In addition to data encryption, what data protection measures do you know?

Source: Internet
Author: User

Data encryption is the most common and effective data protection method. But how can we keep data secure when encryption is not supported or is not in use? Here are some alternative data protection measures. You may laugh at some of them, but they are always good to know.

1. Data deletion:

Data deletion may sound crazy. Some companies prefer to collect large amounts of data and keep every byte they collect, and much of that data is sensitive.

The real question is: if sensitive data is not critical to the enterprise, why keep data that only brings risk to the environment? If there is no mandatory business requirement and removing the data does not destabilize the application, consider deleting it. This method is cheap and fast, and it reduces risk, frees disk space, and makes queries faster. And of course, no one will be able to snoop on your data.

2. Tokenization (token-based):

Another way to deal with such data is tokenization. Tokenization replaces sensitive data with a token that has no value of its own. It is like an arcade, where players exchange cash for tokens that are good for a specific use. The tokens can be used like currency, but they are not real currency. In IT systems, tokens are just random numbers. The token is created to match the format and data type of the original number. However, unlike encrypted data, a token cannot be reversed to obtain the original value.

The most common example is replacing credit card numbers with tokens to comply with PCI DSS (Payment Card Industry Data Security Standard). The token has 16 digits. Generally, the last four digits of the original credit card number are retained. For credit cards, you may still occasionally need the original value, such as when taking a payment or resolving a dispute. Therefore, you can keep the original credit card number, but instead of storing it in many databases across the enterprise IT infrastructure, you store it in an independent, highly secured token vault. Since the systems that hold only tokens no longer need encryption and key management to protect the data content, management and compliance become relatively simple.
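The token scheme described above, as an added Python sketch that is not part of the original article. The `TokenVault` class and its in-memory dictionaries are hypothetical stand-ins for the isolated token vault, and the card number is a constructed test value.

```python
import secrets

class TokenVault:
    """Hypothetical stand-in for the isolated, high-security token vault."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isascii() and pan.isdigit() and len(pan) == 16):
            raise ValueError("expected a 16-digit card number")
        if pan in self._token_by_pan:      # one card always maps to one token
            return self._token_by_pan[pan]
        while True:
            # 12 random digits plus the real last four: same length and
            # data type as the original, but not derived from it.
            body = "".join(secrets.choice("0123456789") for _ in range(12))
            token = body + pan[-4:]
            # Reject collisions and the unlikely case token == original.
            if token not in self._pan_by_token and token != pan:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller_authorized: bool) -> str:
        # Only payment and dispute workflows should ever reach this lookup.
        if not caller_authorized:
            raise PermissionError("caller may not recover card numbers")
        return self._pan_by_token[token]

# Constructed sample: a widely used test card number, not a real account.
SAMPLE_PAN = "4111111111111111"
vault = TokenVault()
# Application databases store only the token, never the original number.
order_record = {"order_id": 1001, "card": vault.tokenize(SAMPLE_PAN)}
```

Because the token is random rather than computed from the card number, the only way back to the original is the vault lookup, which is why the vault is the single place that needs strict access control.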

3. Data masking:

Employees often put data at risk. Generally this is not malicious; they are just looking for a simpler way to get the work done. For example, when testing a database, real customer and transaction data is pulled from a secure production database and then stored in an insecure test system. This kind of use of customer and transaction data is not uncommon, and it is a main driver of the data masking market.

Masking hides the original sensitive information by transforming it, while preserving the aggregate value of the data in the database. Data masking is one of several technologies that provide both data security and usability. Usability is why we store data in the first place, and producing high-quality copies is important for data analysis. For example, you can replace the actual customer name with an entry randomly selected from the phone book. The mask can also be built so that specific information is retained. For example, we want to hide the birth dates of patients, but we also want to report the average age of these patients. In this case, we generate a random date, but the random values are limited to a specific date range.

There are many ways to mask data, such as moving, replacing, overwriting, averaging, blurring, and so on. Each method suits specific data types and user goals. Third-party commercial platforms can also be used to mask data. They provide a variety of masking and data management functions, and provide high-quality servers with filters, which ensures that quality assurance staff and testers are unlikely to steal copies of production databases.
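The phone-book substitution and bounded random birth dates described above, as an added Python sketch that is not part of the original article. The 90-day bound, the substitute name list and the patient rows are all constructed assumptions.

```python
import secrets
from datetime import date, timedelta

_rng = secrets.SystemRandom()   # unpredictable offsets, unlike a seeded PRNG
MAX_SHIFT_DAYS = 90             # assumed bound on how far a date may move
# Constructed substitute names standing in for the "phone book"
PHONE_BOOK = ["Alex Reed", "Jamie Cole", "Morgan Hale", "Taylor Finch"]

def mask_patient(row):
    """Return a masked copy of one row; the production row is not modified."""
    shift = _rng.randint(-MAX_SHIFT_DAYS, MAX_SHIFT_DAYS)
    return {
        "id": row["id"],                      # keys stay, so joins still work
        "name": _rng.choice(PHONE_BOOK),      # real name never leaves production
        "birth_date": row["birth_date"] + timedelta(days=shift),
    }

def average_age(rows, today):
    """Mean age in years: the aggregate the masked copy must still support."""
    total_days = sum((today - r["birth_date"]).days for r in rows)
    return total_days / len(rows) / 365.25

# Constructed "production" rows
PRODUCTION = [
    {"id": 1, "name": "Patient One", "birth_date": date(1950, 3, 14)},
    {"id": 2, "name": "Patient Two", "birth_date": date(1978, 11, 2)},
    {"id": 3, "name": "Patient Three", "birth_date": date(1991, 7, 23)},
    {"id": 4, "name": "Patient Four", "birth_date": date(2004, 1, 9)},
]
# The copy handed to the test system
TEST_COPY = [mask_patient(r) for r in PRODUCTION]
```

Every masked date is within `MAX_SHIFT_DAYS` of the real one, so the reported average age can differ from the true figure by at most `MAX_SHIFT_DAYS / 365.25` years, and a narrower bound trades privacy for accuracy.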

4. Dynamic masking:

Dynamic masking is a variant of data masking, with one important difference: it does not replace the data stored in the database with a masked copy. Instead, it masks the data dynamically as it responds to user queries.

For example, a user wants to look up the salary information of his or her colleagues. Based on the user's authorization settings, you can return the real data, or you can return a fake copy that looks like the original value.

Masking can be performed in three ways: views, query rewriting, and result masking. Views are a feature of relational databases that can generate temporary tables. A masking view is a temporary table with the same structure as the real data, but containing masked data. Users who do not have sufficient permission to see the real data are redirected to the view. The query itself is no different, but it returns a masked copy. Query rewriting means dynamically rewriting the user's query so that it skips sensitive rows and columns, based on the user's credentials.

Result masking means removing sensitive data from the query results before they are returned to the user. In this case, the system often replaces all characters with "X" to show that the sensitive data has been removed. In general, query rewriting and result masking are provided by a proxy (filter) gateway service that sits between the user and the database.
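View-based redirection and "X" result masking from the passage above, as an added Python and SQLite sketch that is not part of the original article. The table, the role names and the 50,000 salary band are constructed assumptions, and query rewriting is not shown.

```python
import sqlite3

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE salaries (employee TEXT, salary INTEGER);
        -- constructed rows
        INSERT INTO salaries VALUES ('alice', 120000), ('bob', 95000);
        -- View-based masking: same columns as the table, but the salary is
        -- rounded down to a 50,000 band so it still looks like a real value.
        CREATE VIEW salaries_masked AS
            SELECT employee, (salary / 50000) * 50000 AS salary FROM salaries;
    """)
    return db

# Assumed policy: only the 'hr' role reads the base table.
SOURCE_BY_ROLE = {"hr": "salaries"}

def salary_of(db, role, employee):
    """Same query for everyone; unprivileged roles are redirected to the view."""
    # The source name comes from a fixed mapping, never from user input.
    source = SOURCE_BY_ROLE.get(role, "salaries_masked")
    sql = f"SELECT employee, salary FROM {source} WHERE employee = ?"
    return db.execute(sql, (employee,)).fetchone()

def mask_result(rows, sensitive_index):
    """Result masking: replace every character of one column with 'X'."""
    return [
        tuple("X" * len(str(v)) if i == sensitive_index else v
              for i, v in enumerate(row))
        for row in rows
    ]
```

The stored rows are never altered in either path: the view computes the masked value at query time, and `mask_result` runs on the result set, which is the position a proxy gateway occupies between the user and the database.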

