1. What is cloud computing security?
With the rapid growth of the Internet, network security has become an unavoidable problem. The potential harm of the various security threats to business systems keeps growing, and no IT system can be built while ignoring it. For the construction of private or public cloud data centres in particular, secure and efficient business delivery is both a necessary requirement and a condition of success. At every stage, the construction of the physical environment, the build-out of the cloud computing business system, the deployment of the server and storage resource pool and the day-to-day operation of the system can each introduce security risks and affect whether the system is delivered securely. The Forrester Consulting 2011 survey report (Figure 1) shows that security concerns have become an important factor for users choosing cloud computing services during cloud deployment.
Figure 1 User focus survey during cloud computing deployment
The main participants in the cloud computing industry chain, enterprise customers, cloud service providers and cloud equipment suppliers, each understand cloud security differently. For service providers, the focus is how to build a secure cloud computing environment and how to offer customers a high-security SLA. For enterprise customers, the focus is the security of the core data that their own business systems store or use in the cloud; if that data is leaked or lost, the enterprise's core competitiveness is damaged. Although the perspectives differ, their essence is the same: the security of the entire cloud computing business system. That is our definition of cloud security, and the risk analysis that follows is made from this perspective.
2. The security risk in cloud computing environment
Every stage in building a cloud computing environment can introduce security problems: the physical security of the machine room, network security, application system security, data storage security and the security of the management platform. Leaving physical environment security aside, the risks that may arise from the other stages can be grouped as follows.
1 Disclosure or loss of user data
This is the security risk cloud computing users are currently most concerned about, and it is also the main way user data ends up exposed. In the cloud, user data is transmitted and stored on infrastructure the user does not control, so the user has no direct means of managing the risks to that data; its security depends entirely on the service provider. If the provider's own data security controls have gaps, data disclosure or loss is likely. Typical situations that lead to risk at this stage include:
Loss of user data caused by an intruder breaking in through a security flaw in the server;
Intrusion into user data through security vulnerabilities in the virtualization software;
Data transmitted without encryption, leading to information leakage;
Data transmitted encrypted, but leaked because key management is missing;
No effective isolation between different users, allowing data to be stolen;
User data stored in the cloud without a disaster recovery backup.
For this reason, when a cloud service provider offers cloud computing services to users, it needs to sign a service quality assurance agreement with the enterprise user and give the user security guarantees on both the technical and the management side, so as to reduce the user's concerns about data security.
2 User applications cannot be delivered securely
During maintenance, the cloud service provider manages the operation of all the server, storage, network and other resources in the cloud computing centre. A problem in any step of this operational management may damage the user's application: a configuration oversight can leave the user's virtual compute resources too small to run the business system normally; a network security configuration error can break Internet connectivity; and if the provider fails to protect against public security threats such as DDoS attacks, the user's externally delivered business fails.
3 Data theft by internal personnel
When an enterprise's core data is stored in a cloud computing environment, it cannot be separated from the operations and audits performed by administrators. If the service provider's internal management has gaps, internal personnel may steal user data and damage the user's interests. In this case, beyond the technical means of strengthening log auditing of data operations, a strict management system and irregular security checks are necessary. Cloud service providers need to run background checks on staff and set appropriate rules and regulations to prevent insider crime, and they must ensure the system has sufficient security-operation log auditing capability, both to protect user data and to satisfy the compliance audit requirements of third-party audit bodies.
4 Security of user identity authentication
When providing services, a cloud service provider has to deal with an operating environment of multiple tenants and ensure that each user can only access the enterprise's own data, applications and storage resources. The operator must therefore introduce a strict identity authentication mechanism, with each cloud tenant having its own account and password management. If the operator's identity authentication management mechanism is flawed, or its identity authentication system has a security loophole, an enterprise user's account and password may be forged, letting an illegitimate user steal enterprise data. Ensuring secure identity authentication for the different enterprise users is therefore the first barrier protecting user data.
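The two points made above, that tenants must be isolated from each other and that encryption in transit or at rest is only as good as the key management behind it (items in the list under section 1), and that access must be bound to the authenticated identity (this section), are illustrated by the added example below. It is not code from the original article: it uses a constructed in-memory object store with hypothetical tenant and object names, derives a separate data key per tenant from one provider master key with HKDF-SHA256 (RFC 5869, implemented on the standard library), and places a vulnerable lookup that trusts only the object id next to the hardened lookup that takes the tenant from the authenticated principal.

```python
import hmac
import hashlib
from dataclasses import dataclass


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class Principal:
    """Output of the provider's authentication step. The tenant comes from the
    verified session, never from a request parameter the client can set."""
    user: str
    tenant: str


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()   # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                               # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def tenant_data_key(master_key: bytes, tenant: str) -> bytes:
    """Per-tenant data key derived from the provider's master key. Holding one
    tenant's derived key reveals nothing about another tenant's key, and rotating
    the master key rotates every tenant key at once. (Illustrative label string.)"""
    return hkdf_sha256(master_key, b"tenant-data-key:" + tenant.encode())


class ObjectStore:
    """Constructed in-memory store standing in for the provider's storage layer."""

    def __init__(self):
        self._objects = {}  # object_id -> (owning tenant, payload)

    def put(self, principal: Principal, object_id: str, payload: bytes) -> None:
        self._objects[object_id] = (principal.tenant, payload)

    def get_unsafe(self, object_id: str) -> bytes:
        """Vulnerable: looks up by object id only. Any authenticated user who
        guesses or enumerates an id reads another tenant's data."""
        return self._objects[object_id][1]

    def get(self, principal: Principal, object_id: str) -> bytes:
        """Hardened: the tenant comes from the authenticated principal and is
        checked against the owner recorded at write time."""
        owner, payload = self._objects.get(object_id, (None, None))
        if owner is None or owner != principal.tenant:
            # Same error for "missing" and "not yours": no existence oracle.
            raise AccessDenied(object_id)
        return payload


def demo():
    """Tenant B user reads tenant A's object through the unsafe path but not the
    hardened one. Returns (leaked payload, whether the hardened path blocked it)."""
    store = ObjectStore()
    alice = Principal("alice", "tenant-a")      # hypothetical identities
    mallory = Principal("mallory", "tenant-b")
    store.put(alice, "obj-1", b"tenant A payroll")
    leaked = store.get_unsafe("obj-1")            # mallory can call this just as well
    try:
        store.get(mallory, "obj-1")
        blocked = False
    except AccessDenied:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
    master = b"\x0b" * 32                         # stand-in for the provider master key
    print(tenant_data_key(master, "tenant-a").hex())
    print(tenant_data_key(master, "tenant-b").hex())
```

The design choice worth noting is that the hardened `get` never lets the caller name the tenant: an attacker can forge any request field, but not the tenant recorded in a session the provider created after authentication. The per-tenant key derivation limits the blast radius of a single leaked data key, which is what "key management" in the list above amounts to in practice.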
3. Differences in security protection under the cloud computing environment
Based on the risk analysis above, security work in the cloud computing environment needs measures targeted at these risks. Compared with the traditional way of building data centre security, security construction in a cloud computing environment has clear characteristics of its own, which differ in the following respects.
3.1 Characteristics of general security risk in cloud computing environment
Although cloud computing has revolutionised the business model and server virtualization, the application systems themselves and the behaviour of user access have not fundamentally changed: server business systems still need to be delivered securely, user access still needs isolation and control, and the network still faces threats such as DDoS and other malicious traffic, viruses and worms, malicious code and phishing sites. Cloud security protection should therefore first consider how to protect against these conventional risks. From this point of view, traditional product forms such as firewalls and intrusion prevention systems are still suitable, and the related technical support and deployment approaches for protective equipment can still be drawn on. Of course, because traffic in a cloud computing environment is relatively concentrated, there are new requirements for the performance and extensibility of security devices: the system needs to support higher-performance security, especially when security is provided externally as a service, and a security resource pool is needed to guarantee scalable high performance.
3.2 New security risks caused by virtualization technology
Server virtualization is the most widely used technology in today's cloud computing data centres. With it, a single physical server can be divided into multiple virtual machines, each with its own operating system and applications, which effectively improves the utilisation of the server itself. Under this model, virtualization introduces new security risks in the following areas, which in turn affect the operational security of a single physical server or of all the virtual machines on it.
1 Security vulnerabilities in the low-level components of the virtualization software.
Potential vulnerabilities in virtualization software, represented by VMware ESX, Citrix Xen and Microsoft Hyper-V, affect the security of the entire physical host. Once an attacker breaks into the host system, they can arbitrarily reconfigure or damage every virtual machine on that host, making the system unable to provide service or stealing the related data. Likewise, virtual machine configuration management programs represented by vCenter concern the security of all virtual machines, so exploitation of vulnerabilities in this kind of management platform software is also a new security risk.
2 Security vulnerabilities in the applications running inside virtual machines.
These applications are the core components of cloud service delivery: Web front-end applications, the various middleware applications and database programs. Even in a traditional network security environment they already carry multiple vulnerabilities caused by flaws in programming technique, and those persist in a cloud computing environment; typical examples are the various web session control vulnerabilities, session hijacking vulnerabilities and injection vulnerabilities. At the same time, adapting these applications to use the various API management interfaces of the virtualized environment may create new vulnerabilities.
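The injection vulnerabilities named in the paragraph above do not change when the database moves into a VM, which is exactly the point: the fix is in the application. The added example below is not from the original article; it builds a constructed in-memory SQLite table of users belonging to two hypothetical tenants and shows the same lookup written with string concatenation (vulnerable) and with bound parameters (hardened), so that a tenant-scoped query cannot be widened by the caller into a cross-tenant dump.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users across two hypothetical tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, tenant TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "tenant-a", "alice@a.example"),
            ("bob", "tenant-a", "bob@a.example"),
            ("carol", "tenant-b", "carol@b.example"),
        ],
    )
    return conn


def find_user_unsafe(conn, tenant: str, name: str):
    """Vulnerable: request-controlled values are pasted into the SQL text.
    A name of  x' OR '1'='1  turns the WHERE clause into
    (tenant = 'tenant-a' AND name = 'x') OR '1'='1', which matches every row
    of every tenant."""
    sql = f"SELECT name, email FROM users WHERE tenant = '{tenant}' AND name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user(conn, tenant: str, name: str):
    """Hardened: the values are bound as parameters; the driver never parses
    them as SQL, so the same payload is just a name that matches nothing."""
    sql = "SELECT name, email FROM users WHERE tenant = ? AND name = ?"
    return conn.execute(sql, (tenant, name)).fetchall()


PAYLOAD = "x' OR '1'='1"   # constructed injection input


if __name__ == "__main__":
    db = make_db()
    print("unsafe:", find_user_unsafe(db, "tenant-a", PAYLOAD))   # all three rows
    print("safe:  ", find_user(db, "tenant-a", PAYLOAD))          # no rows
```

Note that the tenant filter, which the application relies on for isolation, is the very thing the injection defeats: the database cannot tell that the `OR` came from the client rather than the developer. Parameter binding is the control; input "sanitising" is not a substitute.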
3.3 New security risks from traffic exchange between virtual machines
In a virtualized environment a single physical server runs multiple fully independent virtual machines with different operating systems and applications. Traffic may be exchanged directly at Layer 2 between these virtual machines, and this Layer 2 exchange does not pass through the external Layer 2 switch, so for the administrator this part of the traffic is neither controllable nor visible. This raises new problems (shown in Figure 2):
1 How does an administrator determine whether access to a virtual machine conforms to the predetermined security policy, and how are security policy settings enabled or disabled for traffic between these VMs?
2 If traffic between the VMs is allowed, how does one determine whether that access traffic is an attack, or exploits a Web application layer vulnerability? Security protection in cloud computing environments requires targeted solutions to these questions.
Figure 2 Virtual machine Traffic Exchange Security risk map
3.4 Cloud Terminal security access and access control risk
In the traditional network security model there are mature solutions for the secure access and access control of network end users, but the cloud computing environment adds new requirements, especially since the IaaS service model appeared. The service provider needs to provide a self-service management interface for each user; differentiated user authentication and authorization policies are required for different enterprises or types of tenant, so that legitimate users reach the correct servers; and differentiated solutions are needed for logging user access behaviour and reporting security incidents. This places stricter requirements on the user authentication gateway and the AAA authentication and authorization platform for multi-instance, multi-domain support. A weak user authentication mechanism, or single-factor user password authentication, is likely to create a security risk, while potential security vulnerabilities in the cloud self-service management portal will lead to various kinds of unauthorized, illegal access, creating new security risks.
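Single-factor password authentication, which the paragraph above names as a risk for the self-service portal, is most commonly strengthened with a time-based one-time password as the second factor. The added example below is not from the original article: it implements HOTP (RFC 4226) and TOTP (RFC 6238) on the Python standard library, verifies a submitted code inside a small clock-skew window with a constant-time comparison, and shows a portal login that requires both the password (PBKDF2-hashed) and the current TOTP code. The account records and the secret are constructed for the example; the secret used in the usage lines is the RFC 6238 test secret.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic
    truncation (offset from the low nibble of the last byte, 31-bit value)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to floor(time / step)."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the current step and +-window neighbouring steps (clock skew).
    compare_digest keeps the comparison constant-time. Evaluates every
    candidate rather than short-circuiting on the first match."""
    counter = unix_time // step
    results = [hmac.compare_digest(hotp(secret, counter + i, digits), code)
               for i in range(-window, window + 1)]
    return any(results)


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed account record: salted PBKDF2 password hash plus TOTP seed."""
    salt = os.urandom(16)
    return {"salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
            "totp_secret": totp_secret}


def login(users: dict, username: str, password: str, code: str, now: int) -> bool:
    """Two-factor portal login: both factors are always evaluated so a wrong
    password and a wrong code take the same path and time."""
    rec = users.get(username)
    if rec is None:
        return False
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 200_000),
        rec["pw_hash"])
    otp_ok = verify_totp(rec["totp_secret"], code, now)
    return pw_ok and otp_ok


if __name__ == "__main__":
    seed = b"12345678901234567890"            # RFC 6238 test secret (SHA-1)
    print(totp(seed, 59, digits=8))          # RFC 6238 vector for t=59: 94287082
    users = {"alice": make_user("correct horse", seed)}   # hypothetical account
    print(login(users, "alice", "correct horse", totp(seed, 59), 59))   # True
    print(login(users, "alice", "correct horse", "000000", 59))         # False
```

In a multi-tenant portal the seed would be stored per user in the tenant's own authentication domain, and the window should stay small: every extra step accepted is another valid code an attacker who intercepts one can replay.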
Conclusion
When building cloud computing, as long as the security risks that may exist in the current environment are analysed and a corresponding security construction framework is developed using both technical and management means, system security in the cloud computing environment can be implemented to the greatest extent, ensuring the secure delivery of cloud computing business.