Talking about the security of cloud database

Source: Internet
Author: User

A cloud database is a database that is optimized for, or deployed to, a virtual computing environment. It brings the benefits of pay-as-you-go billing, on-demand scaling, high availability and storage consolidation.

ERP data, CRM data, HR data, and so on. Therefore, for an enterprise to move its business completely to the cloud, the cloud's database offering must include a relational database. The cloud database discussed in this article refers specifically to relational databases on the cloud, not NoSQL databases such as DynamoDB that specialize in handling non-relational data.

Migrating a relational database from a local area network or the Internet to the cloud removes some of the technical challenges of running the database itself, but the database faces more challenges in the cloud environment. One of the most worrying is the security implications of the migration.

In February 2009 Gmail suffered a global failure and the service was interrupted for more than four hours. In March 2011 a massive user database leak broke out again: about 150,000 users logging in with their own Gmail accounts unexpectedly found a blank page, with all of their messages deleted.

In March 2009 Microsoft's cloud platform Azure stopped running for 22 hours. In 2010 a number of consecutive managed-service outages occurred in the western United States; the interruption prevented users from accessing their own mailboxes and personal data, and, more seriously, the error lasted for a whole week, and in the end part of the database could not be recovered.

In April 2011 Amazon's EC2 server and database center operations suffered a serious downtime event. In 2012 Amazon, Instagram/Pinterest and

In August 2012 Apple's iCloud cloud storage system was hacked and all data was deleted.

On 19 April 2011 Sony's PlayStation and Qriocity services were hacked; the services were interrupted for more than a week and the user information of 7700 registered accounts was stolen.

  In the face of the above events, the security of cloud platforms needs to be further improved, and the database, as the core of the system that stores and processes important data, holds the enterprise's core information value. It is therefore important to guarantee the security of data and databases in the cloud environment. The following gives some advice on database security in a cloud environment, aiming to help cloud vendors protect the security of user data.

  1. Database access control

  Access control is the most critical means of protecting data in a cloud environment and an important means of maintaining system security. In the database domain, two types of users are the main consideration for data access control:

  (1) Ordinary user permission control (that is, users renting a database on the cloud): according to the customer's business needs, the database is divided into different regions and tenants are granted different permissions in different regions. Permission settings control which data individual users and groups of users can access; to simplify management, users can be grouped and authorized reasonably within the group, for example a development group, a test group, an operations and maintenance group and so on.

(2) Staff: data access control for database administrators. The primary responsibility of the database administrator is the normal operation of the database system, not viewing or modifying all of the data. Database administrators' access to the enterprise's core sensitive data therefore needs to be limited, and key fields that they should not be able to access should be desensitized (masked), to prevent customer information from being stolen by an insider at the cloud service vendor.

The common access control models are discretionary access control (DAC), mandatory access control (MAC) and role-based access control (RBAC). Considering the two categories of users above, role-based access control is recommended. A role is defined as a set of users and a set of permissions, and each user can be granted multiple roles. Depending on the requirements submitted by the user, the cloud service provider can change the user's role at any time, and when a role is activated the user has all the permissions that the role contains. Role-based access control simplifies permission management, and activating only the user's current role prevents the user from holding excessive rights, so that the user cannot, intentionally or unintentionally, perform unauthorized operations on other users' data or pose a security threat to the database.
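As an added example (not part of the original article), the scheme above expressed in PostgreSQL: group roles for tenant users, column-level grants, a desensitized view for DBAs, and a NOINHERIT login user that only gains a role's permissions once that role is activated with SET ROLE. The schema, role and user names are constructed for illustration.

```sql
-- Group roles carry the permissions; login users are only granted membership.
CREATE ROLE dev_group NOLOGIN;
CREATE ROLE ops_group NOLOGIN;
CREATE ROLE dba_group NOLOGIN;

-- One tenant's region of the database (constructed sample schema).
CREATE SCHEMA tenant_a;
CREATE TABLE tenant_a.customers (
    id          bigint PRIMARY KEY,
    name        text NOT NULL,
    email       text NOT NULL,
    id_number   text NOT NULL,     -- sensitive
    card_number text NOT NULL      -- sensitive
);

-- Developers may read only the non-sensitive columns of tenant A's data.
GRANT USAGE ON SCHEMA tenant_a TO dev_group;
GRANT SELECT (id, name, email) ON tenant_a.customers TO dev_group;

-- Operations may read more and fix contact details, but never sees the card column.
GRANT USAGE ON SCHEMA tenant_a TO ops_group;
GRANT SELECT (id, name, email, id_number), UPDATE (name, email)
    ON tenant_a.customers TO ops_group;

-- DBAs get a desensitized view instead of the base table: key fields are masked.
-- The view runs with its owner's rights, so dba_group needs no grant on the table.
CREATE VIEW tenant_a.customers_masked AS
SELECT id, name, email,
       repeat('*', GREATEST(length(id_number) - 4, 0)) || right(id_number, 4) AS id_number,
       '****-****-****-' || right(card_number, 4)                             AS card_number
FROM tenant_a.customers;
GRANT USAGE ON SCHEMA tenant_a TO dba_group;
GRANT SELECT ON tenant_a.customers_masked TO dba_group;

-- A user may hold several roles but, being NOINHERIT, has none of their
-- permissions until one role is explicitly activated for the session.
CREATE ROLE alice LOGIN NOINHERIT PASSWORD 'change-me';
GRANT dev_group, ops_group TO alice;

-- In Alice's session: activate exactly the role needed for the current task.
SET ROLE dev_group;
SELECT id, name FROM tenant_a.customers;       -- allowed
SELECT card_number FROM tenant_a.customers;    -- ERROR: permission denied
RESET ROLE;                                    -- back to no privileges
```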

  2. Database encryption technology

  Databases in the cloud environment also face the risk that, if a hacker copies the database files by some means and restores the database in another environment, the entire database's data is obtained, causing a loss to the organization that is hard to estimate. It is therefore very necessary to encrypt the core data in the database. Current encryption technology for database systems is implemented at three different levels: the disk layer, the DBMS layer and the DBMS kernel layer.

Disk-layer data encryption: this method is an effective solution against the disk being stolen and cracked for sensitive data, but it is not appropriate for the cloud. Cloud data security issues occur more often at the application and network layers. Although the disk is encrypted, the operating system, database and application layer still handle the data in clear text, so an intrusion at the operating system, database or application layer can still steal it in clear text. At the same time, full-disk encryption can severely degrade performance; according to a cloud service manufacturer that uses this method, the encryption reduces efficiency by about 20%.

DBMS-layer data encryption: this method turns the encryption/decryption system into a proxy between the client and the database. The client sends the original statement to a client-side encryption device, which encrypts it and sends it to the server-side decryption device, which then passes it on to the database. This method mainly encrypts the communication over the network; it does not actually protect the sensitive information stored in the database. It is effective if a hacker intercepts network traffic, but offers no effective defense for the data in the database, so it is more often used together with disk-layer encryption. Because encryption and decryption are not performed on the database side, this method does not add load to the database server and can encrypt online transmission directly; its disadvantage is that the encryption functionality is subject to some limitations.

  DBMS kernel-layer data encryption: in this method the database server engine itself encrypts and decrypts the data, and most major database systems provide this function. An application inserts data into a table with the same syntax as before, and the database kernel automatically encrypts the data before writing it to disk; subsequent queries transparently decrypt it, so the application still works correctly. This method has the advantages of strong encryption and no need to modify the program, but it increases the load on the database server, so it is recommended that users encrypt only sensitive data columns, such as credit card numbers and ID numbers, instead of all data. This method can fundamentally eliminate the leakage of sensitive data.
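An added example (not from the article) of the "encrypt only the sensitive columns" advice, using PostgreSQL's pgcrypto extension so that encryption happens inside the database engine while the other columns stay in clear text; table name, key setting name and sample values are constructed.

```sql
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Only the sensitive column is stored as ciphertext (bytea); the rest stay plain.
CREATE TABLE customers_enc (
    id          bigint PRIMARY KEY,
    name        text  NOT NULL,
    email       text  NOT NULL,
    card_number bytea NOT NULL      -- ciphertext, never the raw card number
);

-- The key is supplied per session from outside the database (for example by the
-- application from a key management service); it is never stored in a table.
SET app.card_key = 'constructed-demo-key-replace-me';

-- Writes: the application binds the plain value; the engine encrypts before storage.
-- Keep statement logging off for these statements, or the key and card number
-- would land in clear text in the server log.
INSERT INTO customers_enc (id, name, email, card_number)
VALUES (1, 'Sample Customer', 'sample@example.com',
        pgp_sym_encrypt('4111111111111111', current_setting('app.card_key')));

-- Reads by an authorized session: decrypt transparently. A view wrapping this
-- SELECT hides the function call from the application entirely.
SELECT id, name,
       pgp_sym_decrypt(card_number, current_setting('app.card_key')) AS card_number
FROM customers_enc
WHERE id = 1;

-- A copied data file, or a session without the key, sees only the ciphertext.
SELECT id, encode(card_number, 'hex') AS ciphertext
FROM customers_enc
WHERE id = 1;
```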

  3. Database Firewall technology

  Both virtual databases on the cloud and databases on physical machines have database vulnerabilities, so applying database vulnerability patches is also an important security measure for the database. But in actual operation, upgrading millions of databases on the cloud in the short term is clearly an unrealistic solution. An Huaqin and database security experts recommend deploying a database firewall with Vpatch capability in front of databases on the cloud.

  Vpatch is a virtual patching technology; the An Huaqin and database firewall has database virtual patching technology built in, which is mainly used to protect against database vulnerabilities. It prevents hackers from exploiting known database vulnerabilities to attack the database and effectively resolves the potential threat to users' databases caused by untimely database upgrades on the cloud.

  4. Database Auditing Techniques

  Database security auditing keeps a complete record of data access operations, so that when security rules are violated, responsibility can be traced effectively and the causes analyzed, and, if necessary, the evidence needed to punish malicious attacks can be provided. On the other hand, once audit guidelines are implemented, the audit trail shows that a particular person has not violated procedures or behaved destructively, which is a good protection for legitimate users.
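An added example (not part of the article) of such an audit trail in PostgreSQL: a trigger records who changed which row, attributing the change to the login user even when a group role was activated with SET ROLE, and the trail is append-only for everyone but the audit function. It assumes a table tenant_a.customers with an id column; the role names are constructed.

```sql
CREATE ROLE auditor_group NOLOGIN;

-- One row per data modification on the audited table.
CREATE TABLE audit_log (
    id              bigserial PRIMARY KEY,
    logged_at       timestamptz NOT NULL DEFAULT now(),
    login_user      text NOT NULL,   -- who logged in: survives SET ROLE
    active_role     text NOT NULL,   -- role that was active when the change was made
    client_ip       inet,
    operation       text NOT NULL,   -- INSERT / UPDATE / DELETE
    row_id          bigint,
    changed_columns text[]           -- names only: the trail must not become a
);                                   -- second copy of the sensitive values

CREATE OR REPLACE FUNCTION audit_customers() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
    INSERT INTO audit_log (login_user, active_role, client_ip, operation, row_id, changed_columns)
    VALUES (session_user, current_user, inet_client_addr(), TG_OP,
            CASE WHEN TG_OP = 'DELETE' THEN OLD.id ELSE NEW.id END,
            CASE WHEN TG_OP = 'UPDATE'
                 THEN (SELECT array_agg(n.key)
                       FROM jsonb_each(to_jsonb(NEW)) n
                       JOIN jsonb_each(to_jsonb(OLD)) o USING (key)
                       WHERE n.value IS DISTINCT FROM o.value)
                 ELSE NULL END);
    RETURN NULL;   -- AFTER trigger: the return value is ignored
END $$;

CREATE TRIGGER customers_audit
AFTER INSERT OR UPDATE OR DELETE ON tenant_a.customers
FOR EACH ROW EXECUTE FUNCTION audit_customers();

-- Append-only: only the function owner writes; auditors may read; nobody else.
REVOKE ALL ON audit_log FROM PUBLIC;
GRANT SELECT ON audit_log TO auditor_group;

-- Tracing responsibility later: every change by one login user, newest first.
SELECT logged_at, active_role, client_ip, operation, row_id, changed_columns
FROM audit_log
WHERE login_user = 'alice'
ORDER BY logged_at DESC;
```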

  If cloud service providers can apply the above four security methods to users' cloud databases, they can improve the security of the cloud database. While cloud services offer lower prices, better efficiency and greater flexibility, security is likely to hinder the further development of cloud service vendors. Resolving security issues on the cloud is beneficial to the development of the cloud vendor itself and is also a demonstration of responsibility to users.
