Four common problems and solutions for Alibaba Cloud Public Cloud O & M Security

None!

In fact, security O & M and O & M are two concepts.

My understanding: Security O & M allows engineers to operate and maintain various security devices and software to ensure system security. In contrast, O & M security covers all aspects of the cloud computing system and security. This article mainly discusses common problems and solutions for O & M security in public cloud environments.

 
Currently, public cloud users can be divided into two types:

First, the business was deployed on the public cloud from the very beginning, focusing primarily on emerging Internet companies.
Second, you already have a self-built IT environment and need to migrate IT to the public cloud. As the user's IT environment changes from a traditional self-built IDC to a public cloud environment, the O & M work is also migrated from the intranet environment to the public network, which is a huge change for the user.
This article mainly discusses the O & M security issues faced by migration from a traditional IT environment to a public cloud. You must know that all IT infrastructure and data in a traditional IT environment are under your control. Psychologically speaking, users feel safer and have a shorter public network exposure. Once you migrate your business and data to the public cloud, you may feel insecure.

In fact, the infrastructure security of the public cloud is far more secure than the self-built IDCs of general users, mainly reflected in the following aspects:
1. Because IDC data centers in public clouds have high construction specifications, the availability of IDC data centers in public clouds is more guaranteed in terms of power supply and air conditioning;
2. The public cloud has better network resources, so the public cloud has better network quality;
3. Public cloud servers are purchased and inspected in batches, and generally have reliable storage systems. The hardware reliability of public cloud is also more guaranteed;
4. There are professional teams in public cloud systems and security, all of which are top-level in the industry. The risk of using public cloud is lower in terms of system and security;
However, I have been engaged in O & M for ten years. Recently, in the practice of public cloud O & M, I found that the security of the computing environment from local to cloud is improved, however, O & M on the cloud is facing some new security risks and challenges.

Because the O & M management of the public cloud must be completed through the Internet, and the O & M of the traditional IT environment is very different, the risk mainly comes from the following four aspects:

1. O & M traffic hijacking: The biggest change in O & M in the public cloud scenario is that the O & M channel is not in the intranet, but directly accesses various O & M management interfaces on the public cloud through the Internet. Attackers are vulnerable to sniffing or man-in-the-middle hijacking, resulting in leakage of O & M management accounts and creden.
2. an increasing number of O & M management interfaces: hackers had to intrude into the intranet to crack the password of the O & M management interface, currently, users on the public cloud usually expose the management interfaces of SSH, RDP, or other application systems to the Internet. Security can only be ensured through authentication. Hackers only need to crack the password or bypass the authentication mechanism to directly obtain administrator permissions.
3. Difficult account and permission management: multiple users share the system account and password and use super administrator permissions. Account information leakage and unauthorized operation risks exist.
4. Missing operation records: Resources in the public cloud can be operated through the management console, API, operating system, and application system. If no operation records exist, once an intrusion or internal excessive authority abuse occurs, the loss cannot be traced and the intruders cannot be located.
These risks are common risks for O & M in public cloud scenarios.
On its first day of creation, Alibaba Cloud decided that security was a top priority. To address these problems, Alibaba Cloud provides a variety of security protection measures for users. Users can use the security mechanisms of Alibaba Cloud Platform products, Alibaba Cloud Security, and third-party security products in the cloud marketplace to mitigate or eliminate these risks.
Specific measures to enhance O & M security are as follows:

1. Use VPC networks to help users based on Alibaba Cloud (http://click.aliyun.com/m/1819)
From the perspective of O & M security, you need to divide the intranet segments of the VPC network before using the VPC network. It is generally recommended to divide the network segments into three: Internet application groups, Intranet Application groups, and security management groups.

