dbsec-凯发k8游戏

data security products series

dbsec database encryption system (des)

product overview

dbsec database encryption system (des) is a database security product based on transperant database communication encryption technology, provides multiple functions such as sensitive data encrypted storage, access control consolidation, application access security control, users commutative monitoring, etc.

based on two core mechanisms, the encryption storage mechanism on the bottom layer and the independent privileges control mechanism, des prevents the data breaches result by plaintext storage, the external intrusion for the purpose of stealing sensitive data, the data abuse of internal high privilege users, the direct data decryption through bypass the legal application system, and solves data breaches problems at “the last kilometer”.

des provides various encryption methods, such as column encryption, table encryption, table space encryption for different use scenarios and security requirements. combined with the patented core technologies, such as transparent encryption and decryption, ciphertext indexing and so on, des features excellent adaptation and practicability, and achieves the high security of data, the complete trasperant of application, and high-efficiency access of encryption.

des currently supports windows, aix, linux, solaris and many other platforms, supports a variety of international mainstream databases such as oracle, mssql, mysql, etc., and domestic databases such as dm. des provides many highly available deployment patterns, in which des can be deployed as master, slave, emergency and so on, to meet the various deployment demandings of users. its encryption and decryption algorithms are in accordance with national encryption standards, and it is compatible with a variety of international commercial algorithms. des provides extensible encryption devices and encryption algorithm interfaces, can work with various encryption cards and machines. des goes for government, education, military, confidential, electricity and many other industries, and compliance with the laws and regulations in national classified cybersecurity protection law, grading protection law, military confidential regulations, etc.

product values

prevent data breaches result by plaintext storage

the loss of data file, log file and backup file who are stored unencrypted in the bottom layer of database may bring data branches risks. take oracle as an example, there are many software in the market that can directly analyze the plaintext stored data file, and output clear and structured data, such as aul and mydul.

des ensures the data security fundamentally by storage encryption function. so the data is unreadable even after reverse data analysis.

prevent external intrusion for the purpose of stealing sensitive data

database is a large scale system with high complexity. take oracle as an example, it reported more than 1,000 kinds of security vulnerabilities, and it is still in increasing. once attackers exploit these database vulnerabilities, they get sensitive data easily.

des strengthens the verification of user password, provides idependent password management and ciphertext control system. so even attackers break the database privilege control system, they still can not access to the sensitive data.

prevent the illegal data access of legal users

the legal database user’s username and password of application system usually exposed to a third-party due to human factor or poor management. then the third-party can steal the data in patches through commands and management tools.

des has capability to protect application security, can bind the legal database users with application systems, after that, users can access to the ciphertext data through the specific application system, but can’t by any other ways such as the commands.

prevent data stealing of internal high privilege users

limited by export policies, superusers (represent by sys, sysdba and sa) originally have the privileges of data access and data authorization in the database systems on c2 security level. and in large enterprises or government bodies, besides system administrator, some database users (represent by data analyst, programmer and service outsourcing personnel) can also access to sensitive data. these sensitive data access privileges has nothing to do with business that bring great risks of data breaches. the built-in encryption and decryption technologies of database can not slove the problems of high-privilege users access to sensitive data fundamentally.

des provides a privilege separation mechanism, with three kinds of privileges in it who monitors each other, effectively splits the privileges of privileged users. it adds the user type: security administrator (dsa). without the authorization of dsa, even dba can not access to the ciphertext data. and it adds the user type: audit administrator (daa), who audits and traces the authorization of dsa.

product advantages

transperant data encryption

des supports the encryption algorithm that required by national password management organizations, and also supports internaltional mainstream encryption algorithms. it provides column, table and table space encryption configurations for databases, ensures sensitive data stored in ciphertext. des encrypts the data files, also the log files and index files, to strengthen the security of storage.

the meaning of transperant data encryption: firstly, it is transperant for application system and operation tools, which means users and developers needn’t change their application system, the existed backup and recovery operation behaviors; furthermore, it displays the plaintext data for those who have the access privilege of encrypted data, and the encryption and decryption process are complete transperant for users.

data query with high efficiency

after data encryption, des can also provide index capability for the encrypted data, to keep the efficient access capability of databases.

through the index technology of encrypted data, des breaks the limitations of using modified encryption and network equipment encryption in ciphertext index query. des ensures the high security of index data, and at the same time provides the query capability of encrypted data. some operations on the encrypted columns can also use the index, such as equal to, greater than, less than, and like.

access control consolidation

des adds the user type: data security administrator (dsa). dsa is independent from the dba, and they work together to strengthen the access control of sensitive fields, to achieve the real accordance of responsibility and privilege. dba controls the general access control of common fields, and dsa controls the creation, masking and encryption access privilege of sensitive data.

based on the encryption storage, des performs the access control on database users on force by the independent password management system and privilege control mechanism. it prevent efficiently the illegal access of high privilege users to sensitive datas. so even the high privilege users such as sys, sysdba or sa, can’t access to the encrypted data without the authorization of des.

application identity security

des provides encryption data access control based on the roles, ip address and time range, and can identify the applications. des binds the legal users with application systems, after that, a user can access to the ciphertext data through the specific application system, but can’t by any other ways such as the commands, management tools.

des judges the abstract value and connect random seeds of application programs and systems, ensures the application identity lable is unforgeable, and the legal connection is non-replayable.

high usability and easy to maintain

des provides high-usability supports and abnormal troubleshooting capability based on its technologies of data integrated storage, rac support, double hot standby, emergency mode, multi-process redundancy, trasnperant trouble switch, data error neglect, backup recovery, etc.

des is with high stability, reliability and productization. it provides graphical management interface, makes itself easy to use. des can be installed and deployed within half an hour, and its security can be strengthened (data encryption protection) within a day. des has rapidly and accurately intergrated decryption capability, to ensure the application system can be operated normally after the decryption.