dbsec-凯发k8游戏

background

with the development of digital economy, cross-border data flow has become the core and hot topic of politics, economy and society. the european union and apec have published gdpr and cbprs, respectively, to standarize the cross-border data transmission. in china, data are transmitted frequently across transnational enterprises and local enterprises who operating internationally. therefore, government attaches great importance to the security of cross-border data transfer. in this context, the cyber security law requires data exit security assessment as a must for enterprises. and on this basis, made personal information and important data exit security assessment measures and information security technology data exit security assessment guidelines as administrative regulations and national standards, respectively, together with the cyber security law, constitute china's current data exit security assessment system.

security challenges

compliance challenge

with the frequent occurrence of network and data security events, such as snowden event, prism event, google ireland event, countries attach great importance to data exit security and continuously strengthen data exit management system, posing new challenges to enterprise data exit security compliance.

article 37 of the cyber security law says, “the operators of key information infrastructure”and “the general network operators”, contains the network owner, manager and service provider, which means the vast majority of enterprises who engaged in network operations need to apply for security assessment when individual information and important data are involved.

personal information and important data exit security assessment measures defines the data exist as, provides personal information and important data that collected and generated in the process of network operating in china to overseas institutions, organizations and individuals. according to the definition, some special scenarios are classified into data exist, such as whose data center is in china and can be access to from overseas, or the data are transmitted inside a transnational group across many international branches. in the meantime, information security technology data exit security assessment guidelines says the data exist assessment mode is “self assessment in general case assessment oraganized by industry competent department in special case cac is responsible for overall assessment”. the following three conditions are described as data exist:

◆provides personal information and important data to domestic main body who are not subject to national jurisdiction or have not registered in china.

◆data that not being transferred and stored outside china, but is accessed and viewed by institutions, organizations and individuals outside the country.

◆transfer the internal data of network operating group to overseas, involves personnal information and important data that collected and generated in domestic operating process.

security challenges of cross-border data

as the accelerating economic globalization, cross-border data increased significantly, which may bring problems like data breaches, abuse, etc., and bring more challenges to the enterprises’ data exit security construction. most large multinational companies conduct global management, and the daily business data and management data within the group flow across borders frequently, espacially the internet business and internal it business, who generally will not set up data centers in every countries. branch companies are used to processing customer information and daily business data centrally. the frequent cross-border flow of many sensitive data brings huge risks to sensitive data security.

behaviors control challenge of legal personnel

multinational companies usually have large operation teams, contains legal personal such as dba, who give rise to core data related security risks because of illegal operations, such as unauthorized access to sensitive data, access to core business table during non-business hours, non-workplace access to the database, misoperation, high risk command, etc. the behavior management of different regions, departments and permissions becomes a data security management challenge to the multinational companies.

challege of security auditing and accountability

when database system is intruded and unauthorized operated, it is hard to accurately locate and trace the disruptive behavior and data breaches of hacker and illegal personnel, and seriously hinder the investigation and evidence collection by the auditing department in the future.

security solution

before-event inspection warning

inspect database vulnerabilities in lock-up period, to monitor the database security status, including assess the security status of related security configuration, connection, user change, permission change, code change, etc. provide advides for security baseline establishment and security patches reinforcement, to form the report and analysis of security change status.

monitor the security status of database, prevent database security from deteriorating: establish security baseline for database, and scan database regularly, report and analyze the change of database security status.

in-event operating controlling

perform login control by limiting the ip address, client tool, account and date of database operating personnel; perform database table control by configuring the affected number of data rows(threshold value), including the query, update and delete behavior. block and intercept the illegal behavior, to prevent high risk operation and mass data breaches.

provide the “apply and approva in advance” mechanism for regular database operations. only the approved database operation can be executed normally during the specified operation period, otherwise it will be intercepted.

sensitive data masking

identify the sensitive data from data centers in china, configure flexible policies and masking solutions, achieve a rapidly sensitive data masking, and ensure the effectiveness and availability of data at the same time. the masked data can be used safely in test, development, analysis and third-party environment.

effectively behavior auditing

the database operation of business personnel is basically legal, but they still could be maliciously utilized or attacked. das helps to accurately record the key business operation and key business operator, to provides precise evidence for the tracing of after-event, and sends warning when illegal database operation or batch export occurs. after the security event happens, it provides a complete audit record and trace path to restore the historical process of databse security violations.

advantages

automatic identification and masking of sensitive data

the flexible policies and masking solutions helps to achieve a rapidly sensitive data masking, and ensure the effectiveness and availability of data at the same time. the masked data can be used safely in test, development, analysis and third-party environment.

controllable cross-border access of sensitive and privacy data

take the “apply and approva in advance” mechanism when overseas entity accesses to the business sensitive data in china’s data centers. only the approved database operation can be executed normally during the specified operation period, otherwise it will be intercepted.

tracable sensitive data access behavior

audit and record the database access process, and make the historical access behavior traceable and definable.