How to simplify data security management? uDSP: Ten Questions, Ten Answers

Data security management bears on national data security, the protection of corporate assets, and the protection of personal information. Data that is complex, diverse, and constantly in circulation also brings new threats and challenges: managing data assets, classifying and grading data, managing and controlling data security centrally, and sharing and circulating data safely. Origin Security's integrated data security platform uDSP is built to make the tedious, heavy work of data security management simple and efficient.

Q1 What is Origin Security's uDSP, and how is it related to the DSP concept proposed by Gartner?

uDSP (unified Data Security Platform) is an integrated data security platform, delivered as a product and as a service, that Origin Security built on a cloud-native technology stack. In 2020, Origin Security proposed the technical concept of a "data access security layer": a layer placed between the tools and applications that access data and the data sources themselves, in which the security capabilities needed to protect data are aggregated and enforced. With sensitive data protection as its core, this layer integrates the security capabilities required to protect data across multiple data types, storage systems and ecosystems; the result is the integrated data security platform uDSP.

In 2021, Gartner released the report "Hype Cycle for Security Operations, 2021", which formally introduced the concept of the DSP. A DSP (Data Security Platform) is defined as a product or service whose core feature is data discovery and identification technology, and which aims to integrate and coordinate the security requirements of data across multiple data types, storage systems and ecosystems. Its key security capabilities include consistent visibility of sensitive data, highly integrated data security functions, separation of the policy plane from the controlled objects, collaboration pipelines across multiple roles, and simple, efficient deployment and operation. This coincides with the product capabilities Origin Security has built on the data access security layer.

The uDSP created by Origin Security integrates technical protection measures and coordination mechanisms spanning sensitive data discovery, identification, protection, supervision and governance, which is in line with the current direction of the technology and the actual needs of the industry.

Q2 What capabilities does the integrated data security platform uDSP have?

The sensitive data catalogue is the core function of Origin uDSP. Built on an intelligent sensitive data identification engine, it automatically identifies and labels sensitive data types and security levels, helps users inventory sensitive data assets from a security perspective, and underpins data access control, access authentication proxying, self-service data authorization, dynamic data desensitization, data flow tracking, data security auditing and many other functions.

● Data access control

Configure and enforce access control policies for custom data sets and for users or user groups; a policy can allow, deny or warn on access by specific users to specific data sets. Policies can be conditioned on sensitive data type, control action, access type, validity period, subject location and execution path.

● Self-service access authorization

Provides self-service modes such as pre-authorization, approval-based authorization and commitment-based authorization. For ad hoc data access requests, access rights are configured automatically once the request is approved or the requester has made the required commitment. Turning the configuration of data access rights into an automated process greatly reduces the manual work of data operations and maintenance staff.

● Access authentication proxy

A user access authentication proxy replaces the data source's real account and password with a virtual account and password, which reduces the risk of the data source password leaking. It enables fine-grained, real-time control over individual users and supervision of high-risk privileges. At the same time, when the data source password is rotated regularly as the security compliance regime requires, the data service is not affected.

● Dynamic data desensitization

Data security personnel configure desensitization algorithms and combinations of desensitization rules for each application scenario, and configure data delivery strategies by conditions such as user, validity period, subject location, execution path, data set and sensitive data type. Sensitive data displayed in the application front end is desensitized dynamically, with no application code changes and no business application transformation required.

● Data access auditing

Audits data access activity comprehensively and logs each application user's data access in detail, including timestamp, application user, application access path, database user, data source, data location, access type, SQL request, data volume, sensitive data touched and other related information. Cloud database audit logs can be merged automatically with the platform's own logs.

● Data access tracking

Records the context of data activity at the application layer comprehensively and accurately, and automatically builds an end-to-end, full-link sensitive data flow track. It visualizes the data flow path "user -> application -> data location -> sensitive data type", access behaviour patterns and the access popularity of sensitive data, and supports drill-through analysis, providing the baseline for further security audits and risk analysis.
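To make the audit fields and the flow track concrete, here is an added example (written for this article, not Origin Security's or uDSP's code) that parses a few constructed audit records carrying the fields listed above and reconstructs the "user -> application -> data location -> sensitive data type" track, the access popularity of each sensitive type, and a drill-through from one user to the SQL they ran. The record layout and field names (`app_user`, `app`, `path`, `location`, `sensitive`, and so on) are assumptions.

```python
"""Flow-track reconstruction from audit records.

Added illustration for this article: it is not uDSP's code, and the record
layout and field names are assumed for the sake of the example.
"""
import json
from collections import Counter, defaultdict

# Constructed audit records, one JSON object per line, carrying the fields the
# article lists: timestamp, application user, access path, database user,
# data source, data location, access type, SQL request, row count and the
# sensitive data types touched.
SAMPLE_AUDIT_LOG = """\
{"ts": "2023-05-18T09:00:01Z", "app_user": "alice", "app": "bi-tool", "path": "/report/claims", "db_user": "svc_bi", "datasource": "mysql-claims", "location": "claims.policy_holder", "access": "SELECT", "sql": "SELECT name, id_no FROM policy_holder", "rows": 120, "sensitive": ["NAME", "ID_NUMBER"]}
{"ts": "2023-05-18T09:05:12Z", "app_user": "alice", "app": "bi-tool", "path": "/report/claims", "db_user": "svc_bi", "datasource": "mysql-claims", "location": "claims.policy_holder", "access": "SELECT", "sql": "SELECT phone FROM policy_holder", "rows": 120, "sensitive": ["PHONE"]}
{"ts": "2023-05-18T09:07:40Z", "app_user": "bob", "app": "analytics-app", "path": "/api/export", "db_user": "svc_analytics", "datasource": "pg-dw", "location": "dw.customer", "access": "SELECT", "sql": "SELECT * FROM customer", "rows": 50000, "sensitive": ["NAME", "PHONE", "ADDRESS"]}
{"ts": "2023-05-18T09:09:03Z", "app_user": "bob", "app": "analytics-app", "path": "/api/export", "db_user": "svc_analytics", "datasource": "pg-dw", "location": "dw.orders", "access": "SELECT", "sql": "SELECT order_id FROM orders", "rows": 10, "sensitive": []}
"""


def parse_audit_log(text):
    """Parse one JSON record per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_flow_track(records):
    """Count each end-to-end path (user, application, data location,
    sensitive type). Records that touch no sensitive data produce no path."""
    track = Counter()
    for r in records:
        for stype in r["sensitive"]:
            track[(r["app_user"], r["app"], r["location"], stype)] += 1
    return track


def render_track(track):
    """Render the track as 'user -> app -> location -> type (xN)' lines."""
    return [f"{u} -> {a} -> {loc} -> {t} (x{n})"
            for (u, a, loc, t), n in sorted(track.items())]


def sensitive_access_popularity(records):
    """Rank sensitive data types by number of accesses and rows touched."""
    hits, rows = Counter(), Counter()
    for r in records:
        for stype in r["sensitive"]:
            hits[stype] += 1
            rows[stype] += r["rows"]
    return {s: {"accesses": hits[s], "rows": rows[s]} for s in hits}


def drill_through(records, app_user):
    """Drill from one user down to the data locations and SQL requests
    through which that user touched sensitive data."""
    by_location = defaultdict(list)
    for r in records:
        if r["app_user"] == app_user and r["sensitive"]:
            by_location[r["location"]].append(r["sql"])
    return dict(by_location)


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("\n".join(render_track(build_flow_track(recs))))
    print(sensitive_access_popularity(recs))
    print(drill_through(recs, "bob"))
```

The popularity view is what surfaces bob's bulk export (50,000 rows of NAME, PHONE and ADDRESS in one request) next to alice's routine report queries, and the drill-through narrows that down to the exact SQL request, which is the starting point for the risk analysis the paragraph mentions.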

Q3 How does uDSP integrate sensitive data discovery, identification, protection, supervision and governance?

Origin Security believes that solving complex problems requires an innovative data technology architecture; the technical capabilities of traditional single-point products are no longer sufficient. To protect data, the controls should sit as close to the data source as possible, which improves the accuracy of data identification and the directness of the protection effect. At the same time, the architecture should decouple layers, separating data security from business applications so that collaboration across departments and organizations is easier to achieve. And it should be capable of integration, combining multiple data security capabilities to meet a variety of business needs.

Based on this thinking, Origin Security pioneered the architectural concept of the Data Access Security Layer (DASL), which implements access control and delivery control for sensitive data in data sources, with the aim of protecting sensitive data from unauthorized access, alteration, disclosure, destruction and overexposure.

The basic data security capabilities provided by DASL include, but are not limited to, sensitive data discovery, classification and grading identification, data access control, dynamic data desensitization and data security auditing. These basic capabilities can be orchestrated by security policies suited to specific business scenarios and needs, protecting the security and compliance of sensitive data while improving its traceability and auditability, so that access to and use of sensitive data can be monitored more effectively.

Q4 What database types does uDSP currently support? Can different data sources be managed and controlled uniformly?

uDSP supports MySQL, PostgreSQL (PGSQL), traditional Oracle, SQL Server, Hadoop big data systems, domestic database systems and more, whether these systems are deployed on a public cloud or in a local data center, and whether they are self-built database systems in the cloud or cloud-native database services.

Given the current reality of siloed, heterogeneous and cross-ecosystem databases, uDSP lets different data sources share the same control strategy: by configuring a unified data set, data delivery strategy and data access strategy, unified security control is achieved over different data sources.

The uDSP platform can integrate these policies into one unified data security policy, and a single policy can orchestrate different security control functions into a coordinated whole.

Q5 How does uDSP control data access?

Enterprise customers commonly face a variety of isolated, heterogeneous, cross-ecosystem databases and increasingly finely divided security scenarios. With the scattered data protection measures of the past, unified policy orchestration was hard to achieve. Through uDSP's integrated orchestration of data security protection strategies, the various core capabilities are combined into a whole that meets the data protection needs of each application scenario.

uDSP supports full-link control of sensitive data across prevention beforehand, control during access and auditing afterwards: for example, configuring permission controls in advance, supervising and recording the sensitive data access flow track while access happens, and continuously adjusting data protection measures and operating strategies afterwards based on the results of data supervision. It dynamically builds a flow track made up of nodes such as business user, business application, API path, Origin user, database account, access point, data location and sensitive data type, and can present related information such as location, time and number of accesses. Supervision dashboards for sensitive data access can be customized from the link nodes and context information to improve the efficiency of in-process supervision and after-the-fact tracing.

For example, when the data returned to data query staff must be restricted, uDSP can control user behaviour through data delivery strategies and data access strategies: restricting a member to only certain types of data, deciding whether the accessible data is desensitized, limiting the number of rows a query returns, and so on.
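The access control, delivery strategy and dynamic desensitization capabilities described in Q2 and Q5 come down to a policy evaluation followed by a transformation of the result set. The following added example (illustrative code written for this article, not uDSP's implementation) shows one way such an evaluator works: policies keyed on user group, sensitive data type, source network and validity hours yield an allow, warn or deny decision, and an allowed result is then row-capped and masked before delivery. The sensitive data catalogue, the policy fields (`groups`, `sensitive`, `source_net`, `hours`, `action`, `mask`, `max_rows`) and the masking rules are all assumptions.

```python
"""Policy-driven access control and dynamic desensitization.

Added illustration for this article: it is not uDSP's code. The policy
fields, the sensitive data catalogue and the masking rules are assumed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
import ipaddress

# Constructed sensitive data catalogue: fully qualified column -> sensitive type
CATALOGUE = {
    "customer.name": "NAME",
    "customer.phone": "PHONE",
    "customer.id_no": "ID_NUMBER",
    "customer.city": None,  # catalogued but not sensitive
}

# Constructed policies, evaluated top-down; the first matching policy decides.
POLICIES = [
    {   # analysts: masked, capped access from the office network in working hours
        "name": "analysts-office-hours", "groups": {"analysts"},
        "sensitive": {"NAME", "PHONE", "ID_NUMBER"}, "source_net": "10.0.0.0/8",
        "hours": (9, 18), "action": "allow", "mask": True, "max_rows": 100,
    },
    {   # DBAs keep raw access, but every sensitive access is flagged for supervision
        "name": "dba-privileged", "groups": {"dba"}, "sensitive": {"*"},
        "action": "warn", "mask": False, "max_rows": None,
    },
    {   # anything else touching sensitive data is refused
        "name": "default-deny-sensitive", "groups": {"*"}, "sensitive": {"*"},
        "action": "deny",
    },
]


def mask_value(stype, value):
    """Desensitize one value according to its sensitive type (constructed rules)."""
    if value is None or stype is None:
        return value
    s = str(value)
    if stype == "NAME":        # keep the first character only
        return s[:1] + "*" * (len(s) - 1)
    if stype == "PHONE":       # keep the prefix and the last four digits
        return s[:3] + "*" * max(len(s) - 7, 0) + s[-4:]
    if stype == "ID_NUMBER":   # keep the last four digits only
        return "*" * max(len(s) - 4, 0) + s[-4:]
    return "***"               # unknown sensitive type: hide entirely


@dataclass
class Decision:
    action: str              # "allow", "warn" or "deny"
    policy: str              # name of the policy that decided
    mask: bool               # apply desensitization to the result set
    max_rows: Optional[int]  # cap on rows returned, None for no cap


def _matches(policy, groups, stypes, src_ip, when):
    """Check every condition the policy carries; absent conditions always match."""
    if "*" not in policy["groups"] and not (policy["groups"] & groups):
        return False
    if "*" not in policy["sensitive"] and not (policy["sensitive"] & stypes):
        return False
    net = policy.get("source_net")
    if net and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(net):
        return False
    hours = policy.get("hours")
    if hours and not (hours[0] <= when.hour < hours[1]):
        return False
    return True


def evaluate(groups, columns, src_ip, when):
    """Decide how a query over `columns` by a subject in `groups` is handled."""
    stypes = {CATALOGUE.get(c) for c in columns} - {None}
    if not stypes:  # no sensitive data involved: deliver as is
        return Decision("allow", "none", False, None)
    for policy in POLICIES:
        if _matches(policy, set(groups), stypes, src_ip, when):
            return Decision(policy["action"], policy["name"],
                            policy.get("mask", False), policy.get("max_rows"))
    return Decision("deny", "implicit-deny", False, None)


def deliver(decision, columns, rows):
    """Apply the delivery strategy (deny / row cap / masking) to a result set."""
    if decision.action == "deny":
        raise PermissionError(f"blocked by policy {decision.policy}")
    if decision.max_rows is not None:
        rows = rows[:decision.max_rows]
    if decision.mask:
        types = [CATALOGUE.get(c) for c in columns]
        rows = [tuple(mask_value(t, v) for t, v in zip(types, row)) for row in rows]
    return rows


# Constructed result set standing in for what the data source returned
COLUMNS = ["customer.name", "customer.phone", "customer.id_no", "customer.city"]
SAMPLE_ROWS = [
    ("Zhang San", "13812345678", "110101199001011234", "Beijing"),
    ("Li Si", "13987654321", "310101198505055678", "Shanghai"),
]
WORK_TIME = datetime(2023, 5, 18, 10, 0)   # inside the 9-18 window
NIGHT_TIME = datetime(2023, 5, 18, 20, 0)  # outside it

if __name__ == "__main__":
    d = evaluate(["analysts"], COLUMNS, "10.1.2.3", WORK_TIME)
    print(d)
    for row in deliver(d, COLUMNS, SAMPLE_ROWS):
        print(row)
```

Deny is enforced by refusing delivery before any row reaches the caller, which is the behaviour a proxy-based deployment (see Q9) relies on; a query that touches no catalogued sensitive column falls through without a policy match, so ordinary traffic is neither blocked nor masked.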

Q6 When data is provided to external parties or exposed through an API, can uDSP apply corresponding controls?

uDSP is built on the Data Access Security Layer (DASL), which applies security and compliance controls to data access and data delivery in a unified way. Whether data is exported through a tool or obtained through an API call, it passes through DASL, so uDSP can use attributes such as the visitor, the sensitive type of the accessed data and the accessed data object as the conditions under which a policy is enforced.

In addition, for the scenario in which an API sends data out, uDSP can audit context such as the caller's identity and the API URL, and can also use that context as policy enforcement conditions to implement precise, scenario-specific protection policies.

Q7 Can you describe a typical data protection scenario?

Case: data access compliance governance for the data analysts of an insurance company

Business scenario

  • The local data center hosts a data warehouse and a data middle platform. The landscape of data analysis applications and BI tools is very complex: more than 10 analysis business systems were developed in-house, and multiple commercial BI tool suites were purchased;

  • There are more than 300 data analysis engineers and business users; the population accessing data is large and changes frequently;

Pain points

  • The sensitive data desensitization and data security audit requirements set by the security compliance department must be met, but sensitive data assets are not clearly known, and configuring desensitization rules is complex and inefficient;

  • Fine-grained control of data permissions depends on the authorization mechanisms of the individual database systems, BI tools and business applications, which cannot be managed uniformly and are hard to change;

  • Maintaining "row permission" data views requires a great deal of manual work and cannot meet the timeliness required by self-service interactive data analysis; some BI tools do not support "row permission" at all;

Origin Security's solution

An integrated data security platform, uDSP, was provided to the data team and integrated with the data permission approval process. While delivering continuous data protection and security compliance, it enables the data management and data consumer departments to offer "self-service" data access, making data provision more convenient and work more efficient.

Q8 Which data security governance scenarios can uDSP be applied to?

Demand for uDSP can come from many departments. For example, the compliance department needs to protect personal information and pass data export security assessments; the security department needs to manage and control database operations and maintenance performed by R&D and O&M staff; the data department needs to desensitize sensitive data displayed in the front-end interfaces of data analysis applications. The following security scenarios can be addressed with Origin Security's integrated data security platform uDSP:

Without any modification to the business systems, uDSP can help the data team meet enterprise needs such as dynamic desensitization of sensitive data, fine-grained control of personnel permissions and detailed log auditing; help the compliance team deliver a "one-stop" server-side solution for protecting sensitive personal information and staying compliant; and help the security team solve the security management and control problems of database operations and maintenance efficiently, so that managers can quickly understand the security posture of the whole system and have a sound reference for data security decisions.

Q9 To use Origin Security uDSP, do I need to modify application code or replace database client tools?

For protecting application systems, uDSP has two modes, audit only and audit plus protection, and neither requires modifying the application's business code.

  • Audit only: an agent client is deployed on the database server; the application is unaware of it and needs no changes.
  • Audit plus protection: the application only needs to replace the URL it uses to connect to the database with the proxy address of uDSP.

For security management and control of R&D and O&M access, the user authentication proxy technology means data access personnel do not need to change the database tools they already use.

Q10 What deployment modes does uDSP support?

Origin Security's uDSP products offer several flexible deployment modes to meet the needs of different enterprises.

01 Shared service

Origin DAC product components are deployed in a distributed fashion across multiple public clouds and industry clouds, providing shared SaaS service access points. After a simple configuration of your business and data sources on the public cloud, you can use the nearest of these access points and conveniently consume data security services.

02 Instance hosting

If your data source is deployed inside a private VPC network on a public or industry cloud, or on the private cloud of the enterprise's local data center, Origin supports deploying the DAC instance into your private VPC or local private cloud while the security control center remains in SaaS mode, saving IT and maintenance costs.

03 Local deployment

For the private cloud of a large enterprise's local data center, Origin Security also supports deploying all components of the integrated data security platform in your local environment.


Source: Origin Security blog, blog.csdn.net/oripoint/article/details/130766245