Interpreting the Data Security Compliance Requirements of Classified Protection 2.0

Recently, at a national standards press conference held in the press room of the market supervision administration's Madian office area, the Classified Protection of Cybersecurity 2.0 regime was officially released. The related national standards, including "Information Security Technology: Baseline Requirements for Classified Protection of Cybersecurity", "Information Security Technology: Evaluation Requirements for Classified Protection of Cybersecurity" and "Information Security Technology: Technical Requirements for Security Design for Classified Protection of Cybersecurity", were officially released as well and take effect on December 1, 2019.

Compared with Classified Protection 1.0, version 2.0 updates the structure of the standard, the number of required items, the areas covered, the protection philosophy and the grading process. It achieves full coverage of protected objects: basic information networks, traditional information systems, cloud computing, big data, the Internet of Things, mobile Internet and industrial control systems. It moves from the passive-defense security system of the 1.0 standard to a dynamic security system of prevention beforehand, response during an event and audit afterwards, with a focus on all-round active defense, trusted security, dynamic awareness and comprehensive audit.

As a professional data security vendor, Anhua Jinhe has sorted through and interpreted the data security compliance requirements of Classified Protection 2.0.

Classified Protection Level 2

In Level 2, the general security requirements, the cloud computing security extension requirements and the reference requirements each set out data security requirements.

General security requirements

Security operation and maintenance management

7.1.10.5 Vulnerability and Risk Management

Necessary measures should be taken to identify security vulnerabilities and hidden risks, and identified vulnerabilities and risks should be repaired promptly, or repaired after the possible impact has been assessed.

Compliance Interpretation:

Potential risks in databases, such as vulnerabilities, weak passwords, default configurations and overly broad privileges, should be assessed promptly and repaired in a targeted way using a combination of manual work and technical tools.

Cloud computing security extension requirements

Secure computing environment

7.2.4.3 Data confidentiality and integrity

b) It shall be ensured that the cloud service provider or a third party has administrative privileges over cloud service customer data only with the cloud service customer's authorization.

c) The integrity of important data shall be ensured during virtual machine migration, and necessary recovery measures taken when damage to integrity is detected.

Compliance Interpretation:

A control and safeguard mechanism should be provided for cloud service customer data: the cloud service provider must obtain the customer's authorization through an approval process before it gains management privileges over the data.

Data in the cloud computing environment should be encrypted, so that even if the cloud service provider copies an image or data without permission, it cannot obtain plaintext customer data from the underlying layer.

Before migration, important databases should be backed up in the background to ensure they can be recovered. The backup work must be approved before it is authorized. At the same time, database encryption fundamentally ensures the security of data during virtual machine migration: even if the data files are reverse-analyzed, the data seen is still ciphertext.

Level 2 reference requirements

Secure computing environment

H.3.3 Secure computing environment

f) The big data platform should provide tools or service component technologies for static desensitization and de-identification;

g) For a big data platform that provides services externally, the platform or a third party may access, use and manage a big data application's data resources only with that big data application's authorization.

Compliance Interpretation:

Sensitive information on the platform should be desensitized using technical tools.

Change-type operations and maintenance should be controlled at a fine granularity through process approval, operation commands and similar means, with a complete execution record provided.

Classified Protection Level 3

In Level 3, the general security requirements, the cloud computing security extension requirements and the reference requirements set further requirements for the security area boundary, the secure computing environment, security management personnel, the secure communication network and other areas.

General security requirements

Security area boundary

8.1.3.2 Access Control

c) The source address, destination address, source port, destination port and protocol should be checked in order to allow or deny packets in and out;

e) Access control based on application protocol and application content should be implemented for data flows entering and leaving the network.

Compliance Interpretation:

Fine-grained control over database protocol content should be applied based on factors such as address, IP, time, the statement executed and the statement's scope of impact.

Secure computing environment

8.1.4.2 Access Control

f) The granularity of access control should reach user level or process level for subjects, and file or database table level for objects;

g) Security labels should be set on important subjects and objects, and subjects' access to information resources carrying security labels should be controlled.

8.1.4.8 Data confidentiality

b) Cryptographic techniques should be used to ensure the confidentiality of important data during storage, including but not limited to authentication data, critical data and important personal information.

8.1.4.11 Protection of Personal Information

a) Only the user personal information necessary for the service should be collected and stored;

b) Unauthorized access to and illegal use of personal information shall be prevented.

Compliance Interpretation:

Control database operations at a fine granularity: by subject (database accounts, applications, application accounts), by operation object (tables, columns, stored procedure names) and by SQL statement.

Implement enhanced access control based on ciphertext, preventing highly privileged subjects such as DBAs from accessing sensitive data objects.

Access control over protected object fields is independent of the database's own privilege control, which prevents subjects from reaching protected data by escalating database user privileges.

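Restrict access by subject user, by operation (DML, DDL, DCL) and by object.

An encrypted storage mechanism fundamentally ensures data security. Encryption by column or by tablespace can be supported.

Take inventory of the personal information collected through business systems, apps and other channels, and make clear what data the business systems need, to avoid excessive or illegal collection of personal information.

The information collected by business systems should be sorted and inventoried, and the use of personal information should be managed and controlled.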

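Security management personnel

8.1.8.4 External personnel access management

d) External personnel who have been granted system access should sign a confidentiality agreement, must not perform unauthorized operations, and must not copy or disclose any sensitive information.

Compliance Interpretation:

External personnel's access to databases and similar operations should be supervised and controlled.

Security construction management

8.1.9.3 Product procurement and use

b) It should be ensured that the procurement and use of cryptographic products and services meet the requirements of the national cryptography administration authority.

Compliance Interpretation:

Products that meet the cryptography administration's requirements and hold the corresponding qualifications should be procured.

Security operation and maintenance management

8.1.10.2 Asset management

b) Assets should be identified and managed according to their importance, and management measures selected according to their value;

8.1.10.6 Network and system security management

g) Change-type operations and maintenance should be strictly controlled: connections may be changed, system components installed or configuration parameters adjusted only after approval; an unalterable audit log should be kept during the operation, and the configuration information base should be updated in step once the operation ends;

i) The opening of remote operations and maintenance should be strictly controlled: a remote operations and maintenance interface or channel may be opened only after approval; an unalterable audit log should be kept during the operation, and the interface or channel should be closed immediately after the operation ends.

Compliance Interpretation:

After existing assets have been inventoried, apply different levels of security protection according to business importance.

Change-type operations and maintenance should be controlled at a fine granularity through process approval, operation commands and similar means, with a complete execution record provided.

Database operations and maintenance should be subject to process control and complete auditing.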

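Cloud computing extension requirements

Secure communication network

8.2.2.1 Network architecture

e) Open interfaces or open security services should be provided, allowing cloud service customers to connect third-party security products or to select third-party security services on the cloud computing platform.

Compliance Interpretation:

Cloud service customers should, according to their security needs, choose to bring in third-party products that are independent of the platform.

Security area boundary

8.2.3.3 Security audit

b) It should be ensured that the cloud service provider's operations on cloud service customer systems and data can be audited by the cloud service customer.

Compliance Interpretation:

A third-party audit capability independent of the cloud service provider should be in place, ensuring the ability to audit the cloud service provider's operations on cloud service customer data.

Secure computing environment

8.2.4.4 Image and snapshot protection

c) Cryptographic or other technical means should be used to prevent illegal access to sensitive resources that may exist in virtual machine images and snapshots.

Compliance Interpretation:

A control and safeguard mechanism should be provided for cloud service customer data: the service provider must obtain the cloud service customer's authorization through an approval process before it gains management privileges over the data.

8.2.4.5 Data integrity and confidentiality

d) Cloud service customers should be supported in deploying key management solutions, ensuring that cloud service customers carry out the encryption and decryption of data themselves.

Compliance Interpretation:

Data in the cloud computing environment should be encrypted, so that even if the cloud service provider copies an image or data without permission, it cannot obtain plaintext customer data from the underlying layer.

Database encryption should be used to separate ciphertext management privileges from database privileges, so that cloud service customers can manage their data themselves.

Security management center

8.2.5.1 Centralized management

c) According to the division of responsibilities between the cloud service provider and the cloud service customer, audit data for the parts each controls should be collected, and each should implement its own centralized audit;

Compliance Interpretation:

A database audit capability should be in place, and audit information should be partitioned to avoid leakage of audit information.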

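Reference requirements

Big data applications

Secure computing environment

H.4.3 Secure computing environment

h) The big data platform should provide data classification and grading security management functions, so that big data applications can apply different security protection measures to data of different categories and levels;

i) The big data platform should provide a function for setting data security labels, with authorization and access control measures based on those labels, to meet the requirement for fine-grained authorization and access control management;

j) The big data platform should support classified and graded handling of data at every stage, including collection, storage, processing and analysis, and ensure that security protection policies remain consistent;

k) Access control should be enforced on calls to important data interfaces and important service interfaces, including but not limited to operations such as data processing, use, analysis, export, sharing and exchange;

l) Important data should be protected during data cleaning and transformation, to ensure its consistency after cleaning and transformation, avoid data distortion, and allow effective restoration and recovery when problems occur;

m) The processes of data collection, processing, analysis and mining should be tracked and recorded, ensuring that provenance data can reproduce the corresponding process and that provenance data meets compliance audit requirements;

n) The big data platform should ensure that the audit data of different customers' big data applications is stored in isolation, and provide the ability to collect, aggregate and centrally analyze different customers' audit data.

Compliance Interpretation:

A complete database asset inventory should be established, and different database defense schemes selected according to the security level of the data.

Using technical tools such as database encryption, apply security labels to important data in the database; access to labeled data must satisfy strict access conditions.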

There should be the ability to inventory data and ensure the completeness of data assets, providing a basis for classification and grading.

Database access control should be in place. Control targets include, but are not limited to, time, IP, command and the statement's scope of impact.

A reversible desensitization capability should be in place, while preserving consistency and the correlations between desensitized data.

There should be traceability of data use and distribution.

There should be the ability to audit different customers and different databases separately.

Big data applications

Security operation and maintenance management

H.4.5 Security operation and maintenance management

b) A data classification and grading protection strategy should be developed and implemented, with different security protection measures for data of different categories and levels;

c) On the basis of data classification and grading, the scope of important digital assets should be delimited, and the usage scenarios and business processes in which important data is automatically desensitized or de-identified should be made clear;

d) Data categories and levels should be reviewed periodically; where the category or level of data needs to change, the change should be carried out according to the change approval process.

Compliance Interpretation:

Different database defense schemes should be chosen according to the level of the data.

Depending on the business scenario, select a desensitization scheme such as full replacement, partial replacement or partial masking.
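The three desensitization schemes named above, together with the reversible, consistency-preserving desensitization called for in the H.4.3 interpretation, sketched as an added example that is not from the original article or any vendor product. The key, the token format, the `TokenVault` class and the sample rows are assumptions constructed for illustration.

```python
import hashlib
import hmac

DEMO_KEY = b"constructed-demo-key"  # assumption: real keys come from a key manager

def full_replace(value: str) -> str:
    """Full replacement: nothing of the original survives except its length."""
    return "*" * len(value)

def partial_mask(value: str, head: int, tail: int) -> str:
    """Partial masking: keep `head` leading and `tail` trailing characters."""
    if len(value) <= head + tail:      # too short: a partial mask would reveal everything
        return "*" * len(value)
    return value[:head] + "*" * (len(value) - head - tail) + value[len(value) - tail:]

def partial_replace(value: str, start: int, end: int, key: bytes = DEMO_KEY) -> str:
    """Partial replacement: swap value[start:end] for keyed pseudo-random digits.
    The same input always yields the same output, so results stay consistent."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).digest()
    fake = "".join(str(digest[i % 32] % 10) for i in range(len(value[start:end])))
    return value[:start] + fake + value[end:]

class TokenVault:
    """Reversible desensitization: deterministic tokens plus a protected reverse map."""
    def __init__(self, key: bytes = DEMO_KEY):
        self._key = key
        self._reverse = {}             # token -> original; must itself be access-controlled

    def tokenize(self, value: str) -> str:
        token = "tok_" + hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()[:16]
        self._reverse[token] = value
        return token

    def detokenize(self, token: str, approved: bool = False) -> str:
        if not approved:               # reversal is gated on an approval decision
            raise PermissionError("detokenization requires approval")
        return self._reverse[token]

def desensitize(customers, orders, vault):
    """Mask two constructed tables while keeping the phone join key correlated."""
    cust = [{"name": full_replace(c["name"]), "phone": vault.tokenize(c["phone"]),
             "id_card": partial_mask(c["id_card"], 6, 4)} for c in customers]
    ords = [{"order_id": o["order_id"], "phone": vault.tokenize(o["phone"])} for o in orders]
    return cust, ords

# Constructed sample rows (not real data).
CUSTOMERS = [{"name": "Zhang San", "phone": "13800000001", "id_card": "110101199003071234"}]
ORDERS = [{"order_id": 1, "phone": "13800000001"}, {"order_id": 2, "phone": "13900000002"}]
```

Because tokens are deterministic under one key, the phone column still joins across both tables after desensitization, while reversal goes only through the approval-gated vault.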

Important data should be regularly inventoried and located using technical tools, in support of assessing the data.

As an advocate of the national data security governance concept, Anhua Jinhe actively responds to the requirements of Classified Protection 2.0 and offers corresponding solutions to help users achieve compliance, so that data use is free and secure.


Origin blog.51cto.com/schina/2401686