Source document: 1沈瓏-企業云安全建設之路(19頁).pdf (a 19-page slide deck).
The Road to Enterprise Cloud Security
Robin Shen, Nov 2021

Agenda
- Cloud security challenges
- How to define an enterprise cloud security strategy and roadmap
- Designing cloud security control points
- Cloud security management platform: CSPM
- Cloud-native security capabilities: CWPP
- Q&A

Gartner public cloud spending report
Public Cloud Service Spending Forecast (Total Market Worldwide), Revenue & Cost:
- 2019: $243B
- 2020: $270B
- 2021: $332B
- 2022: $397B
(23% increase; source: Gartner Research, Nov 2020 & Apr 2021)
Gartner predicts that by 2022, 80% of enterprise services will be deployed in the cloud.

Cloud security challenges
- Digital transformation: DevOps/agile development; containerization, microservices and open-source technology; cross-department collaboration
- Multi-cloud environment: legacy data centres and legacy application systems
- Threats everywhere: internal and external threats; ransomware
- Privacy and compliance: more and more, and increasingly strict, compliance requirements

Vision for the cloud security strategy
1. Multi-cloud support, global deployment
2. Unified account management and identity security
3. Unified security policy (SDSec)
4. Unified management platform
5. Unified compliance management and monitoring

Seven steps to realize the vision
1) Strategy alignment
2) Gap analysis and assessment
3) Prioritization
4) Selection of technology tools and solutions
5) Deployment of security controls and tools
6) Operations support: SOC support, unified log platform, monitoring
7) Continuous monitoring and improvement

Cloud security: common issues
- PaaS security: SQL PaaS with public access enabled; ensure that the public access level is set to Private for blob containers
- Network security: SSH/RDP access not restricted from the internet; ensure HTTPS with TLS 1.2 or higher is enabled
- Key management: ensure the key vault is recoverable
- Host security: ensure that endpoint protection is installed on all virtual machines
- Log management: ensure that "Send alerts to" is set; ensure that Auditing is set to On; ensure the audit profile captures all activities; ensure that Activity Log retention is set to 180 days or greater
- Security operations: cloud assets outside security control and monitoring (legacy or shadow IT)
- Identity protection (cloud security operations, account security): shared operations accounts; routine operations performed with privileged accounts

Cloud: account and identity protection
(the slide groups these controls under Protect and Detect & Response)
01 Administrator endpoint devices: use a Privileged Access Workstation (PAW)
02 Privileged account management: Privileged Identity Management (PIM) for cloud
03 Multi-factor authentication / SSO
04 Emergency accounts: at least 2 emergency ("break glass") accounts
05 Least privilege: RBAC, least-privilege based
06 Conditional access control: location- or behaviour-based
07 Centralized identity management: AD integration/connector
08 Monitoring and audit: cloud logs, SIEM integration and monitoring

Cloud: network security
- Network connectivity: VPC, ExpressRoute, VPN, DNS
- Network perimeter protection: DDoS Protection, WAF, Azure/AliCloud Firewall, Application Gateway
- Network monitoring: Network Watcher, Azure/AliCloud Security Centre
- Network isolation: Azure/AliCloud Firewall, Network Security Groups, Service Endpoint

Cloud: virtual machine security
- Host security: Azure Defender, Alibaba Security Center
- Updates and patching
- Disk encryption
- Security baselines / CIS benchmarking
- Operations bastion: Bastion / PAM

Cloud: data security
- Storage/Blob: data-at-rest encryption for Storage/Blob; data in transit over HTTPS/SMB 3.0; access control (deny public access, SAS tokens, limit the IP segments allowed to access); advanced threat protection for the storage account
- Secrets manager (Key Vault/KMS): key encryption key; application integration; audit log and security roles
- Database security: vulnerability assessment, data classification and discovery; ATP monitoring; SQL firewall; row-level security and dynamic data masking; database audit

Cloud: key security (roles in the Key Vault workflow)
- Security administrator: create a Key Vault in Azure; create or import keys/secrets; grant permissions to data applications to encrypt, sign or unwrap data; get the URIs of keys/secrets; can revoke access; enable logging/tracing
- Developer: deploy applications configured with the URI of the key/secret; the application can use the URI of the key/secret to encrypt, sign or unwrap; the application can use the tenant's keys but cannot see them
- Auditor: review logs to confirm the proper use of keys and compliance with data security policies and standards

Cloud: database security
- Vulnerability management: vulnerability assessment; vulnerability/baseline scanning
- Log and event monitoring: activity monitoring; database auditing/log; advanced threat protection
- Access control: SQL firewall, AD integration, dynamic data masking
- Data protection: transparent data encryption

Cloud: PaaS security
- DevSecOps: SAST/DAST/IAST/RASP/penetration testing; CI/CD integration; container security (AKS, ACK); container registry scanning (malware/vulnerability); SCA (software composition analysis)
- Security Centre monitoring; network segmentation, e.g. service endpoints; WAF or other protection
- Service security: Security Centre monitoring; WAF or firewall protection/IPS; network separation, e.g. service endpoints; anti-bot; risk control; bastion host; KMS; anti-DDoS; database audit; content audit

Cloud: security operations / SOC / SIEM

Cloud: CSPM (Cloud Security Posture Management)
CSPM concentrates on continuous security assessment and compliance monitoring for multi-cloud.
- Unified visibility and monitoring: multi-cloud support
- Automation and real-time remediation: policy enforcement
- Risk assessment and auditing: customized filters, insights and packages
- IAM governance: govern cloud identity and IAM
- Threat protection: integrate with the CSP's threat protection service
- Posture management: CIS, CSA, ISO 27001, NIST etc.
- Extensible platform: SNOW/CrowdStrike integration; SOC integration/SOAR
- Infrastructure as Code security: shift cloud security left to power DevSecOps

Cloud: CWPP (Cloud Workload Protection)
Cloud-native tools (examples):
1. Azure Security Center: MMA, container registry, Kubernetes, PaaS SQL
2. Alibaba Security Center: Security Center agent, baseline scan, image security, vulnerability
Third-party tools: support all kinds of clouds; more features, e.g. sandboxing and application security features (SCA)
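The role split on the key security slide (the security administrator creates keys and grants or revokes access, the application signs by URI without ever seeing the key, the auditor reviews the log), modelled as an added example that is not the deck's own code; the vault name, URIs, principal names and HMAC-SHA256 as the "sign" operation are assumptions.

```python
# Added example, not the deck's own code: an in-memory vault modelling the
# slide's role separation. Names, URIs and HMAC-SHA256 as "sign" are assumptions.
import hashlib, hmac, secrets

class KeyVault:
    def __init__(self, name):
        self.name = name
        self._keys = {}      # uri -> key bytes; never handed to callers
        self._grants = {}    # uri -> {principal: set(operations)}
        self.audit_log = []  # (principal, operation, uri, outcome)

    # Security administrator: create keys, grant and revoke access.
    def create_key(self, key_name):
        uri = f"https://{self.name}.vault.example/keys/{key_name}"  # constructed URI
        self._keys[uri] = secrets.token_bytes(32)
        self._grants[uri] = {}
        return uri  # only the URI leaves the vault

    def grant(self, uri, principal, *ops):
        self._grants[uri].setdefault(principal, set()).update(ops)

    def revoke(self, uri, principal):
        self._grants[uri].pop(principal, None)

    # Data application: uses the key by URI and never sees the key material.
    def sign(self, uri, principal, data):
        return self._use(uri, principal, "sign", data)

    def _use(self, uri, principal, op, data):
        allowed = op in self._grants.get(uri, {}).get(principal, set())
        self.audit_log.append((principal, op, uri, "allowed" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{principal} may not {op} with {uri}")
        return hmac.new(self._keys[uri], data, hashlib.sha256).digest()

    # Auditor: reviews the log without touching any key.
    def denied_events(self):
        return [e for e in self.audit_log if e[3] == "denied"]

def demo():
    kv = KeyVault("prod-kv")
    uri = kv.create_key("order-signing")
    kv.grant(uri, "orders-app", "sign")
    tag = kv.sign(uri, "orders-app", b"order#1001")   # allowed
    kv.revoke(uri, "orders-app")                      # administrator revokes
    try:
        kv.sign(uri, "orders-app", b"order#1002")     # now denied and logged
    except PermissionError:
        pass
    return tag, kv.denied_events()
```

The point of the model is that every call crosses the vault boundary and lands in the audit log, which is what gives the auditor role something to review.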
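The checks on the common issues slide are exactly what the CSPM slide says a posture platform evaluates continuously; as an added example (not the deck's or any vendor's code), here is a small rule engine run over a constructed inventory, with resource types and field names that are assumptions loosely modelled on Azure.

```python
# Added example, not the deck's own code: CSPM-style checks over a constructed
# inventory. Types and field names are assumptions loosely modelled on Azure.
INTERNET_SOURCES = {"*", "0.0.0.0/0", "Internet"}
MGMT_PORTS = {22, 3389}  # SSH and RDP

def check_blob_public(r):
    if r.get("public_access", "private").lower() != "private":
        return "blob container allows anonymous public access"

def check_min_tls(r):
    # Only TLS 1.2 or higher may be accepted on the HTTPS endpoint.
    ver = r.get("min_tls", "1.0")
    if tuple(int(x) for x in ver.split(".")) < (1, 2):
        return f"minimum TLS version {ver} is below 1.2"

def check_mgmt_from_internet(r):
    # An Allow rule exposing SSH/RDP to an internet-wide source is a finding.
    for rule in r.get("inbound", []):
        if (rule.get("access") == "Allow" and rule.get("source") in INTERNET_SOURCES
                and MGMT_PORTS & set(rule.get("ports", []))):
            return f"rule {rule['name']} allows SSH/RDP from the internet"

def check_key_vault_recoverable(r):
    # Recoverable means soft delete and purge protection are both enabled.
    if not (r.get("soft_delete") and r.get("purge_protection")):
        return "key vault is not recoverable (soft delete/purge protection off)"

def check_log_retention(r):
    # Activity log retention must be 180 days or greater.
    if r.get("retention_days", 0) < 180:
        return f"activity log retention of {r.get('retention_days', 0)} days is below 180"

CHECKS = {"blob_container": [check_blob_public, check_min_tls],
          "nsg": [check_mgmt_from_internet],
          "key_vault": [check_key_vault_recoverable],
          "log_profile": [check_log_retention]}

def evaluate(inventory):
    # Return (resource name, finding) pairs for every failed check.
    return [(r["name"], msg) for r in inventory
            for check in CHECKS.get(r["type"], []) if (msg := check(r))]

SAMPLE_INVENTORY = [  # constructed records, not real resources
    {"type": "blob_container", "name": "public-assets", "public_access": "container", "min_tls": "1.0"},
    {"type": "nsg", "name": "web-nsg", "inbound": [
        {"name": "allow-rdp", "access": "Allow", "source": "*", "ports": [3389]},
        {"name": "allow-https", "access": "Allow", "source": "*", "ports": [443]}]},
    {"type": "key_vault", "name": "prod-kv", "soft_delete": True, "purge_protection": False},
    {"type": "log_profile", "name": "default-profile", "retention_days": 90},
]
```

A real CSPM sources the inventory from the provider's resource API and forwards the findings into the SOC/SIEM and SOAR integrations named on the CSPM slide.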