Cloud Container Security Capability Advanced Certification

End-to-end cloud-native security architecture

As early as 2018, the Alibaba Cloud Container Service team took the lead in proposing the concept of "end-to-end enterprise-level security capabilities" and launched a three-dimensional end-to-end cloud-native security architecture.

Security challenges in the container and cloud-native era differ from traditional security in three respects:

The first is high dynamism and high density. Previously a machine ran only a few applications; now a single server can run hundreds, more than ten times the original density. In addition, because containers recover automatically and have other such characteristics, a container running on machine A at one moment may drift to another machine at the next.

The second is agility and rapid iteration. Applications built with container-based DevOps are released very frequently, several times as often as traditional ones.

Third, in an era of open standards and division of labor across the software industry, the introduction of more and more untrusted third-party open source software has further aggravated security risks. These characteristics of containers place higher demands on cloud-native security.

To deal with these security risks, the Alibaba Cloud Container Service team launched a three-dimensional end-to-end cloud-native security architecture that addresses security at three levels:

The bottom layer relies on the existing security capabilities of the Alibaba Cloud platform, including physical security, hardware security, virtualization security, and cloud product security capabilities;

In the middle is the container infrastructure security layer. Following the principle of minimizing the attack surface, it provides important base security capabilities including access control, permission convergence, configuration hardening, and identity management. It also covers the security elements on the user's access path, such as credential issuance, certificates, keys, and cluster auditing, and builds a corresponding automated operations and maintenance system;

On top of the container infrastructure security layer, corresponding security capabilities are provided across the life cycle of container applications, from build in the supply chain to runtime. For example, image security scanning and image signing are provided during the build phase; at runtime, an integrated security management capability combines runtime policy management, configuration inspection, and runtime security scanning. It also supports secure sandbox containers and TEE confidential computing technology, providing better security isolation and data privacy for enterprise container applications.

Defense in depth, protecting the entire life cycle of container applications
With the growing popularity of cloud-native technology, more and more companies have chosen to carry out containerized cloud-native transformation in their own production environments, and the popularity of the K8s community has drawn wide media attention. This also makes it a prime target for many attackers.

Container security now faces new challenges. On the one hand, high-risk vulnerabilities in open source projects such as Kubernetes, Helm, and etcd appear frequently, and related coverage attracts growing attention. According to statistics, the Kubernetes community has disclosed more than 20 CVE vulnerabilities since 2018.

On the other hand, the extensive integration of Kubernetes, the new operating system of the cloud-native era, with heterogeneous computing devices, together with the continued development of serverless technology, has made the life cycle of container applications shorter and shorter while the deployment density of container applications on cluster nodes keeps rising. Traditional security scanning on the supply-chain side can no longer fully expose these risks. In the face of these challenges, a clearer security protection system and corresponding security technology upgrades must be built around the characteristics of cloud-native container technology.

On the basis of the three-layer cloud security architecture described above (infrastructure, software supply chain, runtime), Alibaba Cloud Container Service ACK and Container Image Service ACR have done two major things: defense in depth, building an integrated security process from supply chain to runtime; and minimizing the attack surface, creating a secure and stable container base platform.

Across the application life cycle of enterprise users, and based on the overall security architecture of Alibaba Cloud Container Service, users can first expose security risks in application images through image security scanning on the supply-chain side during the development, testing, and build stages. At the same time, enterprise users can enable the image signing capability for a specified repository in Alibaba Cloud Container Image Service Enterprise Edition (ACR EE) so that pushed images are signed automatically. Before application deployment, secure defaults are an important principle of security design for the application system, and configuration security is a main risk for container applications in the production environment. For this reason, the cluster's security administrator can use the unified policy management platform provided by Alibaba Cloud Container Service to apply consistent rule definitions and deliver customized security governance for application systems across different clusters. Successful deployment does not mean that the security work is over: users can protect the runtime security of container applications through the runtime monitoring and alerting, configuration inspection, cluster auditing, and key encryption provided by the container service security management center. Together these form defense-in-depth capabilities covering the whole of container security.
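The supply-chain-to-deployment gate described in the two passages above (build-time scanning and signing, then consistent policy rules applied before deployment), reduced to a runnable illustration. This is an added example written for this page, not the code of ACK, ACR EE or the policy management platform: the signing key, the registry records (digest, signature, critical-CVE count from scanning) and the pod manifests are all constructed, an HMAC stands in for the asymmetric signature a real registry would produce with a KMS-held key, and the helpers (`admit`, `check_image`, `check_pod_config`, `make_pod`) are hypothetical. It shows the three checks such a deployment-time policy combines: the image must be pinned by digest rather than a mutable tag, the digest's signature must verify and its scan result must be clean, and the pod's security context must follow hardened defaults. Every violation is reported rather than only the first, which is what an administrator wants from a policy report.

```python
import hashlib
import hmac
import json
import re

# Illustrative example, not ACK/ACR's own implementation. The signing key, registry
# records and manifests below are constructed for this demo, and HMAC-SHA256 stands
# in for the asymmetric signature a real registry would produce with a KMS-held key.
SIGNING_KEY = b"demo-registry-signing-key"

# Only digest-pinned references are accepted: repo@sha256:<64 hex chars>
DIGEST_RE = re.compile(r"^(?P<repo>.+)@(?P<digest>sha256:[0-9a-f]{64})$")


def sign_digest(digest: str, key: bytes = SIGNING_KEY) -> str:
    """Signature over an immutable image digest (signing a mutable tag would be pointless)."""
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


def verify_digest(digest: str, signature: str, key: bytes = SIGNING_KEY) -> bool:
    """Constant-time comparison so the verifier does not leak the expected value."""
    return hmac.compare_digest(sign_digest(digest, key), signature)


def fake_digest(name: str) -> str:
    """Constructed digest for the demo registry; a real one comes from the image manifest."""
    return "sha256:" + hashlib.sha256(name.encode()).hexdigest()


def build_registry() -> dict:
    """Constructed trust store: digest -> signature and critical-CVE count from scanning."""
    good, tampered, vulnerable = (fake_digest(n) for n in ("app:v1", "app:v1-tampered", "app:v0"))
    return {
        good: {"signature": sign_digest(good), "critical_cves": 0},
        # signed with a different key, so verification against SIGNING_KEY fails
        tampered: {"signature": sign_digest(tampered, b"some-other-key"), "critical_cves": 0},
        vulnerable: {"signature": sign_digest(vulnerable), "critical_cves": 3},
    }


def check_image(image: str, registry: dict) -> list:
    """Supply-chain rules: digest pinning, valid signature, clean scan result."""
    m = DIGEST_RE.match(image)
    if not m:
        return [f"{image}: image must be pinned by digest, not a mutable tag"]
    digest = m.group("digest")
    record = registry.get(digest)
    if record is None:
        return [f"{image}: digest is unknown to the registry"]
    violations = []
    if not verify_digest(digest, record["signature"]):
        violations.append(f"{image}: image signature does not verify")
    if record["critical_cves"] > 0:
        violations.append(f"{image}: scan reports {record['critical_cves']} critical CVEs")
    return violations


def check_pod_config(pod: dict) -> list:
    """Configuration-hardening rules: no host namespaces, no privileged or root containers."""
    violations = []
    spec = pod.get("spec", {})
    if spec.get("hostNetwork") or spec.get("hostPID"):
        violations.append("pod: hostNetwork and hostPID are not permitted")
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(f"{c['name']}: privileged containers are not permitted")
        if sc.get("runAsNonRoot") is not True:
            violations.append(f"{c['name']}: runAsNonRoot must be true")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes defaults this to true
            violations.append(f"{c['name']}: allowPrivilegeEscalation must be false")
    return violations


def admit(pod: dict, registry: dict) -> dict:
    """Deployment-time decision: allowed only when every rule passes; all findings reported."""
    violations = check_pod_config(pod)
    for c in pod.get("spec", {}).get("containers", []):
        violations.extend(check_image(c["image"], registry))
    return {"allowed": not violations, "violations": violations}


def make_pod(image: str, **security_context) -> dict:
    """Constructed single-container pod manifest."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": "demo"},
        "spec": {"containers": [{"name": "app", "image": image, "securityContext": security_context}]},
    }


if __name__ == "__main__":
    registry = build_registry()
    hardened = {"runAsNonRoot": True, "allowPrivilegeEscalation": False}
    for pod in (
        make_pod("registry.example/app@" + fake_digest("app:v1"), **hardened),           # allowed
        make_pod("registry.example/app:latest", **hardened),                               # mutable tag
        make_pod("registry.example/app@" + fake_digest("app:v1-tampered"), **hardened),  # bad signature
        make_pod("registry.example/app@" + fake_digest("app:v0"), **hardened),           # critical CVEs
        make_pod("registry.example/app@" + fake_digest("app:v1"), privileged=True),      # weak config
    ):
        print(json.dumps(admit(pod, registry)))
```

Run as-is, the script prints one decision per manifest: only the first, digest-pinned, correctly signed, clean and hardened pod is allowed. The signature is computed over the digest rather than the tag because a tag can be re-pointed after signing, which is also why the rule rejects tag references outright. In a real cluster these rules would live in an admission controller or the platform's policy engine rather than a script, and the registry lookup and signature verification would call the registry and signing service.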

The choice of customers, the recognition of the industry, and the mission of Alibaba Cloud

Since starting its containerization journey in 2011, Alibaba has pioneered, among Chinese companies, the large-scale application of cloud-native technology in e-commerce, finance, manufacturing, and other fields. Alibaba Cloud has accumulated the richest cloud-native product family, the most comprehensive cloud-native open source contributions, the largest container clusters and customer base, and extensive cloud-native application practice.

Many customers who choose Alibaba Cloud Container Service also bring a variety of security scenarios:

An international new-retail giant, concerned with the security of its internal IT assets, uses Container Image Service ACR to sign and scan images in its software supply chain, applies RBAC permission control through RAM roles, and uses the service mesh for full-link mTLS authentication, certificate management, and auditing.

An international bank focuses on the security of data in operation. It uses full-link data encryption based on Alibaba Cloud Container Service ACK together with Cloud Security Center runtime alert monitoring, and uses the managed service mesh ASM for fine-grained control of east-west application traffic.

An international game company wanted to manage and control the permissions of all parties more efficiently. It implemented pod-level permission isolation of cloud resources on the control plane, synchronous import and update of keys from an external KMS system, and permission control and key management on the data plane, ensuring that sensitive container information is not disclosed.

In May 2020, Gartner released the "Solution Comparison for the Native Security Capabilities" report, the first comprehensive assessment of the overall security capabilities of the world's top cloud vendors. As the only Asian vendor shortlisted, Alibaba Cloud ranked second in the world in overall security capability, with 11 security capabilities rated at the highest level (High).
