First exposure! The only Alibaba cloud native security panorama behind the highest level in the whole domain
2022-06-23 12:53:00 【InfoQ】

- Lack of systematic cloud native security capability building: The traditional enterprise application security model draws security boundaries between trust domains and treats east-west service traffic inside a trust domain as trusted. Container applications may be deployed in the cloud and in an IDC and drift between them, so the static identifiers of the traditional perimeter model (such as IP addresses) no longer work in cloud native scenarios. Enterprise security protection needs to identify constantly changing dynamic workloads by attributes and metadata (such as labels and tags) and apply zero-trust security measures.
- Lack of full-lifecycle security protection on the application side: Containers bring elasticity, agility and dynamic scalability, and they change how applications are deployed. The application lifecycle is greatly shortened; a container application often lives for only minutes. This calls for more automated security controls across the enterprise application lifecycle and security architecture, covering the identity system, asset management, authentication, threat analysis, detection and blocking.
- Lack of understanding of the cloud shared responsibility model: As enterprises re-architect their applications for cloud native, application developers and security operations staff need to understand where responsibility is divided between the enterprise and the cloud service provider. Across design, development, build, distribution, deployment and runtime, the cloud service provider is expected to productize security protection for cloud native workloads, while the enterprise needs to strengthen its security mindset on the cloud, keep learning the tools and processes, and put them into long-term practice in its applications.
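The first gap above is usually closed in Kubernetes with label-based NetworkPolicy rather than IP allowlists. The following manifests are an added example and are not from the original article or from Alibaba Cloud; the namespace `shop`, the labels, the registry and the port are constructed for illustration. The first policy makes the namespace default-deny for ingress, which matters because a pod that no policy selects stays fully reachable; the second then admits only the workloads identified by their labels, whatever IP they are scheduled to after a restart or a migration. Enforcement requires a CNI plugin that implements NetworkPolicy.

```yaml
# Added example (not from the article): zero-trust east-west control by workload labels.
# Step 1: deny all ingress to every pod in the namespace unless another policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop          # constructed namespace
spec:
  podSelector: {}          # empty selector = every pod in the namespace
  policyTypes:
    - Ingress
---
# Step 2: admit traffic to the payments API only from pods identified by attributes,
# never by address. IPs are never mentioned, so the rule survives pod churn and cloud/IDC drift.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: payments-api-ingress
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: payments-api    # constructed label identifying the protected workload
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Checkout front-end pods in the same namespace.
        - podSelector:
            matchLabels:
              app: checkout
              tier: frontend
        # Scrapers from a namespace labelled for observability; both selectors in one
        # entry means the pod must match the pod labels AND live in a matching namespace.
        - namespaceSelector:
            matchLabels:
              purpose: observability
          podSelector:
            matchLabels:
              app: prometheus
      ports:
        - protocol: TCP
          port: 8443       # constructed service port
```

Apply with `kubectl apply -f` and verify from a pod without the `checkout` labels (for example an ad hoc `kubectl run` debug pod) that a connection to port 8443 of a `payments-api` pod times out, while a pod labelled `app=checkout,tier=frontend` connects. A common mistake is listing `namespaceSelector` and `podSelector` as two separate `from` entries, which ORs them and admits every pod in the observability namespace plus every `prometheus` pod anywhere.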
Cloud native security maturity model

Cloud native security panorama

- Infrastructure security: Alibaba Cloud has built solid platform security capabilities into its compute, storage, network and other cloud infrastructure. For compute security, Security Center and Container Registry support automated vulnerability detection, alerting, tracing and attack analysis, and automatic, intelligent repair of image vulnerabilities; they also support baseline scanning and rich policy configuration across multiple OSes and hybrid cloud architectures. For network security, Cloud Firewall supports multi-boundary protection and adaptive policy recommendations based on learned traffic. For storage security, the Container Service backup center supports off-site backup and rapid recovery of application data, ACK One provides backup and disaster recovery across two regions and three data centers in multi-cloud and hybrid cloud scenarios, and ACK-TEE provides confidential computing based on combined hardware and software to help protect data while it is in memory.
- Infrastructure security / supply chain security: First, on the cloud native network side, Container Service and Security Center provide pod-level east-west policy control and intelligent blocking, together with a visual display of the cluster network topology. ASM (Alibaba Cloud Service Mesh) provides full-link traffic encryption, observation, monitoring and layer-7 access control under the Service Mesh framework. For orchestration and component security, ACK supports multi-dimensional automated security inspection that identifies potential risks in cluster applications and gives hardening recommendations, and ensures that all system components follow CIS and other compliance benchmarks; cluster nodes in managed node pools can self-heal from CVEs automatically. For access control, the RRSA feature of ACK clusters isolates cloud resource permissions at the pod level on the application side. For image security, Container Registry (ACR) Enterprise Edition provides a cloud native delivery chain which, combined with image integrity verification and other capabilities, builds enterprise-grade supply chain DevSecOps. For runtime security, Security Center provides container-level real-time threat detection, alerting and intelligent handling, helping enterprises resist container escape, sensitive file operations, abnormal connections and other in-container attacks.
- Cloud native application security: Cloud native application security covers every aspect of application-side protection. First, for general security, Cloud Firewall, Web Application Firewall and similar services provide north-south and east-west attack protection and fine-grained access control for enterprise applications, with monitoring, analysis and automated repair recommendations for API vulnerabilities, injection attacks and sensitive data leaks; applications can also connect to the ARMS RASP service for API call-chain monitoring and API asset management. For microservice security, MSE (Microservices Engine) secures microservice network communication through the cloud native gateway combined with Cloud Firewall and other services, and, in addition to rich microservice governance, provides security monitoring and RASP protection at the application code layer. For Serverless security, Function Compute supports fine-grained access control and tenant isolation for function resources such as storage and network, along with real-time monitoring and complete auditing of function resources and traffic.
- Cloud native security operations: How to run security operations for cloud native applications is a key concern for enterprises. For security management, Container Service, Security Center and other services provide rich and detailed visual asset management, while Log Service provides complete audit logs on both the control plane and the business side, with intelligent analysis, alerting and graphical display built on those audits. For policy management, Container Service supports an OPA-based policy governance engine that is enforced when workloads are deployed to the cluster, and Yunxiao (Alibaba Cloud DevOps) provides policy-based workflow configuration and security checks for cloud native development and testing. Identity management is the foundation of zero trust: Alibaba Cloud RAM and IDaaS support integration with enterprise LDAP, and Service Mesh supports custom identity-based inter-service access policies plus real-time detection and alerting of leaked identity credentials. For security operations, Security Center supports cloud honeypots to lure and capture attackers and customized countermeasures, along with multi-dimensional visual detection, early warning and tracing analysis; the Alibaba Cloud Threat Intelligence platform additionally supports IOC lookup and verdicts, gathers vulnerability intelligence through multiple channels, and offers offline subscription to industry security incident reports, helping enterprise security operations teams work more efficiently.
- R&D and operations security: Alibaba Cloud's security team subjects the platform's internal R&D and operations processes to strict security audit and management. For security requirements, the security team maintains a tailored requirement list for cloud products, supports scenario-specific customized requirements and automated test cases, and supports multi-channel requirement collection and systematic management. For development security, product security first implements automated inspection of component vulnerabilities, integrity verification and identity traceability, and supports systematic threat modeling together with internal standardized security design specifications and technology stacks. For test security, the R&D process has an end-to-end testing toolchain that, together with routine manual penetration testing, finds vulnerabilities promptly and automatically enters them into the system to notify owners for repair. The whole DevSecOps process achieves risk identification and handling through policy configuration, with no manual intervention required.
Alibaba Cloud container product family: efficient and secure, intelligence without boundaries
