Improvement on "cloud computing" Service Security-vase model V4.0

Improvement on "cloud computing" Service Security --- Vase model V4.0 Jack zhai Question: With the rise of cloud computing and the Internet of Things, the Internet is becoming increasingly "urbanization". The traditional siheyuan (man) is being replaced by skyscrapers (cloud computing data centers, the just-established global village quickly evolved into a global city. Iot is informatization of all the items in the city, and the real world and the virtual world are becoming a "real-time" version. However, the cloud computing service model also brings new problems to information security. virtualized services, services of different users "run in one service" Container "at the same time, the concept of border isolation for traditional information security has been restrained, and security boundaries have no boundaries. Where should traditional security devices, such as firewalls and intrusion detection, be deployed? Without security protection, are users willing to use your services? Cloud Service is a change in delivery service model. In response to this service model, we have improved the "vase model" of information security system construction and proposedService Access BoundaryIntroduces the logical boundary of the business, that is, the boundary between virtual machines. It includes virtual machines that are mutually "neighbors, and the boundary between the virtual machine and the "parent" that generates it-the cloud operating system. The concept of security monitoring has also evolved from monitoring the actual equipment and systemInternal and external monitoring of virtual machinesOn the one hand, when creating a virtual machine, it not only allocates computing, storage, and network resources, but also allocates corresponding security resources according to the needs of management and user services, for example, virtual firewalls, virtual intrusion detection, and virtual virus filtering are provided for users instead of "rough houses", but "well-decorated apartments ". On the other hand, the monitoring of the cloud operating system environment has become the focus of the security of the entire cloud service, so that the business trend of all applications can be controlled here. The third aspect is the monitoring of the cloud service access area, which collects the traffic of various user services and is also a portal for hacker and worm attacks, it is actually the "Gate" of the cloud service center ". Description of "vase model: The vase model is a guiding model for information security construction planning. It is a baseline construction model that complies with the dynamic security event processing (PDR model. According to the emergency handling of security incidents, the handling process is divided into different stages. In addition to meeting the protection requirements of classified protection, static risk analysis is adopted, analyzes potential vulnerabilities in each stage of each stage, establishes a security construction baseline for this phase, and finally forms a security construction baseline for the entire security event processing process. 650) this. width = 650; "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0T35G927-0.jpg "Border =" 0 "/> Security Event processing is divided into three phases: Ø beforehand: Security Protection Baseline, clear boundaries, divide security areas, and separate protected resources from attackers, build a wall, set up border inspection measures, and increase the "space" distance to reduce external channels and increase the barrier and difficulty of intrusion; things: dynamic monitoring baseline, the attacker's movements should be observed outside the boundary. The attacker should pay attention to some abnormal user behaviors within the boundary. Once an attacker finds "installation", the attacker will immediately report to the Police and intercept the attack. The purpose of monitoring is to discover the other party as soon as possible before the intruders cause damage and respond promptly to reduce possible losses. Ø after the event, the responsible person of the evidence collection should be held accountable to deter the attackers, that is, the Trust Management baseline, after the incident is handled, We need to trace the way the intruders enter, find out where the problem is, and analyze the behavior records of the intruders, so as to discover the vulnerabilities in the protection and monitoring systems and prevent the intruders from entering again. Further refining the Security baselines of the three systems of protection, monitoring, and trust forms the "Vase" model (the shape is like a vase, and it also implies that the work of security management personnel is like a bottle of hands, always Be careful and neglected. A beautiful vase may be broken. The main point of security management is "no secret "). 650) this. width = 650; "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0T35I648-1.jpg "Border =" 0 "/> 1) Protection System: Protection focuses on boundaries, not only real network boundaries, man-machine boundaries, but also virtual business access boundaries, the vase model provides five boundaries that need to be protected. a) network boundary: the egress of the network, which is an uncontrollable area and must be well protected, common security technologies include FW, IPS, UTM, Service proxy, and gatekeeper. You can select WAFb as the website egress.) security domain boundaries: security domains are different resource regions based on network functions, you can also isolate different departments based on management requirements. The security domain can be clearly isolated from the network layer. Common security technologies such as VLAN and FW) provide service access boundaries: multiple application systems are often run on the network at the same time. One application system may provide multiple services (cloud computing services are one of them), and each user can access multiple applications, use multiple services. We need to isolate virtual networks and application systems that do not need services (users), and avoid increasing users in virtual machines to cloud operating systems. Application access boundaries are usually controlled using user authorization. On the one hand, you can restrict the application areas (Network Layer) and service ports (Transport Layer) that you can access based on your identity ), on the other hand, you can use the account management and identity authentication technologies of the application system to control whether users can access the application system. In the application system, you can also separately authorize the function module, restrict the user's permission to use different services of the same application system. d. SERVER: Host management man-machine interface. Generally, operating system reinforcement and database reinforcement are used, minimum authorization for assigning administrative personnel and user permissions e) terminal: man-machine interface management, such as user logon, media management, illegal external connections, data encryption, and other security policy implementation, for example, red, white, and blacklist Software 2) monitoring system: displays the overall security situation of the system, and understands the "Breeze" in the