GB/T 37950-2019: Information security technology - Security technical requirements for desktop cloud. Status: Valid.
Basic data

| Field | Value |
| --- | --- |
| Standard ID | GB/T 37950-2019 (GB/T37950-2019) |
| Description (Translated English) | Information security technology - Security technical requirements for desktop cloud |
| Sector / Industry | National Standard (Recommended) |
| Classification of Chinese Standard | L80 |
| Classification of International Standard | 35.040 |
| Word Count Estimation | 22,215 |
| Date of Issue | 2019-08-30 |
| Date of Implementation | 2020-03-01 |
| Issuing agency(ies) | State Administration for Market Regulation, China National Standardization Administration |
GB/T 37950-2019: Information security technology - Security technical requirements for desktop cloud. This is a DRAFT version for illustration, not a final translation.
ICS 35.040
L80
National Standard of the People's Republic of China
Information Security Technology
Desktop cloud security technical requirements
Released 2019-08-30
Implemented 2020-03-01
Issued by the State Administration for Market Regulation and the China National Standardization Administration
Table of contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Overview
5.1 Desktop Cloud Basic Functional Architecture
5.2 Desktop Cloud Security Reference Architecture
5.3 Form of expression of safety technical requirements
6 Physical layer security
6.1 Environmental safety
6.2 Physical equipment security
6.3 Physical Security Management
7 Virtualization layer security
7.1 Host Security
7.2 Virtual Computing Security
7.3 Virtual storage security
7.4 Virtual Network Security
7.5 Virtualization Security Management
8 Desktop platform layer security
8.1 Desktop Access Security
8.2 Desktop platform management security
Appendix A (informative appendix) Desktop cloud scenario description
References
Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
Please note that certain contents of this document may involve patents. The issuing agency of this document is not responsible for identifying these patents.
This standard was proposed and managed by the National Information Security Standardization Technical Committee (SAC/TC260).
Drafting organizations of this standard: The 30th Research Institute of China Electronics Technology Group Corporation, the Third Research Institute of the Ministry of Public Security, China Electronic Technology Standardization Research Institute, China Netcom Technology Co., Ltd., Huawei Technologies Co., Ltd., Weishitong Information Industry Co., Ltd., University of Electronic Science and Technology of China, Metropolitan University, Beijing Guodiantong Network Technology Co., Ltd., Wuhan University, China Information Security Research Institute Co., Ltd., Shenzhen Shenxinfu Electronics Technology Co., Ltd., Hunan Kylin Xin’an Technology Co., Ltd.
The main drafters of this standard: Wang Qiang, Wang Yalu, Chen Yan, Liu Xiaoyi, Zhang Jian, Feng Chengyan, Guo Xiaohua, Wang Huilai, Zhao Hua, Luo Jun, Chen Aiguo, Wanguogen, Li Zhiqi, Wang Lina, Liu Bozhong, Yang Chen, Liu Wenqing, Li Zhanwei.
1 Scope
This standard specifies the security technical requirements for desktop cloud based on virtualization technology in the application process.
This standard applies to the security design and development of desktop clouds and can be used to guide desktop cloud security testing.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest version (including all amendments) applies to this document.
GB/T 2887-2011 General Specification for Computer Site
GB/T 5271.8-2001 Information Technology Vocabulary Part 8: Security
GB/T 9361-2011 Computer site safety requirements
GB/T 25069-2010 Information Security Technical Terms
GB/T 31915-2015 Information Technology Elastic Computing Application Interface
3 Terms and definitions
The terms and definitions in GB/T 5271.8-2001, GB/T 25069-2010 and GB/T 31915-2015 and the following terms and definitions apply to this document.
3.1
Desktop cloud
A desktop delivery model based on cloud computing.
Note. In this mode, by virtualizing the computer desktop, the personal computing environment is stored in the data center, providing users with desktops that are allocated on demand and delivered quickly. The user uses a terminal device to access the desktop through the network.
