2014, attack and defense battle resounded through "cloud" Xiao

2014 China's cloud computing industry continued to maintain a 2013-year development trend, and gradually with the game, mobile Internet, large data and other industries combined to produce amplification effect. Everything has its pros and cons, and as scale expands and target value increases, many hackers begin to focus on the "potential value" of this emerging sector. Imperceptible in, undercurrent surging, "the War of Security" resounded "cloud" Xiao. Below, from the IaaS, PaaS, SaaS three service models talk about the cloud computing field of attack and defense trends.

IaaS level

We can see that there are three types of attacks at the ISSS level.

Distributed denial of service attack (DDoS). DDoS attacks to date are still the most effective means of attack, and as DDoS technology advances, the cost of this attack is getting lower and still cannot be cured for a long time in the future. The attack was covert and very effective, and Ucloud suffered a massive 63G traffic attack this May. This is fatal to IAAS vendors, and prolonged business disruption is not affordable to any customer. Using NTP's reflective DDoS can be said to be a DDoS in the nuclear weapons, killer, can be magnified to 200 times times the attack flow, such as the four dials, almost can be paralyzed any manufacturer's bandwidth exports, foreign CDN manufacturers CloudFlare this year to suffer from the 400G reflective flow attack.

Web attacks. In order to enhance the interactive experience, the cloud service provider will provide a Web-mode management console, if the console itself has a loophole, will certainly cause harm. This loophole comes mainly from two aspects. On the one hand, the program code for the input information to verify the incomplete or procedural logic errors caused by the vulnerability. For example, the search tool developed by a cloud-computing giant manufacturer based on Open-source software Elasticsearch has a remote execution vulnerability that can execute arbitrary commands and write-file operations. The other is the vulnerability caused by improper deployment or use of third-party tools. For example, the use of OpenSSL by a cloud service provider causes user information to leak, allowing hackers to log in as that user and obtain server-sensitive information.

Virtual machine resource abuse. The current cloud computing business is in development, and some traditional users are still in the tangle of whether to migrate to cloud computing. Therefore, many cloud vendors provide free virtual machine trial service, hackers are taking advantage of this opportunity and other means, such as mass registration of free mailbox, etc., to a large number of applications for free cloud computing resources to build a strong cloud attack environment, and form a business service AAAS (Attacks-as-a-service) , anyone who buys the service can launch a DDoS attack on any target.

PAAs level

The problem with the underlying IaaS still exists at the PAAs level. Because the PAAs platform can host applications and complete development on its platform, the user's App may be tampered with or maliciously deleted if permissions are not properly managed. This May, the Sina SAE was found to have the user ultra vires operation, can delete any user's code warehouse loophole. In addition, the PAAs platform provided by the database services, if the database is improperly configured can also create a lot of security risks, some databases even lack of robust identity authentication capabilities, such as Redis. If the PAAs vendor has no restrictions on access requests, the hacker can get the database password through brute force, causing the data to leak.

This June, foreign code MSN, a PAAs platform under the Amazon AWS EC2, was forced to shut down because the hackers maliciously removed all the data. From this we see that because the PAAs platform is built on the IaaS basis, users can not touch the real physical server, so the operation of the Management Server can only be through the IaaS provided by the Control Panel, management console and other Web interface to complete, once the password is cracked, Real-world users can only watch hackers manipulate their machines. So I suggest that IaaS in addition to providing the necessary basic security measures, but also can further consider the provision of additional security mechanisms, such as multifactor identity authentication and other value-added services, to give users more choices.

SaaS level

SaaS business forms are primarily web-based, so the main security risks are focused on aspects of SQL injection, Cross-site scripting (XSS), API interaction lack of signature verification, and even data disclosure.

So far, all the publicly operated cloud services, regardless of size, almost no one spared, are more or less exposed to the above loopholes.

My view on cloud computing security

Security defense, is a system engineering, it not only involves technology, but also includes management tools. Especially in the cloud computing environment, business models, deployment methods, and technology architectures have changed dramatically, leading to significant changes in risk. If the management means cannot keep up with, can cause a big accident. For example, we are a development of the test server deployed on a cloud, but one day suddenly inaccessible, the administrator login to the management console was surprised, the server has been destroyed by cloud service providers. Cloud service providers replied that this was caused by human error within them, but could not be recovered because it was physically removed. Through this event you can see that without a perfect management process, even with powerful technology there is nothing to do. Therefore, a clear division of responsibilities and permissions is essential, otherwise a point of hacking can lead to abuse of authority, thereby causing huge losses to customers.

In the technical confrontation, we think: Division "cloud" long technology to the system "cloud." The essence of cloud computing is to improve efficiency and reduce costs, while traditional security devices are in the opposite direction, for example: the traditional application Firewall (WAF) single device throughput and processing capacity is limited, to cloud computing services to create bottlenecks. In the technology selection, users should be more concerned about those who can integrate with the cloud technology products or programs.

Combined with cloud computing business features and technical architecture, cloud computing service providers should combine their own business characteristics, focusing on the following three major areas of defense: Application and API security, data security and collaboration, firewalls (physical firewalls and virtual firewalls). While strengthening the platform security mechanism, it is necessary to instruct or help the user to do the security service, so the two-pronged approach can improve security. Of course, the surgery industry has specialized, cloud computing service providers are not security experts, themselves may not be able to deal with a number of complex security issues, in this respect should also strengthen the depth of cooperation with professional security vendors.

As hackers carve out a second battlefield in the cloud, "cloud security War" has been unavoidable, which also stimulated the development of cloud security services industry, only a growing number of cloud security service providers to promote the cloud security industry technology innovation and development, I believe the new forces will become the main force of cloud security.