Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This standard is one of the series of standards for financial applications of cloud computing technology, which include:
——Financial application specification of cloud computing technology - Technical architecture;
——Financial application specification of cloud computing technology - Security technical requirements;
——Financial application specification of cloud computing technology - Disaster recovery.
This standard is developed in accordance with the rules given in GB/T 1.1-2009.
This standard was proposed by the People's Bank of China.
This standard is under the jurisdiction of the National Technical Committee on Finance of Standardization Administration of China (SAC/TC 180).
Financial application specification of cloud computing technology - Technical architecture
1 Scope
This standard specifies the requirements for the technical architecture of cloud computing platforms in the financial field, covering the service categories, deployment models, parties, architectural characteristics and architecture system of cloud computing.
This standard is applicable to cloud service providers, cloud service users, cloud service partners, etc. in the financial field.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 32400-2015 Information technology - Cloud computing - Overview and vocabulary
GB 50174-2017 Code for design of data centers
JR/T 0071-2012 Implementation guide for classified protection of information system of financial industry
JR/T 0131-2015 Financial information system room power system specification
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
party
one or a group of natural or legal persons, regardless of whether the legal person is registered
[GB/T 32400-2015, Definition 3.1.6]
3.2
cloud computing
a paradigm in which a scalable and elastic pool of shareable physical and virtual resources is supplied and managed by means of on-demand self-service via a network
Note: resources include servers, operating systems, networks, software, applications and storage equipment.
[GB/T 32400-2015, Definition 3.2.5]
3.3
cloud service
one or more capabilities offered via cloud computing and invoked through defined interfaces
[GB/T 32400-2015, Definition 3.2.8]
3.4
cloud service provider
the party providing cloud service
[GB/T 32400-2015, Definition 3.2.15]
3.5
cloud service user
the party using cloud service
3.6
cloud service partner
the party who supports or assists cloud service provider activities, cloud service user activities, or both
3.7
cloud service auditor
the cloud service party responsible for auditing the provision and use of cloud service
3.8
cloud computing platform
the collection of cloud computing infrastructure, and the service software running on it, provided by the cloud service provider and cloud service partners
3.9
private cloud
a cloud deployment model in which a cloud service is used only by one cloud service user and the resources are controlled by this cloud service user
3.10
community cloud
a cloud deployment model in which a cloud service is used and shared by a specific group of cloud service users, and the resources are controlled by the cloud service provider or by the users; the cloud service provider and users have identical or highly similar supervision policies, security requirements, etc.
3.11
public cloud
a cloud deployment model in which a cloud service can be used by any cloud service user and the resources are controlled by cloud service provider
3.12
hybrid cloud
a cloud deployment model including two or more deployment models
3.13
infrastructure as a service
a cloud service category providing the cloud service user with the infrastructure capability type among the cloud capability types
3.14
platform as a service
a cloud service category providing the cloud service user with the platform capability type among the cloud capability types
3.15
software as a service
a cloud service category providing the cloud service user with the application capability type among the cloud capability types
3.16
tenant
one or more cloud service users accessing a group of physical or virtual resources in sharing mode
3.17
multi-tenancy
the characteristic whereby multiple tenants, together with their computation and data, are kept isolated from and inaccessible to one another through the allocation of physical or virtual resources
[GB/T 32400-2015, Definition 3.2.27]
3.18
physical machine
the physical server, as distinct from a virtual machine, which provides the hardware environment for virtual machines
3.19
physical machine service
the service providing the cloud service user with physical machine directly
3.20
virtual machine
a general term for the operating system and application operating environment, equivalent to that of the original physical server, provided to the user by means of various virtualization technologies. A virtual machine typically uses the resources of a physical server and, from the user's point of view, is used in exactly the same way as a physical server
3.21
hypervisor
the virtualization component that manages the physical machine's operating system and controls the flow of instructions between guest operating systems and the physical hardware
3.22
container
the operating environment providing a lightweight and isolated set of processes and resources through the technology of operating system virtualization
3.23
resource pool
a collection of physical or virtual resources from which resources can be obtained, and to which they can be released and then reclaimed by the pool, according to defined rules; resources include physical and virtual machines, physical and virtual storage resources, and physical and virtual network resources
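The two definitions above, resource pool (3.23) and multi-tenancy (3.17), describe a data structure and an isolation property rather than a concrete mechanism. The following Python sketch is an added illustration, not code from the standard or from any cloud platform: a small in-memory pool from which named tenants obtain resources under a per-tenant quota, release them, and have them reclaimed by the pool, while any attempt by one tenant to reach a resource owned by another is refused. The tenant names, quotas and `vm-N` identifiers are constructed sample values.

```python
"""Added illustration of the resource pool (3.23) and multi-tenancy (3.17)
definitions: obtain / release / reclaim under per-tenant quotas, with an
ownership check that keeps tenants' resources inaccessible to each other.
Hypothetical example code, not part of the standard."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


class IsolationViolation(Exception):
    """Raised when a tenant touches a resource it does not own."""


@dataclass
class Resource:
    resource_id: str
    kind: str                       # e.g. "vm", "storage", "network"
    owner: Optional[str] = None     # tenant id; None while free in the pool


@dataclass
class ResourcePool:
    free: Dict[str, List[Resource]] = field(default_factory=dict)   # kind -> free resources
    allocated: Dict[str, Resource] = field(default_factory=dict)    # id -> allocated resource
    quota: Dict[str, Dict[str, int]] = field(default_factory=dict)  # tenant -> kind -> limit

    def add(self, res: Resource) -> None:
        """Register a free resource with the pool."""
        self.free.setdefault(res.kind, []).append(res)

    def set_quota(self, tenant: str, kind: str, limit: int) -> None:
        self.quota.setdefault(tenant, {})[kind] = limit

    def held_by(self, tenant: str, kind: str) -> int:
        return sum(1 for r in self.allocated.values() if r.owner == tenant and r.kind == kind)

    def acquire(self, tenant: str, kind: str) -> Optional[Resource]:
        """Obtain a resource of `kind` for `tenant`; None if the quota is reached or the pool is empty."""
        limit = self.quota.get(tenant, {}).get(kind, 0)
        if self.held_by(tenant, kind) >= limit:
            return None
        free = self.free.get(kind, [])
        if not free:
            return None
        res = free.pop()
        res.owner = tenant
        self.allocated[res.resource_id] = res
        return res

    def access(self, tenant: str, resource_id: str) -> Resource:
        """Multi-tenancy check: only the owning tenant may reach an allocated resource."""
        res = self.allocated.get(resource_id)
        if res is None or res.owner != tenant:
            raise IsolationViolation(f"tenant {tenant} may not access {resource_id}")
        return res

    def release(self, tenant: str, resource_id: str) -> None:
        """The tenant gives the resource back; the pool clears ownership and reclaims it."""
        res = self.access(tenant, resource_id)   # releasing is itself an owner-only operation
        del self.allocated[resource_id]
        res.owner = None                          # no residual tenant binding survives reclaim
        self.free.setdefault(res.kind, []).append(res)


def demo() -> dict:
    """Constructed scenario: two tenants sharing one pool of three VMs."""
    pool = ResourcePool()
    for i in range(3):
        pool.add(Resource(f"vm-{i}", "vm"))
    pool.set_quota("bank-a", "vm", 2)
    pool.set_quota("bank-b", "vm", 1)

    a1 = pool.acquire("bank-a", "vm")
    pool.acquire("bank-a", "vm")
    a3 = pool.acquire("bank-a", "vm")          # third request exceeds quota -> None
    b1 = pool.acquire("bank-b", "vm")          # remaining VM goes to the other tenant

    try:
        pool.access("bank-b", a1.resource_id)  # cross-tenant access must be refused
        isolated = False
    except IsolationViolation:
        isolated = True

    pool.release("bank-a", a1.resource_id)     # reclaimed VM becomes free again
    return {"quota_enforced": a3 is None, "b_got_vm": b1 is not None,
            "isolated": isolated, "free_after": len(pool.free["vm"]),
            "a_held": pool.held_by("bank-a", "vm")}


if __name__ == "__main__":
    print(demo())
```

The ownership clearing in `release` is the part worth copying: a reclaimed resource re-enters the pool with no trace of its previous tenant, which is the precondition for the "isolated and inaccessible" property in 3.17 when the same physical or virtual resource is later handed to someone else.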
3.24
sensitive data
data which, once disclosed, may cause loss to the user or the financial institution, including but not limited to:
a) sensitive user data, e.g. user passwords and keys;
b) sensitive system data, e.g. system keys and critical system management data;
c) other sensitive business data that must be kept confidential;
d) critical operational instructions;
e) the main configuration files of the system;
f) other data that must be kept confidential.
[JR/T 0071-2012, Definition 3.1]
4 Abbreviations
For the purposes of this document, the following abbreviations apply.
ACL Access Control List
CPU Central Processing Unit
DSaaS Data Storage as a Service
HTTP Hypertext Transfer Protocol
I/O Input/Output
IaaS Infrastructure as a Service
NaaS Network as a Service
PaaS Platform as a Service
QoS Quality of Service
SaaS Software as a Service
SQL Structured Query Language
TCP Transmission Control Protocol
VPN Virtual Private Network
5 General
5.1 Service category
Cloud services mainly include Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). In addition, according to service content, they can be divided into specific service categories such as Network as a Service (NaaS) and Data Storage as a Service (DSaaS).
IaaS provides basic resource services such as computing, storage and networking. Cloud service users may use, monitor and manage the resources on the cloud computing platform via a management platform, application programming interfaces (APIs), etc.
PaaS provides the software development and operating platform services on the cloud computing infrastructure. Cloud service users can perform system development, testing, integration, deployment, operation, maintenance, etc. based on the PaaS provided by the cloud computing platform.
SaaS provides the application software services that run on the cloud computing infrastructure, such as email services.
5.2 Deployment model
Cloud computing deployment models in the financial field mainly include private cloud, community cloud, and hybrid cloud composed of these. Financial institutions shall uphold the principles of security first and responsibility to users; fully assess the possible risks and hidden dangers according to the importance of the business carried by the information system, the sensitivity of the data, the severity of harm should a security incident occur, etc.; and prudently select a deployment model suited to the business system. The security responsibilities borne by a financial institution are neither waived nor reduced by the use of cloud services.
5.3 Cloud service parties
The parties to cloud services include:
——cloud service users;
——cloud service providers;
——cloud service partners.
As shown in Figure 1, the cloud service provider provides cloud service users with cloud services of categories such as IaaS, PaaS and SaaS, and is responsible for the construction, operation and management of the cloud computing platform; the cloud service user builds, runs and maintains its own application systems on the basis of the cloud services provided by the cloud service provider, or directly uses cloud services that can serve as application systems; the cloud service partner provides support or assistance to cloud service providers and cloud service users. The cloud service auditor is a special kind of cloud service partner and shall independently audit cloud service providers, cloud service users and other cloud service partners.
Figure 1 View of cloud service parties
6 Architectural characteristics
6.1 High elasticity
The cloud computing platform shall have the capability to scale resources elastically. During business peaks, the platform's resources can be expanded rapidly to support high-traffic, high-concurrency financial transaction scenarios; during business troughs, the platform's resources can be contracted appropriately to avoid over-provisioning.
6.2 Openness
The cloud computing platform shall adopt an open architecture and shall not be bound to any specific cloud service provider. When a cloud service user terminates or changes services, the cloud computing platform shall support the rapid and convenient migration of applications and data between different cloud computing platforms, and between the user's information systems and the cloud computing platform.
6.3 Interoperability
The cloud computing platform shall support general, standardized communication interfaces; cloud services within the same cloud computing platform or across different cloud computing platforms shall be able to exchange information securely and conveniently on demand.
6.4 High availability
The cloud computing platform shall have high-availability assurance capabilities at the software, host, storage, network node, data center and other levels; shall be able to recover rapidly from serious failures or errors; shall ensure the continuous normal operation of application systems; and shall meet the business continuity requirements of the financial field.
6.5 Data security
The cloud computing platform shall guarantee end-to-end data security at the architectural level, strictly protect user data throughout its entire life cycle, ensure the integrity, availability and confidentiality of data during generation, use, transmission and storage, and prevent data corruption, loss and leakage.
7 Architecture system
7.1 Overview
The architecture system of the cloud computing platform may be divided into basic hardware facilities and equipment, resource abstraction and control, cloud services, and operation and maintenance (O&M) and operations management, as shown in Figure 2.
——Basic hardware facilities and equipment mainly include the data center room and its auxiliary facilities, computing equipment, storage equipment, network equipment and other equipment.
——Resource abstraction and control mainly include the computing resource pool, storage resource pool, network resource pool, and the resource management and scheduling platform.
——Cloud services mainly include services of the IaaS, PaaS and SaaS types.
——O&M and operations management mainly include daily management, resource monitoring, O&M management, self-service and service management.