Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This standard is one of the series of standards for financial applications of cloud computing technology, which include:
——Financial application specification of cloud computing technology - Technical architecture;
——Financial application specification of cloud computing technology - Security technical requirements;
——Financial application specification of cloud computing technology - Disaster recovery.
This standard is developed in accordance with the rules given in GB/T 1.1-2009.
This standard was proposed by the People's Bank of China.
This standard is under the jurisdiction of the National Technical Committee on Finance of Standardization Administration of China (SAC/TC 180).
Financial application specification of cloud computing technology - Security technical requirements
1 Scope
This standard specifies the security technical requirements for the application of cloud computing technology in the financial field, covering the contents such as basic hardware security, resource abstraction and control security, application security, data security, security management function, security technology management requirements, and optional component security.
This standard is applicable to cloud service providers, cloud service users, cloud service partners, etc. in the financial field.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
JR/T 0131-2015 Financial information system room power system specification
JR/T 0166-2018 Financial application specification of cloud computing technology - Technical architecture
3 Terms and definitions
For the purposes of this document, the terms and definitions defined in JR/T 0166-2018 apply.
4 Abbreviations
For the purposes of this document, the following abbreviations apply.
API Application Programming Interface
CPU Central Processing Unit
DDoS Distributed Denial of Service
DoS Denial of Service
HTTPS Hypertext Transfer Protocol Secure
IaaS Infrastructure as a Service
IP Internet Protocol
MAC Media Access Control
PaaS Platform as a Service
SaaS Software as a Service
SQL Structured Query Language
VPN Virtual Private Network
XSS Cross-site Scripting
5 General
5.1 Graduation of security technical requirements for cloud computing
Cloud computing technology makes information technology and data resources available on demand, which reduces informatization costs and improves resource utilization efficiency, but it also introduces new risks in service outsourcing, data leakage, service misuse and other areas. Cloud service users shall, in combination with the business importance and data sensitivity of their information systems, fully evaluate the soundness, security and reliability of applying cloud computing technology; shall select cloud computing technology for deploying business systems prudently and only on the premise that business continuity, data security and fund security are ensured; and shall choose the deployment and service models suited to the business, so that financial business systems using cloud computing technology are secure and controllable.
To further improve the applicability and forward-looking nature of the standard, this specification classifies its specific clauses into basic requirements, extended requirements and enhanced requirements, following a hierarchical and classified management approach. Basic requirements are general, foundational security requirements that every financial application of cloud computing technology shall meet; extended requirements build on the general requirements and address socialized service models such as the community cloud; enhanced requirements are derived from the development trend of security technology and the forward-looking needs of financial users.
5.2 Security framework for cloud computing
The security framework for cloud computing consists of basic hardware security, resource abstraction and control security, application security, data security, security management functions and optional component security. Cloud service providers and cloud service users achieve security jointly. The security framework for cloud computing is shown in Figure 1; the division of security responsibilities between cloud service providers and users differs across service categories such as IaaS, PaaS and SaaS. Financial institutions are the end providers of financial services, and their security responsibilities shall not be waived or reduced by the use of cloud services.
Figure 1 Security framework for cloud computing
As a basic platform for carrying information systems in the financial field, the cloud computing platform shall have security requirements not inferior to those of the carried business systems. The cloud computing platform is still an information system in essence, which shall meet the requirements of the nation and financial industry related to the security of information systems. This standard proposes the security requirements for cloud computing platform mainly from the perspective of cloud computing technology. See Annex A for the security requirements for the optional components such as container, middleware and database of cloud computing platform; see Annex B for the cloud computing-related security risk analysis.
6 Basic hardware security
6.1 Machine room security
Basic requirements:
It shall be ensured that the physical data center and ancillary facilities deployed for the cloud computing platform meet the relevant requirements of JR/T 0131-2015.
Extended requirements:
a) For the community cloud deployment model, the operating environment of the cloud computing data center serving the financial industry shall be physically isolated from that of other industries;
b) It shall be ensured that the physical equipment used for the business operation, and data storage and processing of cloud service users are located in China;
c) It shall be ensured that the operation maintenance system and the operation system of the cloud computing platform are deployed in China.
Enhanced requirements:
None
6.2 Network security
Basic requirements:
a) Network redundancy design shall be supported, and network communication links, network equipment, etc. shall be redundantly deployed;
b) The network shall be divided into different network areas according to security requirements to support network security isolation;
c) It shall be ensured that the business network of the cloud computing platform is securely isolated from the management network;
d) It shall be ensured that network control measures are taken to prevent unauthorized equipment from connecting to the internal network of the cloud computing platform and to prevent unauthorized outward connection of the physical server of cloud computing platform.
Extended requirements:
a) The provision of private line or VPN access for cloud service users shall be supported;
b) For the community cloud deployment model, it shall be ensured that the network physical hardware serving the financial industry, except the WAN, is not shared with other industries;
c) It shall be ensured that the network resources serving the cloud service users are securely isolated from other network resources.
Enhanced requirements:
Network bandwidth priority allocation shall be supported.
6.3 Equipment security
Basic requirements:
a) Redundant deployment of critical equipment shall be ensured to ensure system availability;
b) The operating state, resource usage, etc. of equipment shall be monitored so as to issue an alarm when an abnormal situation occurs;
c) It shall be ensured that equipment and storage media are capable of completely erasing the data they carry when they are reused, scrapped or replaced.
Extended requirements:
For the community cloud deployment model, it shall be ensured that the physical equipment used in the financial industry are not shared with other industries.
Enhanced requirements:
a) Secure boot of equipment shall be ensured, i.e., the version running at startup is the expected one and its integrity has not been compromised;
b) Integrity protection shall be performed on the important configuration files of equipment.
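Enhanced requirement b) is only as strong as the protection of the baseline it is checked against: an attacker who can rewrite a configuration file on the device can usually rewrite a plain list of hashes next to it. The following Go program is an added example, not part of the standard or of any vendor's product, of one way to meet the requirement: each file's SHA-256 digest is recorded in a manifest, and the manifest itself is authenticated with an HMAC under a key that is assumed to be held off the device (management plane, HSM or TPM-sealed storage). The key, file paths and file contents are constructed for illustration. A modified file, a missing file, an unexpected new file and a rewritten manifest each yield a distinct finding.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Manifest is the protected baseline: one SHA-256 digest per configuration
// file, plus an HMAC over the canonical digest list so the manifest cannot be
// rewritten by whoever rewrote a file.
type Manifest struct {
	Digests map[string]string // file path -> hex SHA-256 of its content
	MAC     string            // hex HMAC-SHA256(key, canonical(Digests))
}

// canonical serialises the digest map in a fixed order so the MAC is stable.
func canonical(digests map[string]string) string {
	paths := make([]string, 0, len(digests))
	for p := range digests {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		fmt.Fprintf(&b, "%s\x00%s\n", p, digests[p])
	}
	return b.String()
}

func fileDigest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

func manifestMAC(key []byte, digests map[string]string) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(canonical(digests)))
	return hex.EncodeToString(h.Sum(nil))
}

// BuildManifest records the baseline. The key is assumed to live where the
// device's ordinary administrative path cannot write it; an attacker who can
// rewrite both a file and the manifest must still be unable to recompute the MAC.
func BuildManifest(key []byte, files map[string][]byte) Manifest {
	m := Manifest{Digests: make(map[string]string, len(files))}
	for path, content := range files {
		m.Digests[path] = fileDigest(content)
	}
	m.MAC = manifestMAC(key, m.Digests)
	return m
}

// VerifyManifest compares the files currently present against the baseline
// and returns one finding per deviation, sorted; an empty result means the
// configuration is intact.
func VerifyManifest(key []byte, m Manifest, files map[string][]byte) []string {
	want := manifestMAC(key, m.Digests)
	if !hmac.Equal([]byte(want), []byte(m.MAC)) {
		// A forged baseline makes every per-file check meaningless, so stop here.
		return []string{"manifest: MAC mismatch, baseline itself has been tampered with"}
	}
	var findings []string
	for path, digest := range m.Digests {
		content, present := files[path]
		switch {
		case !present:
			findings = append(findings, path+": missing")
		case fileDigest(content) != digest:
			findings = append(findings, path+": content modified")
		}
	}
	for path := range files {
		if _, known := m.Digests[path]; !known {
			findings = append(findings, path+": not in baseline (unexpected file)")
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	// Constructed key, paths and contents for illustration only.
	key := []byte("example-manifest-key-held-by-management-plane")
	baseline := map[string][]byte{
		"/etc/switch/running.conf": []byte("interface eth0\n ip address 10.0.0.1/24\n"),
		"/etc/switch/acl.conf":     []byte("deny ip any 10.0.99.0/24\n"),
	}
	m := BuildManifest(key, baseline)

	// Simulated tampering: the ACL is loosened and a stray file appears.
	current := map[string][]byte{
		"/etc/switch/running.conf":  baseline["/etc/switch/running.conf"],
		"/etc/switch/acl.conf":      []byte("permit ip any any\n"),
		"/etc/switch/backdoor.conf": []byte("user eve privilege 15\n"),
	}
	for _, f := range VerifyManifest(key, m, current) {
		fmt.Println("ALERT:", f)
	}
}
```

The check deliberately stops at the first sign of a forged manifest: once the baseline is untrusted, per-file results would only tell the operator what the attacker wanted them to see. Running the check from the management plane against a freshly read copy of the files, rather than from a job on the device, keeps the key out of the attacker's reach.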
7 Resource abstraction and control security
7.1 General requirements
The clause proposes the general requirements that shall be met for network resource pool, storage resource pool and computing resource pool.
Basic requirements:
a) Kernel patch detection and hardening, and prevention of kernel privilege escalation, shall be supported;
b) It shall be ensured that secure and reliable identity authentication measures are applied when the cloud computing platform is accessed through interfaces such as Web and API.
Extended requirements:
a) It shall be ensured that the API interface is called remotely using the HTTPS protocol;
b) Timely detection and fixing of software vulnerabilities shall be supported.
Enhanced requirements:
It shall be ensured that users remotely access the cloud computing platform for management over an encrypted channel, and that at least two combined mechanisms are used for identity authentication.
7.2 Network resource pool security
7.2.1 General
Network resource pool security includes security requirements for network resource configuration and operation, as well as security requirements for the security products, functions or services that ensure network security. The cloud service user obtains virtual network resources, and control over them, in the network resource pool from the cloud service provider.
7.2.2 Architecture security
Basic requirements:
A fully redundant design of the virtual network shall be ensured to avoid single points of failure.
Extended requirements:
a) The isolation of networks of different tenants and that of different networks of the same tenant shall be supported;
b) Cloud service users shall be supported to divide their security zones by themselves;
c) VPC-related security functions shall be supported, and VPC operations (such as creating or deleting a VPC, or defining custom routes, security groups and ACL policies) shall require verification of the cloud service user's credentials;
d) Creation of VPN or private line connection between VPCs and between VPC and other networks shall be supported;
e) Cloud service users shall be supported to monitor the traffic between the various network nodes they own.
Enhanced requirements:
a) Traffic between virtual machines shall be identified and monitored;
b) Open interfaces shall be supported to allow access of third-party security products.
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 General
6 Basic hardware security
7 Resource abstraction and control security
8 Application security
9 Data security
10 Security management function
11 Security technology management requirements
Annex A (Normative) Security requirements for the optional components of cloud computing platform
Annex B (Informative) Security risks of cloud computing
7.2.3 Access control
Basic requirements:
a) Access control policies shall be deployed to implement secure access control between virtual machines, between virtual machines and the resource management and scheduling platform, and between virtual machines and external networks;
b) Access by cloud computing platform administrators to the management network shall be subject to access control;
c) Remote management access to cloud services shall be monitored in real time, and handling of unauthorized management connections shall be supported;
d) Remote execution of privileged commands shall be restricted.
Extended requirements:
a) Cloud service users shall be supported to access the cloud computing platform through VPN;
b) Cloud service users shall be supported to set access control rules at the virtual network boundary by themselves;
c) Cloud service users shall be supported to divide subnets and set access control rules by themselves;
d) Cloud service users shall be supported to filter the network traffic entering and leaving their VPC by themselves.
Enhanced requirements:
None
7.2.4 Security audit
Basic requirements:
a) Logs of the virtual network operating status, network traffic, user behavior, etc. shall be recorded;
b) Support shall be provided for the aggregation of security audit data.
Extended requirements:
a) Audit of the parts under their respective control shall be implemented according to the division of responsibilities between the cloud service provider and the cloud service user;
b) The cloud service provider shall provide the necessary support for the cloud service user to conduct audits;
c) The timestamps of audit records shall be generated by a single clock uniquely determined within the system scope, to ensure the correctness of audit analysis.
Enhanced requirements:
Output of the metadata and packet data of specified network communications according to specific requirements shall be supported.
7.2.5 Intrusion prevention
Basic requirements:
a) Virtual machines shall be prevented from using forged IP or MAC addresses to launch outbound attacks;
b) Abnormal traffic between virtual machines shall be identified, monitored and handled.
Extended requirements:
a) Attacks launched against the cloud computing platform by virtual machines inside the platform shall be detected and defended against; it shall be possible to locate the attacking virtual machine and to record information such as attack type, attack time and attack traffic;
b) All kinds of network attack behavior shall be monitored and discovered; when a network attack is detected, information such as the attack source IP, attack type and attack time shall be recorded, and an alarm shall be raised when a serious intrusion event occurs;
c) When financial services are provided over the Internet, DoS/DDoS attack protection shall be supported, scrubbing DoS/DDoS attack traffic to ensure the availability of the network, servers and upper-layer applications;
d) When financial services are provided over the Internet, detection of Web application vulnerabilities shall be supported, and Web application attacks such as SQL injection and XSS shall be intercepted;
e) ARP spoofing protection shall be supported.
Enhanced requirements:
a) Disabling of domain names without ICP filing shall be supported;
b) Outbound attacks by cloud service users shall be detected and blocked, with information such as attack type, attack time and attack traffic recorded;
c) Isolation of malicious virtual machines shall be supported, including blocking communication between a malicious virtual machine and external networks and other virtual machines.
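The anti-spoofing checks in 7.2.5 (forged IP or MAC source addresses, ARP spoofing) together with the attack-record fields the clause asks for (which virtual machine, what kind of attack, when) amount to port security on every tenant vport. The Go program below is an added example, not the standard's own text or any cloud platform's code, of such a check: each vport carries the MAC and the allowed source IPs it was assigned when created, and a frame whose Ethernet source, IP source or ARP sender fields disagree with that binding is dropped and logged against the owning virtual machine. The Binding, Packet and Event types, the vport identifiers, addresses and timestamps are all constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Binding is what the platform recorded when the tenant's vport was created:
// the MAC it was assigned and the source IPs it may use. Constructed type for
// this example, not a real platform data model.
type Binding struct {
	VMID       string
	MAC        string
	AllowedIPs map[string]bool
}

// Packet is a flattened view of one frame seen on a vport. ARPSender and
// ARPMAC are empty for non-ARP traffic.
type Packet struct {
	Port      string
	SrcMAC    string // Ethernet source address
	SrcIP     string // IP source address (IP packets only)
	ARPSender string // sender protocol address in the ARP body
	ARPMAC    string // sender hardware address in the ARP body
	Seen      time.Time
}

// Event is the record kept when a frame is dropped: which VM sent it,
// what kind of attack it was, and when.
type Event struct {
	VMID string
	Type string
	Time time.Time
}

// Check applies port security to one frame and returns (allowed, event);
// event is nil when the frame is allowed.
func Check(bindings map[string]Binding, p Packet) (bool, *Event) {
	b, bound := bindings[p.Port]
	if !bound {
		// A vport nobody bound may not source anything.
		return false, &Event{VMID: "unbound:" + p.Port, Type: "unbound-port", Time: p.Seen}
	}
	deny := func(kind string) (bool, *Event) {
		return false, &Event{VMID: b.VMID, Type: kind, Time: p.Seen}
	}
	if p.SrcMAC != b.MAC {
		return deny("mac-spoof")
	}
	if p.ARPSender != "" {
		// The ARP body must agree with the binding as well: an honest Ethernet
		// header with a forged sender address still poisons neighbours' caches.
		if p.ARPMAC != b.MAC || !b.AllowedIPs[p.ARPSender] {
			return deny("arp-spoof")
		}
		return true, nil
	}
	if !b.AllowedIPs[p.SrcIP] {
		return deny("ip-spoof")
	}
	return true, nil
}

// Filter runs Check over a frame sequence and returns the drop events in order.
func Filter(bindings map[string]Binding, pkts []Packet) []Event {
	var events []Event
	for _, p := range pkts {
		if ok, ev := Check(bindings, p); !ok {
			events = append(events, *ev)
		}
	}
	return events
}

func main() {
	bindings := map[string]Binding{
		"vport-1": {VMID: "vm-a", MAC: "fa:16:3e:00:00:01", AllowedIPs: map[string]bool{"10.0.1.10": true}},
		"vport-2": {VMID: "vm-b", MAC: "fa:16:3e:00:00:02", AllowedIPs: map[string]bool{"10.0.1.20": true}},
	}
	t0 := time.Date(2018, 11, 1, 9, 0, 0, 0, time.UTC) // constructed timestamps
	pkts := []Packet{
		{Port: "vport-1", SrcMAC: "fa:16:3e:00:00:01", SrcIP: "10.0.1.10", Seen: t0},                      // legitimate
		{Port: "vport-1", SrcMAC: "fa:16:3e:00:00:02", SrcIP: "10.0.1.10", Seen: t0.Add(1 * time.Second)}, // vm-a borrows vm-b's MAC
		{Port: "vport-1", SrcMAC: "fa:16:3e:00:00:01", SrcIP: "10.0.1.20", Seen: t0.Add(2 * time.Second)}, // vm-a claims vm-b's IP
		{Port: "vport-2", SrcMAC: "fa:16:3e:00:00:02", ARPSender: "10.0.1.1", ARPMAC: "fa:16:3e:00:00:02", Seen: t0.Add(3 * time.Second)},  // vm-b claims the gateway
		{Port: "vport-2", SrcMAC: "fa:16:3e:00:00:02", ARPSender: "10.0.1.20", ARPMAC: "fa:16:3e:00:00:02", Seen: t0.Add(4 * time.Second)}, // honest ARP
	}
	for _, ev := range Filter(bindings, pkts) {
		fmt.Printf("%s DROP %s vm=%s\n", ev.Time.Format(time.RFC3339), ev.Type, ev.VMID)
	}
}
```

The binding is populated from the platform's own port allocation, never from what the guest announces, which is what makes the check authoritative. Because every drop event names the VM behind the vport, the same records satisfy the "locate the attacking virtual machine" part of extended requirement a) and feed the isolation action in enhanced requirement c).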
7.2.6 Malicious code prevention
Basic requirements:
a) Detection and removal of malicious code shall be supported;
b) Upgrades of the malicious code signature database and updates of the related detection systems shall be maintained.
Extended requirements:
None
Enhanced requirements:
None
7.3 Storage resource pool security
Storage resource pool security includes security requirements for storage resource configuration and operation, as well as security requirements for the security products, functions or services that ensure storage security. The cloud service user obtains virtual storage resources, and control over them, in the storage resource pool from the cloud service provider.
Basic requirements:
a) Multi-level access control shall be supported;
b) Logs of the storage device operating status, user behavior, etc. shall be recorded;
c) Support shall be provided for the aggregation of security audit data.
Extended requirements:
a) Distribution of the data replicas of distributed storage across different physical racks shall be supported;
b) Unauthorized operations on tenant resources by cloud computing platform administrators shall be prohibited;
c) Secure transmission for tenant access to storage resources shall be supported;
d) Management of service user account permissions across physical clusters shall be supported;
e) Encrypted storage of content shall be supported, with the encryption keys manageable by the tenant itself, by the cloud service provider, or by a third-party institution;
f) Data of different tenants shall be isolated;
g) Audit of the parts under their respective control shall be implemented according to the division of responsibilities between the cloud service provider and the cloud service user;
h) The cloud service provider shall provide the necessary support for the cloud service user to conduct audits;
i) The timestamps of audit records shall be generated by a single clock uniquely determined within the system scope, to ensure the correctness of audit analysis.
Enhanced requirements:
None
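Extended requirements e) and f) of 7.3 are usually met together with envelope encryption: every stored object gets its own data encryption key (DEK), the DEK is wrapped under a key encryption key (KEK) held by whichever party the tenant chooses (the tenant itself, the provider's key service or a third-party KMS), and the tenant identifier is bound to both layers as associated data so a blob cannot be re-filed under another tenant. The Go program below is an added example, not the standard's text or any storage product's code; it uses AES-256-GCM from the Go standard library, and the key values, tenant names and content are constructed. RewrapDEK shows why the two layers are worth the complexity: the tenant can rotate its KEK without the provider ever re-encrypting stored content.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedObject is everything the storage pool keeps for one object. Without
// the KEK, neither the provider nor a holder of the physical media can read it.
type EncryptedObject struct {
	TenantID   string
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prefixed
	Ciphertext []byte // AES-256-GCM(DEK, content), nonce prefixed
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil // nonce || ciphertext || tag
}

func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptObject draws a fresh 256-bit DEK for this object, encrypts the
// content under it and wraps the DEK under kek. The tenant ID is bound as
// associated data in both layers.
func EncryptObject(kek []byte, tenantID string, content []byte) (*EncryptedObject, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	aad := []byte(tenantID)
	ct, err := gcmSeal(dek, content, aad)
	if err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{TenantID: tenantID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptObject unwraps the DEK with kek and then opens the content.
func DecryptObject(kek []byte, obj *EncryptedObject) ([]byte, error) {
	aad := []byte(obj.TenantID)
	dek, err := gcmOpen(kek, obj.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, obj.Ciphertext, aad)
}

// RewrapDEK rotates the KEK: only the small wrapped key changes, the stored
// ciphertext is never read or rewritten.
func RewrapDEK(oldKEK, newKEK []byte, obj *EncryptedObject) error {
	aad := []byte(obj.TenantID)
	dek, err := gcmOpen(oldKEK, obj.WrappedDEK, aad)
	if err != nil {
		return fmt.Errorf("unwrap with old KEK: %w", err)
	}
	wrapped, err := gcmSeal(newKEK, dek, aad)
	if err != nil {
		return err
	}
	obj.WrappedDEK = wrapped
	return nil
}

func main() {
	// Constructed keys and content; a real KEK comes from the tenant's KMS or HSM.
	kek := bytes.Repeat([]byte{0x11}, 32)
	newKEK := bytes.Repeat([]byte{0x22}, 32)
	obj, err := EncryptObject(kek, "tenant-a", []byte("ledger row 42"))
	if err != nil {
		panic(err)
	}
	if _, err := DecryptObject(newKEK, obj); err != nil {
		fmt.Println("without the tenant's KEK:", err)
	}
	if err := RewrapDEK(kek, newKEK, obj); err != nil {
		panic(err)
	}
	pt, err := DecryptObject(newKEK, obj)
	fmt.Printf("after KEK rotation: %q (err=%v)\n", pt, err)
}
```

Who holds the KEK decides the trust model the standard lists in e): tenant-managed keys keep the provider out of the plaintext entirely, provider-managed keys trade that for convenience, and a third-party KMS splits the difference. In all three cases the storage pool only ever sees ciphertext and wrapped keys, which is what makes the per-tenant isolation of f) hold even against a privileged storage administrator.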