
2024/05/23 16:41:33


Cloud computing services are a new model and a new business format that promote the on-demand supply of information technology capabilities and the full use of IT and data resources. They are efficient and convenient, delivered on demand and flexibly scalable, and they have been applied widely across society. More and more party and government agencies are migrating business systems and data to cloud platforms. At the same time, it should be noted that China's government cloud sector still has problems such as weak service capabilities, large gaps in core technology and prominent cybersecurity challenges.

1. Current status of government cloud service development in China

(1) National policies strongly support the development of government cloud services. In 2015, the State Council issued the "Opinions on Promoting the Innovation and Development of Cloud Computing and Cultivating New Business Formats in the Information Industry", which proposed exploring new models for e-government cloud computing, encouraged the use of cloud computing to integrate and transform existing e-government information systems so as to achieve unified deployment, co-construction and sharing, called for increased government procurement of cloud computing services, and called for a significant reduction in the number of government-built data centers. In 2021, the "14th Five-Year Plan for National Economic and Social Development of the People's Republic of China and the Outline of Long-term Goals for 2035" adopted at the Fourth Session of the 13th National People's Congress, the "14th Five-Year National Informatization Plan" issued by the Central Cyberspace Affairs Commission, the "14th Five-Year Plan for Digital Economy Development" issued by the State Council, and the "14th Five-Year Plan for Promoting National Government Informatization" issued by the National Development and Reform Commission all laid out plans for the development and application of government cloud. Among them, the "14th Five-Year Plan" outline emphasizes that "it is necessary to improve the national e-government network, intensively build government cloud platforms and data center systems, and promote the migration of government information systems to the cloud."

(2) Application of cloud computing services in party and government departments. According to statistics from the China Academy of Information and Communications Technology, China's overall cloud computing market reached 209.1 billion yuan in 2020, a growth rate of 56.6%. Chinese cloud computing vendors are also highly competitive internationally: in the 2021 global cloud computing IaaS market share figures released by the international consultancy Gartner, Alibaba Cloud, Huawei Cloud and Tencent Cloud ranked third, fifth and sixth respectively. The attitude of party and government departments toward cloud computing services has also changed, from an initial fear of, or inability to use, cloud services to a current preference for them, especially among local and provincial departments. According to statistics from public channels and vendor surveys, there are no fewer than 75 provincial government cloud platforms across the 31 provinces, autonomous regions and municipalities and the Xinjiang Production and Construction Corps. A few of these are cloud platforms self-built by information centers; the rest are cloud services purchased from enterprises, generally in the form of off-site private clouds. Provincial government clouds are generally managed by bodies such as the cyberspace administration, the general office of the provincial government and the big data bureau, which are responsible for managing cloud users and supervising the security of the cloud platform. In terms of cloud migration, the information systems of the various provincial commissions and bureaus are generally hosted on the local provincial government cloud; however, because the degree of central control differs between provinces, some provincial commissions and bureaus have self-built clouds, use other government community clouds, or even use public clouds.

Take one provincial government cloud as an example. The provincial government general office is in charge of the government cloud. More than 900 application systems from 300 units have been deployed on the provincial government cloud platform, and the cloud migration rate of information systems exceeds 80%. The overall architecture is "3+N+1": "3" refers to two heterogeneous cloud computing centers and one backup cloud center, with cloud services provided by different cloud service providers; "N" refers to multiple industry-specific proprietary clouds built for the customized needs of government applications; and "1" refers to a unified, region-wide supervision cloud platform that supports the e-government management unit in giving business guidance to and evaluating user units, and in assessing and supervising cloud service providers, scheduling resources and managing security. At the prefecture-level city level, according to incomplete statistics, there are more than 200 prefecture- and municipal-level government cloud platforms nationwide, including more than 50 in provincial capitals and cities specifically designated in the state plan. At the level of central government agencies and ministries, self-built clouds remain the main approach at present; a few have begun to switch to purchasing cloud services, basically as off-site private clouds.

2. Main regulatory measures for the security of government cloud services

(1) Cloud service license management. According to the "Telecommunications Business Classification Catalog (2015 Edition)" issued by the Ministry of Industry and Information Technology, the B11 Internet data center business under value-added telecommunications business includes the Internet resource collaboration service business. This mainly refers to using equipment and resources set up in data centers to provide users, over the Internet or other networks, with data storage, Internet application development environments, Internet application deployment and operation management, and other services that can be obtained and used on demand, expanded at any time, and shared collaboratively. Therefore, to provide cloud services in China one must obtain an Internet Resource Collaboration Service (IRC) license under the Internet Data Center (IDC) license. Under China's regulations on the management of value-added telecommunications business, this license is currently not open to foreign capital.

(2) Network security level protection. The "Network Security Law" clearly stipulates that the state implements a network security level protection system and that network operators must perform the security protection obligations required by that system. Cloud service providers, as operators of cloud platforms, must also comply with this requirement. To better fit cloud computing environments, cloud computing security extension requirements have been added to the baseline requirements for network security level protection.

(3) Cloud computing service security assessment. To strengthen the network security management of party and government departments' cloud computing services, in 2014 the Cyberspace Administration of China issued the "Opinions on Strengthening the Network Security Management of Cloud Computing Services of Party and Government Departments" (Document No. 14), which set security requirements for party and government agencies that procure and use cloud services. In July 2019, the Cyberspace Administration of China, the National Development and Reform Commission, the Ministry of Industry and Information Technology and the Ministry of Finance jointly issued the "Cloud Computing Service Security Assessment Measures", establishing a coordination mechanism for cloud computing service security assessment and organizing that work. Cloud platforms that serve government agencies and critical information infrastructure should undergo security assessment, which focuses on: (1) basic information such as the credit record and operating condition of the cloud service provider; (2) the background and stability of the cloud service provider's personnel, especially personnel who can access customer data and collect related metadata; (3) the supply chain security of the cloud platform's technology, products and services; (4) the cloud service provider's security management capability and the cloud platform's security protection status; (5) the feasibility and convenience of migrating customer data; (6) the business continuity of the cloud service provider; (7) other factors that may affect the security of cloud services. The main reference standards for the assessment are "Information Security Technology: Security Capability Requirements for Cloud Computing Services" (GB/T 31168-2014) and "Information Security Technology: Security Guidelines for Cloud Computing Services" (GB/T 31167-2014). According to the official website of the Cyberspace Administration of China, 66 cloud platforms have passed security assessment so far, with data centers covering 22 provinces, autonomous regions and municipalities. Of the 66 platforms, 22 serve national party and government departments and critical information infrastructure operators, 31 serve the party and government departments of specific provinces, and 13 serve the party and government departments of specific cities or specific users. In addition, the list of cloud platforms that passed the assessment shows that 4 cloud platforms had their security assessment results revoked during continuous supervision.

3. Security challenges faced by government cloud services

With the rapid spread and application of government cloud services, China's government cloud services face prominent security challenges even as they enjoy the efficiency gains and convenience that cloud computing brings.

(1) Cloud service providers are fragmented and cloud platforms are small, so economies of scale are hard to achieve. China's government cloud service providers are relatively scattered: the 75 provincial government clouds mentioned above involve about 60 cloud service providers in total, mainly local state-owned enterprises, local telecommunications operators, Huawei, Inspur and others. Government cloud platforms are generally small, with more than 70% having fewer than 500 physical servers. Because there are many government cloud platforms and each is small, each platform's investment in professionals and other resources is limited, and it is difficult to have sufficient resources to ensure security. On the other hand, among the many cloud service providers, a considerable proportion use cloud solutions from other manufacturers, most typically Huawei, Alibaba Cloud, Inspur, H3C and Tencent; these providers' own development and operation and maintenance capabilities are seriously insufficient, and they rely heavily on third parties.

(2) The cloud computing service model easily leads to an unclear division of responsibilities and over-reliance. The intensive nature of the cloud platform weakens users' control over and management of their data and systems. Compared with traditional information systems, the division of security responsibilities becomes unclear under the cloud service model, and some users have relaxed their security management because data and business have been outsourced, leaving management gaps. Interoperability and portability between cloud platforms are difficult, the contracts or agreements signed between cloud service providers and customers lack provisions on data migration, and technical implementations, verification tools and methods for data migration are lacking, so users can easily become overly dependent on the cloud service provider once they have migrated to the cloud.

(3) Security management and technical protection of cloud platforms are insufficient. Compared with traditional government information systems, government cloud platforms are more complex and carry more risks and hidden dangers. Judging from practice in recent years, China's government clouds currently show six typical problems. First, the responsibilities of the cloud service provider, the operation and maintenance party, the construction party and other relevant parties are not clearly defined, and they blame each other when security issues arise, so security incidents are not handled in time. Second, the boundaries of the cloud platform are not clearly defined and physical and logical isolation measures are ineffective; for example, management traffic and business traffic are not isolated, creating a risk of data leakage. Third, daily operation and maintenance is not standardized and O&M terminals lack effective controls, such as no control over terminal access, no security patch upgrades on terminals, and the use of personal laptops for O&M operations, bringing risks such as unauthorized access; at the same time, auditing of cloud platform operations is not timely, so suspicious behaviour cannot be detected effectively. Fourth, the cloud platform relies heavily on third-party operation and maintenance: there are too many outsourced personnel with high turnover, and management responsibility for outsourced O&M is not implemented, which affects the security and stability of the cloud platform. Fifth, vulnerability scanning coverage is small and vulnerability repairs and upgrades are not timely; some platform vulnerabilities have been known for a long time but have not been fully repaired, leaving a risk of exploitation. Sixth, cloud service providers have not formulated emergency response plans and disaster recovery plans that match actual user needs, and emergency response and disaster recovery drills are insufficient, which can easily harm users' business continuity; a considerable proportion of government cloud platforms have only data-level backup and image backup.

(4) The bottom layer of the cloud platform relies heavily on open source software. At present, the key software used in China's government clouds is mainly open source software or software developed by domestic manufacturers on an open source base. Virtualization and cloud management software is mainly based on KVM and OpenStack; operating systems mainly on CentOS and Ubuntu; databases mainly on MySQL, MongoDB, MariaDB and PostgreSQL; container technology mainly on Kubernetes and Docker. Whether a cloud service provider can track and repair vulnerabilities in open source components in a timely manner is closely tied to the security level of the cloud platform. In terms of hardware, servers with Intel x86 CPUs predominate and only a few platforms use ARM-based servers; some government cloud platforms use servers with GPUs, and all of these CPUs and GPUs are foreign products.
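The fifth problem above (small scan coverage, slow repair) and the point under (4) that timely tracking of open source component vulnerabilities determines the platform's security level both reduce to two measurable numbers: how long a published fix stays unapplied on each host, and what share of hosts actually get scanned. The following Python script is an added example, not code from the article or from any cloud provider it names; the host inventory, the advisory list (placeholder ids such as ADV-EXAMPLE-001 rather than real identifiers), the scan log and the 30-day SLA are all constructed assumptions.

```python
"""Patch-lag and scan-coverage check for an open source cloud stack.

Added example; all data below (hosts, components, advisory ids such as
ADV-EXAMPLE-001, dates and the 30-day SLA) is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # placeholder identifier, not a real advisory
    component: str
    fixed_in: tuple         # first fixed version as a tuple of ints
    published: date


@dataclass(frozen=True)
class Installed:
    host: str
    component: str
    version: tuple


def parse_version(text: str) -> tuple:
    """'8.0.27' -> (8, 0, 27); tuples compare component-wise, which is what we need."""
    return tuple(int(part) for part in text.split("."))


def overdue_findings(inventory, advisories, today, sla_days):
    """Installs still below an advisory's fixed version whose fix has been public
    longer than the SLA. Returns (host, component, advisory_id, lag_days)."""
    by_component = {}
    for adv in advisories:
        by_component.setdefault(adv.component, []).append(adv)
    findings = []
    for inst in inventory:
        for adv in by_component.get(inst.component, []):
            if inst.version < adv.fixed_in:
                lag_days = (today - adv.published).days
                if lag_days > sla_days:
                    findings.append((inst.host, inst.component, adv.advisory_id, lag_days))
    return findings


def scan_coverage(hosts, scan_log, today, window_days):
    """Share of hosts with at least one vulnerability scan inside the window,
    plus the hosts that were missed. A low share is the 'small coverage' problem."""
    cutoff = today - timedelta(days=window_days)
    scanned = {host for host, scanned_on in scan_log if scanned_on >= cutoff}
    hosts = set(hosts)
    return len(scanned & hosts) / len(hosts), sorted(hosts - scanned)


# Constructed sample data: three nodes of a fictional OpenStack/Kubernetes platform.
TODAY = date(2022, 5, 1)
SLA_DAYS = 30
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "openstack-nova", parse_version("23.1.0"), date(2022, 1, 10)),
    Advisory("ADV-EXAMPLE-002", "kubernetes", parse_version("1.22.5"), date(2022, 4, 20)),
    Advisory("ADV-EXAMPLE-003", "mysql", parse_version("8.0.28"), date(2022, 3, 1)),
]
INVENTORY = [
    Installed("node-01", "openstack-nova", parse_version("23.0.0")),
    Installed("node-01", "mysql", parse_version("8.0.28")),
    Installed("node-02", "mysql", parse_version("8.0.27")),
    Installed("node-02", "kubernetes", parse_version("1.22.4")),
    Installed("node-03", "kubernetes", parse_version("1.22.5")),
]
HOSTS = ["node-01", "node-02", "node-03"]
SCAN_LOG = [("node-01", date(2022, 4, 25)), ("node-02", date(2022, 2, 15))]


def run_example():
    """Evaluate the constructed platform; returns (overdue findings, coverage, unscanned hosts)."""
    findings = overdue_findings(INVENTORY, ADVISORIES, TODAY, SLA_DAYS)
    coverage, unscanned = scan_coverage(HOSTS, SCAN_LOG, TODAY, 30)
    return findings, coverage, unscanned


if __name__ == "__main__":
    findings, coverage, unscanned = run_example()
    for host, component, adv_id, lag in findings:
        print(f"OVERDUE {host} {component} {adv_id}: fix public for {lag} days")
    print(f"scan coverage, last 30 days: {coverage:.0%}; unscanned: {unscanned}")
```

On the constructed data the script reports the nova install on node-01 (fix public 111 days) and the MySQL install on node-02 (61 days) as overdue, leaves the Kubernetes fix that is only 11 days old inside the SLA, and shows that only one of three hosts was scanned in the last 30 days. In a real platform the inventory would come from the package manager or image registry and the advisory list from the upstream projects' security feeds; the point of separating lag from coverage is that a platform can look clean in its scan reports simply because most hosts were never scanned.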

4. Some thoughts on strengthening the security of government cloud services

First, promote cloud service providers to establish a self-assessment mechanism and to actively check, against the "Information Security Technology: Security Capability Requirements for Cloud Computing Services" and other relevant national standards, whether the cloud platform's construction, operation and maintenance, daily management and security technical measures meet the requirements. Second, further strengthen the security of the supply chain for key software and hardware. Through the guidance of the cloud computing service security assessment and other systems, urge and guide cloud service providers to strengthen their assessment of the security, openness, transparency and reliability of the supply channels for the platform's key software and hardware, adhere to bottom-line thinking, and fully consider how to keep the platform running smoothly and safely if service supply is cut off ("stopped") in extreme circumstances. Third, promote large-scale construction and operation of government cloud platforms so that the characteristics of cloud computing are truly exploited. Cloud platforms that have passed the cloud computing service security assessment offer stronger guarantees of security and controllability. Giving priority to assessed platforms when procuring services can improve the security of government department systems and data, and push cloud platforms toward further large-scale development, reducing the security risks caused by cloud service providers' insufficient personnel, insufficient security investment and insufficient professionalism. (This article was published in Issue 5, 2022 of "China Information Security" magazine)


shared from: China Information Security Public Account
