
How to ensure database security in IT project construction?

#Cloud native background#

Cloud computing is a concentrated expression of advances in information technology and of innovation in service models; it is a major change in IT and an inevitable trend. As the "new infrastructure" build-out accelerates and enterprise digital transformation deepens, the question of how to use cloud computing more deeply and get more value from it has become the focus of cloud development at this stage. Cloud native, with its efficiency, stability and fast response, unlocks the performance of cloud computing and has become the driving force of enterprise digital business innovation, and it has entered a stage of rapid growth. Much as the shipping container accelerated trade and globalization, cloud-native technology is driving the adoption of cloud computing and enterprise digital transformation.

The Cloud Native Computing Foundation (CNCF) defines cloud-native technologies as those that empower organizations to build and run scalable applications in modern, dynamic environments such as public, private and hybrid clouds. Representative cloud-native technologies include containers, service meshes, microservices, immutable infrastructure and declarative APIs.

#Market Development in the Age of Cloud Security#

Cloud security has developed almost in step with the cloud computing market, and the rapid growth of investment in cloud infrastructure is the soil in which cloud security grows. According to IDC, global cloud security spending in 2020 accounted for only 1.1% of cloud IT spending, which suggests that current cloud security spending is far from sufficient. If that proportion were raised to 5%, the global cloud security market would have been worth USD 5.32 billion in 2020 and would reach USD 10.89 billion in 2023.

Overseas cloud security market: technology innovation and mergers and acquisitions are active. Overall, the overseas cloud security market is in a stage of rapid development, with active technological innovation and frequent mergers and integration. On the one hand, cloud security technology innovation is converging: for example, the Prisma product line of Palo Alto Networks, a comprehensive security vendor, unifies three cloud security product categories, CWPP, CSPM and CASB, into one solution and adds a series of cloud security capabilities such as SASE, container security and micro-segmentation. On the other hand, emerging cloud security companies are growing rapidly, while traditional security vendors strengthen their cloud security positions through in-house development plus acquisitions.

Domestic cloud security market: the market space is vast, but technology is still in a catch-up stage. In terms of market size, according to the China Academy of Information and Communications Technology (CAICT), China's overall cloud computing market reached 133.45 billion yuan in 2019, a growth rate of 38.6%. The market is expected to remain in a stage of rapid growth in 2020-2022 and to exceed 375.42 billion yuan by 2023. Under the neutral assumption that security investment accounts for 3%-5% of the cloud computing market, China's cloud security market is expected to reach 11.26 billion to 18.77 billion yuan in 2023. In terms of technology, there is still a gap between China and overseas markets in the maturity of cloud computing and the adoption of cloud-native technologies. CWPP is widely used in China, while emerging cloud security technologies such as CASB and CSPM are less common. However, with the accelerating development of the domestic public cloud market and the spreading use of cloud-native technologies, we believe that CASB, CSPM, SASE and other emerging technologies will also see wider adoption in China.

#Security on the cloud is on a native trend#

Cloud-native technologies are gradually becoming the new trend in the cloud computing market, and the security issues they bring are more complex. Cloud-native technologies represented by containers, service meshes and microservices are changing IT infrastructure, platforms and applications in every industry, and are also spreading into new infrastructure such as the IT/OT-converged industrial Internet, IT/CT-converged 5G and edge computing. As more cloud-native deployments go into production, the security risks and threats that accompany them are also surfacing: exposed Docker and Kubernetes services, the cryptomining incident in Tesla's Kubernetes cluster, container images on Docker Hub "poisoned" with mining programs, the large-scale Kubernetes mining campaign detected by Microsoft's Azure Security Center, the Graboid worm spreading a miner between Docker hosts, and a host of other attacks against cloud-native environments.

This variety of risks gives a glimpse of the security posture of cloud-native technology: many security issues in cloud-native environments still need to be resolved. When bringing cloud-native technologies into production, security is a factor that must be considered.

#Definition of cloud-native security#

Organizations and enterprises at home and abroad interpret the concept of cloud-native security slightly differently. Taking into account the state of the industry in China and its pain points, and by analogy with cloud computing security, cloud-native security carries two meanings: "security for cloud-native environments" and "security with cloud-native characteristics".

The goal of security for cloud-native environments is to protect the infrastructure, orchestration systems and microservices that make up those environments. These security mechanisms do not necessarily have cloud-native characteristics themselves (for example, being containerized or orchestratable); they can be deployed in a traditional form or even as hardware appliances, but their purpose is to protect the increasingly prevalent cloud-native environment.

Security with cloud-native characteristics refers to security mechanisms that themselves have cloud-native properties such as elasticity, agility, light weight and programmability. Cloud native is a conceptual innovation that rebuilds the traditional development and operations system through containerization, resource orchestration and microservices in order to speed up bringing business online and changing it. The same strengths of cloud-native systems also inspire security vendors to rebuild their security products and platforms and to change how they are delivered and updated.

#Cloud native security concept construction#

To ease the pain points of traditional security protection, make cloud computing a more secure and trustworthy information infrastructure, and help cloud customers use cloud computing more safely, the concept of cloud-native security has emerged, and third-party organizations and service providers at home and abroad have proposed building and developing cloud security with "native" at its core.

Gartner advocates building a cloud security system with cloud-native thinking

Based on cloud-native thinking, Gartner proposes a cloud security system covering eight areas. Two of them, infrastructure configuration and identity and access management, are provided by the cloud service provider as basic capabilities. The other six, continuous cloud security posture management; full visibility, logging, auditing and assessment; workload security; application, PaaS and API security; extended data protection; and cloud threat detection, need to be implemented by the customer with security products.

Forrester Evaluates Public Cloud Platform Native Security Capabilities

Forrester holds that public cloud platform native security (PCPNS) should be measured across three broad categories and 37 dimensions, judged from the products and features already offered as well as future strategic plans. The first category examines the cloud provider's own security capabilities and practices, such as data center security and internal staff; the second is the basic security features of the cloud platform itself, such as help and documentation, and authentication and authorization; the third is the native security offerings made available to users, such as container security and data security.

Security Dog builds cloud-native security with four working protection systems

(1) Combine the specifics of how cloud-native technology is deployed to carry out least privilege and defense in depth. For the various components of the cloud-native environment, apply the principle of "shifting security left" and configure a security baseline so that problems are prevented before they occur. For microservice-architecture web applications and serverless applications, the focus is on application security.

(2) Build DevSecOps around the lifecycle of cloud-native applications, taking the key technology stack of today's cloud-native environments, "Kubernetes + Docker", as the example. Pay attention to "configuration security" across the whole container lifecycle, "image security" during the build, "container access" during deployment, and "container security" in the runtime environment, and cover the security of the three elements of cloud computing, "compute", "network" and "storage".

(3) Build around security implementation guidelines for before, during and after an attack, so that detection and defense can be organized according to those three phases.

(4) Adapt and integrate existing cloud security technologies. "Cloud-native security" should not be treated as an isolated proposition; technologies such as host security and micro-segmentation, which already provide much of the support a cloud-native environment needs, can be extended to serve cloud-native security.

#New Risks in Cloud-Native Security#

The security risks of a cloud-native architecture include the risks of the cloud-native infrastructure itself as well as the new and expanded risks that arise when upper-layer applications are re-architected for cloud native. Important attack surfaces that attackers may exploit include, but are not limited to, containers, orchestration systems and the software supply chain. The following is a compendium of the security risks on these attack surfaces.

#Cloud-Native Security Issues in Detail#

Issue 1: Container Security Issues

During the construction of cloud-native applications and service platforms, container technology, with its high elasticity and agility, has become the key technical support for cloud-native application scenarios, and container security is therefore an important cornerstone of cloud-native security.

(1) Container image insecurity

Sysdig's report notes that in users' production environments, public image registries such as Docker Hub, the largest container image registry, are used as software sources. On the one hand, a lot of open-source software publishes container images on Docker Hub. On the other hand, developers usually download container images directly from public registries, or customize their own images on top of these base images; the whole process is very convenient and efficient. However, the security of images on Docker Hub is not ideal, and many official images carry high-risk vulnerabilities. Using such images greatly increases the risk of compromise of containers and hosts. The current container image security issues are mainly the following three:

1. Insecure third-party components

In real containerized application development, images are rarely built from scratch; instead, the developer's own program and code are layered on top of a base image, and the result is packaged as the final business image and put into operation. Many developers therefore have no idea how many components the base image contains or which ones they are, and the more components there are, the more vulnerabilities there may be.

2. Malicious mirrors

Public image registries may contain malicious images uploaded by third parties, and if these malicious images are used to create containers, the security of the containers and the applications will be affected.

3. Leakage of sensitive information

For the convenience of development and debugging, developers keep sensitive information such as database passwords, certificates and keys in configuration files. When the image is built, this sensitive information is packaged into the image along with the configuration file, and is therefore leaked to anyone who can pull the image. Deleting the file in a later build step does not help, because every layer is stored separately and the earlier layer still carries the bytes.
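The following scanner, an added example that is not part of the original article or of any vendor's product, shows why secrets must be kept out of image layers rather than deleted afterwards. It builds two small layer tarballs in memory (constructed sample data): layer 0 copies a source tree including an `.env` file, and layer 1 is the "cleanup" step that only adds an OCI whiteout marker. Scanning every layer, not the merged filesystem, still finds the credentials. The secret patterns and file names are illustrative assumptions; a real scanner carries far more patterns.

```python
import io
import re
import tarfile

# Illustrative secret patterns (assumption: a real scanner carries far more).
SECRET_PATTERNS = {
    "aws_access_key": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(rb"(?i)(?:password|passwd|db_pass)\s*[=:]\s*\S+"),
}


def make_layer(files):
    """Build one layer tarball in memory from {path: content}. Used only to construct the sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def scan_layer(layer_bytes):
    """Return ([(path, pattern_name)], {paths deleted by a whiteout in this layer})."""
    hits, whiteouts = [], set()
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as tar:
        for member in tar:
            base = member.name.rsplit("/", 1)[-1]
            if base.startswith(".wh."):
                # OCI whiteout marker: the file disappears from the merged view,
                # but its bytes still sit in the earlier layer. Opaque whiteouts
                # (".wh..wh..opq") are not handled in this example.
                whiteouts.add(member.name.replace(".wh.", "", 1))
                continue
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(data):
                    hits.append((member.name, name))
    return hits, whiteouts


def scan_image(layers):
    """layers: ordered layer tarballs, base first. Every layer is scanned, not just the merged tree."""
    scanned = [scan_layer(layer) for layer in layers]
    deleted_at = {}
    for idx, (_, whiteouts) in enumerate(scanned):
        for path in whiteouts:
            deleted_at.setdefault(path, idx)
    findings = []
    for idx, (hits, _) in enumerate(scanned):
        for path, pattern in hits:
            findings.append({
                "path": path,
                "pattern": pattern,
                "layer": idx,
                "deleted_in_later_layer": deleted_at.get(path, -1) > idx,
            })
    return findings


# Constructed sample image: layer 0 copies the whole source tree including .env,
# layer 1 is the cleanup step ("RUN rm app/.env") that only adds a whiteout.
SAMPLE_LAYERS = [
    make_layer({
        "app/main.py": b"print('hello')\n",
        "app/.env": b"DB_PASSWORD=hunter2\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    }),
    make_layer({"app/.wh..env": b"", "app/config.yaml": b"db:\n  host: db.internal\n"}),
]


def demo():
    return scan_image(SAMPLE_LAYERS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Both findings come back flagged `deleted_in_later_layer`, which is exactly the case a scan of the running container's filesystem would miss. The fix is to never copy the file in the first place (a `.dockerignore` entry, build secrets, or a multi-stage build that copies only the artifacts), not to delete it afterwards.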

(2) Container lifecycle is short

Cloud-native technology, with its agility and reliability, drives the business development of the enterprise and is the driving force behind innovation in digital business applications. In a container environment, some containers are started and managed with docker commands, but a large number of containers are started and managed by the Kubernetes orchestration system. This brings speed and agility to building, deploying and running containers, and a large share of containers live for less than an hour. Full-lifecycle protection of containers therefore differs greatly from protection in a traditional virtualization environment. For defenders, a combination of traditional anomaly detection and behavioral analysis is needed to fit these short-lived container scenarios.

Traditional anomaly detection uses devices such as WAFs and IDSs whose rule bases are already mature; it can show the presence of a threat directly and is still applicable in a container environment.

Traditional anomaly detection finds known threats quickly and accurately, but most unknown threats match no rule, so a behavioral analysis mechanism is needed to pick out anomalous patterns from the large number of observed ones. Generally, the business pattern within a given production window is relatively fixed, which means business behavior is predictable: no matter how many containers are started, the behavior inside containers built from the same image is always similar. By collecting process behavior and applying machine learning, reasonable baselines can be built automatically and then used to detect unknown threats inside containers.
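As an added example (not code from the original article or any product it mentions), the block below implements the simplest form of the baseline idea described above: learn, per image, which (parent process, executable) pairs occur during a learning window, then flag execs that fall outside that profile. Keying the profile by image rather than by container is what makes this work for containers that live less than an hour. The exec events are constructed in the shape a runtime sensor might emit and are not real telemetry; the writable-directory list and the severity labels are assumptions.

```python
from collections import defaultdict

# Directories attackers typically drop payloads into; a legitimate service
# image almost never executes from them (assumption for this example).
WRITABLE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


def build_baseline(events):
    """Learn, per image, the set of (parent process, executable) pairs seen in production."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["image"]].add((e["parent"], e["exe"]))
    return baseline


def classify(event, baseline):
    """None when the exec fits the learned profile, else (severity, reason)."""
    if event["exe"].startswith(WRITABLE_DIRS):
        return ("high", "executable launched from a writable scratch directory")
    profile = baseline.get(event["image"])
    if profile is None:
        return ("medium", "no learned profile for this image")
    if (event["parent"], event["exe"]) not in profile:
        return ("medium", f"unseen exec {event['exe']} spawned by {event['parent']}")
    return None


def detect(events, baseline):
    """Run every event through classify() and collect the alerts."""
    alerts = []
    for e in events:
        verdict = classify(e, baseline)
        if verdict is not None:
            alerts.append({"event": e, "severity": verdict[0], "reason": verdict[1]})
    return alerts


# Constructed exec events (not real telemetry). The learning set repeats the
# same few shapes, as hundreds of short-lived containers of one image would.
LEARNING_EVENTS = [
    {"image": "shop/web:1.4", "parent": "docker-entrypoint", "exe": "/usr/sbin/nginx"},
    {"image": "shop/web:1.4", "parent": "nginx", "exe": "/usr/sbin/nginx"},
    {"image": "shop/api:2.0", "parent": "gunicorn", "exe": "/usr/bin/python3"},
] * 50

DETECTION_EVENTS = [
    {"image": "shop/web:1.4", "parent": "nginx", "exe": "/usr/sbin/nginx"},   # normal worker respawn
    {"image": "shop/api:2.0", "parent": "python3", "exe": "/bin/sh"},        # web process spawning a shell
    {"image": "shop/api:2.0", "parent": "sh", "exe": "/tmp/.x/kworker"},     # payload dropped to /tmp
]


def demo():
    return detect(DETECTION_EVENTS, build_baseline(LEARNING_EVENTS))


if __name__ == "__main__":
    for alert in demo():
        print(alert["severity"], alert["reason"])
```

A production system would add more features to the profile (file opens, outbound connections, syscalls), age out old images, and require a minimum number of observations before trusting a profile; the structure stays the same.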

(3) Container runtime security

Container technology brings convenience, but container runtime hardening is often neglected. Because containers are short-lived and lightweight, the traditional approach of installing antivirus software on a host or virtual machine is time-consuming and resource-hungry when applied to a container that runs only one or two processes, yet in the eyes of an attacker there is no difference between a container and a bare process running on the host. The main runtime security concerns are:

1. Insecure container applications

As with traditional web security, applications running in containers have vulnerabilities such as SQL injection, XSS, RCE and XXE. An attacker can exploit them while the container is serving external requests and thereby compromise the container.

2. Container DoS attacks

By default, docker places no limit on a container's resource usage: a container can consume unlimited CPU, memory and disk, so a compromised or misbehaving container can starve the host and every other container on it, causing denial of service at the container, host or cluster level. The corresponding controls are the docker run resource flags (such as --memory, --cpus and --pids-limit) and, in Kubernetes, per-container requests and limits, backed by LimitRange and ResourceQuota objects at the namespace level.
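The check below is an added example, not code from the original article or from Kubernetes. It audits Pod manifests (constructed as Python dicts, the same structure as the YAML) for containers with no CPU, memory or ephemeral-storage limit, and derives the QoS class the kubelet assigns from the same fields. The QoS class is the practical reason to care: under node memory pressure the kubelet evicts BestEffort pods first, then Burstable pods exceeding their requests, and Guaranteed pods last, so a pod without limits is both a DoS source and the first victim. Init containers are ignored and only the common quantity suffixes are parsed; both are assumptions of this example.

```python
import re
from fractions import Fraction

# Kubernetes quantity suffixes handled here (assumption: the common subset).
_MULTIPLIERS = {
    "": Fraction(1), "m": Fraction(1, 1000), "k": Fraction(1000),
    "M": Fraction(10 ** 6), "G": Fraction(10 ** 9),
    "Ki": Fraction(2 ** 10), "Mi": Fraction(2 ** 20), "Gi": Fraction(2 ** 30),
}


def parse_quantity(q):
    """Parse '500m', '2', '128Mi', '1G' into an exact number (cores or bytes)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(m|k|M|G|Ki|Mi|Gi)?", str(q))
    if not m:
        raise ValueError(f"unsupported quantity: {q!r}")
    return Fraction(m.group(1)) * _MULTIPLIERS[m.group(2) or ""]


def qos_class(pod):
    """QoS class the kubelet assigns: Guaranteed, Burstable or BestEffort (init containers ignored)."""
    resources = [c.get("resources", {}) for c in pod["spec"]["containers"]]
    if all(not r.get("requests") and not r.get("limits") for r in resources):
        return "BestEffort"
    for r in resources:
        for res in ("cpu", "memory"):
            lim = r.get("limits", {}).get(res)
            req = r.get("requests", {}).get(res, lim)  # requests default to limits when unset
            if lim is None or parse_quantity(req) != parse_quantity(lim):
                return "Burstable"
    return "Guaranteed"


def audit_pod(pod):
    """Report containers that may consume unbounded node resources, plus the pod's QoS class."""
    missing = []
    for c in pod["spec"]["containers"]:
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory", "ephemeral-storage"):
            if res not in limits:
                missing.append(f"{c['name']}:{res}")
    return {"pod": pod["metadata"]["name"], "qos": qos_class(pod), "missing_limits": missing}


def audit_all(pods):
    return [audit_pod(p) for p in pods]


# Constructed sample manifests (not from a real cluster).
SAMPLE_PODS = [
    {"metadata": {"name": "batch-worker"},
     "spec": {"containers": [{"name": "worker", "image": "shop/worker:1.0"}]}},
    {"metadata": {"name": "web"},
     "spec": {"containers": [{"name": "nginx", "image": "shop/web:1.4",
                              "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                                            "limits": {"cpu": "500m", "memory": "256Mi"}}}]}},
    {"metadata": {"name": "db"},
     "spec": {"containers": [{"name": "postgres", "image": "postgres:15",
                              "resources": {"requests": {"cpu": "1", "memory": "1Gi"},
                                            "limits": {"cpu": "1000m", "memory": "1024Mi",
                                                       "ephemeral-storage": "2Gi"}}}]}},
]


if __name__ == "__main__":
    for result in audit_all(SAMPLE_PODS):
        print(result)
```

Exact arithmetic with `Fraction` matters for the Guaranteed check: `1Gi` and `1024Mi`, or `1` and `1000m`, are equal and must compare equal, which floating point does not reliably give for every suffix combination.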

(4) Container micro-isolation

In a container environment, compared with a traditional network, container lifetimes are much shorter and change far more often. Containers have complex access relationships with one another, and once their number reaches a certain scale, the east-west traffic these relationships generate becomes unusually large and complex. Network isolation in a container environment is therefore no longer just isolation of the physical network; it must isolate container from container, container group from host, and host from host. In Kubernetes the primitive for this is the NetworkPolicy, and its default is the trap: a pod that no policy selects accepts and sends all traffic.
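The audit below, an added example rather than code from the article, finds the gap that matters most in practice: pods that no NetworkPolicy selects in a given direction, and which are therefore allow-all. It applies the Kubernetes rules for when a pod is "isolated" (a policy in the same namespace selects it and names that direction in `policyTypes`, with the documented default that Ingress is always implied and Egress only when an egress section exists). Pods and policies are constructed dicts mirroring the YAML; only `matchLabels` selectors are evaluated, which is an assumption of this example (`matchExpressions` are not handled).

```python
def selector_matches(selector, labels):
    """Minimal label-selector evaluation: matchLabels only; an empty selector selects every pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def policy_types(policy):
    """Directions a policy isolates, applying the Kubernetes defaults when policyTypes is omitted."""
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    types = {"Ingress"}
    if "egress" in spec:
        types.add("Egress")
    return types


def unisolated_pods(pods, policies):
    """Return (namespace, pod, direction) for every pod/direction no policy selects, i.e. allow-all."""
    gaps = []
    for pod in pods:
        ns = pod["metadata"]["namespace"]
        labels = pod["metadata"].get("labels", {})
        for direction in ("Ingress", "Egress"):
            covered = any(
                p["metadata"]["namespace"] == ns
                and direction in policy_types(p)
                and selector_matches(p["spec"].get("podSelector", {}), labels)
                for p in policies
            )
            if not covered:
                gaps.append((ns, pod["metadata"]["name"], direction))
    return gaps


# Constructed sample cluster state (not from a real cluster).
SAMPLE_PODS = [
    {"metadata": {"name": "api-7c9f", "namespace": "shop", "labels": {"app": "api"}}},
    {"metadata": {"name": "db-0", "namespace": "shop", "labels": {"app": "db"}}},
    {"metadata": {"name": "worker-1", "namespace": "batch", "labels": {"app": "worker"}}},
]

SAMPLE_POLICIES = [
    # default-deny for ingress in "shop": empty podSelector selects all pods
    {"metadata": {"name": "default-deny-ingress", "namespace": "shop"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    # allow only api -> db on 5432; policyTypes omitted, so Ingress is implied
    {"metadata": {"name": "allow-api-to-db", "namespace": "shop"},
     "spec": {"podSelector": {"matchLabels": {"app": "db"}},
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "api"}}}],
                           "ports": [{"port": 5432}]}]}},
]


if __name__ == "__main__":
    for gap in unisolated_pods(SAMPLE_PODS, SAMPLE_POLICIES):
        print("allow-all:", gap)
```

Running it shows that "shop" has ingress covered but no egress isolation at all, and that "batch" has no isolation in either direction; the fix is a default-deny policy with `policyTypes: [Ingress, Egress]` in every namespace, followed by explicit allow rules.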

Issue 2: Cloud-Native Compliance with Level Protection 2.0

Level Protection 2.0 (China's Multi-Level Protection Scheme for cybersecurity) adds security extension requirements for the individual protection needs of new technologies and application areas such as cloud computing, forming a new baseline standard for classified cybersecurity protection. Although security extension requirements for cloud computing were written, the long drafting cycle meant that virtualization was still the mainstream scenario at the time of writing; cloud-native scenarios such as containerization, microservices and serverless were not considered, so it cannot be guaranteed that all of the standards in Level Protection 2.0 apply to the current cloud-native environment.

Drawing on Security Dog's experience and practice in cloud security, the control points of the cloud computing security extension requirements can be mapped to cloud-native environments as follows:

For the access control control points, host account security needs to be checked, the access rights of different accounts to different containers need to be set, and the access control policy must move with the container as it is built, deployed and run;

For the intrusion prevention control points, management needs to be visualized, the business topology drawn, host intrusion prevented from every angle, access to business traffic controlled, and malicious code detected;

For the image and snapshot protection control points, images and snapshots need to be protected, the integrity, availability and confidentiality of container images guaranteed, and leakage of sensitive information prevented.

Issue 3: Host Security

Containers share the operating system kernel with the host, so the host configuration has a decisive effect on the security of running containers: vulnerable software installed on the host may allow arbitrary code execution, and unrestricted open ports may allow arbitrary users to connect. Deploying a host intrusion monitoring and protection system provides host asset management, host hardening, vulnerability identification, intrusion prevention, isolation of problem hosts and other functions. Linking these functions together establishes a closed-loop security management system of collection, detection, monitoring, defense and capture that protects the host comprehensively, helps users locate compromised hosts in time, respond to known and unknown threats, and avoid large-scale internal host security incidents.

Issue 4: Orchestration System Issues

Orchestration systems underpin many cloud-native applications, such as serverless and service meshes, and these new microservice systems share the same security issues. For example, an attacker can run a piece of code to gain a shell inside a container and then move laterally across the container network, causing significant damage.

The Kubernetes architecture is complex: starting a single Pod involves the API Server, Controller Manager, Scheduler and other components, so the security capabilities of each component matter. The API Server provides authentication, authorization and admission control, RBAC for fine-grained access control, and Secret resources for holding credentials; the Pod itself is subject to pod security policies and network policies. Using these mechanisms properly can effectively harden Kubernetes. In practice the most common gap is RBAC: a binding that hands cluster-admin or wildcard verbs to a workload's service account turns the shell in the previous example into control of the cluster.
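The audit below is an added example, not code from the article or from Kubernetes itself. It resolves Role and ClusterRole bindings (constructed dicts in the shape of the API objects) to the (resource, verb) pairs they grant and reports subjects that receive wildcards or grants known to enable escalation, such as reading Secrets or creating `pods/exec`. The dangerous-grant list is a short illustrative assumption, and role names are assumed unique across namespaces for simplicity.

```python
# (resource, verb) grants that let a subject escalate or read credentials
# (assumption: a short illustrative list, not a complete one).
DANGEROUS_GRANTS = {
    ("secrets", "get"), ("secrets", "list"), ("secrets", "watch"),
    ("pods/exec", "create"), ("pods/exec", "get"),
    ("clusterrolebindings", "create"), ("rolebindings", "create"),
    ("serviceaccounts/token", "create"),
}


def expand_rules(role):
    """Yield every (resource, verb) pair a Role or ClusterRole grants."""
    for rule in role.get("rules", []):
        for resource in rule.get("resources", []):
            for verb in rule.get("verbs", []):
                yield (resource, verb)


def is_dangerous(grant):
    resource, verb = grant
    return grant in DANGEROUS_GRANTS or resource == "*" or verb == "*"


def subject_id(subject):
    if subject["kind"] == "ServiceAccount":
        return f"ServiceAccount:{subject.get('namespace', 'default')}/{subject['name']}"
    return f"{subject['kind']}:{subject['name']}"


def risky_bindings(roles, bindings):
    """List subjects whose bindings resolve to roles carrying dangerous grants."""
    by_ref = {(r["kind"], r["metadata"]["name"]): r for r in roles}  # assumption: unique role names
    findings = []
    for b in bindings:
        ref = b["roleRef"]
        role = by_ref.get((ref["kind"], ref["name"]))
        if role is None:
            continue
        hits = sorted(g for g in set(expand_rules(role)) if is_dangerous(g))
        if not hits:
            continue
        for s in b.get("subjects", []):
            findings.append({
                "subject": subject_id(s),
                "binding": f"{b['kind']}/{b['metadata']['name']}",
                "cluster_wide": b["kind"] == "ClusterRoleBinding",
                "grants": hits,
            })
    return findings


# Constructed sample RBAC objects (not from a real cluster).
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "config-reader", "namespace": "shop"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "debugger", "namespace": "shop"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/exec"], "verbs": ["get", "create"]}]},
]

SAMPLE_BINDINGS = [
    # CI pipeline's default service account bound to cluster-admin: the classic mistake
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "ci"}]},
    {"kind": "RoleBinding", "metadata": {"name": "app-config", "namespace": "shop"},
     "roleRef": {"kind": "Role", "name": "config-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "api", "namespace": "shop"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-debug", "namespace": "shop"},
     "roleRef": {"kind": "Role", "name": "debugger"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
]


def demo():
    return risky_bindings(SAMPLE_ROLES, SAMPLE_BINDINGS)


if __name__ == "__main__":
    for f in demo():
        print(f["subject"], "via", f["binding"], "->", f["grants"])
```

The `ci/default` service account is the finding to act on first: every pod in that namespace that does not set `automountServiceAccountToken: false` carries a cluster-admin token, so a single RCE in a CI job is a cluster compromise.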

Issue 5: Software Supply Chain Security

A project will often use a large amount of open-source software; according to Gartner, at least 95% of enterprises use open-source software in critical IT products. Open-source software obtained from the Internet may carry malware of its own, and the components it depends on are often unknown to the team using it. The result is that when a 0-day or N-day vulnerability exists in that open-source software, we have no way of knowing about it.

Vulnerabilities in open-source software cannot be eliminated outright, and the container's own security problems may bring risk to every process in the development phase. What we can do is follow SDL principles and start reasonable assessment and control of software security from the development phase, in order to raise the quality of the entire supply chain.

Issue 6: Security Operation Cost Issues

Although the lifecycle of a container is short, it still spans build, deploy and run. Full-lifecycle protection means anomaly detection and protection at each of those stages, and that comes at a high cost: detecting and analyzing the behavior of processes in thousands of containers consumes host CPU and memory, shipping logs consumes network bandwidth, and behavioral detection consumes compute. When the number of containers is huge, the security operation cost rises dramatically.

Issue 7: How to Improve the Effectiveness of Security Protection

Given that container security operations are expensive, how can we reduce that cost while improving the effectiveness of protection? This brings in a popular industry term, "shift left". Reading the software lifecycle from left to right as development, testing, integration, deployment and operation, shifting security left means moving security protection from traditional operations to the development side, where the main concerns are the design and development of the software, software supply chain security and image security.

So, to reduce security operation cost in cloud-native scenarios and improve operational efficiency, the first step is to shift security left, that is, from operational security to development security, mainly considering development security, software supply chain security, image security and configuration verification:

Development security

The team needs to focus on code vulnerabilities, for example by conducting code audits to find vulnerabilities caused by a lack of security awareness and logic vulnerabilities caused by flawed business logic.

Supply chain security

Code and dependency inspection tools can be used to conduct ongoing security assessment of the third-party components a project pulls in.

Mirror security

Use an image vulnerability scanning tool to continuously assess the images in the registry, and update images found to be at risk in a timely manner.

Configuration verification

Verification covers the exposed attack surface, host hardening, asset management and so on, to make it harder for attackers to exploit vulnerabilities.

Issue 8: Security Configuration and Key Credential Management Issues

Non-standard security configuration and poorly managed keys and credentials are also a major cloud-native risk. Cloud-native applications interact heavily with middleware and back-end services. For simplicity, many developers store access credentials and key files directly in the code, or protect online resources with weak passwords, which lets an attacker easily gain access to sensitive data.
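As an added example (not code from the original article or any product it mentions), the block below covers the two habits the paragraph names: weak credentials, and credentials pasted into deployment configuration instead of referenced from a secret store. It decodes the `data` map of a Kubernetes Secret and scores every credential-looking key, and it flags container `env` entries whose name looks like a credential but whose value is a literal rather than a `secretKeyRef`. The weak-password list, the 12-character minimum and the 3.0-bit entropy threshold are arbitrary assumptions for the example; the Secret and Pod manifests are constructed.

```python
import base64
import math

# Assumptions for the example: a tiny stand-in for a real wordlist, and
# thresholds chosen for illustration.
WEAK_PASSWORDS = {"password", "123456", "admin", "root", "changeme", "secret", "hunter2"}
CREDENTIAL_HINTS = ("pass", "pwd", "token", "secret", "key")
MIN_LENGTH = 12
MIN_ENTROPY_BITS = 3.0


def shannon_entropy(s):
    """Bits of entropy per character, estimated from the character distribution of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(ch) / n * math.log2(s.count(ch) / n) for ch in set(s))


def assess_credential(value):
    """Return the list of reasons a credential value is weak (empty when it passes)."""
    reasons = []
    if value.lower() in WEAK_PASSWORDS:
        reasons.append("in weak-password list")
    if len(value) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if shannon_entropy(value) < MIN_ENTROPY_BITS:
        reasons.append("low character entropy")
    return reasons


def looks_like_credential(name):
    return any(h in name.lower() for h in CREDENTIAL_HINTS)


def audit_secret(secret):
    """Decode a Kubernetes Secret's base64 data map and score each credential-looking key."""
    findings = {}
    for key, b64 in secret.get("data", {}).items():
        if not looks_like_credential(key):
            continue
        plain = base64.b64decode(b64).decode("utf-8", "replace")
        reasons = assess_credential(plain)
        if reasons:
            findings[key] = reasons
    return findings


def audit_pod_env(pod):
    """Credential-like env vars given as literal values instead of valueFrom.secretKeyRef."""
    hits = []
    for c in pod["spec"]["containers"]:
        for env in c.get("env", []):
            if looks_like_credential(env["name"]) and "value" in env:
                hits.append((c["name"], env["name"], assess_credential(env["value"])))
    return hits


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample manifests (not from a real cluster).
SAMPLE_SECRET = {
    "metadata": {"name": "shop-db"},
    "data": {
        "db-host": _b64("db.internal"),
        "password": _b64("admin"),
        "api-token": _b64("gZ3k8QpL2vNx7RtW4yHb9sDf"),
    },
}

SAMPLE_POD = {
    "metadata": {"name": "api"},
    "spec": {"containers": [{
        "name": "api",
        "image": "shop/api:2.0",
        "env": [
            {"name": "DB_PASSWORD", "value": "hunter2"},  # literal credential in the manifest
            {"name": "API_TOKEN", "valueFrom": {"secretKeyRef": {"name": "shop-db", "key": "api-token"}}},
        ],
    }]},
}


if __name__ == "__main__":
    print(audit_secret(SAMPLE_SECRET))
    print(audit_pod_env(SAMPLE_POD))
```

Base64 is not encryption: anyone with `get secrets` in the namespace reads these values in clear, which is why the RBAC audit earlier on this page treats that verb as dangerous and why a strong value in a Secret is necessary but not sufficient.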

#Future outlook for cloud-native security#

Judging from the ever-new threats, cloud-native security will become the key to future network security protection. As ATT&CK has accumulated content and the related technology has matured, a container matrix has been added to ATT&CK. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge; it is a knowledge base of attacker behavior and a threat model that catalogs numerous threat groups together with the tools and techniques they use. This open knowledge base of adversarial tactics and techniques has already had a broad and profound impact on the security industry.

The intense focus on cloud-native security makes the ATT&CK Matrix for Container on Cloud timely. ATT&CK gives us a behavioral view of attackers and defenses, making otherwise abstract container attack techniques and tools tangible. Using the ATT&CK framework for red and blue team exercises to assess an enterprise's current security capabilities is a good reference for improving its protection.