3.2
Virtual desktop
A desktop application based on virtualization technology.
Note. The virtual desktop supports users to use terminal devices for interactive operations to obtain a user experience consistent with traditional personal computers.
3.3
Desktop virtualization
A technology based on server virtualization and allowing users to remotely access the desktop and perform input and output operations.
3.4
Thin terminal
A terminal device that uses a processor and a cut-down operating system to implement transmission protocol decoding, display and information input, providing users with virtual desktop delivery.
3.5
Zero terminal
A terminal device with no general processor, no local hard disk, and no general operating system.
Note. A zero terminal uses a dedicated hardware protocol processing chip to implement transmission protocol decoding, display and information input, providing users with terminal equipment for virtual desktop delivery.
3.6
Fat terminal
A terminal device with a general-purpose processor, a local hard disk, a general-purpose operating system, and can install virtual desktop client software.
Examples. traditional personal computers and portable computers.
3.7
Mobile terminal
A computer terminal device used in a mobile environment.
Examples. digital mobile phones, portable computers, etc.
3.8
Virtualization
A resource management technology that abstracts and transforms computer physical resources such as processors, storage, and networks, and presents them in the form of software to simplify management and improve the resource utilization of physical equipment.
3.9
Guest operating system
An operating system running in a virtual machine for users to directly use.
3.10
Virtual machine monitor
A virtual resource management software that coordinates the access of multiple guest operating systems to the host's hardware resources, and enforces protection between virtual machines.
3.11
Host
A server that has a virtual machine monitor installed and provides virtual machine services.
3.12
Virtual machine
A computer with complete hardware system functions integrated, abstracted and isolated through virtualization technology.
3.13
Virtual machine image
File system image corresponding to the virtual machine.
Note. Including the operating system and the software required for virtual machine operation.
3.14
Virtual machine template
A collection of metadata required to configure a virtual machine.
Note 1. The virtual machine template is used to easily generate virtual machines.
Note 2. Including the number of CPUs, memory size and disk size, etc.
3.15
Virtual machine live migration
Live migration
A migration method in which a running virtual machine is moved, in a certain way, from one physical server to another management server without shutting down the virtual machine.
4 Abbreviations
The following abbreviations apply to this document.
5 Overview
5.1 Basic Functional Architecture of Desktop Cloud
The basic functional architecture of the desktop cloud is composed of server-side functions and client-side functions, described as follows. The client side is mainly the desktop cloud client software installed or pre-loaded on the terminal device (including thin terminals, fat terminals, zero terminals and mobile terminals), which provides peripheral instruction reception, decoding, the transmission protocol and the user interface. The server side is mainly based on hardware and establishes virtual desktops through different technical means; it can perform basic operations such as creating, modifying and deleting virtual desktops, configure and manage virtual desktop networks and storage, assign the established virtual desktops to different desktop users, and manage all desktop images centrally. The server side also includes the transmission protocol server, which is responsible for receiving user operation information and pushing virtual desktops to users. Figure 1 shows a reference functional diagram of a desktop cloud. Refer to Appendix A for the technical architecture and deployment scenarios of mainstream desktop clouds.
5.2 Desktop Cloud Security Reference Architecture
Figure 2 shows a reference diagram of a desktop cloud security architecture. The desktop cloud security architecture can be divided into three layers: the physical layer, the virtualization layer and the desktop platform layer, described as follows.
a) Physical layer security. The physical layer provides the physical resources required for the operation of the desktop cloud, including physical computing resources, physical storage resources and physical network resources. The security of the physical layer involves environmental security and physical device security (including physical security of terminal devices, physical security of desktop cloud servers, storage device security, network device security, etc.), and the corresponding physical security management that manages the physical layer.
b) Virtualization layer security. The virtualization layer provides the virtual resources required for the operation of the desktop cloud, including virtual computing resources, virtual storage resources and virtual network resources. The security of the virtualization layer mainly includes host security (only for managed hypervisors), virtual computing security, virtual storage security and virtual network security, and the corresponding virtualization security management that manages the virtual resource layer.
c) Desktop platform layer security. The desktop platform layer provides users with a secure desktop platform to support various kinds of application software. The security of the desktop platform layer mainly includes desktop access security (including the security of terminal devices accessing virtual desktops, transmission protocol security and desktop user authentication), and the corresponding desktop platform security management that manages the desktop cloud platform.
