Three major development trends of cloud Platform security

This article from today's information security industry separatist, with the three features of enclosure and hardware, this paper analyzes the increasingly serious gap between information security and cloud platform with typical cloud platform architecture, and puts forward corresponding solutions, that is, three development trends of information security: the defense of information security itself in depth (Defense in Depth), software defined by the combination of application and information security, defines information security (Software tabbed infomation), virtualization of security devices driven by virtualization technology and information security Device Virtualization), the combination of these three formed a more secure, agile, economic cloud platform security system.

The rise of traditional information security and cloud computing.

In the traditional information security era, the main use of isolation as a security means, specifically divided into physical isolation, internal and external network isolation, encryption and isolation, the practice proved that this isolation means for the traditional IT architecture can play an effective protection. At the same time, this isolation-oriented security system has spawned a group of security companies based on hardware sales, such as various firewall (firewalls), IPS (Intrusion detection system/intrusion prevention System), WAF (Web application Firewall), UTM (Unified Threat Management), SSL gateways, encryption machines, etc. Under the idea of isolation, there is no need for application providers to participate in more information security work, in a typical scenario is the integration of application and information security by the total integrator, which leads to the development of information security and application relatively independent for a long time, especially in the two areas of domestic circles. As a result, traditional information security has three characteristics, such as decentralization, closed application and hardware box.

But with the rise of cloud computing, the traditional information security, which is isolated as the main idea, has become increasingly difficult to deal with in the new IT architecture. In the NIST (National Institute of Standards and Technology) of the specification of cloud computing is divided into three layers, SaaS solves the application of the use of instant, IaaS solution to the load of the application of the computing resources of the dynamic changes, and PAAs to solve the application in the life cycle of the problem caused by changes. This article focuses on the more basic IaaS and PAAs.

Second, the public cloud scene under the isolation principle failure, in depth defense is an inevitable trend.

A typical scenario for a public cloud is multi-tenant sharing, but compared to traditional it architectures, the original trusted boundaries are completely broken and the threat may come directly from neighboring tenants. Of course, smart people are carefully designed to prevent the virtual machine from escaping, to prevent the tenant network monitoring, to prevent each single point of functional vulnerabilities, but the exception is always there.

In the typical open source IaaS platform-openstack scenario, many tenants share the computing resources of the same physical operating system through hypervisor (virtual machine Monitor) to implement a network partition on a shared two-tier network. In the G version of OpenStack, for example, once an attacker realizes a virtual escape to a host (the Nova node in OpenStack) through a 0day vulnerability, the attacker can read the memory of all the virtual machines on the host, allowing them to control all virtual machines on the host. At the same time, it is even more fatal that the APIs that communicate across the OpenStack nodes are trusted by default, so they can interact with cluster message queues from this host, and the cluster message queues will be controlled by attackers, ultimately ending the entire OpenStack cluster.

Then, PAAs, mainstream PAAs generally adopt process-isolated container technology (such as LXC in the Linux kernel), this technology is not as good as the security maturity of hypervisor, the principle of attack with the above OpenStack, this is not open. Functionally, mainstream PAAs generally for the application of source code management, continuous integration, deployment, operations, automated processing, and from a security point of view this means the weakening of trusted boundaries, such as once the continuous integration of this node is controlled by the attackers, subsequent deployment, production environment operations will be directly exposed to the attackers. Therefore, the rapid and automation of the cloud here is a double-edged sword, if there is a loophole, the harm will happen as soon as possible.

Again, there is a saying in the security circle that the "Big data age is the first to benefit hackers". Before also to one by one break, now data concentration, directly can Yiguoduan. Centralized mass of data, with n copies stored in different IDC, calculated on a large number of distributed nodes, how does the owner of the data ensure that their data is secure? Large data plus public cloud, if lack of effective security protection, will be a feast for the hackers.

Therefore, from the perspective of the development of information security itself, defense in depth (Defense in Depth, hereinafter referred to as did) is the inevitable trend of the classical Information security defense system under the new IT architecture change. The original trusted boundary is weakening, the attack plane is also increasing, in the past Single-layer defense (single Layer Defense) has been difficult to maintain, and the defense-in-depth system can greatly enhance the protection of information security. The two main features of defense-in-depth are "viewpoints from @phreaker":

1. Multi-point linkage defense. In the past security system, each security node individually, without substantial linkage. And if these security links can be coordinated combat, complementary insufficient, will bring better defense effect. For example, organic linkage between firewall, IPs, WAF, UTM, SIEM (Security information and event management) can be more accurate in locking intruders.

2. Intrusion tolerance technology (intrusion tolerance Marvell). Take OpenStack As an example, we assume that virtual escape exists. So our design principle is that even if an attacker controls a nova node, we will avoid further attacks by the attacker on the OpenStack message queue, or attack the other virtual machines of the Nova, by means of security design.

