Big Data Application Security: Tencent, China Mobile, Cloudera

Source: Internet
Author: User
Tags: big data security policy, big data platform, big data security, security management

Tencent big data security practice

Tencent has long treated big data applications as a key company strategy. Drawing on more than ten years of experience developing and operating Internet products, it has built a complete, reliable and scalable big data business application framework that provides big data processing services to users.

The Tencent Big Data Business Application Framework provides users with three basic capabilities:

  • Data: provides massive data access and processing capabilities;

  • Connection: provides open interfaces and acts as the connector for "Internet +";

  • Security: treats network security as the protection system that connects everything.

Tencent pays particular attention to data security and privacy protection while providing big data processing services, and applies both security technology and management measures to keep big data services developing healthily. Big data and cloud computing are inseparable: Tencent Cloud delivers secure big data services through endpoint, host, network and service-level security. The focus areas of Tencent's big data security are shown in Figure B-8.

Platform security

Platform security addresses the security of the system itself: it prevents attacks at the system level and gives higher-level defences something to build on. It includes:

  • System defence: defending against system-level attacks such as vulnerability exploitation, sniffing and traffic attacks (for example DDoS);

  • Rights management: permission management for underlying resources such as files and devices, to prevent unauthorized access;

  • Operation auditing: access and operation history logs for those underlying resources, as the data and feature support for higher-level auditing.

Data security

Data security addresses every stage of the data life cycle, to prevent data loss, overwriting and tampering. It includes storage security, that is, keeping multiple copies of data so that it cannot be lost through abnormal events; and erasure security, that is, delaying actual deletion so that a mistaken operation does not lose data.

Transmission security

Transmission security addresses data while it moves. Interface security means secure interface design and high-security transport protocols, so that data accessed, processed or transferred through interfaces cannot be accessed illegally, eavesdropped on or sniffed by bypass. Middle-layer security means hiding the real data with encryption or similar methods while it passes through intermediate layers, so that it cannot be maliciously intercepted, and only the data owner, holding the key, can dynamically decrypt and access the raw data through the platform.

Security management

Security management addresses the reasonable and compliant use of the big data analysis platform, controlling risk through management methods that match the technical measures. It includes authentication, authorization and credit management, that is, ensuring that users hold the corresponding access rights to platforms, interfaces, operations, resources and data so that unauthorized access is avoided; and hierarchical management, that is, grading data by sensitivity and giving each grade its own processes, permissions and approval requirements: the higher the security grade of the data, the stricter the management.

Audit management builds on the audit data supplied by the platform layer to audit the operation of the big data analysis platform along several dimensions, including rights management, data usage and operator behaviour. It is meant to detect hidden risks in the platform promptly and, depending on severity, to apply remedies ranging from eliminating the risk and recovering data to holding personnel accountable, while steering the platform away from repeating similar problems.

China Mobile big data security practice

To address data abuse and personal privacy risks in big data application services, China Mobile has built a comprehensive big data security system aimed at protecting the ownership, confidentiality, integrity, availability and traceability of big data, so that data is "manageable, controllable and trustworthy" and the company's big data assets and user privacy are protected across the board.

China Mobile's big data security system covers six subsystems:

  • Security policy system: top-level design based on the national big data security policy framework. It sets out the company's overall big data security strategy and guides the construction of the management, technical protection, security operations, compliance evaluation and service support systems, so it is the basic reference for all the others.

  • Security management system: establishes management rules that make the operator's security responsibility explicit and put security management measures into practice. It covers third-party cooperation management, internal security management, data classification and grading, emergency response, asset and facility protection, authentication and authorization management, and other security management requirements.

  • Security operation system: defines the operational roles and the security responsibilities of the operating organization, so that big data services and data are managed securely over their whole process and full life cycle. Secure operation and control of the big data platform, business services, data assets and user privacy keeps the business developing sustainably and healthily.

  • Security technology system: aims to build protection capabilities in advance, covering infrastructure, network systems, data storage, data processing and business applications. A series of security technical specifications for network, platform, system, data and business supports the development of those protection capabilities.

  • Security compliance evaluation system: aims to keep improving assessment capability, covering the risk points of every part of the big data business through compliance assessment, security testing and penetration testing, so that the management system and technical requirements are actually implemented and effective.

  • Big data service support system: built on the idea that "security protects data, and data advances security", it focuses on support services for information security assurance that draw on big data resources, such as basic security situational awareness, data security monitoring and early warning, intelligence analysis, public-opinion monitoring and harmful-information governance. Applied research on big data in security management and control gives information security a new kind of support service.

China Mobile imposes strict rules, and enforces them, on every stage of processing users' personal information:

  • Defining, classifying and grading the content that customer information contains;

  • Naming the department responsible for information security management and its duties. The responsibilities of each department are set out in strict and detailed rules, and the roles and authority of the relevant positions are made explicit;

  • Strict management of operations on sensitive customer information. Key operations that touch sensitive user information follow the protection requirements of the vault ("treasury") model and the principle of "key operations completed by multiple people, with separation of powers and checks and balances", so that the person who operates is not the person who authorizes;

  • Establishing a customer information security inspection system;

  • Continuously raising the level of technical control in customer information systems;

  • Strictly controlling third-party information security risks.

In addition, China Mobile has developed its own big data security management platform, Leichi, which provides unified data authentication, centralized fine-grained authorization, audit monitoring, data desensitization and alarms on abnormal behaviour, so that data is managed before use, controlled during use and auditable afterwards.

Cloudera big data security practice

Hadoop is widely used in finance, telecommunications, manufacturing, energy and health care. Customers in these sectors build enterprise data lakes on Hadoop to integrate their data, and the integrated data is stored, secured and managed in a relatively independent system.

Once the data is integrated, it is no longer accessed by only a few people but shared with many more users for analysis. How to verify the identity of those visitors, manage their data rights, audit their data access, and encrypt the more highly classified data on the big data platform are therefore important questions for an enterprise data lake.

For big data security, Cloudera provides a security solution architecture that runs from identity authentication on the data platform, through access authorization management and data encryption, to security auditing.

Border

Border security controls the identity of external users or services as they access the cluster; this is the identity authentication module, and it is the foundation on which the rest of the big data security architecture is built. Every component of the Cloudera data platform supports Kerberos-based authentication, and some components additionally support LDAP (Active Directory) or SAML-based authentication.

When a user accesses a cluster with authentication enabled, they must pass whatever authentication method the service requires. Depending on the enterprise's infrastructure, authentication can be deployed in different ways, for example against an existing Active Directory.

Access

Access control governs what a user or application may do with data once authenticated; defining and enforcing those rights is authorization. Cloudera can restrict whether a user may access a given resource. Hadoop-based data platforms offer many resources and services, but without adequate access control, enterprises have had to limit the breadth and depth of their Hadoop usage.

At first, Hadoop was used only as a supplement to ETL and opened to SQL developers. Later, business analysis departments saw its convenience and needed authorized access to data and services, which required the big data platform to integrate with the enterprise's existing LDAP or AD while providing consistent role-based access control across different applications.

Cloudera uses Apache Sentry to configure and enforce the access policies of the big data system, so that one access control configuration is implemented consistently. For example, if a user's permissions on a table are configured through Hive or Impala, Apache Sentry enforces the same permissions when that user reaches the data through Spark or Search.
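The consistency property described above, modelled in plain Python as an added example (this is not Cloudera's or Apache Sentry's code). It assumes the Sentry model: privileges granted to roles on a server > database > table > column hierarchy, roles granted to groups, users resolved to groups, and every engine consulting the same policy store. The roles, groups, users and the `/user/hive/warehouse/<db>.db/<table>` path layout used for the HDFS ACL sync part are assumptions made for the demonstration.

```python
"""Sentry-style role-based authorization, modelled in plain Python.

Added illustration, not Cloudera's or Apache Sentry's code. It assumes the
model described above: privileges are granted to roles on an object
hierarchy (server > database > table > column), roles are granted to
groups, users belong to groups, and every engine (Hive, Impala, Spark,
Search) consults the same policy. Roles, groups, users and the warehouse
path layout below are made up for the demonstration.
"""
from typing import Dict, Optional, Set, Tuple

# (server, database, table, column); None at a level means "every object below".
Scope = Tuple[str, Optional[str], Optional[str], Optional[str]]
ACTIONS = ("SELECT", "INSERT", "ALL")
ENGINES = ("hive", "impala", "spark", "search")

def scope_covers(granted: Scope, requested: Scope) -> bool:
    """A grant covers a request when every level the grant pins down matches.
    A column-level grant therefore does not cover a whole-table request."""
    return all(g is None or g == r for g, r in zip(granted, requested))

def action_implies(granted: str, requested: str) -> bool:
    return granted == "ALL" or granted == requested

class SentryPolicy:
    """One policy store shared by every engine: user -> groups -> roles -> privileges."""
    def __init__(self) -> None:
        self.role_privs: Dict[str, Set[Tuple[Scope, str]]] = {}
        self.group_roles: Dict[str, Set[str]] = {}
        self.user_groups: Dict[str, Set[str]] = {}

    def grant_privilege(self, role: str, action: str, server: str, db: Optional[str] = None,
                        table: Optional[str] = None, column: Optional[str] = None) -> None:
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action}")
        self.role_privs.setdefault(role, set()).add(((server, db, table, column), action))

    def grant_role_to_group(self, role: str, group: str) -> None:
        self.group_roles.setdefault(group, set()).add(role)

    def add_user(self, user: str, *groups: str) -> None:
        self.user_groups.setdefault(user, set()).update(groups)

    def roles_of(self, user: str) -> Set[str]:
        roles: Set[str] = set()
        for group in self.user_groups.get(user, ()):
            roles |= self.group_roles.get(group, set())
        return roles

    def is_allowed(self, user: str, action: str, server: str, db: str,
                   table: Optional[str] = None, column: Optional[str] = None) -> bool:
        requested: Scope = (server, db, table, column)
        return any(scope_covers(scope, requested) and action_implies(granted, action)
                   for role in self.roles_of(user)
                   for scope, granted in self.role_privs.get(role, ()))

def authorize(policy: SentryPolicy, engine: str, user: str, action: str, server: str,
              db: str, table: Optional[str] = None, column: Optional[str] = None) -> bool:
    """Each engine passes the same (user, action, object) to the same policy,
    which is what makes a grant made through Hive hold for Spark or Search."""
    if engine not in ENGINES:
        raise ValueError(f"unknown engine {engine}")
    return policy.is_allowed(user, action, server, db, table, column)

def synced_hdfs_acl(policy: SentryPolicy, server: str, db: str, table: str):
    """Sentry HDFS ACL sync, modelled: table- and database-level grants become group
    ACL entries on the table's warehouse directory, so direct file access (e.g. Spark
    reading the Parquet files) is bounded by the same policy. Column-level grants
    give no file-level access at all. The path layout is an assumption."""
    path = f"/user/hive/warehouse/{db}.db/{table}"
    acl: Dict[str, Set[str]] = {}
    for group, roles in policy.group_roles.items():
        perms: Set[str] = set()
        for role in roles:
            for scope, action in policy.role_privs.get(role, ()):
                if scope[3] is not None or not scope_covers(scope, (server, db, table, None)):
                    continue
                perms |= {"r"} if action == "SELECT" else {"w"} if action == "INSERT" else {"r", "w"}
        if perms:
            acl[group] = perms
    return path, acl

def build_demo_policy() -> SentryPolicy:
    """Constructed policy: analysts read all of sales, partners read one column, ETL writes."""
    p = SentryPolicy()
    p.grant_privilege("analyst", "SELECT", "server1", "sales")
    p.grant_privilege("region_reader", "SELECT", "server1", "sales", "orders", "region")
    p.grant_privilege("etl", "ALL", "server1", "sales")
    p.grant_role_to_group("analyst", "analysts")
    p.grant_role_to_group("region_reader", "partners")
    p.grant_role_to_group("etl", "etl_jobs")
    p.add_user("alice", "analysts")
    p.add_user("bob", "partners")
    p.add_user("carol", "etl_jobs")
    return p

if __name__ == "__main__":
    policy = build_demo_policy()
    for engine in ENGINES:  # the same request gets the same answer from every engine
        print(engine, authorize(policy, engine, "bob", "SELECT", "server1", "sales", "orders"),
              authorize(policy, engine, "bob", "SELECT", "server1", "sales", "orders", "region"))
    print(synced_hdfs_acl(policy, "server1", "sales", "orders"))
```

The check worth noticing is the column-level grant: bob may read `orders.region` through any engine, but a whole-table read is refused everywhere, and the HDFS ACL sync deliberately gives his group no file-level access, since a file read would expose every column.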

Transparent

Transparency means knowing where data comes from and how it is used, which is essential for spotting illegitimate access in a big data system; it is delivered through security auditing. The purpose of a security audit is to capture a complete, tamper-proof record of activity within the system.

Navigator automatically collects upstream and downstream (lineage) relationships and displays them visually. For any data source on Hadoop, down to a single column of a table, it can show which columns of the upstream sources produced that column and which columns of downstream data sources it feeds.

Data

Data protection provides encryption for data in transit and at rest, so that sensitive data remains protected even when access to it has been over-granted. Cloudera recommends configuring TLS through Cloudera Manager to encrypt data in transit. Data at rest can be encrypted with HDFS Data-at-Rest Encryption, Navigator Encrypt and Navigator Key Trustee.

For encryption key management, the Cloudera platform supports the traditional Java KeyStore-based approach but also offers a better key storage solution in the Navigator Key Trustee service, which can in turn be integrated with the enterprise's existing HSM.
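The key hierarchy behind HDFS Data-at-Rest Encryption and a separate key server, modelled in plain Python as an added example (this is not Cloudera's, Hadoop's or Key Trustee's code). The zone key never leaves the key server, the NameNode stores only an encrypted data key per file, and the client does the file encryption itself, so neither the DataNodes nor the HDFS superuser can read the data. HMAC-SHA256 in counter mode with an HMAC tag stands in for the AES-CTR HDFS really uses; the principals, paths, ACLs and the `hdfs` blacklist are assumptions for the demonstration.

```python
"""HDFS transparent encryption key hierarchy, modelled in plain Python.

Added illustration, not Cloudera's or Hadoop's code. It follows the design the
text refers to: the encryption-zone (EZ) key lives only in the key server
(Navigator Key Trustee or Hadoop KMS), the NameNode stores a per-file encrypted
data encryption key (EDEK), and a client with key-server rights unwraps the EDEK
and does the file encryption itself, so DataNodes and the HDFS superuser only
ever hold ciphertext. HMAC-SHA256 in counter mode plus an HMAC tag stands in for
the AES-CTR that HDFS really uses; principals, paths and ACLs are made up.
"""
import hashlib
import hmac
import os
from typing import Dict, Set, Tuple

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class KeyServer:
    """Key Trustee / KMS: EZ keys never leave it, and unwrapping is ACL-gated."""
    def __init__(self) -> None:
        self._ez_keys: Dict[str, bytes] = {}
        self.decrypt_acl: Dict[str, Set[str]] = {}
        self.blacklist: Set[str] = {"hdfs"}  # the HDFS superuser is kept out of DECRYPT_EEK

    def create_key(self, name: str, allowed: Set[str]) -> None:
        self._ez_keys[name], self.decrypt_acl[name] = os.urandom(32), set(allowed)

    def generate_edek(self, name: str) -> bytes:
        """GENERATE_EEK: a fresh DEK is handed out only in wrapped form."""
        return seal(self._ez_keys[name], os.urandom(32))

    def decrypt_edek(self, name: str, edek: bytes, principal: str) -> bytes:
        """DECRYPT_EEK: unwrap for an authorised principal, refuse everyone else."""
        if principal in self.blacklist or principal not in self.decrypt_acl[name]:
            raise PermissionError(f"{principal} may not unwrap keys of zone {name}")
        return unseal(self._ez_keys[name], edek)

class NameNode:
    """Holds zone prefix -> key name and path -> (key name, EDEK); never sees a DEK."""
    def __init__(self, kms: KeyServer, zones: Dict[str, str]) -> None:
        self.kms, self.zones, self.files = kms, zones, {}

    def create_file(self, path: str) -> Tuple[str, bytes]:
        for prefix, key_name in self.zones.items():
            if path.startswith(prefix):
                self.files[path] = (key_name, self.kms.generate_edek(key_name))
                return self.files[path]
        raise ValueError(f"{path} is not inside an encryption zone")

class Client:
    """HDFS client: talks to the NameNode, the key server and the DataNode block store."""
    def __init__(self, principal: str, nn: NameNode, blocks: Dict[str, bytes]) -> None:
        self.principal, self.nn, self.blocks = principal, nn, blocks

    def write(self, path: str, plaintext: bytes) -> None:
        key_name, edek = self.nn.create_file(path)
        dek = self.nn.kms.decrypt_edek(key_name, edek, self.principal)
        self.blocks[path] = seal(dek, plaintext)  # encrypted before it reaches the DataNode

    def read(self, path: str) -> bytes:
        key_name, edek = self.nn.files[path]
        dek = self.nn.kms.decrypt_edek(key_name, edek, self.principal)
        return unseal(dek, self.blocks[path])

def demo() -> Dict[str, object]:
    """Constructed scenario: alice writes, bob reads, the hdfs superuser is refused."""
    kms = KeyServer()
    kms.create_key("sales_zone_key", allowed={"alice", "bob"})
    nn, datanode_blocks = NameNode(kms, {"/data/sales/": "sales_zone_key"}), {}
    secret = b"msisdn=13800000000 balance=42.00"
    Client("alice", nn, datanode_blocks).write("/data/sales/orders.parquet", secret)
    results: Dict[str, object] = {
        "bob_reads": Client("bob", nn, datanode_blocks).read("/data/sales/orders.parquet"),
        "raw_block_is_ciphertext": secret not in datanode_blocks["/data/sales/orders.parquet"],
    }
    try:  # the superuser can fetch the EDEK and the raw block, but not the DEK
        Client("hdfs", nn, datanode_blocks).read("/data/sales/orders.parquet")
        results["hdfs_superuser_denied"] = False
    except PermissionError:
        results["hdfs_superuser_denied"] = True
    return results

if __name__ == "__main__":
    print(demo())
```

The point of separating the key server from the cluster is visible in `demo()`: the `hdfs` superuser can list the file, read its EDEK from the NameNode and copy the raw block from the DataNode, yet still cannot recover the plaintext, because the key server's ACL refuses to unwrap for that principal. That is the same reason the text suggests Key Trustee (optionally backed by an HSM) rather than a Java KeyStore sitting on a cluster host.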

Through the wizard-based interface of Cloudera Manager, Kerberos authentication for Hadoop can be enabled conveniently, so that attackers cannot impersonate enterprise users or services. Sentry provides fine-grained role-based rights management for the Hive, Impala, Solr and HDFS components of the big data platform, preventing unauthorized access to data once it has been collected.

Navigator provides unified auditing for all components of the big data platform. TLS keeps data encrypted in transit and Navigator Encrypt keeps it encrypted at rest, preventing attackers from intercepting data and preventing leaks. Cloudera also keeps strengthening the security features of the Hadoop ecosystem, for example with RecordService for unified security control across the Hadoop platform, and with stronger data storage and processing security in Kudu, Spark and other technologies.
