How Can Google Cloud Help with the Security of Your Apps?

Source: CSDN
Author: weixin_26722031
Date: 2021-01-22

We will cover cloud security fundamentals, including three very simple security concepts.

Here you go! Read on and please share your thoughts in the comments below.

Three security fundamentals

#1 Protection

Google Cloud provides protection from threats through a secure foundation. It offers core infrastructure that is designed, built and operated to help prevent threats. How is it done? Here are a few of the ways!

Defense in depth

Google’s infrastructure doesn’t rely on any single technology to make it secure. Rather, it builds security through progressive layers that deliver true defense in depth.

Other cloud providers may describe a similar stack of capabilities, but the way Google Cloud approaches many of these is unique. Here is how:

The hardware is Google controlled, built and hardened.

Any application binary that runs on Google infrastructure is deployed securely.

There is no assumption of any trust between services, and multiple mechanisms are used to establish and maintain trust — the infrastructure was designed to be multi-tenant from the beginning.

All identities, users and services, are strongly authenticated.

Data stored on Google’s infrastructure is automatically encrypted at rest and distributed for availability and reliability.

Communications over the Internet to Google Cloud services are encrypted.

The scale of the infrastructure allows it to absorb many Denial of Service (DoS) attacks, and there are multiple layers of protection that further reduce the risk of any DDoS impact.

The operations teams detect threats and respond to incidents 24 x 7 x 365.

If this is intriguing, here is a white paper on Google infrastructure design that goes into all of these areas in significant detail.

End-to-end provenance & attestation

Google’s hardware infrastructure is custom-designed by Google “from chip to chiller” to precisely meet their requirements, including security.

Google’s servers and operating systems (OS) are designed for the sole purpose of providing Google services.

The servers are custom built and don’t include unnecessary components like video cards or peripheral interconnects that can introduce vulnerabilities.

The same goes for software, including low-level software and the OS, which is a stripped-down, hardened version of Linux.

Further, Google designed and included hardware specifically for security — like Titan, a custom security chip that is used to establish a hardware root of trust in the servers and peripherals.

Network hardware and software are also purpose built to improve performance as well as security.

This all rolls up to the custom data center designs, which include multiple layers of physical and logical protection.

Understanding provenance from the bottom of the hardware stack to the top allows Google Cloud to control the underpinnings of the security posture. Unlike other cloud providers, Google has greatly reduced the “vendor in the middle problem” — if a vulnerability is found, steps can be taken immediately to develop and roll out a fix. This level of control results in greatly reduced exposure.

Private backbone

Google operates one of the largest backbone networks in the world. There are more than 130 points of presence across 35 countries, and more zones and regions are continually being added to meet customers’ preferences and policy requirements.

Google’s network delivers low latency but also improves security. Once customers’ traffic is on Google’s network it is no longer transiting the public internet, making it less likely to be attacked, intercepted, or manipulated.

Encryption at rest by default

We will cover this one in more detail in the upcoming comics but in short, all data at rest or in motion is encrypted by default on the Google network. And some services offer the option to supply or manage your own keys.

Update at scale without disruptions

Using a technology called Live Migration, Google has the ability to update the cloud infrastructure without disrupting customers.

Updates add functionality, but from a security standpoint, they are also required to patch software vulnerabilities. No one writes perfect software, so this is a constant requirement.

Keeping ahead of threats

The security landscape evolves rapidly and many organizations struggle to keep pace. Because Google runs on the same infrastructure that is available to the customers, customers can directly benefit from those investments.

The global footprint across enterprises and consumers gives Google unprecedented visibility into threats and attacks. As a result, solutions can be developed before many other organizations even see the threats, reducing exposure.

#2 Controls

In the cloud there can be a lot of control options to make sure the app, the data and the services you deploy are secure. The most important thing to understand is that “cloud security requires collaboration”.

Your cloud provider (Google Cloud) is responsible for securing the infrastructure.

You are responsible for securing your data.

And... Google Cloud provides the best practices, templates, products and solutions to help you secure your data and services.

Keeping this section short because I am planning on doing another comic issue on this topic, there is a lot more to learn here, so stay tuned!

#3 Compliance

In order to protect the sensitive data that you store in Google Cloud, Google Cloud maintains and goes through compliance, including complex regulatory frameworks and guidelines, for example HIPAA, FedRAMP, SOC, etc.

Translated from: https://medium.com/google-cloud/how-can-google-cloud-help-with-security-of-your-apps-8f5692f56177
