Alibaba Cloud Enterprise Account: Alibaba Cloud Security Defense System Construction

cloud | 2026-06-12 | Reads: 1

Now that digital transformation has entered its deep-water phase, cloud computing is no longer merely a tool for "cutting costs and improving efficiency"; it is the digital heart of enterprise operations. Yet as businesses move to the cloud, the traditional physical network perimeter disappears entirely. Attackers' methods have evolved from the simple DDoS and SQL injection of the early days into multi-dimensional, intelligent intrusions that combine AI with automated scripting.

As the cloud service provider with the highest market share in China and the world, Alibaba Cloud has a large and complex family of security products. But for enterprise architects and security leaders, buying a pile of security products is not the same as having a security defense system.

How do you escape the passive posture of "treating the head when the head aches and the foot when the foot hurts"? This article skips empty slogans and strips away vendor marketing. Across five practical dimensions (defense-in-depth architecture, core chassis configuration, data lifecycle protection, active threat perception, and daily operations governance), it breaks down how to build, from scratch, an Alibaba Cloud security defense system that is as strong on offense as on defense.

1. Deconstructing "Defense in Depth": A Three-dimensional Layout of the Five-layer Security Net

There is an iron law in the security community: there is no single-point line of defense that is absolutely unbreakable. A truly mature architecture must be expected to "lengthen the attack path through layers of defense and increase the cost of hacker attacks". Based on the Alibaba Cloud ecosystem, a standard enterprise-level defense-in-depth system should be divided into five layers:


1. Perimeter network defense layer (the first pass of traffic scrubbing)

This is the front line against high-volume malicious traffic from outside.

Anti-DDoS (new-generation Anti-DDoS Pro): deployed at the outermost layer, mainly to absorb SYN floods, UDP floods and other network- and transport-layer traffic bombardment. With Alibaba Cloud's near-source scrubbing capability, high-volume attacks can be neutralised at the carrier edge so that service availability is preserved.

WAF (Web Application Firewall): defends the application layer (HTTP/HTTPS). Enable the default OWASP Top 10 rules, but also make deep use of its Bot management and AI-driven rules engine. More than half of today's web attacks are launched by automated scripts (bots). By analysing crawler, fake-order and malicious-scanning behaviour (request frequency, JA3 fingerprint, device fingerprint), WAF can block more than 80% of front-end threats.

2. Core network architecture layer (the "moat" of the enterprise intranet)

Once traffic is inside the cloud intranet, the core principle is isolation and minimisation of the exposed surface.

Cloud Firewall: this is the traffic police for north-south traffic (Internet to cloud) and east-west traffic (VPC to VPC, VPC to on-premises IDC). With Cloud Firewall you can map out the access relationships between business assets explicitly and strictly forbid any cross-VPC access that is not required.

VPC and Security Groups: business is physically isolated at the VPC level by "development, testing, production" or by "front end, application, database". As the virtual firewall at the host boundary, the security group must follow the principle of "deny by default, explicitly allow". The high-risk "running naked" configuration of opening TCP 22 (SSH) or 3389 (RDP) to 0.0.0.0/0 is strictly forbidden.
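The "deny by default, explicitly allow" rule above is easy to state and easy to break by accident, so the check is worth automating. The following is an added example, not Alibaba Cloud's own code: it audits a list of security group rules for management ports (22, 3389) reachable from the entire internet. The rule record shape, its field names, and the resolution order it applies (lower priority number wins, a drop beats an accept on a tie, drop when nothing matches) are simplifications modelled loosely on ECS security groups, and the sample rules are constructed; 203.0.113.10 is a documentation address standing in for a bastion host.

```python
"""Security group audit: find management ports reachable from the whole internet.

Added example, not Alibaba Cloud's own code. Rule records are a constructed,
simplified shape loosely modelled on ECS security group rules; the field names
and the resolution order are assumptions.
"""
import ipaddress
from dataclasses import dataclass

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}


@dataclass(frozen=True)
class Rule:
    direction: str          # "ingress" or "egress"
    protocol: str           # "tcp", "udp", "icmp" or "all"
    port_from: int          # -1 together with port_to == -1 means "all ports"
    port_to: int
    source_cidr: str        # IPv4 or IPv6 CIDR
    policy: str = "accept"  # "accept" or "drop"
    priority: int = 1       # 1 is the highest priority, 100 the lowest


def is_world_reachable(cidr: str) -> bool:
    """True when the source CIDR covers the whole IPv4 or IPv6 internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _covers_port(rule: Rule, port: int, protocol: str) -> bool:
    if rule.protocol not in (protocol, "all"):
        return False
    if rule.port_from == -1 and rule.port_to == -1:
        return True
    return rule.port_from <= port <= rule.port_to


def effective_verdict(rules, port: int, protocol: str = "tcp") -> str:
    """Verdict for traffic from the open internet to one port.

    Only ingress rules whose source is the whole internet are considered; the
    lowest priority number wins, a drop beats an accept at equal priority, and
    with no matching rule the verdict is drop (deny by default).
    """
    matches = [r for r in rules
               if r.direction == "ingress"
               and is_world_reachable(r.source_cidr)
               and _covers_port(r, port, protocol)]
    if not matches:
        return "drop"
    best = min(matches, key=lambda r: (r.priority, 0 if r.policy == "drop" else 1))
    return best.policy


def find_exposed_management_ports(rules) -> dict:
    """Return {port: service} for management ports accepted from 0.0.0.0/0 or ::/0."""
    return {port: name for port, name in MANAGEMENT_PORTS.items()
            if effective_verdict(rules, port) == "accept"}


# Constructed sample: a typical "running naked" group versus a hardened one.
RISKY_RULES = [
    Rule("ingress", "tcp", 443, 443, "0.0.0.0/0", "accept", 100),     # web: fine
    Rule("ingress", "tcp", 22, 22, "0.0.0.0/0", "accept", 100),       # SSH to the world: high risk
    Rule("ingress", "tcp", 3389, 3389, "10.0.0.0/8", "accept", 100),  # RDP only from the intranet
]

HARDENED_RULES = [
    Rule("ingress", "tcp", 443, 443, "0.0.0.0/0", "accept", 100),
    # SSH only from the bastion address (203.0.113.10 is a documentation address)
    Rule("ingress", "tcp", 22, 22, "203.0.113.10/32", "accept", 100),
    # explicit top-priority drop of RDP from the internet, so that a lower-priority
    # accept added later by mistake does not reopen the port
    Rule("ingress", "tcp", 3389, 3389, "0.0.0.0/0", "drop", 1),
    Rule("ingress", "tcp", 3389, 3389, "0.0.0.0/0", "accept", 50),
]

if __name__ == "__main__":
    for name, rules in (("risky", RISKY_RULES), ("hardened", HARDENED_RULES)):
        print(name, find_exposed_management_ports(rules))
```

The hardened list shows the second half of the principle: besides removing the offending accept, a high-priority explicit drop for the management port gives the group a safety net against a future careless edit.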

3. Host and compute environment layer (the server's "bodyguard")

When traffic has crossed the network and reached an ECS instance, a container (ACK) or Function Compute, the last mile of defense is left to host security.

Cloud Security Center (formerly Server Guard): this is the core of the entire defense system. Enterprises must achieve 100% agent coverage across all hosts. It provides vulnerability scanning and automatic patching, baseline checks, reverse-shell monitoring, and trojan and backdoor removal.

4. Application and asset logic layer (the control valve for code and identity)

RAM (Resource Access Management) and application identity: strictly enforce the principle of least privilege. Using the Alibaba Cloud root account for daily operations is forbidden. All employees and program calls must use RAM users, with MFA (multi-factor authentication) enabled.

5. Core data asset layer (the last physical line of defense)

The ultimate goal of all defense is to protect data. This layer focuses on encryption at rest, encryption in transit, and masking of sensitive data.

2. Practical Pitfall-Avoidance Guide: Hardcore Configuration and Policy Optimisation of the Core Products

Many enterprises have bought Cloud Firewall, WAF and Cloud Security Center and are still hit by ransomware, because default configurations often fail to stop customised attacks. Below is a hardening guide for Alibaba Cloud's three core security products:

1. Cloud Security Center: From "Only Seeing but Not Preventing" to "Active Interception"


Many people treat Cloud Security Center as an "alarm bell" and only patch by hand when a prompt appears; against automated attacks that is far too slow.

Anti-ransomware must be enabled: configure anti-ransomware protection for core servers (databases, file servers). Cloud Security Center automatically backs up the specified directories and, when it detects an unknown process modifying and encrypting files at scale, blocks the process directly.

Runtime Application Self-Protection (RASP): enable RASP for critical Java and Go applications. It injects security probes into the application itself. Even if an attacker exploits an unknown 0-day (such as Log4j2 back in the day), the moment the payload tries to execute illegal system commands or access files without authorisation, RASP intercepts it at the memory level.

2. WAF 3.0: "Dynamic, Refined Operation" under Alarm Normalisation

API security and automatic asset discovery: with the spread of microservices, unregistered "shadow APIs" have become the biggest security hole. The WAF API security feature must be enabled so that every API endpoint exposed on the cloud is identified automatically and analysed for unauthorised access or sensitive-data leakage (for example ID card or mobile numbers returned without masking).

Rethink the whitelist: adding large IP ranges to the WAF whitelist "to make testing easier" is strictly forbidden. The test environment should go through its own test WAF or a dedicated protected domain. Whitelist entries in production must be scoped to a single IP address and a single URL, and must carry an expiry time.

3. Cloud Firewall: Cast the Net to Block East-West Lateral Movement

Once attackers break into an edge test server, they usually use it as a springboard to scan and penetrate the intranet.

Enable east-west traffic protection: in the Cloud Firewall console, enable boundary protection between VPCs with one click.

Intelligent threat-intelligence blocking: enable Cloud Firewall's "active outbound" blocking. When a compromised intranet server tries to connect to an external C2 (command and control) server or a mining-pool IP, Cloud Firewall instantly cuts the outbound traffic based on threat intelligence from the entire Alibaba Cloud network, so the attacker's next instructions never arrive.

3. Data Security Lifecycle Protection: Building a "Safe" for Digital Assets

Data is the lifeline of the enterprise. A data security defense system must follow lifecycle management, with the implementation centred on two main threads: "encryption and decryption" and "audit".

| Stage | Core threats | Alibaba Cloud best-practice configuration |
|---|---|---|
| Data transmission | Traffic sniffing, man-in-the-middle attacks | Enforce HTTPS / TLS 1.3 site-wide; SLB (load balancer) enforces security certificates; sensitive intranet traffic goes over encrypted VPC peering connections. |
| Data storage | Database dumps, loss of physical media | Enable KMS (Key Management Service) and turn on TDE for cloud disks (EBS), object storage (OSS) and relational databases (RDS) with one click; keys are managed by the user. |
| Data usage | Insiders viewing or leaking data beyond their authority | Deploy Sensitive Data Protection (SDP); dynamically mask sensitive fields (names, card numbers) at the presentation layer in back-office admin systems and BI reports. |
| Data outflow | Credential stuffing, unauthorised external download | Strictly restrict OSS bucket permissions; setting "Public Read" is forbidden; enforce download restrictions through RAM policies and IP whitelists. |

Special emphasis: the ultimate weapon against ransomware is three-tier backup. Use Alibaba Cloud HBR (Hybrid Cloud Backup) to take periodic snapshots and backups of core ECS system disks and databases. More importantly, the backup vault lock (WORM) feature must be turned on: once enabled, nobody (including the cloud account root) can delete or tamper with the backup data during the specified retention period. Even if the front line falls, the enterprise still holds the card to rebuild the system.

4. Zero Trust for Identities and Permissions

In a modern security system the network boundary is blurred, and identity becomes the new perimeter. Building an Alibaba Cloud security defense system means implementing the zero-trust principle of "never trust, continuously verify".


Fine-grained RAM users with separation of duties (SoD): operations staff hold only ECS and VPC management rights, DBAs only RDS management rights, and financial auditors only billing-view rights. Restriction controls: add acs:SourceIp conditions to RAM policies, for example stipulating that certain core high-risk operations (deleting databases, changing the network architecture) may only be performed from the company intranet IP range or a designated bastion IP.
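To make the acs:SourceIp restriction above concrete, here is an added example, not Alibaba Cloud's code and not RAM's real evaluator. The policy document follows the RAM JSON shape (Version "1", a Statement list, Condition operators NotIpAddress and Bool, condition keys acs:SourceIp and acs:MFAPresent); the evaluator is a simplified deny-overrides model (a matching Deny always wins, an explicit Allow is otherwise required, anything else is implicitly denied). The DBA policy, the IP ranges and the resource name are constructed, and the treatment of wildcards and of missing condition keys is a simplification.

```python
"""RAM-style policy evaluation with an acs:SourceIp restriction.

Added example, not Alibaba Cloud's code. The policy document uses the RAM JSON
shape; the evaluator is a simplified deny-overrides model.
"""
import fnmatch
import ipaddress
import json

# Constructed policy for a DBA: full RDS rights, but destructive operations are
# denied unless the call comes from the office/bastion ranges with MFA present.
# Two Deny statements are used because conditions within one statement are ANDed.
DBA_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "rds:*", "Resource": "*"},
    {"Effect": "Deny",
     "Action": ["rds:DeleteDBInstance", "rds:DeleteDatabase"],
     "Resource": "*",
     "Condition": {"NotIpAddress": {"acs:SourceIp": ["10.0.0.0/8", "203.0.113.10/32"]}}},
    {"Effect": "Deny",
     "Action": ["rds:DeleteDBInstance", "rds:DeleteDatabase"],
     "Resource": "*",
     "Condition": {"Bool": {"acs:MFAPresent": "false"}}}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    """Case-insensitive glob match, e.g. 'rds:*' matches 'rds:DeleteDBInstance'."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _ip_in(ip: str, cidrs) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """All operator/key pairs inside one Condition block are ANDed."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            values = _as_list(expected)
            actual = ctx.get(key)
            if operator == "IpAddress":
                ok = actual is not None and _ip_in(actual, values)
            elif operator == "NotIpAddress":
                # a missing source IP counts as "outside the allowed range" (conservative)
                ok = actual is None or not _ip_in(actual, values)
            elif operator == "Bool":
                # a missing boolean key is treated as "false" (conservative)
                ok = str(ctx.get(key, "false")).lower() == str(values[0]).lower()
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policy: dict, action: str, resource: str, ctx: dict) -> str:
    """Deny-overrides evaluation of one request against one policy document."""
    explicitly_allowed = False
    for statement in policy["Statement"]:
        if not _matches(statement["Action"], action):
            continue
        if not _matches(statement.get("Resource", "*"), resource):
            continue
        if not _condition_holds(statement.get("Condition", {}), ctx):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        explicitly_allowed = True
    return "Allow" if explicitly_allowed else "Deny"


def dba_can(action: str, source_ip: str, mfa: bool,
            resource: str = "acs:rds:cn-hangzhou:123456:dbinstance/rm-demo") -> str:
    """Evaluate the constructed DBA policy for a request context."""
    ctx = {"acs:SourceIp": source_ip, "acs:MFAPresent": "true" if mfa else "false"}
    return evaluate(DBA_POLICY, action, resource, ctx)


if __name__ == "__main__":
    print(dba_can("rds:DeleteDBInstance", "10.1.2.3", mfa=True))      # Allow
    print(dba_can("rds:DeleteDBInstance", "198.51.100.7", mfa=True))  # Deny: off-network
    print(dba_can("rds:DeleteDBInstance", "10.1.2.3", mfa=False))     # Deny: no MFA
```

The design point is that the broad Allow stays simple and the guard rails are expressed as Deny statements: a Deny cannot be overridden by any later Allow, so adding another permissive policy to the same user does not silently reopen the destructive operations.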

Fully converge the remote management entry point (no public exposure): resolutely close ECS ports 22/3389 on the public side. Remote operations must go through Cloud Efficiency or the Bastion Host, which performs unified identity authentication and two-factor authentication and records and audits every command line that operations staff type (such as rm -rf). For temporary emergency operations, use Alibaba Cloud's Operation Orchestration Service (OOS) Session Manager, which lets operations staff connect to ECS directly and securely from the browser without opening any public port; it also works for ECS instances that have no public IP at all.

5. From "Static Defense" to "Dynamic Operation": Daily SecOps Governance

Security is not a static project but a dynamic process that keeps evolving. Once the system is built, how do you keep the machine running efficiently?

1. Unified log aggregation and threat response: cloud-native SIEM (log audit)

Connect WAF, Cloud Firewall, Cloud Security Center, ActionTrail (operations audit) and VPC flow logs to Alibaba Cloud Log Service (SLS) Security Center or to the Security Butler managed service.

Use the cloud-native SIEM capability for cross-product correlation. For example: WAF sees an IP address hammering the site with SQL injection attempts (alarm A); Cloud Firewall sees the same IP launching an SSH brute-force attack against an ECS instance on the intranet (alarm B); finally Cloud Security Center reports abnormal login behaviour on that ECS instance (alarm C). The system automatically links A, B and C, classifies them as a successful intrusion, and triggers a network-wide coordinated block.

2. Automated Security Orchestration and Response (SOAR)

Blocking IPs and isolating hosts by hand cannot keep up with attacks that act within seconds. Enterprises should progressively build automated playbooks:

When Security Center detects a reverse shell on an ECS instance (extremely high risk), it automatically triggers a Function Compute (FC) function or a Cloud Assistant script.

The script immediately performs two operations: a. modify the ECS instance's security group to pull it into an isolated VPC, cutting its connection to the other intranet machines; b. automatically create a system-disk snapshot of the instance, preserving the scene for later tracing and forensics.
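The correlation of alarms A, B and C described under SIEM, and the isolate-then-snapshot playbook described just above, form one detection-to-response flow. The following added example, which is not Alibaba Cloud's SLS or Security Center logic, implements both over constructed alert records: it groups alerts by source IP, confirms an incident when the WAF, Cloud Firewall and host alerts occur in order within a time window (or when a single reverse-shell alert arrives), and then runs the playbook in the order the text prescribes. The client class is a stand-in that records calls rather than invoking the ECS or Cloud Firewall APIs; the ECS operation names in its comments (ModifyInstanceAttribute, CreateSnapshot) are the real operations such a step maps to, but the wrapper methods, the alert field names and the quarantine security group ID are assumptions.

```python
"""Cross-product alert correlation and an automated isolation playbook.

Added example, not Alibaba Cloud's code. Alerts are constructed; the client is a
recording stand-in for the real API client.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The chain the narrative describes: A (WAF) -> B (Cloud Firewall) -> C (host).
KILL_CHAIN = ("waf:sql_injection",
              "cloud_firewall:ssh_bruteforce",
              "security_center:abnormal_login")

# Single alerts severe enough to trigger the playbook on their own.
CRITICAL_KINDS = {"security_center:reverse_shell"}

QUARANTINE_SG = "sg-QUARANTINE-PLACEHOLDER"  # placeholder: the isolation security group


def _t(hhmm: str) -> datetime:
    return datetime(2026, 6, 12, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample alerts (not real telemetry); addresses are documentation ranges.
ALERTS = [
    {"time": _t("10:00"), "kind": "waf:sql_injection", "src_ip": "198.51.100.7", "instance": None},
    {"time": _t("10:05"), "kind": "cloud_firewall:ssh_bruteforce", "src_ip": "198.51.100.7", "instance": "i-web01"},
    {"time": _t("10:12"), "kind": "security_center:abnormal_login", "src_ip": "198.51.100.7", "instance": "i-web01"},
    {"time": _t("10:20"), "kind": "waf:sql_injection", "src_ip": "192.0.2.9", "instance": None},  # lone scanner
    {"time": _t("11:30"), "kind": "security_center:reverse_shell", "src_ip": "203.0.113.55", "instance": "i-test02"},
]


def correlate(alerts, window=timedelta(minutes=30)):
    """Emit an incident per critical alert, plus one per source IP whose alerts
    complete the whole kill chain, in order, within `window` of the first step."""
    incidents = []
    by_ip = defaultdict(list)
    for a in alerts:
        if a["kind"] in CRITICAL_KINDS:
            incidents.append({"attacker_ip": a["src_ip"], "instance": a["instance"],
                              "reason": a["kind"], "evidence": [a]})
        by_ip[a["src_ip"]].append(a)

    for ip, items in by_ip.items():
        items.sort(key=lambda a: a["time"])
        stage, start, evidence = 0, None, []
        for a in items:
            if a["kind"] != KILL_CHAIN[stage]:
                continue
            start = start or a["time"]
            if a["time"] - start > window:
                continue  # outside the window; simplification: the chain is not restarted
            evidence.append(a)
            stage += 1
            if stage == len(KILL_CHAIN):
                incidents.append({"attacker_ip": ip, "instance": evidence[-1]["instance"],
                                  "reason": "chained_intrusion", "evidence": evidence})
                break
    return incidents


class RecordingClient:
    """Stand-in for the cloud API client: records what a real client would call."""

    def __init__(self):
        self.calls = []

    def replace_security_groups(self, instance, sg_ids):
        # real step: ECS ModifyInstanceAttribute with the SecurityGroupIds parameter
        self.calls.append(("ModifyInstanceAttribute", instance, tuple(sg_ids)))

    def create_snapshot(self, instance):
        # real step: ECS CreateSnapshot on the instance's system disk
        self.calls.append(("CreateSnapshot", instance))
        return f"s-snapshot-of-{instance}"

    def block_ip(self, ip):
        # real step: a Cloud Firewall deny rule for the attacker address
        self.calls.append(("CloudFirewallBlock", ip))


def run_playbook(incident, client):
    """Order matters: stop lateral movement first, then preserve evidence, then block the source."""
    client.replace_security_groups(incident["instance"], [QUARANTINE_SG])
    snapshot_id = client.create_snapshot(incident["instance"])
    client.block_ip(incident["attacker_ip"])
    return {"instance": incident["instance"], "snapshot": snapshot_id,
            "steps": [call[0] for call in client.calls]}


def respond(alerts):
    """End to end: correlate, then run the playbook once per incident, keyed by instance."""
    return {inc["instance"]: run_playbook(inc, RecordingClient()) for inc in correlate(alerts)}


if __name__ == "__main__":
    for instance, result in respond(ALERTS).items():
        print(instance, result["steps"], result["snapshot"])
```

Two points the code makes that the prose leaves implicit: the lone scanner at 192.0.2.9 never becomes an incident, because a single WAF alarm is noise until the later stages confirm it; and the snapshot is taken after isolation, not before, so the attacker cannot keep acting on the host while forensics are being preserved.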

3. Normalised baseline checks and Blue Army drills

No matter how complete the line of defense, there are always human loopholes. Enterprises should maintain two long-term mechanisms:

Automated configuration compliance checks: use Alibaba Cloud's configuration audit service (Config) to monitor the compliance of cloud assets in real time. The moment a new employee creates a "world-readable" object storage bucket for convenience or opens a high-risk port, Config raises an alarm and can even correct the setting automatically (Remediation).

Regular offensive and defensive drills: bring in an external professional security team (Blue Army) to run a live penetration test without notifying frontline operations in advance, and verify the whole security team's proficiency with the Alibaba Cloud consoles and security tools, as well as the timeliness of its response.

Conclusion: Security is the underlying logic of business, not an additional cost.

Building an Alibaba Cloud security defense system is by no means a simple product "matching game". It requires enterprises to start from the foundation of zero-trust identity governance, block external threats through three-dimensional depth across network and host, secure the underlying data with comprehensive encryption and anti-ransomware backups, and finally close the loop in unified, automated SecOps operations.


The business war of the digital age is not only about how fast the business runs, but about who keeps the steadier chassis when the storm hits. A security defense system embedded deep in every cell of the cloud architecture is the most solid technological moat for enterprises expanding overseas and staying evergreen in the digital era.
