Cloud Computing Security Forum: From encryption, cloud security architecture to trusted computing


[CSDN Live Report] The Second China Cloud Computing Conference opened at the Beijing National Convention Center on May 20-23, 2014. Grounded in practice and taking an international perspective, the conference helps participants understand global trends in cloud computing technology and learn from practical experience in transport, medical, education, finance, manufacturing, digital entertainment and other industries. Through technical sessions, product launches, training courses and other means, it offers a deep analysis of the core technologies of cloud computing and big data.

Hunenghei, director and professor of Information Processing Center, China University of Science and Technology

The "Cloud Computing Security Forum" officially began, chaired by Professor Hunenghei of the China University of Science and Technology Information Processing Center. The adoption of cloud computing and the spread of mobile devices have brought new challenges to information security and new problems to the IT environment, such as public cloud data security, dedicated cloud defense, and mobile payment security. At this forum, security experts and scholars set out, in a practical and scientific manner, distinctive paths and breakthrough methods for the secure development of cloud computing.

Zhang Researcher, Institute of Software Research, CAS

Zhang, a researcher at the Institute of Software Studies of the Chinese Academy of Sciences, gave the first talk, "Ciphertext search: the golden key to unlock the shackles of cloud storage." Cloud computing has become an irreversible technology trend. Every individual generates a lot of data on the web every day. Some of it is deliberately public, such as pictures and articles posted on the web. A large part, though, is information we want to keep to ourselves or share only with our closest friends, such as commercially important documents or sensitive, private photos of ourselves. This private data is also stored on the Internet or on the service provider's servers. Encryption is an important means of keeping it secure, but encryption makes the data inconvenient to use, and the biggest inconvenience is in query and retrieval, which creates the need for ciphertext search.

The goal of ciphertext retrieval is to let users locate encrypted information on remote servers. In the broad sense, ciphertext retrieval includes searchable encryption and encrypted retrieval over outsourced databases. Searchable encryption refers to retrieving unstructured information, such as documents, by keyword. It can be divided into symmetric searchable encryption (SSE, where the user both generates the ciphertext data and searches it) and asymmetric searchable encryption (ASE, where the party that generates the ciphertext data and the party that searches it are not the same person). Encrypted retrieval over outsourced databases refers to retrieving structured data where everything stored on the server is ciphertext and the server does not hold the user's key. In his speech, Zhang introduced the current state of development and the future trend of ciphertext retrieval.
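A minimal sketch of the symmetric case (SSE) described above, added here as an illustration and not taken from Zhang's talk or platform: the client derives a keyed token per keyword, and the server matches tokens without ever seeing a keyword. The names `keyword_token`, `Server` and `Client`, the choice of HMAC-SHA256, and the sample blobs are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

def keyword_token(index_key, keyword):
    """Client side: HMAC-SHA256 of the normalized keyword under a secret key."""
    normalized = keyword.strip().lower().encode("utf-8")
    return hmac.new(index_key, normalized, hashlib.sha256).hexdigest()

class Server:
    """Untrusted storage: holds tokens and opaque blob ids, never keywords."""

    def __init__(self):
        self.index = defaultdict(set)

    def upload(self, blob_id, tokens):
        for token in tokens:
            self.index[token].add(blob_id)

    def search(self, token):
        return set(self.index.get(token, ()))

class Client:
    """Data owner and searcher are the same party (the SSE setting)."""

    def __init__(self):
        self.index_key = secrets.token_bytes(32)  # never sent to the server

    def store(self, server, blob_id, keywords):
        server.upload(blob_id, {keyword_token(self.index_key, k) for k in keywords})

    def find(self, server, keyword):
        return server.search(keyword_token(self.index_key, keyword))

def demo():
    server, owner, stranger = Server(), Client(), Client()
    # Constructed sample data; blob ids stand for files encrypted elsewhere.
    owner.store(server, "blob-01", ["contract", "2014", "finance"])
    owner.store(server, "blob-02", ["photo", "family"])
    owner.store(server, "blob-03", ["Contract", "draft"])
    hits = owner.find(server, "contract")
    misses = stranger.find(server, "contract")  # different key, no match
    return hits, misses, len(server.index)  # 6 distinct tokens on the server

if __name__ == "__main__":
    print(demo())
```

Because the tokens are deterministic, the server still learns which queries repeat and which blobs each query matches; this leakage is the price of the simple index.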

The "Cloud Storage Security Support Platform" developed at the TCA laboratory of the Institute of Software, Chinese Academy of Sciences, already implements the ciphertext retrieval functions described in the speech. The draft national standard "Cloud storage security technology requirements" also contains requirements for ciphertext search. Zhang said that ciphertext retrieval technology is moving from scientific research to practical use and may in future become an indispensable component of cloud computing centers and data centers.

National Computer Network Emergency Technology Treatment Coordination Center deputy Director, chief Engineer Yun Xiaochun

Yun Xiaochun, deputy director and chief engineer of the National Computer Network Emergency Technology Processing Coordination Center, gave the talk "Enhancing security analysis capabilities based on big network data." At the beginning of each year the center publishes a review of the previous year's domestic Internet security situation. According to the latest figures for March this year, China still faces a large number of attacks from overseas addresses. In 2013, 31,000 hosts outside China remotely controlled 61,000 domestic websites through implanted backdoors. Although the number of overseas controlling hosts fell by 4.3% compared with 2012, the number of domestic websites controlled rose significantly, by 62.1%. Ranked by number of domestic websites controlled, hosts located in the United States came first: 6215 hosts controlled 15,349 domestic websites, an average of 2.5 websites per host, 78.6% more than in 2012 (about 1.4). Second was Hong Kong, China, whose hosts controlled 13,116 websites, a significant increase of 179.5% over 2012. Third was South Korea, whose hosts controlled 7,052 domestic websites, down 11.1% from 2012.

As for phishing attacks, 90.2% of the phishing sites targeting China are located outside the country. A total of 3,823 overseas IP addresses hosted 29,966 phishing pages imitating domestic websites, increases of 54.3% and 27.8% respectively over 2012. Ranked by number of phishing pages hosted, the United States still came first, with 2043 hosts carrying 12,573 phishing pages; Hong Kong, China, and South Korea were second and third, hosting 4,500 and 1093 phishing pages respectively.

Yun Xiaochun said that security analysis based on big network data can play a role in 4 aspects: first, finding solutions to perceived security threats; second, assessing security status; third, forecasting security trends. According to the 2013 national Internet security report issued by the center at the beginning of this year, 10.9 million hosts were controlled by 29,000 servers abroad, and the network information systems of government agencies, basic telecommunication enterprises, scientific research institutes and large commercial organizations were attacked many times.

Security analysis based on big network data can be organized as a four-step process. The first step is to define the task. Big data has no panacea, no single method that solves every problem; analysis must be targeted, with different methods for different security objectives, scenarios and tasks. So the first step is to analyze the task, abstract the security scenario, and determine the security objective. In the second step, with the scenario and objective in hand, we identify our data sources, understand the data, and visualize the corresponding models. In the third step, with the model in hand, we select controls, design the flow, run single-step tests on small samples, and verify along multiple dimensions. In the final step, we fix the analysis logic in the pattern library, set the appropriate parameters, and solidify the whole analysis task as an analysis pattern. This is the process we think security analysis based on big data should follow.

Aliyun security expert Shen Sixi

Aliyun security expert Shen Sixi gave the talk "Cloud security," the first time Alibaba has appeared at the Cloud Computing Conference. Aliyun currently has a large number of users, and its user base is more complex than that of a typical cloud: there are small and medium-sized websites in the traditional sense, and there are also users such as government and electricity, and the forms in which the service is delivered differ greatly as well. Shen Sixi's talk addressed, mainly from the perspective of government-sector users, the security doubts surrounding the use of cloud computing services.

In Aliyun's contact with customers, especially government clients, the most frequent questions are how data security is ensured and whether users can be effectively isolated. Shen Sixi said that cloud security services should be provided to customers by default. Why? In a cloud computing environment the traditional firewall cannot be used, but the work it did still has to be done, so a cloud service must build in the security features that users traditionally need.

How to build it? Shen Sixi said that cloud platforms with the following characteristics meet the requirements:

A low-cost, high-precision, large-scale security defense architecture;

Complete data security capabilities in the platform itself;

Comprehensive compliance, which is a basic requirement for industry users, especially government and financial users.

Finally, Shen Sixi ended the speech with "If not Jianyun, how to know safety; if not safe, how dare to Clouds": many people feel that the cloud is not safe, but data in the cloud is more secure than you might imagine, because the cloud can do a lot of things that could not be done before.

360 company chief Privacy officer, Vice President Tanxiaosheng

Next, Tanxiaosheng, chief privacy officer and vice president of 360, described in the talk "Network attack detection based on big data analysis" how to use cloud computing technology to solve security problems. As a security company, 360 is itself a focus of attacks; if a security company is infiltrated or has malicious samples loaded into it, the impact is very large and can even touch on national security.

Moreover, today's security problems are no longer just the traditional phishing and planting of trojans on web pages; new types of attack such as APT attacks are the focus and the difficulty of network security today. Tanxiaosheng said that the essence of an APT attack is that it is no longer limited to exploiting computer vulnerabilities but uses social engineering to exploit human weaknesses. Current security defenses should be based on four assumptions:

The system has vulnerabilities that have not yet been discovered;

The system has discovered vulnerabilities that have not yet been patched;

The system has already been infiltrated;

Employees are unreliable.

For example, 360 requires employee passwords to be at least 15 characters long and to combine several character types. Two 360 servers are dedicated to brute-forcing employee passwords 24 hours a day, 7 days a week, and any password that can be cracked must be changed.

Tanxiaosheng also described several examples of 360 analyzing attacks through real-time visualization of big data. The 360 big data platform uses Hadoop and Storm. Its data volumes:

Real-time monitoring of 100G of bandwidth; 50TB of data stored per day after cleaning; response time to an attack of 10 seconds

More than 15,000 storage and computing servers; 200PB of total stored data, growing by 1PB daily

20,000 computing tasks per day, processing 3.5PB of data daily

Tanxiaosheng said that in current network security defense, whether in cloud computing generally or in public cloud protection, there is one technique that now has to be used: traffic monitoring based on big data, which listens to traffic and then finds the anomalous attacks in it. The problem with this is data privacy, because you are listening to all the data: packet capture at the office egress and the core switch lets you read everyone's daily email. Corporate employees accept such monitoring when they sign an agreement, but there is a privacy question if it is applied to a larger public cloud.

  

Li Yu-ai, global chief strategic diplomat, Cloud Security Alliance

Li Yu-ai, global chief strategy diplomat of the Cloud Security Alliance, gave a talk on "swords" at the "Cloud Security Forum" and introduced the nine cloud security threats summed up by the Cloud Security Alliance:

Data breaches

Data loss

Account or service traffic hijacking

Insecure interfaces and APIs

Denial of service

Malicious insiders

Abuse of cloud services

Insufficient due diligence

Shared technology vulnerabilities

Top Ten Security Clouds:

Identity and Access Management (IAM) – Identity Cloud

Data Loss Prevention (DLP)

Web Security

Email Security

Security assessments

Intrusion Management, Detection, and Prevention (IDS/IDP)

Security Information and Event Management (SIEM) – Security monitoring cloud

Encryption

Business Continuity and Disaster Recovery (BCDR)

Network Security

Gartner considers the identity cloud and the security monitoring cloud to deserve attention. The Cloud Security Alliance China Office has now been formally established, and Huawei and several domestic research institutions have joined the alliance.

  

Round Table Discussion

Finally, Zhang Qi, professor and doctoral supervisor at Wuhan University, chaired the closing round table, in which Intel cloud security solution architect Li, Huawei Technology Co., Ltd. cloud computing security architect Yesh Sea, and Youbing, scholar Security Cloud CTO and general manager of Tianjin scholar software company, discussed "End to end China trusted cloud infrastructure and solutions."

Zhang Qi first introduced the background to trusted computing: the main reason people give for not using cloud computing is worry about the cloud's "information security and privacy protection issues." Trusted computing technology arose in response, with the goal of improving the trustworthiness of computer information systems so that users can trust them. In June 2012, Wuhan University, Intel, National technology, Huawei, Hundred AO, winning software, and Tao Yun jointly launched China's trusted cloud computing community.

As a hardware manufacturer, Intel is also introducing a solution: Li described Intel's Trusted Execution Technology (TXT), Trusted Compute Pools (TCP), and Open Attestation (OAT). Huawei, for its part, was the first to complete development of a trusted cloud server and bring it to industrial production. Yeshei said that taking industrialization as the goal, emphasizing applications as the breakthrough point, and cooperating on research and development is an effective way to develop China's trusted computing technology and industry.
