A public cloud can be built and used easily by application developers themselves. But precisely because it is easy, security incidents caused by design mistakes and configuration errors are likely to occur. The problem becomes even more complicated in a multi-cloud environment, where functions and configuration items differ from service to service.
Developers and engineers who have not been very security-conscious until now will need to raise their security awareness and take part in countermeasures. But it is hard to know how to implement comprehensive security in a multi-cloud environment, and what developers in particular should be careful about.
We asked Nobuaki Sako of Nomura Research Institute (NRI), which uses multiple clouds including OCI, and who is in charge of formulating the company's security guidelines for cloud use, about the role developers will play in security going forward, the overall security concept, and the points for putting it into practice.
Nobuaki Sako, Information Security Department, Quality Supervision Headquarters, Nomura Research Institute (NRI). Mr. Sako also gave a lecture at "OCIJP #16 I can't hear it now!?
The security guidelines Mr. Sako is responsible for are concrete items that NRI's in-house engineers should consider and comply with in order to use cloud services safely. At present they cover IaaS such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud, GitHub, and containers such as Docker/Kubernetes.
Behind these in-house guidelines is a change in who is responsible for security measures. As noted above, not only the security and infrastructure staff but also developers must now "participate" in security measures. Mr. Sako gave several reasons for this change.
The first is that applications have shifted from on-premises to the cloud. A cloud environment is very different from an on-premises environment in the company's own data center, which is isolated from the outside both physically and at the network level.
"The information assets to be protected are the same on-premises and in the cloud. But the cloud is premised on 'use over the Internet' and can be accessed from anywhere in the world, and the Internet is always exposed to attacks. As soon as permissions are set, the environment can be fully opened to the outside. So it can be said that the center of gravity of security measures is shifting from the on-premises approach to multiple layers, including authentication, authorization, and data protection such as encryption."
The cloud-native development style also affects how security is thought about. In old-style waterfall development, security checks were often performed at the final stage, just before release (before exposure to the Internet), after a long development period. But to respond to business change, agile development, which repeats development and release in short cycles, is increasingly required.
"If developers themselves do not build in security from the first stages, such as design and environment settings, security problems will be found at the final stage and the release will be delayed. Furthermore, to repeat security checks in every short development cycle, you have to think about automating that work and saving labor."
In addition, in the cloud the development and sandbox environments tend to be less adequately protected than production. "Because we don't handle production data," teams casually loosen the security settings of the development environment, or leave a sandbox environment that was launched for a trial running, and this creates a security "hole". This is another reason developers themselves need to be security-conscious and take measures.
A comprehensive framework and guidelines are needed to take security measures without omissions.
NRI's cloud security guidelines consist of two types, "Basic Guidelines" and "Individual Guidelines". The Basic Guidelines are seven items such as "access control by network" and "authentication/authorization by ID", while the Individual Guidelines are "specific countermeasure procedures" for each cloud, such as OCI and AWS.
NRI's Basic Guidelines classify the items to consider in cloud security into seven types.
Mr. Sako said that the guidelines were based on the "CIS Controls" and "CIS Benchmarks" framework and documents. CIS (Center for Internet Security) is an organization that standardizes Internet security and whose output is used by US government agencies, companies, and academic institutions; the CIS Controls and CIS Benchmarks are among the de facto standards in cloud security.
Other well-known security frameworks include the "NIST Cybersecurity Framework" and "PCI DSS", but Mr. Sako said, "CIS deals with specific technical measures, so it is well suited for developers to refer to."
Features of major cloud security frameworks. The strength of the CIS Controls is specific technical measures against cyber attacks (Source: quoted from the NRI Secure Blog, partially modified)
Like NRI's Basic Guidelines and Individual Guidelines, the CIS Controls give the "way of thinking" about security, and the CIS Benchmarks summarize "specific countermeasure procedures" for each cloud.
"As a simple example, a CIS Control stipulates 'confirm that all accounts have an expiration date', and the CIS Benchmark gives the specific measure 'rotate authentication tokens within 90 days' together with the setting procedure for each cloud vendor. By reading the CIS Controls as the 'horizontal axis' and the CIS Benchmarks as the 'vertical axis', you can take security measures at a uniform, standardized level across multiple clouds."
Because it is organized this way, when a developer wonders, "I know how to make this security setting in AWS, but what should I do in OCI?", they can go back from the CIS Benchmark to the CIS Control and check what concept the benchmark item is based on.
"In the field it may not be possible to configure exactly as the rules say because of the system's circumstances, but if you follow the concept behind the rule, you can take measures with alternative controls."
List of security areas covered by the CIS Controls (Source: NRI Secure Blog)
An example of a security recommendation in a CIS Benchmark. Documents are provided for each of the major cloud vendors (Center for Internet Security)
Incidentally, the CIS Benchmarks describe the setting procedure using command-line (CLI) operations alongside the web console (GUI) operations. CLI operations are easy to extend into automation with shell scripts, and Mr. Sako explains that tools and services for automating CLI operations are already available.
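The following is an added example, not code from the article, NRI, or CIS. It turns the benchmark item Mr. Sako quotes ("rotate authentication tokens within 90 days") into the kind of CLI-driven check he describes: one rule, evaluated on the JSON that the AWS and OCI command-line tools print, so the same CIS Control is enforced the same way on both clouds. The two JSON documents are constructed samples; the field names follow the output of `aws iam list-access-keys` and `oci iam user api-key list` and are an assumption of this example, as is the fixed reference time.

```python
"""Added example (not from the article, NRI, or CIS): the credential-age
check behind the CIS recommendation "rotate authentication tokens within
90 days", applied to AWS and OCI CLI output. Both JSON documents below are
constructed; their field names follow `aws iam list-access-keys` and
`oci iam user api-key list` output and are an assumption of this example.
"""
import json
from datetime import datetime, timezone

MAX_AGE_DAYS = 90  # threshold of the benchmark item quoted in the article

# Fixed reference time so the check is reproducible offline (constructed).
NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)

# Constructed: shape of `aws iam list-access-keys --user-name ...` output.
AWS_SAMPLE = """{"AccessKeyMetadata": [
  {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE0000001",
   "Status": "Active",   "CreateDate": "2023-11-02T09:15:00+00:00"},
  {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE0000002",
   "Status": "Inactive", "CreateDate": "2023-01-10T08:00:00+00:00"},
  {"UserName": "alice",      "AccessKeyId": "AKIAEXAMPLE0000003",
   "Status": "Active",   "CreateDate": "2024-02-20T12:00:00+00:00"}
]}"""

# Constructed: shape of `oci iam user api-key list --user-id ...` output.
OCI_SAMPLE = """{"data": [
  {"fingerprint": "aa:bb:cc", "lifecycle-state": "ACTIVE",
   "time-created": "2023-10-15T07:30:00.000Z", "user-id": "ocid1.user.oc1..example1"},
  {"fingerprint": "dd:ee:ff", "lifecycle-state": "ACTIVE",
   "time-created": "2024-03-01T07:30:00.000Z", "user-id": "ocid1.user.oc1..example1"},
  {"fingerprint": "11:22:33", "lifecycle-state": "DELETED",
   "time-created": "2022-01-01T00:00:00.000Z", "user-id": "ocid1.user.oc1..example1"}
]}"""


def parse_time(stamp):
    """Parse the ISO-8601 timestamps both CLIs emit; OCI uses a trailing 'Z'."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def age_days(stamp, now=NOW):
    """Whole days elapsed between a CLI timestamp and the reference time."""
    return (now - parse_time(stamp)).days


def stale_aws_keys(doc, now=NOW, max_age_days=MAX_AGE_DAYS):
    """Active AWS access keys older than the threshold: (user, key id, age)."""
    findings = []
    for key in json.loads(doc)["AccessKeyMetadata"]:
        if key["Status"] != "Active":
            continue  # an inactive key cannot be used; the rule targets live credentials
        age = age_days(key["CreateDate"], now)
        if age > max_age_days:
            findings.append((key["UserName"], key["AccessKeyId"], age))
    return findings


def stale_oci_keys(doc, now=NOW, max_age_days=MAX_AGE_DAYS):
    """Active OCI API signing keys older than the threshold: (user OCID, fingerprint, age)."""
    findings = []
    for key in json.loads(doc)["data"]:
        if key["lifecycle-state"] != "ACTIVE":
            continue  # deleted keys are listed by the CLI but no longer authenticate
        age = age_days(key["time-created"], now)
        if age > max_age_days:
            findings.append((key["user-id"], key["fingerprint"], age))
    return findings


def report(now=NOW):
    """One CIS Control (credentials expire) checked on two clouds with the
    same threshold: the Control is the horizontal axis, each cloud's CLI
    output is one row on the vertical axis."""
    return {"aws": stale_aws_keys(AWS_SAMPLE, now),
            "oci": stale_oci_keys(OCI_SAMPLE, now)}


if __name__ == "__main__":
    for cloud, findings in report().items():
        for owner, ident, age in findings:
            print(f"[{cloud}] {owner} {ident}: {age} days old, exceeds {MAX_AGE_DAYS}")
```

In a real pipeline the two sample strings would be replaced by the live CLI output (`aws iam list-access-keys --output json`, `oci iam user api-key list --user-id ...`), which is the automation step the article describes; the rule and the threshold stay identical for both clouds, and only the field names in the two parsers differ.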
Apart from industry-standard security frameworks, cloud vendors also publish their own best practices as part of their services. Mr. Sako recommends combining these as well, in a "three-stage configuration", to produce more comprehensive rules.
Specifically, the idea is to take the common countermeasure policy of the CIS Benchmark as the base, layer each cloud vendor's best practices on top of it, and finally add the company's own individual requirements as its own rules. NRI actually defines its guidelines with this three-stage configuration in mind.
Well-rounded rules can be made with the "three-stage configuration": CIS Benchmark + the cloud vendors' best practices + the company's own rules.
Another point he emphasized was that security measures do not end with making rules. It is also necessary to verify that the formulated rules are actually applied when a system is built, to keep monitoring for and detecting deviations from the rules, to keep updating settings on the user (developer) side, and to run education and awareness activities that ensure a unified, continuous and comprehensive security level across the company.
"These initiatives are not finished once they are done. In the cloud, new services appear one after another, so the rules and settings must be updated continuously, and in education and awareness it is important to learn from the latest security incidents and cyber attack cases. A system that allows these four efforts to continue will be necessary."
He explained that rule-making, application and monitoring of the rules, continuous updates, and education and awareness all have to be worked on at the same time.
As mentioned at the beginning, NRI is also actively working on multi-cloud utilization. When comparing multiple vendors' IaaS from a security point of view, what are OCI's characteristics and advantages? Sako says:
"OCI is a relatively late-arriving cloud, so my impression is that the security measures and issues the preceding vendors had already worked through were resolved before its services were offered."
There are some points where finer-grained settings would be preferable, but overall, he says, "I don't think there is that much difference from the preceding vendors."
One of OCI's good points is that data encryption is not treated as an option and cannot be turned off by the user. OCI has a basic policy called "end-to-end data encryption": all data stored in storage and databases, and all data traversing the global backbone network, is encrypted.
"In security, encryption of data can be called 'the last fort'. Oracle has a clear message that 'any data is always encrypted'. So I feel they are strongly conscious of how data is handled."
Beyond data encryption, OCI's security settings generally default to the "safe side", and many settings cannot be changed to a risky value. Mr. Sako pointed out that the number of recommended settings in the CIS Benchmark for OCI is significantly smaller than for other vendors, and said, "Because security measures are taken by default, there are few points that are troublesome for users."
Another good point is that Oracle Cloud Guard, a service that automatically detects and corrects risky settings and activities, is provided to OCI users free of charge. Oracle Cloud Guard continuously checks each service's settings and activities to visualize the security status of the whole OCI environment. For example, it can detect when multi-factor authentication (MFA) has not been set up for an OCI user. Similar security tools are provided by other vendors, but Mr. Sako says that in OCI it can be used at no additional cost.
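The following is an added example, not code from the article or from Oracle Cloud Guard. It shows the "user without MFA" detection the article uses as its Cloud Guard example, written against the JSON that `oci iam user list` prints, and turns each hit into a Cloud Guard-style problem record with a containment action. The user records are constructed; the field names (`is-mfa-activated`, `lifecycle-state`, `capabilities`) follow the OCI CLI's output and are an assumption of this example, as is the `oci iam user update-user-capabilities` command used for containment.

```python
"""Added example (not from the article or Oracle): detect OCI users who can
log in to the console without MFA, from `oci iam user list` output, and
emit Cloud Guard-style problem records. The records below are constructed;
the field names and the containment command are assumptions of this example.
"""
import json

# Constructed: shape of `oci iam user list --all` output.
USERS_SAMPLE = """{"data": [
  {"id": "ocid1.user.oc1..alice", "name": "alice@example.com",
   "lifecycle-state": "ACTIVE", "is-mfa-activated": true,
   "capabilities": {"can-use-console-password": true, "can-use-api-keys": true}},
  {"id": "ocid1.user.oc1..bob", "name": "bob@example.com",
   "lifecycle-state": "ACTIVE", "is-mfa-activated": false,
   "capabilities": {"can-use-console-password": true, "can-use-api-keys": false}},
  {"id": "ocid1.user.oc1..ci", "name": "ci-pipeline",
   "lifecycle-state": "ACTIVE", "is-mfa-activated": false,
   "capabilities": {"can-use-console-password": false, "can-use-api-keys": true}},
  {"id": "ocid1.user.oc1..old", "name": "former-employee",
   "lifecycle-state": "INACTIVE", "is-mfa-activated": false,
   "capabilities": {"can-use-console-password": true, "can-use-api-keys": true}}
]}"""


def users_without_mfa(doc):
    """Names of active users who can sign in to the console but have no MFA.

    API-only identities (no console password capability) are skipped: MFA
    protects the console login, and flagging service users only creates
    noise. Inactive users are skipped because they cannot log in at all.
    """
    findings = []
    for user in json.loads(doc)["data"]:
        if user["lifecycle-state"] != "ACTIVE":
            continue
        if not user["capabilities"].get("can-use-console-password", False):
            continue
        if user["is-mfa-activated"]:
            continue
        findings.append(user["name"])
    return findings


def problems(doc):
    """Cloud Guard-style problem records: what was found, on which resource,
    and an action a reviewer can take. MFA enrollment must be done by the
    user, so the automatable part is detection plus containment: remove the
    console-password capability until MFA is set up (assumed CLI command)."""
    by_name = {u["name"]: u for u in json.loads(doc)["data"]}
    records = []
    for name in users_without_mfa(doc):
        uid = by_name[name]["id"]
        records.append({
            "detector": "user-without-mfa",
            "severity": "HIGH",
            "resource": uid,
            "user": name,
            "contain": ("oci iam user update-user-capabilities "
                        f"--user-id {uid} --can-use-console-password false"),
        })
    return records


if __name__ == "__main__":
    for p in problems(USERS_SAMPLE):
        print(f'{p["severity"]} {p["detector"]} {p["user"]} ({p["resource"]})')
        print("  containment:", p["contain"])
```

The scoping in `users_without_mfa` is the part worth copying: a detector that flags every user with `is-mfa-activated: false` would also flag pipeline identities that can never reach the console, and a noisy detector is the first thing a development team switches off.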
"In a small environment such as a development environment, even though the cloud usage fee is not that much, there tends to be a psychological barrier to paying for security. If it is free like Oracle Cloud Guard, it is easy to introduce even in such environments, and visualizing the security issues leads to the awareness that measures have to be taken."
Oracle Cloud Guard supports safe cloud use by centrally monitoring and correcting the settings and activities of the various services across the entire global OCI.
* * *
Mr. Sako summarized that developers and security officers need to come closer together, eliminate the "division" between them, and promote security awareness. Sako himself also takes part in the company's cloud study sessions and actively raises security topics there.
"The later in the development process a security issue is found, the greater the cost of fixing it. We are working to build a relationship in which developers can talk about what to do to shift security left, and how to do it."
Oracle Japan offers knowledge for developers on various themes, including security, at the Oracle Code Online community meetup seminars held online every week. Developers are encouraged to register as members of this community and make use of it for a wide range of learning.
■ Oracle Code Online https://oracle-code-tokyo-dev.connpass.com/
(Provided: Oracle Japan)