Alibaba Cloud Xiao Li: Native Security Creates an Oasis on the Cloud
On September 17–18, 2020, the Apsara Conference 2020 was held online. In the light of the digital transformation accelerated by COVID-19, cloud-native brings a more dynamic, efficient, and vital architecture to all industries with high visibility. What advantages does cloud-native security have? Could it solve the security dilemmas of offline business scenarios? As the first security engineer of Alibaba, Xiao Li, Vice President of Alibaba and General Manager of Alibaba Cloud Security, delivered a speech entitled, “Accelerating Cloud-Native, Innovating Security Capabilities.”
Xiao Li believes that migration to the cloud is the best way to improve security. The innovative cloud-native security can create an “oasis on the cloud” for enterprise users. With that said, data can be stored more logically with security protection from physical data centers to core cloud platforms, and have seamless integration with the cloud platform. Previously, enterprises needed to be fully responsible for security, including securing their infrastructure, data, and applications. After migration to the Alibaba Cloud platform, less loss and higher-level security can be achieved at the same time.
“Upstream Thinking” of Cloud-Native Security
Cloud security requires experience and comes at a high cost. Alibaba has worked for years to summarize industry-leading practices. Traditional security systems can only respond passively, but cloud-based infrastructures allow security systems to actively solve upstream problems. This is the core change in cloud-based security construction. Therefore, building security control in the new environment with a traditional security mindset will undoubtedly weaken the advantages of the cloud.
Cloud-native security can create a trusted environment for all environments and a full lifecycle with the highest level of security capabilities from the hardware layer to the SaaS layer. As a result, the hierarchy from the users’ perspective will be different and security products will evolve and change accordingly. Enterprise users can build enterprise security architectures based on cloud-native capabilities and customize services to achieve their security objectives. By doing so, they can develop security products and obtain security capabilities.
The cloud is an “oasis” that is more secure and can automatically solve homogeneous and complex security issues, allowing users to solve issues deserving more attention.
The following is a summary of the original speech:
COVID-19 has had a great impact on all walks of life. In the first half of this year, all industries were accelerating their digitalization process. On the one hand, more and more users from different industries are embracing cloud computing and Alibaba Cloud. On the other hand, network security has become one of the top three issues that concern enterprises. This needs to be solved urgently. Many government and financial customers use the core capabilities of cloud security to build the next-generation security architecture on the Alibaba Cloud platform. Now, I will focus on technologies and cloud-native security capabilities developed by Alibaba Cloud Security. These technologies and capabilities can help enterprise customers better solve security issues that could not be solved in the past.
DingTalk Added 10,000 Servers in 2 Hours, with Default Coverage for Security Services
In February, when COVID-19 was at its peak in China, DingTalk took charge of online education for millions of students and employees. Facing exponential traffic surges, DingTalk added 10,000 servers in just two hours. In the traditional architecture, the implementation of full-coverage security is an impossible task at this speed. Attacks can result in the interruption of online meetings and videos in DingTalk, increasing the risk of private data leakage. By applying service-based cloud-native security capabilities, DingTalk quickly combined security protection measures, such as Cloud Anti-DDoS and Cloud WAF, to ensure stable operation.
In a traditional offline security scenario, it may take at least one month to deploy such large-scale security devices for an application like DingTalk. Each device needs to be put on racks and debugged, and the defense effect of connected devices needs to be tested. The service-based cloud security can quickly scale up the security capabilities of the entire business in hours and provide real-time services.
Integration of Security Capabilities and Infrastructure – Ransomware Problems Can Be Solved with 0 Ransom
The traditional enterprise security architecture is a very complex network with a large number of devices. A large enterprise may have hundreds of offline security devices connected to the network. We can imagine how difficult it would be to connect all of the security devices from end to end. This could lead to problems in comprehensive management and data silos in security capabilities, but cloud security capabilities can be directly integrated into cloud products. For example, cloud-native security capabilities can be further integrated with the Content Delivery Network (CDN) and Server Load Balancer (SLB). When users use these cloud products, the security capabilities can be further improved both for access and comprehensive management.
Alibaba has a system called the Unified Access Layer. At this layer, we integrate security capabilities into the system. All Alibaba economies and business systems only need to access the system when they go online, and security capabilities will be provided. This new type of security is very convenient for customers since it reduces the workload. I would also like to share another case. In the past six months, ransomware attacks have been rampant, with a 72% increase. Attackers made profits by encrypting enterprise data, which has become one of the major threats to enterprises.
The world-renowned GPS company, Garmin, recently had a security incident. One day, Garmin’s GPS service was interrupted. The ransomware software encrypted Garmin’s data and the attacker asked for a ransom of tens of millions of dollars. In the end, Garmin decrypted the data by paying the ransom to restore the service. Garmin suffered severe losses.
Alibaba Cloud’s anti-ransomware solution integrates security capabilities with all basic cloud products to detect ransomware and provide security protection. Users can apply snapshots provided by the Container Registry to create a security solution. Even if the detection and defense capabilities are challenged and some unknown worms encrypt customers’ data, Alibaba Cloud’s anti-ransomware solution allows customers to quickly restore the data by using the image snapshot feature, without having to pay the ransom.
