How to reconcile GOST R 57580 with container virtualization. The Central Bank's response (and our thoughts on the matter)

Not long ago we carried out an assessment of compliance with the requirements of GOST R 57580 (hereafter simply GOST). The client is a company that develops an electronic payment system. The system is large: more than 3 million users and more than 200 thousand transactions per day. Information security is taken seriously there.

During the audit, the client mentioned in passing that the development department, in addition to virtual machines, was planning to use containers. But, the client added, there was one problem: GOST does not say a single word about Docker. What should be done? How should container security be assessed?


It is true that GOST only covers hardware virtualization: how to protect virtual machines, the hypervisor and the servers. We asked the Central Bank for clarification. The answer surprised us.

GOST and virtualization

To begin with, recall that GOST R 57580 is a new standard that defines the "requirements for ensuring the information security of financial organizations" (FIs). These FIs include operators and participants of payment systems, credit and non-credit organizations, and operating and clearing centers.

From January 1, 2021, FIs are required to conduct an assessment of compliance with the requirements of the new GOST. We, ITGLOBAL.COM, are an audit company that conducts such assessments.

GOST has a subsection dedicated to the protection of virtualized environments: No. 7.8. The term "virtualization" is not defined there, and there is no distinction between hardware virtualization and containers. Any IT specialist will say that from a technical point of view this is wrong: a virtual machine (VM) and a container are different environments with different isolation principles. From the point of view of the exposure of the host on which VMs and Docker containers are deployed, the difference is also large.

It follows that the information security assessment of VMs and of containers should also differ.

Our questions to the Central Bank

We sent them to the Information Security Department of the Central Bank (the questions are given here in abbreviated form).

  1. How should Docker-type virtual containers be treated when assessing GOST compliance? Is it correct to assess this technology in accordance with subsection 7.8 of GOST?
  2. How should virtual container management tools be assessed? Can they be equated with server virtualization components and assessed under the same subsection of GOST?
  3. Is it necessary to assess information security inside Docker containers separately? If so, which safeguards should be considered for this during the audit?
  4. If containerization is equated with virtual infrastructure and assessed under subsection 7.8, how are the GOST requirements for the implementation of dedicated information security tools fulfilled?

The Central Bank's response

Below are the main excerpts.

"GOST R 57580.1-2017 establishes requirements to be implemented by applying technical measures with respect to the following information protection measures of subsection 7.8 of GOST R 57580.1-2017, which, in the Department's opinion, can be extended to cases where container virtualization technology is used, taking the following into account:

  • the implementation of measures ZSV.1 - ZSV.11 for organizing identification, authentication and authorization (access control) when implementing logical access to virtual machines and server virtualization components may differ in cases where container virtualization technology is used. With this in mind, for the implementation of a number of measures (for example, ZSV.6 and ZSV.7), we believe it is possible to recommend that financial institutions develop compensating measures that pursue the same objectives;
  • the implementation of measures ZSV.13 - ZSV.22 for organizing and controlling the information interaction of virtual machines provides for the segmentation of the financial organization's computer network in order to separate information objects that implement virtualization technology and belong to different security circuits. With this in mind, we believe it is advisable to provide for appropriate segmentation when using container virtualization technology (both with respect to the executable virtual containers and with respect to the virtualization systems used at the operating system level);
  • the implementation of measures ZSV.26 and ZSV.29 - ZSV.31 for organizing the protection of virtual machine images should, by analogy, also be carried out to protect the base and current images of containers;
  • the implementation of measures ZSV.32 - ZSV.43 for recording information security events related to access to virtual machines and server virtualization components should, by analogy, also be carried out with respect to the elements of the virtualization environment that implement container virtualization technology."

What this means

Two important points follow from the response of the Central Bank's Information Security Department:

  • the measures for protecting containers are no different from the measures for protecting virtual machines;
  • it follows that, in the context of information security, the Central Bank equates two different types of virtualization: Docker containers and VMs.

The response also mentions "compensating measures" that need to be developed to neutralize threats. What these "compensating measures" are, and how their sufficiency, completeness and effectiveness should be measured, is not stated.

What is wrong with the Central Bank's position?

If you follow the Central Bank's recommendations during an assessment (and during self-assessment), you need to resolve a number of technical and logical difficulties.

  • Every executable container would need information protection software (SZI) installed on it: antivirus, integrity monitoring, log handling, a DLP (Data Leak Prevention) system, and so on. All of this can be installed on a VM without any problem, but in the case of a container, installing security tools is an absurd undertaking. A container contains the minimum set of components needed for the service to run. Installing SZI in it contradicts its very purpose.
  • Container images should be protected according to the same principle; how to implement this is also unclear.
  • GOST requires restricting access to server virtualization components, i.e. to the hypervisor. What counts as a server component in the case of Docker? Does this mean that each container must be run on a separate host?
  • If, for conventional virtualization, VMs can be separated by security circuits and network segments, then in the case of Docker containers within a single host this is not so.

In practice, it is likely that each auditor will assess container security in their own way, based on their knowledge and experience. Or not assess it at all, if they have neither.

Just in case, we add that from January 1, 2021 the minimum compliance score must be no lower than 0.7.

By the way, we regularly publish responses and comments from regulators on the requirements of GOST 57580 and the Central Bank's regulations in our Telegram channel.

What to do

In our opinion, financial organizations have only two options for solving the problem.

1. Avoid implementing containers

A solution for those who are willing to make do with hardware virtualization only, and who at the same time fear low GOST scores and fines from the Central Bank.

Plus: it is easier to meet the requirements of subsection 7.8 of GOST.

Minus: you have to give up modern development tools based on container virtualization, in particular Docker and Kubernetes.

2. Forgo compliance with the requirements of subsection 7.8 of GOST

But at the same time, apply best practices for ensuring information security when working with containers. This is a solution for those who value new technologies and the opportunities they provide. By "best practices" we mean industry-accepted norms and standards for securing Docker containers:

  • security of the host OS, a properly configured access system, a ban on data exchange between containers, and so on;
  • using the Docker Content Trust feature to verify image integrity, and using a vulnerability scanner;
  • not forgetting the security of remote access and of the network infrastructure as a whole: attacks such as ARP spoofing and MAC flooding have not gone away.
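As an added illustration (our own example, not part of the original article), the checker below maps the best practices listed above, together with the Central Bank's "by analogy" reading of the ZSV measure groups, onto concrete Docker daemon settings. It assumes the daemon.json keys used (icc, no-new-privileges, userns-remap, log-driver, tlsverify, hosts) and the DOCKER_CONTENT_TRUST environment variable, which are standard Docker settings; the mapping of measures to settings is our own interpretation.

```python
import json

# Measure group -> (finding text, predicate over the parsed daemon.json and
# the environment of the user running the Docker CLI). The grouping follows
# the Central Bank's response; the setting chosen for each group is ours.
CHECKS = [
    ("ZSV.1-11 access control", "no-new-privileges should be true",
     lambda cfg, env: cfg.get("no-new-privileges") is True),
    ("ZSV.1-11 access control", "userns-remap should map container root",
     lambda cfg, env: bool(cfg.get("userns-remap"))),
    ("ZSV.13-22 segmentation", "icc (inter-container traffic) should be false",
     lambda cfg, env: cfg.get("icc") is False),
    ("ZSV.13-22 segmentation", "a TCP API socket needs tlsverify",
     lambda cfg, env: cfg.get("tlsverify") is True
     or not any(h.startswith("tcp://") for h in cfg.get("hosts", []))),
    ("ZSV.26,29-31 image protection", "DOCKER_CONTENT_TRUST=1 should be set",
     lambda cfg, env: env.get("DOCKER_CONTENT_TRUST") == "1"),
    ("ZSV.32-43 event logging", "log-driver should ship logs off the host",
     lambda cfg, env: cfg.get("log-driver") in ("syslog", "gelf", "fluentd", "splunk")),
]


def audit(daemon_json: str, env: dict) -> list:
    """Return (measure group, finding) pairs for every check that fails."""
    cfg = json.loads(daemon_json)
    return [(group, text) for group, text, ok in CHECKS if not ok(cfg, env)]


# Constructed sample inputs: a near-default daemon exposing the API over TCP,
# and a hardened one with only the local Unix socket.
WEAK = json.dumps({"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]})
HARDENED = json.dumps({
    "icc": False, "no-new-privileges": True, "userns-remap": "default",
    "log-driver": "syslog", "hosts": ["unix:///var/run/docker.sock"],
})

if __name__ == "__main__":
    for group, text in audit(WEAK, {}):
        print("FAIL", group, "-", text)
    print("hardened findings:", audit(HARDENED, {"DOCKER_CONTENT_TRUST": "1"}))
```

The finding list is what an auditor could attach to each measure group when documenting the "compensating measures" the Central Bank's response asks for.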

Plus: there are no technical restrictions on the use of container virtualization.

Minus: there is a high probability that the regulator will impose penalties for non-compliance with the GOST requirements.

Conclusion

Our client decided not to abandon containers. At the same time, they had to reconsider the scope of work and the timeline of the Docker migration (it stretched to six months). The client fully understands the risks. They also understand that during the next GOST R 57580 compliance assessment, much will depend on the auditor.

What would you do in this situation?

source: www.habr.com
