
Cloud Security --- How to protect your public cloud applications and systems

Posted time: Jul 20, 2020 14:54

Hi friends, I want to share some experiences about how to protect public cloud applications and systems.
We all know security is more and more important today, so what can we do to improve our cloud security?
Some areas you should pay attention to:
Basic security: DDoS protection, WAF, host security, monitoring, logging, security groups.
Data security: SSL certificates, database, KMS, RAM.
Application security: content security, API security.
Security services: vulnerability scanning, penetration testing.
I have summarized a table for your reference:

Big category: Equipment and computing security

Subclass: Identification
Content:
1. When remotely managing equipment in the cloud computing platform, a two-way authentication mechanism should be established between the management terminal and the cloud computing platform.
2. MFA should be enabled for all accounts.
3. Set appropriate passwords (at least 8 characters, containing numbers, letters and special symbols).
4. Passwords and keys should be rotated regularly, every 90 days.
Remarks: Avoiding account sharing and recording and auditing operation and maintenance actions are the most basic security requirements. These security measures are necessary to ensure system-level security and prevent server intrusion. (Host protection software, regular vulnerability scanning and patching, bastion host.)

Subclass: Access control
Content:
1. Different accounts should be created and assigned permissions according to the role of the management user.
2. Following the principle of least privilege, different roles (administrator, operation and maintenance, development, finance, etc.) should be given different authorizations (read, write, modify, full control, etc.).
3. Following the principle of least privilege, grant different resource permissions to different roles (for example, separated by project and business dimensions).

Subclass: Security audit
Content:
1. Privileged commands executed by cloud service providers and cloud service customers during remote management should be audited, including at least virtual machine deletion and virtual machine restart.
2. Centralized monitoring of the operation of virtual machines, virtualized security devices, etc.

Subclass: Intrusion prevention
Content:
1. It should be possible to detect failures of resource isolation between virtual machines and raise an alert.
2. It should be possible to detect unauthorized newly created virtual machines or re-enabled virtual machines and raise an alert.
3. It should be possible to detect malicious code infecting and spreading between virtual machines and raise an alert.

Subclass: Image and snapshot protection
Content:
1. Hardened operating system images or operating system hardening services should be provided for important business systems.
2. A virtual machine image and snapshot integrity check function should be provided to prevent virtual machine images from being maliciously tampered with.
3. Cryptographic techniques or other technical means should be adopted to prevent sensitive resources that may exist in virtual machine images and snapshots from being accessed illegally.

Subclass: Cloud host security protection
Content:
1. Confirm the compliance baseline of the cloud hosts on which the application is deployed.
2. The cloud hosts on which the application is deployed should pass security tests such as vulnerability scanning and penetration testing.

Subclass: Cloud host operation and maintenance
Content:
1. Measures should be taken to identify security vulnerabilities and hidden dangers in cloud hosts, pay timely attention to newly released system vulnerabilities, and evaluate the possible impact before patching.
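As an added example (not part of the original post), the Identification and Access control rows above can be turned into an offline audit script. The Python below checks constructed account records for MFA, the 8-character/number/letter/symbol password rule, 90-day rotation of passwords and keys, and account sharing, and checks constructed permission policies for wildcard actions or resources that violate least privilege. The record layout and field names are assumptions for the demo, not any cloud provider's real export or API.

```python
# Added example (not from the original post): an offline audit of cloud account
# hygiene against the checklist's Identification and Access control rows.
# The account and policy records below are constructed sample data in an
# assumed export shape; the field names are not any provider's real API.
import re
from datetime import date, timedelta

ROTATION_MAX_DAYS = 90  # checklist: rotate passwords and keys every 90 days


def password_meets_policy(password: str) -> bool:
    """Checklist rule, applied when a password is set: at least 8 characters
    containing digits, letters and special symbols."""
    return (len(password) >= 8
            and re.search(r"\d", password) is not None
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def audit_accounts(accounts, today):
    """Return (account, finding) pairs for MFA, rotation and sharing violations."""
    findings = []
    for acct in accounts:
        name = acct["name"]
        if not acct.get("mfa_enabled"):
            findings.append((name, "MFA not enabled"))
        if (today - acct["password_rotated"]).days > ROTATION_MAX_DAYS:
            findings.append((name, "password not rotated in 90 days"))
        for key in acct.get("access_keys", []):
            if (today - key["created"]).days > ROTATION_MAX_DAYS:
                findings.append((name, f"access key {key['id']} not rotated in 90 days"))
        if acct.get("shared_by", 1) > 1:
            findings.append((name, "account shared by several people"))
    return findings


def audit_policies(policies):
    """Flag Allow statements with wildcard actions or resources (not least privilege)."""
    findings = []
    for pol in policies:
        for stmt in pol["statements"]:
            if stmt.get("effect") != "Allow":
                continue
            if any(a == "*" or a.endswith(":*") for a in stmt["actions"]):
                findings.append((pol["name"], f"wildcard action in {stmt['actions']}"))
            if "*" in stmt["resources"]:
                findings.append((pol["name"], "wildcard resource"))
    return findings


# Constructed sample data (the post's date used as the reference day).
TODAY = date(2020, 7, 20)
SAMPLE_ACCOUNTS = [
    {"name": "ops-alice", "mfa_enabled": True,
     "password_rotated": TODAY - timedelta(days=30),
     "access_keys": [{"id": "KEY-SAMPLE-1", "created": TODAY - timedelta(days=20)}]},
    {"name": "shared-admin", "mfa_enabled": False, "shared_by": 3,
     "password_rotated": TODAY - timedelta(days=200),
     "access_keys": [{"id": "KEY-SAMPLE-2", "created": TODAY - timedelta(days=400)}]},
]
SAMPLE_POLICIES = [
    # finance role: read-only access to one bucket prefix, scoped to the project
    {"name": "finance-readonly", "statements": [
        {"effect": "Allow", "actions": ["storage:Get*", "storage:List*"],
         "resources": ["bucket/finance-reports/*"]}]},
    # a catch-all policy that violates least privilege twice over
    {"name": "dev-everything", "statements": [
        {"effect": "Allow", "actions": ["*"], "resources": ["*"]}]},
]

if __name__ == "__main__":
    for who, what in audit_accounts(SAMPLE_ACCOUNTS, TODAY) + audit_policies(SAMPLE_POLICIES):
        print(f"{who}: {what}")
```

Run against the sample data, only the shared, MFA-less `shared-admin` account and the catch-all `dev-everything` policy produce findings; the scoped finance policy passes because a partial wildcard such as `storage:Get*` inside one service on one resource prefix is still a bounded grant.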
Big category: Network and communication security

Subclass: Network architecture
Content: Different network areas should be divided, and addresses should be assigned to each network area in accordance with the principle of convenient management and control.
Remarks: According to the role and importance of the server, the network is divided into security domains. Access control policies are set at the security domain boundaries between the internal and external networks, with requirements specified down to the port. Record and audit user behavior logs and security event information in

Subclass: Access control
Content:
1. Access control rules should be set between network boundaries or areas based on access control policies. By default, the controlled interface denies all communication except what is explicitly allowed (via security group configuration, default deny all).
2. Security group policies should not allow public-network traffic unless it is necessary.
3. It should be possible to explicitly permit or deny incoming and outgoing data flows based on session state information.

Subclass: Communication transmission
Content:
1. Checksum techniques or encryption and decryption techniques should be used to ensure the integrity of data during communication and boundary protection (SSL certificates, etc.).
2. Cross-boundary access and data flows should be ensured to go through the controlled interface provided by the boundary protection device (security devices such as bastion hosts).

Subclass: Intrusion prevention
Content:
1. Detection should be performed at key network nodes to prevent or limit network attacks initiated from the outside.
2. It should be possible to detect network attacks on virtual network nodes and record the attack type, attack time, attack traffic, etc.
3. It should be possible to detect abnormal traffic between virtual machines and host machines, and between virtual machines.
4. Alerts should be raised when network attacks or abnormal traffic are detected (third-party probes on the network side).

Subclass: Security audit
Content:
1. Record changes to the virtualized network.
2. Centrally monitor the operating status of the virtualized network.
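The network Access control row (default deny, no public traffic unless necessary, management through the bastion only) can be checked mechanically. The Python below is an added example, not code from the original post: it audits a constructed security group export, flags ingress rules open to the whole internet on anything but an approved web port and management ports reachable from anywhere but the bastion subnet, and shows the weak rule set beside its corrected form. The export layout, `PUBLIC_OK_PORTS` and `BASTION_NET` are assumptions for the demo.

```python
# Added example (not from the original post): audit a security group against the
# checklist's network Access control row (default deny, no public traffic unless
# necessary). The group records are constructed; the field names are an assumed
# export shape, and BASTION_NET / PUBLIC_OK_PORTS are assumptions for the demo.
import ipaddress

MGMT_PORTS = {22, 3389}       # SSH / RDP: only the bastion subnet may reach these
PUBLIC_OK_PORTS = {80, 443}   # assumption: only web ports are "necessary" from anywhere
BASTION_NET = ipaddress.ip_network("10.0.100.0/24")  # constructed bastion subnet


def port_range(spec: str):
    """'22' -> (22, 22); '1-65535' -> (1, 65535)."""
    lo, _, hi = spec.partition("-")
    lo = int(lo)
    return lo, (int(hi) if hi else lo)


def audit_security_group(group):
    """Return a list of findings; an empty list means the group matches the checklist."""
    findings = []
    name = group["name"]
    if group.get("default_policy", "deny") != "deny":
        findings.append(f"{name}: default policy must be deny-all")
    for rule in group["rules"]:
        if rule["direction"] != "ingress" or rule["action"] != "accept":
            continue  # only ingress allow rules widen the exposed surface here
        peer = ipaddress.ip_network(rule["cidr"])
        lo, hi = port_range(rule["ports"])
        ports = set(range(lo, hi + 1))
        # prefix length 0 means 0.0.0.0/0 or ::/0, i.e. the whole internet
        if peer.prefixlen == 0 and not ports <= PUBLIC_OK_PORTS:
            findings.append(f"{name}: ports {rule['ports']} open to the whole internet ({rule['cidr']})")
        exposed = ports & MGMT_PORTS
        from_bastion = peer.version == 4 and peer.subnet_of(BASTION_NET)
        if exposed and not from_bastion:
            findings.append(f"{name}: management port(s) {sorted(exposed)} reachable from {rule['cidr']}, not the bastion")
    return findings


# Constructed sample groups: the weak one and its corrected counterpart.
WEAK_GROUP = {"name": "web-sg-weak", "default_policy": "deny", "rules": [
    {"direction": "ingress", "action": "accept", "cidr": "0.0.0.0/0", "ports": "1-65535"},
    {"direction": "ingress", "action": "accept", "cidr": "0.0.0.0/0", "ports": "22"},
]}
HARDENED_GROUP = {"name": "web-sg-hardened", "default_policy": "deny", "rules": [
    {"direction": "ingress", "action": "accept", "cidr": "0.0.0.0/0", "ports": "443"},
    {"direction": "ingress", "action": "accept", "cidr": "10.0.100.0/24", "ports": "22"},
    {"direction": "egress", "action": "accept", "cidr": "0.0.0.0/0", "ports": "1-65535"},
]}

if __name__ == "__main__":
    for g in (WEAK_GROUP, HARDENED_GROUP):
        print(g["name"], audit_security_group(g) or ["OK"])
```

The weak group yields four findings (the all-ports rule and the SSH rule each trip both the "open to the internet" and the "management port not from bastion" checks); the hardened group yields none, because 443 is on the approved list and SSH is restricted to the bastion subnet.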

Big category: Application and data security

Subclass: Data integrity and confidentiality
Content:
1. Important and sensitive data should be stored encrypted.
2. Public-network access to open storage is not allowed unless necessary.
3. Checksum techniques or encryption and decryption techniques should be used to ensure the integrity and confidentiality of important data during transmission, and necessary recovery measures should be taken when integrity damage is detected.
4. Cloud service customers should be supported in deploying key management solutions, so that cloud service customers can perform data encryption and decryption themselves.
Remarks: An application is the direct realization of a specific service and lacks the relatively standardized characteristics of networks and systems. The identity authentication, access control and operation audit functions of most applications are difficult to replace with third-party products; for data integrity and confidentiality, in addition to protection at other levels, encryption is the most effective method. Remote backup is one of the most important requirements distinguishing third-level protection from second-level protection, and is the most basic technical guarantee of business continuity.

Subclass: Data backup and recovery
Content:
1. Cloud service customers should keep a local backup of their business data.
2. The application should continue to work after some of its components fail (components can be decoupled with message queues, workflows, load balancing, etc.) and recover automatically (auto healing), so that the impact of a fault is reduced. When a component's dependency is abnormal, the component itself should not fail but continue to serve requests in a degraded manner.

Subclass: Log service
Content:
1. Collect common log sources, such as virtual machine logs, load balancing logs, network logs and other cloud application logs.
2. Monitor logs for important changes, monitor for abnormal conditions, and raise alerts.

Subclass: Disaster recovery plan
Content:
1. The RTO and RPO recovery targets of the corresponding application should be defined.
2. There should be a disaster recovery plan and steps for the corresponding application.
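The Log service row ("monitor important changes and abnormal conditions, and alert") and the earlier Security audit row (audit privileged operations, at least VM deletion and restart) describe detection logic that is easy to show concretely. The Python below is an added example, not code from the original post: it parses a constructed line-per-event audit log, alerts on every privileged action, flags privileged actions performed from outside the admin network, and detects a burst of failed logins from one source within a sliding window. The action names, the log format and `ADMIN_NET` are assumptions made for the demo.

```python
# Added example (not from the original post): detection rules run over a constructed
# audit log, covering the checklist's Security audit and Log service rows. The log
# format, action names and ADMIN_NET are assumptions for the demo.
import ipaddress
import json
from collections import defaultdict, deque
from datetime import datetime

# Operations the checklist says must always be audited (constructed names).
PRIVILEGED_ACTIONS = {"DeleteInstance", "RebootInstance", "ModifySecurityGroupRule", "DisableMFA"}
ADMIN_NET = ipaddress.ip_network("10.0.100.0/24")  # assumed bastion / admin network
FAILED_LOGIN_THRESHOLD = 5   # failures from one source ...
WINDOW_SECONDS = 60          # ... within this many seconds trigger an alert

# Constructed sample log: one JSON event per line (documentation IP ranges only).
SAMPLE_LOG = """\
{"ts": "2020-07-20T14:00:01Z", "user": "ops-alice", "src_ip": "10.0.100.7", "action": "RebootInstance", "result": "Success"}
{"ts": "2020-07-20T14:00:05Z", "user": "dev-bob", "src_ip": "203.0.113.9", "action": "DeleteInstance", "result": "Success"}
{"ts": "2020-07-20T14:01:00Z", "user": "dev-bob", "src_ip": "198.51.100.4", "action": "Login", "result": "Failure"}
{"ts": "2020-07-20T14:01:10Z", "user": "dev-bob", "src_ip": "198.51.100.4", "action": "Login", "result": "Failure"}
{"ts": "2020-07-20T14:01:20Z", "user": "dev-bob", "src_ip": "198.51.100.4", "action": "Login", "result": "Failure"}
{"ts": "2020-07-20T14:01:30Z", "user": "dev-bob", "src_ip": "198.51.100.4", "action": "Login", "result": "Failure"}
{"ts": "2020-07-20T14:01:40Z", "user": "dev-bob", "src_ip": "198.51.100.4", "action": "Login", "result": "Failure"}
{"ts": "2020-07-20T14:02:30Z", "user": "ops-alice", "src_ip": "10.0.100.7", "action": "DescribeInstances", "result": "Success"}
"""


def parse_events(text):
    """Parse line-delimited JSON events, converting the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(events):
    """Return (rule, subject, detail) alert tuples in event order."""
    alerts = []
    failures = defaultdict(deque)  # src_ip -> timestamps of recent login failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ipaddress.ip_address(ev["src_ip"])
        if ev["action"] in PRIVILEGED_ACTIONS:
            # always record privileged operations (the audit row)
            alerts.append(("privileged-action", ev["user"], ev["action"]))
            if src not in ADMIN_NET:
                # an admin change from outside the admin network is abnormal
                alerts.append(("privileged-action-outside-admin-net", ev["user"], ev["src_ip"]))
        if ev["action"] == "Login" and ev["result"] == "Failure":
            window = failures[ev["src_ip"]]
            window.append(ev["ts"])
            while (ev["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()  # drop failures that fell out of the window
            if len(window) == FAILED_LOGIN_THRESHOLD:  # fire once per burst
                alerts.append(("login-failure-burst", ev["src_ip"], len(window)))
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in detect(parse_events(SAMPLE_LOG)):
        print(f"ALERT {rule}: {subject} ({detail})")
```

On the sample log this yields four alerts: the two privileged actions, the instance deletion from outside the admin network, and the five-failure login burst from 198.51.100.4; the routine DescribeInstances call from the admin network is not flagged.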
Big category: Security policy system

Subclass: Security strategy
Content: Cloud service level agreement.
Remarks: Security strategies and systems are a very important foundation for ensuring continuous security.

Subclass: Confidentiality management
Content: A confidentiality agreement should be signed with the selected cloud service provider, requiring it not to disclose cloud service customer data.

Subclass: Asset management
Content: Compile, save and update the cloud asset list in a timely manner.

Subclass: Configuration management
Content: Basic configuration information should be recorded and saved.

Subclass: Emergency plan management and security incident handling