Alibaba Cloud Zero Trust Practice: Identity and Network Micro-Isolation in Production Networks

Overview:

Since Forrester analyst John Kindwig proposed the term "Zero Trust" in 2010, with the rise of the digital economy and remote working, Zero Trust has gradually moved from concept to implementation. As a new generation of network architecture concept, its core idea is that all assets areidentityThe network connection between all assets must go through theauthenticate, authorization.

It needs to be clear that zero trust is not a specific security product, but a security management concept or security management method that uses a combination of access control, identity management, background data, etc. to verify network requests. Any specific technical means that can achieve "never trust, verify everywhere" can be considered as adopting zero trust.

As the largest cloud vendor in China, Alibaba Cloud has a diverse internal business structure, complex access traffic, and frequent identity changes, which pose great security challenges. After years of exploration, the cloud security team has combined zero trust and cloud native, implemented and implemented a solution that combines identity and micro-isolation to solve the isolation problem in the production network of large enterprises.

Understanding the Zero Trust Core: 5 Assumptions

The definition of zero trust is generally based on the following five assumptions:

• The Internet is in a dangerous environment all the time
• External or internal threats are always present in the network
• The location of the network is not enough to determine the trustworthiness of the network
• All devices, users and network traffic should be authenticated and authorized
• Security policies must be dynamic and calculated based on as many data sources as possible

It is important to emphasize that the location of the network is not enough to determine the trustworthiness of the network. Because from the perspective of security operation practices, there are common misunderstandings in enterprise intranet management: "The internal network is secure (office network and production network), and security can be improved at the border.". But from the perspective of security incidents, targeted intrusions will definitely involve further lateral penetration into the intranet. If the intranet is unobstructed and there are no security protection measures, it will definitely lead to serious security problems.

Zero trust practice in office network: BeyondCorp & Istio

In the on-the-ground practice of zero-trust security, the now widely knownZero Trust ProgramThe main focus is on office networks to address security issues on office networks. For example, Google BeyondCorp, which is often mentioned, enables users to securely work from virtually any location without having to use traditional VPNs to securely access systems on the office network by moving access controls from the network perimeter to the specific user (based on the identity of the user, device, rather than the location of the device).

For zero-trust solutions between services within the production network, there are relatively few mature solutions in the industry. It seems that Google BeyondProd is the only one that is open, large-scale, and mature.

Under the open source k8s architecture, Istio attempts to introduce zero trust into the production network through service mesh. The core idea is to use the k8s architecture to deploy service mesh sidecar on each Pod in the production network. Since service mesh naturally takes over the RPC communication between Pods, network access authentication, authentication and security logs can be added to it. Record. But in practice we also found that native Istio has some problems:

• The security functions of Istio itself have not been verified in the production environment and are only in the Demo stage.

2. Istio implements identity authentication between workloads (Peer authentication) by encapsulating the RPC protocol in mtls. The additional computing cost and delay overhead brought by mtls are relatively large, which is difficult for many businesses to accept.

3. Istio only takes over RCP traffic, and the non-RPC traffic authentication mechanism is incomplete.

By referring to industry practices and combining Forrester's three basic concepts of the "zero trust model", the Alibaba Cloud team implemented zero trust in the enterprise intranet step by step:

• Check and log all network traffic
• Verify and check all sources
• Limit and strictly enforce access controls

Network micro-isolation based on zero trust

The north-south data in the production network can be network isolated through WAF and firewall. For communication between workloads, that is, east-west traffic, there is a lack of effectivecyber securityIsolation means, so the core capability of micro-isolation is naturally focused on the isolation and control of east-west traffic.

For general enterprise production networks, only border defense devices, such as Waf and firewalls, are often deployed. First, if an attacker breaks through perimeter defenses (WAF, firewall), or if a malicious employee connects to the production network, they can directly access all workloads on the intranet. The vulnerability of the intranet will be directly exposed to attackers, and there is no effective isolation method to control the explosion radius. Secondly, due to the rapid development of businesses, especially Internet companies, traditional isolation methods based on security domains and VPCs cannot effectively adapt to the rapid changes in business, resulting in the inability to effectively isolate. Finally, with the gradual popularization of cloud native technology, k8s began to be applied on a large scale. In a cloud-native environment, the workload of application instances is portable and even exists for a short period of time. Thousands or even tens of thousands of Pods may be created and destroyed in a day. The traditional method of isolation through IP will lead to frequent policy changes, making the policy almost unmaintainable.

So we're banking on the fact that by combining cloud-native technology withnetwork microisolationSplit the enterprise production network into resilient and variable N-networks to meet the elastic isolation of rapid business changes, and to reduce the attack surface after intrusion and control the explosion radius.

In practice, Alibaba Cloud will use zero-trustCombining identity-based access control with network micro-isolation, use identity for network micro-isolation, reduce the attack surface after an intrusion, and improve the security defense level of the enterprise's production network.

At the same time, drawing on the idea of Istio sidecar, the network micro-isolation based on zero trust will be sunk into the Pod of each workload, which will bring several benefits from the architectural level:

1. Deploy with business workloads and perform network management at the granularity of application identity
2. Security capabilities can be automatically deployed as the business elastically expands and shrinks.
3. Security capabilities are decoupled from business code and are non-intrusive to business systems.

In the workload communication stage, we also build two-layer authentication and authentication capabilities:

1. At the L3/4 communication level, additional application identities are added to ensure connection-level authentication and authentication.
2. At the L7 communication level, application identities are added to ensure request-level authentication and authentication.
3. If request-level access control is not required at the L7 layer, network performance can be almost loss-free when only L3/4 layer authentication and authentication are enabled, and various application layer protocols are supported.

At the security operation level, Alibaba Cloud conducts phased deployment and construction:

1. First, identify Internet boundary applications and core business applications as priority protection objects.
2. Through the deployment of micro-isolation security containers, complete intranet east-west traffic data is collected
3. The original east-west traffic data converts the access relationship between IPs into the access relationship between application identities through application identity + asset library information, and establishes the access baseline between applications through a period of observation
4. At the security policy execution level, priority is given to mandatory authentication and authentication of high-risk services (SSH, SMB, LDAP, Kerberos, etc.) and key services (sensitive data interfaces, etc.) to improve the security isolation level of key systems.
5. Finally, ongoing operational monitoring was conducted. On the one hand, in order to prevent business damage caused by mistaken interception, on the other hand, by monitoring high-risk service traffic on the intranet, we can detect possible lateral intrusion behavior or worm infection events.

future outlook

After continuous exploration, we found that combining cloud native technology can make new innovative practices in the security field. In the past period of time, various security companies have been thinking about the security issues of cloud native architecture and how to protect cloud native systems. In fact, security can take advantage of the cloud native architecture to make new security solutions. For example, WAF and firewall capabilities can be moved to the sidecar and deployed quickly and flexibly with the business. If the security sidecar has WAF and firewall capabilities in addition to authentication capabilities, then the security level of the internal network can be equal to the security level of the border, and each workload can be protected to the maximum extent.

Alibaba Cloud will continue to explore on the road to cloud native security.