The current information security industry, which is generally a single layer of defense, rather than defense in depth, is caused by the decentralized fragmentation of security vendors, such as firewall, IPS, WAF, UTM, SIEM, PKI (Public Key Infrastructure), SSL gateways, code audits, terminal security, Encryption machine and other manufacturers, at the same time the decentralized status of security vendors will hinder the further development of defense in depth. How to disperse the various security vendors of the ability to effectively integrate the formation of linkage, we need to ponder, perhaps the next to explore the software definition of information security will be a means.

The closure of safety equipment hinders the safe development, and the future opening of safety equipment is a trend.

In the past many years, the traditional security vendors have exhibited the characteristics of closure. Although the design of a large number of security software, such as firwwall in the implementation of the rules, IDs in the business logic, but these software is not designed for users, but the security vendors are written dead in the security hardware equipment, as the hardware and software bundled with the integration of external services. This leads to a user's inability to flexibly use security software to combine their own business scenarios, such as traffic cleaning for specific scenarios. At the same time, the sealing of the traditional safety manufacturer also hinders the linkage integration between the security equipment, and it is difficult to form the linkage defense.

Closed security equipment, in a sense to maintain the interests of traditional security vendors, but it has harmed the interests of users. And from the user's point of view, the future of security equipment open, programmable is likely to be a trend, software definition information security (Software tabbed infomation, hereinafter referred to as SDIs) this concept is for users of this demand and health. SDIs emphasizes the programmability of security hardware devices, so that users can flexibly put security hardware equipment and application scene, in-depth integration, linkage defense. The so-called software tabbed, not only the application software and security equipment API-level interaction, more importantly, between the security equipment, or defense between the brain system and security equipment, the API-level linkage, so as to effectively build defense in depth. From this point of view, it can also be said that SDIs for the construction of a defense-in-depth system provides a possibility. From the point of view of application software threat, the new attack mode is more advanced and upper level. For example, for a high value of a certain electrical dealer's website malicious attack, the specific way is the website a promotion, the attacker uses the registered account to take the high value commodity, but delays the payment, to deal with this kind of attack way's one kind of solution idea is lets the application software the malicious single detection module and the firewall interaction.

The essence of Software tabbed is to break the ecological seal of security equipment, while minimizing the principle of openness, so that the security equipment or security equipment and application software effectively interact to enhance overall security, rather than simply to increase the risk of security equipment exposure. In fact, in the closed ecology of traditional security equipment, if the minimum open principle or other defects are violated, even a security device box with an open API may also be vulnerable. And SDIs is precisely to enhance the overall security of the system, and the individual security equipment to do the necessary API open.

SDIs is not a specific technology (in comparison, SSL gateway, WAF, encryption machine is specific technology), SDIs is a kind of application of information security design concept, is an architectural idea, this idea can fall to the concrete architectural design. Based on SDIs design concept, the user's will the most important, the traditional safety equipment manufacturer according to the stipulation SDIs specification (SDIs specification by the party a union leading formulation) provides the specialized security equipment which the breakdown domain, simultaneously also may appear some in line with the SDIs specification White card security equipment, the user through the API level interaction, The deep integration of these security devices forms an organic whole and improves overall security. For example, a real-time collection of all the security devices in the environment logs, through an intelligent brain system analysis (such as Splunk), can draw more meaningful conclusions, and then feedback to the relevant security equipment. Another benefit for users is that if the SDIs drives the security device to open the standard interface, which will then train a group of professional safety service providers in the vertical field, or white brand security equipment manufacturers, then the traditional safety equipment manufacturers can no longer taibaodalan, the user is not the safety equipment manufacturers kidnapped.

If the comparison of the popular network technology-SDN (software Definition Network), the SDIs technical architecture may have the following modules: SDIs South Interface (security device and brain system API), information security brain system (similar to SDN Controller), SDIs North Interface ( Interface or interface between the user and the brain system. From the concept of software definition information security SDIs, software can be either an application or a defense-in-depth brain system.

The combination of virtualization technology and security equipment drives the virtualization and mixing of security devices on the cloud.

Traditional security vendors have a hardware preference, especially in the domestic, security vendors tend to be made into box sales, rather than selling software + services. Typically, a security vendor develops a set of security software, but pre-installed the software on a 2U linux server and then labels it for sale. In addition to the encryption machine and other special cases, most of the security device box is not specifically for hardware customization or acceleration, in fact, is the software and hardware together.

