"Governance" (治) and "sorting out" (理) in data security governance

I believe the concept of data security has been popularized to the point of being familiar, but the newer concept of data security governance is still relatively vague. In fact, government departments and enterprises that hold important data assets already have, to a greater or lesser extent, practices for data asset protection and data security governance, but these have not yet been systematized and standardized.

In the "Data Security Law of the People's Republic of China (Draft)" released this year, data security governance is mentioned many times, and the first chapter specifically states: "Data security refers to the ability to ensure, by taking necessary measures, that data is effectively protected and lawfully used, and remains continuously in a secure state." It goes on: "To maintain data security, we should adhere to the overall national security concept, establish and improve the data security governance system, and improve data security capabilities."

This indicates, at the national policy level, that data security governance starts from the vision of "safe data use" and builds a technical guarantee system around three goals: data security protection, management of sensitive information in data, and lawful use of data, with the overall aim of "making data use safer".

From an international perspective, Gartner, an international information technology research and analysis company, holds that data security governance is not just a set of product-level solutions combined with tools, but a top-down approach that runs from the decision-making level to the technical level and from the management system to the supporting tools: a complete chain that spans the entire organizational structure. All levels of the organization need to reach consensus on the goals and objectives of data security governance, so that reasonable and appropriate measures are taken to protect information resources in the most effective manner.

To sum up, achieving data security governance requires a comprehensive solution covering the security governance system, security compliance, technical capability support, and so on. In a sense, the way to ensure the absolute security of data is to physically isolate all of it and turn it into "dead" data: that is the "safest" state, since the data can neither be taken away nor destroyed. But does it make sense to do so? As mentioned above, data creates value only in the process of flow, sharing, and processing, and rational use is what makes data "live" data. The core idea of data security governance is to carry out effective security "sorting out" and "governance" of this "live" data, ensuring that data is used and creates value under safe and controllable conditions.

The construction of big data is a core part of the new infrastructure. The "liveness" of big data is reflected in the aggregation and sharing of data, which is also the key link in realizing the value of data: if there is only aggregation but no sharing, the value of data is greatly reduced. Big data application is the process of data processing on top of a big data platform, usually including data collection, data storage, data application, data exchange, and data destruction. Data needs to be protected in all of the above links, and the security control measures that usually need to be considered include data collection authorization, data authenticity, classified and graded storage with labelling, data exchange integrity, sensitive data confidentiality, data backup and recovery, desensitization of data output, sensitive data output control, and a classification- and grade-based data destruction mechanism. Only effective data governance can ensure data security and allow people to enjoy big data with confidence.

In the "governance" (治) and "sorting out" (理) of data security governance, "sorting out" must come before "governance", and "governance" can only be carried out after sorting out. In fact, data security governance is like diagnosis and treatment in traditional Chinese medicine. Before "inspection, listening and smelling, inquiry, and pulse-taking", you must first know where our data assets are, what state these data assets are in, and what security risks exist. Only by sorting out this information can we better address the gaps. Throughout the process of governance, data is not dead; it is flowing, and it is closely related to people, money, things, and wisdom, flowing not only within the organization but between departments, outside the organization, and even between countries. That makes governing data all the more difficult, just like governing the Yellow River.

There is a profound connotation behind data security governance: building an overall data security governance plan with data security as the core. It is necessary to grasp the close relationship with the business and to balance efficiency and stability. The essence of the solution is "accurate visibility, safety and controllability".

Accurate visibility is the essence of data security governance, and the core of "sorting out" is accurate visibility.

First of all, we need to "sort out" what data assets we have. We encountered a typical customer in an actual project. Because of the variety of business assets, the number of third-party development and operation vendors, and the long construction period, the customer ended up with a sprawl of databases: hundreds of database instances, including many built by developers themselves. Who is responsible for these databases is unknown, and a large amount of classified and sensitive data is stored in them. Through our system, we helped the customer accurately identify these data assets.

After the data assets are "sorted out", we need to continue by sorting out the risks of these data assets: for example, whether the data storage environment is safe, whether the data access environment is safe, whether the data interaction environment is safe, and whether the data circulation environment is safe. Take the customer above as an example. The super-user authority for data access was in the hands of third-party operation and maintenance personnel, and the customer itself did not hold it. This is a huge risk point for data security. Through risk assessment across the full life cycle, all data forms, and the full circulation of data assets, the overall risks of data assets can be "sorted out", paving the way for "governance".

First "sort out", then "govern". Through "sorting out" we obtain an overall assessment of the security status of the data assets; "governance", like treatment, is the process of prescribing the right remedy. The core of "governance" is safety and controllability.

The process of "governance" has two levels. The first is the systematic deployment of security products. Looking at the entire data life cycle, a systematic set of security products needs to be deployed, with a comprehensive data security management platform as the core, including capability units such as database firewalls, database auditing, data desensitization, database vulnerability scanning, database status monitoring, data watermark traceability, data security models, and user behavior profiling, using AI and machine learning to improve the effect of data security "governance". The second is the standardized implementation of the relevant procedures and systems: from security construction planning, security business sorting, security strategy formulation, security system construction, and security data operation, to standardizing security operations for data collection, transmission, storage, sharing, and processing. The systems and processes are what ensure that the data security products operate effectively.

Origin blog.csdn.net/Arvin_FH/article/details/132560756