Under the new compliance requirements, how to quickly pass the MLPS evaluation of an operating system on the cloud

The sudden epidemic caught a large number of SMEs off guard and forced them to move office and business scenarios from offline to online ahead of schedule. At the same time, the adoption of new-generation information technologies such as 5G, AI and cloud computing is accelerating the digitization and industrial upgrading of every sector. As technology develops and infrastructure construction speeds up, this process also places higher demands on information security.


However, facing drastic changes in the network environment, enterprises often find it hard to adapt quickly to the increasingly blurred security boundary that comes with digital transformation. Most SMEs lack the staff and the technical capability to cope with the new security challenges.

Laws and regulations issued in succession also emphasize the importance of information security. It has been almost five months since the Cybersecurity Classified Protection 2.0 standards (hereinafter "MLPS 2.0") came into force. On one hand, MLPS 2.0 extends the scope horizontally, adding security requirements for cloud computing, mobile Internet, the Internet of Things, industrial control systems and big data; on the other hand, it extends vertically with management specifications for evaluation agencies, a clearly defined grading process, and a method for determining the grade of the object being rated. How to respond quickly and efficiently to the new security challenges while carrying out digital transformation and upgrading of the business has become a question companies must consider before a business goes live.

Which companies need to pass the classified protection evaluation?

According to Article 21 of the Cybersecurity Law of the People's Republic of China, network operators shall fulfill the relevant security protection obligations in accordance with the requirements of the cybersecurity classified protection system. Article 76 defines a network operator as the owner or manager of a network, or a network service provider.

Although the classified protection standards themselves are recommended (non-mandatory) standards, operators of networks (other than personal and home networks) must carry out classified protection in accordance with the Cybersecurity Law.

Even if an enterprise uses a cloud server that has itself passed the classified protection evaluation and builds its system on the cloud, its own system still has to be evaluated. Business systems go to the cloud in many forms: public cloud, private cloud and other deployment models, consumed as IaaS, PaaS, SaaS, IDC hosting and other service types. Although the security responsibility boundary changes, the network operator's security responsibility is not transferred. Under the principle of "whoever operates is responsible, whoever uses is responsible, whoever is in charge is responsible", the operator bears the cybersecurity responsibility for classified protection.

According to Appendix D of GB/T 22239-2019 "Information security technology: Baseline for classified protection of cybersecurity", cloud service providers assume different platform-side security responsibilities depending on whether they provide IaaS, PaaS or SaaS. After a business system moves to the cloud, the cloud tenant and the cloud platform provider should follow the shared-responsibility matrix and jointly assume their respective security responsibilities.


(Cloud tenant and cloud platform service provider responsibility sharing model)

What are the evaluation requirements for an operating system on the cloud?

For the many small and medium-sized enterprises using public clouds, security staff and technical capability are relatively scarce. Faced with the complex requirements of MLPS 2.0 they are even more at a loss, especially where the operating system on the cloud is concerned: passing the evaluation requires complex manual configuration to satisfy more than 30 compliance items.

Taking the CentOS 7.x operating system as an example, according to GB/T 22239-2019 "Information security technology: Baseline for classified protection of cybersecurity", the baseline requirements to be met cover 11 parts: identity authentication, access control, security audit, intrusion prevention, malicious code prevention, trusted verification, data integrity, data confidentiality, data backup and recovery, residual information protection, and personal information protection.

1. Identity authentication

◆ Evaluation requirements

Users who log in should be identified and authenticated; each identity must be unique, and authentication information must meet complexity requirements and be changed periodically. Login-failure handling should be configured and enabled: ending the session, limiting the number of invalid login attempts, and logging out automatically when a login connection times out; ...

2. Access control

◆ Evaluation requirements

Accounts and permissions should be assigned to users who log in; default accounts should be renamed or deleted and their default passwords changed; redundant and expired accounts should be deleted or disabled promptly so that no shared accounts exist; administrative users should be granted only the minimum privileges they need, with separation of duties among administrative users;

3. Security audit

◆ Evaluation requirements

The security audit function should be enabled, covering every user and recording important user behaviors and important security events; each audit record should include the date and time of the event, the type of event, the subject identifier, the object identifier and the result, etc.; ...

4. Intrusion prevention

◆ Evaluation requirements

Unneeded system services, default shares and high-risk ports should be closed; known vulnerabilities that may exist should be discovered and, after sufficient testing and evaluation, patched promptly; an alarm should be raised when a serious intrusion event occurs. ...

5. Malicious code prevention

◆ Evaluation requirements

Technical measures against malicious code, or an active-immunity trusted verification mechanism, should be adopted to identify intrusions and virus behavior promptly and block them effectively.

In addition, across the 11 parts, including trusted verification, data integrity, data confidentiality, data backup and recovery, residual information protection and personal information protection, there are more than 30 detailed evaluation items.
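Each of the first four items above maps onto a small set of configuration files on a CentOS 7 host, which is what makes them checkable by script before the evaluator arrives. The following script is an added example, not code from this article or from Tencent Cloud: a read-only audit that reads those files and prints one line per finding an evaluator would flag. The thresholds (90-day password lifetime, minlen 8, three character classes, lockout after 5 failures, 600-second idle timeout, three auditd watches) and the "stock" and "hardened" sample files it generates are this example's assumptions, not values quoted from the standard; substitute the numbers in your evaluation agency's baseline. Point the check functions at /etc/login.defs, /etc/security/pwquality.conf, /etc/pam.d/system-auth, /etc/profile, /etc/ssh/sshd_config, /etc/passwd, /etc/shadow and /etc/audit/rules.d/audit.rules to run it against a live host.

```shell
#!/bin/sh
# Added example (not code from the original article or from Tencent Cloud): a
# read-only audit of the CentOS 7 files behind the identity-authentication,
# access-control and security-audit items. Every check takes file paths, so it
# runs unchanged against /etc on a live host or, as here, against constructed
# samples. All thresholds are this example's assumptions. Each check prints one
# "FAIL ..." line per finding and returns 1 if anything failed, else 0.
set -u

kv_space() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }   # "KEY VALUE" files (login.defs)
kv_equals() {   # "key = value" files (pwquality.conf); first active occurrence
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | head -n 1
}
fail() { echo "FAIL $*"; }

# Identity authentication: password lifetime and complexity (pam_pwquality).
check_password_policy() {  # $1=login.defs $2=pwquality.conf
    pp_fails=0
    maxdays=$(kv_space "$1" PASS_MAX_DAYS)
    [ -n "$maxdays" ] && [ "$maxdays" -le 90 ] 2>/dev/null \
        || { fail "PASS_MAX_DAYS=${maxdays:-unset}, want <= 90"; pp_fails=1; }
    minlen=$(kv_equals "$2" minlen)
    [ -n "$minlen" ] && [ "$minlen" -ge 8 ] 2>/dev/null \
        || { fail "pwquality minlen=${minlen:-unset}, want >= 8"; pp_fails=1; }
    # Character classes can be demanded via minclass or via negative *credit values.
    minclass=$(kv_equals "$2" minclass); negcredits=0
    for c in dcredit ucredit lcredit ocredit; do
        case "$(kv_equals "$2" "$c")" in -*) negcredits=$((negcredits + 1)) ;; esac
    done
    [ "${minclass:-0}" -ge 3 ] 2>/dev/null || [ "$negcredits" -ge 3 ] \
        || { fail "pwquality: want minclass >= 3 or three negative *credit settings"; pp_fails=1; }
    [ "$pp_fails" -eq 0 ]
}
# Identity authentication: lockout after failed logins (pam_faillock) and idle logout (TMOUT).
check_lockout_and_timeout() {  # $1=pam.d/system-auth $2=profile or a profile.d/*.sh file
    lt_fails=0
    deny=$(sed -n 's/^auth.*pam_faillock\.so.*deny=\([0-9]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$deny" ] && [ "$deny" -gt 0 ] && [ "$deny" -le 5 ] \
        || { fail "pam_faillock deny=${deny:-unset}, want 1..5"; lt_fails=1; }
    tmout=$(sed -n 's/^[[:space:]]*\([a-z]* \)\{0,1\}TMOUT=\([0-9]*\).*/\2/p' "$2" | head -n 1)
    [ -n "$tmout" ] && [ "$tmout" -gt 0 ] && [ "$tmout" -le 600 ] \
        || { fail "TMOUT=${tmout:-unset}, want 1..600"; lt_fails=1; }
    [ "$lt_fails" -eq 0 ]
}
# Access control: no remote root login, no second UID-0 (shared superuser) account, no empty passwords.
check_accounts() {  # $1=sshd_config $2=passwd $3=shadow
    ac_fails=0
    prl=$(awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1")
    [ "$prl" = "no" ] || { fail "sshd PermitRootLogin=${prl:-unset (defaults to yes)}, want no"; ac_fails=1; }
    extra_root=$(awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$2")
    [ -z "$extra_root" ] || { fail "UID 0 shared with: $(echo $extra_root)"; ac_fails=1; }
    empty_pw=$(awk -F: '$2 == "" { print $1 }' "$3")
    [ -z "$empty_pw" ] || { fail "empty password field: $(echo $empty_pw)"; ac_fails=1; }
    [ "$ac_fails" -eq 0 ]
}
# Security audit: auditd watches writes and attribute changes on the account and privilege files.
check_audit_rules() {  # $1=audit.rules
    au_fails=0
    for f in /etc/passwd /etc/shadow /etc/sudoers; do
        grep -q -- "^-w $f -p wa" "$1" || { fail "audit.rules: missing '-w $f -p wa'"; au_fails=1; }
    done
    [ "$au_fails" -eq 0 ]
}
# Run every check on one directory of files; returns the number of failed check groups.
audit_tree() {  # $1=directory
    n=0
    check_password_policy "$1/login.defs" "$1/pwquality.conf" || n=$((n + 1))
    check_lockout_and_timeout "$1/system-auth" "$1/profile" || n=$((n + 1))
    check_accounts "$1/sshd_config" "$1/passwd" "$1/shadow" || n=$((n + 1))
    check_audit_rules "$1/audit.rules" || n=$((n + 1))
    echo "$1: $n of 4 check groups failed"
    return "$n"
}
# Constructed samples (not copied from any host): "stock" mimics fresh CentOS 7 defaults,
# "hardened" is the same set of files after a baseline pass.
write_samples() {  # $1=directory
    s="$1/stock"; h="$1/hardened"; mkdir -p "$s" "$h"
    printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_LEN\t5\n' > "$s/login.defs"
    printf 'PASS_MAX_DAYS\t90\nPASS_MIN_LEN\t8\n' > "$h/login.defs"
    printf '# minlen = 8\n# minclass = 0\n' > "$s/pwquality.conf"
    printf 'minlen = 10\ndcredit = -1\nucredit = -1\nlcredit = -1\nocredit = -1\n' > "$h/pwquality.conf"
    printf 'auth required pam_env.so\nauth sufficient pam_unix.so nullok try_first_pass\n' > "$s/system-auth"
    printf '%s\n' 'auth required pam_env.so' 'auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900' \
        'auth sufficient pam_unix.so try_first_pass' 'auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900' > "$h/system-auth"
    printf 'export PATH\n' > "$s/profile"; printf 'export TMOUT=600\n' > "$h/profile"
    printf '#PermitRootLogin yes\n' > "$s/sshd_config"; printf 'PermitRootLogin no\n' > "$h/sshd_config"
    printf 'root:x:0:0:root:/root:/bin/bash\nadmin2:x:0:0::/home/admin2:/bin/bash\n' > "$s/passwd"
    printf 'root:x:0:0:root:/root:/bin/bash\nadmin2:x:1001:1001::/home/admin2:/bin/bash\n' > "$h/passwd"
    printf 'root:$6$salt$hash:18000:0:99999:7:::\nguest::18000:0:99999:7:::\n' > "$s/shadow"
    printf 'root:$6$salt$hash:18000:0:90:7:::\nguest:!!:18000:0:90:7:::\n' > "$h/shadow"
    : > "$s/audit.rules"
    printf '%s\n' '-w /etc/passwd -p wa -k identity' '-w /etc/shadow -p wa -k identity' \
        '-w /etc/sudoers -p wa -k privilege' > "$h/audit.rules"
}
main() {
    d=$(mktemp -d) && write_samples "$d"
    audit_tree "$d/stock"; audit_tree "$d/hardened"   # stock: 11 FAIL lines; hardened: none
    rm -rf "$d"
}
main
```

Two points the script makes that a checklist does not: pam_pwquality can express the "complexity" item either as minclass or as negative credit values, so a checker that only looks for one form will wrongly fail a compliant host; and PermitRootLogin is commented out in a stock sshd_config, which means the default (yes) applies, so "not present" must be treated as a failure rather than as unknown.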

How to configure the system to pass the operating system evaluation quickly?

Faced with such complex evaluation requirements, even a cloud-based enterprise that understands the specific content finds it hard to work out the exact server configuration and how far it can be modified to satisfy the evaluation agency. Worse, a misconfiguration or a change made while the system is in operation (for example to SSH login settings) can leave the system unable to log in or otherwise malfunctioning.


(Problems that may be encountered during manual configuration)
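The SSH lockout mentioned above is the classic self-inflicted outage of a manual hardening pass, and it is avoidable with a fixed order of operations: back up, edit, validate, and only then reload, rolling back if validation fails. The script below is an added example, not code from this article or from Tencent Cloud, showing that pattern for a single sshd_config directive. The sample configuration it writes, the backup naming, and the fallback syntax check are this example's assumptions; on a real host the validator is OpenSSH's own `sshd -t -f FILE`, which must run as root because it loads the host keys.

```shell
#!/bin/sh
# Added example (not code from the original article or from Tencent Cloud):
# change one sshd_config directive idempotently, with a backup and a
# validate-or-roll-back step, so a slip in the hardening pass cannot leave the
# host unreachable over SSH. The file path is a parameter; try it on a copy.
set -u

# Value of the first *active* global occurrence of KEY. sshd keywords are
# case-insensitive, the first occurrence wins, and anything after a Match line
# belongs to that block, so the scan stops there.
get_sshd_option() {  # $1=file $2=key
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == "match" { exit } tolower($1) == k { print $2; exit }' "$1"
}

# Comment out every active global occurrence of KEY and write "KEY VALUE" as
# line 1. Line 1 is outside any Match block and is the first occurrence, so it
# is the one sshd applies; appending at the end of the file would land inside
# the last Match block instead. Occurrences inside Match blocks are left alone
# (they are deliberate per-user/per-host overrides). No-op if already set.
set_sshd_option() {  # $1=file $2=key $3=value
    [ "$(get_sshd_option "$1" "$2")" = "$3" ] && return 0
    tmp="$1.tmp.$$"
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v line="$2 $3" \
        'BEGIN { print line }
         tolower($1) == "match" { inmatch = 1 }
         tolower($1) == k && !inmatch { print "#" $0; next }
         { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Weak structural check used when the real parser is unavailable: every active
# line must have a keyword and a value.
check_sshd_syntax() {  # $1=file
    awk 'BEGIN { bad = 0 } /^[[:space:]]*(#|$)/ { next } NF < 2 { bad = 1 } END { exit bad }' "$1"
}
# Prefer OpenSSH's own parser; it needs root to read the host keys.
validate_sshd_config() {  # $1=file
    if command -v sshd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then sshd -t -f "$1"
    else check_sshd_syntax "$1"; fi
}

# Back up, edit, validate with the given function, restore the backup on failure.
apply_sshd_option() {  # $1=file $2=key $3=value $4=validator function
    bak="$1.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$1" "$bak" || return 2
    set_sshd_option "$1" "$2" "$3"
    if "$4" "$1"; then
        echo "OK       $2 $3 -> $1 (backup $bak)"; return 0
    fi
    cp -p "$bak" "$1"
    echo "ROLLBACK $2 $3 rejected by $4, $1 restored from $bak" >&2; return 1
}

# Constructed sample (not any real host's file): a commented stock default plus a
# Match block, to show where the new directive lands and what is left untouched.
write_sample_sshd_config() {  # $1=path
    printf '%s\n' '#PermitRootLogin yes' 'PasswordAuthentication yes' \
        'Match User backup' '    PasswordAuthentication no' > "$1"
}

main() {
    f=$(mktemp) && write_sample_sshd_config "$f"
    apply_sshd_option "$f" PermitRootLogin no validate_sshd_config
    apply_sshd_option "$f" MaxAuthTries 5 validate_sshd_config
    apply_sshd_option "$f" PermitRootLogin no validate_sshd_config   # already set: file unchanged
    cat "$f"; rm -f "$f" "$f".bak.*
}
main
```

After `apply_sshd_option` reports OK on the live file, reload sshd while the current session stays open, then open a second SSH connection and confirm it authenticates before closing the first; an existing session survives a bad reload, a new one does not, which is exactly the window in which the backup is still useful.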

So, besides manual configuration, what easier ways are there to pass the operating system compliance evaluation?

To help tenants on the cloud solve this problem, Tencent Security Yunding Lab, working from baseline standards provided by professional evaluation agencies, has recently launched free cloud-native MLPS-compliant images. The product is built on the native public images and keeps the native kernel unmodified; while preserving the compatibility and performance of the original image, it has been adapted for compliance, sparing users the complex operation and configuration problems and completing more than 90% of the basic operating system compliance configuration automatically, with one click and no manual intervention.

It is understood that Tencent Cloud has passed the Level 3 evaluation for its public cloud and the Level 4 evaluation for its financial cloud with scores of 97.82 and 97.57 respectively. Tencent Cloud carries out more than 10 such compliance certifications for various internal systems every year and also supports users across industries through their classified protection evaluations. In the process it has not only exchanged in depth with professional evaluation agencies but also accumulated a rich set of automated evaluation tools and experience.

Now, with the support of the baseline standards of professional evaluation agencies, Tencent Cloud is exporting this experience and capability to tenants on the cloud through the default-compliant images, helping them pass the operating system evaluation. The Tencent security team will continuously operate and maintain the images so that, when a new major security threat emerges, the compliant images in use by tenants have already had the vulnerability fixed and continue to receive security updates.


Origin blog.csdn.net/qcloud_security/article/details/105622850