network. It is the data source for timely detection of intrusions and violations. For cloud computing, the monitoring system is divided into several layers: Monitoring of virtual machines and monitoring of the cloud computing management platform. There are five main monitoring points at each layer: a) viruses and Trojans: they are characterized by self-replication and pervasive, which are extremely harmful to network performance; generally, intrusion and abnormal behavior can be intercepted on the network and monitored by the host (the monitoring software in the terminal and server) B. intrusion is mostly concealed, multi-Point Monitoring on networks and hosts is required. Intruders are discovered through feature matching and behavior matching to detect abnormal behaviors of internal personnel, such as massive data downloads, abnormal time access should also be included in the abnormal monitoring scope c) Traffic exception: collects traffic information of key points in the network, monitors the overall traffic dynamics, and establishes a traffic baseline model, at the same time, the composition of traffic should be analyzed in detail according to the service type, user, and access direction. There are four common causes of traffic exceptions: first, the occurrence of a worm virus, second, malicious attacks (such as DDOS), and third, the emergence of business Hotspots (sudden increase in normal business access, (For example, major news releases). (4) network faults, causing other business access to the local device. (d) device and system status: hardware faults of devices will inevitably lead to unstable service access (Virtual Machine environments are the status of Virtual Devices). Therefore, you must understand the status of devices and systems such as networks, security, transmission, servers, and storage, is the basis for analyzing the overall security situation e) Business Service Status: Information Security ensures the service capabilities. Therefore, real-time Monitoring of Security indicators related to service capabilities, such as the process status, number of users, and disk space of business services. 3) Trust System: Monitoring of behaviors of "legal" users, it is implemented through audit. To audit, you must first identify the user, clarify the user permissions, and then record the user's behavior in detail, and do not allow deletion or modification of records. Three elements of the trust system: a) Identity Authentication: Optional account password mode, you can also select the CA certificate method, the purpose is to uniquely identify the user. Identity Authentication usually appears on the user login host (local login), login network, login business system three logon points B) authorization management: the user can use resources, and restrictions on actions that can be performed. Authorization is granted by the security administrator, and unauthorized access is caused by this ban. c. Behavior audit: audit is the behavior record, such as data operations and configuration changes. Different security audit measures can be adopted according to the audit objectives. The following are common methods: I. network behavior audit: network resource access by users ii. host behavior audit: Audit of behaviors on servers or terminals, such as account management and data maintenance on servers, mobile media usage on terminals, and external network conditions. iii. internet behavior audit: It is generally placed at the Internet egress of the network to audit the Internet access behavior of internal users. iv. O & M audit: audits the daily management of maintenance personnel, mainly records routine maintenance activities of network, security, servers, databases, storage, and other devices. business compliance audit: Audit of user business operations and business processing 4) Security management platform: public network security facilities, it is implemented and managed in concert with protection, monitoring, and trust security systems. It is also an operating platform for security management personnel to maintain public network security, also known as SOC. The Security Management Platform generally includes five aspects: a) Asset management: understanding your own background is the foundation of security management and the object of interest to the monitoring system terminals, including hardware equipment and software systems, physical and virtual. Common scenarios such as dynamic network topology and resource registry B) data backup and recovery: Data Backup is the basic security measure in the background, and business data is the core of business operations, with data, the system can be restored after a disaster. c. Security O & M: security management personnel must be responsible for the daily management of the public part of the network, users of various business systems should also be provided with security services, such as terminal security issues and investigation and punishment of illegal security incidents, process-based and standardized O & M management process is the basis for improving O & M Service Quality d) configuration change management: the security configuration of the system is the on-site deployment of security policies, security Protection, Monitoring, and auditing are directly affected. Therefore, configuration changes must be consistent without errors. Security Configuration data is the basic data of the overall security O & M system, as important as business data e) Vulnerabilities and Patch Management: Patch Management is the basic security measure in the background. When detecting vulnerabilities, patches should be promptly patched. However, patches may conflict with the original business system, therefore, patch installation is optional. Patch Management requires maintenance of various patches and the latest available software resources for terminals, servers, databases, and application software to ensure that network users update security baseline assurance ideas in a timely manner, it is a baseline for three security measures plus a platform. Various security measures work together and complement each other. In the overall design of security assurance, pay attention to the relative balance of the three baselines. One of the three baselines is too strong, the overall security protection capability may not be improved, but it may lead to unnecessary waste of funds. If one item is too weak, the overall security capability will be pulled down, leading to a short board of the security system. The security protection ideas and security measures mentioned here are designed to meet the specific security requirements of users and are not limited to the existing technical means. On the one hand, intruders are still making progress, and the new attack technology and means layer are not poor. Our protection methods must also be constantly upgraded to adapt to the changes of our competitors. On the other hand, to deal with the same intrusion technology, more accurate and cheaper measures will be constantly emerging with technological advances. We should promptly update and reasonably deploy them, ensure that all security measures in the security architecture are always in the optimal state.

This article is from the "Jack zhai" blog, please be sure to keep this source http://zhaisj.blog.51cto.com/219066/541228