5.3 Form of expression of safety technical requirements
This standard divides desktop cloud security technical requirements into general requirements and enhanced requirements. Enterprises or government agencies need to analyze their own information and business, and select the corresponding security technical requirements for desktop cloud design, development and testing according to the sensitivity of the information and the importance of the business involved.
Each security requirement in this standard is given in the form of general requirements and enhanced requirements. The enhanced requirements supplement and reinforce the general requirements. When implementing enhanced requirements, the general requirements should be met first.
6 Physical layer security
6.1 Environmental safety
Implement in accordance with the provisions of Chapter 4 and Chapter 5 of GB/T 2887-2011 and Chapter 5~Chapter 10 of GB/T 9361-2011.
6.2 Physical equipment security
6.2.1 General requirements
Requirements include:
a) It should be implemented in accordance with the provisions of Chapter 5 in GB/T 2887-2011;
b) Expansion slots and redundant physical ports should not be provided in the equipment, and unnecessary physical ports should be closed;
c) The BIOS of the thin terminal should only be able to boot from the built-in device and not retain other boot methods.
6.2.2 Enhanced requirements
The built-in storage of the thin terminal should support hardware-based encryption.
6.3 Physical security management
Requirements include:
a) Implement in accordance with the provisions of Chapter 5 in GB/T 2887-2011;
b) It should support the monitoring of the port usage of physical equipment.
7 Virtualization layer security
7.1 Host Security
7.1.1 Identity authentication
7.1.1.1 General requirements
Requirements include:
a) The user who logs in to the host should be identified and authenticated;
b) Different users of the host should have different user names, and the user names should be unique;
c) The user identification of the host should not be easy to counterfeit, and the password should have complexity requirements and be changed regularly;
d) The host login failure handling function should be enabled, and measures such as ending the session, limiting the number of logins and automatic logout can be taken;
e) When remotely managing the host computer, necessary measures should be taken to prevent the authentication information from being intercepted during network transmission.
7.1.1.2 Enhanced requirements
Should support third-party identification schemes.
7.1.2 Access Control
7.1.2.1 General requirements
Requirements include:
a) The access control function should be enabled to control and manage user access to host resources according to security policies;
b) Permissions should be assigned according to the role of the management user to realize the separation of the permissions of the management user, and only the minimum required permissions should be granted;
c) The access rights of the default account should be strictly restricted, and the default password of the default account should be modified.
7.1.3.2 Enhancement requirements
Requirements include:
a) It should be ensured that the storage space holding the authentication information of administrator users and desktop cloud users is cleared before it is released or reallocated to other users, regardless of whether the information is stored on the hard disk or in memory;
b) It should be ensured that the storage space holding resources such as files, directories and database records in the system is cleared before it is released or reallocated to other users;
c) It should be ensured that the host storage space holding the temporary files generated while the virtual machine was running is cleared after the virtual machine is destroyed.
7.1.4 Intrusion Prevention
7.1.4.1 General requirements
The host operating system should follow the minimum installation principle, install only the required components and applications, and keep the system patches updated in time.
7.1.4.2 Enhanced requirements
Requirements include:
a) The key areas of the host operating system (such as operating system configuration files, account management modules, operating system peripheral management modules, etc.) should only support read-only mode;
b) It should be able to detect intrusions into the host, be able to record the source IP, attack type, attack purpose and time of the attack, and provide an alarm when a serious intrusion event occurs.
7.1.5 Malicious code prevention
7.1.5.1 General requirements
The host operating system should be able to prevent malicious code.