 
The three CIDR blocks are isolated by security groups, and corresponding access control policies are configured to restrict all maintenance ports, such as SSH and RDP, to be accessible only to the security management group. The recommended policy is as follows:

Internet application Group recommendation policy

Recommended Security Management group policies

 
Recommended Intranet Application group policies

 
2. Build an encrypted O & M channel from the O & M work location to Alibaba Cloud. You can purchase professional VPN devices in the Alibaba Cloud Security market to build an encrypted O & M channel to ensure that O & M traffic is not hijacked.
Generally, L2TP/ipsec vpn is recommended for O & m vpn, which can be Site To Site or dialing. If a large number of O & M personnel work in a fixed office location, they can use the Site to Site mode to establish a persistent connection encrypted channel from the O & M office location to the public cloud, the CIDR block of the security management group on the public cloud is equivalent to an extension of the local O & M network. If the O & M personnel are few and often move to the office, you can use the dial-up VPN mode. When the O & M personnel are required, they need to dial up and connect to the security management group CIDR block. Of course, you can also use these two modes at the same time, taking into account the fixed location and mobile office O & M.
We recommend that you enable two-factor authentication when using the dial-up mode VPN, and use it with a digital certificate or dynamic password token to improve the security of VPN access.
3. Use Alibaba Cloud RAM to separate the Alibaba Cloud primary account from the daily O & M account, and limit the O & M account management permissions and scope. In this way, even if the O & M account information is leaked, the security of the entire cloud infrastructure will not be compromised. RAM best practices are as follows:
Enable MFA for root accounts and RAM users
We recommend that you bind MFA to the root account and use multi-factor authentication every time you use the root account. If you have created a RAM user and granted high-risk operation permissions (such as stopping a VM and deleting a bucket) to the user, we recommend that you bind MFA to the RAM user. For more information about MFA, see manage MFA devices.
Assign permissions to RAM users using groups
Generally, you do not need to bind an authorization policy to a RAM user. It is more convenient to create groups (such as admins, developers, and accounting) related to the role and responsibilities of the RAM user ), bind appropriate authorization policies to each group, and then add users to these groups. All users in the group share the same permissions. In this way, you only need to modify the permissions of all users in the group in one place. When your organization staff are transferred, you only need to change the group to which the user belongs.
Separate user management, permission management, and resource management
A good decentralized system should support checks and balances of power to minimize security risks. When using RAM, you should consider creating different RAM users, whose responsibilities are RAM user management, RAM permission management, and resource operation management of various products.
Configure strong password policies for user logon
If you allow users to change their logon passwords, they should be asked to create strong passwords and rotate them regularly. You can create password policies for RAM users through the RAM console, such as the minimum length, whether non-letter characters are required, and the rotation frequency.
Rotate user logon passwords and access keys on a regular basis
We recommend that you or RAM users rotate logon passwords or access keys on a regular basis. If your creden are disclosed without your knowledge, the validity of the creden。 is restricted. You can set a password policy to force RAM users to rotate their logon passwords or access keys.
Revoke permissions that you no longer need
When a user is no longer authorized due to changes in his/her responsibilities, you should revoke the user's permissions in a timely manner. In this way, if your access creden are disclosed without your knowledge, the security risk will be minimized.
Separate console users from API users
We do not recommend that you create a logon password for console operations and an access key for API operations for a RAM user. Generally, only the logon password is created for the employee, and only the access key is created for the system or application.
Use Policy restrictions to enhance security
We recommend that you set policy restrictions for user authorization to enhance security. For example, an authorized user Alice can shut down an ECS instance. The condition is that Alice must perform this operation at the specified time and on your company network.
Do not create an access key for the root account
Because the root account has full control over the resources under it, we do not recommend creating an access key for the root account and using it for daily work to avoid catastrophic losses caused by access key leakage. To create an access key for the root account, you must log on to the Alibaba Cloud Console. This operation requires multi-factor authentication and supports strict risk control checks. As long as the root account does not actively create an access key, the security risks of assets under the account are controllable.
Follow the minimum authorization principle
The minimum authorization principle is the basic principle of security design. When you need to authorize a user, please grant permissions that meet the needs of his work, instead of transitional authorization. For example, in your organization, if the responsibilities of a Developers member (or an application system) only need to read data in the OSS bucket, in this case, only the read-only permission on OSS resources is granted to this group (or the application system), rather than all OSS resources, or the access permission on all product resources.
4. Linux uses a key to log on. Do not use the account and password to log on. Once and for all, the account brute force cracking problem is solved. The configuration method is as follows:
For example, set Ubuntu 14.04.1 as follows:

