Main technical analysis of cloud security

The main part of security control in cloud computing is no different from security controls in other IT environments, and the single biggest change in cloud computing is the use of shared resources, the multi-tenant environment, which affects the movement of trusted boundaries. Based on the cloud service model, operating mode, and technology to provide cloud services, cloud computing may face different risks than traditional IT solutions.

Cloud computing security issues include the challenges of cloud computing security technology, how service providers and users collaborate on management challenges, and the challenges of government information security regulation, privacy protection, and forensic forensics that can be brought about by features such as Cross-regional, multi-tenant, and virtualization. The security problem of cloud computing mainly refers to the use security of "cloud" end data. Many users want more data on the cloud, so they are less expensive and more convenient. But the more data is stored in the cloud, the more data is likely to be misused. Cloud security is so important for cloud computing, and the following are some technical considerations for the key aspects of cloud security.

I. Infrastructure security

Infrastructure security includes the security of core IT infrastructures, such as network, host, and storage. All the network-layer security challenges associated with cloud computing have become more severe in cloud computing, but this is not the result of cloud computing, which includes network access control (such as firewalls), transmission of data encryption (e.g. SSL, IPSEC), security event logs, and network-based intrusion detection systems/ Intrusion Prevention System (IPS), etc.

Host-layer security issues, such as the growing demand for host boundary security and the need to increase security for virtualized environments, in the cloud has also been expanded, but also not caused by cloud computing, the host level of security control, including host firewall, access control, installation patches, system consolidation, strong authentication, security event log, host-based intrusion detection System/intrusion prevention system.

Infrastructure security and cloud-related issues need to clarify which side provides the level of security (for example, by the user or by the cloud service provider), in other words, the need to define trust boundaries. A key feature of the cloud security architecture is that the lower the rank of the cloud service provider, the more security and management responsibilities the user has to undertake.

Ii. Virtualization Security

Leveraging the economic scalability brought about by virtualization is conducive to strengthening infrastructure, the ability to provide multi-tenant cloud services at the platform and software levels, while leveraging these virtualization technologies also poses other security concerns, if the cloud services infrastructure uses virtual machine (VM) technology, the isolation and reinforcement between these VM systems must be considered.

The reality of virtual operating system management is that most of the processes that provide default security are not joined, so special attention must be paid to how to replace their functionality. Virtualization technology itself introduces the new attack layers of hypervisor and other management modules, more importantly, however, virtualization poses a serious threat to network security, where virtual machines communicate through the backplane of hardware rather than the network, so these traffic flows are not visible to standard network security controls, They cannot be monitored and blocked online, and similar security control features require new forms in virtualized environments.

Mixing data in centralized services and storage is another concern, and cloud computing services provide centralized data that is theoretically more secure than data distributed across a wide variety of endpoints, but it also focuses on risk, adding to the potential consequences of an intrusion.

Another issue is how different sensitivity and security requirements for VMS coexist. In cloud computing, the security of a minimum security tenant is a common security for all tenants in a multi-tenant virtual environment, unless a new security structure is designed, and security is not interdependent across the network. Therefore, we need to consider the security isolation of virtual machines, virtual machine mirroring security management, communication security in virtualized environments, virtualization and unified management and visualization of physical security devices. Virtual machines that do not need to be run should be shut down immediately.

Iii. Data Security

Cloud users and providers need to avoid data loss and theft. Today, personal and corporate data encryption is highly recommended and, in some cases, mandated by worldwide laws and regulations. Cloud users want their providers to encrypt their data to ensure that no matter where the data is physically stored is protected. Similarly, cloud providers need to protect sensitive data for their users.

Strong encryption and Key management is a core mechanism that cloud computing systems need to protect data. Because encryption itself does not guarantee data loss, encryption provides resource protection while key management provides access control over protected resources.

Data security technologies include data isolation, data encryption and decryption, identity authentication, and rights management to ensure user information availability, confidentiality and integrity. Cryptography is trying to study the new methods of predicate encryption, to avoid data processing in the cloud to decrypt, the recent release of the full Homomorphic encryption method implemented by the encryption data processing functions, has greatly promoted the data security of cloud computing.

Iv. Identity and access management security

Managing identities and controlling access to enterprise applications remains one of the biggest challenges facing today's it. While businesses can leverage a number of cloud computing services without a good identity and access management strategy, extending the Enterprise identity Management Service to cloud computing in the long run is the precursor to the implementation of an on-demand computing service strategy. Therefore, an honest assessment of the enterprise's cloud-based identity and Access Management (IAM) readiness, as well as understanding the capabilities of cloud computing services providers, is an essential prerequisite for the adoption of the cloud ecosystem.

The necessary IAM capabilities for successful and effective identity management in the cloud include: Identity supply/cancellation provisioning, authentication, federation, authorization, and user profile management. It also includes open application interfaces that support SAML, open users with SPML, and meet a variety of user and access process automation requirements.

One of the most important factors in an enterprise's effective management of identity and access control in cloud computing is the need to build a powerful set of directory and identity federated management capabilities within an organization-such as architecture and systems, user and access lifecycle management processes, and auditing and compliance capabilities. For authenticated users and services in cloud computing, in addition to risk-based authentication methods, it is also necessary to be aware of simplicity and ease of use.

V. Web security

In cloud computing mode, Web application is the most intuitive experience window for users and the only application interface. In recent years, a variety of web attacks, it has a direct impact on the smooth development of cloud computing.

The term "browser is your operating system" aptly illustrates the important role of browsers. In order to secure the cloud computing terminal to the terminal, it is necessary for the user to maintain good browser security, which requires patches and upgrades to the browser to reduce the threat of browser vulnerabilities. In addition, in view of several typical cloud computing models, some manufacturers have adopted the method of detailed application of security protection, for different applications, to provide professional-level gateway security products.

VI. Application Security

Because of the flexibility, openness, and public availability of the cloud environment, cloud computing is a particular challenge for applications at all levels of SaaS, PaaS, and IaaS. Cloud-based applications need to be designed in the same way as applications that are deployed in the DMZ area. This includes in-depth upfront analysis that covers the traditional aspects of how to manage the confidentiality, integrity, and availability of information.

Due to the public nature of cloud computing applications, the security requirements of the software development lifecycle are undoubtedly increased, as well as ensuring that the APIs are thoroughly securely tested. Network applications deployed in the public cloud must be designed according to the Internet threat model and must be securely embedded in the software development Lifecycle (SDLC).

Application security controls include the software development lifecycle embedded security development process, "minimal privilege" configuration, timely installation of application patches, user authentication, access control, account management, browser with the latest patch reinforcement, terminal security measures including anti-virus, intrusion prevention system, host-based intrusion detection system, Host firewall and virtual private network VPN for management.