We will introduce the basics of cloud security, including three very simple security concepts.
Here you go! Read on and please share your thoughts in the comments below.
Three security fundamentals
#1 Protection
Google Cloud provides protection from threats through a secure foundation. It offers the core infrastructure that is designed, built and operated to help prevent threats. How is it done? Here are a few of the ways!
Defense in depth
Google’s infrastructure doesn’t rely on any single technology to make it secure. Rather, it builds security through progressive layers that deliver true defense in depth.
Other cloud providers may describe a similar stack of capabilities, but the way Google Cloud approaches many of these is unique. Here is how:
The hardware is Google controlled, built and hardened.
Any application binary that runs on Google infrastructure is deployed securely.
There is no assumption of any trust between services, and multiple mechanisms are used to establish and maintain trust; the infrastructure was designed to be multi-tenant from the beginning.
All identities, users and services, are strongly authenticated.
Data stored on Google’s infrastructure is automatically encrypted at rest and distributed for availability and reliability.
Communications over the Internet to Google Cloud services are encrypted.
The scale of the infrastructure allows it to absorb many Denial of Service (DoS) attacks, and there are multiple layers of protection that further reduce the risk of any DDoS impact.
The operations teams detect threats and respond to incidents 24 x 7 x 365.
If this is intriguing, here is a white paper on Google infrastructure design that goes into all of these areas in significant detail.
End-to-end provenance & attestation
Google’s hardware infrastructure is custom-designed by Google “from chip to chiller” to precisely meet their requirements, including security.
Google’s servers and operating systems (OS) are designed for the sole purpose of providing Google services.
The servers are custom built and don’t include unnecessary components like video cards or peripheral interconnects that can introduce vulnerabilities.
The same goes for software, including low-level software and the OS, which is a stripped-down, hardened version of Linux.
Further, Google designed and included hardware specifically for security, like Titan, a custom security chip that is used to establish a hardware root of trust in the servers and peripherals.
Network hardware and software are also purpose built to improve performance as well as security.
This all rolls up to the custom data center designs, which include multiple layers of physical and logical protection.
Understanding provenance from the bottom of the hardware stack to the top allows Google Cloud to control the underpinnings of the security posture. Unlike other cloud providers, Google has greatly reduced the “vendor in the middle problem” — if a vulnerability is found, steps can be taken immediately to develop and roll out a fix. This level of control results in greatly reduced exposure.
Private backbone
Google operates one of the largest backbone networks in the world. There are more than 130 points of presence across 35 countries — and there is a continuous addition of more zones and regions to meet customers’ preferences and policy requirements.
Google’s network delivers low latency but also improves security. Once customers’ traffic is on Google’s network it is no longer transiting the public internet, making it less likely to be attacked, intercepted, or manipulated.
Encryption at rest by default
We will cover this one in more detail in the upcoming comics, but in short, all data at rest or in motion is encrypted by default on the Google network. Some services also offer the option to supply or manage your own keys.
Update at scale without disruptions
Google has the ability to update the cloud infrastructure without disrupting customers using a technology called Live Migration.
Updates add functionality, but from a security standpoint they are also required to patch software vulnerabilities. No one writes perfect software, so this is a constant requirement.
Keeping ahead of threats
The security landscape evolves rapidly, and many organizations struggle to keep pace. Because Google runs on the same infrastructure that is available to customers, customers benefit directly from those investments.
The global footprint across enterprises and consumers gives Google an unprecedented visibility into threats and attacks. As a result, solutions can be developed before many other organizations even see the threats, reducing exposure.
#2 Controls
In the cloud there can be many control options to make sure the apps, data and services you deploy are secure. The most important thing to understand is that “cloud security requires collaboration”:
Your cloud provider (Google Cloud) is responsible for securing the infrastructure.
You are responsible for securing your data.
And Google Cloud provides the best practices, templates, products and solutions to help you secure your data and services.
I am keeping this section short because I am planning another comic issue on this topic; there is a lot more to learn here, so stay tuned!
#3 Compliance
To protect the sensitive data that you store in Google Cloud, it maintains and undergoes compliance with complex regulations, frameworks and guidelines, for example HIPAA, FedRAMP and SOC.
Translated from: https://medium.com/google-cloud/how-can-google-cloud-help-with-security-of-your-apps-8f5692f56177