Building Enterprise Cloud Security
Robin Shen, Nov 2021

Agenda
- Cloud security challenges
- How to define an enterprise cloud security strategy and roadmap
- Designing cloud security control points
- Cloud security management platform: CSPM
- Cloud-native security capabilities: CWPP
- Q&A

Gartner public cloud spending report (Revenue & Cost)
Public Cloud Service Spending Forecast (Total Market Worldwide), 23% increase:
- 2019: $243B
- 2020: $270B
- 2021: $332B
- 2022: $397B
Source: Gartner Research / Nov 2020 & Apr 2021
Gartner predicts that by 2022, 80% of enterprise services will be deployed in the cloud.

Cloud security challenges
1. Digital transformation: DevOps / agile development; containerization, microservices and open-source technology; cross-department collaboration
2. Multi-cloud environments: legacy data centers and legacy application systems
3. Threats everywhere: internal and external threats; ransomware
4. Privacy and compliance: more and stricter compliance requirements

Vision for the cloud security strategy
1. Multi-cloud support, global deployment
2. Unified account management and identity security
3. Unified security policy (SDSec)
4. Unified management platform
5. Unified compliance management and monitoring

Seven steps to realize the vision
1) Strategic alignment
2) Gap analysis and assessment
3) Prioritization
4) Selection of technology, tools and solutions
5) Deployment of security controls and tools
6) Operations support: SOC support, unified log platform and monitoring
7) Continuous monitoring and improvement

Cloud Security - Common Issues
- PaaS security: SQL PaaS with public access enabled; ensure that the public access level is set to Private for blob containers
- Network security: SSH/RDP access is not restricted from the internet; ensure HTTPS with TLS 1.2 or higher is enabled
- Key management: ensure the key vault is recoverable
- Host security: ensure endpoint protection is installed on all virtual machines
- Log management: ensure "Send alerts to" is set; ensure Auditing is set to On; ensure the audit profile captures all activities; ensure Activity Log retention is set to 180 days or greater
- Security operations: cloud assets outside security control and monitoring (legacy or shadow IT)
- Identity protection: account security in cloud operations - shared operations accounts, day-to-day operations performed with privileged accounts

Cloud - Account and Identity Protection (grouped on the slide under Protect and Detect & Response)
01 Administrator endpoints: use a Privileged Access Workstation (PAW)
02 Privileged account management: Privileged Identity Management (PIM) for cloud
03 Multi-factor authentication: MFA / SSO
04 Emergency accounts: at least 2 emergency "break glass" accounts
05 Least privilege: RBAC, least-privilege based
06 Conditional access control: location- and behaviour-based
07 Unified identity management: centralized identity management - AD integration/connector
08 Monitoring and audit: cloud logs, SIEM integration and monitoring

Cloud - Network Security
01 Network connectivity: VPC, ExpressRoute, VPN, DNS
02 Network perimeter protection: DDoS Protection, WAF, Azure/AliCloud Firewall, Application Gateway
03 Network monitoring: Network Watcher, Azure/Alicloud Security Centre
04 Network isolation: Azure/AliCloud Firewall, Network Security Groups, Service Endpoint

Cloud - Virtual Machine Security
- Host security: Azure Defender, Alibaba Security Center
- Updates and patching
- Disk encryption
- Security baselines / CIS benchmarking
- Operations bastion host: Bastion / PAM

Cloud - Data Security
Storage (Storage/Blob):
- Data at rest encryption for Storage/Blob
- Data in transit: HTTPS / SMB 3.0
- Access control: deny public access; SAS tokens; limit the IP segments allowed to access
- Advanced threat protection for storage accounts
Secrets management (Key Vault/KMS):
- Key encryption key
- Application integration
- Audit log & security roles
Database security:
- Vulnerability assessment, data classification & discovery
- ATP monitoring
- SQL firewall
- Row-level security & dynamic data masking
- Database audit

Cloud - Key Security (roles: security administrator, developer, auditor)
Security administrator:
- Create a Key Vault in Azure
- Create/import keys/secrets
- Grant permissions to data applications to encrypt, sign, or unwrap data
- Get the URIs of the key/secret
- Can revoke access
- Enable logging/tracing
Developer:
- Deploy applications configured with the URI of the key/secret
- The application can use the URI of the key/secret to encrypt, sign, or unwrap
- The application can use the tenant's keys, but cannot see them
Auditor:
- Review logs to confirm the proper use of keys and compliance with data security policies and standards

Cloud - Database Security
- Vulnerability management (Vulnerability Assessment): vulnerability/baseline scanning
- Log and event monitoring (Activity Monitoring): database auditing/logs, Advanced Threat Protection
- Access control: SQL Firewall, AD integration, dynamic data masking
- Data protection: Transparent Data Encryption

Cloud - PaaS Security
Application security / DevSecOps:
- SAST/DAST/IAST/RASP/penetration testing
- CI/CD integration
- Container security: AKS, ACK
- Container registry (malware/vulnerability scanning)
- SCA (software composition analysis)
- Security Centre monitoring
- Network segmentation, e.g., Service Endpoint
- WAF or other protection
Service security:
- Security Centre monitoring
- WAF or firewall protection / IPS
- Network separation, e.g., service endpoint
- Anti-Bot
- Risk control
- Bastion host
- KMS
- Anti-DDoS
- Database audit
- Content audit

Cloud - Security Operations / SOC / SIEM

Cloud - CSPM (Cloud Security Posture Management)
CSPM concentrates on continuous security assessment and compliance monitoring for multi-cloud environments.
- Unified visibility and monitoring: multi-cloud support
- Automation & real-time remediation: policy enforcement
- Risk assessment & auditing: customized filters, insights and packages
- IAM governance: govern cloud identity and IAM
- Threat protection: integrate with the CSP's threat protection service
- Posture management: CIS / CSA / ISO 27001 / NIST etc.
- Extensible platform: SNOW/CrowdStrike integration; SOC integration / SOAR
- Infrastructure as Code security: shift cloud security left to power DevSecOps

Cloud - CWPP (Cloud Workload Protection Platform)
Cloud-native tools (examples):
1. Azure Security Center: MMA, container registry, Kubernetes, PaaS SQL
2. Alibaba Security Center: Security Center agent, baseline scan, image security, vulnerability
Third-party tools:
- Support all kinds of clouds
- More features: sandbox
- Application security features (SCA)
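The "common issues" checklist and the CSPM slide describe the same thing from two sides: a set of misconfigurations worth finding, and a platform that finds them continuously. As an added example, not part of the slides, the Python below runs those controls (public blob access, SQL public access, SSH/RDP open to the internet, TLS below 1.2, non-recoverable key vault, missing endpoint protection, unmonitored assets, auditing/alerting off, activity log retention under 180 days, shared or MFA-less privileged accounts, fewer than two break-glass accounts) over a constructed inventory. The inventory schema, resource names and control labels are assumptions of this example, not a real CSP API or any CSPM product's output.

```python
"""CSPM-style posture checks over a constructed multi-cloud inventory.

Hypothetical example: the inventory schema, resource ids and control names are
assumptions of this example, not a real CSP API or a CSPM product's schema.
"""
from dataclasses import dataclass

MIN_TLS = (1, 2)                 # "HTTPS TLS 1.2 or higher"
MIN_LOG_RETENTION_DAYS = 180     # "Activity Log Retention 180 days or greater"
MIN_BREAK_GLASS_ACCOUNTS = 2     # "at least 2 emergency accounts"
INTERNET_SOURCES = {"Internet", "*", "0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample inventory (not data from any real tenant).
INVENTORY = {
    "storage": [
        {"id": "st-prod-logs", "public_access": "Private", "min_tls": "1.2"},
        {"id": "st-legacy-web", "public_access": "Container", "min_tls": "1.0"},
    ],
    "sql": [
        {"id": "sql-hr", "public_network_access": False, "auditing": "On", "send_alerts_to": "soc@example.test"},
        {"id": "sql-shadow", "public_network_access": True, "auditing": "Off", "send_alerts_to": ""},
    ],
    "nsg_rules": [
        {"id": "nsg-web/allow-https", "port": 443, "source": "Internet", "action": "Allow"},
        {"id": "nsg-ops/allow-rdp", "port": 3389, "source": "Internet", "action": "Allow"},
        {"id": "nsg-ops/allow-ssh-vpn", "port": 22, "source": "10.0.0.0/8", "action": "Allow"},
    ],
    "key_vaults": [
        {"id": "kv-prod", "soft_delete": True, "purge_protection": True},
        {"id": "kv-dev", "soft_delete": False, "purge_protection": False},
    ],
    "vms": [
        {"id": "vm-app01", "endpoint_protection": True, "monitored": True},
        {"id": "vm-legacy-ftp", "endpoint_protection": False, "monitored": False},
    ],
    "activity_log": {"retention_days": 90},
    "accounts": [
        {"id": "alice", "privileged": True, "mfa": True, "shared": False, "break_glass": False},
        {"id": "ops-shared", "privileged": True, "mfa": False, "shared": True, "break_glass": False},
        {"id": "bg-admin-1", "privileged": True, "mfa": True, "shared": False, "break_glass": True},
    ],
}


@dataclass(frozen=True)
class Finding:
    control: str   # control family from the "common issues" checklist
    resource: str  # offending resource id
    detail: str    # observed state and the expected state


def tls_tuple(version: str) -> tuple:
    """'1.2' -> (1, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in version.split("."))


def evaluate(inv: dict) -> list:
    """Run every control over the inventory and return the list of findings."""
    f = []
    for s in inv["storage"]:
        if s["public_access"] != "Private":
            f.append(Finding("PaaS", s["id"], f"blob public access is {s['public_access']}, expected Private"))
        if tls_tuple(s["min_tls"]) < MIN_TLS:
            f.append(Finding("Network", s["id"], f"minimum TLS {s['min_tls']}, expected 1.2 or higher"))
    for db in inv["sql"]:
        if db["public_network_access"]:
            f.append(Finding("PaaS", db["id"], "SQL PaaS allows public network access"))
        if db["auditing"] != "On":
            f.append(Finding("Log", db["id"], "auditing is not On"))
        if not db["send_alerts_to"]:
            f.append(Finding("Log", db["id"], "'Send alerts to' is not set"))
    for r in inv["nsg_rules"]:
        if r["action"] == "Allow" and r["source"] in INTERNET_SOURCES and r["port"] in ADMIN_PORTS:
            f.append(Finding("Network", r["id"], f"{ADMIN_PORTS[r['port']]} reachable from the internet"))
    for kv in inv["key_vaults"]:
        if not (kv["soft_delete"] and kv["purge_protection"]):
            f.append(Finding("KeyManagement", kv["id"], "vault not recoverable: soft delete and purge protection required"))
    for vm in inv["vms"]:
        if not vm["endpoint_protection"]:
            f.append(Finding("Host", vm["id"], "endpoint protection not installed"))
        if not vm["monitored"]:
            f.append(Finding("SecOps", vm["id"], "asset outside security monitoring (legacy/shadow IT)"))
    days = inv["activity_log"]["retention_days"]
    if days < MIN_LOG_RETENTION_DAYS:
        f.append(Finding("Log", "activity-log", f"retention {days} days, expected >= {MIN_LOG_RETENTION_DAYS}"))
    break_glass = 0
    for a in inv["accounts"]:
        break_glass += a["break_glass"]
        if a["shared"]:
            f.append(Finding("Identity", a["id"], "shared operations account"))
        if a["privileged"] and not a["mfa"]:
            f.append(Finding("Identity", a["id"], "privileged account without MFA"))
    if break_glass < MIN_BREAK_GLASS_ACCOUNTS:
        f.append(Finding("Identity", "tenant", f"{break_glass} break-glass account(s), expected >= {MIN_BREAK_GLASS_ACCOUNTS}"))
    return f


def summarize(findings: list) -> dict:
    """Count findings per control family: the view a CSPM dashboard would show."""
    counts = {}
    for x in findings:
        counts[x.control] = counts.get(x.control, 0) + 1
    return counts


if __name__ == "__main__":
    results = evaluate(INVENTORY)
    for x in results:
        print(f"[{x.control}] {x.resource}: {x.detail}")
    print(summarize(results))
```

In a real deployment the inventory would be pulled from the cloud providers' resource and policy APIs on a schedule, and each finding would be routed to the SOC/SOAR integration the CSPM slide mentions; the evaluation logic itself stays as simple as above, which is why the "shift left" item fits: the same checks can run against Infrastructure as Code before anything is deployed.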