Cloud computing security compliance: the four models you need to know
In the traditional information environment, when security and compliance come up, people generally think of ISO 27001, graded protection and classified protection, as well as third-party payment security compliance for specific industries, such as the Payment Card Industry Data Security Standard (PCI DSS), the testing standards for payment service systems of non-financial institutions, the interim measures for the management of business activities of online lending information intermediaries, the mobile finance testing and certification system, and so on.
But as the information environment evolves from traditional infrastructure to cloud computing, the deployment model, service model, physical location of underlying resources, and resource management of cloud platforms take on different forms and consumption patterns, giving cloud computing different security risk characteristics, security control responsibilities, and security control scopes.
Therefore, a new security model is urgently needed to guide risk identification, risk analysis, and risk treatment in cloud environments, to map the cloud service architecture onto a security architecture, and to achieve security compliance in cloud computing environments. Below I introduce the four most widely used cloud computing security compliance models, both internationally and in China.
CSA Cloud Computing Key Area Security Guidelines
The Cloud Security Alliance (CSA) is the most widely recognized cloud security research forum in the industry. On December 17, 2009, the alliance released a security practice manual for cloud computing services, the "Cloud Computing Security Guide". Based on the management, ownership, and location of resources or services, the guide proposes methods for achieving consistent implementation under different cloud deployment models.
The guide highlights 12 areas of concern for cloud computing security, grouped into governance and operations. The governance domains are: governance and enterprise risk management; legal and electronic discovery; compliance and audit; information lifecycle management; and portability and interoperability. The operational domains are: traditional security, business continuity and disaster recovery; data center operations; incident response, notification and remediation; application security; encryption and key management; identity and access management; and virtualization.
The governance aspect mainly addresses the strategy and tactics of cloud computing environments, while the operational aspect focuses more on the implementation of specific security architectures and solutions.
The CSA Cloud Computing Key Area Security Guidelines are suitable for guiding organizations in carrying out cloud computing security governance and management.
Cloud Cube Model
The cloud cube model, viewed from the perspective of the security system, divides cloud computing into 16 possible forms based on four dimensions that affect the security system: the physical location of data, the ownership of cloud-related technologies and services, the boundary state of application resources and services, and the operation and management of cloud services, as shown in the following figure:
Dimension 1: Internal/External, which refers to the security characteristics associated with the physical location of data;
Dimension 2: Proprietary/Open, which expresses the technology roadmap;
Dimension 3: Perimeterised/De-perimeterised, which expresses the architectural concept of boundary change;
Dimension 4: Insourced/Outsourced, which expresses operation and maintenance management.
The cloud forms defined by the cloud cube are mainly useful for business decision-making, but the model's coverage of the underlying technology is relatively weak.
Extended security requirements for graded protection of information systems using cloud computing technology
When discussing cloud computing security standards, graded protection work for cloud computing cannot be ignored. Graded protection is the main basis for the security assessment and construction of important information systems in China. Since 2014, the Ministry of Public Security has organized relevant research units to develop the cloud computing extension requirements standard for graded protection. So far, the standard has been essentially completed and distributed to national evaluation institutions for reference and implementation.
Graded protection in the cloud computing environment divides the objects of implementation into two parts: the cloud platform and the tenant business systems. The protection level of the cloud platform must not be lower than that of the tenant business systems it carries. So what should cloud platform builders, cloud platform operators, and tenants each do to ensure that cloud platforms and business systems meet the requirements of graded protection?
Overall, a cloud platform not only needs to establish its own compliant protection capabilities, but also needs to build a set of protection capabilities that it can provide to tenants to meet the requirements of their business systems. When tenants need them, they can apply to the cloud platform operator to purchase the relevant security protection measures.
First, the builder of the cloud platform should ensure that the infrastructure and network architecture meet the basic requirements of graded protection and all the clauses of the cloud computing extension requirements, for example: physical equipment for business operation, data processing, and storage must be located within China; management users logging in to hypervisors, cloud management platforms, and similar components must undergo identity authentication appropriate to the protection level; and for remote management, a two-way (mutual) authentication mechanism should be established between the management terminal and the cloud platform's boundary devices.
Second, the cloud platform operator should establish a set of protection capabilities that provide tenants with the protection their business systems need. This includes enabling tenants to deploy access control mechanisms and set access control rules at the virtualized network boundary and at the boundaries of network zones of different levels; allowing cloud tenants to set access control policies between different virtual machines; establishing a two-way authentication mechanism between the tenant's management terminal and the boundary devices of the cloud computing platform for remote management; and, according to the division of responsibilities between the cloud service provider and cloud tenants, enabling tenants to collect audit data for the parts under their own control, so that the tenant-controlled parts can be audited centrally.
Finally, tenants should request the corresponding security measures from the cloud platform operator based on the protection level required for their cloud-based business systems. These measures should satisfy the specific requirements of the graded protection standards, and tenants should require the cloud platform operator to assist them in storing backups of their business data locally.
Shenxin is not only a leading cloud computing technology provider in the industry, but also actively pursues technological innovation in cloud security. Drawing on the most advanced cloud security models and standards in the industry, it proposes a comprehensive solution for cloud platforms and cloud-based business systems. For the security requirements of the cloud platform's infrastructure and network architecture, Shenxin has proposed a comprehensive solution centered on next-generation firewalls, internet behavior management, application delivery, SSL VPN, and other products to help cloud platform builders build a cloud computing data center that meets graded protection standards. For the security requirements of tenant business systems, the security resource pool jointly built by Shenxin and the cloud platform operator can provide tenants with security protection measures that meet level three of graded protection; tenants only need to apply to the cloud platform operator according to their own needs.
The Graded Protection 2.0 series of standards is about to be released and will comprehensively safeguard the security of critical information infrastructure. We believe that with these changes, more and more practical experience will emerge, and Shenxin will share more of its experience with graded protection in cloud computing environments in the future.