Security hardening of a government cloud database

In October 2016, ANVIZ was invited to take part in the e-government cloud construction project of a city in southern China and to undertake the cloud data security protection part of the project. The cloud database security hardening solution implemented in that project is shared here.

Cloud computing lets a government cloud manage e-government IT resources centrally and allocate them on demand, which saves investment in IT resources and reduces their consumption. But an e-government system built on the cloud model also faces cyber threats and malicious attacks, and it raises the bar for data security and privacy protection in particular. Because data management and data ownership are separated in the cloud, data security and privacy protection become especially prominent. Only when both the availability and stability of the network and the security and privacy of the data are assured will the various government departments (the commissions, offices and bureaus) be willing to migrate their business onto the unified government cloud platform.

The main new security risks that the government cloud database platform faces are the following:

1. The e-government cloud data center is connected to the Internet, or at least to a large private network, and is therefore exposed to a much wider range of network attacks;

2. Computing and network resources on the government cloud platform are fully virtualized and distributed, so the physical boundary of a tenant's network disappears and traditional network perimeter protection can no longer guarantee data security;

3. Because of the multi-tenant architecture, a malicious tenant on the same government cloud platform could use a virtual machine escape or a similar attack to reach data in the database;

4. The government cloud service provider holds superuser privileges, and tenants have no means of defending themselves against an untrusted cloud service provider.

After several in-depth exchanges with the customer and thorough communication with the builder of the government cloud platform, and drawing on many years of practical experience in database security, we worked out the real requirements for cloud database security on a government cloud platform. In summary, they are the following:

1. Meeting policy and compliance requirements. Shao Guoan, director of the e-government extranet security office of the State Information Center, has stressed that "government clouds must be built to level 3 or above of the classified protection scheme, and important data must be encrypted". In addition, the National Security Law, the Cybersecurity Law and the cloud security standards all contain explicit provisions on data security protection. Both the department operating the government cloud and the commissions, offices and bureaus moving onto it must meet these regulatory requirements for data security management.

2. Visibility of cloud data activity. Once the commissions, offices and bureaus hand their data over to the unified government cloud platform for storage and management, access to the cloud databases by the platform's technical staff must be recorded and audited. At the same time, each tenant must be able to record and audit access to its own databases. This is the most basic security requirement.

3. Control of cloud data activity. Control means active defense of the cloud database: data security is ensured by controlling access to the cloud database and the operations performed on it. This has two aspects. First, leak prevention: protecting sensitive information in the cloud database from being viewed in part or in full, or dumped and copied in bulk. Second, tamper prevention: protecting sensitive information in the cloud database from illegal modification or deletion. As with visibility, control of cloud data activity is a must both for the cloud platform and for each tenant.

It can be said that visibility, control and compliance management of cloud databases are the fundamental way to solve the cloud database security problem.

Based on this idea of visibility, control and compliance, we designed a complete solution for cloud database security management, summarized as: "put the data in a cage, and bring data access into the sunlight".

The scheme can be summarized in the following aspects:

1. Fine-grained access control together with encryption and desensitization of sensitive content: putting the data in a cage.

Fine-grained access control: a fine-grained whitelist is generated automatically by learning normal traffic; queries and access outside it are blocked to prevent leakage of sensitive data, and abnormal or non-compliant modify and delete operations are blocked to prevent sensitive data from being tampered with illegally;

Encryption and desensitization of sensitive content: sensitive content is selectively encrypted and desensitized so that the loss of online storage or backup media does not leak sensitive data. Enhanced permission management for the encrypted sensitive data prevents leaks caused by abuse of privileges, by misuse of legitimate privileges or by stolen privileges. Operators, application systems and development and test environments are given quasi-real (desensitized) data instead.

2. Comprehensive auditing of cloud data activity: bringing data access into the sunlight. The distribution, performance, access and activity of cloud data are monitored and recorded from all angles to support after-the-fact auditing and tracing; abnormal activity and data risks are detected and raise alarms; and visual reports are produced to support analysis.

Following these ideas, the ANVIZ government cloud database security hardening solution was built on the company's own series of database security hardening products. The specific deployment is shown in the figure below:

The main points of the solution are as follows:

1. Deploy a database audit system for all databases

Deploy the Ann Shite software probe on the databases to achieve comprehensive auditing;

Enable the database risk assessment function to assess the security state of the database systems comprehensively;

Enable the learning function to generate a whitelist baseline model of access rules automatically;

Enable intrusion detection to detect illegal operations against the databases.

2. Deploy a database firewall for the more important databases

For the more important and more exposed systems, in particular databases that provide services to the outside, deploy a database firewall;

Enable intrusion prevention to ward off SQL injection attacks and attacks on database vulnerabilities, and to prevent misuse such as full-table deletes and abuse of superuser privileges;

Enable the learning function to generate whitelist rules and add blacklist rules manually, which solves the difficulty of configuring detailed database firewall rules.
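The learning-based whitelist that points 1 and 2 rely on, as an added illustration (not ANVIZ product code): statements are reduced to a fingerprint with literals removed, fingerprints seen during a learning window form the whitelist, and a request is then allowed only if its fingerprint was learned, is not matched by a manually added blacklist rule, and is not a full-table write without a WHERE clause. The statements, table names and the `^drop ` rule are constructed for the example.

```python
import re
from collections import Counter

# Patterns that reduce a statement to its shape (added example, not ANVIZ code).
_COMMENT = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)
_STR = re.compile(r"'(?:[^']|'')*'")                    # 'text' literals
_NUM = re.compile(r"(?<![\w.])\d+(?:\.\d+)?(?![\w.])")   # bare numbers
_LIST = re.compile(r"\(\s*\?(?:\s*,\s*\?)*\s*\)")        # (?, ?, ?) -> (?)

def fingerprint(sql):
    """Literals -> ?, IN-lists collapsed, comments/case/whitespace normalised."""
    s = _LIST.sub("(?)", _NUM.sub("?", _STR.sub("?", _COMMENT.sub(" ", sql))))
    return re.sub(r"\s+", " ", s).strip().rstrip(";").strip().lower()

class SqlWhitelist:
    """Learn statement shapes in a learning window, then allow only those shapes.
    Operator blacklist rules and the no-WHERE write guard apply regardless."""
    def __init__(self):
        self.baseline = Counter()   # fingerprint -> times seen while learning
        self.blacklist = []         # compiled regexes matched on fingerprints
    def learn(self, sql):
        self.baseline[fingerprint(sql)] += 1
    def add_blacklist(self, pattern):
        self.blacklist.append(re.compile(pattern))
    def decide(self, sql):
        fp = fingerprint(sql)
        if fp.startswith(("delete from ", "update ")) and " where " not in fp:
            return "BLOCK", "full-table write without WHERE", fp
        for rx in self.blacklist:
            if rx.search(fp):
                return "BLOCK", "blacklist rule " + rx.pattern, fp
        if fp in self.baseline:
            return "ALLOW", "learned baseline", fp
        return "BLOCK", "shape not in learned baseline", fp

def demo():
    """Constructed traffic: learning-phase statements, then five decisions."""
    fw = SqlWhitelist()
    for sql in ["SELECT name, dept FROM staff WHERE id = 17",
                "UPDATE staff SET phone = '0755-1234' WHERE id = 17",
                "SELECT * FROM cases WHERE status IN ('open', 'pending')"]:
        fw.learn(sql)
    fw.add_blacklist(r"^drop ")   # manually added rule: this app issues no DDL
    return {k: fw.decide(q)[0] for k, q in {
        "same_shape": "SELECT name, dept FROM staff WHERE id = 99",
        "in_list": "SELECT * FROM cases WHERE status IN ('open','closed','x')",
        "tautology": "SELECT name, dept FROM staff WHERE id = 99 OR 1=1",
        "full_table": "DELETE FROM staff",
        "ddl": "DROP TABLE staff"}.items()}
```

The same fingerprinting also drives the audit side: recording the fingerprint rather than the raw statement lets the baseline learned in point 1 be exported as the firewall whitelist in point 2.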


3. Deploy a database encryption system for especially important databases

Encrypt the sensitive fields of especially important databases;

Control access to the sensitive data through a separation-of-powers access control system, so that the data remains secure;

Rotate the keys regularly to keep the encrypted data secure.

4. Deploy a dynamic desensitization system for especially important databases

For operation and maintenance work, set dynamic desensitization rules so that operations staff cannot see the real data;

For application systems that need to be controlled, set dynamic desensitization rules so that the applications see quasi-real, desensitized data.
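As an added illustration of the two kinds of dynamic desensitization rule just described (not ANVIZ product code): a result set is rewritten per requesting role, operations staff get partially starred values, the test application gets keyed, format-preserving pseudonyms that stay consistent across rows, and roles with no rule see the data unchanged. Role names, column names, sample rows and the key are constructed.

```python
import hashlib
import hmac

DIGITS, LETTERS = "0123456789", "ABCDEFGHJKLMNPQRSTUVWXYZ"

def mask_partial(value, head, tail, ch="*"):
    """Show only the head and tail characters: 13812345678 -> 138****5678."""
    if len(value) <= head + tail:
        return ch * len(value)
    return value[:head] + ch * (len(value) - head - tail) + value[-tail:]

def pseudonym(value, key, alphabet, length):
    """Keyed, deterministic replacement: equal inputs give equal outputs, so
    joins and counts still work on masked data, but the real value cannot be
    recovered without the key held by the masking layer."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return "".join(alphabet[b % len(alphabet)] for b in digest[:length])

# (role, column) -> rule. A role with no rule for a column sees it unchanged.
# Role and column names are constructed for this example.
RULES = {
    ("ops", "name"):           lambda v, k: v[:1] + "**",          # 张三 -> 张**
    ("ops", "id_number"):      lambda v, k: mask_partial(v, 6, 4),
    ("ops", "phone"):          lambda v, k: mask_partial(v, 3, 4),
    ("test_app", "name"):      lambda v, k: pseudonym(v, k, LETTERS, 6),
    # region prefix kept, remaining digits replaced: still an 18-digit ID shape
    ("test_app", "id_number"): lambda v, k: v[:6] + pseudonym(v, k, DIGITS, 12),
    ("test_app", "phone"):     lambda v, k: v[:3] + pseudonym(v, k, DIGITS, 8),
}

def apply_masking(columns, rows, role, key):
    """Rewrite a result set (list of row tuples) for the requesting role."""
    return [tuple(v if v is None else RULES.get((role, col), lambda v, k: v)(v, key)
                  for col, v in zip(columns, row)) for row in rows]

# Constructed sample result set and masking key (not real people or a real key).
COLUMNS = ("name", "id_number", "phone", "dept")
ROWS = [("张三", "440301199001011234", "13812345678", "Civil Affairs"),
        ("李四", "440301198512255678", "13912345678", "Civil Affairs")]
KEY = b"example-masking-key-rotate-regularly"

if __name__ == "__main__":
    for role in ("ops", "test_app", "owner_app"):
        print(role, apply_masking(COLUMNS, ROWS, role, KEY))
```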


Through the above solution, the data security management needs of the government cloud are met effectively: data security becomes visible, data becomes secure and controllable, and data security becomes compliant. Beyond these major benefits, the ANVIZ government cloud data security management solution brings the following value to the government cloud platform and its tenants:

Simpler business management and stronger data security management capability;

An improved defense-in-depth system and stronger overall security capability;

Fewer violations involving core data assets, safeguarding business continuity;

Elimination of SQL injection attacks at the root;

Protection of the government's credibility and reputation.

In summary, the ANVIZ government cloud data security management solution provides comprehensive, high-level protection for government data in the cloud environment. Protecting government data in the cloud effectively will greatly accelerate the migration of China's e-government onto the cloud.


Source: www.cnblogs.com/csbit/p/10945191.html