Cloud security: Technology is far from enough

In May 2003, the Harvard Business Review published Carr's "It no longer important" article. He compares it development with power development, and thinks it will be in the cloud computing model--like today's power plants--to achieve standardized on-demand supplies and fees.

Today, cloud computing as the future development of the information society may trend, has become the industry consensus. In both academia and industry, cloud computing is one of the topics that are hotly discussed.

But as the discussion progresses, people realize that bits are not electrons and that business processes are not electrical or electric. Cloud computing is encountering a problem that has never been seen before in the electrical age-how to secure cloud computing.

The security dilemma of the "cloud age"

On December 18, the "National information security strategy for the cloud Computing Age" forum, hosted by CCF Yocsef, said Feng Deng, director of the Institute of Software at the Chinese Academy of Sciences and the National Key Laboratory of Information security, pointed out that the development of information security technology, in addition to its own system development, There is a lot of technology that comes with the development of information technology.

In the era of electronic communication, the key point of information security is how to realize the secrecy of communication, so the key point of the research is cryptography technology. In the personal computer age, the key point of information security is to build a computer-oriented security system, which can also be called "Host Security". After the rise of the internet, the previous "host Security" strategy is difficult to meet the needs of users, people pay more attention to all kinds of risks from the network protection. In the era of cloud computing, shared, dynamic cloud computing resources weaken the user's ability to control, thus bringing new challenges to information security.

Feng Deng that the advent of the cloud computing era, mainly to information security has brought 3 challenges.

The first is the security protection of cloud computing systems. In cloud computing mode, user data is saved in a shared and dynamic manner, which poses a huge risk to its security--if the service provider has access to the data, it may dispose of the user's data at will, and may even produce a reselling behavior, resulting in loss of user data rights. For such behavior, users are often difficult to trace and evidence.

"Cloud service provider dynamic virtualization management and multi-tenant sharing mode, lack of clear security boundaries, so easy to raise the security of the operating environment." "Feng Deng said.

Second, cloud computing will also have an impact on existing security systems. Cloud computing provides users with more powerful computing and storage capabilities, but it is difficult for cloud services to identify the purpose of user behavior and to distinguish between the legality of the user's computing tasks. These potential risks are difficult to deal with in the existing security system.

"Cloud-based security attacks will undoubtedly create a security nightmare." If the cloud service platform is controlled by an attacker, a security vulnerability is exploited, or the identity of the cloud user is compromised, the attacker will be able to exploit large network resources, user identity resources, and computational resources to organize a larger scale attack of the DDoS type. "Feng Deng said.

Feng Deng pointed out that in the era of cloud computing, as the scale of the system and the increase in complexity, external attacks will be more efficient, so that the traditional security issues further amplification, to bring more formidable challenges.

The third challenge comes from the issue of safety regulation. How to supervise and guide the information content in the cloud computing age is a key issue related to social stability and national security. The existing supervision and early warning system is mainly aimed at the traditional web and other open applications, while cloud computing brings new problems to the establishment of the regulatory system, and the amount of work required is greater.

Security has become a bottleneck in development

The above information security problem obviously restricts the development and popularization of cloud computing to some extent. As far as China is concerned, this constraint is even more pronounced.

At the second China Cloud Computing Conference in May this year, Accenture and the Chinese Institute of Electronics jointly released a report entitled "A pragmatic path to China's cloud computing development". The report notes that security issues are the biggest global challenge to cloud computing. Such concerns are particularly pronounced in China, "so much so that CIOs are treading on eggshells, especially when it comes to public cloud services."

According to the report, 59% of Chinese respondents said they were "very concerned" about the security, privacy and confidentiality of data in the cloud, higher than 50% in the United States and 42% per cent in other countries outside China. Compared to all other countries, a higher percentage of Chinese respondents believe that their businesses and institutions have sensitive data that must not be leaked. Chinese executives are particularly concerned about data being hacked or accidentally leaked to other users of the same cloud or to unauthorized employees of the enterprise.

