---
title: "CTP Topic 52 3 Lines of Defence (3LoD) framework Cloud Security Posture Management (CSPM)"
type: source
tags: [Security, CSPM, 3LoD, CTP]
date: 2026-04-14
---

## Source File

- [[Cloud & DevOps/Public-Cloud-Learning-Sessions/07_Security/ctp-topic-52-3-lines-of-defence-3lod-framework-cloud-security-posture-management]]

## Summary

- Core topic: putting the Three Lines of Defence (3LoD) security governance framework into practice for enterprise cloud security, and selecting and operating a Cloud Security Posture Management (CSPM) tool
- Problem domain: unclear responsibilities in the security organisation, fragmented security configuration across many cloud accounts, and no unified view of cloud security posture and compliance
- Method/mechanism:
  - 3LoD framework: layered security responsibility from business units (first line) to group functions (second line) to audit (third line)
  - CSPM centralisation: aggregate security misconfigurations from many accounts and clouds (AWS/Azure/GCP) into a single platform
  - Cloud Guard selection: chosen after a POC comparing two vendors; core capabilities are posture management, asset management, network configuration visibility, event management and threat intelligence
  - Cloud architecture design principles: cloud-agnostic, reusable, applicable across clouds
- Conclusion/value: 3LoD gives the security organisation clear responsibility boundaries, and the CSPM tool lets the security team discover and remediate cloud configuration drift proactively, shifting from reactive response to proactive defence

## Key Claims

- Once approved by the ELT, the 3LoD framework became the organisation's single security governance model, resolving the earlier fragmentation of security teams and policies
- First line (business units): implements and manages security controls within its own business scope
- Second line (group functions): sets policy, owns incident response and cyber-security tooling, and advises the first line
- Third line (audit): verifies that the first and second lines comply, and provides assurance to the business
- CSPM addresses fragmented management across many cloud accounts, providing a unified compliance view against frameworks such as CIS, NIST and ISO, plus custom policy capability
- Cloud Guard was selected after a POC; core capabilities are posture management, asset management, network configuration visibility, event management and identity management
- New accounts are enrolled in Cloud Guard as part of the account-creation process, guaranteeing full coverage and automatic application of the relevant rule sets

## Key Quotes

> "The three lines of defense model was approved by ELT mid-year and serves as the organization's go-to model." — Coyote, Head of Enterprise Application Security

> "The previous fragmented security models with multiple security teams and policies led to an audit that recommended a better framework for clear roles and responsibilities." — Coyote, Head of Enterprise Application Security

> "Cloud security posture management addresses siloed management and the lack of a central view of public cloud security posture, which led to incidents and prolonged response times." — Coyote, Head of Enterprise Application Security

## Key Concepts

- [[Three Lines of Defence(3LoD)]]: enterprise security governance framework that splits security responsibility into three layers (business units as the first line, group functions as the second, audit as the third) and gives the organisation clear boundaries of security responsibility
- [[Cloud Security Posture Management(CSPM)]]: cloud security posture management tooling that continuously monitors and evaluates cloud configuration, detects drift and recommends remediation, with support for compliance frameworks such as CIS, NIST and ISO
- [[Cloud Guard]]: the CSPM tool this organisation selected after a POC comparing two vendors; core capabilities cover posture management, asset management, network configuration visibility, event management and threat intelligence
- [[Security Governance(安全治理)]]: combining the 3LoD framework with CSPM tooling to move from reactive response to proactive defence

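To make the CSPM mechanism described in the Summary (centralising misconfigurations from many accounts and clouds) and in the CSPM concept entry (continuous evaluation, drift detection, remediation advice, framework mapping) concrete, here is an added Python example. It is not Cloud Guard code and not from the session: a small posture evaluator that runs a rule set over a constructed multi-account, multi-cloud inventory, reports each finding with a remediation hint, builds the per-framework compliance view, and flags accounts that were never enrolled in the platform (the coverage gap that enrolling accounts at creation time closes). The resource kinds, rule IDs, the "owner tag" custom policy, the account names and the rule-to-framework mappings are all illustrative assumptions.

```python
"""Illustrative CSPM-style evaluator (added example, not Cloud Guard code).

Evaluates a provider-neutral resource inventory against a rule set, maps
findings to compliance frameworks, and reports accounts that are not
enrolled in the posture-management platform.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Resource:
    account: str
    cloud: str      # "aws", "azure" or "gcp"
    kind: str       # provider-neutral resource class (assumed naming)
    name: str
    config: dict    # normalised configuration as a CSPM collector would store it


@dataclass(frozen=True)
class Rule:
    rule_id: str                         # hypothetical rule identifier
    severity: str
    frameworks: tuple                    # framework names the finding is reported under
    remediation: str
    check: Callable[[Resource], bool]    # True means the resource violates the rule


def public_storage(r: Resource) -> bool:
    """Object storage reachable without authentication."""
    return r.kind == "storage_bucket" and r.config.get("public_access") is True


def admin_port_open_to_world(r: Resource) -> bool:
    """SSH/RDP admitted from any source address."""
    return (r.kind == "firewall_rule"
            and r.config.get("source") in ("0.0.0.0/0", "::/0")
            and r.config.get("port") in (22, 3389))


def missing_owner_tag(r: Resource) -> bool:
    """Custom organisational policy (hypothetical): every resource names its
    first-line owner so a finding can be routed to the responsible unit."""
    return "owner" not in r.config.get("tags", {})


RULES = [
    Rule("STORAGE-PUBLIC", "high", ("CIS", "NIST", "ISO"),
         "Block public access on the bucket", public_storage),
    Rule("NET-ADMIN-OPEN", "high", ("CIS", "NIST"),
         "Restrict SSH/RDP source to trusted ranges", admin_port_open_to_world),
    Rule("ORG-OWNER-TAG", "low", ("Custom",),
         "Add an owner tag identifying the first-line business unit", missing_owner_tag),
]


def evaluate(inventory, rules=RULES):
    """Return one finding per (resource, rule) violation, in inventory order."""
    findings = []
    for r in inventory:
        for rule in rules:
            if rule.check(r):
                findings.append({
                    "rule_id": rule.rule_id, "severity": rule.severity,
                    "frameworks": rule.frameworks, "remediation": rule.remediation,
                    "account": r.account, "cloud": r.cloud, "resource": r.name,
                })
    return findings


def framework_view(findings):
    """Central compliance view: failing rule IDs grouped by framework."""
    view = defaultdict(set)
    for f in findings:
        for fw in f["frameworks"]:
            view[fw].add(f["rule_id"])
    return {fw: sorted(ids) for fw, ids in view.items()}


def enrolment_gaps(inventory, enrolled):
    """Accounts that hold resources but are not enrolled in the platform."""
    return sorted({r.account for r in inventory} - set(enrolled))


# Constructed sample inventory; account and resource names are made up.
INVENTORY = [
    Resource("aws-prod-111", "aws", "storage_bucket", "customer-exports",
             {"public_access": True, "tags": {"owner": "bu-retail"}}),
    Resource("aws-prod-111", "aws", "firewall_rule", "sg-bastion-ssh",
             {"source": "0.0.0.0/0", "port": 22, "tags": {"owner": "bu-retail"}}),
    Resource("azure-sub-222", "azure", "storage_bucket", "logs-archive",
             {"public_access": False, "tags": {}}),
    Resource("gcp-proj-333", "gcp", "firewall_rule", "allow-rdp-office",
             {"source": "203.0.113.0/24", "port": 3389, "tags": {"owner": "bu-fin"}}),
]
# gcp-proj-333 was created outside the account pipeline, so it was never enrolled.
ENROLLED = ["aws-prod-111", "azure-sub-222"]


if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f["severity"], f["account"], f["resource"], f["rule_id"], "->", f["remediation"])
    print(framework_view(evaluate(INVENTORY)))
    print("not enrolled:", enrolment_gaps(INVENTORY, ENROLLED))
```

Each rule carries its own framework mapping, so the same finding feeds the CIS, NIST and ISO views without re-evaluation, and a custom policy sits beside the built-in checks as just another rule. The enrolment check is the piece a real platform cannot do for you: it needs an inventory source independent of the CSPM tool (the account-creation pipeline, a billing export) or unenrolled accounts stay invisible.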
## Key Entities

- [[Coyote]]: Head of Enterprise Application Security; presenter of CTP Topic 52, drove adoption of the 3LoD framework and the CSPM selection

## Connections

- [[ctp-topic-10-aws-landing-zone-lz-data-collection-tagging-related-security]] ← depends_on ← [[3 Lines of Defence(3LoD)Framework CSPM]]
  - Both belong to cloud security; Topic 10 focuses on tag-based security controls, 3LoD on the security organisation structure and CSPM tooling
- [[public-cloud-learning-sessions-opentext-gis-security-policies-20241015]] ← extends ← [[3 Lines of Defence(3LoD)Framework CSPM]]
  - GIS Security Policies provide the enterprise-level security policy set; 3LoD defines the organisational layer of security governance; the two are complementary
- [[ctp-topic-55-aws-firewall-manager]] ← extends ← [[Cloud Security Posture Management(CSPM)]]
  - Firewall Manager centralises security group policy management, while CSPM (Cloud Guard) assesses cloud configuration compliance; together they form the cloud security protection stack

## Contradictions

- No conflicts with other sources are known. Within this page, the list of Cloud Guard's core capabilities is inconsistent: the Summary and Key Concepts name threat intelligence as the fifth capability, while Key Claims names identity management; the source file should settle which is correct