Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This standard is one of the series of standards for financial applications of cloud computing technology, which include:
——Financial application specification of cloud computing technology - Technical architecture;
——Financial application specification of cloud computing technology - Security technical requirements;
——Financial application specification of cloud computing technology - Disaster recovery.
This standard is developed in accordance with the rules given in GB/T 1.1-2009.
This standard was proposed by the People's Bank of China.
This standard is under the jurisdiction of the National Technical Committee on Finance of Standardization Administration of China (SAC/TC 180).
Financial application specification of cloud computing technology - Security technical requirements
1 Scope
This standard specifies the security technical requirements for the application of cloud computing technology in the financial field, covering the contents such as basic hardware security, resource abstraction and control security, application security, data security, security management function, security technology management requirements, and optional component security.
This standard is applicable to cloud service providers, cloud service users, cloud service partners, etc. in the financial field.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the edition cited applies to this document. For undated references, the latest edition of the referenced document (including any amendments) applies.
JR/T 0131-2015 Financial information system room power system specification
JR/T 0166-2018 Financial application specification of cloud computing technology - Technical architecture
3 Terms and definitions
For the purposes of this document, the terms and definitions defined in JR/T 0166-2018 apply.
4 Abbreviations
For the purposes of this document, the following abbreviations apply.
API Application Programming Interface
CPU Central Processing Unit
DDoS Distributed Denial of Service
DoS Denial of Service
HTTPS Hypertext Transfer Protocol Secure
IaaS Infrastructure as a Service
IP Internet Protocol
MAC Media Access Control
PaaS Platform as a Service
SaaS Software as a Service
SQL Structured Query Language
VPN Virtual Private Network
XSS Cross-site Scripting
5 General
5.1 Grading of security technical requirements for cloud computing
Cloud computing technology uses information technology and data resources on demand to reduce informatization costs and improve resource utilization efficiency, but it also brings new risks in service outsourcing, data leakage, service misuse and other aspects. Cloud service users shall fully evaluate the scientific soundness, security and reliability of applying cloud computing technology in combination with the business importance and data sensitivity of their information systems, shall carefully select cloud computing technology to deploy business systems under the premise of ensuring business continuity, data security and fund security, and shall select the deployment and service models that suit their businesses, so that financial business systems using cloud computing technology are secure and controllable.
With a view to further enhancing the applicability and forward-looking nature of the standard, this specification classifies the specific clauses into basic requirements, extended requirements and enhanced requirements according to the principle of hierarchical and classified management. The basic requirements are general and fundamental security requirements, which shall be met by all financial applications of cloud computing technology; the extended requirements are extended security technical requirements proposed, on the basis of the general requirements, for socialized service models such as the community cloud; the enhanced requirements are proposed starting from the development trend of security technology and the forward-looking needs of financial users.
5.2 Basic requirements, enhanced requirements, and security framework for cloud computing
The security framework for cloud computing consists of basic hardware security, resource abstraction and control security, application security, data security, security management function and optional component security. Cloud service providers and users work together to achieve security. The security framework for cloud computing is shown in Figure 1. The security division of cloud service providers and users is different under different service categories such as IaaS, PaaS and SaaS. Financial institutions are the end providers of financial services, and their security responsibilities shall not be waived or mitigated by the use of cloud services.
Figure 1 Security framework for cloud computing
As a basic platform for carrying information systems in the financial field, the cloud computing platform shall have security requirements not inferior to those of the carried business systems. The cloud computing platform is still an information system in essence, which shall meet the requirements of the nation and financial industry related to the security of information systems. This standard proposes the security requirements for cloud computing platform mainly from the perspective of cloud computing technology. See Annex A for the security requirements for the optional components such as container, middleware and database of cloud computing platform; see Annex B for the cloud computing-related security risk analysis.
6 Basic hardware security
6.1 Machine room security
Basic requirements:
It shall be ensured that the physical data center and ancillary facilities deployed for the cloud computing platform meet the relevant requirements of JR/T 0131-2015.
Extended requirements:
a) For the community cloud deployment model, the operating environment of the cloud computing data center serving the financial industry shall be physically isolated from other industries;
b) It shall be ensured that the physical equipment used for the business operation, and data storage and processing of cloud service users are located in China;
c) It shall be ensured that the operation maintenance system and the operation system of the cloud computing platform are deployed in China.
Enhanced requirements:
None
6.2 Network security
Basic requirements:
a) Network redundancy design shall be supported, and network communication links, network equipment, etc. shall be redundantly deployed;
b) The network shall be divided into different network areas according to security requirements to support network security isolation;
c) It shall be ensured that the business network of the cloud computing platform is securely isolated from the management network;
d) It shall be ensured that network control measures are taken to prevent unauthorized equipment from connecting to the internal network of the cloud computing platform and to prevent unauthorized outward connection of the physical server of cloud computing platform.
Extended requirements:
a) The provision of private line or VPN access for cloud service users shall be supported;
b) For the community cloud deployment model, it shall be ensured that the physical network hardware serving the financial industry, except the WAN, is not shared with other industries;
c) It shall be ensured that the network resources serving the cloud service users are securely isolated from other network resources.
Enhanced requirements:
Network bandwidth priority allocation shall be supported.
6.3 Equipment security
Basic requirements:
a) Critical equipment shall be redundantly deployed to ensure system availability;
b) The operating state, resource usage, etc. of equipment shall be monitored so that an alarm is raised when an abnormal situation occurs;
c) It shall be ensured that equipment and storage media can completely erase the data they carry when they are reused, scrapped or replaced.
Extended requirements:
For the community cloud deployment model, it shall be ensured that the physical equipment used in the financial industry are not shared with other industries.
Enhanced requirements:
a) Secure startup of equipment shall be ensured, i.e. the version at startup is consistent with the expected one and its integrity has not been compromised;
b) Integrity protection shall be performed on the important configuration files of equipment.
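As an added illustration of the integrity protection called for in enhanced requirement b) (example code written for this page, not part of the standard), the following Python computes SHA-256 digests of a device's important configuration files, seals that baseline with an HMAC so the baseline itself cannot be silently rewritten, and on re-check reports modified, missing or forged entries. The file names, contents and key are constructed sample values.

```python
import hashlib
import hmac
import json
import os
import tempfile
# Constructed sample configuration files (hypothetical names and contents).
SAMPLE_CONFIGS = {
    "network/switch.conf": b"vlan 10 name mgmt\nvlan 20 name business\n",
    "boot/grub.cfg": b"set default=0\nset timeout=5\n",
}

def file_digest(path):
    """SHA-256 of a file, read in chunks so large configs are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root, rel_paths, key):
    """Digest each important file and seal the record with an HMAC over the whole list."""
    entries = {p: file_digest(os.path.join(root, p)) for p in sorted(rel_paths)}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_manifest(root, manifest, key):
    """Return {'manifest_ok', 'modified', 'missing'}; a forged manifest is rejected first."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    result = {"manifest_ok": hmac.compare_digest(expected, manifest["mac"]),
              "modified": [], "missing": []}
    if not result["manifest_ok"]:
        return result  # do not trust any per-file digest from an unsealed baseline
    for rel, digest in manifest["entries"].items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            result["missing"].append(rel)
        elif not hmac.compare_digest(file_digest(path), digest):
            result["modified"].append(rel)
    return result

def demo():
    """Seal the sample configs, re-check after a simulated edit, then with a forged MAC."""
    key = b"example-manifest-key"  # a real deployment keeps this in protected storage
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE_CONFIGS.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(root, SAMPLE_CONFIGS, key)
        clean = verify_manifest(root, manifest, key)
        with open(os.path.join(root, "boot/grub.cfg"), "ab") as f:
            f.write(b"set timeout=0\n")  # simulated unauthorized change
        tampered = verify_manifest(root, manifest, key)
        forged = verify_manifest(root, dict(manifest, mac="00" * 32), key)
        return clean, tampered, forged
```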
7 Resource abstraction and control security
7.1 General requirements
This clause sets out the general requirements that the network resource pool, storage resource pool and computing resource pool shall all meet.
Basic requirements:
a) Kernel patch detection and hardening, and prevention of kernel privilege escalation, shall be supported;
b) It shall be ensured that secure and reliable identity authentication measures are taken when the cloud computing platform is accessed through interfaces such as Web and API.
Extended requirements:
a) It shall be ensured that the API interface is called remotely using the HTTPS protocol;
b) Timely detection and fixing of software vulnerabilities shall be supported.
Enhanced requirements:
It shall be ensured that users remotely accessing the cloud computing platform for management do so in an encrypted way, and that a combination of at least two mechanisms is used for identity authentication.
7.2 Network resource pool security
7.2.1 General
Network resource pool security includes security requirements for network resource configuration and operation, as well as security requirements for security products, functions or services that ensure the network security. The cloud service user will obtain virtual network resources and control rights in the network resource pool from the cloud service provider.
7.2.2 Architecture security
Basic requirements:
Full redundancy design of the virtual network shall be ensured to avoid single points of failure.
Extended requirements:
a) The isolation of networks of different tenants and that of different networks of the same tenant shall be supported;
b) Cloud service users shall be supported to divide their security zones by themselves;
c) VPC-related security functions shall be supported, and VPC operations (such as creating or deleting VPC, custom route, security group, and ACL policy) require verifying the cloud service user credentials;
d) Creation of VPN or private line connection between VPCs and between VPC and other networks shall be supported;
e) Cloud service users shall be supported to monitor the traffic between the various network nodes they own.
Enhanced requirements:
a) Traffic between virtual machines shall be identified and monitored;
b) Open interfaces shall be supported to allow access of third-party security products.
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 General
6 Basic hardware security
7 Resource abstraction and control security
8 Application security
9 Data security
10 Security management function
11 Security technology management requirements
Annex A (Normative) Security requirements for the optional components of cloud computing platform
Annex B (Informative) Security risks of cloud computing
Financial application specification of cloud computing technology - Security technical requirements
1 Scope
This standard specifies the security technical requirements for the application of cloud computing technology in the financial field, covering basic hardware security, resource abstraction and control security, application security, data security, security management functions, security technology management requirements, optional component security and other contents.
This standard is applicable to cloud service providers, cloud service users, cloud service partners, etc. in the financial field.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the edition cited applies to this document. For undated references, the latest edition of the referenced document (including all amendments) applies.
JR/T 0131-2015 Financial information system room power system specification
JR/T 0166-2018 Financial application specification of cloud computing technology - Technical architecture
3 Terms and definitions
The terms and definitions defined in JR/T 0166-2018 apply to this document.
4 Abbreviations
The following abbreviations apply to this document.
API Application Programming Interface
CPU Central Processing Unit
DDoS Distributed Denial of Service
DoS Denial of Service
HTTPS Hypertext Transfer Protocol Secure
IaaS Infrastructure as a Service
IP Internet Protocol
MAC Media Access Control
PaaS Platform as a Service
SaaS Software as a Service
SQL Structured Query Language
VPN Virtual Private Network
XSS Cross-site Scripting
5 General
5.1 Grading of security technical requirements for cloud computing
Cloud computing technology uses information technology and data resources on demand to reduce informatization costs and improve resource utilization efficiency, but it also brings new risks in service outsourcing, data leakage, service misuse and other aspects. Cloud service users shall fully evaluate the scientific soundness, security and reliability of applying cloud computing technology in combination with the business importance and data sensitivity of their information systems, shall carefully select cloud computing technology to deploy business systems under the premise of ensuring business continuity, data security and fund security, and shall select the deployment and service models that suit their businesses, so that financial business systems using cloud computing technology are secure and controllable.
With a view to further enhancing the applicability and forward-looking nature of the standard, this specification classifies the specific clauses into basic requirements, extended requirements and enhanced requirements according to the principle of hierarchical and classified management. The basic requirements are general and fundamental security requirements, which shall be met by all financial applications of cloud computing technology; the extended requirements are extended security technical requirements proposed, on the basis of the general requirements, for socialized service models such as the community cloud; the enhanced requirements are proposed starting from the development trend of security technology and the forward-looking needs of financial users.
5.2 Basic requirements, enhanced requirements, and security framework for cloud computing
The security framework for cloud computing consists of basic hardware security, resource abstraction and control security, application security, data security, security management functions and optional component security. Cloud service providers and users work together to achieve security. The security framework for cloud computing is shown in Figure 1; the security division of labour between cloud service providers and users differs under the different service categories such as IaaS, PaaS and SaaS. Financial institutions are the end providers of financial services, and the security responsibilities they bear shall not be waived or mitigated by the use of cloud services.
Figure 1 Security framework for cloud computing
As the basic platform carrying information systems in the financial field, the cloud computing platform shall have security requirements not inferior to those of the business systems it carries. The cloud computing platform is still an information system in essence and shall meet the national and financial-industry requirements related to information system security; this standard proposes the security requirements the cloud computing platform shall meet mainly from the perspective of cloud computing technology. See Annex A for the security requirements for optional components of the cloud computing platform such as containers, middleware and databases; see Annex B for the analysis of cloud computing-related security risks.
6 Basic hardware security
6.1 Machine room security
Basic requirements:
It shall be ensured that the physical data center and ancillary facilities deployed for the cloud computing platform meet the relevant requirements of JR/T 0131-2015.
Extended requirements:
a) For the community cloud deployment model, it shall be ensured that the operating environment of the cloud computing data center serving the financial industry is physically isolated from other industries;
b) It shall be ensured that the physical equipment used for the business operation, data storage and processing of cloud service users is located in China;
c) It shall be ensured that the operation maintenance system and the operation system of the cloud computing platform are deployed in China.
Enhanced requirements:
None.
6.2 Network security
Basic requirements:
a) Network redundancy design shall be supported, with network communication links, network equipment, etc. deployed redundantly;
b) The network shall be divided into different network areas according to security requirements to support network security isolation;
c) It shall be ensured that the business network of the cloud computing platform is securely isolated from the management network;
d) It shall be ensured that network control measures are taken to prevent unauthorized equipment from connecting to the internal network of the cloud computing platform and to prevent unauthorized outward connections by the physical servers of the cloud computing platform.
Extended requirements:
a) The provision of private line or VPN access for cloud service users shall be supported;
b) For the community cloud deployment model, it shall be ensured that the physical network hardware serving the financial industry, except the WAN, is not shared with other industries;
c) It shall be ensured that the network resources serving cloud service users are securely isolated from other network resources.
Enhanced requirements:
Network bandwidth priority allocation shall be supported.
6.3 Equipment security
Basic requirements:
a) Critical equipment shall be redundantly deployed to ensure system availability;
b) The operating state, resource usage, etc. of equipment shall be monitored so that an alarm is raised when an abnormal situation occurs;
c) It shall be ensured that equipment and storage media can completely erase the data they carry when they are reused, scrapped or replaced.
Extended requirements:
For the community cloud deployment model, it shall be ensured that the physical equipment used for the financial industry is not shared with other industries.
Enhanced requirements:
a) Secure startup of equipment shall be ensured, i.e. the version at startup is consistent with the expected one and its integrity has not been compromised;
b) Integrity protection shall be applied to the important configuration files of equipment.
7 Resource abstraction and control security
7.1 General requirements
This clause sets out the general requirements that the network resource pool, storage resource pool and computing resource pool shall all meet.
Basic requirements:
a) Kernel patch detection and hardening, and prevention of kernel privilege escalation, shall be supported;
b) It shall be ensured that secure and reliable identity authentication measures are taken when the cloud computing platform is accessed through interfaces such as Web and API.
Extended requirements:
a) It shall be ensured that API interfaces are called remotely over the HTTPS protocol;
b) Timely discovery and fixing of software vulnerabilities shall be supported.
Enhanced requirements:
It shall be ensured that users remotely accessing the cloud computing platform for management do so in an encrypted way, and that a combination of at least two mechanisms is used for identity authentication.
7.2 Network resource pool security
7.2.1 General
Network resource pool security includes security requirements for network resource configuration and operation, as well as security requirements for the security products, functions or services that ensure network security. The cloud service user obtains virtual network resources and control rights in the network resource pool from the cloud service provider.
7.2.2 Architecture security
Basic requirements:
Full redundancy design of the virtual network shall be ensured to avoid single points of failure.
Extended requirements:
a) Isolation between the networks of different tenants and between different networks of the same tenant shall be supported;
b) Cloud service users shall be supported to divide their own security zones;
c) VPC-related security functions shall be supported, and VPC operations (such as creating or deleting a VPC, custom routes, security groups and ACL policies) shall require verification of the cloud service user's credentials;
d) Establishing VPN or private line connections between VPCs and between a VPC and other networks shall be supported;
e) Cloud service users shall be supported to monitor the traffic between the network nodes they own.
Enhanced requirements:
a) Traffic between virtual machines shall be identified and monitored;
b) Open interfaces shall be supported to allow third-party security products to be connected.
7.2.3 Access control
Basic requirements:
a) Access control policies shall be deployed to implement secure access control between virtual machines, between virtual machines and the resource management and scheduling platform, and between virtual machines and external networks;
b) Access by cloud computing platform administrators to the management network shall be subject to access control;
c) Access for remote management of cloud services shall be monitored in real time, and handling of unauthorized management connections shall be supported;
d) Remote execution of privileged commands shall be restricted.
Extended requirements:
a) Cloud service users shall be supported to access the cloud computing platform through VPN;
b) Cloud service users shall be supported to set access control rules at their virtual network boundaries by themselves;
c) Cloud service users shall be supported to divide subnets and set access control rules by themselves;
d) Cloud service users shall be supported to filter the network traffic entering and leaving their VPC by themselves.
Enhanced requirements:
None.
7.2.4 Security audit
Basic requirements:
a) Logs of the virtual network operating status, network traffic, user behaviour, etc. shall be recorded;
b) Support shall be provided for the aggregation of security audit data.
Extended requirements:
a) Auditing of the part each party controls shall be implemented according to the division of responsibilities between the cloud service provider and the cloud service user;
b) The cloud service provider shall provide the necessary support for cloud service users to perform audits;
c) The generation time of audit records shall be produced by a clock uniquely determined across the whole system, to ensure the correctness of audit analysis.
Enhanced requirements:
Output of the metadata and packet data of specific network communications according to specific requirements shall be supported.
7.2.5 Intrusion prevention
Basic requirements:
a) Virtual machines shall be prevented from launching outward attacks using spoofed IP or MAC addresses;
b) Abnormal traffic between virtual machines shall be identified, monitored and handled.
Extended requirements:
a) Attacks against the cloud computing platform launched by virtual machines inside the platform shall be detected and defended against; it shall be possible to locate the virtual machine launching the attack and to record the attack type, attack time, attack traffic and other information;
b) All kinds of network attack behaviour shall be monitored and detected; when a network attack is detected, the source IP of the attack, the attack type, the attack time and other information shall be recorded, and an alarm shall be raised when a serious intrusion event occurs;
c) When financial services are provided over the Internet, DoS/DDoS attack protection shall be supported, and the availability of the network, servers and upper-layer applications shall be guaranteed by scrubbing DoS/DDoS attack traffic;
d) When financial services are provided over the Internet, detection of Web application vulnerabilities shall be supported, and multiple kinds of Web application attacks such as SQL injection and XSS attacks shall be intercepted;
e) Protection against ARP spoofing shall be supported.
Enhanced requirements:
a) Disabling of domain names that have not completed the required filing shall be supported;
b) Outward attack behaviour by cloud service users shall be detected and blocked, with the attack type, attack time, attack traffic and other information recorded;
c) Isolation of malicious virtual machines shall be supported, including blocking communication between a malicious virtual machine and external networks as well as other virtual machines.
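The following Python, added here as an example and not part of the standard, shows the platform-side check that basic requirement a) and extended requirement a) of 7.2.5 describe: each VM port has a bound MAC and IP set, outbound flow records are compared against that binding, and any mismatch is recorded with the originating VM (located from the port, not from the packet), the attack type, the time and the traffic volume. The port bindings and flow records are constructed sample data; a real platform would take them from its network controller and virtual switch.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed port bindings: each VM port is allowed exactly one MAC and a set of IPs.
PORT_BINDINGS = {
    "vm-a": {"mac": "fa:16:3e:00:00:0a", "ips": {"10.0.1.10"}},
    "vm-b": {"mac": "fa:16:3e:00:00:0b", "ips": {"10.0.1.11", "10.0.1.12"}},
}

# Constructed outbound flow records as seen at the virtual switch, where the
# originating VM port is known regardless of what the packet claims.
SAMPLE_FLOWS = [
    # (time, vm, src_mac, src_ip, dst_ip, bytes)
    ("2018-03-01T10:00:00", "vm-a", "fa:16:3e:00:00:0a", "10.0.1.10", "10.0.2.5", 1200),
    ("2018-03-01T10:00:01", "vm-a", "fa:16:3e:00:00:0a", "10.0.2.5", "10.0.2.6", 800),
    ("2018-03-01T10:00:02", "vm-b", "fa:16:3e:00:00:0b", "10.0.1.12", "10.0.2.5", 640),
    ("2018-03-01T10:00:03", "vm-b", "fa:16:3e:00:00:aa", "10.0.1.11", "10.0.2.5", 5000),
]

@dataclass
class SpoofEvent:
    vm: str        # located from the port the flow arrived on, not from the packet
    kind: str      # attack type: "mac-spoof" or "ip-spoof"
    time: str
    observed: str  # the claimed source MAC/IP
    bytes: int     # attack traffic volume

def classify_flow(vm, src_mac, src_ip):
    """Compare a flow's claimed source against the binding of the port it came from."""
    binding = PORT_BINDINGS.get(vm)
    if binding is None:
        return "unknown-port"
    if src_mac != binding["mac"]:
        return "mac-spoof"
    if src_ip not in binding["ips"]:
        return "ip-spoof"
    return "ok"

def detect_spoofing(flows):
    """Return one SpoofEvent per flow whose source does not match its port binding."""
    events = []
    for ts, vm, mac, ip, _dst, nbytes in flows:
        kind = classify_flow(vm, mac, ip)
        if kind != "ok":
            events.append(SpoofEvent(vm, kind, ts, f"{mac}/{ip}", nbytes))
    return events

def summarize(events):
    """Per-VM event count and traffic total, the record the requirement asks for."""
    totals = defaultdict(lambda: {"events": 0, "bytes": 0})
    for e in events:
        totals[e.vm]["events"] += 1
        totals[e.vm]["bytes"] += e.bytes
    return dict(totals)
```

The same binding table is what an enforcing virtual switch would use to drop such packets; the detection path above is what produces the attack record the requirement asks the platform to keep.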
7.2.6 Malicious code prevention
Basic requirements:
a) Detection and removal of malicious code shall be supported;
b) Upgrades of the malicious code signature database and updates of the related detection systems shall be maintained.
Extended requirements:
None.
Enhanced requirements:
None.
7.3 Storage resource pool security
Storage resource pool security includes security requirements for storage resource configuration and operation, as well as security requirements for the security products, functions or services that ensure storage security. The cloud service user obtains virtual storage resources and control rights in the storage resource pool from the cloud service provider.
Basic requirements:
a) Multi-level access control shall be supported;
b) Logs of the storage equipment operating status, user behaviour, etc. shall be recorded;
c) Support shall be provided for the aggregation of security audit data.
Extended requirements:
a) Distribution of the data replicas of distributed storage across different physical racks shall be supported;
b) Unauthorized operations on tenant resources by cloud computing platform administrators shall be prohibited;
c) Secure transmission for tenant access to storage resources shall be supported;
d) Account permission management for service users across physical clusters shall be supported;
e) Encrypted storage of content shall be supported, with the encryption keys manageable by the tenant, by the cloud service provider or by a third-party organization;
f) The data of different tenants shall be isolated;
g) Auditing of the part each party controls shall be implemented according to the division of responsibilities between the cloud service provider and the cloud service user;
h) The cloud service provider shall provide the necessary support for cloud service users to perform audits;
i) The generation time of audit records shall be produced by a clock uniquely determined across the whole system, to ensure the correctness of audit analysis.
Enhanced requirements:
None.