mylamour / blog

Your internal mediocrity is the moment when you lost the faith of being excellent. Just do it.
https://fz.cool

What is "Big security" ? #69

Open mylamour opened 4 years ago

mylamour commented 4 years ago

For the past few days I have been thinking about "big security". So, what is "big security"? My friend told me that was meaningless. It shouldn't be that clear. On the other hand, there is no doubt about one clear point: big security is massive. So I am trying to figure it out from computing performance and networking. Now you can see this picture (if you have any questions, please feel free to point them out).

image

In today's society, with the rapid development of computer science and technology, we have experienced a change from mainframe to PC, as well as new breakthroughs in FPGA and quantum computation.

To make a long story short (leaving aside storage):

  1. Computing Capacity
    • Qualitative change: FPGA development, chip development, etc. (improving performance by enhancing a single node)
    • Quantitative change: stacking machines, so it is necessary to virtualize single-node computing power (that's what we call Big Data and Cloud Computing)
  2. Network capacity
    • Qualitative change: optimization of transport and serialization protocols
    • Quantitative change: Routing for network boundary devices is controlled by SDN

And I believe Cloud Native, SDN and IAC will be the most important technologies in our future, and AI and Big Data will be basic services. So, what is big security in this situation?

That's What We Call Big Security

Security Realms & Security Technology

Infrastructure, Product & Services, and Human are the three parts of Big Security. Everything else is derived from them, and it's necessary for us to build a security system between these relationships.

This is a basic picture: image

As you can see, there are a lot of areas, and the details matter. For example, when we talk about application security, we immediately think about mobile security (also iOS security and Android security), web security and so on. In detail, OWASP Top 10,

Security Role & Security Engineer

and so on. But when you look at DevOps or SRE engineers, you will find that there are a lot of problems in current enterprise work.

As for yourself, you would find that this is a big problem. The organizational structure is adjusted again and again, but nothing was deserved. The security team is the one that doesn't have a voice in the enterprise. That's the part we call "Massive Work".

Security Industry & Security Services

Compared with other industries, there is still much space of interest.

mylamour commented 4 years ago

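Limited by my English, I wasn't able to express some of this very well. The big-security perspective must first be combined with the development trends of computing: the trends in computing power, networking and storage. Add to that the development of the security industry and the audiences that security services target, the problems within security itself, and the problems in projects and engineering. Mixed together, that is roughly what big security is. (Of course, this is only one person's view; new perspectives are welcome.) Storage is left aside for now.

Computing power improvement:

  1. Quality -> vertical improvement: FPGA development, chip development and so on. Across servers and mobile devices, computing power is clearly increasing.
  2. Quantity -> horizontal improvement: stacking machines, so single-node computing power needs to be virtualized as a resource; machines in bulk, edge nodes in bulk.

Network:

  1. Quality: optimizing transport protocols and serialization protocols, improvements to TCP congestion algorithms, and so on.
  2. Quantity: routing for network boundary devices has to be controlled through software-defined networking. There are massive numbers of network devices: XGW, route and so on. How can they be controlled through IAC? (IAC used to focus only on the server side; how do we bring network infrastructure under IAC as well?)

Computing power and networking are like supplying energy and sharing it. When the energy supply is insufficient, you pile up quantity. When sharing is insufficient, the power has nowhere to go. To reduce the efficiency loss between layers, bare-metal programming (Bare metal) appeared, which allows resource virtualization to be optimized at the system level, shrinking or even removing the system layer. What used to require interaction between kernel and OS, memory allocation and garbage collection becomes scheduling resources directly on the machine. The engine's energy can be converted directly. This greatly improves computing performance, so that by cutting things away, what was originally 100% can perform at 120%. Beyond that, the performance of network devices has improved; the bulk network devices in an IDC, gateway devices, layer 3/4 switches and so on can now also be controlled via SDN. (More needs to be added here; I won't expand on it for now.)

This is the industry background of big security. Next, consider the security industry's security technologies, the roles of security teams, and so on. If these are brought together and managed together, some current problems can be solved. For example, security at many companies is not aligned with the business. It cannot demonstrate its value; for the team, it is effectively activity without a goal, and for the company, it is investment without return. If this goes on for long, the "tear it down and start over" phenomenon appears frequently. So, looking at in-house (client-side) security from the current state of enterprise security, what does vendor-side security look like beyond that? The security industry as a whole still behaves like show business. Between in-house teams and vendors, apart from some general-purpose protection products (for example WAF and HIDS), nothing fits the enterprise itself well, which means customized services are a major point to focus on. And not only that: the security market itself is still a very large market with room to explore. The same goes for security technology. For example, why can't SDL today cover the full pipeline the way DevOps and SRE do, getting involved from the very start of a product, instead of still exercising control through process? How should that be improved? And how can engineering practice and methodology be combined with AI and big data?

Finally, the next time you chat with a foreigner, don't say "my english is poor"; say "my english is not well" instead.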