Database Security: Cloud Security

Cloud computing has become a popular IT solution. Its scalable, elastic and resilient computing power greatly reduces the difficulty of building and managing IT, and renting instead of purchasing greatly reduces the investment. The public cloud is the most important form of cloud computing, and on it applications can be built for users worldwide. But when applications and the databases that support them are migrated to the public cloud, data security becomes a critical issue. Cloud data breaches are becoming more frequent; the recent leak of more than 1.6 million users' data from a game deployed to the cloud has sounded the alarm for cloud database security. Compared with the traditional computing environment, the openness and virtualization of cloud computing make traditional data security solutions complicated or even unworkable, which brings greater challenges to protecting databases in the cloud.

 

ANVIZ is the exclusive brand and registered trademark of Beijing ANVIZ Technology Co., Ltd. ANVIZ focuses on data security management and, after more than ten years of technology accumulation, has a comprehensive line of domestic database security hardening products, including database auditing, database firewall, database encryption and data masking, which help customers reduce data security risk and easily meet compliance requirements. ANVIZ's data security management solution for cloud computing provides comprehensive security for data assets in cloud computing and big data environments.

 

 

Limitations of traditional technology solutions

To address data security management, ANVIZ provides database auditing, firewall, transparent encryption, data masking and other products that together form a security solution covering the generation, use, storage and backup stages of the data life cycle. Among them, deploying database auditing and database firewall systems to monitor and control access to the data is the most basic security need. In a conventional network environment these are usually deployed by bypass mirroring, inline connection or an OS agent. In a public cloud environment it is still necessary to deploy database security hardening products to protect data at every stage of its life cycle, and database auditing and firewall remain the most basic and most necessary means of protection. In public cloud environments, bypass mirroring, inline connection, OS agents and the other implementations of database auditing and firewall are possible in theory, but in practice each runs into limitations.

1) Mirror mode. In the traditional environment, port mirroring is configured on the switch and the database traffic is mirrored to the database audit device. On a cloud computing platform, however, mirroring has to be configured through the platform's software-defined network (SDN), which complicates the implementation and increases the management workload of the cloud environment. Moreover, cloud database platforms do not allow a tenant's traffic to be tapped by bypass mirroring.

2) Inline connection. In the traditional environment, the database audit or firewall is deployed in front of the database in proxy or transparent-bridge mode to monitor or filter database access. Again, on a cloud computing platform the inline path has to be defined through the SDN, which complicates the implementation. Moreover, mainstream cloud hosts have only one virtual network interface, while this deployment requires at least two. The cloud platform would have to adjust the virtual machine, which makes implementation harder still.

3) OS agent mode. In this mode an agent service is installed on the OS of the database host; it mirrors database access to the audit server or filters it. In a public cloud environment, most cloud vendors provide the database service (RDS) purely as a SQL access interface: the tenant gets no rights on the database server's OS and is not allowed to install any software on the RDS server. This too would require the cloud platform to adjust the virtual machine, which makes implementation harder still.

Furthermore, none of these three modes achieves complete monitoring of database access. For example, a virtual machine escape, or an attacker logging into the database server OS and operating on the database directly, is neither recorded nor filtered.

 

Implementation

To achieve auditing and fine-grained access control for cloud databases, ANVIZ has drawn on its years of accumulated technology to introduce products and solutions adapted to the cloud computing environment. Two concrete implementations are available for different environments.

Option One: a local probe implements database auditing. The probe uses the database's own logging mechanism and the SQL interface to obtain and record all access to the database, and sends the records to an independently running audit server, as shown in the figure below.

The advantages of this option are as follows:

1) Non-invasive: based entirely on the database's own mechanisms and the SQL interface, with no intrusive modification of the system;

2) No packet loss: access at any peak level is recorded in full;

3) No missed audits: access to the database by any route is recorded;

4) Simple to implement: no OS- or software-level changes by the cloud vendor are needed; the tenant can even deploy the database auditing system independently of the cloud vendor after purchasing the cloud host;

5) Elastic auditing: the processing capacity of the audit server is adjusted elastically according to the actual audit workload;

6) High security: a third-party security product chosen by the user, whose audit content the cloud platform's operations staff cannot manipulate or control.
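The local-probe collector described in Option One, as an added example written for this page rather than ANVIZ's product code. It assumes the database exposes its own statement log as a table readable over SQL, modelled on MySQL's mysql.general_log (columns event_time, user_host, thread_id, server_id, command_type, argument, as written when log_output=TABLE); the demo recreates that table in an in-memory SQLite database with constructed rows so it runs offline. The point it shows beyond the text: because the probe reads the database's own log rather than the network, a statement issued by someone logged in locally on the database host is captured too, and polling from the last timestamp inclusive (with a seen-set for that second) means nothing is skipped or shipped twice.

```python
"""Local-probe audit collector for Option One (added example, not vendor code)."""
import sqlite3

# Same column layout as MySQL's mysql.general_log, recreated in SQLite for the demo.
SCHEMA = """CREATE TABLE general_log (
    event_time   TEXT,
    user_host    TEXT,
    thread_id    INTEGER,
    server_id    INTEGER,
    command_type TEXT,
    argument     TEXT
)"""

# Constructed sample rows: an application session plus a privileged statement issued
# by a local login on the database host, the case that bypass and agent modes miss.
SAMPLE_ROWS = [
    ("2024-05-01 10:00:00", "app[app] @ [10.0.1.5]", 11, 1, "Connect", "app@10.0.1.5 on shop"),
    ("2024-05-01 10:00:00", "app[app] @ [10.0.1.5]", 11, 1, "Query",
     "SELECT id, total FROM orders WHERE id = 42"),
    ("2024-05-01 10:00:01", "root[root] @ localhost []", 3, 1, "Query", "DROP TABLE orders_archive"),
]

# Statement prefixes worth flagging for review whichever account issued them.
PRIVILEGED = ("DROP ", "ALTER ", "GRANT ", "TRUNCATE ", "CREATE USER ")


def is_privileged(argument):
    return argument.lstrip().upper().startswith(PRIVILEGED)


class AuditSink:
    """Stand-in for the independent audit server: keeps what it receives."""
    def __init__(self):
        self.records = []

    def ship(self, records):
        self.records.extend(records)
        return len(records)


class LocalProbe:
    """Polls the log table over plain SQL and ships only rows not shipped before."""
    def __init__(self, conn, sink):
        self.conn = conn
        self.sink = sink
        self.watermark = "0000-00-00 00:00:00"  # event_time of the newest row shipped
        self.seen_at_watermark = set()          # keys already shipped with that event_time

    @staticmethod
    def _key(row):
        # event_time has one-second resolution, so dedup on (time, thread, statement).
        # An identical statement repeated by one thread within the same second collapses
        # into one key; a log table with a sequence column would remove that limit.
        return (row[0], row[2], row[4])

    def poll(self):
        rows = self.conn.execute(
            "SELECT event_time, user_host, thread_id, command_type, argument "
            "FROM general_log WHERE event_time >= ? ORDER BY event_time, thread_id",
            (self.watermark,)).fetchall()
        # Reading from >= watermark (not >) still picks up a row written late with the
        # same timestamp; the seen-set prevents shipping the earlier ones twice.
        fresh = [r for r in rows if self._key(r) not in self.seen_at_watermark]
        if fresh:
            newest = fresh[-1][0]  # rows are ordered by event_time, so the last is newest
            if newest != self.watermark:
                self.watermark, self.seen_at_watermark = newest, set()
            self.seen_at_watermark.update(self._key(r) for r in fresh if r[0] == newest)
        records = [{"event_time": r[0], "user_host": r[1], "thread_id": r[2],
                    "command_type": r[3], "argument": r[4],
                    "privileged": is_privileged(r[4])} for r in fresh]
        self.sink.ship(records)
        return records


def build_demo_db():
    """In-memory SQLite stand-in for the database host, loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO general_log VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


if __name__ == "__main__":
    probe = LocalProbe(build_demo_db(), AuditSink())
    for rec in probe.poll():
        flag = "PRIVILEGED " if rec["privileged"] else ""
        print(f'{rec["event_time"]} {rec["user_host"]:28} {flag}{rec["argument"]}')
```

Against a real MySQL instance the probe would run the same SELECT through an ordinary client connection from the audit host, which is exactly what makes the mode usable on RDS offerings that grant no OS access.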

Option Two: a single-arm proxy implements database auditing and database firewall. The ANVIZ database audit/firewall runs on a separate virtual host; the APP/WEB servers point their database access at the ANVIZ host, and the database configuration is modified so that it responds only to requests from the ANVIZ host. The ANVIZ host forwards the database access traffic and records or filters it along the way, as shown in the figure below.

The advantages of this option are as follows:

1) Non-invasive: completely independent of the database server and the APP/WEB servers, with no intrusive modification of the system;

2) No packet loss: access at any peak level is recorded in full;

3) Simple to implement: no OS- or software-level changes by the cloud vendor are needed; the tenant can even deploy the database audit/firewall system independently of the cloud vendor after purchasing the cloud host;

4) Elastic auditing: the processing capacity of the audit/firewall server is adjusted elastically according to the actual audit workload;

5) High security: a third-party security product chosen by the user, whose audit content the cloud platform's operations staff cannot manipulate or control.
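The single-arm proxy of Option Two, as an added example written for this page rather than ANVIZ's product code. It assumes a toy line-oriented protocol (one statement per line, one reply line per statement) standing in for the database's real wire protocol, a ToyDatabase that answers every line with `OK: <line>`, and a constructed denylist of statement types an application account never needs at runtime. Everything listens on 127.0.0.1 with ephemeral ports so it runs offline. It shows the two properties the text relies on: every statement is recorded with a decision before it is forwarded, and the database only ever sees connections from the proxy's own address, which is what makes restricting the database to the proxy host meaningful.

```python
"""Single-arm audit/firewall proxy for Option Two (added example, not vendor code)."""
import re
import socket
import threading

# Constructed policy: statement types an application account should never issue.
BLOCKED = re.compile(r"^\s*(DROP|TRUNCATE|GRANT|ALTER)\b", re.IGNORECASE)


def decide(statement):
    """Return 'allow' or 'deny' for one statement under the policy above."""
    return "deny" if BLOCKED.match(statement) else "allow"


class ToyDatabase:
    """Stand-in for the database server: replies 'OK: <line>' to every line it gets."""
    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(8)
        self.addr = self.sock.getsockname()
        self.clients = []  # peer addresses that reached the database
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, peer = self.sock.accept()
            self.clients.append(peer)
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    @staticmethod
    def _handle(conn):
        with conn, conn.makefile("rw", encoding="utf-8", newline="\n") as f:
            for line in f:
                f.write("OK: " + line.rstrip("\n") + "\n")
                f.flush()


class SingleArmProxy:
    """Accepts application connections, records and filters each statement,
    and relays the allowed ones to the database over its own upstream connection."""
    def __init__(self, db_addr):
        self.db_addr = db_addr
        self.audit = []  # (client_ip, statement, decision), the audit trail
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(8)
        self.addr = self.sock.getsockname()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, peer = self.sock.accept()
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        # The proxy opens the upstream connection itself, so the database sees the
        # proxy's address, never the application's.
        upstream = socket.create_connection(self.db_addr)
        with conn, upstream, \
                conn.makefile("rw", encoding="utf-8", newline="\n") as client, \
                upstream.makefile("rw", encoding="utf-8", newline="\n") as db:
            for line in client:
                statement = line.rstrip("\n")
                decision = decide(statement)
                self.audit.append((peer[0], statement, decision))  # record before relaying
                if decision == "allow":
                    db.write(line)
                    db.flush()
                    reply = db.readline()
                else:
                    reply = "ERROR: blocked by policy\n"
                client.write(reply)
                client.flush()


def run_statements(proxy_addr, statements):
    """Connect the way an APP/WEB server would and return the reply to each statement."""
    with socket.create_connection(proxy_addr) as s, \
            s.makefile("rw", encoding="utf-8", newline="\n") as f:
        replies = []
        for stmt in statements:
            f.write(stmt + "\n")
            f.flush()
            replies.append(f.readline().rstrip("\n"))
        return replies


if __name__ == "__main__":
    db = ToyDatabase()
    proxy = SingleArmProxy(db.addr)
    for reply in run_statements(proxy.addr, ["SELECT 1", "DROP TABLE orders"]):
        print(reply)
    print(proxy.audit)
```

In a real deployment the "only respond to the ANVIZ host" step is done on the database side, for example by creating the application's MySQL account with the proxy's address as its host part, so that a client that bypasses the proxy cannot authenticate even if it reaches the database port.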

Test results

We deployed the above solutions on several public cloud systems and ran long-duration stress and stability tests; the conclusions are as follows.

Conclusions for Option One:

1) Under normal conditions, when the database service is not under heavy load, the audit system has almost no performance impact on the public cloud RDB service;

2) When the database service is under heavy load, the audit system has a slight impact on RDB performance;

3) In the extreme case, with the database service under sustained 100% load, performance drops by only about 10%;

4) On an ultra-high-performance host, with the database service under sustained 100% load, the audit system's impact on RDB performance does not exceed 1%;

5) When the user's database service is under heavy load, increasing the database server's performance essentially eliminates the audit system's impact on the public cloud database service;

6) Over long full-load stress tests, this solution completely eliminated the packet loss that is hard to avoid in traditional deployment modes, captured 100% of database operations and ran stably.

Conclusions for Option Two:

1) When the ANVIZ database audit/firewall is not running at full load, the added access latency is at the microsecond level and the impact on business throughput is virtually zero;

2) Over long high-load stress tests, this solution showed no packet loss and ran stably.

 

ANVIZ's cloud database security audit and firewall solution, built on more than ten years of technology accumulation, provides the necessary and elastic security management capabilities for cloud data. Beyond the advantages described above, the solution has the following outstanding strengths:

Fast: processing performance among the highest in the industry.

Ultra-high continuous processing and storage-ingestion capacity

Ultra-fast log retrieval, supporting exclusion queries and any combination of keyword queries

Ultra-high log storage capacity

Smart: intelligent automatic learning, achieving essentially zero configuration

Stable: more than ten years of accumulated technology and thousands of real-world cases; the product is stable.

Complete: fully functional and comprehensive auditing.

No packet loss: peak traffic is audited in full, nothing is dropped

No missed audits: comprehensive auditing that does not miss database access from any route

Full-featured: sensitive data discovery, performance auditing, vulnerability scanning and risk assessment

Can be deployed in any environment

Attractive: a polished reporting interface. A large number of report templates are provided, including various audit reports and security trend reports; custom report formats and templates are supported.

Fine: fine-grained access control and auditing, down to the field and statement level.

 


Origin www.cnblogs.com/csbit/p/10932129.html