Transcript Document 7412420

雲端資訊安全
主講人:陳建源
研究室 :法401
Email: [email protected]
日期:99/12/20
（中央社記者吳佳穎台北2010年11月26日電）雲端潮流凸顯資
安議題重要性。防毒業者表示，企業雖有疑慮，但雲端依然商
機龐大；雲端安全聯盟提供美國政府經驗，說明適度區隔是雲
端資安可行方式-為推動安全的雲端運算環境，財團法人資訊
工業策進會今天舉辦2010國際資訊安全技術高峰會，邀請國內
外產研界人士共同討論。
趨勢科技全球研發長暨亞太區執行副總裁張偉欽表示，目前雖
有不少對於雲端運算資安的疑慮與不信任，但業界還是出現很
多資訊外包託管的雲端風潮，這類市場近年的營收成長30%以
上，商機龐大。
（中央社記者吳佳穎台北2010年11月26日電）
另外，由於企業對雲端信賴度不足，張偉欽預估還要 5年時間
，使用「公有雲」服務才會明顯。但他強調，防毒產業要先預
見趨勢，抓緊雲端潮流，提供因應的解決方案。
雲端安全聯盟（Cloud Security Alliance，CSA）創辦人馬瑟爾
（Tim Mather）說明，企業進入雲端服務首重安全評估，如美
國政府目前透過雲端運算處理的大多是沒有機密性、沒有法律
以及財務敏感的資料，且運作系統和一般雲端運作分開，適度
區隔的確必要。
中央研究院院士李德財分享台灣與美國院校的研究成果，以及
台灣學界未來資安的研究方向，例如台科大主要研究軟體安全
驗證、交大負責 WiMAX等多重網路環境安全、成大則專門研
究殭屍電腦病毒偵測。
資料來源
雲端安全聯盟(CSA, Cloud Security Alliance)：
於2009年在美國成立，是一家在雲計算環境下提供安全方
案的非營利性組
Security Guidance for Critical Areas of Focus in Cloud Computing
http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
Top Threats to Cloud Computing
http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
[研究報告] 雲端運算的七大安全威脅
http://cyrilwang.pixnet.net/blog/post/30895717
Security Guidance for Critical Areas
of Focus in Cloud Computing
在這份文件中，將雲端安全分為兩大領域，分別為治
理 (Governance) 與維運 (Operation)，其下各有 5 個與
7 個分類，共計 12 個分類：
治理 (Governance)
1.治理與企業風險管理 (Governance and Enterprise
2.Risk Management)
3.法律與電子資料搜尋 (Legal and Electronic Discovery)
4.法規遵守與稽核 (Compliance and Audit)
5.資訊生命週期管理 (Information Lifecycle
Management)
6.可攜性與互通性 (Portability and Interoperability)
Security Guidance for Critical Areas
of Focus in Cloud Computing
維運 (Operation)
1.傳統上的安全、業務持續與災難復原 (Traditional
Security, Business Continuity, and Disaster Recovery)
2.資料中心維運 (Data Center Operations)
3.事件處理、通知與回復 (Incident Response,
Notification, and Remediation)
4.應用程式安全 (Application Security)
5.加密與金鑰管理 (Encryption and Key Management)
6.身份與存取管理 (Identity and Access Management)
7.虛擬化 (Virtualization)
治理 (Governance)
1.治理與企業風險管理 (Governance and Enterprise Risk
Management)
well-developed information security governance processes
The fundamental issues :
concern the identification and implementation of the
appropriate organizational structures, processes, and
controls to maintain effective information security governance,
risk management, and compliance.
Organizations should also assure reasonable information security
across the information supply chain, encompassing providers
and customers of Cloud Computing services and their supporting
third party vendors, in any cloud deployment model.
治理 (Governance)
2.法律與電子資料搜尋 (Legal and Electronic Discovery)
Cloud Computing creates new dynamics in the relationship
between an organization and its information, involving
the presence of a third party: the cloud provider.
