Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This standard is one of the series of standards for financial applications of cloud computing technology, which include:
——Financial application specification of cloud computing technology - Technical architecture;
——Financial application specification of cloud computing technology - Security technical requirements;
——Financial application specification of cloud computing technology - Disaster recovery.
This standard is developed in accordance with the rules given in GB/T 1.1-2009.
This standard was proposed by the People's Bank of China.
This standard is under the jurisdiction of the National Technical Committee on Finance of Standardization Administration of China (SAC/TC 180).
Financial application specification of cloud computing technology - Security technical requirements
1 Scope
This standard specifies the security technical requirements for the application of cloud computing technology in the financial field, covering the contents such as basic hardware security, resource abstraction and control security, application security, data security, security management function, security technology management requirements, and optional component security.
This standard is applicable to cloud service providers, cloud service users, cloud service partners, etc. in the financial field.
2 Normative references
The following documents are essential for the application of this document. For dated references, only the edition cited applies to this document. For undated references, the latest edition of the referenced document (including any amendments) applies.
JR/T 0131-2015 Financial information system room power system specification
JR/T 0166-2018 Financial application specification of cloud computing technology - Technical architecture
3 Terms and definitions
For the purposes of this document, the terms and definitions given in JR/T 0166-2018 apply.
4 Abbreviations
For the purposes of this document, the following abbreviations apply.
API Application Programming Interface
CPU Central Processing Unit
DDoS Distributed Denial of Service
DoS Denial of Service
HTTPS Hypertext Transfer Protocol Secure
IaaS Infrastructure as a Service
IP Internet Protocol
MAC Media Access Control
PaaS Platform as a Service
SaaS Software as a Service
SQL Structured Query Language
VPN Virtual Private Network
XSS Cross-site Scripting
5 General
5.1 Graduation of security technical requirements for cloud computing
Cloud computing technology uses information technology and data resources on demand to reduce informatization costs and improve resource utilization efficiency, but it also brings new risks in areas such as service outsourcing, data leakage and service misuse. Cloud service users shall fully evaluate the scientific soundness, security and reliability of applying cloud computing technology in combination with the business importance and data sensitivity of their information systems, shall carefully select cloud computing technology to deploy business systems under the premise of ensuring system business continuity, data security and fund security, and shall select the deployment and service models that suit their businesses, so as to ensure that financial business systems using cloud computing technology are secure and controllable.
With a view to further enhancing the applicability and forward-looking nature of the standard, this specification classifies its specific clauses into basic requirements, extended requirements and enhanced requirements, following the idea of hierarchical and classified management. The basic requirements are general and fundamental security requirements that shall be met by all financial applications of cloud computing technology; the extended requirements are extended security technical requirements proposed, on the basis of the general requirements, for socialized service models such as community cloud; the enhanced requirements are proposed starting from the development trend of security technology and the forward-looking needs of financial users.
5.2 Basic requirements, enhanced requirements, and security framework for cloud computing
The security framework for cloud computing consists of basic hardware security, resource abstraction and control security, application security, data security, security management function and optional component security. Cloud service providers and users work together to achieve security. The security framework for cloud computing is shown in Figure 1. The security division of cloud service providers and users is different under different service categories such as IaaS, PaaS and SaaS. Financial institutions are the end providers of financial services, and their security responsibilities shall not be waived or mitigated by the use of cloud services.
Figure 1 Security framework for cloud computing
As a basic platform for carrying information systems in the financial field, the cloud computing platform shall have security requirements not inferior to those of the carried business systems. The cloud computing platform is still an information system in essence, which shall meet the requirements of the nation and financial industry related to the security of information systems. This standard proposes the security requirements for cloud computing platform mainly from the perspective of cloud computing technology. See Annex A for the security requirements for the optional components such as container, middleware and database of cloud computing platform; see Annex B for the cloud computing-related security risk analysis.
6 Basic hardware security
6.1 Machine room security
Basic requirements:
It shall be ensured that the physical data center and ancillary facilities deployed for the cloud computing platform meet the relevant requirements of JR/T 0131-2015.
