Community Sharing|Tencent Overseas Games builds game security operation capabilities based on JumpServer
2022-08-04 22:49:00 【FIT2CLOUD Feizhiyun】
Editor's note: At the "2022 JumpServer Open Source Bastion Host City Meetup · Shenzhen" event held on July 9, 2022, Lin, Security Operations Director of Tencent Games Overseas, gave a keynote titled "Forging Industry-Leading Game Security Technology and Operations Capabilities". The following content has been organized from that speech.
The "classify and grade" approach to security management
In many cases the resources and time available for security management are limited. To do security operations work well under these constraints, a "classify and grade" (分级分类) way of thinking is needed. For example, before drawing up a security plan or handling a security risk, the relevant risks have to be identified, classified and graded, so that key resources go first to the high-risk or high-priority items.
Lin, Security Operations Director, Tencent Games Overseas
Tencent Games' overseas business is spread across the world, and the team is likewise distributed across overseas regions. Because the overseas environment is relatively complex, Tencent Cloud alone is not enough to meet the needs of the existing overseas business, so in practice we adopted a multi-cloud environment.
Against this background, the "classify and grade" mindset is critical to building a good security operations system for Tencent Games Overseas. It helps us identify and classify the cloud resources, the related teams around the world, security permissions, relevant policies and the various businesses. For example: user types need to be classified for better permission isolation; VPC areas need to be classified for network separation; regional teams need to be classified to facilitate tiered management. We can then implement the overall strategy according to these classifications.
Given the complex overseas multi-cloud security environment, and combining our bastion host development and security requirements, after a comprehensive comparison of candidates we found that JumpServer, as an open source product, could meet our needs for both security and openness. We therefore chose JumpServer as the bastion host system for the overseas business, to support Tencent Games' security operations work.
JumpServer: a bastion host with Chinese characteristics
When we were selecting a security management system for overseas operations, we found that the concept of a "堡垒机" (bastion host) does not really exist overseas; the "bastion host" is a product category with Chinese characteristics.
Overseas security products are planned around the concept of PAM (Privileged Access Management), for example AWS Systems Manager Session Manager. Domestically there are also "privileged account" products along the same PAM lines: a "super administrator (root) password", for instance, is a privileged account, and security management policies can be customized around the life cycle of the account and of the user's permissions.
These differences in security product design mainly come from differences in management culture at home and abroad. Overseas, monitoring of personnel is regarded as restricting their freedom, whereas domestically stricter control strategies are usually adopted. This has further shaped the different development directions of security audit systems in China and abroad.
■ Characteristics of domestic security audit products
In general, domestic enterprises invest a relatively small share of their overall budget in security, so they tend to choose feature-rich products that satisfy all security operations requirements at once. This demand has spawned a more comprehensive security audit product "with Chinese characteristics", the bastion host, which better fits the security management habits of domestic practitioners;
■ Characteristics of overseas security audit products
Unlike the domestic model of complete recording and unified management, overseas security product lines each focus on developing one area, with a different product responsible for each link in the security audit chain. Overseas security management therefore has to couple different products and integrate them into one security solution. Naturally, this model demands a higher overall analytical capability from the company.
Typical JumpServer application scenarios at Tencent Games Overseas
The following four main application scenarios share some of Tencent Games' experience in building and operating the JumpServer bastion host; the "classify and grade" mindset is reflected in each of them.
Scenario 1: Build a hierarchical organizational management system for flexible management across global regions
For the organizational structure, we first need to plan more than one level of management architecture, and then, together with unified management standards and operating procedures, delegate the relevant permissions level by level down to each organization.
▲ Figure 1 Tencent Games Overseas hierarchical architecture management system
Scenario characteristics:
■ Multi-level management structure with clear permission relationships;
■ Level-by-level hierarchical management to achieve delegation;
■ Unified standards, with risk kept under control.
For global collaboration, time-zone differences mean the teams work at different hours. Through the JumpServer bastion host we can delegate the relevant authority to each organization, and even grant the corresponding audit rights according to the needs of different sites and businesses, so that problems and requirements get 24-hour support. This achieves overall global management and improves the efficiency and level of management as a whole.
Scenario 2: Build an open source, independently controllable ecosystem integrated into the enterprise security operations framework
In this scenario we first need to classify the whole along some dimension, and at the same time split the clusters, for example into high-sensitivity and low-sensitivity ones, and classify the cloud VPCs properly, integrating JumpServer's capabilities into the overall security operations framework.
▲ Figure 2 Tencent Games Overseas security operations overall framework
Scenario characteristics:
■ Unified asset, permission and role management;
■ Network isolation of sensitive assets;
■ Centralized logging, analysis and auditing.
In terms of personnel classification, formal operations staff and DBAs have production permissions, while internal developers, outsourcers, partners and the like should not. Assets, identities and permission decisions are managed through the CMDB together with the identity management system.
Operations staff can use the identity management system to make policy decisions about identities and permissions: whether a person is allowed into a high-sensitivity cluster, and whether they have the privileges to maintain the relevant resources in the high-sensitivity VPC. This achieves good isolation of sensitive assets.
Of course, the cluster segmentation hierarchy and the strength of the control strategy can be set according to the actual business situation. In companies with stricter internal controls, JumpServer can be used to make a more fine-grained division.
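The personnel and asset classification described above can be written down as an explicit, deny-by-default policy check. The following is an added illustrative example, not JumpServer code and not Tencent's implementation: it encodes the rules the talk states (only formal ops staff and DBAs touch production; clusters and VPCs are graded high/low sensitivity; authority is delegated per regional organization) and adds an assumed clearance ceiling per employment type and an assumed rule for privileged accounts. All user names, host names, VPC names and grades are constructed sample data.

```python
"""Classify-and-grade access decision for bastion-host logins.

Added, illustrative example. It is not JumpServer code and does not use
JumpServer's data model; it encodes the classification rules from the talk
as a deny-by-default check so the reasoning is explicit. Clearance levels,
the privileged-account rule and all sample records are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    """Asset/VPC grade, ordered so that '>' means 'more sensitive'."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# From the talk: only formal operations staff and DBAs may operate on production.
PRODUCTION_ROLES = frozenset({"ops", "dba"})

# Assumed clearance ceiling per employment type (not from the talk):
# outsourcers and partners are capped at low-sensitivity assets.
CLEARANCE = {
    "employee": Sensitivity.HIGH,
    "outsourcer": Sensitivity.LOW,
    "partner": Sensitivity.LOW,
}


@dataclass(frozen=True)
class User:
    name: str
    employment: str      # employee | outsourcer | partner
    role: str            # ops | dba | dev | ...
    regions: frozenset   # regional org units delegated to this user


@dataclass(frozen=True)
class Asset:
    hostname: str
    region: str
    vpc: str
    sensitivity: Sensitivity
    production: bool


def decide(user: User, asset: Asset, privileged: bool = False):
    """Return (allowed, reason). Every deny has an explicit cause; anything
    that passes all graded checks is allowed."""
    # Scenario 1: authority is delegated per regional organization.
    if asset.region not in user.regions:
        return False, f"region {asset.region!r} is not delegated to {user.name}"
    # Scenario 2: personnel classification vs. production assets.
    if asset.production and user.role not in PRODUCTION_ROLES:
        return False, f"role {user.role!r} has no production permission"
    # Scenario 2: sensitivity grade of the cluster/VPC vs. employment type.
    ceiling = CLEARANCE.get(user.employment, Sensitivity.LOW)
    if asset.sensitivity > ceiling:
        return False, f"{user.employment} clearance {ceiling.name} is below asset grade {asset.sensitivity.name}"
    # Assumed PAM-style rule: a root/admin login needs a formal ops/dba employee.
    if privileged and (user.employment != "employee" or user.role not in PRODUCTION_ROLES):
        return False, "privileged account requires a formal ops/dba employee"
    return True, "allowed"


# Constructed sample data (not real hosts or people).
ASSETS = {
    "prod-db-sg": Asset("prod-db-sg", "sg", "vpc-sg-high", Sensitivity.HIGH, True),
    "stage-web-sg": Asset("stage-web-sg", "sg", "vpc-sg-low", Sensitivity.LOW, False),
    "ci-runner-sg": Asset("ci-runner-sg", "sg", "vpc-sg-mid", Sensitivity.MEDIUM, False),
    "prod-db-us": Asset("prod-db-us", "us", "vpc-us-high", Sensitivity.HIGH, True),
}
USERS = {
    "alice": User("alice", "employee", "dba", frozenset({"sg"})),
    "bob": User("bob", "employee", "dev", frozenset({"sg"})),
    "carol": User("carol", "outsourcer", "dev", frozenset({"sg"})),
    "dave": User("dave", "partner", "ops", frozenset({"sg"})),
}


def evaluate(user_name: str, asset_name: str, privileged: bool = False):
    """Look up the sample records and run the policy check."""
    return decide(USERS[user_name], ASSETS[asset_name], privileged)


if __name__ == "__main__":
    for u in USERS:
        for a in ASSETS:
            ok, why = evaluate(u, a)
            print(f"{u:6} -> {a:13} {'ALLOW' if ok else 'DENY '} {why}")
```

The order of the checks matters for the audit trail: the region check runs first so that a login attempt outside the delegated organization is recorded as such rather than as a role problem, and the production rule is applied before the sensitivity grade so that a developer's attempt on a production host is denied for the reason the talk gives, regardless of the host's grade.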
Scenario 3: Seamless integration with overseas public clouds to better adapt to multi-cloud environments
To fit the multi-cloud scenario, Tencent Games has different regions and different clouds, each equipped with different VPCs, and the network paths between JumpServer and these VPCs need to be opened. Because dedicated lines are too costly, in this situation we can first do a simple split by regional environment and connect each business through a different regional environment.
For very important regions with large traffic, a dedicated line can be chosen; for less important regions with small traffic, access via VPN or similar can be chosen. Once the network is connected, JumpServer adapts to both directly connected networks and assets onboarded through a domain gateway.
▲ Figure 3 Tencent Games Overseas multi-cloud environment adaptation architecture
Scenario characteristics:
■ Adapts to multi-cloud network environments, supporting domain gateway mode for connecting to network assets;
■ Automatic onboarding of cloud assets via cloud APIs.
At the same time, security policy also has to be developed as part of operations work. Considering security levels, we do not open all VPCs to the bastion host: although JumpServer's security is very good, absolute safety can never be guaranteed. In this case we can choose to open only one key entrance to the intranet. Then, even with too many businesses or VPCs, and even where historical burdens cause network segment conflicts, this network hierarchy still achieves ideal access and makes full use of JumpServer's multi-cloud adaptation capability.
In addition, FIT2CLOUD also has a multi-cloud management platform product called CloudExplorer, with strong multi-cloud management capabilities, so JumpServer is very good at onboarding and adapting the multi-cloud products in an organization.
Scenario 4: Globally distributed multi-site deployment architecture based on container services
For a bastion host, ordinary instability or failure does not directly affect the running of the online environment. But for operations engineers who need to perform key operations or emergency fault handling in production, a bastion host failure directly prevents timely operation, which has a very large impact.
Companies introduce a bastion host to get good management results from it; if the bastion host itself becomes the bottleneck of the management system, that puts the cart before the horse. Because JumpServer has adapted well to multi-cloud container services, we can use JumpServer's container characteristics to give the enterprise a more robust operations architecture and ensure the stability of the overall system.
▲ Figure 4 Globally distributed multi-site deployment architecture based on container services
Scenario characteristics:
■ Supports multi-cloud container services for flexible deployment;
■ Scalability and high availability.
In the multi-cloud container deployment scenario, even if a bastion host failure prevents login for emergency handling, JumpServer still gives users a safeguard. At that point JumpServer's password backup mechanism can be used to log in to the environment directly in an emergency, deal with the fault or urgent matter, and then troubleshoot the bastion host's own problem step by step. This function meets our real emergency maintenance needs.
The value and benefits of the JumpServer bastion host
After deploying JumpServer in a distributed fashion across the multi-cloud environment, the gains for Tencent Games Overseas in the security management of global operations assets include:
■ Deep adaptation to a global multi-region, multi-cloud environment
Given the multi-cloud distribution of our global assets, JumpServer's multi-node deployment lets users choose the nearest access point, reducing operations audit latency, with good cross-region disaster tolerance and high availability. At the same time, JumpServer's unified log audit center supports efficient daily analysis; through JumpServer we can easily spot sensitive operation behavior, rapidly improving the efficiency of daily audit work;
■ Integrated, secure and efficient operations experience
As a widely used open source bastion host, JumpServer is highly open; users can build a secure, independent and controllable management system on it in open source scenarios. JumpServer is also highly usable, and its cost is relatively low;
■ Professional service support
JumpServer has long kept to a monthly iterative release rhythm, and the JumpServer professional team responds quickly to user needs. The whole team holds the attitude that "software only has value, and only has a chance to improve, when it is used", and actively explores paths of co-innovation with users.