With cloud hosting booming today, its benefits (multi-tenancy, better server utilization, data center consolidation) are already well known, so how to address the security threats specific to cloud hosts is becoming more and more important. World Data recently launched its World Cloud Hong Kong cloud host promotion; readers interested in the details can look it up on the World Data official website. World Data also offers the following suggestions on how to strengthen cloud host security.
1. Basic Security
First, the cluster is deployed in a distributed manner across multiple data centers. Each data center has strict rules for asset equipment, supplies and consumables, the network sits in the core backbone area, property security patrols 7x24 hours, and all infrastructure is under 7x24-hour centralized video surveillance. This provides a strong guarantee for the physical machines and their operating environment.
2. Account and System Security
A dedicated security team, drawing on many years of security practice, applies a series of hardening strategies to the cloud host image. These include account management and authentication measures such as prohibiting root account login (a restriction no other cloud service provider applies), disabling unused ports, and hiding operation history records. Password complexity settings include an enforced minimum password length and a requirement for both uppercase and lowercase letters, which effectively reduces the risk of user accounts being brute-forced.
The physical machine system uses a stable operating system release, installs software packages in a customized way, and deploys the base system as a minimal installation; patches and software updates are applied in a timely manner to plug known vulnerabilities.
Two-factor authentication is supported: after purchasing a cloud host, the tenant binds a mobile phone number, and resetting the password, reinstalling the system, or deleting the host all require entering a verification code before the operation continues. Two-factor authentication is another effective guarantee of account security.
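As an added example (not the provider's own tooling), the following Python checker verifies two of the image-hardening settings listed above on a host: that root SSH login is disabled and that password length and upper/lowercase complexity are enforced. It assumes OpenSSH `sshd_config` and libpwquality `pwquality.conf` syntax; the sample configs embedded below are constructed.

```python
"""Check two cloud-host image hardening settings: root SSH login disabled and
password complexity enforced. Example code; sample configs are constructed."""
import re


def parse_kv(text, first_wins):
    """Parse 'key value' / 'key = value' lines, dropping comments and blanks.
    sshd uses the first occurrence of a keyword, pwquality.conf the last,
    so the caller says which one wins."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[=\s]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if first_wins:
            settings.setdefault(key, value)
        else:
            settings[key] = value
    return settings


def check_hardening(sshd_config, pwquality_conf, min_len=12):
    """Return a list of findings; an empty list means the policy is met.
    Absent keys are treated as 'not enforced' (an assumption of this checker,
    not a statement about the libraries' own defaults)."""
    findings = []
    ssh = parse_kv(sshd_config, first_wins=True)
    if ssh.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not explicitly 'no'")
    pw = parse_kv(pwquality_conf, first_wins=False)
    if int(pw.get("minlen", "0")) < min_len:
        findings.append(f"minlen below {min_len}: short passwords accepted")
    # In pwquality a negative credit means 'require at least that many'.
    for key, name in (("ucredit", "uppercase"), ("lcredit", "lowercase")):
        if int(pw.get(key, "0")) >= 0:
            findings.append(f"{key} not negative: {name} letters not required")
    return findings


# Constructed samples: a weak image beside a hardened one.
WEAK_SSHD = "# constructed sample\nPort 22\nPermitRootLogin yes\n"
HARD_SSHD = "Port 22\nPermitRootLogin no\nPasswordAuthentication yes\n"
WEAK_PWQ = "minlen = 8\n"
HARD_PWQ = "minlen = 14\nucredit = -1\nlcredit = -1\n"

if __name__ == "__main__":
    print("weak:", check_hardening(WEAK_SSHD, WEAK_PWQ))
    print("hardened:", check_hardening(HARD_SSHD, HARD_PWQ))
```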
3. Network Security
On the network security side, multiple layers of defense such as firewalls and ACLs strictly control intra-cluster traffic and protect the cluster's cloud hosts from both internal and external network attacks. Physical machines and cloud hosts are all strictly isolated with VLANs: hosts of the same tenant fall into one VLAN, and different tenants are isolated at layer 2, which effectively prevents security threats between cloud hosts such as ARP spoofing and port scanning. Access control lists are configured as whitelists so that only trusted hosts can reach hosts in the cluster. Independently developed protection products such as Website Defender and full-traffic network analysis equipment effectively block SYN flood, CC and other common network attacks. Regular security scans detect vulnerabilities in time so they can be quickly patched or shielded.
4. Security Audits
All physical machines in the cluster enable security-related logging (shell logs) and forward the logs to a separate log server; a unified log security audit system covers the entire security infrastructure, including the virtual environment. Auditing is enabled for account management, logon events, system events, policy changes, and both successful and failed account logon events.
5. Secure Operation and Maintenance
A centralized group and role management system defines and controls permissions, and every operations engineer has a unique identity; management is done over encrypted channels with identification and authentication, and all logins and operations are audited in real time. Internal traffic aggregation points are established to monitor the activity and traffic of the entire network.
CPU, bandwidth and disk usage of physical machines and cloud hosts are monitored in real time, and any abnormal situation immediately triggers SMS and email alerts. Real-time resource monitoring is an effective way to show how resources are being used, and is also one of the effective means of automating operation and maintenance.
Cloud server vendors should be committed to providing enterprise and individual users with high-performance, reliable and secure cloud services, minimizing the IT infrastructure technology and cost thresholds that enterprises face as they grow, and offering the most convenient and professional security service system for enterprises moving to the cloud.
Copyright notice: This article is an original article by the blog owner and may not be reproduced without the blog owner's permission.
World Data: A Brief Discussion on Cloud Host Security Protection