Chief security of the two cloud database

 


The information age has now entered the era of data, and the value of data is being further highlighted and mined. At the same time, data has become a company's core asset. Accordingly, cyber attacks that target data have become the data security threat of the new era. Verizon's reports show that data breaches are becoming more widespread and their consequences increasingly serious.

In 2015, nearly 80,000 companies worldwide were hacked, of which 2,122 publicly confirmed that information was stolen; the world's top 500 enterprises accounted for a large share of them. 2016 was a year of concentrated data leakage outbreaks, which even led to a degree of social panic, and several vulnerability publishing platforms were forced to close.

The network security and operating system security products already on the market protect data from different directions. However, because they sit far away from the real data, that is, the database, they cannot fundamentally prevent these leakage risks. Only by adding database-centric protection for this part of the data to the existing security system, and deploying a specialized data security management system, can the data security problem be solved fundamentally.

 

A provincial government cloud platform hosts a large number of government applications. The hosted database servers are deployed on physical machines beneath the cloud; all the databases are Oracle, with probably more than 300 instances. The government applications are deployed in the cloud. The business resource layer is divided into the government information network service area, the hosting area, the test area and the cloud platform management area; the database servers in the hosting area are the focus of protection.

Two specific issues need to be addressed:

(1) The first is data security inside the government cloud, that is, the security of government data while internal cloud personnel carry out operation and maintenance;

(2) The second is data security management for the tenants of the government cloud.

 

 

  Overall program

Based on years of experience in data security management, our company's data security management idea is "put the data in a cage and let it be accessed in the sunlight." As shown below.

 

1) Comprehensive auditing of data activity. Closely track access to sensitive data, both from external users and from internal personnel, with particular attention to auditing bulk access, unauthorized operations and privileged operations;

2) Fine-grained access control. Block abnormal and illegal queries and access as well as SQL injection attacks, and prevent sensitive data from being leaked or destroyed;

3) Desensitization of sensitive content. For different systems and operation and maintenance personnel, dynamic desensitization presents sensitive data in different ways in real time, through masking, replacement and similar means, to prevent data leakage; for data used in outside environments such as development and testing, static desensitization desensitizes sensitive data in bulk so that real sensitive data does not leak.

4) Encryption of sensitive content. Selectively encrypt sensitive content so that sensitive data is present as ciphertext when stored and backed up. By controlling encryption and decryption rights, this provides enhanced rights management for access to sensitive data and prevents data leakage caused by theft or misuse of superuser privileges.
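As an added illustration of item 3 (this is not code from the original article or from the vendor's products), the following Python example contrasts dynamic desensitization, applied per role to query results, with static desensitization, which builds a development/test copy containing no real values. The sample rows, column names, the `app` and `ops` role names and the keyed HMAC replacement used for the static copy are all assumptions made for this example.

```python
import hashlib
import hmac

# Constructed sample rows; the column names and role names are assumptions.
ROWS = [
    {"id": 1, "name": "Zhang Wei", "id_card": "110101199003071234", "phone": "13812345678"},
    {"id": 2, "name": "Li Na", "id_card": "310104198511225678", "phone": "13987654321"},
]

def mask_keep(value, head, tail):
    """Keep `head` leading and `tail` trailing characters, star out the rest."""
    if len(value) <= head + tail:
        return "*" * len(value)          # too short to reveal anything safely
    middle = "*" * (len(value) - head - tail)
    return value[:head] + middle + value[len(value) - tail:]

# Dynamic desensitization: per-role rules applied to each result row at query time.
DYNAMIC_POLICY = {
    "app": {},                            # business application sees real values
    "ops": {                              # operation and maintenance staff
        "name": lambda v: mask_keep(v, 1, 0),
        "id_card": lambda v: mask_keep(v, 6, 4),
        "phone": lambda v: mask_keep(v, 3, 4),
    },
}

def dynamic_view(rows, role):
    """Return masked copies of rows for `role`; unknown roles fail closed."""
    policy = DYNAMIC_POLICY.get(role)
    result = []
    for row in rows:
        masked = dict(row)                # never modify the stored data
        for col, val in row.items():
            if not isinstance(val, str):
                continue
            if policy is None:
                masked[col] = "*" * len(val)
            elif col in policy:
                masked[col] = policy[col](val)
        result.append(masked)
    return result

def pseudonymize_digits(value, key):
    """Keyed, deterministic replacement with a digit string of the same length."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return str(int(digest, 16))[:len(value)].rjust(len(value), "0")

def static_copy(rows, key):
    """Static desensitization: build the dev/test copy with no real values in it."""
    return [{"id": r["id"], "name": f"user_{r['id']:06d}",
             "id_card": pseudonymize_digits(r["id_card"], key),
             "phone": pseudonymize_digits(r["phone"], key)} for r in rows]
```

Because the static replacement is keyed and deterministic, the same real value maps to the same substitute in every table, so joins in the test database still work while the key stays on the production side.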

 

  Implementation plan

The data security solution above is implemented with our series of database security hardening products. Given the specific network conditions, the specific implementation is as follows:

 

For the government cloud and its internal operation and maintenance staff:

1) Deploy a dynamic database desensitization system in front of the physical database servers, so that operation and maintenance personnel can carry out their work without coming into contact with real data, preventing the leakage of sensitive data;

2) Deploy a static database desensitization system in front of the physical database servers, so that data moving from the production database to the development / test databases is desensitized as required; development and test databases are generated in bulk on a regular basis, preventing development and testing personnel from coming into contact with real data;

3) Deploy a database auditing system in front of the physical database servers, in bypass mode or by optical splitting. It records database access operations and automatically discovers database attacks and unauthorized behavior, acting as a deterrent and providing a basis for after-the-fact tracing;

4) Deploy a database encryption system to protect particularly important sensitive data, so that even if the data is stolen the plaintext cannot be seen;

5) Applications can access the database either through the firewall or through dynamic desensitization.

The solution for tenants and their staff:

1) Tenants on the cloud can choose whether to use auditing, firewall, encryption and desensitization; in this case our devices are deployed as virtual machines;

2) Auditing on the cloud is achieved with a unique DB probe. The probe is implemented with SQL statements; it obtains and records all access to the tenant's database and sends it to an independently running database audit server;

3) The tenant's operation and maintenance personnel access the database through dynamic desensitization, or through both dynamic desensitization and the firewall;

4) The database firewall and dynamic desensitization on the cloud are deployed as single-arm proxies. The database firewall / dynamic desensitization forwards database access traffic, recording or filtering the access as the case requires. The database firewall system builds firewall rules through automatic learning, preventing SQL injection, unauthorized data access and other attacks on the database at the source. The dynamic desensitization system prevents the tenant's internal office staff from leaking sensitive information via screenshots and other means.

 

ANVIZ's data security management solution is implemented with database auditing, database firewall, database encryption and database desensitization products. The solution completely solves the data leakage dilemma that your organization faces across a wide range of information systems. The advantages of this solution are:

Fast: high processing performance in the industry:

Continuous processing capacity: 1 to 100,000 SQL / s

Log retrieval speed: < 10 seconds, 100 million records, any combination of keyword query

Log storage capacity: 30 to 10 billion SQL / TB

Indexed encryption rate: > 9k / s

Intelligent: intelligent automatic learning, essentially achieving zero configuration;

Stable: more than ten years of accumulated technology, domestically leading patented technology, thousands of real-world cases, stable products;

Complete: full functionality and comprehensive auditing:

No packet loss: complete auditing without loss at peak traffic

No missed audits: all-round auditing that does not miss access to the database from any route

Full-featured: sensitive data discovery, performance auditing, vulnerability scanning and risk assessment

Can be deployed in any environment

Attractive: attractive reports and interface. A large number of report templates are provided, including a variety of audit reports and security trends. Reports support custom formats and templates;

Fine: fine-grained access control and auditing, down to the field and statement level.

Origin www.cnblogs.com/csbit/p/10951150.html