Extended requirements:
a) For the community cloud deployment model, the operating environment of the cloud computing data center serving the financial industry shall be physically isolated from other industries;
b) It shall be ensured that the physical equipment used for the business operation, and data storage and processing of cloud service users are located in China;
c) It shall be ensured that the operation maintenance system and the operation system of the cloud computing platform are deployed in China.
Enhanced requirements:
None
6.2 Network security
Basic requirements:
a) Network redundancy design shall be supported, and network communication links, network equipment, etc. shall be redundantly deployed;
b) The network shall be divided into different network areas according to security requirements to support network security isolation;
c) It shall be ensured that the business network of the cloud computing platform is securely isolated from the management network;
d) It shall be ensured that network control measures are taken to prevent unauthorized equipment from connecting to the internal network of the cloud computing platform and to prevent unauthorized outward connection of the physical server of cloud computing platform.
Extended requirements:
a) The provision of private line or VPN access for cloud service users shall be supported;
b) For the community cloud deployment model, it shall be ensured that the network physical hardware serving the financial industry, except the WAN, is not shared with other industries;
c) It shall be ensured that the network resources serving the cloud service users are securely isolated from other network resources.
Enhanced requirements:
Network bandwidth priority allocation shall be supported.
6.3 Equipment security
Basic requirements:
a) Redundant deployment of critical equipment shall be ensured to guarantee system availability;
b) The operating state, resource usage, etc. of equipment shall be monitored so as to issue an alarm when an abnormal situation occurs;
c) It shall be ensured that the data carried on equipment and storage media can be completely erased when they are reused, scrapped or replaced.
Extended requirements:
For the community cloud deployment model, it shall be ensured that the physical equipment used in the financial industry are not shared with other industries.
Enhanced requirements:
a) Secure startup of equipment shall be ensured, i.e., the version at startup is consistent with the expected version and its integrity has not been compromised;
b) Integrity protection shall be performed on the important configuration files of equipment.
7 Resource abstraction and control security
7.1 General requirements
This clause sets out the general requirements that the network resource pool, storage resource pool and computing resource pool shall all meet.
Basic requirements:
a) Kernel patch detection and hardening, and prevention of kernel privilege escalation, shall be supported;
b) It shall be ensured that secure and reliable identity authentication measures are taken when the cloud computing platform is accessed through interfaces such as Web and API.
Extended requirements:
a) It shall be ensured that the API interface is called remotely using the HTTPS protocol;
b) Timely detection and fixing of software vulnerabilities shall be supported.
Enhanced requirements:
It shall be ensured that users remotely access the cloud computing platform for management in an encrypted way, and at least two or more combined mechanisms are used for identity authentication.
7.2 Network resource pool security
7.2.1 General
Network resource pool security includes security requirements for network resource configuration and operation, as well as security requirements for security products, functions or services that ensure the network security. The cloud service user will obtain virtual network resources and control rights in the network resource pool from the cloud service provider.
7.2.2 Architecture security
Basic requirements:
It shall be ensured that the virtual network is designed with full redundancy to avoid single points of failure.
Extended requirements:
a) The isolation of networks of different tenants and that of different networks of the same tenant shall be supported;
b) Cloud service users shall be supported to divide their security zones by themselves;
c) VPC-related security functions shall be supported, and VPC operations (such as creating or deleting a VPC, custom routes, security groups and ACL policies) shall require verification of the cloud service user's credentials;
d) Creation of VPN or private line connection between VPCs and between VPC and other networks shall be supported;
e) Cloud service users shall be supported to monitor the traffic between the various network nodes they own.
Enhanced requirements:
a) Traffic between virtual machines shall be identified and monitored;
b) Open interfaces shall be supported to allow access of third-party security products.
7.2.3 Access control
Basic requirements:
a) Access control policies shall be deployed to achieve secure access control between virtual machines, between virtual machines and the resource management and scheduling platform, and between virtual machines and external networks;
b) Access control shall be applied to cloud computing platform administrators' access to the management network;
c) Remote management access to cloud services shall be monitored in real time, and handling of unauthorized management connections shall be supported;
d) Remote execution of privileged commands shall be restricted.
