December 1, 2019 marked a significant milestone for many enterprise security operations teams, as the national security standard "Information Security Technology Network Security Grade Protection Basic Requirements" version 2.0 (abbreviated as Grade Protection 2.0) was officially implemented. The new Grade Protection 2.0 standard is more industry-specific, with more detailed and comprehensive coverage. Around the implementation of Grade Protection 2.0, various industries can build enterprise IT security systems in a scenario-based and standardized manner.
In the gaming industry, compliance with grade protection regulations is a mandatory requirement for business operations. Before the release of the Grade Protection 2.0 standard, the gaming industry had already used Grade Protection 1.0 as a benchmark to standardize IT system operations security. Among the multi-faceted compliance requirements of Grade Protection 2.0, host asset management is a crucial task. With the help of the JumpServer bastion host, global IP game operator CMGE has built an operations security audit system that complies with the new grade protection regulations.
Challenge: Widely Distributed and Continuously Changing IT Assets
As a renowned global IP game operator, CMGE focuses on IP as its core, continuously providing quality IP games to global players through self-development and agency distribution, while actively pursuing investment layouts around IP and CP to build an ecosystem centered on IP games. According to reports, in the domestic mobile game market, CMGE ranks first in cumulative revenue from games developed based on IP, first in total number of games developed based on IP, and first in IP resource reserves.
Considering global service delivery needs, CMGE took the lead in adopting a multi-cloud architecture for IT construction. Currently, CMGE uses multiple public clouds, including Alibaba Cloud, Tencent Cloud, Kingsoft Cloud, Huawei Cloud, and UCLOUD. On different public clouds, CMGE owns numerous virtual machines, storage, databases, and other cloud assets. These distributed, large-scale cloud assets require unified security management and auditing.
Additionally, the quantity of these cloud assets fluctuates with game operation expansion or reduction. When popular games are launched, cloud asset numbers rapidly increase, but during gaming off-seasons, CMGE reclaims resources based on market conditions, fully utilizing the elastic scaling advantages of public cloud services.
Based on actual business needs, CMGE aims to use the bastion host to uniformly manage large-scale and constantly changing cloud assets, building a 4A-compliant (Authentication, Authorization, Accounting, and Auditing) operations security audit system to meet Grade Protection 2.0 standards at the asset compliance management level.
Implementation: Three Core Capabilities Ensuring Compliance with New Grade Protection Regulations
After product selection and practical testing, CMGE ultimately chose to build a security audit system for large-scale cloud asset management based on JumpServer bastion host. CMGE believes that as an innovative bastion host, JumpServer's support for multi-cloud environments is their most valued feature. Compared to traditional bastion hosts, JumpServer adopts a distributed architecture design, better supporting enterprise asset management and audit requirements in multi-cloud environments. Additionally, since JumpServer sets no limits on concurrent connections and asset numbers, there's no need to worry about license restrictions during scale expansion.
Targeting the specific host security requirements in the grade protection standards, CMGE implemented three core capabilities based on JumpServer bastion host: identity authentication, access control, and security auditing:
1. Identity Authentication: Identifies and authenticates login users with unique identity markers. Each user logs in through their own independent bastion host account, so user identity is authenticated correctly and security risks such as shared accounts and unclear identities are avoided. Additionally, the JumpServer bastion host provides multi-factor authentication (MFA), enabling secondary authentication through mobile app dynamic verification codes, with simple and quick operation.
2. Access Control: The JumpServer bastion host provides a comprehensive permission management system, helping enterprises clarify the many-to-many relationships between people and assets, assets and permissions, and people and permissions, while allowing enterprises to flexibly create and assign this authorization system. Using this framework, CMGE built a three-way access control model linking personnel, assets, and permissions, which meets the relevant grade protection requirements well. Administrators can promptly block certain high-risk operations, preventing dangerous situations and effectively improving system security.
3. Security Auditing: The JumpServer bastion host provides audit capabilities for Windows and Linux systems, recording and tracking every operation of each user; all operations performed through the bastion host are recorded. Administrators can audit all connection operations afterward, effectively eliminating ambiguity over who is responsible for a given action.
Benefits: Unified Multi-Cloud Asset Management, Cloud Storage, and Flexible Scaling
For CMGE, leveraging JumpServer bastion host's leading architecture design and scalability, the security operations team successfully overcame the challenge of managing large-scale, distributed assets, building an operations security audit system for multi-cloud environments.
In multi-cloud environments, automatic acquisition of cloud asset information is a significant challenge. The X-Pack software package included in JumpServer bastion host's software subscription service provides "multi-cloud asset management" functionality. Using this feature, CMGE achieved rapid management of public cloud resources, with one-click and periodic synchronization of public cloud assets to JumpServer bastion host, requiring no manual entry or operation, greatly improving management experience.
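To make the periodic synchronization step concrete, the following is an added illustration, not JumpServer's or X-Pack's own code (whose internals the case study does not describe): it reconciles the bastion host's last-known asset list with what several clouds currently report, keys assets on (provider, instance id) because private IPs can repeat across clouds, and retires rather than deletes vanished hosts so their audit records stay attached. Provider names, instance ids and IPs are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CloudAsset:
    provider: str     # constructed label, e.g. "aliyun" or "tencent"
    instance_id: str  # id as issued by that cloud; only unique per provider
    ip: str


def asset_key(asset):
    # A private IP such as 10.0.0.5 can exist on two clouds at once, so the
    # bastion's identity for an asset must include the provider.
    return (asset.provider, asset.instance_id)


def reconcile(bastion_assets, cloud_inventories):
    """Compare the bastion inventory with the union of all cloud inventories.

    Returns a plan with three sorted key lists:
      add    - hosts the clouds report that the bastion does not know yet
      retire - hosts the bastion knows that no cloud reports any more
               (mark inactive, keep the record so past session audits resolve)
      update - known hosts whose connection address changed
    """
    current = {asset_key(a): a for inv in cloud_inventories for a in inv}
    known = {asset_key(a): a for a in bastion_assets}
    add = sorted(k for k in current if k not in known)
    retire = sorted(k for k in known if k not in current)
    update = sorted(k for k in current if k in known and current[k].ip != known[k].ip)
    return {"add": add, "retire": retire, "update": update}


# Constructed sample: what the bastion host held after the previous sync.
BASTION = [
    CloudAsset("aliyun", "i-a1", "10.0.0.5"),
    CloudAsset("aliyun", "i-a2", "10.0.0.6"),     # reclaimed in the off-season
    CloudAsset("tencent", "ins-t1", "10.0.0.5"),  # same private IP, other cloud
]
# Constructed sample: what each cloud's inventory API reports now.
ALIYUN_NOW = [CloudAsset("aliyun", "i-a1", "10.0.0.7"),   # address changed
              CloudAsset("aliyun", "i-a3", "10.0.0.8")]   # new game launch
TENCENT_NOW = [CloudAsset("tencent", "ins-t1", "10.0.0.5")]


def sample_plan():
    return reconcile(BASTION, [ALIYUN_NOW, TENCENT_NOW])


if __name__ == "__main__":
    print(sample_plan())
```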
For enterprises adopting a multi-cloud architecture, making full use of cloud-native services is an important goal. For example, if operation recordings of cloud assets were transmitted back to local data centers in the traditional bastion host manner, significant network bandwidth would be wasted. The JumpServer bastion host supports storing recording information directly on cloud storage services such as AWS S3, Alibaba Cloud OSS, and Elasticsearch, saving substantial bandwidth resources.
In terms of scalability, JumpServer bastion host's different sub-components can be deployed independently and scaled horizontally. During peak business pressure, users can expand sub-components independently to quickly respond to access pressure. After the peak pressure passes, the number of sub-component deployments can be reduced, easily achieving system elastic scaling without affecting user experience.
Building and operating an enterprise security system is a long-term task. After meeting the new grade protection requirements, CMGE plans to integrate the bastion host into its content operations and release system. Using JumpServer bastion host's standardized API interfaces, they aim to connect different aspects of game server launch, release, operations, and security, while achieving linkage between the bastion host and cloud management platform, continuously improving system security while optimizing IT system operational efficiency.