1. Generate the public key and private key of the key

# Ssh-keygen-t rsa
Generating public/private rsa key pair. please Enter file in which to save the key (/root /. ssh/id_rsa): encrypted Created directory '/root /. ssh '. when Enter passphrase (empty for no passphrase): # Enter the password when entering same passphrase again: # Enter the password when Your identification has been saved in/root /. ssh/id_rsa. export Your public key has been saved in/root /. ssh/id_rsa.pub. specify The key fingerprint is: 1271c: 37: a8: a3: 65: a2: 4a: 89: AB: 46: 30: ad: 54: d1: 40: eb root @ iZ28vo50eu5Z

2. Download the generated private key (id_rsa) to a local windows machine and import the public key to the. ssh/authorized_keys file.
# Cd/root/. ssh/
# Cat id_rsa.pub> authorized_keys

3. Set the sshd server service and enable the following settings:
 
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile/root/. ssh/authorized_keys
Modify the following settings:
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

4. Restart the ssh service

# Service ssh restart
5. Import the private key to a remote tool, such as xshell.
5. You can modify the default remote desktop port 3389 of the ECS Windows server to reduce malicious scanning and attacks against the remote desktop. The configuration method is as follows:
I. Use tools for automatic modification

You can purchase and use the [3389 remote port modification tool] in the cloud marketplace to automatically modify the default port 3389.

2. Manual modification:

1) [start] ---- enter "regedit" in [run] to open the registry editor;
2) expand the registry entry "HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ TerminalServer \ Wds \ rdpwd \ Tds \ tcp" in sequence;
3) the port number corresponding to the "PortNumber" key value under it is the remote desktop port, which can be changed to the port required by the user;

 
4) expand the registry key "HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ TerminalServer \ WinStations \ RDP-Tcp" in sequence;
5) change and save the "PortNumber" key value according to the above method.
Note: after modification, you need to check whether there are security rule restrictions in the firewall and TCP/IP filtering, and restart the server to take effect.

1) how to enable port in Windows 2003:

After logging on to the server remotely, double-click "windows Firewall" on the control panel. After opening the firewall, click the "exceptions" tab to view the opened ports added to the server. Then, click "add Port ", enter the port number you want to add in the pop-up box. Go to the Control Panel and click "network connection". Right-click "properties" on the Internet Nic, double-click "Internet protocol (TCP/IP)", and click "Advanced ", in the pop-up box, click "options" and "properties". In the TCP/IP filtering pop-up box, add the TCP port. After you confirm, restart the server and activate the port.
2) how to enable the port on Windows 2008:
After logging on to the server remotely, go to the control panel-wiindows firewall, open windows firewall, select "advanced settings", select "inbound rules" in the upper left corner, and select "New rule" in the upper right corner ", select "port" on the rule Wizard page, select "TCP" for the next protocol, select a specific local port, enter the port number you want to enable, and select "allow connection" for the next step ", in the next step, set the rule domain that can be applied to. We recommend that you select All. In the next step, set the port name.
6. Install the Alibaba Cloud Security Server guard client. Server guard not only intercepts password cracking and detects remote logon problems, but also improves host security protection capabilities. We recommend that you install the client.
7. centralized privileges and account management systems are used to centrally manage O & M accounts and permissions, such as professional bastion hosts in the Alibaba Cloud security market. This solves O & M problems such as system account reuse, chaotic O & M permissions, and non-transparent O & M processes, the system operation logs are recorded for audit.
8. Enable Alibaba Cloud ActionTrail to record users' cloud account resource operations, provide operation record query, and save the record files to the specified OSS bucket. All operation records saved by ActionTrail can be used for cloud-based user permission security analysis, resource change tracking, and compliance audit.

 
Open the ActionTrail console and go to "history event query" to view the operation records of the last seven days.
 
Overall architecture

Security protection is a systematic task. The above suggestions are only the most basic requirements for cloud O & M security. If you need more in-depth solutions, contact the Alibaba Cloud Security Solution team.