On data encryption in the disaster recovery business

Data disaster recovery often relies on an integrated platform that spans multiple departments, business units or even systems, so the security of data in transit and on the storage medium becomes especially prominent. In disaster recovery practice, data is mainly protected with endpoint-based (source-side) encryption and transmission-channel encryption. Because the transmission network has been the enterprise's own resource, its security has been taken as guaranteed; as a result, many disaster recovery systems focus only on availability and integrity and pay little attention to confidentiality.

Now, with the rise of cloud computing, and public cloud in particular, enterprises need to keep strengthening the encryption of data held in the cloud. First, from the standpoint of backup storage security: if backup data sits in plaintext on the storage medium, an attacker who reaches the medium obtains the data directly, and the result is a data leak. Second, from the standpoint of backup transmission security: if backup data crosses the network in the clear, it can be leaked by packet interception and similar means.

At present there are many data encryption methods; after a simple classification they fall into two groups:

1. Source encryption

Source-side (end-to-end) encryption encrypts the data as it leaves the source and as it is stored at the destination. A file system (such as the Windows Encrypting File System) or a database encrypts the data it holds; if the data is encrypted at rest, it is also encrypted when it is backed up. Put simply, source-side encryption comprises hardware encryption and software encryption. Hardware encryption generally means encryption implemented in the product's hardware, with functions such as resisting brute-force cracking, password guessing and data recovery; implementations include keyboard encryption, card encryption and fingerprint encryption. Software encryption implements the storage device's encryption function through the product's built-in encryption software; implementations mainly include in-software password encryption, certificate encryption and CD-ROM encryption.

In practice, Info2soft's i2CDP adopts the currently popular AES (Advanced Encryption Standard) algorithm. AES encrypts and decrypts quickly in both software and hardware, is easy to apply and requires only a small amount of memory.
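As an added example, not code from the original article or from any product it names, the following Go program shows source-side encryption of a backup image before it is written to the medium. It uses AES-256-GCM (authenticated encryption, so tampering with the stored file is detected) and the envelope pattern that the key-management remark at the end of the article calls for: a fresh data key per backup, wrapped under a key-encryption key (KEK) that stays with the enterprise. `EncryptBackup`, `DecryptBackup`, `LeaksPlaintext` and the sample values are assumptions of this example; the constructed KEK in `main` stands in for a key held in an HSM or KMS.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedBackup is what lands on the backup medium: nothing in it is usable
// without the enterprise-held key-encryption key (KEK).
type EncryptedBackup struct {
	WrappedKey []byte // per-backup data key, sealed under the KEK
	KeyNonce   []byte // nonce used when wrapping the data key
	Nonce      []byte // nonce used for the image itself
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a random nonce; aad is authenticated
// but not encrypted, so the ciphertext is bound to it.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func unseal(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// EncryptBackup encrypts a backup image at the source. A fresh 256-bit data key
// protects the image; the data key is wrapped under the KEK, so the KEK never
// touches bulk data and can be rotated by re-wrapping keys only. backupID is
// bound as associated data so a bundle cannot be swapped between backups.
func EncryptBackup(kek, backupID, image []byte) (*EncryptedBackup, error) {
	if len(kek) != 32 {
		return nil, errors.New("KEK must be 32 bytes (AES-256)")
	}
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	nonce, ct, err := seal(dataKey, image, backupID)
	if err != nil {
		return nil, err
	}
	keyNonce, wrapped, err := seal(kek, dataKey, backupID)
	if err != nil {
		return nil, err
	}
	return &EncryptedBackup{WrappedKey: wrapped, KeyNonce: keyNonce, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptBackup unwraps the data key with the KEK and then opens the image;
// a wrong KEK, a wrong backupID or a modified ciphertext all fail here.
func DecryptBackup(kek, backupID []byte, b *EncryptedBackup) ([]byte, error) {
	dataKey, err := unseal(kek, b.KeyNonce, b.WrappedKey, backupID)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return unseal(dataKey, b.Nonce, b.Ciphertext, backupID)
}

// LeaksPlaintext reports whether any 16-byte window of the image appears
// verbatim in what is written to the medium: the check to run before trusting
// that "encrypted backup" is more than a label.
func LeaksPlaintext(image []byte, b *EncryptedBackup) bool {
	stored := append(append(append([]byte{}, b.WrappedKey...), b.Nonce...), b.Ciphertext...)
	for i := 0; i+16 <= len(image); i++ {
		if bytes.Contains(stored, image[i:i+16]) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed values for the demonstration only.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	backupID := []byte("db01-2024-01-01T00:00Z")
	image := []byte("constructed sample backup image: customer table rows ...")
	b, err := EncryptBackup(kek, backupID, image)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes, plaintext visible on medium: %v\n", len(b.Ciphertext), LeaksPlaintext(image, b))
	got, err := DecryptBackup(kek, backupID, b)
	fmt.Printf("restore ok: %v, err: %v\n", bytes.Equal(got, image), err)
}
```

The wrapped data key travels with the backup, so restoring at a recovery site needs only the bundle plus access to the KEK; losing the KEK makes every backup unreadable, which is exactly why the article insists that the keys stay in the enterprise's own hands.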


2. Transmission encryption

A data encryption gateway is placed in line between the backup initiator and the backup medium. The initiator first establishes a secure tunnel with the gateway, and the backup data travels through that tunnel, which secures the transmission. At the same time, the gateway encrypts the data in real time during the backup transfer, completely transparently to the backup software.

In practice, the ideal arrangement combines end (source-side) encryption with transmission encryption: the storage device can encrypt data files and also provides a secure-tunnel service. The backup initiator first establishes a secure tunnel with the encryption gateway and sends the backup data through it, which secures the transmission; and before the backup data lands on the storage medium, the backup file is encrypted, so that only ciphertext is stored on the medium.
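As an added example that is not from the article, the Go program below models the transmission-encryption gateway described above entirely in-process: the backup initiator opens a TLS 1.3 tunnel to a gateway whose certificate it verifies against a trust store, streams the backup through it, and a tap on the raw connection records what an attacker intercepting packets between initiator and gateway would see. The gateway name `backup-gateway.example`, the in-memory self-signed certificate and the function `SendThroughTunnel` are constructed for this example; a real deployment would use a certificate issued by the enterprise PKI, and in the combined design the payload sent would be the already source-encrypted backup file.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"sync"
	"time"
)

// gatewayName is the hypothetical DNS name of the encryption gateway (assumed).
const gatewayName = "backup-gateway.example"

// selfSignedGatewayCert builds an in-memory certificate for the gateway and a
// trust pool containing it. In production the pool holds the enterprise CA.
func selfSignedGatewayCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: gatewayName},
		DNSNames:              []string{gatewayName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// tapConn records every byte the initiator writes to the network, standing in
// for someone capturing packets between initiator and gateway.
type tapConn struct {
	net.Conn
	mu  *sync.Mutex
	tap *bytes.Buffer
}

func (t tapConn) Write(p []byte) (int, error) {
	t.mu.Lock()
	t.tap.Write(p)
	t.mu.Unlock()
	return t.Conn.Write(p)
}

// SendThroughTunnel plays both ends over an in-memory pipe: the initiator opens
// a TLS 1.3 tunnel to the gateway and streams payload through it. It returns
// what the gateway received and what was visible on the wire.
func SendThroughTunnel(payload []byte) (received, wire []byte, err error) {
	cert, pool, err := selfSignedGatewayCert()
	if err != nil {
		return nil, nil, err
	}
	clientRaw, serverRaw := net.Pipe()
	tap := tapConn{Conn: clientRaw, mu: &sync.Mutex{}, tap: &bytes.Buffer{}}

	var gotBytes []byte
	var gotErr error
	done := make(chan struct{})
	go func() { // gateway side: terminate TLS and collect the backup stream
		defer close(done)
		srv := tls.Server(serverRaw, &tls.Config{
			Certificates:           []tls.Certificate{cert},
			MinVersion:             tls.VersionTLS13,
			SessionTicketsDisabled: true, // net.Pipe is unbuffered; avoid a post-handshake write
		})
		defer srv.Close()
		gotBytes, gotErr = io.ReadAll(srv)
	}()

	// Initiator side: verify the gateway against the trusted pool, then send.
	cli := tls.Client(tap, &tls.Config{RootCAs: pool, ServerName: gatewayName, MinVersion: tls.VersionTLS13})
	if _, err := cli.Write(payload); err != nil {
		cli.Close()
		<-done
		return nil, nil, err
	}
	cli.Close() // sends close_notify so the gateway sees EOF
	<-done
	if gotErr != nil {
		return nil, nil, gotErr
	}
	tap.mu.Lock()
	wire = append([]byte(nil), tap.tap.Bytes()...)
	tap.mu.Unlock()
	return gotBytes, wire, nil
}

func main() {
	payload := []byte("constructed sample backup record: account=4711 balance=1000") // constructed
	got, wire, err := SendThroughTunnel(payload)
	if err != nil {
		panic(err)
	}
	fmt.Printf("gateway received %d bytes, identical: %v\n", len(got), bytes.Equal(got, payload))
	fmt.Printf("plaintext visible on the wire: %v\n", bytes.Contains(wire, payload))
}
```

The initiator pins trust to the pool rather than disabling verification, which is the detail that makes the tunnel protect against a gateway impersonator and not only against passive interception.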

Depending on the technology and encryption method, there is much more to say about encryption algorithms and the corresponding key management systems; for reasons of space this article does not go into them. If you use a cloud-based data encryption solution, you need to verify that the encryption actually takes place and that the keys remain firmly in your own hands.