We have seen a lot of these scenarios. When security capabilities and technologies support the further integration of cloud products, they will have significant changes.
Hardware Security against Firmware Attacks – The Highest Level of Security Protection
Just a few weeks ago, the British National Cyber Security Centre released a report that research institutes of the COVID-19 vaccine were targeted for an attack. They replaced the firmware of all of the VPN servers on the network to gain long-term control of the perimeter network.
As we all know, this kind of firmware-based attack is very difficult to detect for system-layer security software. In defending against attacks, it is most effective to attack lower dimensions from higher dimensions. The lower-level detection and defense capabilities are more effective for upper-level attacks.
The hardware security capability of Alibaba Cloud allows security detection when the system is started and can effectively detect this type of high-security-level backdoors and Trojans. Such examples are numerous, and we hope that the high security capability of Alibaba Cloud in the hardware layer can provide high-level security protection for all users on the cloud.
Enable “Identity” as the New Security Boundary — Create a Zero-Trust Network Environment
Traditional network boundaries and access control, including isolation, will gradually become weak as the business develops. Enabling identity as the new security boundary for enterprises will become one of the core dimensions of building a new security system. In the past months, 80% of enterprises chose telecommuting. Security problems, including the security of employees’ terminal devices at home, the entire office’s network traffic, and the data leakage risk of application systems on the cloud, have become great challenges for enterprises.
Yuanfudao is a client of Alibaba Cloud. It is a leading enterprise in online education. Globally, it has more than 30,000 employees. Many of them worked at home during the last several months, so unified remote management was needed. After several rounds of verification in the production environment, Yuanfudao finally chose the complete set of zero-trust telecommuting solutions of Alibaba Cloud to solve this problem.
The Alibaba Cloud zero-trust solutions implement trust authentication for all employees’ terminals. The solutions perform two-factor strong authentication for each user’s identity, interconnect all core application systems in the cloud-based decision-making engine, and unify ID and authorization. The cloud-based intelligent decision-making engine can also determine permissions granted to each user based on the current security factors. This improves office efficiency, employee experience, and security level.
Default Data Encryption and Key Rotation Make Privacy Leakage Impossible
All enterprises are concerned about cloud data security. The default data encryption method shows a trend in data security. I’d like to share a case of a mobile phone manufacturer in China. We all store photos on the cloud, and these photos are important privacy data. This mobile phone manufacturer stores cloud data through our Object Storage Service (OSS) and uses the default encryption function of OSS.
Private photos of users on the cloud are encrypted by default when stored in Alibaba Cloud OSS, and customers keep their keys, which can effectively prevent all security risks caused by data leakage on the cloud. Currently, all 17 cloud products provide the default encryption function and the key rotation function. Users can manage their keys through the key management system. Once the key on the cloud is leaked, users can further improve data security on the cloud through one-click key rotation.
Data Intelligence Drives Security Technology
The main security challenge encountered by enterprises previously was large amounts of data. It is necessary to effectively identify threats in massive traffic, accurately find out where the threats are, and intercept them in the first place. Alibaba Cloud has applied data technology to multiple security fields with good results.
In the DDoS defense and web security defense aspects, Alibaba Cloud can use the algorithm model to identify and block attack traffic very accurately. In terms of threat intelligence, Alibaba Cloud can identify malicious IP addresses on the entire network, automatically analyze threats, and generate “security vaccines”. For content moderation and risk control, Alibaba Cloud can analyze and understand images and videos to help users identify illegal content that involves pornography, terrorism, and violence, and can provide ID verification of videos for users. These are the “six core advantages” of cloud-native security summarized in the practice over the past year. Based on many security product capabilities and frameworks implemented, today, I will also focus on releasing the Alibaba Cloud-Native Security Architecture.
Every enterprise can build cloud-based innovative security architecture for the next generation based on this architecture and the requirements of their business. The architecture is divided into three major layers:
Layer 1: Cloud Platform Security
Alibaba Cloud provides a more secure underlying cloud platform by applying hardware security capabilities and the threat detection and response capabilities of the overall cloud platform.
Layer 2: Cloud Product Security
Modeling capabilities for security and threat have been incorporated into the product development process during the design period.
Layer 3: Built-In Native Security
Security capabilities are integrated into scenario-based solutions and provided to users in various industries at all levels, such as the host layer, the network layer, the application layer, the data layer, and the business layer.
Today, Alibaba Cloud Security has been recognized by leading international third-party consulting organizations, such as IDC, Gartner, and Forrester, and representative enterprise users from China and other countries are using Alibaba Cloud Security. There is no doubt that Alibaba Cloud Security is already leading the cloud security field.
Alibaba is implementing full-stack migration to the cloud. On the one hand, we hope to help various enterprises solve security problems based on the cloud platform and cloud-native security capabilities. On the other hand, we hope to provide the same security capabilities obtained by Alibaba for millions of users through the cloud platform.
On today’s cloud, the changes to the underlying infrastructure have brought dramatic changes to security. I believe that all enterprises will enjoy the highest level of security on the cloud in the future.
More innovations will flow into the cloud security field. I also look forward to using cloud-native security capabilities to help users build next-generation security architecture. We use the cloud and we should use it better. Let’s fully release the business competitiveness of enterprises in “oasis on the cloud”!