Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This standard is one of the series of standards for financial applications of cloud computing technology, which include:
——Financial application specification of cloud computing technology - Technical architecture;
——Financial application specification of cloud computing technology - Security technical requirements;
——Financial application specification of cloud computing technology - Disaster recovery.
This standard is developed in accordance with the rules given in GB/T 1.1-2009.
This standard was proposed by the People's Bank of China.
This standard is under the jurisdiction of the National Technical Committee on Finance of Standardization Administration of China (SAC/TC 180).
Financial application specification of cloud computing technology - Security technical requirements
1 Scope
This standard specifies the security technical requirements for the application of cloud computing technology in the financial field, covering basic hardware security, resource abstraction and control security, application security, data security, security management functions, security technology management requirements and optional component security.
This standard is applicable to cloud service providers, cloud service users, cloud service partners, etc. in the financial field.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
JR/T 0131-2015 Specification for the power system of financial information system machine rooms
JR/T 0166-2018 Financial application specification of cloud computing technology - Technical architecture
3 Terms and definitions
For the purposes of this document, the terms and definitions given in JR/T 0166-2018 apply.
4 Abbreviations
For the purposes of this document, the following abbreviations apply.
API Application Programming Interface
CPU Central Processing Unit
DDoS Distributed Denial of Service
DoS Denial of Service
HTTPS Hypertext Transfer Protocol Secure
IaaS Infrastructure as a Service
IP Internet Protocol
MAC Media Access Control
PaaS Platform as a Service
SaaS Software as a Service
SQL Structured Query Language
VPN Virtual Private Network
XSS Cross-site Scripting
5 General
5.1 Graduation of security technical requirements for cloud computing
Cloud computing technology provides information technology and data resources on demand, reducing informatization costs and improving resource utilization, but it also brings new risks in service outsourcing, data leakage, service misuse and other areas. Cloud service users shall fully evaluate the soundness, security and reliability of applying cloud computing technology in light of the business importance and data sensitivity of their information systems; shall deploy business systems on cloud computing technology prudently and only where business continuity, data security and the security of funds are ensured; and shall select deployment and service models suited to their business, so that financial business systems using cloud computing technology remain secure and controllable.
With a view to further enhancing the applicability and forward-looking nature of the standard, this specification classifies its clauses into basic requirements, extended requirements and enhanced requirements, following a hierarchical and classified management approach. Basic requirements are general security requirements that shall be met by all financial applications of cloud computing technology; extended requirements build on the basic requirements and address socialized service models such as community cloud; enhanced requirements are derived from the development trend of security technology and the forward-looking needs of financial users.
5.2 Basic requirements, enhanced requirements, and security framework for cloud computing
The security framework for cloud computing consists of basic hardware security, resource abstraction and control security, application security, data security, security management functions and optional component security. Cloud service providers and cloud service users achieve security jointly. The security framework for cloud computing is shown in Figure 1. The division of security responsibilities between cloud service providers and cloud service users differs across service categories such as IaaS, PaaS and SaaS. Financial institutions are the ultimate providers of financial services, and their security responsibilities shall not be waived or reduced by the use of cloud services.
Figure 1 Security framework for cloud computing
As the basic platform that carries information systems in the financial field, the cloud computing platform shall meet security requirements no lower than those of the business systems it carries. The cloud computing platform is in essence still an information system and shall meet the national and financial-industry requirements on information system security. This standard proposes security requirements for the cloud computing platform mainly from the perspective of cloud computing technology. See Annex A for the security requirements for optional components of the cloud computing platform such as containers, middleware and databases; see Annex B for an analysis of cloud computing-related security risks.
6 Basic hardware security
6.1 Machine room security
Basic requirements:
It shall be ensured that the physical data center and ancillary facilities deployed for the cloud computing platform meet the relevant requirements of JR/T 0131-2015.
Extended requirements:
a) For the community cloud deployment model, the operating environment of the cloud computing data center serving the financial industry shall be physically isolated from that of other industries;
b) It shall be ensured that the physical equipment used for the business operation, data storage and data processing of cloud service users is located within China;
c) It shall be ensured that the operation and maintenance system and the operation system of the cloud computing platform are deployed within China.
Enhanced requirements:
None
6.2 Network security
Basic requirements:
a) Network redundancy design shall be supported, and network communication links, network equipment, etc. shall be redundantly deployed;
b) The network shall be divided into different network areas according to security requirements to support network security isolation;
c) It shall be ensured that the business network of the cloud computing platform is securely isolated from the management network;
d) It shall be ensured that network control measures are taken to prevent unauthorized equipment from connecting to the internal network of the cloud computing platform and to prevent unauthorized outward connection of the physical server of cloud computing platform.
Extended requirements:
a) The provision of private line or VPN access for cloud service users shall be supported;
b) For the community cloud deployment model, it shall be ensured that the physical network hardware serving the financial industry, except the WAN, is not shared with other industries;
c) It shall be ensured that the network resources serving the cloud service users are securely isolated from other network resources.
Enhanced requirements:
Network bandwidth priority allocation shall be supported.
6.3 Equipment security
Basic requirements:
a) Critical equipment shall be deployed redundantly to ensure system availability;
b) The operating state and resource usage of equipment shall be monitored, and an alarm shall be raised when an abnormality occurs;
c) Equipment and storage media shall be capable of completely erasing the data they carry when they are reused, scrapped or replaced.
Extended requirements:
For the community cloud deployment model, it shall be ensured that the physical equipment used in the financial industry are not shared with other industries.
Enhanced requirements:
a) Secure startup of equipment shall be ensured, i.e., the software version loaded at startup shall be the expected one and its integrity shall not have been compromised;
b) Integrity protection shall be applied to the important configuration files of equipment.
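Worked example for enhanced requirements a) and b) above (added here; this code is not part of JR/T 0167-2018 or of any product it covers). It builds an HMAC-protected SHA-256 manifest of a configuration tree, then re-verifies it and reports modified, missing and unexpected files; it also shows that a manifest rewritten by an attacker who does not hold the key is rejected. The directory layout, file names and key are constructed for the demonstration.

```python
"""Baseline-and-verify integrity check for device configuration files.

Added example for clause 6.3 enhanced requirement b). Not part of JR/T 0167-2018.
The file names, directory layout and key below are constructed for the demonstration.
"""
import hashlib
import hmac
import json
import os
import tempfile

# Constructed key. In practice it lives in an HSM or KMS, never on the same
# filesystem as the files it protects (assumption, not a value from the standard).
MANIFEST_KEY = b"demo-key-for-illustration-only"


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large configs do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, key: bytes) -> dict:
    """Hash every file under root and sign the digest list with an HMAC, so the
    manifest cannot be silently rewritten along with the files it protects."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = file_digest(full)
    body = json.dumps(digests, sort_keys=True).encode()
    return {"files": digests, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(root: str, manifest: dict, key: bytes) -> dict:
    """Check the manifest HMAC first; if it is valid, diff the baseline against disk."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return {"manifest_ok": False, "modified": [], "missing": [], "unexpected": []}
    current = build_manifest(root, key)["files"]
    baseline = manifest["files"]
    return {
        "manifest_ok": True,
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Create a constructed config tree, baseline it, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "network"))
        with open(os.path.join(root, "sshd_config"), "w") as f:
            f.write("PermitRootLogin no\nPasswordAuthentication no\n")
        with open(os.path.join(root, "network", "acl.conf"), "w") as f:
            f.write("deny any 0.0.0.0/0 -> mgmt\n")
        manifest = build_manifest(root, MANIFEST_KEY)
        clean = verify_manifest(root, manifest, MANIFEST_KEY)
        # Simulated attacker: weaken sshd, delete the ACL, drop a new file.
        with open(os.path.join(root, "sshd_config"), "w") as f:
            f.write("PermitRootLogin yes\n")
        os.remove(os.path.join(root, "network", "acl.conf"))
        with open(os.path.join(root, "network", "backdoor.conf"), "w") as f:
            f.write("allow any\n")
        tampered = verify_manifest(root, manifest, MANIFEST_KEY)
        # Attacker also regenerates the manifest, but without the real key.
        forged = verify_manifest(root, build_manifest(root, b"wrong-key"), MANIFEST_KEY)
    return {"clean": clean, "tampered": tampered, "forged": forged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same baseline-and-compare pattern serves requirement a): the expected digest of the boot image is the baseline and startup proceeds only when the measured digest matches. The key that authenticates the manifest (or a signing key used in its place) is held outside the device, so that compromise of the device does not also yield the key.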
7 Resource abstraction and control security
7.1 General requirements
This clause specifies the general requirements that shall be met by the network resource pool, the storage resource pool and the computing resource pool.
Basic requirements:
a) Detection of missing kernel patches, kernel hardening, and prevention of kernel privilege escalation shall be supported;
b) It shall be ensured that secure and reliable identity authentication measures are applied whenever the cloud computing platform is accessed through interfaces such as the Web and APIs.
Extended requirements:
a) It shall be ensured that remote API calls are made over HTTPS;
b) Timely detection and remediation of software vulnerabilities shall be supported.
Enhanced requirements:
It shall be ensured that users who remotely access the cloud computing platform for management purposes do so over an encrypted channel, and that identity authentication combines at least two mechanisms.
7.2 Network resource pool security
7.2.1 General
Network resource pool security covers the security requirements for the configuration and operation of network resources, as well as the requirements for the security products, functions or services that protect the network. Cloud service users obtain virtual network resources, and control over them, from the cloud service provider's network resource pool.
7.2.2 Architecture security
Basic requirements:
The virtual network shall be designed with full redundancy to avoid single points of failure.
Extended requirements:
a) Isolation between the networks of different tenants, and between different networks of the same tenant, shall be supported;
b) Cloud service users shall be able to define their own security zones;
c) VPC-related security functions shall be supported, and VPC operations (such as creating or deleting a VPC, custom routes, security groups and ACL policies) shall require verification of the cloud service user's credentials;
d) Creation of VPN or private line connections between VPCs, and between a VPC and other networks, shall be supported;
e) Cloud service users shall be able to monitor the traffic between the network nodes they own.
Enhanced requirements:
a) Traffic between virtual machines shall be identified and monitored;
b) Open interfaces shall be supported to allow access of third-party security products.
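Worked example for extended requirements a) to c) above (added here; not part of JR/T 0167-2018 or of any cloud platform's own implementation). It models a tenant's security-group rules as an allow-list, evaluates whether a given flow is permitted, and audits the rule set for two isolation failures: management ports exposed to 0.0.0.0/0, and rules that admit traffic from another tenant's address range. The tenants, address ranges and rules are constructed, and treating ports 22 and 3389 as the management plane is an assumption.

```python
"""Security-group evaluation and tenant-isolation audit for a virtual network.

Added example for clause 7.2.2 extended requirements a) to c). Not part of
JR/T 0167-2018. Tenants, ranges and rules are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

MANAGEMENT_PORTS = {22, 3389}  # assumption: SSH and RDP are the management plane


@dataclass(frozen=True)
class Rule:
    tenant: str       # tenant that owns the security group
    protocol: str     # "tcp", "udp" or "any"
    port_from: int
    port_to: int
    source: str       # CIDR allowed to initiate the flow


@dataclass(frozen=True)
class Flow:
    tenant: str       # tenant whose instance receives the flow
    protocol: str
    port: int
    source_ip: str


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """A rule only ever applies to instances of the tenant that owns it."""
    if rule.tenant != flow.tenant:
        return False
    if rule.protocol != "any" and rule.protocol != flow.protocol:
        return False
    if not (rule.port_from <= flow.port <= rule.port_to):
        return False
    return ipaddress.ip_address(flow.source_ip) in ipaddress.ip_network(rule.source)


def is_allowed(rules: List[Rule], flow: Flow) -> bool:
    """Security groups are allow-lists: permit only if some rule matches, else drop."""
    return any(rule_matches(r, flow) for r in rules)


def audit(rules: List[Rule], tenant_cidrs: Dict[str, str]) -> List[str]:
    """Flag rules that expose management ports to the world or admit another tenant's range."""
    findings = []
    for r in rules:
        src = ipaddress.ip_network(r.source)
        if src.prefixlen == 0:
            mgmt = sorted(p for p in MANAGEMENT_PORTS if r.port_from <= p <= r.port_to)
            if mgmt:
                findings.append(f"{r.tenant}: management ports {mgmt} open to {r.source}")
            if r.protocol == "any":
                findings.append(f"{r.tenant}: all protocols open to {r.source}")
            continue  # world-open rules are already reported above
        for other, cidr in tenant_cidrs.items():
            if other != r.tenant and src.overlaps(ipaddress.ip_network(cidr)):
                findings.append(f"{r.tenant}: allows traffic from tenant {other} range {r.source}")
    return findings


# Constructed tenants and rules.
TENANT_CIDRS = {"bank-a": "10.1.0.0/16", "bank-b": "10.2.0.0/16"}
RULES = [
    Rule("bank-a", "tcp", 443, 443, "0.0.0.0/0"),      # public HTTPS front end: acceptable
    Rule("bank-a", "tcp", 22, 22, "10.1.250.0/24"),    # SSH only from the tenant's bastion subnet
    Rule("bank-b", "tcp", 22, 22, "0.0.0.0/0"),        # SSH open to the Internet: finding
    Rule("bank-b", "tcp", 3306, 3306, "10.1.0.0/16"),  # database reachable from bank-a's range: finding
    Rule("bank-b", "any", 0, 65535, "10.2.0.0/16"),    # intra-tenant any/any: coarse but isolated
]

if __name__ == "__main__":
    print(is_allowed(RULES, Flow("bank-a", "tcp", 22, "10.1.250.7")))   # True
    print(is_allowed(RULES, Flow("bank-a", "tcp", 3306, "10.1.0.5")))   # False
    for finding in audit(RULES, TENANT_CIDRS):
        print(finding)
```

Because each rule is scoped to the tenant that owns the security group, a permissive rule in one tenant's group never opens another tenant's instances, which is the isolation requirement a) demands of the platform. The audit covers the case the platform cannot decide on its own: a tenant that, by mistake or otherwise, admits another tenant's address range into its own zone.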
Contents of JR/T 0167-2018
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 General
6 Basic hardware security
7 Resource abstraction and control security
8 Application security
9 Data security
10 Security management function
11 Security technology management requirements
Annex A (Normative) Security requirements for the optional components of cloud computing platform
Annex B (Informative) Security risks of cloud computing