Extended requirements:
a) Cloud service users shall be supported in accessing the cloud computing platform through VPN;
b) Cloud service users shall be supported in setting access control rules at the virtual network boundary by themselves;
c) Cloud service users shall be supported in dividing subnets and setting access control rules by themselves;
d) Cloud service users shall be supported in filtering the network traffic entering and leaving the VPC by themselves.
Enhanced requirements:
None
7.2.4 Security audit
Basic requirements:
a) Logs of virtual network operating status, network traffic, user behaviour, etc. shall be recorded;
b) Support shall be provided for the aggregation of security audit data.
Extended requirements:
a) Auditing of the parts under their respective control shall be implemented according to the division of responsibilities between cloud service providers and cloud service users;
b) The cloud service provider shall provide the necessary support for cloud service users to carry out audits;
c) The generation time of audit records shall be produced by a clock uniquely determined within the scope of the system, to ensure the correctness of audit analysis.
Enhanced requirements:
Output of the metadata and packet data of specific network communications according to specific requirements shall be supported.
7.2.5 Intrusion prevention
Basic requirements:
a) Virtual machines shall be prevented from launching outward attacks using forged IP or MAC addresses;
b) Abnormal traffic between virtual machines shall be identified, monitored and handled.
Extended requirements:
a) Attacks against the cloud computing platform launched by virtual machines inside the cloud computing platform shall be detected and defended against, with the ability to locate the attacking virtual machine and to record the attack type, attack time, attack traffic and other information;
b) Various kinds of network attack behaviour shall be monitored and detected; when a network attack is detected, the source IP, attack type, attack time and other information shall be recorded, and an alarm shall be raised when a serious intrusion event occurs;
c) When financial services are provided through the Internet, DoS/DDoS attack protection shall be supported, with DoS/DDoS attack traffic scrubbed to ensure the availability of networks, servers and upper-layer applications;
d) When financial services are provided through the Internet, detection of Web application vulnerabilities shall be supported, and Web application attacks such as SQL injection and XSS shall be intercepted;
e) ARP spoofing protection shall be supported.
Enhanced requirements:
a) Disabling of domain names that have not been filed for record shall be supported;
b) Outward attack behaviour by cloud service users shall be detected and blocked, with the attack type, attack time, attack traffic and other information recorded;
c) Isolation of malicious virtual machines shall be supported, including blocking communication between a malicious virtual machine and external networks and between it and other virtual machines.
7.2.6 Malicious code prevention
Basic requirements:
a) Detection and removal of malicious code shall be supported;
b) Upgrading of the malicious code signature database and updating of the related detection systems shall be maintained.
Extended requirements:
None
Enhanced requirements:
None
7.3 Storage resource pool security
Storage resource pool security includes security requirements for storage resource configuration and operation, as well as security requirements for security products, functions or services that ensure storage security. The cloud service user will obtain virtual storage resources and control rights in the storage resource pool from the cloud service provider.
Basic requirements:
a) Multi-level access control shall be supported;
b) Logs of storage device operating status, user behaviour, etc. shall be recorded;
c) Support shall be provided for the aggregation of security audit data.
Extended requirements:
a) Distribution of the data replicas of distributed storage across different physical racks shall be supported;
b) Unauthorized operation on tenant resources by cloud computing platform administrators shall be prohibited;
c) Secure transmission for tenant access to storage resources shall be supported;
d) Management of service user account privileges across physical clusters shall be supported;
e) Encrypted storage of content shall be supported, with the encryption keys manageable by the tenant, by the cloud service provider, or by a third-party organization;
f) The data of different tenants shall be isolated;
g) Auditing of the parts under their respective control shall be implemented according to the division of responsibilities between cloud service providers and cloud service users;
h) The cloud service provider shall provide the necessary support for cloud service users to carry out audits;
i) The generation time of audit records shall be produced by a clock uniquely determined within the scope of the system, to ensure the correctness of audit analysis.
Enhanced requirements:
None