Xiao Li believes that moving to the cloud is the best way to raise an enterprise's security level. The cloud is secure by design and creates an "oasis on the cloud" for enterprise users: from physical data-center security up to core cloud-platform security, the cloud's security capabilities are integrated seamlessly into the platform itself ... Enterprises that previously had to carry complete security responsibility on their own can move to the Alibaba Cloud platform and obtain a higher level of security at lower cost.
"Upstream Thinking" of Cloud Native Security
Cloud security expertise is scarce and expensive. Alibaba has invested in it for many years and distilled the industry's best practices. The core shift in thinking for cloud-based security construction is this: where traditional security responds passively, cloud-based infrastructure gives security the ability to solve problems upstream. If the new environment is secured with traditional security thinking, most of the cloud's advantages are thrown away.
The cloud is secure by design: its highest-level security capability reaches down to the hardware layer to create a trusted environment covering the full stack and the full life cycle. The layering that users see changes accordingly, and security products evolve with it. When building an enterprise security architecture on cloud native capabilities, users only need to choose the services that meet their own security goals; security products are no longer bolted on, and security capabilities are exposed as open services.
The cloud is a safer "oasis": it automatically takes the homogeneous, complex security problems off users' hands so that they can concentrate on problems that add more value.
What follows is an edited transcript of the speech.
The epidemic has had a great impact on every industry. In the first half of this year, all industries accelerated their digitalization. On the one hand, more industry users are embracing cloud computing and Alibaba Cloud; on the other hand, we see that network security has entered the top three issues that enterprises are most concerned about and need to solve. Many government and financial customers use the core capabilities of cloud security to build their next-generation security architecture on the Alibaba Cloud platform. Next, I will focus on Alibaba Cloud's security technology and cloud native security capabilities, and on how they help enterprises solve security problems that were previously unresolved.
Scale out by 10,000 servers within 2 hours
Security services covered by default
In February, the epidemic put online classes for millions of students and online work for hundreds of millions of people onto DingTalk. Facing an exponential explosion of traffic, it took only two hours to scale out by 10,000 servers. Under a traditional architecture, full security coverage at that pace is impossible: attacks would interrupt online meetings and online video, and the risk of disclosing users' private data would rise. Through the cloud's native security services, DingTalk quickly brought in Anti-DDoS protection, cloud WAF and other combined protections to keep DingTalk running stably.
Imagine an enterprise like DingTalk deploying security devices on that scale in a traditional offline scenario: every device needs to be racked and debugged, and placed in-line on the link before it can defend anything. I believe it would take at least a month. Cloud security services instead let the whole business scale out within hours, with real-time service escorting the business.
Integration of security capabilities with infrastructure
Solving ransomware with zero ransom paid
A traditional enterprise security architecture has a large number of devices on the link, a very complex network. Large enterprises may even have hundreds of security devices connected in series, online and offline, so the link connectivity problem of the whole security estate is obviously huge. That leads to a problem of overall management and to data islands between security capabilities. Security capabilities on the cloud can be integrated directly into cloud products. For example, cloud native security capabilities are further integrated with CDN and with Server Load Balancer (SLB), so users' security improves as they use those products, whether for access or for integrated management.
Alibaba has its own system called the Unified Access Layer. We integrate security capabilities at that level: when business systems across the Alibaba economy go online, they only need to connect to this system in a unified way, and the security capabilities follow. This new kind of security is also very convenient and fast for the business side and removes a lot of workload. I also want to share another case. Over the past six months, ransomware attacks have been rampant, up 72%. Attackers profit by encrypting enterprise data, and this has become one of the most important threats enterprises face.
Garmin, the internationally known GPS company, recently suffered a security incident. One day its global users could not use the service; it was interrupted. Ransomware had encrypted Garmin's data, and a ransom of tens of millions of dollars was demanded. In the end Garmin paid the ransom to decrypt the data and restore service, but suffered heavy losses.
Alibaba Cloud's anti-ransomware scheme integrates security capability with the entire infrastructure of cloud products to detect and protect against ransomware. Users can build this scheme on the snapshot capability of container images. Even if detection and defense are challenged and some unknown worm encrypts user data, users of the Alibaba Cloud anti-ransomware scheme can quickly recover their data from image snapshots without paying a ransom.
We have seen many such scenarios. When security capabilities and technology are integrated further into cloud products, the chemical reaction is even greater.
Strike firmware attacks from the higher dimension of hardware security
The highest level of security protection
Just a few weeks ago, the UK's National Cyber Security Centre released a report on attacks against COVID-19 vaccine research institutions. The attackers gained long-term control of the border network by replacing the firmware of all VPN servers on the network.
As we all know, firmware-based attacks of this kind are hard for system-level security software to detect. In security countermeasures, striking from a higher dimension works best: the lower the layer at which detection and defense capabilities sit, the more effective they are against attacks on the layers above.
Alibaba Cloud's hardware security capability supports security checks at system start-up, which can effectively find such deep backdoors and Trojans. There are countless such examples. We expect to give all users on the cloud a high level of security protection through the high security capability of Alibaba Cloud's hardware.
Make identity the new security boundary
Create a zero-trust network environment
As business grows more complex, traditional network boundaries and access controls, including isolation, become weaker and weaker. Identity has become the new security boundary for enterprises and will be one of the core dimensions of building new security. During this epidemic, 80% of enterprises chose remote work, and the security challenges they faced included the security of employees' home devices, the security of the entire office network's traffic, and the risk of data leakage from cloud-based application systems ... This is a very big challenge for enterprises.
Alibaba Cloud has a customer, Yuanfudao. As a leading online education company with more than 30,000 employees worldwide, many of whom worked from home during the epidemic, it needed unified remote management. After several rounds of production-environment verification, Yuanfudao finally chose Alibaba Cloud's complete zero-trust remote work solution to solve this problem.
Alibaba Cloud's zero-trust scheme verifies the trust of every employee terminal and uses two factors to strongly authenticate each user's identity. A decision engine in the cloud fronts all the core application systems in the back end, providing a unified ID and unified authorization. The intelligent decision engine in the cloud can also decide, from the current security factors, what permissions to grant each user, improving office efficiency, employee experience and security level all at once.
Default data encryption and key rotation
Make privacy leaks impossible
Data security on the cloud must be a major concern for every enterprise, and default data encryption is a clear trend in data security. Let me share the case of a domestic mobile phone manufacturer. Everyone's phone photos are stored in the cloud, and they are certainly very important private data for individuals. This manufacturer stores its cloud data on our OSS product and uses OSS's default encryption function.
All users' private photos are encrypted by default when stored on OSS in Alibaba Cloud, and all keys are kept by the customer itself. This effectively prevents the security risks that come with data leakage in the cloud. At present we support default encryption in 17 cloud products and provide key rotation. Users manage their own keys through the key management system, and if a cloud key leaks, one-click key rotation further protects the data in the cloud.
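The default-encryption-plus-rotation flow described above, as an added example that is not Alibaba Cloud's or OSS's code: a hypothetical envelope-encryption scheme in Go in which each object is encrypted under its own data key (DEK), the DEK is wrapped under a customer-held key-encryption key (KEK), and rotation re-wraps the DEK under a new KEK without rewriting the object. AES-256-GCM, the Kek and Envelope types, the version-binding AAD and the sample photo bytes are all assumptions made for the illustration. The Rekey function shows the caveat a practitioner should keep in mind: KEK rotation is cheap precisely because it never touches the ciphertext, so if the per-object data key rather than the customer key has been exposed, only a full re-encryption helps.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Kek is a customer-held key-encryption key (hypothetical type, not a KMS API).
type Kek struct {
	Version int
	Key     []byte // 32 bytes, AES-256
}

// Envelope is stored beside the object: ciphertext, the data key wrapped under
// a KEK, and the version of that KEK so rotation can proceed object by object.
type Envelope struct {
	KekVersion int
	WrappedDEK []byte
	Ciphertext []byte
}

func randBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// NewKek generates a random AES-256 key tagged with a version number.
func NewKek(version int) (Kek, error) {
	key, err := randBytes(32)
	return Kek{Version: version, Key: key}, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM; the random nonce is prefixed to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if key, nonce, tag or AAD do not match.
func open(key, data, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

// kekAAD binds a wrapped DEK to the KEK version recorded in the envelope, so a
// tampered version field is rejected by GCM even when the right key is offered.
func kekAAD(version int) []byte { return []byte(fmt.Sprintf("kek-v%d", version)) }

// Encrypt: fresh per-object DEK, object sealed under the DEK, DEK wrapped under
// the KEK. Only the small wrapped DEK depends on the customer's key.
func Encrypt(kek Kek, plaintext []byte) (Envelope, error) {
	dek, err := randBytes(32)
	if err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, plaintext, nil)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek.Key, dek, kekAAD(kek.Version))
	return Envelope{KekVersion: kek.Version, WrappedDEK: wrapped, Ciphertext: ct}, err
}

// Decrypt unwraps the DEK with the offered KEK, then opens the object.
func Decrypt(kek Kek, env Envelope) ([]byte, error) {
	dek, err := open(kek.Key, env.WrappedDEK, kekAAD(env.KekVersion))
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, nil)
}

// Rotate re-wraps the DEK under a new KEK. The object ciphertext is untouched,
// which makes rotation cheap and also means it cannot help if the DEK leaked.
func Rotate(oldKek, newKek Kek, env Envelope) (Envelope, error) {
	dek, err := open(oldKek.Key, env.WrappedDEK, kekAAD(env.KekVersion))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(newKek.Key, dek, kekAAD(newKek.Version))
	return Envelope{KekVersion: newKek.Version, WrappedDEK: wrapped, Ciphertext: env.Ciphertext}, err
}

// Rekey is the expensive path for a suspected DEK exposure: a new DEK and a
// full re-encryption of the object under the current KEK.
func Rekey(kek Kek, env Envelope) (Envelope, error) {
	pt, err := Decrypt(kek, env)
	if err != nil {
		return Envelope{}, err
	}
	return Encrypt(kek, pt)
}

func main() {
	k1, _ := NewKek(1)
	k2, _ := NewKek(2)
	env, _ := Encrypt(k1, []byte("constructed sample: one user's photo bytes"))
	rot, _ := Rotate(k1, k2, env)
	_, oldErr := Decrypt(k1, rot) // retired KEK no longer opens the rotated envelope
	pt, _ := Decrypt(k2, rot)
	fmt.Printf("retired KEK: %v\ncurrent KEK: %q\n", oldErr, pt)
}
```

Rotation here is a metadata-only operation on the stored envelope, which is what makes "one-click" rotation across a large object store feasible; a real service would also keep the retired KEK version readable until every envelope has been re-wrapped, and would reach for the Rekey path only when the data keys themselves are suspected of exposure.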
Data intelligence drives security technology
It turns out that the security challenge enterprises face is too much data. Within massive traffic, threats must be found effectively, located precisely and intercepted at the first moment. Alibaba Cloud has applied data technology to many security fields with good results.
In DDoS defense and web security defense, we can identify and intercept attack traffic very accurately through algorithmic models. In threat intelligence, Alibaba Cloud can identify malicious IPs across the whole network, analyze threats automatically and automatically produce "security vaccines". In content security and risk control scenarios, analysis and understanding of images and videos help users identify prohibited content related to pornography, terrorism and violence in their business, and authenticate users by video. These are the "six core advantages" of cloud native security summarized from the past year's practice. On top of the many security product capabilities and frameworks that have already landed, today I am also releasing Alibaba Cloud's native security architecture.
Based on this architecture, every enterprise can build its next-generation innovative security architecture on the cloud according to its own business requirements and business scenarios. The whole architecture is divided into three layers:
Layer 1: Cloud platform security
Alibaba Cloud uses hardware security capabilities and the threat detection and response capabilities of its global cloud platform to build a more secure foundation for the cloud platform.
Layer 2: Cloud product security
Security functions and security threat modeling are integrated into the product development process from the design stage, making sure all code is secure before going online and giving users a secure cloud product.
Layer 3: Built-in native security
At the host, network, application, data and business layers, security capabilities are integrated into scenario solutions at every level and provided to users in every industry.
Today Alibaba Cloud Security has undoubtedly become the leader in cloud security, whether measured by the recognition of international third-party analysts such as IDC, Gartner and Forrester, or by the choice of leading users at home and abroad.
Alibaba's whole stack runs on the cloud. On the one hand, we help all business units solve security problems based on the cloud platform and cloud native security capabilities; on the other hand, we hope that through the cloud platform, the millions of users on the cloud will enjoy the same security protection as Alibaba.
With the development of the cloud today, changes in the underlying infrastructure have brought earth-shaking changes to security. I believe that in the future every enterprise will enjoy the highest level of security in the cloud.
There will be more innovation in cloud security, and I look forward to helping users build the next-generation security architecture through the cloud's native security capabilities. More importantly, stay in control of the cloud while using it, and fully unleash enterprises' business competitiveness in the "oasis on the cloud"!