治理 (Governance)
2.法律與電子資料搜尋 (Legal and Electronic Discovery)
The fundamental issues :
• The
functional dimension: determining which functions and
services in Cloud Computing have legal implications for
participants and stakeholders.
• The jurisdictional dimension: involves the way in which
governments administer laws and regulations impacting Cloud
Computing services, the stakeholders, and the data assets
involved.
• The contractual dimension involves the contract structures,
terms and conditions, and enforcement mechanisms through
which stakeholders in Cloud computing environments can
address and manage the legal and security issues.
治理 (Governance)
3.法規遵守與稽核 (Compliance and Audit)
• Regulatory applicability for the use of a given cloud service
• Division of compliance responsibilities between cloud provider
and cloud customer
• Cloud provider’s ability to produce evidence needed for
compliance
• Cloud customer’s role in bridging the gap between cloud provider
and auditor/assessor
治理 (Governance)
4.資訊生命週期管理 (Information Lifecycle Management)
The Data Security Lifecycle is different from Information
Lifecycle Management, reflecting the different needs of the
security audience. The Data Security Lifecycle consists of six
phases:
治理 (Governance)
4.資訊生命週期管理 (Information Lifecycle Management)
治理 (Governance)
4.資訊生命週期管理 (Information Lifecycle Management)
Data security: Confidentiality, Integrity, Availability, Authenticity,
Authorization, Authentication, and Non-Repudiation.
Location of the data: There must be assurance that the data,
including all of its copies and backups, is stored only in
geographic locations permitted by contract, SLA, and/or
regulation. For instance, use of “compliant storage” as
mandated by the European Union for storing electronic
health records can be an added challenge to the data owner
and cloud service provider.
治理 (Governance)
4.資訊生命週期管理 (Information Lifecycle Management)
Data remanance or persistence: Data must be effectively and
completely removed to be deemed ‘destroyed.’ Therefore,
techniques for completely and effectively locating data in the
cloud, erasing/destroying data, and assuring the data has been
completely removed or rendered unrecoverable must be
available and used when required.
Commingling data with other cloud customers: Data –
especially classified / sensitive data –must not be
commingled with other customer data without compensating
controls while in use,storage, or transit. Mixing or
commingling the data will be a challenge when concerns are
raised about data security and geo-location.
治理 (Governance)
4.資訊生命週期管理 (Information Lifecycle Management)
Data backup and recovery schemes for recovery and restoration:
Data must be available and data backup and recovery schemes
for the cloud must be in place and effective in order to prevent
data loss, unwanted data overwrite, and destruction. Don’t
assume cloud-based data is backed up and recoverable.
Data discovery: As the legal system continues to focus on electronic
discovery, cloud service providers and data owners will need to
focus on discovering data and assuring legal and regulatory
authorities that all data requested has been retrieved. In a cloud
environment that question is extremely difficult to answer and
will require administrative, technical and legal controls when
required.
治理 (Governance)
4.資訊生命週期管理 (Information Lifecycle Management)
Data aggregation and inference: With data in the cloud, there are
added concerns of data aggregation and inference that could
result in breaching the confidentiality of sensitive and
confidential information. Hence practices must be in play to
assure the data owner and data stakeholders that the data is still
protected from subtle “breach” when data is commingled and/or
aggregated, thus revealing protected information (e.g., medical
records containing names and medical information mixed with
anonymous data but containing the same “crossover field”).
治理 (Governance)
5.可攜性與互通性 (Portability and Interoperability)
• An unacceptable increase in cost at contract renewal time.
• A provider ceases business operations.
• A provider suddenly closes one or more services being used,
without acceptable migration plans.
• Unacceptable decrease in service quality, such as a failure to meet
key performance requirements or achieve service level
agreements (SLAs).
• A business dispute between cloud customer and provider.
維運 (Operation)
1.傳統上的安全、業務持續與災難復原 (Traditional
Security, Business Continuity, and Disaster Recovery)
The body of knowledge accrued within traditional physical
ecurity, business continuity planning and disaster recovery
remains quite relevant to Cloud Computing.