7.2.1.2 Enhanced requirements
The integrity of the virtual machine monitor and the virtual machine operating system image should be checked to ensure that the system has not been tampered with.
7.2.2 Virtualization security isolation
7.2.2.1 General requirements
Requirements include:
a) Resource isolation between virtual machines and virtual machine monitors should be ensured, and all data communication between virtual machines, and between virtual machines and virtual machine monitors, should be controlled;
b) Resource isolation between different virtual machines should be guaranteed, and a virtual machine crash should not affect the virtual machine monitor or other virtual machines;
c) CPU instruction isolation between different virtual machines should be guaranteed;
d) The memory isolation between different virtual machines should be guaranteed;
e) Ensure that the virtual machine can only receive messages whose destination address includes its own address;
f) Ensure that the virtual machine can only access the storage space allocated to it;
g) The isolation of I/O ports should be guaranteed.
7.2.2.2 Enhanced requirements
Requirements include:
a) Support virtual machine memory exclusive mode;
b) Support host CPU exclusive mode.
7.2.3 Migration security
7.2.3.1 General requirements
The virtual machine should support live migration.
7.2.3.2 Enhanced requirements
Requirements include:
a) Technical means should be adopted to ensure the confidentiality of data during the migration process;
b) Technical measures should be taken to ensure the integrity of the data after migration.
7.3 Virtual storage security
7.3.1 General requirements
Requirements include:
a) Multi-copy storage should be supported;
b) Measures should be taken to protect the integrity of important data;
c) Support setting access policies for virtual disks to ensure that user data cannot be accessed by other unauthorized users;
d) Encryption of virtual disks should be supported;
e) Should support the complete erasure of all data before the user requests to delete data or the device is discarded or resold;
f) Backup of virtual machine monitor data, such as security configuration and access policies, as key data should be supported;
g) The original storage space data should be completely cleared during storage migration;
h) The storage location of user data and backup should be supported.
7.3.2 Enhancement requirements
If the deployment scenario is a public desktop cloud, the encrypted data and key of the virtual machine disk should be stored separately.
7.4 Virtual network security
7.4.1 Architecture Security
7.4.1.1 General requirements
Requirements include:
a) It should be ensured that the business processing capabilities of key network equipment and virtualized network equipment have redundant space to meet the needs of business peaks;
b) The bandwidth of the core network should be guaranteed to meet the needs of peak business;
c) Ensure that the virtual machine can only receive messages whose destination address includes its own address;
d) It should be able to monitor the traffic between virtual machines and between virtual machines and the host;
e) Open interfaces should be provided to allow access to third-party security products.
7.4.2 Network isolation
7.4.2.1 General requirements
Requirements include:
a) Separation of different types of traffic should be ensured, such as separation of management traffic and desktop cloud user business traffic;
b) It should support the division of network security domains to ensure the safe isolation between virtual machines, and support VLAN/VxLAN or security groups;
c) Technical means should be used to prevent desktop users from modifying the IP address and MAC address of the virtual network card;
d) It should support IP address and MAC address binding;
e) It should be possible to set the network interface bandwidth of the virtual machine;
f) Avoid excessive occupation of virtualized network resources by some virtual machines and network failures that affect the normal use of other virtual machines.
7.4.3 Intrusion Prevention
7.4.3.1 General requirements
Requirements include:
a) Virtual machines should be prevented from using fake IP or MAC addresses to launch attacks;
b) Virtual machines should be prohibited from modifying the VLAN ID to prevent virtual machine VLAN hopping attacks;
c) It should support the detection of the intrusion behavior of the virtual machine monitor and virtual machine in the virtual network, and provide an alarm when an intrusion event occurs.
7.4.3.2 Enhanced requirements
Requirements include:
a) Binding a virtual machine to a fixed IP address should be supported;
b) Network port access control should be supported, and unused ports should be closed.
