Qingteng Honeycomb · Cloud Native Security Platform
Product Overview
Drawing on years of hands-on experience, Qingteng proposed a "1, 2, 4" cloud-native security system for the Qingteng Honeycomb Cloud Native Security Platform: it follows 1 system (DevOps), focuses on 2 directions (development/build time and operations/run time), and carries out full-lifecycle management across 4 links (secure development, security testing, security management, and secure operation).
1. In the development stage (Dev), follow the "shift security left" principle so that what goes online is secure
Identifying and resolving security issues early reduces the attack surface and the number of potential operational problems, so that "going online is secure" rather than leaving every security issue to be solved in the production environment. This is done, for example, through image-layer security checks, application-layer risk checks, and infrastructure-layer security.
(1) Image layer security
Through "Image Security", software vulnerabilities, Trojans and viruses, sensitive information, and similar issues in images are discovered.
Through "Container Risk", problems such as application vulnerabilities and weak application passwords in running containers are discovered.
(2) Application layer risk check
Microservice Security uses a web scanning component to discover web vulnerabilities in microservices.
(3) Infrastructure security (including hosts, Kubernetes orchestration tools, etc.)
Through the "Cluster Risk" function, the security vulnerabilities of each component in the cluster are checked.
Use the "Compliance Baseline" to set a security baseline and check for insecure configuration issues.
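The following is an added example, not code from Qingteng or the Honeycomb product, showing what a "compliance baseline" check over cluster configuration looks like in practice: a handful of rules are evaluated against a Kubernetes pod spec and every violation is reported. The pod spec, the rule set and the image names are constructed for illustration; a real baseline (for example one derived from the CIS Kubernetes Benchmark) carries far more rules.

```python
import json
from typing import Dict, List

# Constructed sample pod spec (not taken from the page). The "web" container
# deliberately violates several baseline rules; the "sidecar" container is clean.
SAMPLE_POD = json.loads("""
{
  "metadata": {"name": "web-demo"},
  "spec": {
    "hostNetwork": true,
    "containers": [
      {"name": "web",
       "image": "registry.example/web:latest",
       "securityContext": {"privileged": true}},
      {"name": "sidecar",
       "image": "registry.example/sidecar@sha256:0123456789abcdef",
       "securityContext": {"runAsNonRoot": true,
                           "allowPrivilegeEscalation": false,
                           "readOnlyRootFilesystem": true}}
    ]
  }
}
""")


def check_pod(pod: Dict) -> List[str]:
    """Evaluate a small, hypothetical baseline against one pod and return the
    list of findings (an empty list means the pod passes)."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")

    # Pod-level rule: sharing the host network namespace exposes host sockets.
    if spec.get("hostNetwork"):
        findings.append(f"{name}: pod shares the host network namespace")

    for c in spec.get("containers", []):
        cname = f"{name}/{c.get('name', '<unnamed>')}"
        sc = c.get("securityContext") or {}
        image = c.get("image", "")

        if sc.get("privileged"):
            findings.append(f"{cname}: container is privileged")
        # Kubernetes defaults allowPrivilegeEscalation to true, so "unset" is a finding.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{cname}: allowPrivilegeEscalation is not disabled")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{cname}: runAsNonRoot is not set")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{cname}: root filesystem is writable")
        # Mutable tags (or no tag) let the image change underneath the deployment.
        if "@sha256:" not in image:
            findings.append(f"{cname}: image is not pinned by digest")
    return findings


def passes_baseline(pod: Dict) -> bool:
    return not check_pod(pod)


if __name__ == "__main__":
    for finding in check_pod(SAMPLE_POD):
        print("FAIL", finding)
    print("baseline passed" if passes_baseline(SAMPLE_POD) else "baseline failed")
```

Each rule is deliberately a pure function of the spec, so the same checker can run in CI against manifests before deployment (the "shift left" side) and against live objects read from the API server (the run-time side).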
2. In the operations stage (Ops), follow the "continuous monitoring & response" principle to achieve adaptive security
When overall security is implemented, as shown in the figure above, full-lifecycle management of cloud-native security is carried out, including workload inventory and visualization, microisolation, intrusion detection, security response, and traceability analysis.
(1) Workload inventory and visualization
Take a fine-grained inventory of workloads and visualize the access relationships between containers.
(2) Microisolation
Network access to containers can be controlled using microisolation.
It also supports incident response: once a problem occurs, quarantine can be used to prevent the threat from spreading further.
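As an added example (not the product's own code), the evaluator below implements the ingress semantics of Kubernetes NetworkPolicy, which is the usual building block for container microisolation, and uses it to show both a normal allow rule and a quarantine step. The policies, pods, labels and port numbers are constructed for illustration. It also makes a point the text does not spell out: such policies are purely additive, so quarantining a pod means changing its labels so that no allow rule selects it any more, not adding a "deny" rule.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

Labels = Dict[str, str]


@dataclass
class Rule:
    from_labels: Labels          # peer pods must carry all of these labels
    ports: Optional[List[int]]   # None means any port


@dataclass
class Policy:
    name: str
    selector: Labels             # pods this policy applies to ({} selects all)
    ingress: List[Rule] = field(default_factory=list)  # no rules = accept nothing


@dataclass
class Pod:
    name: str
    labels: Labels


def _matches(selector: Labels, labels: Labels) -> bool:
    return all(labels.get(k) == v for k, v in selector.items())


def ingress_allowed(policies: List[Policy], src: Pod, dst: Pod, port: int) -> bool:
    """NetworkPolicy semantics: a pod selected by no policy is open; a selected
    pod accepts only traffic that at least one selecting policy explicitly allows."""
    selecting = [p for p in policies if _matches(p.selector, dst.labels)]
    if not selecting:
        return True
    return any(
        _matches(r.from_labels, src.labels) and (r.ports is None or port in r.ports)
        for p in selecting
        for r in p.ingress
    )


def quarantine(pod: Pod) -> Pod:
    """Incident-response step: replace the pod's labels so that only the
    quarantine policy selects it. Because policies are additive, keeping the
    original labels would leave existing allow rules in effect."""
    return Pod(pod.name, {"quarantine": "true"})


# Constructed policy set: namespace-wide default deny, one allow rule, and an
# empty policy that isolates anything carrying the quarantine label.
POLICIES = [
    Policy("default-deny-ingress", selector={}),
    Policy("allow-web-to-api", selector={"app": "api"},
           ingress=[Rule({"app": "web"}, [8080])]),
    Policy("quarantine", selector={"quarantine": "true"}),
]

WEB = Pod("web-1", {"app": "web"})
API = Pod("api-1", {"app": "api"})
DB = Pod("db-1", {"app": "db"})

if __name__ == "__main__":
    print("web -> api:8080", ingress_allowed(POLICIES, WEB, API, 8080))
    print("db  -> api:8080", ingress_allowed(POLICIES, DB, API, 8080))
    print("web -> quarantined api:8080",
          ingress_allowed(POLICIES, WEB, quarantine(API), 8080))
```

The default-deny policy is what turns the model into microisolation: without it, any pod not named in some policy is reachable from everywhere, which is why the inventory and visualization step usually comes first, so that every allow rule can be written from observed access relationships.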
(3) Intrusion detection and response
Detects intrusion behaviour at run time and provides response handling methods.
(4) Traceability analysis
Through threat hunting, unknown threats are actively discovered. Various log data are recorded, like a "black box" in cyberspace, and can be used to analyze cybersecurity incidents and trace the entire attack process.