Definitions and features of secure cloud services
When cloud computing technology is applied to the network security field, network security capabilities and resources are moved into the cloud and delivered to customers over the Internet as on-demand network security services. The result is a new network security service model, often referred to as security as a service (SAAS). To avoid confusion with software as a service (SAAS) in the cloud computing model, this business model is called security cloud service (SCS) in this book.
Secure cloud services are the product of applying cloud computing technologies and business models to the network security field. Therefore, before defining secure cloud services, let's take a look at the definition of cloud computing.
According to the definition of the National Institute of Standards and Technology (NIST), cloud computing is a model that provides convenient, on-demand access to a shared pool of configurable computing resources (such as networks, servers, storage devices, applications, and services). These resources can be rapidly provisioned and released while minimizing management cost and service-provider interaction. It follows from this definition that secure cloud services, which apply cloud computing technology to the field of network security, should embody the following characteristics of cloud computing.
(1) Clustering and pooling of computing resources and capabilities. Computing resources and capabilities are centralized to serve multiple users on a shared basis, and different physical or virtual resources are allocated dynamically according to each customer's needs.
(2) Internet-based service delivery. Users can use the computing resources and capabilities provided by cloud computing services anytime and anywhere.
(3) On-demand self-service. The system gives users flexible management and allocation of computing resources, and provides scalable capabilities that match their business needs.
(4) Service transparency. When using a service, users do not need to know the structure, implementation, or geographical location of the cloud resources. They obtain the resources their business needs while minimizing management cost and interaction with the service provider.
(5) Delivery as a service. Users obtain the computing resources and capabilities they need by using cloud services, rather than by buying, owning, and maintaining specific IT products.
The above features are the core of cloud computing. Building these features into the deployment and implementation of secure cloud services is the key to carrying the vitality of cloud computing over into the field of network security. Therefore, starting from the NIST definition of cloud computing and preserving each of these features, we arrive at the following definition of secure cloud services.
A secure cloud service is a technology and business model that applies and extends cloud computing in the network security field in order to deliver network security as a service. It clusters and pools the resources that provide network security capabilities (including access control, DDoS protection, detection and handling of viruses and malicious code, security inspection and filtering of network traffic, security filtering of email and other applications, network scanning, security testing of specific applications such as web applications, and abnormal network traffic detection), so that users can obtain convenient, on-demand, and scalable network security protection services over the Internet without maintaining and managing their own security facilities, and with minimal service cost and interaction with the service provider.
According to the above definition, cloud security services also have five features.
(1) Secure cloud services are based on the clustering and pooling of network security resources. These resources cover the security capabilities needed to meet the protection requirements of different customers, including access control, DDoS protection, detection and handling of viruses and malicious code, security inspection and filtering of network traffic, security filtering of email and other applications, network scanning, security testing of specific applications such as web applications, and abnormal network traffic detection. In addition, how these security resources are pooled varies with their security features and with the secure cloud service model.
(2) Secure cloud services are Internet-centric, and the Internet is the only channel through which they are delivered. Given this feature, some traditional security services, such as managed security services (MSS) (including traditional security event monitoring, security access, anti-virus, Trojan scanning, content security monitoring, intrusion detection, DDoS attack protection, security scanning, and other security services) and security operations center (SOC) services, can become an important part of secure cloud services after proper transformation. Other traditional security services (such as security outsourcing) fall outside the scope of secure cloud services. The nature of network security means that some security services will not gain the expected advantages from network-based delivery; this is particularly evident when telecom operators are not involved in the secure cloud service market.
(3) Secure cloud services should be scalable on demand. This feature has two aspects. First, the secure cloud service system is designed so that the individual security protection capabilities are separated and provided on demand, allowing customers to select the security services that fit their business characteristics and protection needs. Second, secure cloud services provide scalable service capacity. What is scaled depends on the type of security capability: it may be network bandwidth, or it may be the corresponding number of IP addresses.
(4) Secure cloud services are transparent. The system is designed so that users enjoy the corresponding security protection capabilities without having to know the internal deployment. The provider maintains the security facilities in the overall security pool and the clusters, so that customers use the service with zero maintenance and zero management, and a self-service system minimizes the interaction between customers and the service provider.
(5) Secure cloud services are service-oriented. Users do not have to invest in, own, or maintain security devices that provide the corresponding capabilities; they directly purchase the services provided by the secure cloud. Reasonable billing and SLA service metrics are therefore an important part of providing secure cloud services.
Having clarified the five features of secure cloud services, we also need to understand several further characteristics and take them into account when designing and implementing such services.
(1) Not all network security defense capabilities benefit from the introduction of cloud computing. Therefore, the design and deployment of secure cloud services should avoid "cloud for the sake of cloud".
(2) Due to the characteristics of network security, many secure cloud services need the assistance of terminal and desktop agents. A pure cloud model is therefore difficult to implement, and the "cloud + terminal" model is the appropriate choice for designing and deploying secure cloud services.
(3) Network security protection is subject to the barrel effect: the overall security level of a network is determined not by its strongest security aspect but by its weakest, just as the amount of water a barrel can hold is determined not by its longest stave but by its shortest. Because secure cloud services cannot provide every network security protection capability, enterprise security design must also consider, in addition to secure cloud services, the corresponding security measures required by its security requirements.
-- This passage is excerpted from the book "Cloud Computing Security: Technology and Application".
Books: http://blog.csdn.net/broadview2006/article/details/7403731