Financial cloud--the letter, the cloud

According to the CBRC statistics, in 2011, China's rural commercial banks, rural credit cooperatives, villages and towns bank more than 2000, but for a long time, these small and medium-sized banks have been with the internet has maintained a cautious boundary relationship. 2012 China's network retail market transaction scale reached 1.3 trillion, the rapid development of e-commerce touched the traditional small and medium-sized banking business transformation of the nerves, but the traditional it architecture characteristics can not support the financial business after the internet, "phenomenon-class" technical support challenges, So the transformation of the IT technology structure of financial institutions becomes the primary strategy of whether they can embrace the Internet and upgrade their business.

The so-called "phenomenon-class" technical guarantee challenge refers to the unpredictable nature of the user's behavior and the unpredictability of the user's motivation after the business is Internet, the former requires the linear expansion and fast delivery feature in the IT technology architecture to support the business, so as to support the massive user access behavior; The latter determines that IT security must have the ability to automatically respond, resilient defense, to ensure that the security defense capability is not a huge amount of users of the differential access and dilution.

Cloud computing technology and the inherent linear expansion and elasticity of the framework is to solve the "phenomenon-level" It technology guarantee the challenge of the best choice, but accompanied by cloud computing technology generated by virtualization technology security, And a series of security problems, such as data protection in the multi-tenant environment, are the key to restricting the large-scale application of cloud computing technology in the high risk industries such as finance, and the root cause is the worry of the ownership and system stability of the cloud data control right after the clouds in the system. As the financial industry relies on the credit system as the key to business, cloud computing service providers also "as the cornerstone of industry survival, how to surround the" credible, available "proposition to create a" security compliance, stable and efficient "cloud computing services, is to determine whether the cloud computing business can obtain recognition of the financial industry premise.

Safety Compliance

How to reassure financial users of the cloud data security concerns, the response to the financial system after the cloud security needs, verify that the industry supervision of the cloud to the landing and other financial customers the most concerned about the problem? The three issues that the above financial cloud customers are most concerned about will be answered one by one.

1. Data security

Based on the data lifecycle and virtualization technology, the financial cloud constructs cloud data security framework covering data access, data transmission, storage, data isolation and data destruction.

Data access: Customer access to cloud resources need to be isolated with the public cloud of the exclusive console for day-to-day operation and operations, customer identification is the use of passwords combined with the dynamic token of the two-factor authentication, the customer and the purchase of the cloud services corresponding to the use of symmetric encryption to achieve identity resistance to deny; Customer Cloud resource access operations are carried out through a bastion machine and support for real-time operational audits. Aliyun operation and maintenance personnel to the financial cloud operations are required to use the data certificate combined with the dynamic token to achieve dual-factor authentication, operating permissions are required to undergo a multi-level security approval and command-level rules of the curing, illegal operation of real-time audit alarm.

Data transmission: Two different data objects for customer's personal account data and cloud production data, respectively, from client to cloud, cloud services, clouds service to cloud service control system three levels of transmission control. The personal account data from the client to the cloud transmission are using SSL encryption, from the cloud subsystems, cloud services to the cloud service control systems are used to ensure that the customer's personal account data cloud not landing. Cloud production data from the client to the cloud transmission can only be done through a VPN or a dedicated line, cloud storage using the service-side entropy encryption and support the customer's own key to encrypt data after the cloud storage.

Data storage: All customer cloud production data no matter what cloud services are used, the fragmented distributed discrete technology is used to save the data, which is divided into many pieces of data and followed by random algorithms that are distributed in different racks, and each data fragment stores multiple replicas. Cloud Service control system based on different customer IDs to isolate their cloud data, cloud storage based on customer symmetric encryption to the cloud storage space access control, to ensure that the cloud storage data of the minimum authorized access.

Data isolation: Financial cloud data isolation is divided into two aspects of physical resource isolation and cloud resource isolation. The physical resource isolation is based on the requirement of the industry supervision to construct the special financial cluster, and the combination of the iron cage and the Palmprint recognition realizes the physical isolation and access control of the public gathering group. Cloud resource isolation requirements for different user-purchased cloud servers, in its production process by the cloud server production system according to the order automatically to each user's cloud server tag, different users through the data Link layer and Network Layer access control technology composed of security groups to isolate; In the cloud environment, the malicious user creates a large amount of ARP traffic to cause the network to face the risk of blocking or interruption, and uses the cloud server tag and arptables to guard against it; Finally, in order to prevent cloud server from being invaded and become an external attack source, an Ethernet firewall (ebtables) is used. Isolate the cloud server from unauthorized access to external public networks.

Data destruction: The financial cloud uses the advanced Qing 0 method to delete all its data before the user requests to delete the data or equipment before disposal or resale. For the cloud computing environment due to a large number of hard disk repair or server scrap may result in data theft risk, the data center fully implement the replacement disk must be eliminated, degaussing record per disk can be checked, degaussing video daily traceability standard operating procedures, enhanced disk degaussing operation video surveillance strategy, Focus on the monitoring operation of the non-repudiation and video monitoring record preservation integrity.

