Introduction: verified in large-scale real-world scenarios, with flexible responses to complex environments.
In 2020, the sudden outbreak of the novel coronavirus epidemic triggered the largest wave of remote working in history. The epidemic made security problems more prominent, and the fight against it was also a battlefield for Alibaba Cloud's security.
On September 18, the Cloud Habitat 2020 conference held a special technology release session. Xiao Li, vice president of Alibaba and general manager of Alibaba Cloud's intelligent business department, released the "zero trust solution for remote office".
Drawing on the daily secure remote access of more than 100,000 Alibaba Group employees, and on the security practice delivered to many customers during the epidemic, the solution helps millions of cloud users understand how to build a mature security system around the constantly changing dynamic factors in the network, and then experience security services with the same capabilities Alibaba uses itself.
The epidemic has catalysed the normalisation of remote work
In the first half of the year, demand for remote working and distance teaching rose rapidly in a short period, and various signs show that this may become the norm.
- According to Gartner, 74% of enterprises moved at least 5% of their former on-site staff to permanent remote positions after the outbreak.
Modern, complex business means remote work is no longer limited to traditional access to the company's OA system, approval system, company mail and video conferencing; it also covers more complex scenarios such as remote development, remote testing, remote operations and maintenance, and remote customer service.
Security challenges in a typical office scenario
The global total number of users has exceeded 400 million, and total staff has grown to more than 30,000. During the epidemic, a large number of employees had to work remotely in response to the call to "suspend classes without suspending learning".
More than 100,000 devices need to connect every day, internal IT is becoming more and more complex, and security risks are gradually emerging:
·There are many employees but a limited security team, and staff onboarding, transfers and departures put heavy pressure on management;
·There is no comprehensive management and control system in the office network, so there is a risk of data leakage once a back door appears;
·Each application system has its own scattered account system, and the systems are sluggish;
·Employees need to switch between more than 20 applications at work, and repeated authentication makes for a poor experience;
·The system cannot automatically identify and control the large-scale use of iPad mobile terminals for teaching;
·Moving enterprise applications to the cloud and SaaS makes the environment more dynamic and changeable.
Alibaba Cloud remote office zero trust solution
The Alibaba Cloud remote office zero trust solution takes trust and dynamics as its core. IPs, devices and applications pass through a trusted authentication system; when they access the office network to obtain permissions or call data, those permissions are granted on the strength of trusted authentication, enabling dynamic security detection and protection.
The whole solution comprises three core modules: remote terminal security management, cloud-based dynamic decision management and control, and a unified trusted network.
Remote terminal security management
Through trusted authentication and identity management of the remote terminal, only devices that pass authentication can access internal systems. At the same time, the system collects and analyses terminal security data and judges the security of network devices in real time rather than as a static state.
Cloud dynamic decision management and control
Unified, high-strength security authentication of visitor information. Multiple cross-checked authentication methods, including face recognition, fingerprint recognition, voice recognition, dynamic QR codes, SMS and tokens, are adopted to strengthen identity authentication as a whole. At the same time, the system analyses the results of trusted authentication with an intelligent model, comprehensively judges the trust level of the accessing identity, and allocates user rights dynamically.
For example, if an employee deviates from their usual login location and one day suddenly appears to log in from overseas, the system applies a different level of identity authentication and grants a different set of access rights.
Unified trusted network
Through IDaaS products, the account authentication and authorisation systems of the different applications are connected. Through an intelligent management centre and a variety of security control nodes, centralised permission management and comprehensive auditing are achieved, so that every enterprise application can be accessed over the office network in a trusted way, improving both security and convenience for the enterprise.
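The dynamic decision module above combines device trust, terminal posture and login context into a trust level, then picks the authentication strength and access rights from it. The following policy evaluator is an added illustration of that logic, not Alibaba Cloud's code; the three-point trust score, the `app_sensitivity` thresholds and the sample requests are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Step-up factors the solution lists for cross-checked, high-strength authentication.
STEP_UP_FACTORS = frozenset({"face", "fingerprint", "voice", "dynamic_qr", "sms", "token"})


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_enrolled: bool       # terminal passed trusted authentication
    posture_ok: bool            # disk-encryption / anti-virus signals reported by the terminal agent
    login_country: str
    usual_countries: frozenset  # countries seen in the user's daily logins
    factors_used: frozenset     # authentication factors presented in this session


def trust_level(req):
    """Score 0-3 from device trust, device posture and login location (assumed scoring)."""
    if not req.device_enrolled:
        return 0                 # unenrolled device: no trust at all, whatever the user presents
    score = 1
    if req.posture_ok:
        score += 1
    if req.login_country in req.usual_countries:
        score += 1
    return score


def decide(req, app_sensitivity):
    """Map the trust level and the target app's sensitivity to deny / step_up / allow."""
    level = trust_level(req)
    if level == 0:
        return {"decision": "deny", "reason": "device not trusted"}
    # Deviation from the usual login location: demand a strong factor before anything else.
    if req.login_country not in req.usual_countries and not (req.factors_used & STEP_UP_FACTORS):
        return {"decision": "step_up", "require": sorted(STEP_UP_FACTORS)}
    required = {"low": 1, "medium": 2, "high": 3}[app_sensitivity]
    rights = "full" if level >= required else "read_only"   # lower trust, narrower rights
    return {"decision": "allow", "trust_level": level, "rights": rights}


if __name__ == "__main__":
    # Constructed sample requests, not real data.
    home = AccessRequest("alice", True, True, "CN", frozenset({"CN"}), frozenset({"password"}))
    abroad = AccessRequest("alice", True, True, "DE", frozenset({"CN"}), frozenset({"password"}))
    print(decide(home, "high"))    # usual location, healthy device: full rights
    print(decide(abroad, "high"))  # sudden overseas login with only a password: step_up
```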
Typical application scenarios of the Alibaba Cloud remote office zero trust solution
Ape Tutoring builds a new office security system
To unify thorough office security, smooth business and a good employee experience, Ape Tutoring turned to Alibaba Cloud's remote office zero trust solution.
Automatic coverage of all staff with linked management
Based on the centralised identity management service of the IDaaS platform, Alibaba Cloud established a unified identity management centre for Ape Tutoring. Based on the binding between devices and people, it covers linked management of all employees in batches and comprehensively improves the visibility of access.
Fine-grained network management of hardware devices
In Ape Tutoring's online live-broadcast courses, large numbers of iPads are connected over wired networks to guarantee transmission speed, which raises terminal asset management and network security requirements. By controlling network access, Alibaba Cloud identifies mobile devices that connect through network adapters and monitors device status, so that possible abnormal device states are handled with dynamic, tiered privilege management; combined with terminal security detection and anti-virus, this achieves mobile device management across the whole ecosystem.
Verification-free high-speed switching across applications improves the experience
Various application templates are preset in the IDaaS platform, and the platform has its own developer service module to support application integration. Combined with internet behaviour management and terminal data leakage prevention capabilities, it efficiently and safely enables convenient switching and unified management across Ape Tutoring's more than 20 applications.
Continuous monitoring ensures reliability across the whole link
The ability to segment, isolate and control the network remains the key point of zero trust network security. Alibaba Cloud's remote office zero trust policy combines a variety of existing technologies and methods: network segmentation based on micro-segmentation technology, supplemented by continuous access control, security monitoring and auditing, helps Ape Tutoring establish trust in network links during remote access.
Through the principle of least privilege, the solution continuously monitors and audits every person and action entering the system, and no longer judges security by perimeter protection and IP-based trust, achieving adaptive security protection. Users do not need to configure intranet access or a VPN and can reach the office network over the public internet, which avoids the network delays caused by cumbersome configuration and technical limitations, and improves office and business efficiency and the user experience.
Three characteristics of a mature zero trust remote office solution:
Feature 1: verified in large-scale real-world scenarios
After years of "Double 11" and the COVID-19 epidemic, the Alibaba Cloud remote office zero trust solution has continuously refined its practice of user identity management, device management, and application and network management in daily office work, and successfully supports the remote working needs of more than 100,000 Alibaba Group employees and hundreds of thousands of devices.
Feature 2: business efficiency under peak traffic, transparent to employees
It has withstood more than 10 billion attacks a day during the October 1 period, with office and business systems unaffected. Alibaba Cloud gives the group's internal employees transparent, smooth and efficient access to the office network. This rich experience, built on years of practice, has been landed accurately in other industries.
Feature 3: understands the cloud environment and flexibly handles complex scenarios
The "cloud", large branch offices and similar situations have gradually dissolved the security perimeter. Perimeter-based protection struggles to cope with flexible, dynamic usage patterns and stricter security requirements:
·All devices, users and network traffic should be authenticated and authorised;
·Security policy must be dynamic and computed from as many data sources as possible.
The "Cloud Nail" Alibaba Cloud remote office zero trust solution is an important practice of enabling the industry in the era of new digital infrastructure. It has provided multi-dimensional solutions for government affairs, education, medical care, new retail, manufacturing and other industries.
Based on the refined, field-tested experience of Alibaba Cloud's own office network management in practising zero trust architecture, the solution proposes customised strategy designs for the diverse business types and operating systems of different industries. It adapts to complex office scenarios with many workplace divisions, uncertain office locations, many collaborating vendors, large numbers of internet applications, complex asset information and large-scale business data, helping enterprises across industries improve the visibility of asset information, user information and business data, and achieve dynamic, intelligent and transparent protection in remote office scenarios.
This article is original content of Alibaba Cloud and may not be reproduced without permission.