云内云外融合网络安全 纵深防御体系研究

基于城轨行业网络安全建设现状和国内外网络安全行业新技术应用调研情况，分析城轨云的网络安全风 险，在遵循城轨协会各项技术规范和“平台统保、系统自保、边界防护、等保达标、安全确保”方针的基础上， 研究城轨云内云外融合网络安全纵深防御体系建设方法，提出安全能力分步建设步骤和区分网域差异化安全能力 构建理念，并探讨城轨云安全运维中心安全运营成熟度模型和各阶段目标，为后续城轨行业云平台安全规划建设 提供指导。通过对软件定义安全、零信任、云工作负载、安全运维中心等创新技术进行对比分析，测试验证了相 关技术在城轨云的创新应用场景，分析了创新技术所带来的技术效益。研究成果对于深化我国城轨云网络安全纵 深防御体系具有一定的参考意义。

Defense-in-depth System for Integrated Network Security Inside and Outside the Cloud

Based on the current situation of network security construction in the urban rail industry and research on the application of new technologies in the network security industry at home and abroad, this study analyzes the network security risks of the urban rail cloud. Beginning with the 20-character policy of guaranteeing compliance and ensuring safety, we study a construction method for an urban rail cloud-integrated network security in-depth defense system, propose step-by-step construction steps of the security capabilities and concept of differentiated security capability construction in different network domains, and discuss the urban rail cloud. The security operation maturity model of the security operation and maintenance center and goals of each stage provide guidance for the subsequent security planning and construction of cloud platforms in the urban rail industry. A comparative analysis of innovative technologies such as software-defined security, zero trust, cloud workloads, and security operation and maintenance centers verifies the innovative application scenarios of related technologies in an urban rail cloud. The technologies introduced by the innovative technologies are analyzed. The results provide good reference significance for deepening the defense-in-depth system of urban rail cloud network security in China.