Cloud Security Attack and Defense (1) Cloud Native

Foreword

With the widespread deployment of public and private clouds, cloud computing infrastructure has become the first choice for enterprises deploying new services. Cloud computing has entered its second half: competition among the major cloud service providers is increasingly fierce, and new concepts keep emerging. In recent years, cloud native security (Cloud Native Computing) has appeared more and more often in public view; it can be said to be the second half of the cloud computing era, which we might call cloud computing 2.0. As more and more enterprises and services move to the cloud, the security problems of the cloud become more and more serious. According to Statista, the public cloud market is expected to reach 500 billion US dollars in 2023, with an annual growth rate of 13.81% from 2023 to 2027. By the rule of 70 in economics, it is not hard to see that this growth rate means the market doubles roughly every 5 years, so by 2028 it may reach the trillions. This is of course only a rough estimate and may not hold in the future, but one thing is certain: this market is currently expanding rapidly, both in China and abroad. Because security accompanies the systems it protects, growth of the cloud computing market will very likely drive growth in cloud security, and with it changes and shifts in offensive and defensive scenarios. In the future, more and more attack and defense activity will involve cloud environments, so cloud security attack and defense will develop into an indispensable field.

Cloud Native

In recent years, the cloud computing model has gradually been recognized and accepted by the industry. In China, large enterprises and institutions in many fields, including government, finance, communications, and energy, as well as small and medium-sized enterprises of all kinds, have moved their business infrastructure to the cloud to varying degrees. However, most of them use open source or commercial IaaS systems to build cloud computing platforms and simply convert traditional physical hosts, platforms, and applications into virtualized form. The benefit of this approach is that overall resource utilization becomes more reasonable, and intensive operation reduces costs and improves overall operational efficiency and maturity. In the second half of cloud computing, we should make full use of the characteristics of cloud computing, such as elasticity, agility, resource pooling, and service delivery, to solve the problems encountered across the entire life cycle of business development and operation. In the traditional environment, for example, application upgrades are slow, architectures are bloated, and rapid iteration is impossible. This is the background against which the concept of cloud-native security came into being.

When it comes to cloud-native security, one organization that has to be mentioned is the CNCF (Cloud Native Computing Foundation), which promotes cloud-native development. The CNCF is a neutral organization that incubates and operates a cloud-native ecosystem, and its scope covers a very broad area of cloud computing.

Representative cloud-native technologies include containers, service meshes, microservices, immutable infrastructure, and declarative APIs. These techniques make it possible to build loosely coupled systems that are fault-tolerant, manageable, and observable. Cloud native advocates applications that are agile, reliable, highly elastic, easy to scale, and continuously updated. In building cloud-native applications and service platforms, the container technology that has emerged in recent years has become an important supporting technology in cloud-native scenarios thanks to its high elasticity, agility, and active, strong community support. New forms of service deployment such as serverless and service meshes are also changing how cloud applications are designed, developed, and operated, and thereby reshaping cloud services.

Unlike traditional cloud computing systems based on virtualization, cloud-native systems generally have the following characteristics:

Lightweight, Fast, Immutable Infrastructure

In a cloud-native environment, the supporting infrastructure is usually container technology. A container's life cycle is extremely short, mostly seconds or minutes, and it occupies far fewer resources than a virtual machine, so the defining features of containers are lightness and speed. Because of this, in practice applications are usually not installed or updated inside running containers; instead the update is made to a persistent image. The orchestration system pulls the new image, starts the corresponding containers, and deletes the old ones. This mode of updating only the image and never changing the container at runtime is called immutable infrastructure. It follows that the operational model of cloud native is completely different from that of traditional virtual machines.
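As an added example (not from the original post), a Kubernetes Deployment manifest that puts the immutable-infrastructure model described above into practice: the image is pinned by digest, the container's root filesystem is read-only, and a release is simply a new image reference that the orchestrator rolls out by starting new Pods before removing the old ones. The registry path, names and digest are placeholders.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api                      # placeholder name
spec:
  replicas: 3
  selector:
    matchLabels:
      app: api
  strategy:
    type: RollingUpdate          # new Pods from the new image come up before old Pods are deleted
    rollingUpdate:
      maxUnavailable: 0
      maxSurge: 1
  template:
    metadata:
      labels:
        app: api
    spec:
      containers:
        - name: api
          # Pin by digest rather than by a mutable tag, so the running artefact cannot drift
          # from what was built and scanned. Registry path and digest are placeholders.
          image: "registry.example.com/shop/api@sha256:<DIGEST_PLACEHOLDER>"
          imagePullPolicy: IfNotPresent
          securityContext:
            readOnlyRootFilesystem: true   # nothing is installed or patched inside the container
            allowPrivilegeEscalation: false
            runAsNonRoot: true
          volumeMounts:
            - name: tmp
              mountPath: /tmp              # the only writable path; it lives only as long as the Pod
      volumes:
        - name: tmp
          emptyDir: {}
```

A release changes only the image line and the orchestrator performs the rollout; anything written inside a running container disappears with it, so from a defender's view an in-place modification of a container's filesystem is an anomaly worth alerting on rather than routine maintenance.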

Elastic Service Orchestration

The focus of cloud native is the business, not the infrastructure, and the core of the business is its management and control: service exposure, load balancing, application updates, scaling out, grayscale (canary) releases, and so on. Service orchestration provides distributed compute, storage, and network resource management, so that the location, capacity, and version of services can be controlled flexibly on demand while business accessibility is monitored and guaranteed. Service orchestration hides the details of the underlying infrastructure from the application layer, yet it also provides strong business support: fault tolerance, scaling, and upgrade capabilities that keep the business running normally and let developers focus on the business logic itself.

Integration of Development and Operations (DevOps)

DevOps (development and operations) is a set of practices that combines software development and IT operations, with the goal of shortening the software development cycle and delivering high-quality software continuously. Although DevOps is not the same as agile development, it is a useful complement to it: many DevOps practices (automated build and test, continuous delivery, and so on) come from agile development. Unlike agile development, DevOps is more concerned with eliminating the gap between development and operations and with accelerating software deployment.

Microservice Architecture

Traditional Web applications are usually monolithic systems, for example built on WebSphere, WebLogic, or the .NET Framework. From the front end through the middleware to the back end, each component is generally deployed centrally on the server. Later, with the introduction of the Web Service standard, applications were delivered as standard services that interacted through remote procedure calls (RPC), forming the Service-Oriented Architecture (SOA), which greatly improved the standardization of application components and the efficiency of system integration. In cloud-native application design the applications are smaller still: the functions of a traditional monolithic application are decomposed into a large number of independent services. The microservice architecture lets each service focus on its own function, keeping it small and precise, and then assembles the services through orchestration to deliver complex functionality equivalent to the traditional monolith. Its advantage is that existing microservices can be reused when the business later changes, which greatly reduces the cost of rework.

Serverless Model

Serverless is an abstract model of cloud computing based on code and the execution of computing tasks, as opposed to a computing model based on servers (virtual machines, containers). Serverless has corresponding offerings on both public and private clouds, such as AWS Lambda, Alibaba Cloud's Function Compute, Kubeless for Kubernetes, and Apache OpenWhisk. Serverless focuses on function computing and hides the complex underlying implementation, enabling developers to focus on the business itself.

In general, cloud native truly deploys and manages resources in the cloud mode. Users no longer see individual IT systems or virtual hosts, but individual business units, and developers need only focus on the business itself. It can be said that microservice design and serverless functions are the core manifestations of the cloud-native concept, while containers, orchestration, and service meshes are the supporting technologies that make cloud native possible.

Reference: Cloud native security: offensive and defensive practice and system construction

Origin blog.csdn.net/qq_64973687/article/details/131908474