September 2021
Beginner to intermediate
392 pages
12h 13m
Chinese
book
Google系统架构解密: 构建安全可靠的系统
by Heather Adkins, Betsy Beyer, Paul Blankinship, Piotr Lewandowski, Ana Oprea, Adam Stubblefield
Content preview from Google系统架构解密: 构建安全可靠的系统
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
最小特权设计
|
61
5.8
小结
在设计复杂系统时,最小特权模型是最安全的方法之一,它能确保客户端有且只有完成任
务所需要的权限。这是一个强大的设计范式,可以保护系统和数据,避免其遭受已知或未
知用户造成的恶意(或意外)的损坏。
Google
团队花费了大量的时间和精力来实施这个模
型。以下是其中的关键环节。
•
全面了解系统的功能,以便根据每个部分的安全风险级别进行分类。
•
基于此分类,将系统分区以及对数据的访问级别尽可能地精细化。最小功能化的
API
是最小特权的必需品。
•
身份认证系统可用于用户尝试访问系统时验证其凭据。
•
授权系统可以实施定义明确的安全策略,可以轻松附加到精细化分区的系统。
•
一套细粒度授权的高级控制机制。例如,提供临时权限、多因素授权和多方审批等功能。
•
支持这些关键概念的系统的运营需求,至少需要以下几项。
–
有能力审计所有访问并生成信号,以识别威胁并进行历史取证分析。
–
推理、定义、测试和调试安全策略,为用户提供策略咨询的支持。
–
当系统出现非预期情况时,可以使用
Breakglass
机制。
要让以上组件以用户和开发人员方便使用的方式运行,并且不会明显地影响工作效率,还
要有组织承诺尽可能无缝地衔接最小特权机制。这个承诺含有一个集中的安全功能,其中
包括安全态势,以及通过安全咨询、策略定义、威胁检测和对安全相关问题的支持等方式
与用户和开发人员进行交互。
虽然这可能是一项艰巨的任务,但我们坚信,这是对现有安全态势落地的重大改进。
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.