
Defense in Depth


Security Layers


┌─────────────────────────────────┐
│         Perimeter Security       │  WAF, DDoS Protection
├─────────────────────────────────┤
│         Network Security         │  Firewalls, VPNs, Segmentation
├─────────────────────────────────┤
│         Host Security            │  OS Hardening, Patching
├─────────────────────────────────┤
│         Application Security     │  AuthN, AuthZ, Input Validation
├─────────────────────────────────┤
│         Data Security            │  Encryption, Access Control
└─────────────────────────────────┘

Layer Controls


1. Perimeter


  • Web Application Firewall (WAF)
  • DDoS protection
  • Rate limiting
  • Bot detection
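Rate limiting is the perimeter control most often left as a one-line item, so here is an added illustration of it in Go (written for this page, not code from any product or service the page mentions). Each client key, here the peer IP, gets its own bucket of `burst` tokens refilled at `rate` tokens per second, and an HTTP middleware answers 429 with a Retry-After header once that client's bucket is empty, without affecting other clients. The IP addresses and the 5-request burst / 2-per-second figures are constructed for the demo.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"sync"
	"time"
)

// bucket is one client's token bucket: tokens available and last refill time.
type bucket struct {
	tokens float64
	last   time.Time
}

// RateLimiter keeps an independent token bucket per client key, so one
// abusive source cannot exhaust the budget of every other client.
type RateLimiter struct {
	mu      sync.Mutex
	rate    float64 // tokens refilled per second
	burst   float64 // bucket capacity (max requests in a burst)
	buckets map[string]*bucket
	now     func() time.Time // clock, replaceable for deterministic testing
}

func NewRateLimiter(rate, burst float64) *RateLimiter {
	return &RateLimiter{
		rate:    rate,
		burst:   burst,
		buckets: make(map[string]*bucket),
		now:     time.Now,
	}
}

// Allow consumes one token for client and reports whether the request may proceed.
func (rl *RateLimiter) Allow(client string) bool {
	rl.mu.Lock()
	defer rl.mu.Unlock()
	t := rl.now()
	b, ok := rl.buckets[client]
	if !ok {
		b = &bucket{tokens: rl.burst, last: t} // new clients start with a full bucket
		rl.buckets[client] = b
	}
	// Refill in proportion to elapsed time, never above capacity.
	b.tokens += t.Sub(b.last).Seconds() * rl.rate
	if b.tokens > rl.burst {
		b.tokens = rl.burst
	}
	b.last = t
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Middleware rejects requests with 429 once a client's bucket is empty.
// The client key is the peer IP; behind a trusted proxy you would key on the
// proxy-supplied client address instead, never on an unauthenticated header.
func (rl *RateLimiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			host = r.RemoteAddr
		}
		if !rl.Allow(host) {
			w.Header().Set("Retry-After", "1")
			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed demo: 5-request burst, refilled at 2 requests per second.
	rl := NewRateLimiter(2, 5)
	for i := 1; i <= 7; i++ {
		fmt.Printf("request %d from 203.0.113.7: allowed=%v\n", i, rl.Allow("203.0.113.7"))
	}
}
```

Wrap a real server as `rl.Middleware(mux)`. A WAF or CDN in front of the application usually does this job at the edge; the in-process limiter is the second layer that still holds when a request bypasses the edge.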

2. Network


  • Network segmentation (VPCs, subnets)
  • Security groups / firewalls
  • VPN for internal access
  • Zero-trust network access

3. Host


  • OS hardening
  • Patch management
  • Endpoint protection
  • File integrity monitoring

4. Application


  • Authentication (OAuth2, OIDC)
  • Authorization (RBAC, ABAC)
  • Input validation
  • Output encoding
  • Session management
  • Secure headers
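The input validation, output encoding and secure headers bullets above, combined into one added Go example (illustration code written for this page, not from any framework the page names). It shows an allow-list validator applied at the request boundary, the unsafe string-interpolation render next to the html/template render that escapes the same payload, and a middleware that sets the headers on every response, including the error responses that attackers provoke most. The route, the username format and the exact header values are assumptions for the demo; tune CSP to what the application actually loads.

```go
package main

import (
	"fmt"
	"html/template"
	"log"
	"net/http"
	"regexp"
	"strings"
)

// Input validation: allow-list the expected shape at the boundary instead of
// trying to block-list dangerous characters.
var usernameRe = regexp.MustCompile(`^[A-Za-z0-9_]{3,32}$`)

func ValidUsername(s string) bool { return usernameRe.MatchString(s) }

// RenderUnsafe is the anti-pattern: untrusted input interpolated straight into
// HTML. Any name containing markup becomes part of the page.
func RenderUnsafe(name string) string {
	return fmt.Sprintf("<p>Hello, %s</p>", name)
}

// RenderSafe uses html/template, which escapes by output context, so the same
// payload is rendered as inert text.
var greetTmpl = template.Must(template.New("greet").Parse("<p>Hello, {{.}}</p>"))

func RenderSafe(name string) (string, error) {
	var sb strings.Builder
	if err := greetTmpl.Execute(&sb, name); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// SecureHeaders adds browser-enforced controls to every response. It runs
// before the handler so error responses carry the same headers.
func SecureHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")
		h.Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("X-Frame-Options", "DENY")
		h.Set("Referrer-Policy", "no-referrer")
		h.Set("Cache-Control", "no-store")
		next.ServeHTTP(w, r)
	})
}

// greetHandler validates first, then renders through the escaping path only.
func greetHandler(w http.ResponseWriter, r *http.Request) {
	name := r.URL.Query().Get("name")
	if !ValidUsername(name) {
		http.Error(w, "invalid username", http.StatusBadRequest)
		return
	}
	out, err := RenderSafe(name)
	if err != nil {
		http.Error(w, "render failed", http.StatusInternalServerError)
		return
	}
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprint(w, out)
}

// NewApp wires the route behind the header middleware.
func NewApp() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/greet", greetHandler)
	return SecureHeaders(mux)
}

func main() {
	payload := `<script>alert(1)</script>` // constructed XSS probe
	fmt.Println("unsafe:", RenderUnsafe(payload))
	safe, _ := RenderSafe(payload)
	fmt.Println("safe:  ", safe)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", NewApp()))
}
```

Validation and encoding are independent layers on purpose: the validator stops the probe at `/greet`, but any other code path that reaches the template still gets the escaping, which is what defense in depth means at this layer.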

5. Data


  • Encryption at rest (AES-256)
  • Encryption in transit (TLS 1.3)
  • Key management
  • Data masking
  • Access logging

Security Checklist


  • WAF configured with the OWASP Core Rule Set (CRS)
  • Network segmentation in place
  • All traffic encrypted (TLS)
  • Authentication on all endpoints
  • Least privilege access controls
  • Secrets held in a secrets manager, never in source or config files
  • Audit logging enabled
  • Backups encrypted and tested

Principle of Least Privilege


Grant only the minimum permissions needed:
  • Use IAM roles, not long-lived credentials
  • Scope permissions to specific resources
  • Regular access reviews
  • Just-in-time access for sensitive operations
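"Scope permissions to specific resources" is easy to state and easy to violate with a single "*". The added Go example below (illustration code for this page, not AWS tooling) lints an IAM policy document for the three commonest least-privilege failures: a wildcard action, a wildcard resource, and a privilege-granting action such as iam:PassRole or sts:AssumeRole with no Condition narrowing it. The two sample policies, the account ID 123456789012 and the bucket and role names are constructed; the linter assumes the list form of Statement and does not interpret NotAction or NotResource.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement models the fields this linter needs from an IAM policy statement.
// Action/Resource are RawMessage because IAM accepts a string or a list there.
// NotAction/NotResource are not handled; a policy using them needs review by hand.
type Statement struct {
	Sid       string          `json:"Sid"`
	Effect    string          `json:"Effect"`
	Action    json.RawMessage `json:"Action"`
	Resource  json.RawMessage `json:"Resource"`
	Condition json.RawMessage `json:"Condition"`
}

// Policy assumes the Statement element is a list, the form most tooling emits.
type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// asList normalises IAM's "string or array of strings" into a slice.
func asList(raw json.RawMessage) ([]string, error) {
	if len(raw) == 0 {
		return nil, nil
	}
	var one string
	if err := json.Unmarshal(raw, &one); err == nil {
		return []string{one}, nil
	}
	var many []string
	if err := json.Unmarshal(raw, &many); err != nil {
		return nil, err
	}
	return many, nil
}

// privilegeActions can escalate and should always carry a Condition
// (for example iam:PassedToService or sts:ExternalId) narrowing who or what.
var privilegeActions = map[string]bool{"iam:PassRole": true, "sts:AssumeRole": true}

// LintPolicy returns one finding per way an Allow statement exceeds least
// privilege. An empty result means the policy passed these checks, not that it
// is minimal: whether every listed action is needed is a human decision.
func LintPolicy(doc []byte) ([]string, error) {
	var p Policy
	if err := json.Unmarshal(doc, &p); err != nil {
		return nil, err
	}
	var findings []string
	for i, st := range p.Statement {
		if st.Effect != "Allow" {
			continue // Deny statements only ever narrow access
		}
		label := st.Sid
		if label == "" {
			label = fmt.Sprintf("Statement[%d]", i)
		}
		actions, err := asList(st.Action)
		if err != nil {
			return nil, fmt.Errorf("%s: Action: %w", label, err)
		}
		resources, err := asList(st.Resource)
		if err != nil {
			return nil, fmt.Errorf("%s: Resource: %w", label, err)
		}
		for _, a := range actions {
			if a == "*" || strings.HasSuffix(a, ":*") {
				findings = append(findings, label+": wildcard action "+a)
			}
			if privilegeActions[a] && len(st.Condition) == 0 {
				findings = append(findings, label+": "+a+" without a Condition")
			}
		}
		for _, r := range resources {
			if r == "*" {
				findings = append(findings, label+": Resource \"*\" for "+strings.Join(actions, ", "))
			}
		}
	}
	return findings, nil
}

// Constructed sample policies: one over-broad, one scoped to a single bucket prefix.
const BroadPolicy = `{"Version":"2012-10-17","Statement":[
  {"Sid":"Uploads","Effect":"Allow","Action":"s3:*","Resource":"*"},
  {"Sid":"Deploy","Effect":"Allow","Action":["iam:PassRole"],"Resource":"arn:aws:iam::123456789012:role/app-task"}]}`

const ScopedPolicy = `{"Version":"2012-10-17","Statement":[
  {"Sid":"Uploads","Effect":"Allow","Action":["s3:GetObject","s3:PutObject"],"Resource":"arn:aws:s3:::app-uploads/tenant-42/*"},
  {"Sid":"Deploy","Effect":"Allow","Action":["iam:PassRole"],"Resource":"arn:aws:iam::123456789012:role/app-task",
   "Condition":{"StringEquals":{"iam:PassedToService":"ecs-tasks.amazonaws.com"}}}]}`

func main() {
	for name, doc := range map[string]string{"broad": BroadPolicy, "scoped": ScopedPolicy} {
		findings, err := LintPolicy([]byte(doc))
		fmt.Printf("%s: %d finding(s) err=%v\n", name, len(findings), err)
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Run it in CI against every policy attached to a role before it is deployed; the "regular access reviews" bullet is the same check applied to what is already attached, which is where scope tends to widen over time.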