維運 (Operation)
2.資料中心維運 (Data Center Operations)
The number of Cloud Computing providers continues to
increase as business and consumer IT services move to the
cloud. There has been similar growth in data centers to fuel
Cloud Computing service offerings.
Sharing IT resources to create efficiencies and economies of scale
維運 (Operation)
3.事件處理、通知與回復 (Incident Response, Notification,
and Remediation)
The nature of Cloud Computing makes it more difficult to
determine who to contact in case of a security incident, data
breach, or other event that requires investigation and reaction.
Standard security incident response mechanisms can be used
with modifications to accommodate the changes required by
shared reporting responsibilities. This domain provides
guidance on how to handle these incidents.
維運 (Operation)
4.應用程式安全 (Application Security)
Applications in cloud environments will both impact and be
impacted by the following major aspects:
• Application Security Architecture
• Software Development Life Cycle (SDLC)
• Compliance
• Tools and Services
• Vulnerabilities
維運 (Operation)
5.加密與金鑰管理 (Encryption and Key Management)
Cloud customers and providers need to guard against data loss
and theft
Cloud customers want their providers to encrypt their data to
ensure that it is protected no matter where the data is physically
located. Likewise, the cloud provider needs to protect its
customers’ sensitive data.
維運 (Operation)
5.加密與金鑰管理 (Encryption and Key Management)
Encryption for Confidentiality and Integrity
Cloud environments are shared with many tenants, and service
providers have privileged access to the data in those environments.
Thus confidential data hosted in a cloud must be protected using a
combination of access control (see Domain 12), contractual
liability (see Domains 2, 3, and 4), and encryption, which we
describe in this section. Of these, encryption offers the benefits of
minimum reliance on the cloud service provider and lack of
dependence on detection of operational failures.
維運 (Operation)
5.加密與金鑰管理 (Encryption and Key Management)
Encryption for Confidentiality and Integrity
Encrypting data in transit over networks: There is the utmost
need to encrypt multi-use credentials, such as credit card
numbers, passwords, and private keys, in transit over the
Internet. Although cloud provider networks may be more
secure than the open Internet, they are by their very architecture
made up of many disparate components, and disparate
organizations share the cloud. Therefore it is important to
protect this sensitive and regulated information in transit even
within the cloud provider’s network. Typically this can be
implemented with equal ease in SaaS, PaaS, and IaaS
environments.
維運 (Operation)
5.加密與金鑰管理 (Encryption and Key Management)
Encryption for Confidentiality and Integrity
Encrypting data at rest: Encrypting data on disk or in a live
production database has value, as it can protect against a
malicious cloud service provider or a malicious co-tenant as
well as against some types of application abuse. Encrypting
data at rest is common within IaaS environments, using a
variety of provider and third party tools. Encrypting data at rest
within PaaS environments is generally more complex, requiring
instrumentation of provider offerings or special customization.
Encrypting data at rest within SaaS environments is a feature
cloud customers cannot implement directly, and need to request
from their providers.
維運 (Operation)
5.加密與金鑰管理 (Encryption and Key Management)
Encryption for Confidentiality and Integrity
Encrypting data on backup media: This can protect against
misuse of lost or stolen media. Ideally, the cloud service
provider implements it transparently. However, as a customer
and provider of data, it is your responsibility to verify that such
encryption takes place. One consideration for the encryption
infrastructure is dealing with the longevity of the data.
維運 (Operation)
5.加密與金鑰管理 (Encryption and Key Management)
Key Management
Secure key stores: Key stores must themselves be protected, just
as any other sensitive data. They must be protected in storage,
in transit, and in backup. Improper key storage could lead to the
compromise of all encrypted data.
Access to key stores: Access to key stores must be limited to the
entities that specifically need the individual keys. There should
also be policies governing the key stores, which use separation
of roles to help control access; an entity that uses a given key
should not be the entity that stores that key.
