What does a comprehensive ECS security solution look like?

Source: Internet
Author: User

For many enterprise users, ECS has replaced traditional servers and now carries the Internet services on which the survival and development of the enterprise depend, so their questions about cloud security focus largely on the security of ECS.


Is ECS secure? The question is not limited to the virtualization layer that users cannot see. What strikes users more deeply is the sudden discovery that many familiar security protection systems, especially the "hardware boxes", have all been removed from the purchase list. The cloud computing environment changes how security protection is done.

So how can ECS security be achieved?


Threats to ECS Security
Just as cloud computing has brought revolutionary change to Internet businesses, it has changed security thoroughly: not only the concept of security protection but also the way security is delivered.

However, the nature of security has not changed because of the introduction of cloud computing technology. In fact, servers deployed in traditional and cloud environments are not much different in terms of security risks.

ECS security risks therefore fall mainly into two groups:
(1) internal weaknesses, such as vulnerabilities (including those in the virtualization layer), incorrect configurations, and ports that should not be open;
(2) external threats, such as backdoors, Trojans, and brute-force cracking attacks.

Whether deployed in a traditional data center or cloud data center, server security must face and address the risks mentioned above.

For ECS, the first thing to address is its own weaknesses, especially vulnerabilities. A system with vulnerabilities is like a room with an open window: no matter how advanced the access control system installed, it cannot keep thieves out. In addition, inspecting and monitoring key server configurations and ports reduces the attack surface and keeps the system's security status under control at all times. Among external threats, brute-force cracking is still the biggest network threat to ECS. Brute-force cracking protection must cover the system, application, and database layers; the absence of any one layer increases the probability of intrusion. Finally, the ability to quickly discover and remove viruses, Trojans, and backdoors on ECS is a major test of protection capability.

Dual Challenges of ECS Protection
However, the reality is harsh. ECS security faces both internal and external challenges.

First, the weakness of ECS shows most clearly in unpatched vulnerabilities. According to statistics from a foreign security organization, the average time to fix a vulnerability in the financial industry is as long as 176 days. The figure improves slightly after cloud computing is adopted, but the average time to fix ECS vulnerabilities is still 50 days. Whether it is 176 days or 50 days, that is enough time for an attacker to go through the entire server.

Second, according to tests by a foreign security company, it takes only four hours for a hacker to successfully intrude into an AWS server. On the surface this looks like the result of system vulnerabilities, but it is actually the result of brute-force cracking. In a cloud computing environment, most cloud service providers do not provide brute-force cracking protection services. Instead, they recommend that you install third-party protection software on your servers. In fact, popular ECS security software on the market provides brute-force cracking protection only at the operating system level and does not cover the application and database levels. Leaving out applications and databases is the "sawing off the arrow" approach to ECS protection: the operating system is my responsibility, and whatever lies above it is someone else's.

Third, the vast majority of ECS security systems and solutions amount to single-point protection. Single-point protection has two aspects: horizontally, protection of individual servers, and vertically, protection at the server layer. Horizontal single-point protection means that each ECS instance is protected in isolation from the others. Today, Trojan and backdoor variants keep emerging. If malicious samples are not collected in real time, and analysis and policy sharing and distribution cannot be completed quickly, the initiative is handed to intruders. Vertical single-point protection is also a common fault of ECS security software: network, system, application, and data protection all rely on software installed on the ECS instance. Leaving the protection effect aside, enabling the protection functions consumes a large amount of system resources, which is equivalent to launching a self-inflicted denial-of-service attack.

Finally, behind security defense lies a contest of human skill, wisdom, and experience. In specific circumstances, personnel are needed to quickly collect samples, gather evidence, and analyze and block attacks. However, for most enterprises, building a professional security defense team is unrealistic.

Therefore, ECS security protection is a comprehensive test of platform-based, systematic, and operational capabilities, including rapid response and technical experience, rather than simply a matter of installing host protection software.

What Should ECS Protection Look Like?
A complete and comprehensive ECS protection solution should include fast locating and fixing of internal weaknesses (vulnerabilities, configurations, ports, etc.) and rapid discovery and blocking of external threats.

For internal weaknesses, especially those that seriously threaten the security of ECS instances, precise locating is required. For most vulnerabilities, automatic vulnerability repair can effectively improve the efficiency and effectiveness of security protection. For critical servers or servers with strict compliance/business requirements, cloud service providers should provide risk warnings for vulnerability fixing, and this work should not be handed over to users.

Second, for the primary external threat to ECS, brute-force cracking, the protection system must cover the system, application, and database layers.
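
To illustrate coverage of all three layers, the following added example (not part of the original article) counts failed logins per source address in sshd, web-application, and MySQL log lines and shows what an operating-system-only check misses. The log lines are constructed samples, and the `/login` path, the threshold of 3, and the function names are assumptions.

```python
import re
from collections import Counter, defaultdict

# One failed-login pattern per layer; each captures the source address.
PATTERNS = {
    "system": re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port"),
    "application": re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "POST /login HTTP/[\d.]+" 401 '),
    "database": re.compile(r"Access denied for user '[^']*'@'([^']+)'"),
}
THRESHOLD = 3  # failures per source and layer before flagging (assumed value)

# Constructed sample lines (documentation address ranges), not from a real host.
SAMPLE_LOGS = (
    ["Jan 10 03:12:01 web01 sshd[812]: Failed password for root from 203.0.113.7 port 51234 ssh2"] * 3
    + ["Jan 10 03:13:40 web01 sshd[815]: Failed password for invalid user test from 192.0.2.10 port 40021 ssh2",
       "Jan 10 03:13:52 web01 sshd[815]: Accepted password for deploy from 192.0.2.10 port 40022 ssh2"]
    + ['198.51.100.23 - - [10/Jan/2024:03:12:09 +0000] "POST /login HTTP/1.1" 401 128'] * 4
    + ['192.0.2.10 - - [10/Jan/2024:03:14:02 +0000] "POST /login HTTP/1.1" 200 512']
    + ["2024-01-10T03:12:05.000000Z 14 [Note] Access denied for user 'root'@'198.51.100.40' (using password: YES)"] * 3
)

def count_failures(lines):
    """Return {layer: Counter({source: failed_logins})}."""
    counts = defaultdict(Counter)
    for line in lines:
        for layer, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                counts[layer][match.group(1)] += 1
                break
    return counts

def flag_sources(lines, layers=tuple(PATTERNS), threshold=THRESHOLD):
    """Return {source: [layers]} for sources at or over the threshold."""
    counts = count_failures(lines)
    flagged = {}
    for layer in layers:
        for source, failures in counts[layer].items():
            if failures >= threshold:
                flagged.setdefault(source, []).append(layer)
    return flagged

if __name__ == "__main__":
    print("all layers:", flag_sources(SAMPLE_LOGS))
    print("OS only   :", flag_sources(SAMPLE_LOGS, layers=["system"]))
```

With only the system layer monitored, the sources guessing passwords against the application login and the database never appear in the result.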

Third, ECS security protection must be platform-based and systematic. Being platform-based means that each ECS instance is both a collection point for malicious samples and a receiver of real-time security policies, ensuring integrated cloud-based defense.
