The Information Security Technology Cybersecurity Classified Protection Regulation, also known as Classified Protection 2.0, was released on May 10, 2019, and will be officially implemented on December 1, 2019. Classified Protection 2.0 gives technical requirements specifically for cloud computing. As a cloud practitioner, the author has broken down the security design technical requirements part of this standard (GB/T 25070—2019) to share with readers.
Definition of Security Levels
The standard defines: "Classified protection objects are divided into five security protection levels from low to high based on their importance in national security, economic construction, and social life, and the degree of harm to national security, social order, public interests, and the legitimate rights and interests of citizens, legal persons, and other organizations after being damaged".
Different levels of classified protection objects require different protection capabilities, and the levels increase progressively.
See the table below for details:
| Protection Level | Capability Requirements |
|---|---|
| Level 1 Security Protection Capability | Should be able to protect against malicious attacks from individuals with few resources, general natural disasters, and other threats of equivalent severity that cause damage to critical resources. After being damaged, should be able to restore partial functionality. |
| Level 2 Security Protection Capability | Should be able to protect against malicious attacks from small external organizations with limited resources, general natural disasters, and other threats of equivalent severity that cause damage to important resources. Should be able to discover important security vulnerabilities and handle security incidents. After being damaged, should be able to restore partial functionality within a certain period. |
| Level 3 Security Protection Capability | Should be able to protect, under a unified security policy, against malicious attacks from organized external groups with relatively abundant resources, relatively serious natural disasters, and other threats of equivalent severity that cause damage to major resources. Should be able to detect and monitor attack behaviors in a timely manner and handle security incidents. After being damaged, should be able to quickly restore most functionality. |
| Level 4 Security Protection Capability | Should be able to protect, under a unified security policy, against malicious attacks from national-level, hostile organizations with abundant resources, serious natural disasters, and other threats of equivalent severity that cause resource damage. Should be able to detect and monitor attack behaviors and security incidents in a timely manner. After being damaged, should be able to quickly restore all functionality. |
| Level 5 Security Protection Capability | Omitted |
In the standard, very specific technical requirements are given for cloud computing from Level 1 to Level 4.
Cloud Computing Classified Protection Security Computing Design Framework
Classified Protection 2.0 specifically provides a required security technology design framework for cloud computing classified protection security.
Figure 1: Cloud Computing Classified Protection Security Computing Design Framework
The standard clearly stipulates: "Users securely access the secure computing environment provided by cloud service providers through secure communication networks via direct network access, API interface access, and web service access. The security assurance of user terminals themselves is not within the scope of this part. The secure computing environment includes resource layer security and service layer security. The resource layer is divided into physical resources and virtual resources, requiring clear technical requirements for physical resource security design and virtual resource security design. Physical and environmental security is not within the scope of this part. The service layer is the implementation of services provided by cloud service providers, containing software components required to implement services. Depending on the service model, cloud service providers and cloud tenants bear different security responsibilities. Service layer security design needs to clarify security design technical requirements within the scope of resources controlled by cloud service providers, and cloud service providers can provide security technologies and protection capabilities to cloud tenants by offering security interfaces and security services. The system management, security management, and security audit of the cloud computing environment are uniformly controlled by the security management center. Combined with this framework, security technology design is carried out for cloud computing environments of different levels, while supporting security design for different levels of cloud tenant ends (business systems) through service layer security."
Due to space limitations, we only introduce the Level 3 security requirements. The other levels add or remove requirements relative to it.
Requirements for Cloud Computing in Level 3 System Security Protection Design
1. Cloud Secure Computing Environment Design Technical Requirements
The standard requires: "
a) User Identity Authentication
Should support cloud tenants registered to cloud computing services to establish master and sub-accounts, and use usernames and user identifiers to identify master and sub-account user identities.
b) User Account Protection
Should support establishing a cloud tenant account system to achieve subject authorization for accessing virtual machines, cloud databases, cloud networks, cloud storage, and other objects.
c) Security Audit
Should support auditing of privileged commands executed during remote management by cloud service providers and cloud tenants.
Should support tenants to collect and view audit information related to their resources, ensuring that cloud service providers' access operations to cloud tenant systems and data can be audited by tenants.
d) Intrusion Prevention
Should be able to detect abnormal access by virtual machines to host physical resources. Should support behavior monitoring of cloud tenants, detecting and alerting on malicious attacks or malicious external connections initiated by cloud tenants.
e) Data Confidentiality Protection
Should provide important business data encryption services, with encryption keys managed by tenants themselves; should provide encryption services to ensure the confidentiality of important data during virtual machine migration.
f) Data Backup and Recovery
Should adopt redundant architecture or distributed architecture design; should support data multi-replica storage; should support universal interfaces to ensure cloud tenants can migrate business systems and data to other cloud computing platforms and local systems, ensuring portability.
g) Virtualization Security
Should implement secure isolation of CPU, memory, and storage space between virtual machines; should be able to detect unauthorized management of virtual machines and issue alerts; should prohibit direct access by virtual machines to host physical resources and be able to alert on abnormal access; should support secure isolation between virtualization networks of different cloud tenants; should monitor the running status of physical machines, hosts, and virtual machines.
h) Malicious Code Prevention
Physical machines and hosts should install security-hardened operating systems or implement host malicious code prevention; virtual machines should install security-hardened operating systems or implement host malicious code prevention; should support capabilities for web application malicious code detection and protection.
i) Image and Snapshot Security
Should support images and snapshots, providing integrity protection for virtual machine image and snapshot files; prevent unauthorized access to potentially sensitive resources in virtual machine images and snapshots; provide security-hardened operating system images for important business systems, or support self-hardening of operating system images."
2. Cloud Security Area Boundary Design Technical Requirements
The standard requires: "
a) Area Boundary Structure Security
Should ensure that a virtual machine can only receive packets whose destination address includes its own address, or broadcast packets required by the business, while limiting broadcast attacks; should implement isolation between the virtual network resources of different tenants and avoid excessive occupation of network resources; should ensure separation of cloud computing platform management traffic and cloud tenant business traffic.
Should be able to identify and monitor network traffic between virtual machines and between virtual machines and physical machines; provide open interfaces or open security services, allowing cloud tenants to access third-party security products or select third-party security services on the cloud platform.
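The delivery rule in a) above, written out as an added example that is not part of the standard: a minimal virtual-switch port filter that delivers a frame to a VM only if it is addressed to one of the VM's own MACs or is a broadcast the tenant's business has opted into, rate-limits broadcasts with a token bucket, and drops anything that crosses a tenant boundary. The `VmPort`/`Frame` data model and all addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
import time

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class VmPort:
    """Per-VM ingress policy (constructed model, not a real vSwitch API)."""
    vm_id: str
    tenant_id: str
    macs: frozenset                 # addresses owned by this VM
    allow_broadcast: bool = True    # broadcast the business actually needs
    bcast_rate: float = 10.0        # token bucket refill: broadcasts/second
    bcast_burst: float = 20.0       # token bucket capacity
    _tokens: float = field(default=20.0, repr=False)
    _last: float = field(default=0.0, repr=False)

    def _take_bcast_token(self, now: float) -> bool:
        elapsed = max(0.0, now - self._last)
        self._tokens = min(self.bcast_burst, self._tokens + elapsed * self.bcast_rate)
        self._last = now
        if self._tokens >= 1.0:
            self._tokens -= 1.0
            return True
        return False


@dataclass(frozen=True)
class Frame:
    tenant_id: str   # virtual network the frame originated in
    src_mac: str
    dst_mac: str


def admit(port: VmPort, frame: Frame, now: float = None) -> str:
    """Return 'deliver' or a 'drop:<reason>' verdict for a frame at a VM port."""
    now = time.monotonic() if now is None else now
    if frame.tenant_id != port.tenant_id:          # tenant virtual-network isolation
        return "drop:tenant-isolation"
    if frame.dst_mac in port.macs:                 # addressed to this VM
        return "deliver"
    if frame.dst_mac == BROADCAST_MAC:             # broadcast only if needed, and limited
        if not port.allow_broadcast:
            return "drop:broadcast-not-required"
        if not port._take_bcast_token(now):
            return "drop:broadcast-rate-limit"
        return "deliver"
    return "drop:not-addressed-to-vm"              # no promiscuous delivery
```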
b) Area Boundary Access Control
Should ensure that when virtual machines migrate, access control policies migrate with them; should allow cloud tenants to set access control policies between different virtual machines; should establish tenant private networks to achieve secure isolation between different tenants; should deploy monitoring mechanisms at network boundaries to effectively monitor traffic entering and leaving the network.
c) Area Boundary Intrusion Prevention
When virtual machines migrate, intrusion prevention mechanisms should be applicable at new boundaries; should incorporate area boundary intrusion prevention mechanisms into unified management by the security management center.
Should provide internet content security monitoring functions to cloud tenants, with real-time detection and alerting for harmful information.
d) Area Boundary Audit Requirements
According to the division of responsibilities between cloud service providers and cloud tenants, collect audit data from their respective controlled parts; according to the division of responsibilities between cloud service providers and cloud tenants, implement centralized auditing of their respective controlled parts; when virtual machine migration or virtual resource changes occur, security audit mechanisms should be applicable at the new boundaries; provide interfaces for aggregating security audit data and make it available for third-party auditing."
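The audit requirements in d) above, and the tenant-side auditability requirement in 1 c), as an added example that is not from the standard: provider-side O&M audit lines are split by responsibility boundary (platform-only vs. operations touching a tenant's resources), and a reconciliation check finds provider operations on a tenant's resources that are missing from the audit stream that tenant can actually see. Both log formats and all records are constructed for the example.

```python
import json
import re
from collections import defaultdict

# Constructed provider-side O&M audit lines (bastion-host style); not real data.
PROVIDER_LOG = """\
2024-03-01T10:00:01Z op=alice tenant=t1 res=vm-101 cmd="virsh dumpxml vm-101"
2024-03-01T10:02:17Z op=alice tenant=t1 res=vm-101 cmd="virsh snapshot-create vm-101"
2024-03-01T10:05:42Z op=bob tenant=t2 res=db-7 cmd="mysqldump --all-databases"
2024-03-01T10:06:00Z op=bob tenant= res=host-3 cmd="systemctl restart libvirtd"
"""

# Constructed tenant-visible audit export (JSON lines) as tenant t1 would query it.
TENANT_EXPORT = """\
{"ts": "2024-03-01T10:00:01Z", "actor": "provider:alice", "tenant": "t1", "res": "vm-101", "action": "virsh dumpxml vm-101"}
{"ts": "2024-03-01T10:01:00Z", "actor": "tenant:t1:carol", "tenant": "t1", "res": "vm-101", "action": "console login"}
"""

LINE = re.compile(r'^(?P<ts>\S+) op=(?P<op>\S+) tenant=(?P<tenant>\S*) res=(?P<res>\S+) cmd="(?P<cmd>[^"]*)"$')


def parse_provider_log(text: str) -> list:
    """Parse the constructed provider audit format; refuse silently skipped lines."""
    recs = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            raise ValueError("unparsable audit line: " + line)
        recs.append(m.groupdict())
    return recs


def parse_tenant_export(text: str) -> list:
    return [json.loads(l) for l in text.splitlines() if l.strip()]


def split_by_responsibility(provider_recs: list):
    """Provider-controlled part (no tenant) vs. operations on tenant-controlled resources."""
    platform, per_tenant = [], defaultdict(list)
    for r in provider_recs:
        (per_tenant[r["tenant"]] if r["tenant"] else platform).append(r)
    return platform, dict(per_tenant)


def unaudited_provider_access(provider_recs: list, tenant_export: list, tenant_id: str) -> list:
    """Provider operations on the tenant's resources that the tenant cannot see in its export."""
    seen = {(e["ts"], e["res"], e["action"]) for e in tenant_export
            if e["tenant"] == tenant_id and e["actor"].startswith("provider:")}
    return [r for r in provider_recs
            if r["tenant"] == tenant_id and (r["ts"], r["res"], r["cmd"]) not in seen]
```

Any record returned by `unaudited_provider_access` is a gap in the tenant-facing audit interface, which is exactly the condition the requirement says must not exist.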
3. Cloud Security Communication Network Design Technical Requirements
The standard requires: "
a) Communication Network Data Transmission Confidentiality
Should support confidentiality protection of cloud tenant remote communication data.
Should encrypt network communication between network policy controllers and network devices (or device agents).
b) Communication Network Trusted Access Protection
Should prohibit direct access to cloud computing platform physical networks via the internet; should provide open interfaces allowing access to trusted third-party security products.
c) Communication Network Security Audit
Should support tenants to collect and view audit information related to their resources; should ensure that cloud service providers' access operations to cloud tenant communication networks can be audited by tenants."
4. Security Management Center Design Technical Requirements
The standard requires: "
(1) System Management
When conducting cloud computing platform security design, security management should provide methods to query cloud tenant data and backup storage locations; cloud computing platform operations and maintenance should be conducted within China, and operations and maintenance activities from outside China to domestic cloud computing platforms should follow relevant national regulations.
(2) Security Management
When conducting cloud computing platform security design, cloud computing security management should have capabilities for traceback analysis of attack behaviors and prediction and early warning of network security incidents; should have capabilities for sensing, predicting, and judging network security situations.
(3) Audit Management
When conducting cloud computing platform security design, the cloud computing platform should audit operations such as creation and deletion of cloud services including cloud servers, cloud databases, cloud storage, etc.; should conduct security audits of administrator operations and maintenance behaviors through operations and maintenance audit systems; should ensure the effectiveness of audit data isolation through tenant isolation mechanisms."