維運 (Operation)
5.加密與金鑰管理 (Encryption and Key Management)
Key Management
Key backup and recoverability: Loss of keys inevitably means
loss of the data that those keys protect. While this is an
effective way to destroy data, accidental loss of keys protecting
mission critical data would be devastating to a business, so
secure backup and recovery solutions must be implemented.
維運 (Operation)
5.加密與金鑰管理 (Encryption and Key Management)
Key Management
There are a number of standards and guidelines applicable to key
management in the cloud. The OASIS Key Management
Interoperability Protocol (KMIP) is an emerging standard for
interoperable key management in the cloud. The IEEE 1619.3
standards cover storage encryption and key management,
especially as they pertain to storage IaaS.
維運 (Operation)
6.身份與存取管理 (Identity and Access Management)
Managing identities and access control for enterprise applications
remains one of the greatest challenges facing IT today.
cloud-based Identity and Access Management (IAM)
• Identity provisioning/deprovisioning
• Authentication
• Federation
• Authorization & user profile management
維運 (Operation)
6.身份與存取管理 (Identity and Access Management)
cloud-based Identity and Access Management (IAM)
Identity Provisioning: One of the major challenges for
organizations adopting Cloud Computing services is the secure
and timely management of on-boarding (provisioning) and offboarding (deprovisioning) of users in the cloud. Furthermore,
enterprises that have invested in user management processes
within an enterprise will seek to extend those processes and
practice to cloud services.
維運 (Operation)
6.身份與存取管理 (Identity and Access Management)
cloud-based Identity and Access Management (IAM)
Authentication: When organizations start to utilize cloud services,
authenticating users in a trustworthy and manageable manner is
a vital requirement. Organizations must address authenticationrelated challenges such as credential management, strong
authentication (typically defined as multi-factor authentication),
delegated authentication, and managing trust across all types of
cloud services.
維運 (Operation)
6.身份與存取管理 (Identity and Access Management)
cloud-based Identity and Access Management (IAM)
Federation: In a Cloud Computing environment, Federated
Identity Management plays a vital role in enabling
organizations to authenticate their users of cloud services using
the organization’s chosen identity provider (IdP). In that
context, exchanging identity attributes between the service
provider (SP) and the IdP in a secure way is also an important
requirement.
維運 (Operation)
6.身份與存取管理 (Identity and Access Management)
cloud-based Identity and Access Management (IAM)
Authorization & user profile management: The requirements for
user profiles and access control policy vary depending on
whether the user is acting on their own behalf (such as a
consumer) or as a member of an organization (such as an
employer, university, hospital, or other enterprise). The access
control requirements in SPI environments include establishing
trusted user profile and policy information, using it to control
access within the cloud service, and doing this in an auditable
way.
維運 (Operation)
7.虛擬化 (Virtualization)
The ability to provide multi-tenant cloud services at the
infrastructure, platform, or software level is often underpinned
by the ability to provide some form of virtualization to create
economic scale.
If Virtual Machine (VM) technology is being used in the
infrastructure of the cloud services, then we must be concerned
about compartmentalization and hardening of those VM
systems.
The reality of current practices related to management of virtual
operating systems is that many of the processes that provide
security-by-default are missing, and special attention must be
paid to replacing them.
