Challenges and Practices of Cloud-Native Security

Cloud-native applications built on containers and serverless platforms are being deployed rapidly by organizations worldwide. Although cloud-native applications bring low latency, unmatched resilience, and fast development cycles, they also bring new challenges. There are several ways to protect cloud-native applications, including shifting security left, applying boundary security, implementing minimal roles and least privilege, protecting application dependencies, and security collaboration across teams.

Cloud-native applications consist of a large number of loosely coupled components, and the architecture is built on those short-lived components. This complicates operations and maintenance, and it also introduces security risks. Cloud-native security therefore requires new solutions, strategies, and tools. Below are five recommendations that can help improve an enterprise's cloud-native security.


What is cloud native?

Cloud native means built for the cloud: the entire software development lifecycle – development, deployment, testing, and upgrades – takes place in a cloud environment. The "cloud" here is not limited to public clouds; it can also mean a hybrid cloud or more than one cloud provider.

The Cloud Native Computing Foundation (CNCF) holds that cloud-native computing relies on three kinds of tools: containers, microservice architecture, and dynamic orchestration. A container packages software together with its dependencies, which makes the software portable and scalable; dynamic orchestration covers tools such as Kubernetes that manage containers in the cloud; and microservice architectures are optimized to run on them. Containers can also be replaced by another cloud-native computing capability: serverless functions.

The security challenges of cloud native

Cloud native brings extra challenges to infrastructure and application security. Here are some of the key ones:

    Many entities that need to be protected: DevOps and infrastructure teams use microservices to run cloud-native applications. In the past, multiple processes or software functions ran on a single virtual machine. Now each process or function is packaged into its own container or serverless function. Each such entity can be compromised, so each requires protection throughout the whole development lifecycle.
    Diverse architectures: a cloud-native system may involve multiple public and private clouds, cloud services, and application architectures. Each has its own risks and security requirements. The security team must understand this complex attack surface and find a solution for each architecture.
    Constantly changing environments: public and private cloud environments change continuously. Fast release cycles mean that every component of a microservice application may be upgraded daily. In addition, the use of immutable infrastructure means that the application is continually torn down and rebuilt. Security teams find it hard to protect these technologies without slowing down the release cycle.

How to protect cloud-native applications

There are several ways to protect cloud-native applications, including shifting security left, applying boundary security, minimal roles and least privilege, protecting application dependencies, and security collaboration.

1. Shift security left

Many companies still use their existing security tools, but those tools cannot cope with the speed, scale, and dynamic networking of cloud-native application environments. Adding serverless makes the infrastructure even more abstract and the problem more serious.

Attackers look for vulnerabilities in container and serverless code, and for misconfigurations in the cloud infrastructure, in order to reach entities that hold sensitive information, and then use those entities to escalate privileges and attack other entities.

Another problem is that companies continuously develop, test, and release applications with CI/CD tools. When deploying cloud-native applications with containers, developers pull images from local or public registries but generally do not check whether those images contain vulnerabilities.

One solution is to give the security team tools that keep untrusted images out of the CI/CD pipeline, and to enable mechanisms that block untrusted images before they reach production. Developers can enforce security standards by scanning for vulnerabilities during development.
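As an added example (not code from the article), the admission check such a pipeline gate performs: the image must come from a trusted registry, be pinned by digest rather than a mutable tag, and pass severity thresholds from the scanner. The registry names, thresholds and the scan summary are constructed for this example.

```python
import re

# Constructed policy for this example; a real pipeline would load these from config.
TRUSTED_REGISTRIES = ("registry.example.internal", "ghcr.io/example-org")
MAX_CRITICAL = 0   # any critical finding blocks the image
MAX_HIGH = 2       # tolerate at most two high findings

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def parse_image(ref):
    """Split an image reference into (name, tag, digest); tag/digest may be None."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    # Only the last path segment may carry a tag; 'host:5000/repo' has no tag.
    if ":" in ref.rsplit("/", 1)[-1]:
        ref, tag = ref.rsplit(":", 1)
    return ref, tag, digest


def admit_image(ref, scan):
    """Decide whether an image may enter the pipeline.

    `scan` is a severity -> count summary as a scanner would report it
    (constructed here). Returns (allowed, reasons)."""
    name, tag, digest = parse_image(ref)
    reasons = []
    if not any(name == r or name.startswith(r + "/") for r in TRUSTED_REGISTRIES):
        reasons.append("untrusted registry: " + name)
    if digest is None:
        # A tag, even a version tag, can be re-pushed with different content; a digest cannot.
        reasons.append("not pinned by digest (tag=%s)" % tag)
    elif not DIGEST_RE.fullmatch(digest):
        reasons.append("malformed digest")
    if scan.get("CRITICAL", 0) > MAX_CRITICAL:
        reasons.append("%d critical findings" % scan["CRITICAL"])
    if scan.get("HIGH", 0) > MAX_HIGH:
        reasons.append("%d high findings" % scan["HIGH"])
    return (not reasons, reasons)


if __name__ == "__main__":
    pinned = "ghcr.io/example-org/api:1.4@sha256:" + "a" * 64   # constructed digest
    print(admit_image(pinned, {"CRITICAL": 0, "HIGH": 1}))
    print(admit_image("nginx:latest", {"CRITICAL": 1}))
```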

2. Apply boundary security at the function and container level

In a serverless application, the system is decomposed into many small components that can be triggered from different sources. This gives an attacker a wider choice of entry points and more ways to carry out malicious behavior.

An important approach is to use API and application security tools designed for cloud-native environments. A common practice at the function level is to apply boundary security: identify which event sources are allowed to trigger each function, and then monitor the function's event triggers for anomalies.

In a containerized environment, the key point is to apply security at several levels: the orchestration control plane, the physical hosts, the pods, and the containers. Best practices include securing the nodes, restricting and monitoring traffic between containers, and using third-party authentication mechanisms for the API server.

3. Minimal roles and least privilege

Cloud-native resources interact with each other frequently. Configuring a unique set of permissions for each serverless function gives the greatest improvement in security. Access control can be strengthened with IAM by granting permissions at the granularity of each function or container. Creating a minimal role, or a minimal set of permissions, for each function or container takes some time, but it ensures that even if one point in the cloud is compromised, the damage is as small as possible and the compromised component cannot be used to gain rights over other components.
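As an added example (not from the article), building a per-function IAM policy from the function's declared needs and linting a policy for the violations least privilege is meant to rule out: wildcard actions, a resource of "*", and grants of IAM actions that would let a compromised function change its own permissions. The ARNs and account id are constructed placeholders.

```python
import json

# Constructed ARNs for this example; substitute the function's real resources.
ORDERS_TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/orders"
UPLOAD_BUCKET = "arn:aws:s3:::example-uploads"


def minimal_policy(needs):
    """Build one IAM policy from a function's declared needs.

    `needs` maps a resource ARN to the exact actions the function performs on it,
    so nothing is granted that the function did not ask for."""
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": arn}
        for arn, actions in needs.items()
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def lint_policy(policy):
    """Return a list of least-privilege violations found in an IAM policy document."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue   # Deny statements only narrow access
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for a in actions:
            if a == "*" or a.endswith("*"):
                findings.append("statement %d: wildcard action %r" % (i, a))
            elif a.split(":")[0] == "iam":
                # Permission to change permissions defeats the isolation between functions.
                findings.append("statement %d: grants IAM action %r" % (i, a))
        if "*" in resources:
            findings.append("statement %d: applies to every resource" % i)
    return findings


if __name__ == "__main__":
    tight = minimal_policy({ORDERS_TABLE: {"dynamodb:GetItem", "dynamodb:PutItem"},
                            UPLOAD_BUCKET + "/*": {"s3:GetObject"}})
    print(json.dumps(tight, indent=2), lint_policy(tight))
    broad = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    print(lint_policy(broad))
```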

4. Protect application dependencies

Serverless function code and applications often pull packages, together with their dependencies, from registries such as npm or PyPI.

To protect the application, an automated tool is needed that inventories all open-source components and their known vulnerabilities. Similarly, the cloud-native orchestration tooling should be made to enforce secure behavior during development. Running these tools continuously prevents packages or containers with hidden vulnerabilities from running in production.
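As an added example (not from the article), the core of such an inventory check for a Python project: parse a requirements file, match each pinned package against an advisory feed with introduced/fixed version ranges, and flag unpinned packages, which cannot be audited reproducibly. The advisory ids, version ranges and requirements file are constructed; the version comparison handles plain dotted versions only.

```python
# Constructed advisory feed for this example, in the shape of an OSV-style record:
# each entry is vulnerable from `introduced` (inclusive) up to `fixed` (exclusive).
ADVISORIES = {
    "requests": [{"id": "EXAMPLE-2018-0001", "introduced": "2.0.0", "fixed": "2.20.0"}],
    "pyyaml":   [{"id": "EXAMPLE-2020-0002", "introduced": "0", "fixed": "5.4"}],
}

# Constructed requirements file with one vulnerable pin, one fixed pin, one unpinned package.
SAMPLE_REQUIREMENTS = """\
requests==2.19.1
pyyaml==5.4
flask==2.0.1  # pinned, no advisory in the feed
urllib3>=1.26
"""


def version_key(v):
    """Comparable key for plain dotted versions like '2.19.1' (no pre-release tags)."""
    return tuple(int(part) for part in v.split("."))


def normalize(name):
    return name.strip().lower().replace("_", "-")


def parse_requirements(text):
    """Yield (name, pinned_version_or_None) for each requirement line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            yield normalize(name), version.strip()
        else:
            yield normalize(line.split("<")[0].split(">")[0]), None


def check_requirements(text, advisories=ADVISORIES):
    """Return findings as (package, version, advisory id or 'unpinned')."""
    findings = []
    for name, version in parse_requirements(text):
        if version is None:
            findings.append((name, None, "unpinned"))
            continue
        for adv in advisories.get(name, []):
            if version_key(adv["introduced"]) <= version_key(version) < version_key(adv["fixed"]):
                findings.append((name, version, adv["id"]))
    return findings


if __name__ == "__main__":
    for finding in check_requirements(SAMPLE_REQUIREMENTS):
        print(finding)
```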

5. Security collaboration

Establish close working relationships between developers, DevOps, and security teams. Developers are not security experts, but they can be taught secure practices so that they write code securely. The security team should know how the application is developed, tested, and deployed, and which tools are used along the way, so that it can effectively build security into these processes.

Cloud native requires enterprises to manage security and development in many different ways, so it is critical to bring the different teams together as early as possible. The adoption of cloud native is a rare opportunity to build a culture of cooperation and sharing.

Conclusion on cloud-native security

This article described the challenges cloud native faces, including the large number of entities that need protection and the constantly changing environments and architectures, together with five best practices that improve the security of a cloud-native environment:

    Shift security left to head off problems before they reach production.
    Apply boundary security at the function and container level.
    Implement minimal roles and least privilege for the entities in the cloud-native environment.
    Protect application dependencies.
    Encourage security collaboration between development, operations, and security teams.

Cloud security review

The pace of business is accelerating, so cloud-native systems such as serverless applications will be adopted by more and more companies, and cloud-native security will receive more attention. It is not hard to see that most of the five security recommendations in this article relate to software security: whether shifting security left, protecting application dependencies, or achieving the overall security collaboration of DevSecOps, they are all inseparable from development security. In this respect, the importance of DevSecOps and API security will only grow with the use of cloud native.
