Improvements to the security approach to cloud computing services: Vase model V4.0

Source: Internet
Author: User

Questions raised:

With the rise of cloud computing and the Internet of Things, the Internet is becoming increasingly "urbanized": the traditional courtyard (the metropolitan area network) is being replaced by skyscrapers (cloud computing data centers), and the only recently formed "global village" is quickly developing into an "Earth City". The Internet of Things carries the information of all the goods in this "city", and the real world and the virtual world are becoming "real-time" counterparts of each other.

But the cloud computing service model also poses new problems for information security. With virtualized services, the businesses of different users run "at the same time" in one service "container", so the traditional information security idea of border isolation is undermined. If the security boundary no longer exists, where should traditional security equipment such as firewalls and intrusion detection be deployed? And without security protection, are users willing to use your service?

Cloud services are a change in the service delivery pattern. In view of this pattern, we have improved the "Vase model" of information security system construction: we propose the concept of a service access boundary and introduce the business logic boundary, that is, the boundary between virtual machines. It includes the boundary between mutually "neighboring" virtual machines and the boundary between a virtual machine and its "mother", the cloud operating system that generated it.

The concept of security monitoring has also developed, from monitoring actual equipment and systems to monitoring inside and outside the virtual machine. First, when a virtual machine is established, it is allocated not only the corresponding computing, storage, and network resources but also, according to management and user business needs, appropriate security resources such as a virtual firewall, virtual intrusion detection, and virtual virus filtering; what the user receives is no longer a "rough room" but a "finely decorated apartment". Second, monitoring the environment of the cloud operating system becomes the focus of security for the entire cloud service, because whoever gets in here can control the business direction of all applications. Third, there is monitoring of the cloud service access area: this is where every kind of user business traffic converges and coexists, it is also the entry point for hacker and worm attacks, and it is in effect "the gate" of the cloud service center.

"Vase Model" description:

The "Vase Model" is a guiding model for information security construction planning, and a baseline construction model based on dynamic security event processing (the PDR model).

Following the idea of emergency handling of security incidents, the handling process is divided into different stages. In addition to the protection requirements of the applicable level, static risk analysis is used to analyze the potential vulnerabilities of each link in each stage and to establish the security construction baseline for that stage, finally forming the assurance construction baseline for the whole security incident process.