雲端新興安全問題
以虛擬化為基礎的雲端環境繼承所有以往所面臨的資安
問題
個人端：
惡意程式、垃圾郵件、不當廣告、網路釣魚
主機端：
惡意程式、殭屍電腦、阻斷式攻擊、社交攻
擊、中間人攻擊、SSL漏洞與實作缺失
雲端新興安全問題
散戶型駭客可以很方便地租用相同
的運算環境來測試並挖掘其弱點
組織型駭客可以自建雲端或利用雲端
從事BotNet攻擊與密碼破解
因此，雲端環境的安全威脅程度更大如何強化原來
的安全措施在雲端環境中更顯重要
虛擬環境上
虛擬平台弱點
共享資源風險
虛擬機器移轉
與備份管理
跨虛擬主機攻
擊(Inter-VM)
雲端新興安全問題
雲端運算的七大安全威脅
CSA (Cloud Security Alliance) 在 (2010 年 3 月) 初發布了一份
研究報告，標題是 “Top Threats to Cloud Computing V1.0”，
列出了目前雲端運算所遭遇的七大安全威脅
1.濫用或利用雲端運算進行非法的行為 (Abuse and
Nefarious Use of Cloud Computing)
此一威脅主要是針對雲端運算服務的供應者而言。雲端
運算服務供應商 (尤其是 IaaS 與 PaaS 供應商) 為了降低
使用的門檻，通常並不會要求使用者必須經過嚴格的資
料審查過程就可以直接使用其所其提供的資源，有些服
務供應商甚至提供免費使用的功能或試用期。這些做法
雖然可以有效推廣雲端運算的業務，卻也容易成為有心
分子利用的管道。事實上，已經有包含殭屍網路、木馬
程式下載在內的惡意程式運行於雲端運算的系統內。
雲端運算的七大安全威脅
1.濫用或利用雲端運算進行非法的行為 (Abuse and
Nefarious Use of Cloud Computing)
Examples
IaaS offerings have hosted the Zeus botnet, InfoStealer trojan
horses, and downloads for Microsoft Office and Adobe PDF
exploits.
Additionally, botnets have used IaaS servers for command and
control functions. Spam continues to be a problem — as a
defensive measure, entire blocks of IaaS network addresses have
been publicly blacklist.
雲端運算的七大安全威脅
1.濫用或利用雲端運算進行非法的行為 (Abuse and
Nefarious Use of Cloud Computing)
Remediation
Stricter initial registration and validation processes.
Enhanced credit card fraud monitoring and coordination.
Comprehensive introspection of customer network traffic.
Monitoring public blacklists for one’s own network blocks.
雲端運算的七大安全威脅
2.不安全的介面與 APIs (Insecure Interface and APIs)
使用者透過使用者介面或是 APIs 與雲端運算服務進行
互動，因此這些介面與 APIs 是否安全直接影響到雲端運
算服務本身的安全性。像是使用者介面的驗證與授權功
能是否安全，APIs 的相依性與安全性，都是必須特別注
意的地方。此外，如果有使用第三方的加值服務，這些
服務的介面與 APIs 的安全性也必須一併加以考量。
雲端運算的七大安全威脅
2.不安全的介面與 APIs (Insecure Interface and APIs)
Examples
Anonymous access and/or reusable tokens or passwords,
clear-text authentication or transmission of content, inflexible
access controls or improper authorizations,
limited monitoring and logging capabilities,
unknown service or API dependencies.
雲端運算的七大安全威脅
2.不安全的介面與 APIs (Insecure Interface and APIs)
Remediation
1. Analyze the security model of cloud provider interfaces.
2.Ensure strong authentication and access controls are
implemented in concert with encrypted transmission.
3. Understand the dependency chain associated with the API.
雲端運算的七大安全威脅
3.惡意的內部人員 (Malicious Insiders)
內部人員所造成的問題，這幾年來已經成為許多組
織關注的重點，採用雲端運算將會讓內部人員所產
生的問題更形嚴重。一個最主要的因素在於使用者
無法得知雲端運算服務供應商如何規範與管理內部
員工，甚至連招聘的條件與流程也屬於非公開的資
訊。以安全的角度來說，”未知”絕對不是一種幸
福，而是一種芒刺在背的威脅。更何況以雲端運算
的業務性質而言，絕對是有心分子眼中的肥魚，所
以內部惡意員工的比例應當會比一般組織來的更高
。
雲端運算的七大安全威脅
3.惡意的內部人員 (Malicious Insiders)
Examples
無
雲端運算的七大安全威脅
3.惡意的內部人員 (Malicious Insiders)
Remediation
1.Enforce strict supply chain management and conduct a
comprehensive supplier assessment.
