Auto-sync: 2026-04-22 04:02
@@ -1,44 +1,144 @@
|
||||
---
|
||||
title: Cloud Security
|
||||
---
|
||||
|
||||
# Cloud Security
|
||||
|
||||
**Cloud Security** encompasses the technologies, policies, controls, and services that protect cloud-based data, applications, and infrastructure from unauthorized access, data breaches, and other cyber threats.
|
||||
> **Cloud Security** — 保护云环境、数据、应用程序和基础设施免受威胁的一组策略、技术和控制措施。
|
||||
|
||||
## Common Misconception
|
||||
## Definition
|
||||
|
||||
> **Myth**: Cloud computing is not secure.
|
||||
云安全(Cloud Security)是一套全面的实践,确保:
|
||||
|
||||
> **Reality**: Cloud security is often more robust than on-premises solutions.
|
||||
- **数据保护** — 加密、备份、访问控制
|
||||
- **身份管理** — IAM、MFA、零信任
|
||||
- **网络安全** — 防火墙、VPC、隔离
|
||||
- **合规性** — 满足法规和标准
|
||||
- **可见性** — 监控、日志、审计
|
||||
|
||||
## Why Cloud Security Often Exceeds On-Premises
|
||||
## Shared Responsibility Model
|
||||
|
||||
- **Massive Investment**: Leading cloud providers (AWS, Azure, GCP) invest billions annually in security infrastructure
|
||||
- **Encryption**: Data encrypted at rest and in transit by default
|
||||
- **Multi-Factor Authentication (MFA)**: Built-in identity and access management
|
||||
- **Compliance Certifications**: ISO 27001, HIPAA, GDPR, SOC 2, and more
|
||||
- **Automated Security Updates**: Continuous patching without user intervention
|
||||
- **24/7 Monitoring**: Dedicated security operations centers monitoring threats round-the-clock
|
||||
- **Advanced Firewalls**: Managed firewall services with DDoS protection
|
||||
| 责任 | SaaS | PaaS | IaaS |
|
||||
|------|------|------|------|
|
||||
| **云服务商** | 全部基础设施 | 基础设施 | 物理层 |
|
||||
| **客户** | 数据、应用 | 数据、应用、运行时 | OS、网络、应用 |
|
||||
|
||||
## Core Security Components
|
||||
## Security Maturity Levels
|
||||
|
||||
| Component | Description |
|
||||
|-----------|-------------|
|
||||
| Identity & Access Management (IAM) | Role-based access control, MFA, least privilege |
|
||||
| Encryption | AES-256 at rest, TLS 1.3 in transit |
|
||||
| Network Security | VPCs, Security Groups, WAF, DDoS protection |
|
||||
| Compliance | Automated compliance reporting and auditing |
|
||||
| Threat Detection | AI/ML-powered anomaly detection and SIEM |
|
||||
| Level | 特征 |
|
||||
|-------|------|
|
||||
| **L1: Basic** | 基础防火墙、简单 IAM |
|
||||
| **L2: Standard** | MFA、日志、基本加密 |
|
||||
| **L3: Advanced** | WAF、DDoS 保护、SIEM |
|
||||
| **L4: Comprehensive** | CSPM、零信任、持续监控 |
|
||||
| **L5: Optimized** | AI 威胁检测、自适应安全 |
|
||||
|
||||
## Related Concepts
|
||||
## Key Security Practices
|
||||
|
||||
- [[Cloud Computing]]
|
||||
- [[High Availability]]
|
||||
- [[Multi-Cloud Strategy]]
|
||||
- [[DevSecOps]]
|
||||
### 1. Identity and Access Management
|
||||
|
||||
## Sources
|
||||
**最佳实践**
|
||||
- 最小权限原则
|
||||
- MFA 强制执行
|
||||
- 定期访问审查
|
||||
- 特权访问管理 (PAM)
|
||||
- 服务账户限制
|
||||
|
||||
- [[The Myths and Misconceptions About Cloud Computing (LinkedIn)|the-myths-and-misconceptions-about-cloud-computing-linkedin]]
|
||||
**工具**
|
||||
- AWS IAM / Azure AD / GCP IAM
|
||||
- 身份提供者集成(SAML、OIDC)
|
||||
|
||||
### 2. Data Protection
|
||||
|
||||
**加密**
|
||||
- 传输中加密(TLS 1.3)
|
||||
- 静态加密(AES-256)
|
||||
- 客户管理密钥(CMK)
|
||||
- 密钥管理服务(KMS)
|
||||
|
||||
**备份和恢复**
|
||||
- 自动备份策略
|
||||
- 跨区域复制
|
||||
- 定期恢复测试
|
||||
|
||||
### 3. Network Security
|
||||
|
||||
**层级**
|
||||
```
|
||||
Internet → WAF → Firewall → VPC → 应用
|
||||
```
|
||||
|
||||
**组件**
|
||||
- 虚拟私有云 (VPC/VNet)
|
||||
- 安全组/网络 ACL
|
||||
- Web 应用防火墙 (WAF)
|
||||
- DDoS 防护
|
||||
- VPN/Direct Connect
|
||||
|
||||
### 4. Cloud Security Posture Management (CSPM)
|
||||
|
||||
**功能**
|
||||
- 持续合规评估
|
||||
- 安全配置基准
|
||||
- 自动化修复
|
||||
- 风险优先级
|
||||
|
||||
**工具**
|
||||
- AWS Security Hub / Azure Defender / GCP Security Command Center
|
||||
- Prisma Cloud, Wiz, Lacework
|
||||
|
||||
### 5. Container Security
|
||||
|
||||
| 阶段 | 实践 |
|
||||
|------|------|
|
||||
| **Build** | 镜像扫描、基础镜像最小化 |
|
||||
| **Deploy** | 签名验证、准入控制 |
|
||||
| **Runtime** | 运行时安全、网络策略 |
|
||||
|
||||
**工具**: Trivy, Falco, OPA Gatekeeper
|
||||
|
||||
## Cloud Security Maturity Model (CSMM)
|
||||
|
||||
CSMM 评估云安全成熟度的 12 个类别:
|
||||
|
||||
| 域 | 类别 |
|
||||
|----|------|
|
||||
| **Governance** | 治理战略、风险管理 |
|
||||
| **Architecture** | 安全架构、合规设计 |
|
||||
| ** Data** | 数据分类、保护、保留 |
|
||||
| **Applications** | 安全开发生命周期 |
|
||||
| **Endpoint** | 终端保护、移动设备 |
|
||||
| **Identity** | 身份管理、访问控制 |
|
||||
| **Infrastructure** | 网络安全、计算安全 |
|
||||
| **Logging** | 日志管理、监控 |
|
||||
| **Incident** | 事件响应、业务连续性 |
|
||||
| **Supply Chain** | 供应商安全、第三方风险 |
|
||||
| **Physical** | 物理安全 |
|
||||
| **People** | 安全意识、培训 |
|
||||
|
||||
## Compliance Frameworks
|
||||
|
||||
| 标准 | 适用场景 |
|
||||
|------|---------|
|
||||
| **SOC 2** | 通用数据处理 |
|
||||
| **ISO 27001** | 信息安全管理 |
|
||||
| **HIPAA** | 医疗健康数据 |
|
||||
| **PCI-DSS** | 支付卡数据 |
|
||||
| **GDPR** | 欧盟个人数据 |
|
||||
| **FedRAMP** | 美国政府数据 |
|
||||
|
||||
## Incident Response
|
||||
|
||||
```
|
||||
检测 → 遏制 → 根除 → 恢复 → 事后分析
|
||||
```
|
||||
|
||||
**云环境特有考虑**
|
||||
- 自动化响应(Lambda/Cloud Functions)
|
||||
- 取证挑战(共享责任)
|
||||
- 跨账户调查
|
||||
|
||||
## See Also
|
||||
|
||||
- [[Cloud Maturity Model]] — 云成熟度框架
|
||||
- [[Cloud Governance]] — 云治理
|
||||
- [[DevSecOps]] — DevSecOps
|
||||
- [[Disaster Recovery]] — 灾难恢复
|
||||
- [[WAF]] — Web 应用防火墙
|
||||
- [[CSPM]] — 云安全态势管理
|
||||
|
||||
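Review bot: In the shared responsibility table (rows `| **云服务商** | 全部基础设施 | 基础设施 | 物理层 |` and `| **客户** | 数据、应用 | 数据、应用、运行时 | OS、网络、应用 |`), the IaaS customer cell drops `数据` even though the SaaS and PaaS cells both list it; customer data remains the customer's responsibility under every service model, so that cell should read `数据、OS、网络、应用`, and the provider's IaaS cell would be more accurate as `物理层、虚拟化` rather than the physical layer alone. Two smaller points: the row `| ** Data** | 数据分类、保护、保留 |` in the CSMM table has a stray space after the opening `**`, so it will not render bold like the other rows; and the old `## Sources` section with its LinkedIn reference no longer appears, while the new maturity-level and CSMM tables cite nothing, so a source for the 12 CSMM categories should be added under the new `## See Also` or a restored `## Sources` heading.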