Security Product Competitiveness Analysis: Training Commentary
This training is divided into three parts: an overview of the Huawei Cloud security system, an analysis of the main security products and their competitiveness, and product packages and offerings.
Security system overview
Let's begin with the first part, the overview of the Huawei Cloud security system. Here we look at how Huawei's security system is built and why Huawei Cloud is a secure, compliant and trustworthy cloud. This is achieved through the following aspects:
- Threat events handled within seconds: 300,000+ (30W+) threat intelligence sources provide real-time visibility into threat events, and together with the three main internal security platforms this lets Huawei Cloud respond immediately to events as they occur. Three response centers have been set up worldwide for 24/7 (7X24) monitoring and crisis response. As a result, 70% of threat events are closed within 1 minute and 99% within 5 minutes. Some figures on the security incidents handled by Huawei Cloud are also listed here.
- Network data compliance: as the scale of the network grows rapidly, countries are actively legislating to protect network security data. Wherever Huawei Cloud operates cloud services, it complies with local security regulations and protects the privacy of data on the cloud.
- Seven-layer defense and security operations: the diagram shows the seven layers of defense, namely xxx, which cover every aspect of the cloud data center. They are managed and monitored centrally through the SOC (security operations center) to ensure the cloud platform is secure and trustworthy.
- Comprehensive protection of cloud tenants: compliance programs and security operations secure the cloud infrastructure, while at the tenant application layer, security services aimed at the different application tiers protect tenants against the range of threats they face.
Introduction to the main security products
Before introducing Huawei Cloud's main security products, let's first look at the current security situation in LATAM. A survey by MAPFRE found that LATAM suffers 1,600 attacks per second, with the number of attacks growing at an annualized rate of 94%. Also listed below are the major security incidents in Latin America reported on the dark web; they show that attacks, data leaks and ransomware incidents occur every month and every day. The chart on the right gives the percentage of IT leaders reporting each type of security challenge. These figures show that intrusion prevention and ransomware prevention are the main security requirements of most enterprises.
Applications follow a three-tier architecture, and Huawei Cloud has developed security cloud services for each of the three tiers to protect tenants from attacks at every layer of the application. Customers can use them out of the box, quickly and simply.
1. WAF
In daily life we browse websites and open different apps on our phones every day, all of which involve HTTP/HTTPS calls. Web applications are therefore the most common applications on the Internet, and their security protection is mainly implemented through a WAF. Huawei Cloud WAF provides three modes and supports access by IP address, domain name and ELB, so it can conveniently protect customers' different web application scenarios. The dedicated mode deserves special mention: with most cloud vendors' WAFs, the web applications of many tenants are connected to the same WAF engine, whereas in dedicated mode the WAF engine created by a customer is used only by that customer and its WAF resources are not shared with other tenants, which better guarantees the customer's data security and availability. AAG has no dedicated mode.
Compared with AAG's WAF, Huawei Cloud WAF has five advantages, namely xxx; these are capabilities that Huawei has and its competitors do not.
Next, compare the billing items of Huawei Cloud WAF and A1 WAF: Huawei Cloud supports both pay-per-use and yearly/monthly (package) billing, while A1 supports only pay-per-use. Pay attention to the billing items: at first glance AWS looks cheaper, but the billing items are different. We charge by the number of domain names, while AWS charges by the number of ACLs. Comparing Huawei Cloud's yearly/monthly package with AWS's pay-per-use model shows that the higher the customer's traffic, the more expensive AWS becomes. Taking google, hao123, unam and 同花顺 (a financial/stock-market site) as examples, a simple page analysis shows that a medium-sized enterprise can reach the corresponding request volume. (Small businesses are ignored, since their monthly cloud spend generally does not exceed US$200.)
(How to answer the objection that the 24-hour calculation is unreasonable: 1. Users who buy security services are generally not very small. A personal blog or a company site with only 3 to 5 employees usually runs on a single server and would rarely consider buying a security product like a WAF; this is also why we target users with MRR above 5K. 2. Taking Unam University as an example, it has multiple subdomains, all of which receive visits, and the traffic adds up. A typical enterprise also has portal, OA, CRM, ERP, email, attendance, expense reimbursement, workflow and other systems. 3. Requests are made even when a page is open but idle: financial pages, for example, refresh market data in real time, so as long as the customer has the page open, requests are sent and refreshed automatically. 4. For mobile app traffic, people are tapping through pages almost continuously.)
2. CFW
Huawei Cloud CFW is a cloud-native firewall. As the architecture diagram shows, CFW protects internal and external, east-west and north-south traffic. The key point is one advantage a cloud-native firewall has over a traditional firewall: a traditional firewall cannot protect east-west traffic.
CFW has two advantages over AAG and three over traditional network firewall vendors, namely xxx.
On cost, A1 offers only pay-per-use, its instances are more expensive, and it also charges for traffic. Taking 200 GB/month of usage as an example, A1 works out 13% more expensive than Huawei (the calculation formula is in the notes on the slide), and the higher the traffic, the cheaper Huawei Cloud CFW is by comparison.
3. HSS
HSS is cloud-native host security, used mainly to protect cloud hosts and cloud containers (CGS has been merged into HSS). HSS has five key capabilities: asset management, vulnerability management, baseline management, intrusion detection and advanced defense.
HSS has four main advantages over other cloud vendors: anti-ransomware, web tamper protection, two-factor authentication and comprehensive coverage of protection scenarios (visible in the edition design). HSS currently has a price advantage over competitors in the basic and enterprise editions; at the same time, because it offers more functions than A1/A2, some editions are priced higher than competitors'.
4. DBSS
DBSS mainly provides database security auditing and sensitive data protection; AAG currently has no directly comparable product. DBSS comes in two main editions, and the capabilities of each are shown in the table.
5. SecMaster (安全云脑)
The three-tier architecture diagram and the product introductions above show that there are many security products, and it is cumbersome to view and act on the analysis results and alarms of each one separately. SecMaster provides log collection, asset management, security governance, situational awareness, threat operations, orchestration and response, so the whole of security operations can be run and managed from a single platform.
- P25: SecMaster service architecture and product competitiveness
- P26: Security expertise as a service, helping enterprises build a security center
- P27: Key functions of SecMaster
Product packages and offerings
Enterprises run a wide variety of applications on the cloud, and Huawei Cloud offers dozens of security products to choose from. Customers unfamiliar with Huawei Cloud security products face a difficult choice, so for the common attacks enterprises encounter we have launched two packages: anti-intrusion and anti-ransomware.
The anti-intrusion package blocks attacks by malicious programs along three dimensions: network access protection, web application attack protection and host security protection. The anti-ransomware package uses four cloud services; HSS must be the flagship edition or above to provide anti-ransomware capability, and CBR backup is added to back up important data regularly. Backup is the last line of defense: even if data is damaged or encrypted, it can be restored from backup.
Related terms
- SOC (security operations center)
- SA (situational awareness)
- CERT (Computer Emergency Response Team)
- RASP (Runtime Application Self-Protection): application self-protection at run time (used to defend against unknown attacks; its implementation logic is similar to APM and SELinux)
- ICSL (Internal Cyber Security Lab): Huawei's internal lab; releases for sensitive regions must pass ICSL testing 100%
- ABAC (Attribute-based Access Control): a policy model that defines permissions from user attributes, giving fine-grained control based on tags, actions (read, write, delete, etc.), roles, resources and so on; generally used by large enterprises. Its counterpart is RBAC (role-based access control), generally used by small and medium-sized enterprises. ABAC overview and configuration process
- PIA (Privacy Impact Assessment): a process that helps an organization identify and manage the privacy risks arising from new projects, initiatives, systems, processes, strategies, policies, business relationships and so on. It benefits many stakeholders in several ways, including the organization itself and its customers. In the United States and Europe, policies have been issued that mandate and standardize privacy impact assessments.
- PAM/PAW (Privileged Access Management / Privileged Access Workstation): PAM works through a combination of people, processes and technology, letting you know who is using privileged accounts and what they do once logged in. Limiting the number of users who can access administrative functions improves system security, and the extra layer of protection mitigates data breaches caused by threat actors.
- https://www.jrasp.com/guide/
- https://www.checkpoint.com/cyber-hub/cloud-security/what-is-runtime-application-self-protection-rasp/
- https://www.freebuf.com/articles/web/197823.html
- https://zhuanlan.zhihu.com/p/620155136
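To make the ABAC-versus-RBAC distinction from the glossary concrete, here is an added example (not from the training deck or any Huawei Cloud product) of a tiny policy evaluator: the RBAC policy decides from role and action alone, while the ABAC rules also consult user attributes and resource tags. The roles, attribute names (department, clearance) and tag values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass
class Request:
    user: str
    roles: set        # RBAC input: the roles held by the user
    attrs: dict       # ABAC input: user attributes (department, clearance, ...)
    action: str       # read / write / delete
    resource: dict    # ABAC input: resource tags (department, classification, ...)


# RBAC: a role maps to a fixed set of actions; the resource is never consulted.
RBAC_POLICY = {
    "dba": {"read", "write", "delete"},
    "analyst": {"read"},
}


def rbac_allows(req: Request) -> bool:
    return any(req.action in RBAC_POLICY.get(role, set()) for role in req.roles)


# ABAC: each rule is a predicate over user attributes, action and resource tags.
def same_department(req: Request) -> bool:
    return req.attrs.get("department") == req.resource.get("department")


def cleared_for_resource(req: Request) -> bool:
    # resources tagged classification=restricted need a high clearance attribute
    if req.resource.get("classification") != "restricted":
        return True
    return req.attrs.get("clearance") == "high"


ABAC_RULES: list[Callable[[Request], bool]] = [
    # read: only resources tagged with the user's own department
    lambda r: r.action == "read" and same_department(r),
    # write/delete: dba role, own department, and clearance for restricted data
    lambda r: r.action in {"write", "delete"} and "dba" in r.roles
    and same_department(r) and cleared_for_resource(r),
]


def abac_allows(req: Request) -> bool:
    # deny by default; any matching permit rule grants access
    return any(rule(req) for rule in ABAC_RULES)
```

An analyst in finance reading an HR-tagged resource is permitted by RBAC (the role allows "read") but denied by ABAC, which is the finer-grained control the glossary entry refers to.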