CEF: Public cloud security concerns you cannot ignore


Companies are adopting cloud services at a rapid pace because they see the benefits of scalability, flexibility, agility and better workload allocation, all at lower cost. But conventional wisdom insists that public clouds are suitable only for less important data and applications, while more sensitive or private data should be handled only in the enterprise's own private cloud.

Is this really the best choice? It is an understandable response, but not a logical one. I predict that we will actually move into an era of going to the cloud for higher security, rather than a "risk to the cloud" era, but first we need to look more closely at how people perceive risk...

Security on the Cloud

How many times must we be told that flying is safer than driving before everyone can relax and enjoy the flight? There is no simple answer, because the fear of flying has a strong emotional and instinctive basis, and it takes a long time to adapt to the logical argument.

Sitting in your own car, especially if you are the driver, gives a sense of control, or at least of an understandable risk, whereas air passengers cannot even see the pilot or where they are headed. Add to that the fact that a plane crash makes bigger news than a road accident. Figure 1 (figures from Wikipedia), comparing deaths per billion journeys, suggests that it is three times safer to travel by car or on foot than by air; but that is because the average walk is less than a kilometre, and driving from New York to New Orleans is far longer than the average car trip.


Figure 2 instead records deaths per billion kilometres travelled; air travel averages 0.05 deaths, almost invisible on the graph. We now see that Fats Domino, in "Walking to New Orleans", made the wrong choice: he should have flown.

Our intuition tells us that it is more dangerous to travel at 800 kilometres an hour above the clouds than to walk at 6 kilometres an hour on the ground, and our intuition is correct. But that is precisely why global business and government regulators have invested billions upon billions of dollars over the past century to overcome this danger, making Figure 2 true. In fact, the biggest risk of air travel is not on the plane but on the way to and from the airport.

Cloud computing is exactly the same. Our intuition tells us that keeping critical processes in our own data centres is safer because we know where they are and who can access them, but companies worth billions of dollars are doing everything they can to make sure our intuition is wrong: they invest heavily in systems to protect cloud data and operations, because their own reputation and the future of cloud computing depend on it. Of course, the cloud industry knows it is a target of cyber attacks, just as planes are an attractive target for terrorists, but that is exactly why so much money is spent on preventing these attacks, more than most organizations are likely to spend protecting a private cloud.

In fact, the biggest risk is not in the cloud but in the journey to the cloud, as in the journey to the airport. Once this is understood, it makes sense to avoid entrusting key data to the public Internet on its way to the cloud, and instead to connect to the cloud over a dedicated Ethernet line.

It is an old business cliché that buying decisions depend largely on emotion, and this is partly true even of deliberate IT choices. What is needed is a clearer understanding of actual rather than intuitive cloud risks, their relative importance, and how best to mitigate them. The CEF (Cloud Ethernet Forum) addresses this need by analysing the security challenges of four classes of use case:

· Cloud Security

· Cloud Network

· Privacy issues

· Security from the Clouds

Cloud Security

You do not send data to the cloud to have it treated poorly or lost. Cloud services must be implemented on high-quality, well-maintained infrastructure. In fact, this is one of the main attractions of the public cloud: cloud computing uses the latest technology on a pay-per-use basis to provide state-of-the-art services, rather than the ongoing burden of updating your own applications, operating systems and security.

Data integrity and the cloud service itself depend directly on the stability and uptime of the cloud infrastructure, which must be protected against accidental incidents such as human error, power outages and natural disasters.

Cloud customers are primarily concerned that their data is accessible to legitimate users and not to unauthorized ones. Access management and user identification are therefore critical in the cloud. This is not only about protecting against data theft: cloud-assisted machine-to-machine (M2M) communications and the Internet of Things (IoT) require that access be granted only to devices covered by existing contractual agreements between the customer and the cloud information provider.

Then there is a particular example of "fear of the unknown": the additional vulnerabilities introduced by the virtualization technologies underlying many of today's cloud services. Distributed denial of service (DDoS) attacks on virtual machines can also degrade the hypervisor that manages them, and the traditional defences designed for non-virtualized systems may not be sufficient. Such attack traffic should be filtered before it reaches the target virtual machine.

Cloud Network Security

The journey to the airport can be riskier than the flight itself, and the same is true of the cloud. No matter how safe and efficient operation in the cloud is, if data transfer between clouds or between the user and the cloud becomes as uncertain as a car ride to the airport in rush hour, everything is in vain. This is a significant challenge when you consider the size of many data transfers and the low-latency requirements of many users. Add the risk of cyber attacks on the network, the equivalent of being hijacked on the way to the airport, and you need to strike a balance between securing the network and still allowing fast, low-latency connections.

Encrypting every bit of data between the cloud and the customer adds a heavy computational burden, and not every bit is equally sensitive: customer and vendor need to agree on a security level for each type of data. ISPs should ensure that data transmission is secure at the physical level, and a virtual private network (VPN) between the cloud and the customer is a more reassuring way to provide security and privacy for data in transit. Add to this the common intrusion detection and prevention measures: firewalls, DPI, threat management, log management, antivirus services and so on.

Just as server virtualization adds uncertainty in the cloud, network virtualization adds both positive and negative potential. By separating the control plane from the data plane, SDN makes the network structure more flexible, and it confines malicious access to the data plane unless the attacker gains access to the control plane. It is therefore all the more important to protect the control plane against malicious access and attacks. Like a cloud hypervisor, the controller will be a target for DoS and information disclosure. Techniques such as rate limiting, event filtering, packet dropping and timeout adjustments should be deployed at the control level to help protect against such attacks.
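The control-plane protections just listed (event filtering, per-port rate limiting, and pushing a drop rule with a timeout so the data plane absorbs a flood instead of the controller) can be seen working together in a small simulation. This is an added example, not code from the original article, from the CEF, or from any real SDN controller; the datapath ids, event dictionaries, bucket sizes and timeout values are all constructed for the demo.

```python
"""Toy front door for an SDN controller: event filtering, per-port rate
limiting and a short-lived drop rule with a timeout. Constructed example,
not the code of any real controller."""
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    capacity: float
    rate: float           # tokens refilled per second
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self):
        self.tokens = self.capacity   # start full

    def allow(self, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class ControllerGuard:
    registered: set                 # datapath ids that completed the handshake
    capacity: float = 5.0           # burst of packet-ins a port may send
    rate: float = 2.0               # sustained packet-ins per second per port
    drop_timeout: float = 10.0      # seconds a pushed drop rule stays installed
    buckets: dict = field(default_factory=dict)
    drop_rules: dict = field(default_factory=dict)     # (dpid, port) -> expiry
    stats: dict = field(default_factory=lambda: {
        "handled": 0, "filtered": 0, "rate_limited": 0, "dropped_by_rule": 0})

    def handle(self, event: dict) -> str:
        now = event["t"]
        key = (event["dpid"], event["in_port"])
        # 1. Event filtering: ignore anything from a switch we never registered.
        if event["dpid"] not in self.registered:
            self.stats["filtered"] += 1
            return "filtered"
        # 2. A live drop rule means the data plane absorbs this port's packets;
        #    once the timeout has passed the rule expires and the port is served again.
        expiry = self.drop_rules.get(key)
        if expiry is not None:
            if now < expiry:
                self.stats["dropped_by_rule"] += 1
                return "dropped_by_rule"
            del self.drop_rules[key]
        # 3. Rate limiting: a port that exceeds its bucket gets a drop rule pushed.
        bucket = self.buckets.setdefault(key, TokenBucket(self.capacity, self.rate))
        if not bucket.allow(now):
            self.drop_rules[key] = now + self.drop_timeout
            self.stats["rate_limited"] += 1
            return "rate_limited"
        self.stats["handled"] += 1
        return "handled"


def simulate() -> dict:
    """Replay a constructed event trace and return the guard's counters."""
    guard = ControllerGuard(registered={1, 2})
    events = []
    # Flood: 50 packet-ins from switch 1, port 3, inside one second.
    events += [{"t": 0.02 * i, "dpid": 1, "in_port": 3} for i in range(50)]
    # Normal: one packet-in per second from switch 2, port 1.
    events += [{"t": 1.0 * i, "dpid": 2, "in_port": 1} for i in range(5)]
    # Unregistered datapath trying to talk to the controller.
    events.append({"t": 0.5, "dpid": 9, "in_port": 1})
    # The flooded port again after the drop rule has expired.
    events.append({"t": 11.0, "dpid": 1, "in_port": 3})
    for e in sorted(events, key=lambda e: e["t"]):
        guard.handle(e)
    return dict(guard.stats)


if __name__ == "__main__":
    print(simulate())
```

In the replayed trace the flooding port gets its first five packet-ins served, the sixth trips the bucket and installs a drop rule, the remaining 44 never cost the controller any work, and the same port is served again once the rule has timed out; the well-behaved switch is unaffected throughout. The point a practitioner should take from it is that the timeout matters as much as the limit: a permanent drop rule would turn a transient flood into a self-inflicted outage for that port.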

Privacy issues

We have dealt with the obvious problem: nobody wants their data in the cloud to be stolen or tampered with. This question goes a stage further: can users rely on the cloud to "solve a problem without knowing what the problem is"?

This applies in particular to large-scale big data or numerical computation. Take a bank as an example: part of its portfolio management may require computing power it does not have in-house to solve large-scale optimization problems, so it may need to use cloud computing resources. But the actual dataset includes sensitive information that must not be leaked to third parties or the public. Technologies such as homomorphic encryption should make it possible to process the data without ever revealing its actual content, and for the solution to be usable, (a) encrypting the input, (b) decrypting the result and (c) verifying the correctness of the solution must together carry far less computational overhead than the computational task itself.
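The outsourcing scenario above, reduced to its simplest shape, is shown below with an additively homomorphic scheme (Paillier): the client encrypts its positions, an untrusted worker computes a price-weighted exposure while seeing only ciphertexts, and the client decrypts one number. This is an added example, not code from the original article or from any CEF work product; it covers steps (a) and (b) of the text and deliberately does not attempt step (c), verifying the worker's answer, for which Paillier alone offers nothing. The fixed Mersenne primes, the function names and the sample portfolio are constructed for the demo, and the key is far too small for real use.

```python
"""Toy Paillier (additively homomorphic) demo of the outsourcing scenario:
the client encrypts its portfolio positions, an untrusted worker computes
a price-weighted exposure on ciphertexts only, and the client decrypts.
Constructed example; the key is far too small for real use."""
import math
import secrets

# Toy key material: two well-known Mersenne primes, 2^31-1 and 2^61-1.
# A real key uses randomly generated primes of 1024 bits or more.
P = 2**31 - 1
Q = 2**61 - 1


def keygen(p=P, q=Q):
    """Return ((n, g), (lam, mu)) for the simplified Paillier variant g = n + 1."""
    n = p * q
    n2 = n * n
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1
    # mu = L(g^lam mod n^2)^-1 mod n, where L(x) = (x - 1) // n
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m):
    """E(m) = g^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, g = pub
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """m = L(c^lam mod n^2) * mu mod n."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    return ((pow(c, lam, n2) - 1) // n) * mu % n


def add(pub, c1, c2):
    """Ciphertext product encrypts the plaintext sum: E(a) * E(b) = E(a + b)."""
    return (c1 * c2) % (pub[0] ** 2)


def scale(pub, c, k):
    """Ciphertext power encrypts a scalar multiple: E(a)^k = E(k * a)."""
    return pow(c, k, pub[0] ** 2)


def worker_weighted_sum(pub, enc_positions, weights):
    """The untrusted side: sees only ciphertexts and the public weights."""
    acc = encrypt(pub, 0)
    for c, w in zip(enc_positions, weights):
        acc = add(pub, acc, scale(pub, c, w))
    return acc


def outsourced_exposure(positions, prices):
    """Client side: (a) encrypt the input, hand it out, (b) decrypt the result."""
    pub, priv = keygen()
    enc = [encrypt(pub, x) for x in positions]          # (a)
    result_ct = worker_weighted_sum(pub, enc, prices)   # heavy lifting elsewhere
    return decrypt(pub, priv, result_ct)                # (b)


def plaintext_exposure(positions, prices):
    """Reference computation, for checking the demo against the clear answer."""
    return sum(x * p for x, p in zip(positions, prices))


if __name__ == "__main__":
    # Constructed sample: units held per instrument and public unit prices.
    holdings = [120, 40, 75]
    unit_prices = [10, 250, 3]
    print(outsourced_exposure(holdings, unit_prices))   # 11425
```

Two properties are worth noticing when running it. Encrypting the same position twice yields different ciphertexts, so the worker cannot even tell which positions are equal, let alone their values; and the worker's side is the part that scales with the portfolio, while the client pays one encryption per input and a single decryption at the end, which is the cost asymmetry the text requires of (a) and (b). What this scheme does not give is any assurance that the worker computed the right weighted sum, which is exactly why the text lists (c) as a separate requirement.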

Another factor is the growing concern of governments over data routing. Cloud data audits need to be efficient and easy to implement, while preserving the privacy of the audited data.

Cloud Security Management (CMS)

This is a particularly promising development, best explained by the analogy of the water supply. A service provider that lets malware and spam reach the client, and therefore expects each customer to buy and rely on their own defences (firewalls, antivirus, mail filtering and so on), is like a water company delivering contaminated water to the user's home. We should expect data and services to be delivered clean, just as tap water is generally safe to drink.

Cloud security management replaces the traditional, complex and often inefficient distributed security approach with security delivered by centralized, consistent and flexible cloud computing. This "security as a service" can be built on a seamless detection, management and monitoring solution in the cloud, and will need to meet several requirements. It must be: robust enough to guarantee connectivity between the cloud and the customer; comprehensive enough to replace all local security facilities, such as antivirus software, filters and firewalls; consistent across customers with different security requirements and operations; and able to provide high quality of service through precise, real-time, low-latency malware detection and handling.

Shifting local security arrangements to the cloud in this way will cut overall costs and significantly improve the user experience through greater convenience. As a hosted service, it gives cloud providers a new business opportunity in which the cloud is not a source of risk to customers but a means of avoiding risk. The service can take many forms.

With the perimeter approach, any traffic that reaches the customer's perimeter is redirected to the cloud for security inspection and processing before being returned to the customer. Device-based security solutions, such as a proxy appliance or a firewall at the customer's gateway, can redirect traffic to the cloud using encrypted and resilient methods such as IPsec VPNs. For higher security requirements, SSL protects communications regardless of the type of underlying connection, and can additionally support users of mobile devices.

A simpler solution, by appropriately configuring DNS servers on the Internet and using proxy mechanisms, transfers data directly to the cloud for security checks and policy enforcement. The cloud then acts as a highway checkpoint between customers and the public Internet, examining the data at the bit level in a server cluster in the cloud. SaaS services, GRE tunnels, proxy chains, port forwarding and web browser proxy configuration are some of the ways of meeting different needs with adequate efficiency.

Network Functions Virtualization Security (NFV-S) is the third and fundamentally new paradigm, leveraging the latest network virtualization and SDN technologies. Data traffic at the customer's home gateway, edge router or vSwitch is virtualized into a virtual overlay that streams into the cloud, where it is handled by virtualized network security functions built on filtering, anti-spam/antivirus detection and security intelligence modules. The cloud also hosts management and control modules such as billing, security service subscription and management, incident and event roll-up, service delivery, network configuration, and directory and reporting services. After security checks and enforcement, customer data traffic is then sent from the security management cloud to the customer's destination network.

Conclusion

Although flying high among the clouds has been shown to be safer and more secure, I suspect that even Hughes would not choose to fly between airports for the rest of his life. But there are people who choose to retire to a cabin on a giant cruise ship and enjoy all the services of a secure, large ocean liner.

Once cruise operators can invest enough not only to provide excellent service but also to minimize the risk of attack or accident, it really starts to look like a safer and better deal than buying a private home on land.

This is how we see a possible future scenario for the cloud: it would be considered the best and safest way to store and process data, no matter how private and critical that data is.
