Cloud computing represents a great transformation in the IT field. Since the inception of cloud computing, security issues have become a major obstacle to its development. However, there are two main voices in the cloud security industry: one focuses on the security protection of the cloud itself, known as cloud computing security; the other refers to the provision and delivery of security through the use of the cloud, which is the specific application of cloud computing technology in the security field, commonly referred to as secure cloud. Recently, Security Cow interviewed Wu Lei, the head of the cloud security product line at Anshuyun, an outstanding vendor in the secure cloud field, to explore what kind of security the secure cloud truly offers to users.

1. The Rise of Cloud Security
What is Cloud Security?
Cloud security is a network security defense solution that has evolved from cloud computing technology. Currently, most application scenarios involve the cloud service provider offering the security of the cloud itself, also known as “cloud-native security,” while the security of tenants on the cloud is provided by security vendors. Enterprises need to understand the implementable details of cloud computing security, and the deployed cloud platform can ensure security through appropriate policies.
In other words, the standard form of cloud security is:
1) The basic security attributes of the cloud itself
2) The system security of tenants on the cloud.
What Challenges Does Cloud Security Face?
So, is cloud computing itself secure? The premise is that cloud service providers can effectively protect customer data. Organizations must decide which security features they need; for instance, basic cloud security includes fundamental security functions, but enterprises need enterprise-level security options.
Wu Lei believes that in a multi-tenant environment, data is stored in shared infrastructure, similar to shared physical disks or databases, which carries a high risk of inadvertently mixing data from other tenants. This could unintentionally expose important business information to unauthorized entities. Data stored in outsourced locations may be accessed by third-party operators, leading to potential confidential information leaks. Users within the enterprise need to verify the integrity and source of the content before use, and whether information stored with outsourced storage providers that has resale value can be protected is also questionable.
Cloud Security Requirements in Multi-Level Protection 2.0
Cloud computing occupies a very important position in Multi-Level Protection 2.0, with significant adjustments made based on Multi-Level Protection 1.0, expanding the protection scope while clarifying the four components that constitute cloud security requirements: network communication security, regional boundary security, computing environment security, and management center, proposing corresponding protection requirements and a “shared responsibility model”.
Wu Lei stated that the network architecture of cloud computing systems is flattened, with business application systems and hardware platforms loosely coupled. Anshuyun has identified the demand for personalized tenant security service capabilities, where the security policies of the secure cloud can be defined according to their needs, which is difficult to achieve with traditional security (personalized for tenants); cloud security requires a security management center to conduct systematic unified mobilization. To delineate responsibilities, the cloud management system and the cloud platform are separated, ensuring that security services are complete and reliable.
2. What is Secure Cloud?
Customized Security Services in Secure Cloud
Due to the rapid growth of information technology, the rapid development of security technology, and the constantly evolving hacker strategies, relying on the security capabilities provided by cloud computing is a reasonable choice. If managed properly, secure cloud can offer minimized management costs and reduced interference from service providers.
Wu Lei believes that as the boundaries of security protection become blurred and protection needs continue to evolve, the secure cloud was born to meet the customization demands of multi-tenant security services. Traditional security devices operate independently, and the upgrade of security devices leads to severe resource waste and overly complex operations, resulting in a very complicated network topology and high maintenance costs for users. By applying cloud computing in the field of network security, network security capabilities and resources are cloudified, providing on-demand network security services to users.
To this end, Anshuyun proposed the concept of a cloud security resource pool and quickly developed products for implementation in 2017. The so-called security resource pool utilizes the container characteristics of cloud computing technology to build a cloud resource pool, deploying user networks, private clouds, and IDC, virtualizing network security products within the resource pool. When users need a certain security function, dynamic scheduling is performed. This approach fully utilizes software-defined technology, establishing a dynamic, closed-loop software-defined cloud security service system that simplifies, accelerates, and ensures compliance in solving cloud security issues.
Wu Lei stated that based on the security resource pool, Anshuyun collaborates with various security products, which include security capabilities that meet the protective needs of various users, such as Anshuyun’s independently developed WAF, NGIPS, CASB, etc. Additionally, the secure cloud has the capability to provide various security protection capabilities on demand, allowing users to flexibly choose security services based on their business characteristics and cost budgets. Users can save on the costs of investing in and maintaining security devices, opting instead to directly purchase security services provided by the secure cloud. Traditional security tools cannot offer the freedom of customization and effective management of multiple security products, especially when enterprises use security products from multiple vendors.
He said the uniqueness of secure cloud lies in the fact that security services can be customized on demand for users, and for operators, there is no need to purchase multiple security products; each tenant can share a virtual security device, saving security resources and achieving efficient operation.
3. Core Technologies of Secure Cloud
Only SDN-Based Cloud Platforms Can Be Considered Secure Cloud
SDN has brought an opportunity for the management of cloud platforms, transforming previously vague boundaries into a structured network, allowing security to find a new focal point. It effectively improves the complexity of security policies and management, reducing the IT operational costs for enterprises.
Wu Lei mentioned in the interview that the pooling and virtualization of resources in cloud platforms can only be called secure cloud after being software-defined. This is because after introducing SDN, cloud platforms can enhance their capabilities in management, networking, and collaboration, achieving effective rapid response, resource scheduling, and demand sensing. Users have different requirements for security service capabilities; achieving point-to-point regional security within the enterprise is difficult, increasing the complexity of security operations. Only SDN can simplify and commercialize the final system; otherwise, even the most complete design will remain theoretical. In contrast, SDN has fine granularity, high elasticity, and flexibility, making it easier to partition networks; traditional protocols cannot meet the core demands of secure cloud development. SDN inherently possesses the genes for easy security policy management, thus only SDN-based cloud platforms can be considered secure clouds.
Multi-Point Linked Security Depth Defense Capability
In fact, the greatest advantage of secure cloud is cost reduction while improving agility and even enhancing concurrency performance (such as the elastic expansion of cloud resources). However, compared to security devices, secure cloud increases the attack surface and reduces the trusted boundary, making the overall design of secure cloud particularly important, which means careful management of secure cloud throughout its lifecycle to avoid introducing new threats. The depth defense system can enhance security protection capabilities and tighten the attack surface. Wu Lei discussed Anshuyun’s depth defense capabilities, which mainly manifest as multi-point linked defense:
A. Support for third-party security service capabilities
B. Ability to provide users with a combination of various security products
C. Can link multiple security manufacturers for protective types, ensuring users’ depth defense capabilities
Security Cow Review
The integration of virtualization technology and security devices drives security virtualization and hybridization in the cloud. Absolute security does not exist; although secure cloud reduces the cost of deploying security products for enterprises and enhances the manageability of using multiple security products, it also increases the complexity of secure cloud design. The relationship between information security and applications is undergoing a transformation, whether it is depth defense, software-defined networking, or security virtualization. The results of the integration of network security with new technologies await further exploration and practice.
Related Articles
Top Twelve Mainstream Cloud Security Threats
Google GCP: The Most Secure Cloud Platform?
