Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This standard is one of the series of standards for financial applications of cloud computing technology, which include:
——Financial application specification of cloud computing technology - Technical architecture;
——Financial application specification of cloud computing technology - Disaster recovery.
This standard is developed in accordance with the rules given in GB/T 1.1-2009.
This standard was proposed by the People's Bank of China.
This standard is under the jurisdiction of the National Technical Committee on Finance of Standardization Administration of China (SAC/TC 180).
Financial application specification of cloud computing technology - Technical architecture
1 Scope
This standard specifies the requirements for the technical architecture of cloud computing platforms in the financial field, covering the service categories, deployment models, parties, architectural characteristics and architecture system of cloud computing.
This standard is applicable to cloud service providers, cloud service users, cloud service partners, etc. in the financial field.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the edition cited applies to this document. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 32400-2015 Information technology - Cloud computing - Overview and vocabulary
GB 50174-2017 Code for design of data centers
JR/T 0071-2012 Implementation guide for classified protection of information system of financial industry
JR/T 0131-2015 Financial information system room power system specification
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
party
one or a group of natural or legal persons, regardless of whether the legal person is registered
[GB/T 32400-2015, Definition 3.1.6]
3.2
cloud computing
a paradigm in which a scalable and elastic pool of shareable physical or virtual resources is provisioned and managed through on-demand self-service via a network
Note: Resources include servers, operating systems, networks, software, applications and storage equipment.
[GB/T 32400-2015, Definition 3.2.5]
3.3
cloud service
one or more capabilities provided through the interfaces already defined by cloud computing
[GB/T 32400-2015, Definition 3.2.8]
3.4
cloud service provider
the party providing cloud service
[GB/T 32400-2015, Definition 3.2.15]
3.5
cloud service user
the party using cloud service
3.6
cloud service partner
the party who supports or assists cloud service provider activities, cloud service user activities, or both
3.7
cloud service auditor
the cloud service party responsible for auditing the provision and use of cloud service
3.8
cloud computing platform
the collection of cloud computing infrastructure and its service software provided by the cloud service provider and cloud service partner
3.9
private cloud
a cloud deployment model in which a cloud service is used only by one cloud service user and the resources are controlled by this cloud service user
3.10
community cloud
a cloud deployment model in which a cloud service is used and shared by a specific set of cloud service users, and the resources are controlled by the cloud service provider or users, both of whom have identical or highly similar supervision policies, security requirements, etc.
3.11
public cloud
a cloud deployment model in which a cloud service can be used by any cloud service user and the resources are controlled by cloud service provider
3.12
hybrid cloud
a cloud deployment model including two or more deployment models
3.13
infrastructure as a service
a cloud service category providing the cloud service user with the infrastructure capability type among the cloud capability types
3.14
platform as a service
a cloud service category providing the cloud service user with the platform capability type among the cloud capability types
3.15
software as a service
a cloud service category providing the cloud service user with the application capability type among the cloud capability types
3.16
tenant
one or more cloud service users accessing a group of physical or virtual resources in sharing mode
3.17
multi-tenancy
the characteristic of allocating physical or virtual resources such that multiple tenants, together with their computations and data, are isolated from and inaccessible to one another
[GB/T 32400-2015, Definition 3.2.27]
3.18
physical machine
the physical server corresponding to the virtual machine, which can provide a hardware environment for the virtual machine
3.19
physical machine service
the service providing the cloud service user with physical machine directly
3.20
virtual machine
a general term for the operating system and application operating environment provided to the user by means of various virtualization technologies, equivalent to that of a physical server. A virtual machine typically consumes the resources of a physical server, and to the user its usage model appears identical to that of the physical server
3.21
hypervisor
the virtualization module that manages the operating system of the physical machine and controls the flow of requests between the user's (guest) operating system and the physical hardware
3.22
container
the operating environment providing a lightweight and isolated set of processes and resources through the technology of operating system virtualization
3.23
resource pool
a collection of physical or virtual resources from which resources can be obtained according to certain rules, and to which they can be released and recycled by the pool; resources include physical machines, virtual machines, physical and virtual storage resources, and physical and virtual network resources
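The two definitions above (3.17 multi-tenancy and 3.23 resource pool) describe a pool that hands resources to tenants, takes them back, and recycles them while keeping tenants isolated. The following illustration is added here and is not part of the standard; the class and method names (ResourcePool, acquire, access, release, TenantIsolationError) are assumptions chosen for the example. It shows the two checks a practitioner cares about: a tenant cannot reach a resource owned by another tenant, and a recycled resource returns to the pool with its previous tenant's data scrubbed.

```python
"""Toy resource pool with tenant isolation and scrubbing on recycle.

Added illustration of definitions 3.17 and 3.23; names are assumptions,
not taken from the standard.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class TenantIsolationError(Exception):
    """Raised when a tenant touches a resource it does not own."""


@dataclass
class Resource:
    kind: str                          # e.g. "vm", "storage", "network"
    rid: str                           # resource identifier (constructed)
    owner: Optional[str] = None        # tenant id, None while in the free pool
    data: Dict[str, str] = field(default_factory=dict)  # tenant-visible state


class ResourcePool:
    """Resources are obtained from, released to and recycled by the pool."""

    def __init__(self) -> None:
        self._free: Dict[str, List[Resource]] = {}
        self._allocated: Dict[str, Resource] = {}

    def add(self, res: Resource) -> None:
        self._free.setdefault(res.kind, []).append(res)

    def acquire(self, tenant: str, kind: str) -> Optional[Resource]:
        """Obtain a free resource of `kind` for `tenant`; None if exhausted."""
        free = self._free.get(kind, [])
        if not free:
            return None
        res = free.pop()
        res.owner = tenant
        self._allocated[res.rid] = res
        return res

    def access(self, tenant: str, rid: str) -> Resource:
        """Every access is checked against ownership (multi-tenancy)."""
        res = self._allocated.get(rid)
        if res is None or res.owner != tenant:
            raise TenantIsolationError(f"{tenant} may not access {rid}")
        return res

    def release(self, tenant: str, rid: str) -> Resource:
        """Only the owner may release; the pool scrubs and recycles."""
        res = self.access(tenant, rid)
        del self._allocated[rid]
        res.owner = None
        res.data.clear()          # scrub before the resource is reused
        self._free.setdefault(res.kind, []).append(res)
        return res


def demo() -> dict:
    """Constructed scenario: two tenants share a pool of two VMs."""
    pool = ResourcePool()
    for i in range(2):
        pool.add(Resource("vm", f"vm-{i}"))
    pool.add(Resource("storage", "vol-0"))

    vm_a = pool.acquire("tenant-a", "vm")
    pool.acquire("tenant-b", "vm")
    pool.access("tenant-a", vm_a.rid).data["secret"] = "tenant-a-only"

    try:                      # tenant-b must be blocked from tenant-a's VM
        pool.access("tenant-b", vm_a.rid)
        blocked = False
    except TenantIsolationError:
        blocked = True

    pool.release("tenant-a", vm_a.rid)          # back to the pool, scrubbed
    reused = pool.acquire("tenant-b", "vm")     # tenant-b gets the recycled VM
    exhausted = pool.acquire("tenant-c", "vm")  # no VMs left

    return {
        "cross_tenant_blocked": blocked,
        "recycled_reused": reused.rid == vm_a.rid,
        "scrubbed": reused.data == {},
        "exhausted": exhausted is None,
    }


if __name__ == "__main__":
    print(demo())
```

The scrub in `release` is the step that turns a plain allocator into a multi-tenant one: without it, the recycled VM would hand tenant-a's state to tenant-b even though the ownership check itself is correct.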
3.24
sensitive data
the data which, once disclosed, may cause loss to the user or the financial institution, including but not limited to:
a) sensitive user data, e.g. user passwords and keys;
b) sensitive system data, e.g. system keys and key system management data;
c) other sensitive business data required to be kept secret;
d) crucial operational commands;
e) main system configuration files;
f) other data required to be kept secret.
[JR/T 0071-2012, Definition 3.1]
4 Abbreviations
For the purposes of this document, the following abbreviations apply.
ACL Access Control List
CPU Central Processing Unit
DSaaS Data Storage as a Service
HTTP Hypertext Transfer Protocol
I/O Input/Output
IaaS Infrastructure as a Service
NaaS Network as a Service
PaaS Platform as a Service
QoS Quality of Service
SaaS Software as a Service
SQL Structured Query Language
TCP Transmission Control Protocol
VPN Virtual Private Network
5 General
5.1 Service category
Cloud services mainly include Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). In addition, according to service content, they can be divided into specific service categories such as Network as a Service (NaaS) and Data Storage as a Service (DSaaS).
IaaS provides basic resource services such as computing, storage and network. Cloud service users may use, monitor and manage the resources on the cloud computing platform via management platform, Application Programming Interface (API), etc.
PaaS provides the software development and operating platform services on the cloud computing infrastructure. Cloud service users can perform system development, testing, integration, deployment, operation, maintenance, etc. based on the PaaS provided by the cloud computing platform.
SaaS provides the application software services that run on the cloud computing infrastructure, such as email services.