7.5 Virtualization Security Management
7.5.1 User Management
7.5.1.1 General requirements
Requirements include:
a) All administrator users who need to log in to the virtualization management platform should first be identified;
b) The administrator user identification should use the user name/user ID and ensure its uniqueness in the virtualization management platform;
c) Provide a mechanism for separating the permissions of virtual resource administrators, for example, different administrator accounts such as system administrators, security administrators and security auditors;
d) The administrators of the virtualization management platform are divided by function and the principle of minimum authorization, and form a relationship of mutual restriction and supervision;
e) The administrator should be able to define appropriate user roles and manage users according to the principle of minimum authorization.
7.5.2 Identity authentication
7.5.2.1 General requirements
Requirements include:
a) Authenticate the identity of the administrator user, and authenticate at each login to the system;
b) The authentication information should be stored and transmitted in non-plain text;
c) After the session timeout, the system should disconnect the session or re-authenticate the user, and the system should provide the default value of the time limit;
d) The authentication failure handling function shall be provided, and the maximum value of authentication attempts (including the threshold of the number of attempts and time) shall be predefined, together with the measures the system should take when this value is reached.
7.5.2.2 Enhanced requirements
Requirements include:
a) Two or more combinations of identification techniques should be used;
b) Should support authentication methods based on trusted third parties.
7.5.3 Access Control
7.5.3.1 General requirements
Requirements include:
a) The coverage of access control should include the subjects and objects related to resource access and the operations between them;
b) The content and operation authority of authorized users to access protected resources cannot exceed the predefined scope;
c) Access control subjects are: virtual machines, administrator users, etc.;
d) The protected resources include at least: CPU, storage, network, etc.
7.5.3.2 Enhancement requirements
Requirements include:
a) The remote execution of privileged commands should be restricted;
b) The remote management connection should be monitored in real time, and certain measures should be taken when an unauthorized connection is found, such as disconnecting.
7.5.4 Host Management
7.5.4.1 General requirements
Should support real-time detection of hardware failure status, automatic isolation of failed hardware, and alarms.
7.5.4.2 Enhanced requirements
None.
7.5.5 Virtual Machine Management
7.5.5.1 General requirements
Requirements include:
a) The timing strategy and batch operation functions of virtual machines should be provided, including the start, restart, suspend, resume, shutdown, etc. of virtual machines;
b) It should be able to take corresponding measures according to the strategy when the virtual machine is abnormal;
c) The maximum usage quota of system resources for a single virtual machine should be restricted.
7.5.6 Virtual Storage Management
7.5.6.1 General requirements
Should support the management of encryption keys for stored data.
7.5.6.2 Enhanced requirements
It should support policy-based user data storage and provide different storage locations for data of different types or security requirements.
7.5.7 Virtual network management
7.5.7.1 General requirements
Requirements include:
a) Information diagrams of virtual network structure consistent with current operating conditions should be provided;
b) Should support the virtualization platform to manage the confidentiality and integrity of network data transmission;
c) Ensure that the access control strategy is consistent and effective before and after the virtual machine migration;
d) According to the different security requirements of user data, it should be divided into different network security domains to support the isolation between different data.
7.5.7.2 Enhanced requirements
Real-time updates and centralized monitoring of virtualized network resources, network structure and corresponding access control policies should be carried out.
7.5.8 Security Monitoring
7.5.8.1 General requirements
Requirements include:
a) Real-time monitoring of virtual machine status should be supported to form various security and other event information;
b) Should support custom security events, including event types, etc.;
c) Should support the processing of security event information to form different levels of security alarm information;
d) It should support the setting of multiple alarm methods.
7.5.8.2 Enhancement requirements
Requirements include:
a) Should support the inspection of the execution status of the runtime security policy;
b) An interface for monitoring information should be provided, and data should be provided for third-party audits to achieve centralized monitoring.
7.5.9 Security Audit
7.5.9.1 General requirements
Requirements include:
a) It should be able to generate audit logs for the following events:
1) The administrator's key operational behaviors, including host configuration, virtual resource allocation, virtual resource management, abnormal use of virtual resources, etc.;
2) ...