on actual needs to form a complete protection system. This, however, also blurs the responsibility boundary between providers and users.

As described above, the service models alone complicate cloud security policy, and the security complexity caused by other cloud features calls for more comprehensive and in-depth research. Within the cloud security topic, which fields deserve more attention from the industry? To answer this question, the CSA gives some guidance and proposes 12 focus areas. These areas are divided into control and operation categories. The control category addresses security issues from a strategic perspective, while the operation category focuses on specific tactical solutions. For more detailed descriptions of the twelve areas, refer to the CSA's "Security Guidance for Critical Areas of Focus in Cloud Computing".

From the analysis of the cloud service models, we can see that no matter which model is used, the management and control of the underlying cloud architecture must be carried out by the service provider. Given the development status of cloud computing in China, IaaS will be the mainstream service of the various providers in the future, so the security of the cloud's underlying hardware resources has become the focus of the providers' attention. To provide better dynamic expansion capabilities and to ease the management complexity of large-scale systems, virtual machines are widely used in the underlying architecture of the cloud. As a result, in addition to the security problems that already exist in traditional IT systems, providers also need to focus on issues related to virtual machine technology. An underlying cloud architecture based on virtual machines adds a virtualization resource management layer that traditional IT systems do not have, and the security policy at this layer is critical. One example is the security isolation of virtual machines. Because all virtual machines are deployed in the same virtual resource pool, effective isolation of virtual resources is the basis for ensuring the isolation of virtual machines. In traditional IT systems, the network is the main channel connecting servers to the outside world, so network security (such as intrusion detection) has always been a key field for ensuring server security. In a virtual machine environment, in addition to the network, virtual machines can communicate with each other through other local hardware resources (such as shared physical machine memory). Therefore, network-layer security policies alone are insufficient to protect the security of virtual machines.
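The isolation point above can be checked from the virtualization layer's own configuration. The following is an added example, not part of the original article: it assumes guests are described with libvirt-style domain XML, and the guest names, network names and the `buf0` shared-memory region are constructed sample data.

```python
import xml.etree.ElementTree as ET
from itertools import combinations

# Constructed libvirt-style domain XML for three guests on one host (sample data).
DOMAINS = {
    "tenant-a-web": "<domain><devices>"
        "<interface type='network'><source network='net-a'/></interface>"
        "<shmem name='buf0'><model type='ivshmem-plain'/></shmem>"
        "</devices></domain>",
    "tenant-b-db": "<domain><devices>"
        "<interface type='network'><source network='net-b'/></interface>"
        "<shmem name='buf0'><model type='ivshmem-plain'/></shmem>"
        "</devices></domain>",
    "tenant-b-app": "<domain><devices>"
        "<interface type='network'><source network='net-b'/></interface>"
        "<filesystem type='mount'><source dir='/srv/b'/><target dir='b'/></filesystem>"
        "</devices></domain>",
}

def channels(domain_xml):
    """Return (networks, host-local resources) that one guest is attached to."""
    devices = ET.fromstring(domain_xml).find("devices")
    if devices is None:
        return set(), set()
    nets = {s.get("network") for s in devices.findall("interface/source")
            if s.get("network")}
    local = {("shmem", d.get("name")) for d in devices.findall("shmem")}
    local |= {("hostdir", s.get("dir")) for s in devices.findall("filesystem/source")
              if s.get("dir")}
    return nets, local

def hidden_paths(domains):
    """Guest pairs that share a host-local resource but no virtual network,
    i.e. a path that network-layer policy alone never sees."""
    seen = {name: channels(xml) for name, xml in domains.items()}
    findings = []
    for a, b in combinations(sorted(seen), 2):
        (nets_a, local_a), (nets_b, local_b) = seen[a], seen[b]
        shared = local_a & local_b
        if shared and not (nets_a & nets_b):
            findings.append((a, b, sorted(shared)))
    return findings

if __name__ == "__main__":
    for a, b, shared in hidden_paths(DOMAINS):
        print(f"{a} <-> {b}: shares {shared} with no common network")
```

On the sample data, the two guests on separate virtual networks are still reported because both attach the same shared-memory region.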

Cloud computing service providers should not only study how to ensure the security of the services they provide to users, but also how to make users trust the providers themselves, so that users are willing to hand their computing and storage over to the provider's cloud. This is similar to savings. Depositors entrust their money to a bank less because of the interest and other benefits it returns than because they believe the bank has a strong credit guarantee. In cloud computing, whether a provider can have the same credibility as a bank is a big question mark. Moreover, unlike deposits, which cannot be replicated, the information or data of cloud users can be copied without users easily noticing. Therefore, beyond being able to withstand third-party intrusion, it is even more important for cloud providers to "keep themselves clean" and to be effectively monitored. In this regard, as a special part of the domestic cloud computing industry chain, telecom operators will have the opportunity to play a greater role. With the support of national policies and their own strength, they may gain considerable influence in the industry and establish sufficient authority among users, which gives them the capital to establish a cloud security management center as a fair third party that authenticates the services of other cloud providers and so protects the rights and interests of users. At the conference, Mr. Xu's speech entitled "cloud computing security monitoring and forensics" was related to this. Therefore, I really want to know his views on this issue.

The cloud computing conference is coming soon. There will be plenty of people and plenty of opinions. Let's wait and see! Let's learn about the current situation of China's cloud computing and find the direction of China's cloud computing. But in any case, security will be an eternal topic in the cloud computing field, and it is precisely what the lasting security of the cloud must be built on.
