© 2016 绿盟科技 导读 在 2015 年中，软件定义安全大多还在探讨这个体系架构诞生 的年代，还看到软件定义安全是一个新的热潮，而在今年已 经可以看到自适应安全、自动化应用编排、零信任 / 微分段、 体系标准化等落地应用形式，软件定义安全的发展速度由此 可见一斑。 2016 绿盟科技软件定义安全白皮书，着重探讨了安全编排、 资源池建设两个软件定义安全的核心部分，同时从落地实践 的角度，分享三个方面的实践经验，包括面向混合云和移动 办公的自适应访问控制；面向公有云的安全服务；可编排的 应急响应 / 弹性服务。 需要明确的是，软件定义安全与云计算安全无论从逻辑上还是 架构上都没有必然的联系。软件定义的安全方案同样也可以部 署在传统 IT 环境，如果能做到开放接口，通过软件驱动底层 安全设备，通过软件编排上层应用，那么这套安全防护体系也 是软件定义的。相反，即使在云环境中部署了大量的安全机制， 但如果仅是简单堆砌，那并不是软件定义安全。 本篇白皮书仍会重点讨论软件定义安全体系在云环境中应用， 着眼于其落地交付过程，此外也会讨该体系在 BYOD、传统 IT 环境等场景可能的应用。 如需了解更多，请联系： 特别声明 为避免客户数据泄露，所有数据在进行分析前都已经匿名化处理，不会在中间环节出现 泄露，任何与客户有关的具体信息，均不会出现在本报告中。 版权声明 本文中出现的任何文字叙述、文档格式、插图、照片、方法、过程等内容，除另有特别注明， 版权均属绿盟科技所有，受到有关产权及版权法保护。任何个人、机构未经绿盟科技的书面授 权许可，不得以任何方式复制或引用本文的任何片断。 目录 一 . 前言 ·····································································································1 二 . 背景 ·····································································································3 三 . “软件定义”之百家论 ······································································5 3.1 自适应安全······················································································································································ 5 3.2 自动化应用编排 ············································································································································ 6 3.3 零信任 / 微分段 ············································································································································ 7 3.4 体系标准化 ····················································································································································· 8 四 . 安全编排：一切防护皆软件定义 ······················································· 9 4.1 应用编排：软件定义安全的灵魂 ··········································································································· 9 4.2 在线商店：交付革命································································································································ 10 五 . 资源池：按需而变的安全能力 ·························································13 5.1 理想主义的困境 ········································································································································· 13 5.2 资源池：打通最后一环 ··························································································································· 14 5.3 资源池架构 ·················································································································································· 15 5.4 云计算环境的安全防护 ··························································································································· 19 1．南北向流量的安全防护 ······································································································· 19 2．东西向流量的安全防护 ······································································································· 20 5.5 传统环境的安全防护································································································································ 21 六 . 软件定义安全实践 ············································································22 6.1 面向混合云和移动办公的自适应访问控制 ····················································································· 22 6.2 面向公有云的安全服务 ··························································································································· 26 6.3 可编排的应急响应 / 弹性服务 ············································································································ 27 七 . 结束语 ·······························································································31 　　参考文献···························································································32 八 . 关于绿盟 - 巨人背后的专家······························································33 图表索引 图 3.1 自适应安全模型 ······································································································································ 5 图 3.2 Phantom Cyber 的架构···················································································································· 7 图 4.1 安全 APPStore ···································································································································· 11 图 4.2 客户端部署的安全应用····················································································································· 11 图 5.1 基于资源池的安全体系················································