2. Security services

Financial cloud security services are combined with Alibaba years of security and defense technology accumulation, relying on the high elasticity of cloud computing and large data mining capabilities, small and medium-sized financial institutions to solve the business after the Internet security attack difficult to predict, security services slow response, security personnel will be launched a one-stop cloud security value-added services, including security Operations Weekly, DDoS Defense Services, web site Security Defense Services (WAF), Network backdoor detection, password-resistant brute force cracking services, vulnerability security detection services.

The security operation Weekly uses the Data view method to provide the financial cloud user with the cloud application security, the system and the network security, the physical security, the audit and the compliance and so on security operation Dynamics.

The DDoS defense Service consists of the Malicious Traffic Detection Center, the Security Policy dispatch center and the malicious flow Cleaning center, all of which are covered with all data center nodes of the financial cloud in the form of distributed structure and full mesh interconnection in three centers. Help cloud users to resist all kinds of DDoS attacks based on network layer, Transport layer and application layer, and realize 80G cleaning ability.

Web site Security Defense (WAF) service by the WAF Engine Center, Operations Monitoring Center and Cloud User Control center, based on cloud computing architecture, with high elasticity, large redundancy characteristics, according to the number of access to the site and access to the level of the WAF cluster of flexible expansion, providing comprehensive web security defense and "0day" Vulnerability 24-hour quick response service

Password brute force cracking attack defense services are designed to support SSH,RDP,TELNET,FTP protocols on Windows systems and Linux systems for a large number of intrusions based on brute-force hacking of site account passwords. Relying on large data analysis and computational ability to set up on the cloud Server site password Error event real-time analysis and full port blocking.

Web Trojan detection services through the HTML and JavaScript engine decryption malicious code, matching the identity library identification, while supporting through the Simulation browser access page analysis of malicious behavior, found that the site unknown trojan, trojan detection "0" false alarm.

Web site Web Vulnerability Detection service detection vulnerability types cover owasp, WASC, CNVD classification, system support malicious tampering detection, support Web2.0, AJAX, various scripting languages, PHP, ASP,. NET and Java environment, support complex character encoding, Chunk,gzip , such as deflate compression mode, a variety of authentication methods (Basic, NTLM, cookies, SSL, etc.), support proxy, HTTPS, DNS binding scan, etc., support the popular hundreds of Third-party station system unique vulnerability scan.

Compliance Safety

Financial institutions as the most stringent regulation of the industry, whether to choose the use of cloud services is the key to the establishment of the cloud service provider Trust, and whether from the Aliyun or financial institutions, objective, impartial third-party authoritative certification is the basis for mutual trust, so Aliyun by covering international and domestic, Traditional IT security and cloud computing security a series of Third-party certification to build financial institutions and cloud services between the security link.

ISO27001: A widely adopted global security standard in the 2005, using risk management as the core to manage company and customer information, and to ensure the continuity of the system by periodically assessing the effectiveness of risk and control measures. Aliyun in 2012 has achieved ISO27001 international certification, and the traditional IDC operators only limited to the physical infrastructure of the scope of the certification, Aliyun certification access not only to provide the financial cloud the physical infrastructure of all IDC, and covers the financial cloud currently or in the future may use all cloud services, Includes resilient computing, RDS (relational database services), ODPs (Open Data processing services), OSS (open Storage services), OTS (open structured Data Services), Yun Dun (Cloud security services), and cloud monitoring services.

Cloud Security International Certification (CSA-STAR): is a new and targeted international Professional certification program, by the global standard founder------The British Standards Association (BSI) and the International Cloud Security Authority, the Cloud Security Alliance (CSA) launched jointly to address the specific issues related to cloud security. It is based on ISO/IEC 27001 certification, combined with the requirements of the cloud Security Control matrix CCM, using the Maturity model and evaluation method, to provide and use the cloud of any organization, integrated assessment of the organization cloud security management and technical capabilities, and finally gave "unqualified-bronze-silver-gold" Four-level independent third nowhere conclusions. Aliyun has won the world's first Zhang Security International Certification Gold medal (Csa-star), this is the first gold medal by BSI to the global cloud service provider. It is also the first time that Chinese companies have achieved world-leading results in the area of information and cloud computing security compliance.

Information Security level protection: Aliyun has passed the Ministry of Public Security Information Safety Rating protection assessment, including flexible computing, RDS (relational database services), ODPs (Open Data processing services), OSS (open Storage services), OTS (open structured Data Services) OSS (open Storage services), Basic network and other supporting systems are through the three-level assessment.

Aliyun Financial Cloud IT Infrastructure assessment: The Aliyun financial cloud has been evaluated by the IT infrastructure implemented by NSFocus, which is based on the "Electronic Bank safety Assessment Guideline", "General code for information security of internet banking systems" and "Evaluation Guide for information Security level protection in financial industry Information system", " Insurance Information Security Risk Assessment Index System specification, the Securities Company online Securities Information System Technical guidelines stipulated in the technical evaluation content as the outline, from the Information security technology system angle to Ali financial cloud infrastructure risk assessment. This assessment includes cloud computing server ECS, load Balancing SLB, relational database service RDS, open Storage services OSS, Open Data processing services ODPs, and related infrastructure network equipment. Evaluation results for the first grade.

