On April 21, the 13th China Regional Commercial Bank Informatization Development Strategy Summit, hosted by CCW Research Media, was held as scheduled, and Anwarking, as a leader in the database security industry, was invited to attend and give a speech. The summit is a brainstorm on the information construction of commercial banks: amid the spring rain of Guiyang, CIOs from dozens of commercial banks gathered at the Skylight Days Hotel to exchange views and discuss enthusiastically the reforms and challenges facing the information development of city commercial banks.
At the opening of the meeting, the CIO of China Everbright Bank raised the first question: what impact will "Internet +" ultimately have on banking, and where should banks' technological innovation go? In recent years the significance of third-party platforms, internet finance and other emerging sectors for traditional banking has long since gone beyond their initial role as a beneficial supplement. As the trend of financial disintermediation intensifies, the new financial platforms have begun to squeeze traditional banking, especially the regional commercial banks that rely mainly on deposit and lending business. Breaking through traditional barriers and using information technology to find a distinctive business model is the only way forward for commercial banks.
Opportunity always comes with challenge. Everbright Bank CIO Wang Gang put it bluntly: "In the era of interconnection, information security threats have become an important challenge for the banking business." Facing the frequent data breaches in the financial industry, how to avoid the information technology risks brought by business innovation became one of the important topics of this summit forum. On this topic, Anwarking senior database security consultant Sun delivered the keynote speech: The construction of a defense-in-depth security system for commercial bank databases.
How serious is the data security problem in banking?
Anwarking senior database security consultant Sun opened with a set of shocking figures: in just three months of 2015 (September, October and November), the vulnerability response platforms published 206 vulnerabilities confirmed by banks, of which 110, or 53% of the total, were directly related to data leakage.
Why does such a large proportion of data security risk exist in banking, an industry with a comparatively high level of informatization?
On this question, Sun of Anwarking summarized the following four points:
1. The database "security baseline" is not unified
The banking system runs hundreds of databases, whose security vulnerabilities are not easy to gain insight into. Take Oracle, the database most commonly used in banking: with some 700 known vulnerabilities and 3500+ configuration items, the security line of defense is fundamentally fragile. In addition, low-quality front-end web code and design logic errors are another important cause.
2. Internet business innovation brings unprecedented new risks
Mobile banking, online banking, apps and other online businesses pass directly through the bank's network barriers, and bank systems are now tightly coupled with those of the securities, insurance, public transport, railway, water and other utility industries, so that business access to the database, and the core data itself, are exposed to security threats from many channels.
3. How data security is guaranteed in development and testing
Banking systems need to use production data during development and testing, so data leakage must be prevented and the data must be masked (desensitized) first. Manual masking of millions of rows, however, is inefficient under a limited labor budget.
4. Database security management and control means are limited
Banks commonly use bastion hosts, but the database's own audit has limitations, and database administrators often hold several jobs at once, so the probability of mis-operation is easy to imagine. Fine-grained recording and control of database access behavior therefore becomes an essential condition of database security control, and meeting the compliance requirements of the People's Bank of China, the CBRC, auditors and similar bodies is equally important.
These four problems are the bank's security pain points. To solve the commercial bank database's anti-attack, anti-tampering, anti-loss, anti-leak, anti-excess-privilege and other issues, Anwarking proposes that the bank database system be designed and planned as a whole to form a database defense-in-depth system, thereby safeguarding the security of the bank's core data.
Defense in depth for bank databases
Sun explained in depth how the overall defense idea is realized:
Check for alerts: database vulnerability scanning
Bank management personnel conduct regular database security checks, comprehensively detecting the security status of the databases in the production network, development network, office network and Internet DMZ, assessing the security vulnerabilities that exist and providing repair suggestions, as a reference for improving the database security baseline.
Active defense: database firewall
Access to the database by operations staff of the bank's core application systems should be filtered with database firewall technology: monitor access at its source to prevent high-risk unauthorized access, SQL injection, illegal elevation of permissions or roles, and illegal access to sensitive data; and use virtual patching to block malicious access that exploits vulnerabilities the database has not yet been patch-upgraded against.
Bottom-line defense: database masking
Masking production data before it is handed to development, testing and other systems effectively prevents internal bank personnel from coming into casual contact with sensitive information and leaking it. This protects the enterprise's sensitive data while ensuring regulatory compliance.
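The masking step described above (and the "millions of rows by hand" problem raised under point 3) is easier to see in code. The following is an added example, not Anwarking's product or code from the original article: it copies a constructed, fictitious "production" customer table into a masked dev/test copy in one set-based pass, keyed-pseudonymizes the ID number so rows can still be joined across tables, keeps only the last four digits of phone and card numbers, and then verifies that no original sensitive value survives in the copy. SQLite in-memory stands in for both databases, and the masking key is a hypothetical value that in practice would be issued per environment and never shipped with the dev data.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample "production" rows: id, name, national ID number, phone, card.
# All values are fictitious and exist only for this example.
PRODUCTION_ROWS = [
    (1, "Zhang San", "110101199001011234", "13800138000", "6222021234567890123"),
    (2, "Li Si",     "310101198512125678", "13900139000", "6228481234567890456"),
    (3, "Wang Wu",   "440101197703034321", "13700137000", "6217001234567890789"),
]

# Hypothetical masking key for the example; a real deployment keeps this out of dev/test.
MASK_KEY = b"example-masking-key-do-not-reuse"


def pseudonymize(value: str, key: bytes = MASK_KEY, length: int = 18) -> str:
    """Deterministic keyed token: the same input always maps to the same output,
    so foreign keys still join in the test environment, but the original value
    cannot be recovered without the key. Digits only, so the column keeps its
    original type and width constraints."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return str(int(digest, 16))[:length].rjust(length, "0")


def mask_tail(value: str, keep: int = 4, fill: str = "*") -> str:
    """Keep the last `keep` characters (enough for testers to recognise a record)
    and overwrite the rest."""
    if len(value) <= keep:
        return fill * len(value)
    return fill * (len(value) - keep) + value[-keep:]


def mask_row(row):
    """Apply a per-column masking rule; the primary key is left intact."""
    cid, _name, id_no, phone, card = row
    return (cid, f"Customer-{cid:06d}", pseudonymize(id_no), mask_tail(phone), mask_tail(card))


def build_masked_copy(rows=PRODUCTION_ROWS):
    """Load the production rows, then produce the dev copy with a single bulk
    INSERT of masked rows rather than editing records one by one."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    schema = "(id INTEGER PRIMARY KEY, name TEXT, id_no TEXT, phone TEXT, card TEXT)"
    cur.execute(f"CREATE TABLE prod_customer {schema}")
    cur.execute(f"CREATE TABLE dev_customer {schema}")
    cur.executemany("INSERT INTO prod_customer VALUES (?,?,?,?,?)", rows)
    masked = [mask_row(r) for r in cur.execute("SELECT * FROM prod_customer").fetchall()]
    cur.executemany("INSERT INTO dev_customer VALUES (?,?,?,?,?)", masked)
    conn.commit()
    return conn


def leaked_values(conn, rows=PRODUCTION_ROWS):
    """Verification step: list every original sensitive value (ID, phone, card)
    that still appears verbatim in the dev copy. Empty means the copy is clean."""
    dev_flat = {v for r in conn.execute("SELECT id_no, phone, card FROM dev_customer") for v in r}
    return [v for r in rows for v in r[2:] if v in dev_flat]


if __name__ == "__main__":
    conn = build_masked_copy()
    for row in conn.execute("SELECT * FROM dev_customer"):
        print(row)
    print("leaked:", leaked_values(conn))
```

The verification function is the part worth keeping in a real pipeline: masking jobs fail quietly when a new sensitive column is added to the schema, and a post-copy scan for production values catches that before the data reaches developers.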
Post-mortem: database audit
Database operations are recorded in real time, fine-grained audit is performed, and risky database behavior raises alerts. Recording and analyzing user access behavior helps users generate compliance reports, trace incidents and improve the security of their data assets.
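The database firewall and the audit layer described in the two sections above share the same core: classify each statement, decide against a policy, and keep the decision as a record. The following is an added example, not Anwarking's product or code from the original article, that does both over a constructed stream of statements: an application account is held to DML on an allow-list of tables from its own hosts (so a GRANT from it, a typical privilege-escalation attempt, is blocked), crude SQL injection signatures are matched, a DBA reading a sensitive table without a WHERE clause is treated as a bulk export, and the accumulated records are summarized into the per-user counts and risk list a compliance report would start from. Account names, hosts, table names and the regex signatures are all hypothetical; a real firewall parses SQL rather than pattern-matching it.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Hypothetical policy for the example.
APP_ACCOUNTS = {"corebank_app"}
APP_CLIENTS = {"10.1.2.10"}            # hosts the application account may connect from
DBA_ACCOUNTS = {"dba_zhang"}
APP_ALLOWED_TABLES = {"customer", "card", "account", "txn"}
SENSITIVE_TABLES = {"customer", "card"}

# Crude injection signatures; enough to show the decision flow, not a parser.
INJECTION_PATTERNS = [
    re.compile(r"\bor\b\s+(['\"]?)(\w+)\1\s*=\s*\1\2\1", re.I),   # tautology: OR 1=1, OR 'a'='a'
    re.compile(r";\s*(drop|delete|update|insert|grant|alter)\b", re.I),  # stacked statement
    re.compile(r"(--|/\*)"),                                        # comment truncation
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),             # union-based extraction
]


def statement_kind(sql: str) -> str:
    """Classify by leading keyword: DML kinds, DDL, DCL (GRANT/REVOKE) or OTHER."""
    words = sql.strip().split(None, 1)
    first = words[0].upper() if words else ""
    if first in {"SELECT", "INSERT", "UPDATE", "DELETE"}:
        return first
    if first in {"CREATE", "ALTER", "DROP", "TRUNCATE"}:
        return "DDL"
    if first in {"GRANT", "REVOKE"}:
        return "DCL"
    return "OTHER"


def tables_in(sql: str) -> set:
    """Table names following FROM/JOIN/INTO/UPDATE/TABLE (heuristic, lower-cased)."""
    return {m.group(1).lower()
            for m in re.finditer(r"\b(?:from|join|into|update|table)\s+([A-Za-z_][\w.]*)", sql, re.I)}


@dataclass
class AuditRecord:
    user: str
    client: str
    sql: str
    kind: str
    decision: str               # "allow" or "block"
    reasons: list = field(default_factory=list)


def evaluate(user: str, client: str, sql: str) -> AuditRecord:
    """Firewall decision for one statement; every call yields an audit record."""
    kind, tables, reasons = statement_kind(sql), tables_in(sql), []
    if any(p.search(sql) for p in INJECTION_PATTERNS):
        reasons.append("sql-injection signature")
    if user in APP_ACCOUNTS:
        if kind in ("DDL", "DCL", "OTHER"):
            reasons.append(f"{kind} not permitted for application account")
        if not tables <= APP_ALLOWED_TABLES:
            reasons.append(f"tables outside application scope: {sorted(tables - APP_ALLOWED_TABLES)}")
        if client not in APP_CLIENTS:
            reasons.append("application account used from non-application host")
    elif user in DBA_ACCOUNTS:
        if kind in ("SELECT", "UPDATE", "DELETE") and tables & SENSITIVE_TABLES \
                and not re.search(r"\bwhere\b", sql, re.I):
            reasons.append("unfiltered access to sensitive table (bulk read/change)")
    else:
        reasons.append("unknown database account")
    return AuditRecord(user, client, sql, kind, "block" if reasons else "allow", reasons)


# Constructed traffic: (db user, client host, statement). Fictitious for the example.
SAMPLE_TRAFFIC = [
    ("corebank_app", "10.1.2.10",   "SELECT balance FROM account WHERE id = ?"),
    ("corebank_app", "10.1.2.10",   "SELECT * FROM customer WHERE name = '' OR '1'='1' --'"),
    ("corebank_app", "10.1.2.10",   "GRANT DBA TO corebank_app"),
    ("corebank_app", "192.168.9.5", "SELECT * FROM customer WHERE id = 7"),
    ("dba_zhang",    "10.1.5.20",   "SELECT id_no, card FROM customer"),
    ("dba_zhang",    "10.1.5.20",   "UPDATE customer SET phone = '1390000' WHERE id = 3"),
    ("dba_zhang",    "10.1.5.20",   "SELECT 1 FROM dual"),
]


def run(traffic=SAMPLE_TRAFFIC):
    """Inline firewall pass over the traffic; returns the audit trail."""
    return [evaluate(u, c, s) for u, c, s in traffic]


def audit_report(records):
    """Post-hoc analysis: per (user, kind, decision) counts plus the risky operations."""
    summary = Counter((r.user, r.kind, r.decision) for r in records)
    risky = [r for r in records if r.decision == "block"]
    return summary, risky


if __name__ == "__main__":
    summary, risky = audit_report(run())
    for key, n in sorted(summary.items()):
        print(key, n)
    for r in risky:
        print("ALERT", r.user, r.client, r.reasons, "|", r.sql)
```

The same `evaluate` function serves both roles: placed inline it is the firewall (the statement never reaches the database when the decision is "block"); run over a captured statement log it is the audit, and the records it emits are what the compliance report and incident trace are built from.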
In the context of Internet +, the transformation and upgrading of commercial banks is imminent, but with business innovation security comes first: guaranteeing customer data security is the premise of every innovation. Anwarking hopes to join its users on the road to a distinctive business model and to let "data security" become the most shining label in commercial banks' technological innovation.
Anwarking: let "data security" help commercial banks build distinctive operations.