"I am not optimistic about commercial public cloud computing. Management is most concerned about data security issues. If a trade secret is stored in a public cloud that is shared with other people, data security is not guaranteed, and once disclosed to a competitor, the result can be terrifying. Unless the appropriate legal, regulatory and SAL agreements are in place for the business environment, the supplier is regularly evaluated, tested, and audited. "New Austrian Group Information Center manager Xiaopeng So explain his attitude to cloud computing."

And because of concerns about cloud service reliability and data sensitivity, Chinese companies are not particularly trusting foreign cloud providers or start-ups to entrust their data to them. According to the report, only less than 1/2 of respondents said they would choose foreign suppliers, even if the data were kept within China. If the supplier does not set up a data centre in China, the ratio falls below 20%.

Ding Tao, assistant general manager of Technology Center of Shenhua Power company, said that at present, domestic manufacturers are unwilling to choose foreign cloud providers even if they are difficult to compete with global large enterprises because of technical barriers. He believes that China's local cloud providers can provide better services to local customers. He believes that the domestic cloud computing market is not mature, the government and enterprises should continue to develop relevant technical standards, which requires the government departments, research institutions, suppliers, integrators and consulting companies and other aspects of joint efforts.

This shows that the security issues to be solved are important factors affecting the landing of cloud computing in China. The report shows that more Chinese companies ' IT managers want the government to be actively involved in standard setting and industry regulation, making cloud computing more technically and legally safer, and thus widely used in China.

How to break through the security "shackles"

So, in the cloud computing development process, how should break through security "shackles"?

Feng Deng that the application of basic platform, key technology, standard norms, supervision and management, and other aspects of change.

In his view, cloud computing not only brings the challenge of information security, but also promotes the change of information security. This kind of change mainly manifests in 3 aspects, namely the technological idea change, the industrial development transformation and the Security Strategy transformation.

Feng Deng said that the transformation of technological ideas, mainly refers to the balance of security needs of many parties.

"Users have security needs, cloud service providers also have security requirements, the two are sometimes contradictory, how to balance data security and privacy protection?" This requires us to change from the technical concept. "Feng Deng said.

The change of industrial development refers to the change of information security from product development to service. In Feng Deng's view, we should actively promote information security products and technology transformation, from product development to infrastructure, service research, so that through standardized services to solve the various security problems faced by users.

The change of supervision and management refers to the shift of the focus of market supervision. For example, in the past, more attention to the backbone of network infrastructure security work, and in the era of cloud computing, it will pay more attention to the network space large-scale attack prevention, the new infrastructure should also take corresponding technical support means.

Feng Deng said that while cloud computing has advanced the change in information security, this change does not mean subversion of the original technology system.

"For example, traditional rights management and identity authentication technology, with the development of cloud computing, these technologies will also develop and expand functionality, thereby enhancing the ability and level of security." "Feng Deng said.

He Baohong, director of the Internet Center for Communications Standards at the Ministry of Industry and Information technology, sees that, in addition to changing the technical concept of information security, industry and security strategy, the security of cloud computing should be regulated from the level of law, administrative level and industry self-discipline.

He Baohong that the relevant laws on privacy protection and data security should be further improved; the government can define cloud computing from the policy level and authenticate the cloud service providers through the testing of communication quality and security, and in addition, the power of industry associations, At the level of business and market competition to take some restrictive measures to maintain the normal order of the industry.

Symantec Chief Information Security solution Advisor Lin Yu-min said in a media interview that the security of cloud computing is not just a technical issue, but also related to industry standards, policy regulations and market maturity.

"If the data leaked to the user caused the loss, the customer will first through legal means to investigate the responsibility of the cloud operators." At the same time there will be some policies and regulations, audit requirements. "Lin Yu-min said.

Lin Yu-min said that as cloud computing slowly spread and standardize, it would form a benign market competition mechanism, with a number of operators to jointly provide cloud services. If the cloud services provided by one operator are poor and stable, users will switch to other operators ' services. In this case, security issues with the cloud operators close, security issues are not resolved, it is likely to operate, so operators will attach great importance to security issues, and then promote and push cloud services to improve stability and cloud computing security challenges. (Original poem Meng)