1. Multi-cloud business requirements
According to Gartner's definition, multi-cloud refers to an enterprise using two or more cloud computing platforms at the same time; these may be public clouds, private clouds, or some combination of the two.
Users' business requirements are concentrated mainly in the following areas:
1. Multi-cloud access
2. Heterogeneous resource management
Unified management of infrastructure (compute instances, storage, network, security) and application resources (via OpenAPI)
Service orchestration (automation templates) for virtual machines, containers, service meshes, etc.
High-speed interconnection between clouds and unified cross-platform network management
3. Metering and billing
Cost management through resource optimization and bill estimation
Cloud spending reports and budgets
4. Operation and maintenance monitoring
Support for cross-cloud coordination and visibility into the performance of the different cloud services
Performance monitoring of infrastructure (compute instances, storage, network, security) and applications
Multi-cloud service migration (automatically performing certain maintenance tasks, such as dynamically moving workloads from one cloud to another)
5. Security Management
Security, including identity management and data protection/encryption
Security assurance for the infrastructure of the multi-cloud environment
Task approval workflows and policy compliance review
2. Multi-cloud business security architecture
Let's start with the multi-cloud infrastructure:
First, it is recommended to use Kubernetes for automated orchestration and Pod-based container deployment across all of the multi-cloud infrastructure, and to avoid virtual machines where possible: a VM-based deployment has no orchestration layer that spans the networks of other public clouds, and it cannot express network isolation policies as flexibly. Google may be trying to rewrite the rules of the cloud market with this approach, but users like the idea: they are not locked into a single cloud, and open source is free.
Separate multi-cloud OpenAPI management from container orchestration management. The OpenAPI management layer has to hide the differences between the underlying clouds and create infrastructure such as cloud hosts, basic networks, and storage; the container orchestration system is responsible for the higher-level management requirements (the ones listed under the first point).
Separate the locally deployed Kubernetes clusters from the central control plane. This independent layer lets users migrate and deploy quickly.
Use the Istio standard network architecture (a service mesh) to unify networking across the clouds.
With a standard multi-cloud infrastructure in place, the security infrastructure is easy to plan. I personally think that what differentiates the various multi-cloud management systems is mainly the basic security part; for the application security part, several products can be used.
1. If Kubernetes and Pods are used in the underlying architecture, then multi-cloud infrastructure security is essentially container security, and a container-based security ecosystem needs to be established.
(1) For the image registry in the basic capability model, the registry must be scanned so that every image entering the platform is known to be safe.
It must be possible to issue a policy that scans uploaded container images, checks the operating system and software packages against known CVEs, and outputs a report.
Uploaded container images must be checked for viruses, Trojans, and webshells, and a report produced.
Uploaded container images must be checked for sensitive information, particularly in well-known credential locations, and a report produced.
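The sensitive-information check from the list above, as an added example rather than code from the original article: a standard-library Python scanner that walks an exported image layer tarball, flags files in known credential locations (.ssh keys, .aws/credentials, .env and similar) and matches secret-looking content (AWS access key IDs, PEM private keys, hard-coded passwords). It assumes the image has already been pulled from the registry and exported to layer tarballs with a tool such as docker save (not invoked here); the layer it scans is constructed in memory, and the path list and patterns are a starting point, not an exhaustive ruleset.

```python
"""Scan container image layers for sensitive information before they are admitted.

Added example, not code from the original article. It assumes the image has
been exported to per-layer tarballs (for example with `docker save`, which is
not invoked here); each layer is scanned for files in known credential
locations and for secret-looking content. The sample layer is constructed in
memory so the script runs offline.
"""
import io
import re
import tarfile

# Paths inside an image where credentials commonly end up.
KEY_LOCATIONS = (
    re.compile(r"(^|/)\.ssh/id_(rsa|ed25519|ecdsa|dsa)$"),
    re.compile(r"(^|/)\.aws/credentials$"),
    re.compile(r"(^|/)\.docker/config\.json$"),
    re.compile(r"(^|/)\.kube/config$"),
    re.compile(r"(^|/)\.env$"),
)

# Content patterns: (finding type, regex over raw bytes).
CONTENT_PATTERNS = (
    ("aws_access_key_id", re.compile(rb"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key", re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("hardcoded_password", re.compile(rb"(?i)(password|passwd|pwd)\s*[=:]\s*['\"]?[^\s'\"]{6,}")),
)

MAX_FILE_BYTES = 1024 * 1024  # skip large binaries; secrets are small text files


def _normalize(name: str) -> str:
    """Strip the './' and leading '/' that tar writers prepend to member names."""
    if name.startswith("./"):
        name = name[2:]
    return name.lstrip("/")


def _redact(match: bytes) -> str:
    """Keep only a short prefix of the matched text so the report itself leaks nothing."""
    return match[:6].decode("utf-8", errors="replace") + "..."


def scan_layer(layer: bytes, layer_id: str = "layer") -> list[dict]:
    """Return one finding dict per hit in a single layer tarball."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            path = _normalize(member.name)
            if any(loc.search(path) for loc in KEY_LOCATIONS):
                findings.append({"layer": layer_id, "path": path,
                                 "type": "key_location_file", "match": ""})
            if member.size > MAX_FILE_BYTES:
                continue
            fh = tar.extractfile(member)
            if fh is None:
                continue
            data = fh.read()
            for ftype, pattern in CONTENT_PATTERNS:
                for m in pattern.finditer(data):
                    findings.append({"layer": layer_id, "path": path,
                                     "type": ftype, "match": _redact(m.group(0))})
    return findings


def report(findings: list[dict]) -> str:
    """Plain-text report; a registry policy would reject the image when this is non-empty."""
    if not findings:
        return "no sensitive information found"
    lines = [f"{len(findings)} finding(s):"]
    for f in findings:
        lines.append(f"  [{f['type']}] {f['layer']}:{f['path']} {f['match']}".rstrip())
    return "\n".join(lines)


def build_sample_layer() -> bytes:
    """Constructed sample layer (not a real image): benign files plus planted secrets."""
    files = {
        "./etc/os-release": b"ID=alpine\nVERSION_ID=3.18.0\n",
        "./usr/bin/app": b"\x7fELF" + b"\x00" * 64,
        "./root/.ssh/id_rsa": (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                               b"b3BlbnNzaC1rZXktdjEAAAAA...\n"
                               b"-----END OPENSSH PRIVATE KEY-----\n"),
        "./app/.env": b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_REGION=cn-north-1\n",
        "./app/config.py": b"DB_HOST = 'db'\nDB_PASSWORD = 'Sup3rSecret!'\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    print(report(scan_layer(build_sample_layer(), "sha256:demo")))
```

Two design points worth keeping when this is wired into a real registry policy: the report redacts matches so that the scan output does not become a second copy of the secret, and a file in a known credential location is reported even when no content pattern fires, because the scanner cannot know every secret format but does know where developers leave them.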
(2) A baseline check is required for Kubernetes and Pods. Some baseline configuration naturally has to be set on the multi-cloud management platform side. This part can be tested against the CIS Kubernetes Benchmark.
(3) Container runtime security: containers must be restricted from running untrusted processes, touching untrusted files, and making untrusted network connections; in linkage with detection, the offending container is stopped or deleted and its network connections are controlled, closing the loop of container security management.
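A baseline check of the kind described in (2), written here as an added example and not the article's or the CIS Benchmark's own tooling: it evaluates an already-parsed Pod manifest against the pod-level controls that CIS Kubernetes Benchmark section 5.2 covers (privileged containers, host namespaces, privilege escalation, root users, added capabilities) and adds a few hygiene warnings. The check IDs, the severity scheme and the two sample manifests are assumptions for the demo; the weak Pod is shown beside its hardened form.

```python
"""Baseline check for Pod manifests, modelled loosely on the pod-level controls
in CIS Kubernetes Benchmark section 5.2 (privileged containers, host namespaces,
privilege escalation, root users, added capabilities).

Added example, not the article's own tooling. It takes already-parsed manifests
(dicts, as returned by yaml.safe_load or the API server); the two sample Pods
are constructed for the demo, and the check IDs are invented labels rather than
official benchmark numbers.
"""

# Capabilities whose addition fails the baseline outright.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE",
                  "NET_ADMIN", "NET_RAW", "DAC_READ_SEARCH", "BPF"}


def check_pod(pod: dict) -> list[tuple[str, str, str]]:
    """Return (severity, check_id, message) tuples; an empty list means compliant."""
    findings = []
    meta = pod.get("metadata", {})
    pod_name = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}

    # Sharing host namespaces lets a container see or control host processes/network.
    for field in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(field):
            findings.append(("FAIL", field, f"{pod_name}: {field} is enabled"))

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        who = f"{pod_name} container {c.get('name', '?')}"
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}

        if sc.get("privileged"):
            findings.append(("FAIL", "privileged", f"{who}: privileged=true"))
        # Must be explicitly false; unset means setuid/file-capability escalation is allowed.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(("FAIL", "allowPrivilegeEscalation",
                             f"{who}: allowPrivilegeEscalation not set to false"))
        # Container-level settings override pod-level ones.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if run_as_non_root is not True and (run_as_user is None or run_as_user == 0):
            findings.append(("FAIL", "runAsNonRoot", f"{who}: may run as root"))
        added = DANGEROUS_CAPS & set(caps.get("add") or [])
        if added:
            findings.append(("FAIL", "capabilities.add", f"{who}: adds {sorted(added)}"))
        if "ALL" not in (caps.get("drop") or []):
            findings.append(("WARN", "capabilities.drop", f"{who}: does not drop ALL capabilities"))
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(("WARN", "readOnlyRootFilesystem", f"{who}: writable root filesystem"))
        # A mutable tag defeats the registry scan: what was scanned may not be what runs.
        image = c.get("image", "")
        ref = image.rsplit("/", 1)[-1]
        if ":" not in ref or ref.endswith(":latest"):
            findings.append(("WARN", "image.tag", f"{who}: image '{image}' uses a mutable tag"))
        if not (c.get("resources") or {}).get("limits"):
            findings.append(("WARN", "resources.limits", f"{who}: no resource limits"))
    return findings


def summarize(findings) -> dict:
    """Count findings by severity, e.g. {'FAIL': 5, 'WARN': 4}."""
    out = {}
    for sev, _, _ in findings:
        out[sev] = out.get(sev, 0) + 1
    return out


# Constructed sample: the kind of manifest a developer uploads "to make it work".
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug", "namespace": "payments"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "tool", "image": "nginx:latest",
            "securityContext": {"privileged": True,
                                "capabilities": {"add": ["NET_ADMIN"]}},
        }],
    },
}

# The same workload after hardening.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api", "namespace": "payments"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "api", "image": "registry.example.com/payments/api:1.4.2",
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        found = check_pod(pod)
        print(pod["metadata"]["name"], summarize(found))
        for sev, cid, msg in found:
            print(f"  {sev} {cid}: {msg}")
```

The same function can sit behind a validating admission webhook or in the platform's CI pipeline, so the baseline is enforced before a Pod reaches any of the clouds rather than reported afterwards. Note that the container-level securityContext overrides the pod-level one, so a check that only reads one of the two will miss either the escape hatch or the fix.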
2. Container security in the multi-cloud infrastructure is parasitic on the host (cloud host, bare-metal server, or physical server), so host security must support installation in any of these environments.
3. To understand the operating state of the whole multi-cloud cluster, a Kubernetes log audit system is also one of the essential functions of multi-cloud basic security.
4. Finally, a company that needs a multi-cloud management system necessarily has a complex organizational structure, and closing the security operations loop requires coordination among multiple parties.
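A concrete piece of the audit function described in point 3, added here as an example and not the article's own tooling: a few detection rules run over kube-apiserver audit events gathered from more than one cluster. It assumes audit logging is enabled on each cluster with at least the Metadata level, that the log shipper tags every line with its source cluster (the audit event itself does not carry a cluster name), and it uses a constructed allowlist of identities permitted to read Secrets; the sample events are constructed to resemble the audit.k8s.io/v1 format.

```python
"""Detection rules over Kubernetes API audit events collected from several clusters.

Added example, not the article's own tooling. It assumes each cluster's
kube-apiserver writes audit.k8s.io/v1 JSON events (policy level Metadata or
higher) and that the log shipper tags every line with the cluster it came from;
the allowlist and the events below are constructed for the demo.
"""
import json
from collections import Counter

# Constructed allowlist: identities expected to read Secrets on this platform.
TRUSTED_SECRET_READERS = {
    "system:kube-controller-manager",
    "system:serviceaccount:vault:vault-agent-injector",
}
RBAC_RESOURCES = {"clusterroles", "clusterrolebindings", "roles", "rolebindings"}
WRITE_VERBS = {"create", "update", "patch", "delete"}
AUTH_FAILURE_THRESHOLD = 3  # 401/403s from one source IP per cluster before alerting


def analyze(tagged_lines):
    """tagged_lines: iterable of (cluster, json_line). Returns a list of alert dicts."""
    alerts = []
    failures = Counter()
    for cluster, line in tagged_lines:
        ev = json.loads(line)
        # One alert per request: use the final stage. Long-running requests
        # (exec, attach, watch) also emit ResponseStarted, which is where
        # earlier alerting would hook in production.
        if ev.get("stage") != "ResponseComplete":
            continue
        user = (ev.get("user") or {}).get("username", "")
        ref = ev.get("objectRef") or {}
        resource, sub = ref.get("resource"), ref.get("subresource")
        verb = ev.get("verb")
        code = (ev.get("responseStatus") or {}).get("code", 0)
        src = (ev.get("sourceIPs") or ["?"])[0]
        ok = code < 400
        base = {"cluster": cluster, "user": user, "source": src, "auditID": ev.get("auditID")}

        if ok and resource == "secrets" and verb in {"get", "list", "watch"} \
                and user not in TRUSTED_SECRET_READERS:
            alerts.append({**base, "rule": "secret_read",
                           "detail": f"{verb} secrets {ref.get('namespace')}/{ref.get('name') or '*'}"})
        if ok and resource == "pods" and sub in {"exec", "attach"}:
            alerts.append({**base, "rule": "pod_exec",
                           "detail": f"{sub} into {ref.get('namespace')}/{ref.get('name')}"})
        if ok and resource in RBAC_RESOURCES and verb in WRITE_VERBS:
            alerts.append({**base, "rule": "rbac_write",
                           "detail": f"{verb} {resource} {ref.get('name')}"})
        if code in (401, 403):
            failures[(cluster, src)] += 1
            if failures[(cluster, src)] == AUTH_FAILURE_THRESHOLD:
                alerts.append({**base, "rule": "auth_failure_burst",
                               "detail": f"{AUTH_FAILURE_THRESHOLD} auth failures, "
                                         f"last: {verb} {ev.get('requestURI')}"})
    return alerts


def make_event(audit_id, user, verb, uri, resource=None, namespace=None, name=None,
               subresource=None, code=200, src="10.0.0.5"):
    """Build a minimal audit.k8s.io/v1 Event line as the apiserver would log it (constructed)."""
    groups = ["system:unauthenticated"] if user == "system:anonymous" else ["system:authenticated"]
    ev = {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "auditID": audit_id, "stage": "ResponseComplete", "requestURI": uri,
        "verb": verb, "user": {"username": user, "groups": groups},
        "sourceIPs": [src], "responseStatus": {"code": code},
    }
    if resource:
        ev["objectRef"] = {"resource": resource, "namespace": namespace, "name": name,
                           "subresource": subresource}
    return json.dumps(ev)


# Constructed sample stream from two clusters.
SAMPLE_LINES = [
    ("cloud-a", make_event("a1", "alice", "get", "/api/v1/namespaces/payments/secrets/db-creds",
                           "secrets", "payments", "db-creds")),
    ("cloud-a", make_event("a2", "system:kube-controller-manager", "list", "/api/v1/secrets", "secrets")),
    ("cloud-a", make_event("a3", "alice", "get", "/api/v1/namespaces/payments/pods/api-7c9",
                           "pods", "payments", "api-7c9")),
    ("cloud-b", make_event("b1", "bob", "create", "/api/v1/namespaces/kube-system/pods/coredns-x/exec",
                           "pods", "kube-system", "coredns-x", subresource="exec", code=101)),
    ("cloud-b", make_event("b2", "bob", "create", "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings",
                           "clusterrolebindings", name="bob-admin", code=201)),
] + [
    ("cloud-b", make_event(f"b{n}", "system:anonymous", "get", "/api/v1/namespaces/kube-system/secrets",
                           "secrets", "kube-system", code=403, src="203.0.113.9"))
    for n in (3, 4, 5)
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LINES):
        print(f"[{alert['cluster']}] {alert['rule']}: {alert['user']} from {alert['source']} {alert['detail']}")
```

The cluster tag is what makes this useful in a multi-cloud setting: the same identity executing into Pods on cloud A and creating ClusterRoleBindings on cloud B is one story, not two, and that correlation is only possible when every cluster's audit stream lands in one place with its origin preserved.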
Multi-cloud application security
1. Multi-cloud anti-DDoS and multi-cloud WAF
Many game companies integrated multi-cloud anti-DDoS solutions early on, the card and board games of a few years ago in particular. When the solution on public cloud A stops working, traffic is switched immediately through a dispatch system, or automatically through HTTPDNS and DNS, to keep the game available. A cloud WAF makes sense for the same reason.
2. Automated vulnerability scanning services and security crowdtesting
In a multi-cloud scenario, you can purchase several automated vulnerability scanning tools to obtain differentiated scan reports. Most public clouds in China also bill these per use, which is convenient for specific occasions (for example: major security assurance periods, business system go-lives, routine security inspections).
Security crowdtesting is not a new concept in the security community, but with the concept being repainted as multi-cloud security it will be applied much more widely. After all, the core idea of multi-cloud is to obtain the security capabilities of the various vendors.
3. The future of multi-cloud security
Although multi-cloud management security solutions are a relatively new concept at this stage and commercial adoption is still weak, it is definitely a major trend. Public cloud vendors that cannot keep up with it will have little room to grow in the next 2 to 3 years. Google should be the biggest winner in this wave: through the open-source container orchestration system Kubernetes, enterprise consumers get a system they control for free and benefit greatly from it; next, Google builds a multi-cloud management platform through Anthos, and finally commercializes it, monetizing through Google Cloud.