Cloud security visualization enables end-to-end cloud protection

Source: Internet
Author: User
Keywords: Cloud security

I have argued before that cloud computing is not just a collection of services provided by business entities. From a security standpoint, cloud computing is instead a single, interoperable system made up of interconnected subsystems designed to deliver on-demand, service-specific combinations across multiple entities. Here we define a system as "a set of interacting or interdependent components that form a complete whole", or "a set of independent but interrelated elements that make up a unified whole". In short, these subsystems provide services either voluntarily (such as negotiated, paid services) or involuntarily (such as malicious services offered through the dark or deep web).

However, beyond refining the definition of cloud computing, companies must make some effort to understand such a complex system. To do this, they can use visualization techniques or prototyping methods.

In this article, we explain how an enterprise can use visualization techniques to implement better end-to-end cloud protection.

Where to start

Visualizing cloud computing and the organizations involved in it lets security professionals explicitly define objects, elements, boundaries, and relationships. Once those definitions are in place, the enterprise can discard its assumptions and begin to build meaningful implementation strategies. The result is efficient protection of the infrastructure the security professionals are responsible for, without conflicting, missing, or ineffective controls.

To actually carry out the visualization process, organizations can use tools such as affinity diagrams, starting by recording concepts; this helps classify unstructured concepts into organized topics and uncover the links between them. Figure 1 is an affinity diagram that shows the cloud computing landscape as systems and subsystems, together with the features and service-model attributes from the affinity diagrams of previous articles.

Figure 1

Table 1

The figure above shows the Internet, ISPs, and the so-called dark network as the complete system, the individual clouds as subsystems, and the relationships between them. It shows the attributes of the different components and their superset relationships based on the elements they contain. In short, when one component contains all the elements of another, it is a superset of that component's service-model attributes, which indicates a dependency. For example, an access control list (ACL) is a superset of firewall rules. Why? Because firewall rules specify which traffic is allowed or denied, while the ACL specifies that same information together with subnets, hosts, or domains.

An affinity diagram like this helps a business identify its cloud computing components, which makes it easier to decide where to add security elements (technologies, policies, or processes) and can reveal unexpected opportunities between systems, components, and elements.
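One way to make the affinity diagram's superset relationship operational, as an added example that is not from the article: model each component as the set of elements it contains, derive the superset (dependency) pairs the way the text does for ACLs and firewall rules, and report components that no security element reaches. All component, element, and control names below are constructed for illustration.

```python
"""Model an affinity diagram as component -> element sets and find
components that no security element (technology/policy/process) reaches."""
from itertools import permutations

# Constructed sample: each cloud component and the elements it contains.
COMPONENTS = {
    "acl": {"subnet", "host", "domain", "action"},
    "firewall_rule": {"subnet", "host", "action"},
    "saas_app": {"host", "domain", "identity"},
    "remote_home_network": {"host"},
}

# Constructed sample: security elements attached directly to a component.
CONTROLS = {
    "firewall_rule": {"technology:ips"},
    "saas_app": {"policy:sso_via_ad"},
}


def supersets(components=COMPONENTS):
    """(a, b) pairs where a strictly contains every element of b,
    i.e. b depends on a (the article's ACL-over-firewall-rules case)."""
    return sorted((a, b) for a, b in permutations(components, 2)
                  if components[a] > components[b])


def effective_controls(name, components=COMPONENTS, controls=CONTROLS):
    """Controls bound to the component itself plus those bound to every
    superset it depends on: a control over the larger element set also
    covers the smaller one."""
    found = set(controls.get(name, ()))
    for sup, sub in supersets(components):
        if sub == name:
            found |= controls.get(sup, set())
    return found


def gaps(components=COMPONENTS, controls=CONTROLS):
    """Components reached by no control, directly or via a superset."""
    return sorted(c for c in components
                  if not effective_controls(c, components, controls))


if __name__ == "__main__":
    for sup, sub in supersets():
        print(f"{sup} is a superset of {sub}")
    print("unprotected components:", gaps())
```

With the sample data the only real gap is the ACL itself: the remote home network is covered indirectly because the firewall rule and the SaaS application are supersets of it.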

What opportunities are available? Consider a business that runs a heterogeneous environment. Management wants a single source of identity authentication across multiple Windows and UNIX systems. A visualization of the current state can identify all the authentication sources and their capabilities, and show that an existing Active Directory (AD) implementation running on Windows Server 2008 R2, together with the Lightweight Directory Access Protocol (LDAP), can accomplish what management requires. This also lets the company make full use of the staff who already manage AD, eliminates the need for a separate authentication, authorization, and accounting (AAA) service, and reduces the cost of owning and maintaining a dedicated AAA server.

Figure 2

For security: how to use visualization techniques

Now that we visualize cloud computing from an end-to-end perspective, a business can decide which clouds are inert or closed, meaning it has little or no control over them. For example, the dark network is closed because it is built on demand by anonymous parties, much of it involving illegal business. Companies have no control over software or files downloaded from the dark web, which may be clean or may be poisoned with malware. A peer-to-peer network or pirated hosting service that exists today may be gone tomorrow. An enterprise likewise has no control over whether its consumers' technology becomes part of a dark network, or whether an employee's remote home network has been compromised.

On the other hand, an open cloud is a potentially trusted cloud that interacts with the enterprise's own cloud. Open cloud computing refers to all cloud infrastructures that seek trustworthy relationships with other infrastructure on the Internet. For example, Software as a Service, Infrastructure as a Service, and Platform as a Service (SaaS, IaaS, and PaaS) are all open models, so a business can configure an environment sufficient to support its needs as a business entity (the same holds for individuals).

With such a visual approach, appropriate protection for the different cloud models can be determined using ideation, idea generation, and reverse thinking: stating the goals and assumptions, then deliberately reversing them to depart from the expected paradigm.

For example, say the company's goal is to provide cloud services to companies that process credit card transactions. Now reverse the question and ask: "How do we prevent malicious activity from seeping into our cloud services (for example, over wireless, from a compromised PC, or via a malicious URL)?"

Reverse thinking lets us consider the problem from the perspective of an attacker on the cloud infrastructure. Combined with use-case-based scenarios, it ensures that the corresponding protective measures are effective against legitimate threats, reducing FUD and the waste of both human and financial resources. A well-developed, structured visualization can be expressed as a story. The first step is to set the scene, identify the roles, and encourage brainstorming. The next is to outline three states at a high level: the current state (what the enterprise has now), the transition state (how the enterprise gets from here to there), and the end state (the result and its associated cost). The focus of the story is a specific set of features that will have changed by the end.

Here is another example of deploying this approach in a real-world scenario. Imagine a business that decides to invest in best-of-breed network intrusion-prevention technology. The end-to-end story is intrusion notification and prevention. The roles are played by facilities such as edge devices, gateway devices, various hosts, and clients. The focus is the concept of preventing intrusion, which changes during the transition from a single endpoint product to an enterprise-class technology suite spanning many roles. The end-to-end artifact then feeds a reverse-thinking pass that asks how each host should be configured to prevent an intrusion or raise an alert to the enterprise.

In these scenarios there are some representative questions to ask: How do we do this on a router? How do we implement it on our database? The process may uncover one story inside another. For example, where will all the events go? Do we have the security information and event management technology to handle them, and can our SIEM ingest this volume of data? Visualization helps uncover gaps, set priorities, and develop a practical roadmap.

Of course, visualization is not an overnight process; it requires a series of visual designs that suit the target audience or give the audience many perspectives. Several visualization techniques may be needed to clarify intent and direction, but the end result is a clear understanding of the enterprise's cloud infrastructure and of what must be done to provide end-to-end cloud protection.
