Atitit. Summary of information security control O7
1. Information security covers a lot of content
2. Security risks caused by internal personnel
3. Transparent encryption of sensitive data
4. Security protection
5. Protect key business data through data security domains
6. Implement security rules and multi-element authorization
7. Considerations for database security audit
8. Establish a centralized database audit platform
9. Other methods
1. Information security covers a lot of content:
Identity Authentication and single sign-on
Network Transmission Encryption
Anti-Virus
Data Encryption/Decryption Storage
Record-level access control
Internal control
Command security rule engine
Centralized Security Audit
Security specifications and automatic security assessment (FTP, password, port, patch ...)
......
Security protection projects have been implemented: a complete CA system has been established, and security protection mechanisms have been deployed (shielded data centers, firewalls, intrusion detection, anti-virus, and network switches).
A set of security management specifications is in place, covering operating system and database user name and password management, as well as restrictions on FTP, telnet, and the IP addresses allowed for specific operations.
Network transmission encryption and security auditing are provided, with strict security auditing at the operating system and network layers.
Some application systems are maintained jointly with their developers; relying on management rules alone cannot completely eliminate the resulting security risks.
Author: old wow's paw attilax iron, email: [email protected]
When reprinting, please indicate the source: http://blog.csdn.net/attilax
2. Security risks caused by internal personnel
Internal maintenance personnel take a backup of the entire database.
Unauthorized operations by high-permission users (such as root and the DBA) delete or damage key business data.
System maintenance personnel or super users with high permissions can view, steal, or even maliciously damage business data in the background without authorization.
Internal staff modify business data in violation of regulations, or business staff gain unauthorized access to data and applications.
Applications are allowed to access data in the database directly.
High-permission users (such as root and the DBA) delete or modify audit data.
...
3. Transparent encryption of sensitive data
Encrypted storage of sensitive data columns, files, and images.
Helps comply with privacy and regulatory controls such as SB 1386, CISP/PCI, and SOX.
Prevents leakage through unauthorized copies and backups of data files.
Data is automatically encrypted when written to disk and automatically decrypted when read from disk. This is completely transparent to applications and reduces application development and maintenance costs. Because decryption is transparent, this protects data at rest on disk and in copied files; it does not by itself stop a user who is authorized to query the database, which is what the security-domain controls in section 5 address.
4. Security protection
Network security protection mainly guards against external intrusions. Auditing mainly serves the post-event handling of security incidents and cannot actively prevent or control them.
As mentioned above, 80% of data loss is caused internally.
The DBA's ability to view, modify, and steal application data needs to be restricted. For example, business maintenance personnel should only maintain their own background data, and must not back up, clear, or export it.
Internal control and security domains: separation of duties and prevention of unauthorized access to data.
Multi-factor authorization and security-rule-based authorization: custom, enforced, personalized security rules.
Detailed security violation reports for regulatory audit.
Transparent to applications; no need to change existing applications.
5. Protect key business data through data security domains
In a database security domain, an application or a set of database objects is closed off inside a protected area.
Scenario: the database DBA views application data.
Control: strengthen internal control, especially over super administrator users. For example, after a security domain is created for production data, the DBA can no longer view, tamper with, or destroy registration and report collection data.
Scenario: production management super users view financial business data.
Control: duties are separated. After data security domains are implemented, business personnel can no longer access data without authorization.
6. Implement security rules and multi-element authorization
Security rules further limit database operations based on specific environmental or decision elements, such as the IP address of the machine, the time of the operation, and the authentication mode.
IP address-based rules prevent unauthorized remote operations.
Operators do not perform operations outside normal working hours; date- and time-based rules prevent unauthorized operations.
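As an added illustration (not code from the original post), the following Python sketch evaluates the multi-element rules this section describes, combining the source IP range, the operating time window and the authentication mode with default deny; the subnets, user names and auth modes are constructed assumptions.

```python
import ipaddress
from datetime import datetime, time

# Constructed rule set (not from the original post). Each rule combines the
# decision elements the section lists: source IP range, operating time window,
# and authentication mode, plus the operations it permits.
RULES = [
    {"name": "dba-console", "subjects": {"dba"},
     "source": ipaddress.ip_network("10.10.5.0/24"),   # assumed admin subnet
     "hours": (time(9, 0), time(18, 0)),               # normal working hours only
     "auth_modes": {"mfa"},                            # strong authentication required
     "allow": {"select", "alter"}},
    {"name": "order-app", "subjects": {"order_app"},
     "source": ipaddress.ip_network("10.20.0.0/16"),   # assumed application tier
     "hours": None,                                    # no time restriction
     "auth_modes": {"cert"},
     "allow": {"select", "insert", "update"}},
]


def request(user, ip, auth_mode, when_iso, operation):
    """Build the context a rule is evaluated against; when_iso is an ISO timestamp."""
    return {"user": user, "ip": ipaddress.ip_address(ip), "auth_mode": auth_mode,
            "when": datetime.fromisoformat(when_iso), "operation": operation.lower()}


def rule_matches(rule, ctx):
    """True only when every element of the rule matches the request context."""
    if ctx["user"] not in rule["subjects"]:
        return False
    if ctx["ip"] not in rule["source"]:
        return False              # blocks remote operations from outside the range
    if ctx["auth_mode"] not in rule["auth_modes"]:
        return False
    if rule["hours"] is not None:
        start, end = rule["hours"]
        if not (start <= ctx["when"].time() <= end):
            return False          # blocks operations outside the time window
    return True


def decide(ctx, rules=RULES):
    """Default deny: allow only if some matching rule lists the requested operation."""
    for rule in rules:
        if rule_matches(rule, ctx) and ctx["operation"] in rule["allow"]:
            return ("allow", rule["name"])
    return ("deny", None)
```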
7. Considerations for database security audit
Database auditing and security control are equally important.
Audit only key data to reduce the impact on performance. For example, audit only operations on the records of taxpayers with a turnover of more than 10 million.
A data center may have multiple database systems.
Audit data needs to be collected quickly and automatically.
Prevent audit information islands (missed audits).
Audit data needs to be quickly integrated to generate audit reports.
Provide warnings.
Protect the audit data itself, so that it cannot be damaged or deleted by hackers, DBAs, or high-permission personnel.
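An added example, not the post's own code, of the last point: a hash-chained, keyed audit log whose verification detects entries that were modified, reordered or deleted, including deletion from the end of the log, which the chain alone cannot catch and which needs the last MAC anchored on the audit platform; the key, records and field names are constructed.

```python
import hashlib
import hmac
import json

# Assumed: this key lives on the centralized audit platform, not in the audited
# database, so a DBA who can edit the audit table cannot recompute valid MACs.
AUDIT_KEY = b"constructed-demo-key-replace-in-deployment"
GENESIS = "0" * 64


def entry_mac(prev_mac, seq, record):
    """Keyed MAC over the previous entry's MAC, the sequence number and the record."""
    payload = prev_mac.encode() + str(seq).encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


def append_entry(log, record):
    """Append an audit record, chaining it to the previous entry; returns the new MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "record": record, "mac": entry_mac(prev, seq, record)})
    return log[-1]["mac"]


def verify_log(log, anchored_tail):
    """Check every link of the chain and that it ends at the MAC the audit platform
    recorded at collection time. Returns (True, None) or (False, reason)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = entry_mac(prev, i, entry["record"])
        if entry["seq"] != i or not hmac.compare_digest(entry["mac"], expected):
            return False, f"entry {i} modified, reordered or missing"
        prev = entry["mac"]
    if not hmac.compare_digest(prev, anchored_tail):
        return False, "entries deleted from the end of the log"   # truncation
    return True, None


# Constructed sample: operations on high-value taxpayer records, as in the text.
SAMPLE_RECORDS = [
    {"user": "dba01", "op": "SELECT", "table": "taxpayer", "turnover": 12_000_000},
    {"user": "app", "op": "UPDATE", "table": "taxpayer", "turnover": 15_500_000},
    {"user": "dba01", "op": "DELETE", "table": "taxpayer", "turnover": 11_000_000},
]
```

The anchored tail MAC must be stored somewhere the audited database's administrators cannot write, otherwise a truncated log can be re-anchored along with it.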
8. Establish a centralized database audit platform
9. Other methods
Beyond the conventional defenses against SQL injection, XSS, and CSRF, web security calls for a number of additional measures.
1. Do not place the website's back-office management program on the same server as the front-end program. It is recommended that the back-office management program not be web-based but use a client/server (C/S) approach.
2. Do not place the database on the same server as the website's web server, so that the host administrator cannot access the database and the database administrator cannot access the website program.
3. Write the order program in a compiled language such as Java and avoid plain-text script languages such as PHP; very important core programs can use C++.
4. Communication between the database server and the website server requires SSL encryption; common databases can be configured for this.
5. Order data should be stored encrypted; this prevents the database administrator from seeing the data.
6. Encryption of order data is usually very secure. However, many current order databases are not encrypted, and converting them to encrypted data is a large program change, so you can encrypt only fields such as the amount.
7. Important fields such as the amount can also be given an MD5 signature to ensure security. If the database administrator changes the field, the order program will automatically detect the illegal modification and lock the order.
8. To guard against people who can access both the programs and the database, add another database as a backtracking security database. When an order is in normal use, decrypt it and compare it with the signature, and finally compare it with the backtracking security database to ensure security.
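Added example (not the post's code) for the last two items: a keyed signature over the order's important fields plus a cross-check against a separate backtracking database. It uses HMAC-SHA256 rather than the plain MD5 the text mentions, because an unkeyed hash can be recomputed by whoever can edit the row; the key, field names and the in-memory dictionaries standing in for the two databases are assumptions.

```python
import hashlib
import hmac
import json

# Assumed: this key is held by the order application only; it is never stored in the
# database, so a DBA who edits a row cannot produce a matching signature.
APP_KEY = b"constructed-demo-key-replace-in-deployment"
SIGNED_FIELDS = ("order_id", "customer", "amount")


def sign_order(order):
    """Keyed signature over the important fields (amount included)."""
    msg = json.dumps({k: order[k] for k in SIGNED_FIELDS}, sort_keys=True).encode()
    return hmac.new(APP_KEY, msg, hashlib.sha256).hexdigest()


def store_order(order, main_db, trace_db):
    """Write the signed row to the main database and a copy to the backtracking database."""
    row = dict(order, sig=sign_order(order))
    main_db[order["order_id"]] = row
    trace_db[order["order_id"]] = dict(row)
    return row["sig"]


def load_order(order_id, main_db, trace_db):
    """Verify the signature, then cross-check against the backtracking database.
    Returns ("ok", row) or ("locked", reason); a locked order is not processed."""
    row = main_db[order_id]
    if not hmac.compare_digest(row["sig"], sign_order(row)):
        return "locked", "signature does not match the stored fields"
    if row != trace_db.get(order_id):
        return "locked", "main database disagrees with the backtracking database"
    return "ok", row
```

The backtracking database only adds protection if it is administered separately from the main database and the order application's key.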