essay: cloud security planning strategy

Posted by barello at 2020-03-16
Cloud computing is used more and more widely, and more enterprises, organizations and individuals are expected to shift from traditional computing to cloud computing in the future. With information security incidents occurring frequently, and with threat techniques becoming more complex, faster and more automated, users' demand for cloud security is increasing.

How should cloud security be planned? Is there a general policy to follow? The author suggests that cloud security planning be carried out from the following seven aspects, so that the plan's areas of focus are complete.

1. Product orientation

Because cloud computing companies provide different services, information security planning has to take the products on offer into account in order to design effective supporting security products; in other words, information security services should themselves be treated as products. For example, customers of IaaS services and customers of SaaS services have different requirements for the supporting security service packages. IaaS users usually purchase security function packages for the infrastructure and application layers (such as a firewall). For SaaS users, the firewall function may be included in the service by default.

The productization of cloud computing also lets users make their own choices and secondary configurations to suit their differing needs. However, the cloud security provider should note that, depending on the skill of whoever performs it, this secondary configuration may weaken local protection, and in turn the overall protection of the cloud.

2. Effective tenant isolation

Cloud computing is fundamentally multi-tenant, so tenant isolation is one of the basic features to plan for in cloud information security, including the logical isolation of resources such as network and memory. Because cloud computing mostly relies on virtualization technology, strict tenant isolation is difficult to achieve. Tenant isolation needs to be considered at the cloud architecture design stage, so that the impact of security isolation on the architecture can be balanced.

3. Information security lifecycle

Lifecycle-based management is not only a concept in information security planning; it is widely used across the IT field and in many other fields. It needs to run through every stage: strategy, planning, design, implementation, operation and exit. Cloud security is no exception.

4. Compliance management

Cloud security is provided on top of cloud computing. Cloud users may come from many industries, and different industries have different information security requirements. When considering compliance, it is necessary to take into account the user's regulators and the general laws and regulations, such as the network security law, level protection, and financial regulators; multinational companies also need to analyze the characteristics of jurisdictional management. In compliance management, for all services in the same security domain, the basic architecture needs to be handled according to the highest security compliance requirement among them, which brings additional cost. Security domains should therefore be planned as early as possible, taking cost constraints into account.

5. Security technology architecture differentiation

Choosing the technology architecture is one of the important tasks in cloud security. In technology architecture planning, the key decision is how to balance closed and open architectures. An open architecture usually lets attackers obtain samples easily and study attack methods, while a closed architecture raises the difficulty of attack to a certain extent but also brings market and cost pressure. When using an open architecture, we can evaluate how much heterogeneity raises the cost of penetration, and design an appropriate number of heterogeneous layers.

6. Confrontation-based thinking

Cloud security operates in a complex multi-party environment, so cloud security planning also needs to start from confrontational thinking, which makes the defense methods more practical. Confrontational thinking helps the planning team analyze technical needs more comprehensively and objectively.

7. Risk-based cost management

Cost control is one of the important means by which cloud service providers make a profit. However, the industry generally believes that system vulnerabilities cannot be avoided 100%. Following the idea of confrontation, compensating security measures are adopted to raise the attacker's cost, so that an attack exceeds the attacker's expectations in money, time and other dimensions, which reduces the risk of being attacked. Meanwhile, signs of attack are detected in time and active intervention is carried out to reduce the risk of intrusion. Therefore, on top of cost management, it is necessary to introduce a risk-based cost analysis method to measure and balance technology, management, cost and risk.

I believe that through reasonable planning, deployment and operation and maintenance, secure cloud computing can be achieved.