Cloud computing has become the main solution for big data and cross-platform applications, but its characteristics of virtualization, large scale and openness bring more security threats and challenges. Starting from the cloud computing architecture, this paper studies the security defense model from the perspectives of the technical characteristics, operational characteristics and security model of cloud computing security, and proposes key technologies for cloud security capability: software-defined security, security assurance as a service, intelligent security services and dynamic defense. These support flexible deployment, efficient assurance and rapid response of cloud security protection, improve the ability of the cloud computing environment to respond to diversified security requirements, and sustain continuous cloud service under strong adversarial conditions.
At present, cloud computing, as a new Internet-based distributed computing model, has developed into the major solution for big data and cross-platform applications by virtue of its efficiency, reliability and ease of maintenance. Because of its virtualization, large scale and openness, cloud computing faces greater security threats and challenges than traditional network information systems and carries more security risk. For example, in October 2019 AWS, the world's largest cloud service provider, suffered a DDoS attack against its DNS service: attackers flooded the system with junk traffic and service was disrupted for hours.
Meanwhile, the Cloud Security Alliance (CSA) released its 2019 report on top threats to cloud computing, listing eleven major threats: data breaches; misconfiguration and inadequate change control; lack of cloud security architecture and strategy; insufficient identity, credential, access and key management; account hijacking; insider threat; insecure interfaces and APIs; weak control plane; metastructure and applistructure failures; limited cloud usage visibility; and abuse and nefarious use of cloud services. To better cope with the security threats and attack techniques continually exposed as cloud computing is promoted and applied, it is of great and far-reaching significance to study the key technologies of cloud computing security defense.
- Cloud computing security defense system
Cloud computing applications are open, network-interconnected and resource-sharing, and deliver comprehensive information services, so they are a concentrated target in cyberspace: attacks use many means, change quickly, and are increasingly capable, destructive and effective. Only by building a reasonable and complete cloud security system, making breakthroughs in key technologies, and resolving the related security problems can the complex security risks of the cloud environment be effectively addressed and the security service requirements of the cloud ecosystem (cloud service providers, operators, security vendors and users) be met.
A cloud computing environment consists of hardware facilities, virtualized resources, virtual computing resources, software platforms, application software and so on. Its service types are mainly the three service models Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). In the different service models, cloud service providers and cloud tenants have different degrees of access to resources, and their security protection requirements differ accordingly. According to the latest national information security technology requirements for classified protection of network security and security design technology, security services for the cloud computing environment must rest on unified, service-wide policies, regulations and standards, and on a set of basic security services that support and cooperate with one another.
Security defense in the cloud computing environment requires both general protection inherited from traditional information systems (security management, identity authentication and access control, system disaster recovery and backup, security audit, intrusion detection and so on) and protection specific to the virtualization and on-demand service characteristics of cloud computing. In the national classified protection requirements, the secure computing environment part of the general security requirements specifies the security controls for the internal boundary.
At the regional boundary the cloud computing environment requires network access control, intrusion prevention, security audit and centralized control; in the computing environment it requires identity authentication, access control, intrusion prevention, image and snapshot protection, data security, data backup and recovery, residual information protection, cloud trusted computing, virtualization security, malicious code protection and other protection technologies, as shown in Figure 1. Together these secure the hardware facilities, virtualized resources, virtual computing resources, software platforms, application software and data of the cloud computing environment at the physical layer, the virtual resource layer and the service layer respectively. The cloud computing environment should rest on a unified security base, with security as the core and intelligent security management as the guarantee. Supported by security detection and early warning, a dynamic defense system of "monitor - decide - respond - defend" can then be formed.
- Software-defined cloud security defense
Traditional network security protection methods can no longer meet the security requirements of cloud computing. Under the development trend of Software Defined Security (SDS), SDS provides the supporting architecture for cloud computing security. Its core is to decouple physical security devices from their access method and deployment location, and to decouple the hardware platform from the software function components; security resources are abstracted in layers into a security resource pool, managed and maintained through unified programming, and exposed as a security service model defined by open standard interfaces. This supports flexible deployment of security functions and on-demand provision of security capabilities, that is, security as a service.
SDS borrows from the SDN/OpenFlow architecture and separates traditional security service functions from security control functions into a business (data) plane and a control plane. A protection system built on a software-defined architecture can likewise separate its control plane from its data plane. The business plane consists of a platform layer, an execution layer and a service layer; by abstracting security capabilities and pooling resources, all kinds of security devices are abstracted into resource pools with different security capabilities, and the size of each pool is scaled out horizontally according to the actual scale of the business to meet the security performance requirements of different customers.
The platform layer consists of physical or virtual security platforms, computing platforms, storage devices, and secure routing and switching platforms. An intelligent security management center deploys, manages and schedules them in a unified manner to form a pool of security facility resources, from which resources can be obtained on demand, flexibly and at scale. The platform layer provides the virtualized operating environment for the security service function components of the execution layer.
The execution layer consists of security service function components such as virus protection, cryptographic services, data backup, intrusion detection, firewall and flow control, and security management function components such as situational awareness, vulnerability management, event audit, certificate authority, identity management and key management. Each component is fully decoupled from hardware resources, designed to standards, supports a unified programmable control interface, and follows an open architecture so that third-party security service components can be integrated, allowing security vendors to complement one another and to prevent and control threats jointly. The service layer orchestrates the security function components of the execution layer under the direction of the control plane according to cloud tenant demand: it controls the network, the virtual machines' Internet access and information flows to provide secure access and isolation services, and it provides application-level services such as application access control, data access control and data security.
The control plane focuses on the orchestration, deployment, management, operation and maintenance of security service applications. It intelligently analyzes user tasks and the real-time security service requirements that arise during operation, and converts them into concrete security resource scheduling and security policy configuration schemes. Through the programming interfaces provided by the control layer, services are orchestrated over the vertical resources of each layer of the business plane, and the correct contractual relationships are formed among the discrete security service resources, so as to build a systematic protection system, realize overall coordination and linkage of security services, and achieve intelligent, service-oriented and dynamic cloud security protection. The scope of security management varies with the service delivery model and the provider's capabilities.
- Cloud security defense as a service
Cloud computing security protection and traditional network security protection are similar in their functional requirements, but because of the virtualization, data centralization and large scale of cloud computing, cloud security differs from traditional network security in access control, deployment and security model, and the demand of cloud tenants for characterized, customized protection is more pronounced. On the basis of software-defined security, a service-oriented and composable cloud security assurance model better fits the application model of the cloud computing architecture.
On top of a unified security infrastructure, a service-oriented cloud security architecture (SOA) is constructed by encapsulating and combining centralized, standardized, service-oriented security function components, and by using standard northbound interfaces to realize automatic orchestration of policies. This delivers security services to users at the IaaS, PaaS and SaaS levels, including secure access control and application security protection.
The service-oriented cloud security architecture provides the required security services to service requesters through service registration, service publication, service query, service request, service pull, and service push or binding, as shown in Figure 3. Security services, including basic functions such as network intrusion detection, host firewall, cryptographic services and security audit, form a security service resource pool on a unified platform. Cloud tenants obtain security solutions through service query and service request.
Based on the cloud computing security protection architecture, the cloud security management system schedules the security service resource pools. Through on-demand scheduling and dynamic deployment, virtual security service devices at different levels cooperate with one another to form a multi-angle, all-round cloud security defense capability that is proactive, comprehensive and coordinated. Cloud security services meet the tenants' requirements for network isolation, tenant isolation, application security and data security in the cloud environment, provide each tenant with flexible and easy-to-use security services on demand, and cover cloud monitoring, protection during an incident and audit afterwards, so that the tenants' virtual computing environment, network and data receive full-lifecycle protection. Under the service-oriented cloud security assurance model, unified security operation, maintenance and management not only provide precise assurance but also speed up the handling of security incidents and improve overall protection capability.
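The following is an added example, not code from the paper or from any product it describes, that makes the two preceding sections concrete in one small model: a service registry (registration, publication, query), a horizontally scalable security resource pool at the platform layer, and a control plane that turns a tenant's request into a scheduling decision plus a default-deny, per-tenant policy for the data plane. The service names, capacities, pool size and rule syntax are hypothetical.

```python
from dataclasses import dataclass
from math import ceil
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class SecurityService:
    """A published, hardware-decoupled security function component."""
    name: str
    vendor: str
    capacity_mbps: int  # throughput one pooled instance provides (hypothetical)


@dataclass
class Allocation:
    tenant: str
    service: str
    instances: int
    policy: List[str]


class ServiceRegistry:
    """Service layer: registration, publication and query."""
    def __init__(self) -> None:
        self._services: Dict[str, SecurityService] = {}

    def register(self, svc: SecurityService) -> None:
        self._services[svc.name] = svc

    def query(self, name: str) -> Optional[SecurityService]:
        return self._services.get(name)

    def published(self) -> List[str]:
        return sorted(self._services)


class ResourcePool:
    """Platform layer: pooled instances that scale out up to a fixed size."""
    def __init__(self, max_instances: int) -> None:
        self.max_instances = max_instances
        self.in_use = 0

    def allocate(self, n: int) -> None:
        # Fail closed: a request that cannot be served must not be silently
        # downgraded to a smaller (under-provisioned) deployment.
        if self.in_use + n > self.max_instances:
            raise RuntimeError(f"pool exhausted: need {n}, free {self.max_instances - self.in_use}")
        self.in_use += n

    def release(self, n: int) -> None:
        self.in_use = max(0, self.in_use - n)


class SdsController:
    """Control plane: turns a tenant requirement into a scheduling decision
    and a per-tenant, default-deny policy for the data plane."""
    def __init__(self, registry: ServiceRegistry, pool: ResourcePool) -> None:
        self.registry = registry
        self.pool = pool
        self.allocations: Dict[str, List[Allocation]] = {}

    def request(self, tenant: str, service: str, required_mbps: int,
                allowed_ports: Iterable[int]) -> Allocation:
        svc = self.registry.query(service)
        if svc is None:
            raise LookupError(f"service {service!r} is not published")
        instances = ceil(required_mbps / svc.capacity_mbps)  # horizontal scale-out
        self.pool.allocate(instances)
        alloc = Allocation(tenant, service, instances,
                           self._render_policy(tenant, service, allowed_ports))
        self.allocations.setdefault(tenant, []).append(alloc)
        return alloc

    @staticmethod
    def _render_policy(tenant: str, service: str, allowed_ports: Iterable[int]) -> List[str]:
        # Hypothetical rule syntax: explicit allows first, then a default deny,
        # so no tenant ever receives a policy that is permissive by omission.
        rules = [f"{service} allow tenant={tenant} dst_port={p}" for p in sorted(allowed_ports)]
        rules.append(f"{service} deny tenant={tenant} any")
        return rules

    def check_isolation(self) -> bool:
        """Tenant isolation check: every rendered rule names only its own tenant."""
        for tenant, allocs in self.allocations.items():
            for alloc in allocs:
                for rule in alloc.policy:
                    named = {tok.split("=", 1)[1] for tok in rule.split() if tok.startswith("tenant=")}
                    if named != {tenant}:
                        return False
        return True


def demo() -> SdsController:
    """Two tenants draw from one pool of six instances (constructed scenario)."""
    registry = ServiceRegistry()
    registry.register(SecurityService("firewall", "vendorA", capacity_mbps=1000))
    registry.register(SecurityService("ids", "vendorB", capacity_mbps=500))
    controller = SdsController(registry, ResourcePool(max_instances=6))
    controller.request("tenant-a", "firewall", required_mbps=2500, allowed_ports=[443, 22])
    controller.request("tenant-b", "ids", required_mbps=1000, allowed_ports=[80])
    return controller
```

The point a practitioner should take from it is the two checks the controller performs before anything reaches the data plane: the pool refuses to over-commit rather than quietly under-provisioning, and `check_isolation` verifies that orchestration never produced a rule that crosses tenant boundaries.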
- Intelligent cloud security defense
With the popularization of cloud computing applications, the massive enterprise and user data held in the cloud has enormous asset value and attracts a large number of attackers seeking to steal it. Various security vulnerabilities bring potential security threats, and new network attack techniques appear constantly, so the security situation of the cloud computing environment is becoming increasingly complicated. Intelligent protection is therefore needed: with artificial intelligence as the engine, internal and external threat intelligence is analyzed in depth using expert knowledge bases, deep learning and big data analysis, providing intelligent awareness, intelligent warning, intelligent decision-making and intelligent response for the cloud computing environment and raising the intelligence level of cloud security protection so that complex and changing cloud security threats can be handled more quickly.
First, multi-granularity network security monitoring collects log, flow and performance data from distributed probes, then automatically identifies, completes, screens and aggregates it, guaranteeing the integrity and reliability of the basic data so that the network security situation can be monitored more clearly and threats found more quickly.
Second, cyberspace big data is combined with complex event correlation analysis, multi-model behavior analysis and in-depth analysis based on statistics and machine learning, so that the massive sensed information is analyzed at fine granularity, in depth and across multiple dimensions to mine its value and obtain a more accurate security situation.
Third, based on an expert knowledge base and a library of security protection rule templates, dynamic protection schemes are formulated for users and suggestions for modifying protection policies are produced, helping users handle various security threats and incidents more quickly and accurately and improving or consolidating the protection capability of the cloud computing environment.
Fourth, security services are orchestrated and recomposed through intelligent security operation and maintenance management, ensuring that cloud security defense measures are deployed correctly and that defense policies are executed in a timely and efficient manner, so as to limit the impact of cyberspace security threats on cloud services and minimize the economic losses they cause.
- Dynamic security defense
Through unified security design across every operational link of the cloud, security is integrated into the cloud and its operational service behavior as a basic attribute. Based on the linkage of security management, security services, the security platform, and monitoring and early warning, a cloud security dynamic defense system of "monitoring - early warning - decision - response" is established.
First, real-time "monitoring" of the cloud environment comprehensively collects security situation data such as illegal operations and network attacks, which is cleaned, normalized and fused to extract the important information. Second, internal and external threat intelligence is combined with the big data produced by monitoring to analyze and predict security risks, alert on threats and analyze trends, providing users with "early warning". Third, the security management layer of the system performs security service planning with the support of intelligent defense decision assistance, dynamically generating defense deployments, defense policies, defense resources and other assurance schemes to form the defense "decision". Fourth, the security service layer makes the "response" according to the adjusted defense plan, delivers the corresponding security service functions to the security platform, and carries out the defense on the software-defined security service platform to resist the various security risk events.
Through the overall linkage of these functions, real-time intelligent monitoring, detection and analysis, and defense against security risks such as network attacks and system vulnerabilities are integrated, which effectively improves the dynamic intelligent detection, identification and defense capabilities of the cloud environment and the overall efficiency of intelligent defense.
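The following is an added example, not code from the paper, that runs one pass through the loop just described, and that also stands in for the four intelligent-defense steps of the previous section: probe data is normalized ("monitoring"), correlated with threat intelligence into scored warnings ("early warning"), mapped through rule templates to a defense plan ("decision"), and pushed as rules to a stand-in for the software-defined security platform ("response"). The sshd lines, flow records, threat-intelligence feed, indicator weights, thresholds and rule templates are all constructed for the illustration; the addresses come from documentation ranges.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed probe data: sshd lines from a host-log probe, NetFlow-style
# records from a network probe, and a feed of known-bad source addresses.
AUTH_LOG = [
    "Jan 10 03:14:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "Jan 10 03:14:03 web01 sshd[2213]: Failed password for admin from 203.0.113.7 port 51130 ssh2",
    "Jan 10 03:14:05 web01 sshd[2215]: Failed password for invalid user oracle from 203.0.113.7 port 51141 ssh2",
    "Jan 10 03:14:07 web01 sshd[2217]: Failed password for root from 203.0.113.7 port 51150 ssh2",
    "Jan 10 03:14:09 web01 sshd[2219]: Failed password for admin from 203.0.113.7 port 51162 ssh2",
    "Jan 10 03:14:11 web01 sshd[2221]: Failed password for invalid user postgres from 203.0.113.7 port 51170 ssh2",
    "Jan 10 03:20:44 web01 sshd[2290]: Failed password for root from 198.51.100.9 port 40021 ssh2",
    "Jan 10 03:20:50 web01 sshd[2292]: Failed password for root from 198.51.100.9 port 40033 ssh2",
    "Jan 10 03:31:12 web01 sshd[2350]: Failed password for alice from 192.0.2.5 port 33001 ssh2",
    "Jan 10 03:31:20 web01 sshd[2352]: Accepted password for alice from 192.0.2.5 port 33001 ssh2",
]
FLOW_RECORDS = [
    {"src": "192.0.2.5", "dst": "10.0.0.12", "bytes": 80_000_000},
    {"src": "203.0.113.7", "dst": "10.0.0.12", "bytes": 4_200},
]
THREAT_INTEL: Set[str] = {"198.51.100.9"}

AUTH_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def monitor(auth_lines: List[str], flows: List[dict]) -> Dict[str, dict]:
    """Monitoring: normalize heterogeneous probe data into per-source facts."""
    facts: Dict[str, dict] = defaultdict(
        lambda: {"failed_logins": 0, "users": set(), "flows": 0, "bytes": 0})
    for line in auth_lines:
        m = AUTH_RE.search(line)
        if m:  # successful logins and unrelated lines are ignored
            user, ip = m.groups()
            facts[ip]["failed_logins"] += 1
            facts[ip]["users"].add(user)
    for rec in flows:
        facts[rec["src"]]["flows"] += 1
        facts[rec["src"]]["bytes"] += rec["bytes"]
    return facts


# Hypothetical indicators: (predicate over one source's facts, weight, label).
INDICATORS = [
    (lambda f: f["failed_logins"] >= 5, 40, "brute force"),
    (lambda f: len(f["users"]) >= 3, 30, "password spraying"),
    (lambda f: f["bytes"] >= 50_000_000, 40, "high outbound volume"),
]
WARN_THRESHOLD = 50


def early_warning(facts: Dict[str, dict], intel: Set[str]) -> List[dict]:
    """Early warning: correlate indicators and threat intelligence per source."""
    warnings = []
    for ip, f in facts.items():
        score, reasons = 0, []
        for pred, weight, label in INDICATORS:
            if pred(f):
                score += weight
                reasons.append(label)
        if ip in intel:  # external intelligence corroborates internal evidence
            score += 50
            reasons.append("known bad ip")
        if score >= WARN_THRESHOLD:
            warnings.append({"ip": ip, "score": score, "reasons": reasons})
    return warnings


# Hypothetical rule-template library: label -> (action, ttl in seconds).
RULE_TEMPLATES = {
    "known bad ip": ("block", 86400),
    "brute force": ("block", 3600),
    "password spraying": ("rate-limit", 3600),
    "high outbound volume": ("rate-limit", 1800),
}


def decide(warnings: List[dict]) -> List[dict]:
    """Decision: pick the strongest templated action and the longest TTL."""
    plan = []
    for w in warnings:
        actions = [RULE_TEMPLATES[r] for r in w["reasons"]]
        action = "block" if any(a == "block" for a, _ in actions) else "rate-limit"
        plan.append({"ip": w["ip"], "action": action, "ttl": max(t for _, t in actions)})
    return plan


class SdsPlatform:
    """Stand-in for the software-defined security platform's policy API."""
    def __init__(self) -> None:
        self.rules: List[str] = []

    def push(self, rule: str) -> None:
        self.rules.append(rule)


def respond(plan: List[dict], platform: SdsPlatform) -> List[str]:
    """Response: deliver the plan to the platform as concrete rules."""
    for p in plan:
        platform.push(f"{p['action']} src={p['ip']} ttl={p['ttl']}")
    return platform.rules


def run_cycle(auth_lines: List[str], flows: List[dict], intel: Set[str],
              platform: Optional[SdsPlatform] = None):
    """One monitoring - early warning - decision - response cycle."""
    platform = platform or SdsPlatform()
    warnings = early_warning(monitor(auth_lines, flows), intel)
    plan = decide(warnings)
    return warnings, plan, respond(plan, platform)
```

Two details are deliberate. The source at 192.0.2.5 has a large outbound transfer but only one failed login and a subsequent successful one, so it stays below the warning threshold: single weak indicators should not trigger a block on their own. Every pushed rule also carries a TTL, so an automated response expires by itself instead of accumulating into a permanent, unreviewed rule set.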
Based on the cloud computing security infrastructure framework, this paper proposes an intelligent, service-oriented and dynamic defense system built on a software-defined architecture, to achieve flexible deployment, efficient assurance and rapid response of security defense and to improve the ability of the cloud computing environment to respond to diversified security requirements and security situations. In view of the strong adversarial contest in cyberspace, further research is needed on the application of big data technology and artificial intelligence to cloud security, and on the combination of trusted computing with cloud computing, so as to achieve deep organic fusion of these functions, support the construction of an intelligent dynamic defense system, and provide the cloud environment with multi-layered, in-depth and dynamic protection.