Stable and quick

It is well known that the 911 incident has raised awareness of the importance of disaster preparedness, particularly in the financial sector, such as Deutsche Bank and New York bank, where Deutsche Bank has quickly resumed operations because of its off-site disaster preparedness Center, and New York bank has been forced into bankruptcy because of data loss. Therefore, the CBRC issued the "Commercial Bank data Center supervision Guidelines" clearly stated: commercial banks should be in the acquisition of financial permits within two years, the establishment of production centres, production centres set up two years to set up a disaster preparedness center.

All along, the financial industry to the disaster preparedness and development of love and Hate, Love is in the "Data security" to buy more insurance, not afraid of 10,000 just in case, hate is this policy is too expensive, it is easy to lose the chain, difficult to cash, so basically can see such a situation, most banks based on cost considerations, Only to the core of the business of disaster preparedness, peripheral business can only be forced to accept interruptions, and for systems that have established off-site disaster preparedness, although it is stated in the bank's "banking Information System disaster Recovery Management Specification" that "units should organize at least one practice session per year", there are very few that can actually be done. The reason is that it takes a lot of expensive cost to hire a consulting team, a system integration team, a complex system integration development, and a large stack of vendors standby in the real drill. The establishment of a disaster preparedness center but not the drill, has become a common problem in the financial industry.

Ali Financial Services output in the financial business, in addition to its obvious ultra-high elasticity, but also in "Data security" and "business continuity" on the provision of more advantages. Among them, disaster preparedness service is one of value-added services.

According to the different requirements of financial business for continuity, Aliyun provides two kinds of disaster preparedness solutions, which are "bi-live" and "three centers of both places". Through the same city or off-site, the establishment of two or more sets of functions of the same application system, integrated health monitoring and disaster preparedness switching functions, when a system due to accidents (such as fire, earthquakes, etc.) to stop working, the entire application system can switch to another place, continue to provide services. For the peripheral system, you can take the "two-live" program, for the core system, can choose a higher service level of "two places Three center" program.

At present, Arrey Financial Cloud Production Center set up in Hangzhou, disaster preparedness Center set up in Qingdao, Hangzhou set up two rooms, can provide the same city disaster preparedness. In the future, as the volume of business increases, more locations will be chosen as data center construction. On the architecture, two centers deploy the same application systems, static data is stored on ECS (cloud servers), structured dynamic Data is stored on RDS (relational database services), unstructured data is stored on OSS (Open Storage services), RDS and OSS dynamic change data, Data synchronization is done through the underlying data replication.

Disaster preparedness Data Center as a standby site, with the ability to take over the business at any time, usually disaster preparedness data Center can support read-only business. During the whole disaster standby switching process, Aliyun provides the underlying resource switching module.

Compared to the traditional way of disaster preparedness switching, in terms of cost, cloud computing can greatly reduce the cost of a single resource through economies of scale, at the same time, service resources support on demand, for non-critical business, in the disaster preparedness Center can be degraded configuration, once the disaster is ready to switch, can also within a few minutes, Clone one or more servers by a predefined mirror, or upgrade the original server configuration, quickly have the same service resources as the original production center, take over the application, so that the application system can not be paralyzed because of too much pressure.

In resource monitoring, due to the standardization of cloud computing, compared to the traditional financial data Center complex resource environment (often including different manufacturers, different models of equipment), all resource monitoring can be used as a standard service output, users need only through the console or call the Monitoring API interface to obtain resource status , and the user can set a threshold value for the resource state, and once the threshold is exceeded, the alarm can be triggered.

In the disaster standby switching, the switching mode is more simple, the switch of the complex resource environment transforms to the service switching, the user can complete the switch through the disaster standby console, also can complete the switching operation by invoking the service corresponding API. 2013 Xiamen Bank fast payment production business for disaster preparedness drills, from Hangzhou to Qingdao, and from Qingdao back to Hangzhou, the entire process data is not lost, the database and network switching through a command to complete the business normal takeover, switching and failback time each control within 5 minutes.

With the continuous development of e-commerce, in order to meet the public's convenience of consumer demand, small and medium-sized banks and the Internet more closely linked. As China's largest cloud computing public service platform, the financial cloud launched by Aliyun, a large distributed operating system with fully independent intellectual property rights, relies on hyper-elasticity, very low cost, high quality network and platform-level security advantages to consolidate and centralize the thousands of systems that need to be dispersed across financial institutions clouds In order to realize the rapid delivery of Internet financial business, the bottleneck of the rapid development of rural e-commerce has been opened up, so that more than 2000 regional banks can realize online transaction payment functions quickly and cheaply. In this most "conservative" financial institution embracing the Internet, Aliyun Financial Services has accelerated the pace of transformation and upgrading of small and medium sized banks in China, making it easier for fast-moving e-commerce to sink to small and medium-sized towns and rural residents.