2.Specify human resource requirements as part of legal
contracts.
3.Require transparency into overall information security and
management practices, as well as compliance reporting.
4.Determine security breach notification processes.
雲端運算的七大安全威脅
4.共享環境所造成的議題 (Shared Technology
Issues)
雖然使用雲端運算的服務 (尤其是 IaaS) 時使用者好像
擁有獨立的環境，但是這些環境都是從共享的實體環境中
透過虛擬化的技術所產生出來的。這些虛擬化的平台能否
將不同的使用者進行有效地隔離，以避免彼此之間相互干
擾其服務的正常運算，甚至是避免彼此之間可以存取對方
的資源，對雲端運算的安全來說是一個嚴格的挑戰。
雲端運算的七大安全威脅
4.共享環境所造成的議題 (Shared Technology
Issues)
Examples
Joanna Rutkowska’s Red and Blue Pill exploits
Kortchinksy’s CloudBurst presentations
雲端運算的七大安全威脅
4.共享環境所造成的議題 (Shared Technology
Issues)
Remediation
1.Implement security best practices for installation/configuration.
2.Monitor environment for unauthorized changes/activity.
3.Promote strong authentication and access control for administrative
access and operations.
4. Enforce service level agreements for patching and vulnerability
remediation.
5.Conduct vulnerability scanning and configuration audits.
雲端運算的七大安全威脅
5.資料遺失或外洩 (Data Loss or Leakage)
資料遺失與外洩對於一個組織的影響不只在於實際
上的金錢損失，更在於如企業形象之類的無形損失
。雲端運算因為其特定的緣故，使得資料遺失或外
洩的議題面臨更加嚴峻的考驗。包含是否擁有足夠
的 AAA (驗證、授權、稽核)、是否採用適當且足夠
的加密技術、資料持續性的需求、如何安全地刪除
資料、災難復原、甚至是司法管轄的問題，都是必
須認真加以考量的問題。
雲端運算的七大安全威脅
5.資料遺失或外洩 (Data Loss or Leakage)
Examples
Insufficient authentication, authorization, and audit (AAA) controls;
inconsistent use of encryption and software keys; operational failures;
persistence and remanence challenges: disposal challenges;
risk of association;
jurisdiction and political issues;
data center reliability;
disaster recovery.
雲端運算的七大安全威脅
5.資料遺失或外洩 (Data Loss or Leakage)
Remediation
1.Implement strong API access control.
2.Encrypt and protect integrity of data in transit.
3.Analyzes data protection at both design and run time.
4.Implement strong key generation, storage and management,
and destruction practices.
5.Contractually demand providers wipe persistent media before it
is released into the pool.
6.Contractually specify provider backup and retention strategies.
雲端運算的七大安全威脅
6.帳號或服務被竊取 (Account or Service
Hijacking)
儘管帳號或服務被竊取的問題由來已久，但是這類
問題對於雲端運算來說更具威脅性。首先因為雲端
運算不像傳統的 IT 架構般擁有實體的東西，因此一
旦帳號或服務被竊取後，除非有其他的方式加以證
明，否則惡意分子可以完全取代原先使用者的身分
。在傳統的 IT 環境中，因為使用者至少還擁有硬體
的控制權，所以即使發生帳號或服務的竊取行為，
使用者還是可以進行一些事後的補救措施，但是這
些補救措施在雲端運算的架構下可能無法執行。此
外，對於那些公開的雲端運算服務而言，直接暴露
於網際網路上也讓這些竊取行為更加容易發生。
雲端運算的七大安全威脅
6.帳號或服務被竊取 (Account or Service
Hijacking)
Examples
無
雲端運算的七大安全威脅
6.帳號或服務被竊取 (Account or Service
Hijacking)
Remediation
1.Prohibit the sharing of account credentials between users and
services.
2.Leverage strong two-factor authentication techniques where
possible.
3.Employ proactive monitoring to detect unauthorized activity.
