The essence of cloud computing is service: if computing resources cannot be pooled and shared at scale, and cannot be delivered in the form of services, the arrangement is not cloud computing at all.
Classified protection grading process
Grading is the starting point of cybersecurity classified protection work. Virtualization blurs traditional network boundaries, which makes it difficult to draw reasonable boundaries between platforms and systems built on cloud technology when they are graded.
Reasonable grading of cloud computing classified-protection objects is decisive for the party responsible for a cloud platform or system when it implements the classified protection scheme.
Under Cybersecurity Classified Protection 2.0 (MLPS 2.0), the network operator first grades its own systems, then convenes security experts and business experts to review whether the grading result is reasonable and to issue an expert review opinion.
The general expert review process is as follows:
The responsible party for the classified-protection object (the network operator) explains the object being graded;
It reports the proposed grade to the reviewing experts, setting out the basis for the grade, the self-grading process, an overview of the preliminary grade, a description of each information system, the main risk areas, and the business information security and system service security of each system;
After hearing the report, the experts discuss and ask questions, then produce a grading review opinion form, which is printed on site and signed by the experts; this completes the expert review.
When grading classified-protection objects, the network operator should grade reasonably based on the business the system carries, the objects it serves, and the actual state of its own information systems. To ensure the grading is reasonable, the responsible party must first identify the object of classified protection and its security protection level.
Cloud computing classified-protection objects
In a cloud computing environment, classified-protection objects fall into three categories:
(1) Cloud computing platform
The combination of the cloud infrastructure provided by the cloud service provider and the service-layer software running on it. A cloud service provider may divide its platform into separate grading objects according to the service model: a cloud infrastructure service platform (IaaS platform), a cloud data and development platform (PaaS platform), and a cloud application service platform (SaaS platform).
(2) Cloud service customer business application system
This includes the business applications a cloud service customer deploys on the cloud computing platform and the application services the cloud service provider delivers to the customer over the network.
The cloud service customer's business application system is graded as a separate object.
(3) Business application system built with cloud computing technology
A business application combined with the underlying cloud computing services and hardware resources provided independently for that application. There is no cloud service customer in this type of system.
A business application system built with cloud computing technology is graded as a single, separate object.
Security protection level
Security protection is divided into five levels, Level 1 through Level 5. The level is determined by two elements: the object that is harmed when the classified-protection object is compromised, and the degree of harm to that object.
Determining the security protection level is to some degree "objective": it follows from the importance of the business data the system handles and of the objects it serves, that is:
the object that is harmed;
the degree of harm to that object.
The security of a grading object covers both business information security and system service security. For each of the two, the harmed object and the degree of harm may differ, so the security protection level is determined from both business information security (S) and system service security (A). The business information security level is determined from the importance of the business information and the harm caused when it is compromised; the system service security level is determined from the importance of the system service and the harm caused when it is disrupted.
Once the business information security level and the system service security level have been determined separately, the higher of the two becomes the level of the classified-protection object, for example:
Business information security: Level 2; system service security: Level 3; final protection level: Level 3;
Business information security: Level 4; system service security: Level 3; final protection level: Level 4;
Business information security: Level 3; system service security: Level 3; final protection level: Level 3.
Common cloud computing grading scenarios:
Cloud service provider A provides cloud service customer B with infrastructure services (compute, network, storage).
B is a group or large enterprise. Having purchased basic resources from public cloud provider A, B uses A's IaaS service to deliver SaaS services to users C. Security responsibility for the SaaS application system lies with B.
C may be an individual user, or a branch or service unit of B.
In this scenario:
Cloud service provider A's IaaS platform is a classified-protection object;
B, which provides the SaaS service to users, grades it as cloud service customer business system B;
C is graded according to its usage scenario. If C is a branch of B or another enterprise user, data security responsibility lies with C; C must then grade its own business application, and that level must not be higher than the level B has determined for the business system.
Note: when grading cloud computing platforms and systems in practice, a clear distinction should be drawn between the SaaS cloud computing platform and the SaaS cloud service customer system.