Apple's iCloud service has left users excited and impatient to move their personal data into Apple's data centers for easier access and sharing. The service is cool and convenient, but when you hand your information to iCloud, should you be praying for the security of that data?
Apple CEO Steve Jobs unveiled Apple's cloud service, iCloud, at WWDC 2011, Apple's Worldwide Developers Conference, on June 7, 2011, marking Apple's entry into the cloud. It provides a free MobileMe service that synchronizes and stores users' music, photos, applications, calendars, documents, videos, mail, contacts and more, pushes them wirelessly to all of a user's devices, and adds photo streaming, cloud documents, automatic backup and more. In the wave of cloud computing, this is Apple's inevitable choice, given its increasingly rich product line and users' needs across a variety of devices.
The spread of cloud computing raises the stakes for information security
Cloud computing is the product of advances in IT technologies such as computing, storage and virtualization, of progress in communication and network technology, of growing demand, and of changing business models. Its main attractions are high cost-effectiveness, high utilization, high scalability, high reliability and transparent use of resources. But as the technology matures and real applications land on it, its security increasingly becomes the focus of users' attention. In a cloud computing environment users no longer own the hardware of the infrastructure; they use remote storage and computing, the data sits in the cloud and the software runs in the cloud. This breaks traditional IT deployment habits and poses new security challenges for applications, especially those deployed in the cloud. Faced with this challenge, what security technologies exist for cloud computing, and how do we avoid its security risks?
Cloud computing security and its current state
From Google's mobile advertising subsidiary being suspected of illegally collecting user information, to the largest outage in Amazon's history, in which a data center interruption cut off service for two days, to the recent hacking of Sony's servers, in which the personal information of 77 million online users was stolen: this series of cloud security incidents has left users full of questions and concerns about cloud computing. Survey data show that more and more companies are considering keeping their more important data behind the company firewall rather than in the cloud, and are even re-examining whether their cloud service contracts are appropriate. Security is the biggest concern for companies applying cloud computing. According to Forrester Research, 51% of small and medium-sized businesses say that security and privacy issues are the main reason they have not yet used cloud services; an IDC survey likewise shows that security is the primary consideration for corporate users choosing cloud computing.
Security issues have become the primary concern about cloud computing
There are two main security issues in cloud computing. The first stems from the cloud environment itself: the traditional view is that information stored in one's own controllable environment is safer than information stored in an unfamiliar place, so traditional users cannot accept that an environment they do not control can provide better security. The second is that traditional IT is closed: for security it needs only an externally facing access interface protected by a firewall, with anti-virus software deployed internally. With cloud computing, every access is exposed on the public network and users must operate their systems remotely, so cloud computing changes the security protection model of existing software systems.
No international standard for cloud computing application security has yet formed. Three kinds of organizations study it. The first is non-profit organizations such as the CSA (Cloud Security Alliance). The second is cloud computing service providers, which have proposed cloud security solutions and security policies that rely mainly on identity authentication, security review, data encryption, system redundancy and similar means to improve the robustness and usability of the cloud business platform and the security of user data; Google, for example, uses a two-step verification mechanism to control access to information and improve the security of its cloud computing. The third is security companies such as Symantec, Rising and Jinshan; their security technologies and products are not discussed in this article.
Google's two-step verification mechanism
Cloud computing security: related technologies
By service model, cloud computing is divided into Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS); the relationships and dependencies between these models are critical to understanding cloud computing security, and cloud security technology can be deployed along the three aspects of this service model. IaaS covers all infrastructure resource levels from the machine room to the hardware platform. PaaS, on top of IaaS, adds a layer of integration with application development, middleware capabilities, and functions such as databases, messaging and queues; it lets developers build applications on the platform using the programming languages and tools that the PaaS provides.
Cloud computing security model at different levels
SaaS sits above IaaS and PaaS and provides a self-contained running environment that delivers a complete user experience, including content, presentation, application and management capabilities. The three cloud service models differ in both the methods and the responsibilities of security protection. Technically, cloud computing security covers three directions: data security, application security and virtualization security.
Security management should be applied across the whole data lifecycle
Data Security
Data is an application's most important resource. Cloud computing separates the data from the infrastructure the user once used to store it, so the user loses control of the data: all user data sits in a shared environment, and the user does not know its physical location or the storage strategy applied to it. The technologies used for data security fall into the following categories:
Data encryption: the files or data to be transferred can be encrypted with the recipient's public key, and the recipient decrypts the ciphertext with the corresponding private key. Encryption is applied mainly through block ciphers, stream ciphers, cryptographic hash algorithms and identity authentication.
Licensing and authentication: permissions and authentication are familiar, but they take on more meaning in a cloud computing environment, where most licensing and identity assurance is done by the cloud service provider or by third-party certification, such as Microsoft's ISO2007 certification of its data centers and infrastructure. Depending on the required strength and the factors involved, authentication can be single-factor or two-factor.
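Two-factor authentication of the kind Google's two-step verification offers is commonly built on a time-based one-time password. The Go program below is an added example for this article, not Google's implementation or any provider's code; it implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library, verifies a submitted code with a one-step clock-skew window and a constant-time comparison, and refuses to accept the same time step twice, which is the replay check a server-side verifier needs. The shared secret is the RFC 6238 test-vector secret, so the generated code can be checked against the published vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// HOTP implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation to 31 bits, then the low `digits` decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP implements RFC 6238: the counter is the number of step-second
// intervals elapsed since the Unix epoch.
func TOTP(secret []byte, unixTime int64, step int64, digits int) string {
	return HOTP(secret, uint64(unixTime/step), digits)
}

// Verifier is the server side of the second factor. It tolerates a clock
// skew of Window steps, compares in constant time, and never accepts a time
// step at or before the last one that succeeded (replay protection).
// lastUsed starts at 0, so step 0 (the epoch itself) counts as used.
type Verifier struct {
	Secret   []byte
	Step     int64
	Digits   int
	Window   int64
	lastUsed int64
}

func (v *Verifier) Verify(code string, now time.Time) bool {
	current := now.Unix() / v.Step
	for delta := -v.Window; delta <= v.Window; delta++ {
		step := current + delta
		if step <= v.lastUsed {
			continue
		}
		expected := HOTP(v.Secret, uint64(step), v.Digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.lastUsed = step
			return true
		}
	}
	return false
}

func main() {
	// Shared secret from RFC 6238's test vectors (ASCII "12345678901234567890").
	secret := []byte("12345678901234567890")
	v := &Verifier{Secret: secret, Step: 30, Digits: 8, Window: 1}
	now := time.Unix(59, 0) // RFC 6238 vector: expected SHA-1 code 94287082
	code := TOTP(secret, now.Unix(), 30, 8)
	fmt.Println("generated:", code)
	fmt.Println("first use accepted:", v.Verify(code, now))
	fmt.Println("replay accepted:", v.Verify(code, now))
}
```

In a real deployment the secret is provisioned per user and stored with the same care as a password hash; the verifier's lastUsed value must be persisted alongside it, otherwise a restart reopens the replay window.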
Access control technology: the available methods are direct access control, role-based access control and mandatory access control, and access to a resource can be divided into read, write and full control. In the Windows Azure platform, Microsoft offers a simple way to control the cloud security model and services at the different levels of a web application.
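To make the read/write/full-control split and the difference between role-based and mandatory access control concrete, here is an added Go example written for this article; it is not Windows Azure's access control service or any provider's code. Permissions are bit flags, roles grant permissions on resource path prefixes, and a mandatory label check (user clearance against resource classification) runs before any role is consulted, so no role assignment can override it. The users, roles and resource names are constructed for the example; unclassified resources default to the lowest label.

```go
package main

import (
	"fmt"
	"strings"
)

// Permission bits; FullControl is every bit set.
type Permission uint8

const (
	Read Permission = 1 << iota
	Write
	Manage
	FullControl = Read | Write | Manage
)

// Label is the sensitivity level used by the mandatory check: a user may
// touch a resource only if the user's clearance is at least its classification.
type Label int

const (
	Public Label = iota
	Internal
	Confidential
)

type Role string

type grant struct {
	prefix string
	perm   Permission
}

// Policy combines role-based grants (who may do what on which resource
// prefix) with mandatory labels. Anything not explicitly granted is denied.
type Policy struct {
	roleGrants     map[Role][]grant
	userRoles      map[string][]Role
	userClearance  map[string]Label
	classification map[string]Label // missing entry means Public
}

func NewPolicy() *Policy {
	return &Policy{
		roleGrants:     map[Role][]grant{},
		userRoles:      map[string][]Role{},
		userClearance:  map[string]Label{},
		classification: map[string]Label{},
	}
}

func (p *Policy) Grant(role Role, resourcePrefix string, perm Permission) {
	p.roleGrants[role] = append(p.roleGrants[role], grant{resourcePrefix, perm})
}

func (p *Policy) AddUser(name string, clearance Label, roles ...Role) {
	p.userClearance[name] = clearance
	p.userRoles[name] = roles
}

func (p *Policy) Classify(resource string, level Label) {
	p.classification[resource] = level
}

// Allowed answers "may user perform need on resource?". The mandatory
// label check runs first; if it fails, no role can override it.
func (p *Policy) Allowed(user, resource string, need Permission) bool {
	clearance, known := p.userClearance[user]
	if !known || clearance < p.classification[resource] {
		return false
	}
	for _, r := range p.userRoles[user] {
		for _, g := range p.roleGrants[r] {
			if strings.HasPrefix(resource, g.prefix) && g.perm&need == need {
				return true
			}
		}
	}
	return false
}

// SamplePolicy builds a small constructed policy: two report files, three
// users with different roles and clearances.
func SamplePolicy() *Policy {
	p := NewPolicy()
	p.Grant("reader", "/reports/", Read)
	p.Grant("editor", "/reports/", Read|Write)
	p.Grant("owner", "/", FullControl)
	p.AddUser("alice", Internal, "reader")
	p.AddUser("bob", Confidential, "editor")
	p.AddUser("carol", Confidential, "owner")
	p.Classify("/reports/q1.csv", Internal)
	p.Classify("/reports/merger.csv", Confidential)
	return p
}

func main() {
	p := SamplePolicy()
	for _, c := range []struct{ user, resource string; need Permission }{
		{"alice", "/reports/q1.csv", Read},
		{"alice", "/reports/q1.csv", Write},
		{"alice", "/reports/merger.csv", Read},
		{"bob", "/reports/merger.csv", Write},
		{"carol", "/reports/merger.csv", FullControl},
		{"mallory", "/reports/q1.csv", Read},
	} {
		fmt.Printf("%-8s perm=%d on %s: %v\n", c.user, c.need, c.resource, p.Allowed(c.user, c.resource, c.need))
	}
}
```

Note that bob, who holds read and write on the reports, is still refused full control: the check `g.perm&need == need` requires every requested bit to be granted, which is what keeps "full control" a distinct level rather than an accident of holding two lesser ones.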
Application Security
The cloud computing service model has three levels, and cloud application security follows those three levels.
First, at the IaaS layer, the IaaS cloud provider should ensure the security of its physical architecture: in general only authorized employees may access the operating enterprise's hardware, and power redundancy, network redundancy, fire alarms and security alerts must be in place. The IaaS provider knows nothing about the deployment, management and operation of the customer's application or its runtime engine, so the customer is responsible for application security on the cloud host, but the IaaS provider should still run security checks on the customer's application data to avoid risks such as a virus program being executed.
Second, at the PaaS layer, the PaaS cloud lets users deploy applications they have created or purchased onto the cloud infrastructure, developed with the programming languages or tools supported by the service provider. PaaS application security has two levels: the security of the PaaS platform itself and the security of what the customer deploys on it; the security technologies used include system management and access control, firewall and router filtering, and malware prevention.
Finally, at the SaaS layer, the SaaS model puts the management and maintenance of the entire application in the provider's hands, so the SaaS provider should maximize the security of the applications and components it offers to customers, while the customer is typically responsible for security features at the operating layer, including user access management and authentication. Choosing a SaaS provider therefore requires extra caution. The usual practice for evaluating providers today is to require them to supply information about their security practices under a confidentiality agreement; this information should cover design, architecture, development, black-box and white-box application security testing, and release management.
Virtualization security is an integral part of cloud computing
Virtualization Security
A study published by Gartner analyst Neil MacDonald says that 60% of virtualized servers are more vulnerable than physical infrastructure. The problem is not that virtualization itself is insecure; the problem lies in system configuration, and most virtualization deployments are configured unsafely. Virtualization security technology has two aspects: the security of the virtualization software, and the security of the virtual servers.
The security of the virtualization software depends mainly on the security technology of the virtualization vendor. The VMsafe program recently released by VMware provides a framework for virtual security services, with the APIs that such services need in order to interact with virtual machines and the hypervisor.
A virtual server runs on top of the virtualization software. The security principles and practices of physical servers also apply to virtual servers, but the characteristics of virtual servers must be taken into account as well; specifically, virtual server security is ensured from three aspects: choice of the physical machine, security of the virtual server itself, and day-to-day management. Choose a physical server with a TPM security module and strictly limit the number of virtual servers running on each physical host; when installing a virtual server, assign it a separate hard disk partition; and on the virtual server's operating system install a host-based firewall, antivirus software, an IPS (or IDS), and logging and recovery software, and manage system patches, application patches, the services allowed to run, the ports that are open, and so on.
Besides data security, application security and virtualization security technology, the cloud computing environment also needs security monitoring, which mainly means creating, collecting and analyzing security events from the underlying infrastructure and the cloud services, recorded through logging and reporting.
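Collecting security events is only useful if something analyzes them. The Go program below is an added example for this article (not the logging or monitoring of any provider named on the page): it parses a small constructed authentication log in a simple key=value format, keeps a sliding window of failed logins per source address, and raises one alert when a source exceeds a threshold within the window. The log lines, addresses and user names are invented for the example; the format is an assumption, not a real product's log format.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// sampleLog is a constructed sample, not output from any real system.
// One line per authentication attempt against a cloud service front end.
const sampleLog = `2011-06-08T10:00:01Z auth src=203.0.113.5 user=alice result=FAIL
2011-06-08T10:00:09Z auth src=203.0.113.5 user=alice result=FAIL
2011-06-08T10:00:15Z auth src=198.51.100.7 user=bob result=FAIL
2011-06-08T10:00:20Z auth src=203.0.113.5 user=alice result=FAIL
2011-06-08T10:00:31Z auth src=203.0.113.5 user=root result=FAIL
2011-06-08T10:00:40Z auth src=203.0.113.5 user=admin result=FAIL
2011-06-08T10:00:52Z auth src=198.51.100.7 user=bob result=OK
2011-06-08T10:01:03Z auth src=203.0.113.5 user=alice result=OK`

type Event struct {
	Time   time.Time
	Source string
	User   string
	Failed bool
}

type Alert struct {
	Source   string
	Failures int
	At       time.Time
}

// ParseLine reads one "<RFC3339 time> auth key=value ..." line of the
// constructed format above.
func ParseLine(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 3 || fields[1] != "auth" {
		return Event{}, fmt.Errorf("unrecognised line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, err
	}
	ev := Event{Time: ts}
	for _, kv := range fields[2:] {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			continue
		}
		switch parts[0] {
		case "src":
			ev.Source = parts[1]
		case "user":
			ev.User = parts[1]
		case "result":
			ev.Failed = parts[1] != "OK"
		}
	}
	return ev, nil
}

// DetectBruteForce raises one alert per source that accumulates `threshold`
// failed logins within a sliding `window`. Events are expected in time order.
func DetectBruteForce(events []Event, threshold int, window time.Duration) []Alert {
	recent := map[string][]time.Time{} // per-source failure timestamps inside the window
	alerted := map[string]bool{}
	var alerts []Alert
	for _, ev := range events {
		if !ev.Failed {
			continue
		}
		times := recent[ev.Source]
		drop := 0
		for drop < len(times) && ev.Time.Sub(times[drop]) > window {
			drop++ // expire failures older than the window
		}
		times = append(times[drop:], ev.Time)
		recent[ev.Source] = times
		if len(times) >= threshold && !alerted[ev.Source] {
			alerted[ev.Source] = true
			alerts = append(alerts, Alert{Source: ev.Source, Failures: len(times), At: ev.Time})
		}
	}
	return alerts
}

// AnalyzeSample parses the embedded log and runs the detector over it.
func AnalyzeSample() ([]Alert, error) {
	var events []Event
	for _, line := range strings.Split(sampleLog, "\n") {
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return DetectBruteForce(events, 5, 2*time.Minute), nil
}

func main() {
	alerts, err := AnalyzeSample()
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, a := range alerts {
		fmt.Printf("ALERT %s: %d failed logins from %s within 2m\n", a.At.Format(time.RFC3339), a.Failures, a.Source)
	}
}
```

On the sample the detector flags 203.0.113.5 after its fifth failure and stays silent about 198.51.100.7, whose single failure is normal user behaviour; the success that follows the flagged burst is exactly the event an analyst would want correlated with the alert when reviewing the report.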
Avoiding cloud computing security risks
The cloud computing industry has huge market growth prospects, but for users of the service, cloud computing carries risks and challenges different from those of traditional IT. A Gartner report on cloud computing security risk outlines 7 risks of cloud computing.
1. Privileged user access: handling sensitive information outside the company is risky because it bypasses the "physical, logical and manual control" that the enterprise IT department applies to this information. Organizations need a good understanding of the administrators who handle the information and should require the service provider to supply detailed information about those administrators.
2. Predictability: users are ultimately responsible for the integrity and security of their data. Traditional service providers have to pass external audits and security certifications, but some cloud providers refuse to accept such scrutiny. With such providers, users can only entrust their services with trivial work.
3. Data location: when using cloud services, users do not know where their data is stored, not even which country it is in. Users should ask the service provider whether the data is stored in a specific jurisdiction and whether the provider complies with local privacy agreements.
4. Data isolation: in a cloud computing system, all user data sits in a shared environment. Encryption helps, but it is still not enough. Users should find out whether the cloud provider separates some data from the rest, and whether the cryptographic scheme was designed and tested by experts. If the encryption system has a problem, all of the data will become unavailable.
5. Data recovery: even if users do not know where their data is stored, cloud providers should still tell them what will happen to their data and services in the event of a disaster. Any data and applications that have not been backed up will be in trouble. Users need to ask the service provider whether it can recover data and how long recovery will take.
6. Investigation support: in a cloud computing environment it is difficult to investigate inappropriate or illegal activity, because data from multiple users may be stored together and may move across multiple hosts or data centers. If the service provider has no measures for this, the user will find it hard to investigate a violation.
7. Long-term viability: ideally a cloud provider will never go bankrupt or be bought by a larger company, but users still need assurance that their data will not be affected if that happens. Users need to ask the service provider how they would get their data back and whether the returned data could be imported into an alternative application.
Whatever the service or deployment model, both users and providers of cloud computing services should work to improve the security of their information. For users, before choosing a cloud computing service or migrating an existing IT system to a private cloud or a public cloud service, it is important to gain a correct understanding of cloud computing security, which helps decide what kind of business to put in the cloud; to minimize the security threats that may arise after migrating to cloud services; and to seek technical support from the cloud service provider covering design, development, deployment, testing and operation.
For cloud computing service providers, minimizing the security threats to the cloud computing system, improving service continuity and protecting user information security are the keys to a successful business. Beyond traditional IT security tools such as virus protection, real-time monitoring, firewalls and route filtering, providers should protect the availability, privacy and integrity of user information; securely isolate and protect each user's systems and data, ensuring the security of stored user information and of the logical boundaries between users; and implement strict identity management, security authentication and access control, with user access records that make every access traceable.
Cloud computing security trends
There is no doubt that the widespread use of cloud computing will change people's lives, and may even radically change how users use computers, moving them from desktop-centred use of various applications to web-centred activities. Cloud computing security trends have both technical and non-technical aspects.
At the technical level, on one hand cloud service providers are strengthening their research into cloud security solutions and technologies at the IaaS and PaaS layers; SSL is the basis of most cloud security applications, and since it may become a major medium for viruses it needs more monitoring. On the other hand, enterprises applying cloud computing are building up security planning, system reconfiguration, technical training and other reserves for their migration to the cloud.
At the non-technical level, there are more and more policies and regulations on cloud computing to consider. Earlier this month, experts and scholars from the Ministry of Public Security, the Ministry of Communications, government departments at all levels, the Chinese Academy of Sciences, the Chinese Academy of Social Sciences, Xi'an Jiaotong University, Beijing University of Posts and Telecommunications, Lanzhou and other academic institutions, and Intel (China), Microsoft, Cisco (China) and other Chinese and foreign cloud computing industry organizations established China's Cloud Computing Security Policy and Legal Working Group to formulate the relevant policies. Overall, the biggest challenge facing cloud computing remains its security. Although security practitioners are actively involved and cloud security solutions continue to emerge, the road to cloud computing security is long and tortuous; we look forward to a secure cloud arriving soon.