On the cloud platform, hundreds of thousands of tenants share the same physical resources, a security hardware box that is already struggling to meet demand. Perhaps for a traditional security practitioner, the public cloud is a safe and worrying thing, but the status quo is no one can stop the flourishing of the public cloud. So on the cloud platform we can only comply with this trend, the traditional security hardware to carry out the necessary innovation, in the premise of ensuring safety security software from the hardware box to move out into the cloud, this is the security device virtualization (virtualization Device, hereinafter referred to as SDV )。 SDN is the softening of security hardware (such as hypervisor, or container, or process), which uses a variety of virtualization technologies to create a security device using standard computing cells on a cloud platform.

The benefits of SDV are significantly reduced costs, increased agility, reduced costs, and even increased concurrency (such as leveraging scale out horizontal scaling and flexible expansion of cloud resources). But we also need to recognize that, compared to hardware security devices, SDV increases attack planes and reduces trusted boundaries, requiring us to carefully design the entire technical architecture of SDV, prudently manage virtualized security devices throughout the lifecycle to avoid new threats.

In fact, the SDV on the cloud platform is also a forced choice, for example, if there is no SDV, the entire cloud platform using a high-performance hardware WAF to a one-size-fits-all protection cloud 10,000 of sites, for different business sites it is difficult to effectively customize the rules, is undoubtedly the naked running. Instead of running naked, it's better to have virtualized WAF instances of targeted protection for different business sites. Of course, in some scenarios, we can mix traditional hardware security devices with virtualized security devices to combine security and economics skillfully.

Five, DiD, SDIs, SDV Three are orthogonal, integrated design can form a complete security system.

On the cloud Platform, Defense-in-depth (DiD), software definition information security (SDIS), Security device Virtualization (SDV) are both independent, orthogonal and interrelated. As shown in the following illustration:

Software definition Information Security (SDIS) and Security device virtualization (SDV) are easy to confuse, so let's do a further analysis. SDIs emphasizes the breaking and sealing of security devices, increases the programmability, and as far as possible tighten the security boundary (for example, API minimum open, API call authentication), SDIs emphasizes the interaction between the security devices, or the application and security equipment, to form the maximum protection effect. And SDV is from the point of view of hardware virtualization, purely to meet in the cloud platform to build a security defense unit, to achieve fast, save money, high-performance purposes.

So if a hardware security device itself has an API for the application, it can also implement SDIs. Conversely, even if a security defense unit does not apply an open API to the application, the Security Defense unit can still be built in a virtualized way (such as a hypervisor virtual machine, container container, or a process). To further prove that SDV and SDIs are orthogonal, list the following 4 possible combinations:

1 Non-SDV (hardware security equipment) + SDIs (not to apply open API): Information security traditional architecture;

2) Non-SDV (hardware security equipment) +sdis (to application Open API): Security manufacturer's hardware security device to the application open programming API;

3 SDV (virtualized security devices) + non-sdis (not to apply to open API): Only the hardware of security vendors with virtualization technology to achieve;

4 SDV (virtualized security devices) +sdis (to the application Open API): Security vendors ' security devices are virtualized, and programming APIs are open to applications;

Vi. potential security threats and responses to SDIs and SDV.

One thing to be serious about is that while SDIs and SDV bring a lot of benefits, they add an attack plane, such as an attack on the security device's Open API, a hypervisor layer for virtualized security devices. Therefore, we must carefully design and grasp three principles:

1. Tighten the attack plane. such as the API interaction of brain systems and security devices, design an authentication mechanism to prevent other nodes or malicious applications from copying into the brain system to send instructions to security devices.

2) Intrusion tolerance technology (intrusion tolerance Marvell). For example, the security device API is minimized, while the malicious invocation behavior of the sensitive API has a detection and alarm module so that if the brain system is also under the control of the attacker, we also have a contingency mechanism.

3 The Sensitive business compulsory manual audit. For example, brain systems have been analyzed to determine that a security device strategy should be adjusted, followed by an experienced administrator to confirm the policy adjustment manually. This can also be seen as a semi-automatic.

In fact, absolute security may not exist, so we have to use the above three principles to find ways to increase the cost of attack, ultimately allowing attackers to weigh the cost of attack and steal information value after the choice to give up.

To sum up, in the traditional IT architecture developed to the cloud architecture today, the traditional information security decentralized, the application of the Closed, hardware box is no longer suitable for the needs of a new generation of applications. The relationship between information security and application needs a change, from the goal of change, information security and application of Cross-border integration is the mainstream direction, security will ultimately be driven by the business and application. And this cross-border integration of security and application, it has spawned three dimensions of information security: the defense of Information security itself (DiD), the software defined by the combination of application and information security (SDIS), security device virtualization driven by virtualization technology and Information Security (SDV). Information security in these three dimensions evolved from the fusion of new technologies, whether to form a more secure, agile, economic next generation cloud platform security system? This requires further practice and exploration.