dbsec-凯发k8游戏

background

the information security technology-baseline for classified cybersecurity protection law is the basic system, strategy and measure for national information security assurance. it is the fundamental of protect informationalized development and maintain network security, the reflection of national network security assurance.

the classified protection law v2.0 was issued on 13th may, 2019, and it was officially used on 1st, december. the issue is a milestone event, which marks china’s data classification protect has stepped into a new era, is of great significance to enhance national cyber security protection capability and safeguard national space security.

compared with v1.0, v2.0 updated the structure, request items count, scope, protection idea, classification process, etc., covers all the protection objects such as traditional system, basic information network, cloud computing, big data, lot, mobile internet, industrial control information, etc. version 2.0 switches from a passive defensive security system of version 1.0 to a dynaic assurance system which focus on omnibearing posive protection, safe and trustable, dynamically situational awareness and comprehensive audit.

security challenges

compliance challenges

as security standards are upgraded, enterprises are facing compliance challenges. the classified protection law v2.0 brings new challenges to enterprises of data security compliance on both technology and management. on the management, three necessary elements are required for enterprises, they are “organizaiton”, “system” and “personnel”, their operating management must be safe. and on the technology, from security zone boundary to security computing environment, enterprises should perform integral protection and comprehensive audit for both internal and external.

classified protection law’s requirements for data security:

◆finer granularity: control the db policy and content with more finer granularity such as ip address, time, sql statement, affect scope, etc.

◆enterprises need to use password to ensure the security of important data in storage process, and claims that ”use system to manage data, authenticate the storage security of information and important business data”.

◆“record the user behavior, security event, etc”.

◆control the process of db operating and audit the operationg behavior comprehensively, and perform a fine-grained control for the change operation through process approval and operation command, etc., and provide integrated bevaior records.

◆after carding the existing assets, perform different level of security protection according to the important degree of business.

◆monitor and control the access and operation performed by the external personnel.

◆have the reversible masking capability, and at the same time ensure the consistency and relevance between the masked data.

◆check and count the privacy information selected from business system, app, etc., and clarify the data that required by the business system. avoiding over select or illegal collection of privacy information.

high growth data security risk challenges

data security risk grow rapidly, and data leakage suffering great losses. according to a annual report of ibm, the influence that data breaches imposed on enterprise business has increased 12% on cost for the past five years. now the average cost of data breaches reach $3.92 million. the increasing number proves that the data breaches, the growing number of regulations and the complex criminal defense process, will impose a financial influence on the business for the years to come.

business influence that caused by data breaches are more serious in smes. according to the research, the enterprises whose employees are less than 500 cost more than avg $2.5 million, this is a big loss for small businesses who typically can make no more than $50 million a year. enterprises are facing the challenge of how to bulid a more efficient internal risk control system, of which the risk to data security have increased dramatically as the increased data values.

security aduit accountability and accountability challenges

when db system are invaded and illegally operated, the destroy and breaches bevavior performed by hackers or illegal personnels can not be located accurately, which seriously hinder the investication and evidence collection by the auditing department in the future.

security solution

data security solution of classified protection law v2.0

as a professional data security vendor, dbsec combs the data security requirements of classified protection law v2.0 and makes compliance interpretation. dbsec has a deep technical reserve in data security and in-depth understanding of data security governance systems. based on its rich experience, dbsec presents the overall safeguard idea of data security governance, covering the before-event diagnose, in-event control and after-event analysis of data security protection.

before-event diagnose: database vulnerability scanning product and data asset carding system

◆database vulnerability scanning product: detect and repair the known db vunerability effectively;carry out comprehensive security vulnerability detection for important databases in the current system, which effectively exposed the current database system security problems, at the same time put forward the suggestions of vulnerability repair, carry out the overall security reinforcement, to improve the overall security of db system.

◆data asset carding system: discover automatically the sensitive data in the db, and classify the data according to its type and confidentiality level.identify the sensitive data automatically and classify the sensitive data to carding the database permissions, avoid too many accounts with priority access to important sensitive data, and also effectively reflect the user change, permission change and other conditions.

in-event control: db firewall, db operating management, db encryption and db data masking

◆db firewall and db operating management: proactive protection;in the face of external intrusion, provide anti-sql injection and database virtual patch pack functions. through the virtual patch pack, the database system can complete the prevention and control of major database vulnerabilities without upgrading and patching.

through the process management of db operation and maintenance personnel behavior, avoid the malicious operation and misoperation behavior of internal operation and maintenance personnel, solve the problem of unclear identity caused by the sharing of operation and maintenance account, and ensure the safe and execution of operation and maintenance behavior within the controlled scope.

◆through database encryption and database masking to achieve the security protection of database important sensitive information.

store the sensitive data encrypted in database to prevent it from being parsed into plaintext. through the enhanced access control and powers separation to prevent dba and third-party outsourcing personnel from accessing sensitive information by overstepping their authority. deforming, masking, replacing and transforming sensitive data in the production database into fictitious data that likes the real data, and keep the data correlation and semantic characteristics, so that the masked data can be safely applied in the test, development and third-party use environment.

after-event analysis: database audit

through the database vulnerability detection in lockup period, database’s security status can be monitored, including the security status assessment of security configuration, connection, user change, permission change, code change, etc., which provides advices in security baseline building and security patch reinforcement and reports and analysis of security change status.

monitor database security status, prevent database security from deteriorating: build security baseline for database, scan it regularly, report and analyze the security status changes.

advantages

data usage department and role carding

during the data asset carding, clarify how is data stored, the data is used by what departments, systems and personnels and how. only by knowing the distribution of sensitive, can we know what control strategies need to be implemented. such as on the database layer, we have to know which database is the data stored in, what does the database like, to know what control measures should database operation personnel take, what is the fuzzification strategy for the data export of this database, and what is the storage encryption requirement for this database. on the basis of knowing the data storage distribution, we also need to know what business system will access to this database, only by which can we make the permission strategy and control measures for employees of these business systems to access to sensitive data.

all content ∨

data access control

according to different aspects of data use, it is necessary to complete the data use principles and control policies, what will be used in data access account management, data access authority management, data use process management, data sharing (extraction) management and data storage management.

data security audit and authentication

regular audit is the key to ensure the implementation of data security governance standards, but also the important responsibility of the information security management department, including the compliance detection ensures the data security use requirements are really executed, and the operations and permissions are monitored and audited, which means the data access process of business units and operating departments are monitored and audit for legitimacy, and also are analyzed and discovered for risks. therefore, it is very important to build a sound data security governance process, including the system, procedure and standard to ensure the management and control of data security planning, implement, operation and supervision. rolling revision of information security system and standards can continuously tamp the audit records of basic database access process of data security and standardization management, and provide traceability and accountability of historical access behavior.

all content ∨