Alibaba Cloud Cloud Native Partners with Salesforce

On June 17, 2022, the first 2022 3SCON "Software Supply Chain Security Forum", sponsored by the China Academy of Information and Communications Technology and the China Communications Standards Association, was held online. At the forum, the container ISV software supply chain security case submitted jointly by Alibaba Cloud and Salesforce, "Alibaba Cloud Helps Salesforce Software Supply Chain Security Implementation Practice", was awarded the "2022 Security Excellent Case of the Guardian Project".

Salesforce, founded in March 1999, is a customer relationship management (CRM) software service provider that offers an on-demand CRM application platform. Salesforce allows customers and independent software vendors to customize and integrate its products while building the applications they need.

While jointly releasing the software "Salesforce Social E-Commerce" for the Chinese market, Salesforce worked closely with Alibaba Cloud's container team to address the complex and diverse challenges of cloud-native software and implemented full-life-cycle software supply chain security practices. In the development and delivery phases, static governance and access control are applied to code and images; in the delivery phase, image scanning and signing, cross-account synchronization, and signature verification ensure the security and trustworthiness of image content, and policy management secures image deployment and startup; in the runtime phase, running containers in a security sandbox improves the isolation of container applications, and the security monitoring and alerting capabilities of the container runtime are used to discover security threats and trends in assets in real time.

Risks in the cloud-native software supply chain

As enterprise IT digital transformation evolves, more and more enterprises are adopting cloud-native architecture upgrades to improve the efficiency of application development and of operation and maintenance iterations, accelerate business innovation, improve the efficiency of elastic resource management and migration, and reduce costs while increasing efficiency. However, the elasticity, agility, and dynamic scalability that characterize cloud-native systems also introduce new challenges to software supply chain security:

Third-party and open-source components bring security risks: Enterprise software projects increasingly rely on third-party or open-source community components from suppliers, and these components are often delivered through the software supply chain in the form of base images. Attackers may exploit vulnerabilities in these components to inject malicious code or take control of third-party machines, using them for anything from cryptocurrency mining and sending spam to launching DDoS attacks through large botnets.

The complexity of the software supply chain creates risks: from requirements analysis, code development, integration, and testing in the development stage, to delivery through specific channels and end-customer acceptance in the supplier delivery stage, to end-customer operation and maintenance in the final operation stage. The entire software supply chain cycle is long, and every link may carry security risks, leading to threats such as software vulnerabilities, software backdoors, malicious tampering, intellectual property risks, and information leakage.

Containerized operation introduces additional attack surfaces: container application deployment relies on Linux kernel features, and attackers exploit kernel vulnerabilities to launch targeted escape or intrusion attacks across multiple dimensions, such as container runtime components and container application deployment configuration. In recent years, many high-risk vulnerabilities have been disclosed in open source communities such as K8s, Docker, and Istio, providing opportunities for attackers.

Across its entire life cycle, the software supply chain should reduce security risk while preserving software availability, integrity, and confidentiality, and should make security operations along the whole link auditable, traceable, and automated. The supply chain needs defense-in-depth security capabilities from software development through delivery to operation, so that once a problem occurs in any link it can be located and traced promptly and accurately, and the risks to related parties can be identified and hardened against in time.

Alibaba Cloud Cloud Native Software Supply Chain Solution

To help customers practice software supply chain security more conveniently, the Alibaba Cloud Container Service team provides an end-to-end solution. In both cross-enterprise delivery and in-house development iteration scenarios, enterprise customers can improve security governance efficiency and security hardening capabilities and achieve secure, trusted delivery of container applications across the full link.

In the container application delivery phase, the container image service ACR Enterprise Edition provides cloud-native application delivery chain capabilities, integrating access control, image building, content security, binary authentication, and global distribution. It supports preset risk interception policies, enabling risks to be discovered and blocked immediately and shifting security controls left.

For image content security, ACR and Cloud Security Center jointly provide an enhanced container image scanning engine covering system vulnerabilities, application vulnerabilities, baseline checks, malicious samples, and other risk types, with a high detection rate and a low false alarm rate. It also provides container image repair capabilities, supporting automatic and efficient remediation of risky vulnerabilities and closing the security loop from discovery to repair.

Cross-account delivery of images: For inter-enterprise ISV application delivery scenarios, ACR provides cross-account synchronization to ensure the safe distribution of container images and their signatures. The ISV delivers the image and its corresponding signature to the ISV customer's instance through ACR cross-account synchronization. The image has immutable image versions enabled, so that an image version cannot be overwritten. When the ISV customer deploys the image on ACK, the signature is verified against the ISV's public key to ensure that the image is intact and originates from the ISV.
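The two controls described above, signing the image on the ISV side and verifying it against the ISV's public key at deployment, together with an immutable tag-to-digest pin that refuses overwrites, can be seen end to end in the following added example. It is illustrative code written for this article, not ACR or ACK code: the Ed25519 key, the manifest bytes, and the tag names are constructed sample values, and the signed message is simply the manifest digest string.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ImageDigest computes the content digest a registry would record for a
// manifest (the manifest bytes passed in are constructed sample data).
func ImageDigest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// SignDigest is the ISV side: the digest is signed with the ISV's private
// key before the image is synchronized to the customer instance.
func SignDigest(priv ed25519.PrivateKey, digest string) []byte {
	return ed25519.Sign(priv, []byte(digest))
}

// VerifyDigest is the customer side: the deploying cluster checks the
// signature against the ISV's public key. Any change to the manifest, and
// therefore to the digest, invalidates the signature.
func VerifyDigest(pub ed25519.PublicKey, digest string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(digest), sig)
}

// ImmutableTags models an immutable image version: a tag is pinned to a
// digest once and can never be re-pointed afterwards.
type ImmutableTags struct{ pins map[string]string }

func NewImmutableTags() *ImmutableTags { return &ImmutableTags{pins: map[string]string{}} }

var ErrTagImmutable = errors.New("tag already pinned to a different digest")

// Pin records tag -> digest; re-pinning the identical digest is a no-op,
// re-pinning a different digest is rejected.
func (t *ImmutableTags) Pin(tag, digest string) error {
	if existing, ok := t.pins[tag]; ok && existing != digest {
		return ErrTagImmutable
	}
	t.pins[tag] = digest
	return nil
}

// Resolve returns the digest pinned to a tag, if any.
func (t *ImmutableTags) Resolve(tag string) (string, bool) {
	d, ok := t.pins[tag]
	return d, ok
}

// AdmitImage is the deploy-time check: the tag must resolve to a pinned
// digest, and that digest must carry a valid signature from the ISV key.
func AdmitImage(tags *ImmutableTags, pub ed25519.PublicKey, tag string, sig []byte) error {
	digest, ok := tags.Resolve(tag)
	if !ok {
		return fmt.Errorf("tag %q has no pinned digest", tag)
	}
	if !VerifyDigest(pub, digest, sig) {
		return fmt.Errorf("signature for %s does not verify against the ISV public key", digest)
	}
	return nil
}

func main() {
	// Constructed ISV key: a fixed seed keeps the demo deterministic. A real
	// signing key lives in a KMS, never in source.
	seed := make([]byte, ed25519.SeedSize)
	copy(seed, []byte("constructed-demo-seed-not-a-real-key"))
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)

	manifest := []byte(`{"schemaVersion":2,"config":{"digest":"sha256:demo"}}`) // constructed
	digest := ImageDigest(manifest)
	sig := SignDigest(priv, digest)

	tags := NewImmutableTags()
	_ = tags.Pin("social-ecommerce:1.0.0", digest)
	fmt.Println("admit signed image:", AdmitImage(tags, pub, "social-ecommerce:1.0.0", sig))

	// Trying to re-point the tag at a modified manifest is refused by immutability.
	tampered := ImageDigest(append(manifest, '\n'))
	fmt.Println("overwrite tag:", tags.Pin("social-ecommerce:1.0.0", tampered))
}
```

The point of pairing the two checks is that neither is sufficient alone: a signature without a pinned digest lets a tag silently move to a different (possibly unsigned) image, and an immutable tag without a signature says nothing about who produced the content.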

During the runtime phase of container applications, Container Service ACK provides deployment policy management, security inspection, and security policies to ensure the consistency of container applications, on top of security hardening of the default control-plane and system components. The Cloud Security Center integrated with ACK provides container runtime security monitoring and alerting covering more than 200 security detection models along the ATT&CK kill chain, improving the security of the overall workload operating environment. For ISV application scenarios, ACK also offers the security sandbox container as a runtime, providing stronger security isolation and higher stability.

Deployment policy management: ACK builds on the OPA policy engine and a rich set of preset policy templates to constrain application configuration security, supporting multi-dimensional deployment policy management over container business YAML, preventing risky behaviors such as privileged containers and deployment of risky images, and strengthening proactive container security governance on the cluster side.
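Admission-time policy of the kind described above, rejecting privileged containers and risky images before they start, reduces to evaluating a few rules over the submitted pod manifest. The following is an added example written for this article, not ACK's policy templates or OPA code: it parses the subset of a Pod manifest the rules need and reports every violation. The policy values (the allowed registry `isv-registry.example.com`, the digest-pinning requirement) and the two sample manifests are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal subset of a Kubernetes Pod manifest needed by the rules below.
type SecurityContext struct {
	Privileged *bool `json:"privileged,omitempty"`
}

type Container struct {
	Name            string           `json:"name"`
	Image           string           `json:"image"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}

type Pod struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Spec struct {
		InitContainers []Container `json:"initContainers,omitempty"`
		Containers     []Container `json:"containers"`
	} `json:"spec"`
}

// Policy holds the preset constraints: registries images may be pulled from,
// and whether image references must be pinned to a digest.
type Policy struct {
	AllowedRegistries []string
	RequireDigest     bool
}

// DefaultPolicy is a constructed policy for the demo.
var DefaultPolicy = Policy{
	AllowedRegistries: []string{"isv-registry.example.com"},
	RequireDigest:     true,
}

// registryOf extracts the registry host from an image reference. Following the
// Docker reference grammar, the first path segment is a registry only if the
// reference has a slash and that segment contains a dot or port or is "localhost";
// otherwise Docker Hub is implied.
func registryOf(image string) string {
	if !strings.Contains(image, "/") {
		return "docker.io"
	}
	first := strings.SplitN(image, "/", 2)[0]
	if strings.ContainsAny(first, ".:") || first == "localhost" {
		return first
	}
	return "docker.io"
}

func (p Policy) registryAllowed(image string) bool {
	host := registryOf(image)
	for _, allowed := range p.AllowedRegistries {
		if host == allowed {
			return true
		}
	}
	return false
}

// Evaluate returns one message per rule the pod breaks (init containers
// included); an empty result means the deployment is admitted.
func (p Policy) Evaluate(podJSON []byte) ([]string, error) {
	var pod Pod
	if err := json.Unmarshal(podJSON, &pod); err != nil {
		return nil, fmt.Errorf("invalid pod manifest: %w", err)
	}
	var violations []string
	all := append(append([]Container{}, pod.Spec.InitContainers...), pod.Spec.Containers...)
	for _, c := range all {
		if c.SecurityContext != nil && c.SecurityContext.Privileged != nil && *c.SecurityContext.Privileged {
			violations = append(violations, fmt.Sprintf("container %q: privileged containers are not allowed", c.Name))
		}
		if !p.registryAllowed(c.Image) {
			violations = append(violations, fmt.Sprintf("container %q: image %q is not from an allowed registry", c.Name, c.Image))
		}
		if p.RequireDigest && !strings.Contains(c.Image, "@sha256:") {
			violations = append(violations, fmt.Sprintf("container %q: image %q is not pinned to a digest", c.Name, c.Image))
		}
	}
	return violations, nil
}

// Constructed sample manifests: one that breaks every rule, one that passes.
const RiskyPod = `{"metadata":{"name":"risky"},"spec":{"containers":[
  {"name":"app","image":"nginx:latest","securityContext":{"privileged":true}}]}}`

const CompliantPod = `{"metadata":{"name":"ok"},"spec":{"containers":[
  {"name":"app","image":"isv-registry.example.com/isv/social-ecommerce@sha256:` +
	`0000000000000000000000000000000000000000000000000000000000000000"}]}}`

func main() {
	for _, m := range []string{RiskyPod, CompliantPod} {
		v, err := DefaultPolicy.Evaluate([]byte(m))
		fmt.Println(len(v), "violation(s)", v, err)
	}
}
```

In a real cluster the same rules would be expressed in Rego and enforced by the admission webhook; the value of writing them out as plain code is that the edge cases (init containers, implied Docker Hub registry, a `latest` tag that carries no digest) are visible and testable.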

Security sandbox container: End customers use the security sandbox container as the runtime. Compared with the original Docker runtime, the container application runs in a lightweight virtual machine sandbox with its own independent kernel, providing better security isolation and stronger stability than the community Kata Containers.

Container runtime security: End customers use the Cloud Security Center's container runtime security monitoring and alerting capabilities, which cover viruses and malicious programs on containers or the host, intrusion behavior inside containers, container escapes, early warning of high-risk operations, and other major container-side attacks, helping customers discover security threats in their assets promptly and keep track of the assets' security posture in real time.

In the security operation stage, customers can build an automated containerized DevSecOps process from ACR automatic synchronization, automatic scanning, automatic signing, ACK automatic signature verification, automatic policy enforcement, and automatic blocking of downstream steps once a risk is identified. By subscribing to risk events from ACR, ACK, and the Cloud Security Center, customers gain risk awareness across the whole process, from image content and image delivery to container deployment and container runtime, and can handle security risks promptly and efficiently, achieving global risk awareness.

Alibaba Cloud Container Family: Cloud Native Security Advanced Technology Products

At the 2022 Cloud Native Industry Conference on June 15, Alibaba Cloud also obtained the only domestic highest-level certification across the entire domain in the "Cloud Native Security Maturity" evaluation of the Institute of Information and Communications Technology. The institute's "Cloud Native Security Maturity" evaluation examines the security of enterprise cloud-native architecture along 5 dimensions: infrastructure security, cloud native infrastructure security, cloud native application security, cloud native R&D and operation security, and cloud native security, with a total of 315 sub-items. Through the accumulation of large-scale enterprise customer services and innovative technologies, the Alibaba Cloud cloud-native application platform has built a full-link cloud-native security solution, demonstrating the richness and leadership of Alibaba Cloud's cloud-native product security capabilities.

From container image service ACR and container service ACK to the Cloud Security Center, Alibaba Cloud's rich cloud-native security product family underpins Alibaba's own large-scale cloud-native practice and ensures cloud-native security throughout the application life cycle. These cloud-native security capabilities have also supported millions of enterprises on the cloud, improving the security of the software supply chain, and the efficiency of its governance, across the entire link within and between enterprises. Alibaba Cloud will continue to innovate in cloud-native security: through deep integration of products, technologies, and security operations, it will provide deeper, more intelligent and autonomous software supply chain security across cloud-side multi-deployment scenarios and across business forms such as microservices and serverless, safeguarding the upgrade of enterprise customers' cloud-native architectures.