4.Understand cloud provider security policies and SLAs.
雲端運算的七大安全威脅
7.未知的風險模型 (Unknown Risk Profile)
如我在前面所述，以安全的角度來說，”未知”絕
對不是一種幸福，而是一種芒刺在背的威脅。以雲
端運算來說，不管是 IaaS、PaaS、SaaS 都是將服務
包裝成一個使用者不需了解也無法了解的系統，讓
使用者專注於如何”使用”該系統。但是這樣的方
便性，也讓使用者無法了解這些服務所使用的網路
架構、安全架構、軟體版本等等各式各樣的重要資
訊。這些資訊對於評估安全狀態是很有幫助的，欠
缺這些資訊將使得這樣的評估行為無法被有效地進
行。
雲端運算的七大安全威脅
7.未知的風險模型 (Unknown Risk Profile)
Examples
IRS asked Amazon EC2 to perform a C&A; Amazon refused.
http://news.qualys.com/newsblog/forrester-cloud-computingqa.
html
Heartland Data Breach: Heartland’s payment processing
systems were using known-vulnerable software and actually
infected, but Heartland was “willing to do only the bare
minimum and comply with state laws instead of taking the
extra effort to notify every single customer, regardless of law,
about whether their data has been stolen.”
http://www.pcworld.com/article/158038/heartland_has_no_hea
rt_for_violated_customers.html
雲端運算的七大安全威脅
7.未知的風險模型 (Unknown Risk Profile)
Remediation
1.Disclosure of applicable logs and data.
2.Partial/full disclosure of infrastructure details (e.g., patch
levels, firewalls, etc.).
3.Monitoring and alerting on necessary information.
何謂ISMS（Information Security
Management System）
政策
推動重要政府機關（構）導入ISMS（Information Security
Management System）驗證係「國家資通安全會報」之重要政策，
依該會報「政府機關（構）資訊安全責任等級分級作業施行計畫」
規劃資安責任等級A級之政府機關（構）須於96年前；B級之政府
機關（構）須於97年前通過第三者驗證。
何謂資訊安全（Information Security）
機密性（Confidentiality）
保護資訊不被未經授權之個人、程序、系統等實體所取得或揭露。
完整性（Integrity）
保證資訊之正確與完整，不會被意外破壞或惡意改變。
可用性（Availability）
保障所有經授權之實體於需要時可以存取或使用資訊。
適法性（Legality）
符合本國相關法令規範。
何謂ISMS（Information Security
Management System）
何謂ISMS
為國際現行五大管理系統之一，乃組織管理系統的一部分，必須依據
風險管理的方法加以制訂，進而用以建立、執行、操作、監控、審查
、維護與改進組織的資訊安全。
在ISMS國際標準未制定前，以CNS 17800：2002/BS 7799-2：2002為驗
證標準。2005年10月15日國際標準組織（ISO）正式公布ISO/IEC
27001：2005國際標準，我國經濟部標準檢驗局業依新標準制定CNS
27001：200X（暫定），以取代CNS 17800：2002作為我國受理ISMS之
驗證標準。
雲端安全發展現況
IBM
與傳統資安無差異性，整合既有Web AP Security
產品
IBM
推出支援雲端服務產品，如VPC Gateway、
Cloud Safety Box (舊產品新包裝)
Novell
與雲端安全聯盟(CSA)共同推展Trusted Cloud ，
強調其身分認證技術
VMWare
發布VMSafe API 供協力廠商開發展虛擬層的資
安產品
趨勢科技
發展自有雲端管理平台並以Deep Security提供虛
擬主機資安防護及研究由虛擬層進行防護
VPC Gateway: 客戶可快速地建立一個多重備援且安全的通訊頻道到Virtual
Private Cloud(Amazon Virtual Private Cloud)，無須使用專屬的網路設備
Cloud Safety Box: 類似Amazon S3的介面，讓儲存在任何已支援的作業系統下內
容的壓縮、加密與分割得以自動化