Multi Cloud Security Technology Requirements. from Rasool Irfan

Its multi cloud world

According to IDC CloudView; 85% of enterprise evaluating or using public cloud, 87% of them taken steps towards a hybrid cloud strategy and 94% of than have plan to use multiple clouds.

Based on the public cloud market research ( Gartner : ID G00336148)

• Gartner predicts IaaS spending in public cloud will reach $45.8 billion in 2018
• The share of enterprise workloads moved to the public cloud is expected to triple over next five years – JP Morgan Research
• Enterprises’ adoption of IaaS as the primary environment for workloads will Jump from 10% in 2015 to 51% in 2018 – McKinsey

Security Technology Requirements

1. Physical Security
   1. Environment security requires protection against related physical damage threats and physical access risks. Device security requires protection of systems, buildings, and related infrastructure
2. Network Security
   1. For network border protection, the system should filter information entering or exiting the DC/cloud network, limit the maximum traffic of the management network and the number of network connections per user of the cloud computing platform, control administrators’ access to the management network, and detect and block invalid links of service and management networks. The system should also automatically update access control lists (ACLs) or traffic flow policies on managed interfaces of border management devices, isolate malicious virtual machines (VMs), defend against DDoS attacks, monitor traffic, and detect attacks and intrusion on borders.
   2. For network communication security, the system should support secure transmission between areas of different security levels to enable data transmission confidentiality, integrity protection, and trusted access protection. Users can be authenticated and authorized before accessing cloud computing resources. Direct access to the physical network of the cloud computing platform through the internet is forbidden. Open interfaces should be provided to allow access of trusted third-party security products
3. Virtualization Platform Security
   1. For virtualization platform security, the platform should support API security and tenant isolation of VMs/containers. Security hardening is required to ensure the integrity and confidentiality of resource data on the virtualization platform
4. Virtual Network Security
   1. Secure isolation of multi-tenant network services is required. Network resources and network topology can be updated and monitored centrally. The system should provide protection against DDoS attacks. Secure transmission is supported during communication between areas with different security levels
5. Virtual Storage Security
   1. User data on different VMs is isolated at the virtualization layer to prevent data theft and ensure data security. The system manages data location and home location and supports backup and service continuity
6. Host Security
   1. Host antivirus and malicious code prevention
   2. Host intrusion detection and prevention
   3. Host security hardening and patch management
7. Container Security
   1. The security of underlying physical infrastructure (computing, network, and storage) and manager should be ensured. The container repository should be properly protected and located in a secure location where appropriate access control is configured.
8. API Security
   1. The system should support API lifecycle and security policy management, API request management, IAM, validity verification of API requests by background services, and security analysis of monitoring and log data.
9. Database Security
   1. The database audit can parse the traffic entering and exiting the core database at the packet field level, completely restore the operation details, and provide detailed operation return results. In this way, all access is presented to the administrator in a visualized manner so that databases can be controlled and data threats can be quickly detected and handled.
10. Application System Security
    1. The system should support user management identity authentication, account management, role authentication, API access security, service management plane isolation, web security, and behavior audit. The cloud security service provider can provide web attack defense, cloud WAF, cloud WTP, and two-factor authentication services.
11. Data Security
    1. Data security is important. Key or sensitive data (static and dynamic) must be protected and risks of data leakage and damage must be minimized to ensure the reliability and security of service systems on the cloud. During network transmission, data integrity, confidentiality, and validity must be ensured to prevent interruption, replication, tamper, forgery, interception, and monitoring.
12. Network Audit
    1. If users affect network efficiency by performing irrelevant operations or using hosts to set up irrelevant services, technical capabilities need to be developed to record and restore network resource usage for audit
13. Network Behavior Management
    1. If users transfer sensitive information through the network, publish inappropriate comments in forums, and conduct behavior that supervisors forbid, related technical capabilities should be built to record and restore network resource usage and network behavior
14. Traffic Control Management
    1. Web servers in the cloud internet area carry websites. Within a given time window, a great number of normal access requests may be initiated and a single host may fail to handle mass volumes of concurrent requests quickly, reliably, and securely. For the website, a key application on the cloud, the system should eliminate service interruption risks caused by single point of failures (SPOFs). Similarly, applications such as the OA system carried by the extranet area are also facing risks caused by host overload and server SPOFs.
15. Key and Certificate
    1. The system limits the administrator login address of network devices (including virtualization network devices), handles device login failures, and uses two or more authentication technologies to authenticate the identity of administrators of these network devices. It also implements secure transmission of the devices in remote management, restricts privileged commands, minimizes administrator rights, and supports log records and audit reports.
16. Identity Authentication Management Platform
    1. The identities of system users are managed in a unified manner. According to the service division, personnel are classified into different types or groups and different access rights to modules are assigned. The rights can be set by the role, such as the common user, system administrator, security administrator, and audit administrator.
17. Database Audit
    1. Data security is important. Key or sensitive data (static and dynamic) must be protected and risks of data leakage and damage must be minimized to ensure the reliability and security of service systems on the cloud. Data isolation and security sharing between different tenants should be ensured. The database audit system is used to audit the behavior of accessing database servers.
18. Host Security Management (Bastion Host)
    1. The cloud platform needs to provide centralized and unified access control policies, which can perform identity authentication and authorization, audit operation behavior, and record user operations to prevent adverse impact on the production system due to incorrect operations, permission abuse, and mis-operations of O&M personnel. The operation records can be used for troubleshooting and fault recovery