The following is a detailed analysis of how the security protection architecture is realized and of the key technologies involved.
KMS key management and encryption and decryption algorithms
Key management includes the creation, storage, lifecycle management and protection of keys. The security of the key directly determines the security of the encrypted data. It is recommended that keys be stored separately and protected by a root key, and that the root key itself be protected either by a hardware encryption card or by the password of the KMS service.
KMS key management protects the master key with the user's password: if the password is correct, the master key is decrypted. The master key in turn protects the key file, which can only be used after the master key has been successfully decrypted; finally, the usable keys are generated from the key file.
In terms of encryption and decryption algorithms, in addition to the necessary strong encryption algorithms (such as AES256) and hardware encryption algorithms certified by the relevant institutions, one point deserves particular emphasis: to achieve application transparency, special encryption algorithms such as FPE [8], Tokenization and SSE [9] must be provided according to the needs of the application system.
FPE is a format-preserving encryption algorithm. It is mainly used to encrypt information with a fixed data format, such as ID card numbers, bank card numbers, credit card numbers and social security numbers. Data encrypted with this algorithm retains the original data format, so there is no impact on the application's business logic, which ensures application transparency.
Tokenization is a data masking algorithm. Similar to FPE [8], it "scrambles" the data while retaining its original format, achieving the effect of encryption while ensuring application transparency.
Transparent database encryption
Transparent database encryption encrypts data by column: for each specified column, the specified encryption algorithm, key, salt and so on are used. The encrypted data is stored as ciphertext in the table space of the DBMS [7].
Only authorized users can see the plaintext, and authorization is also granted per column. This approach offers good flexibility and security: unauthorized users can neither read (query) nor change the data in an encrypted column.
In terms of authority management, transparent database encryption uses a decentralized mechanism to realize the separation of three powers, effectively restricting privileged users such as database administrators (DBAs) from accessing data. At the same time, this protection is transparent and does not interfere with the administrator's daily work.
Most importantly, transparent database encryption is transparent to applications: neither the application system nor peripheral maintenance tools need to be modified. This covers SQL statement transparency, stored procedure transparency, development interface transparency, database object transparency and management tool transparency.
Advantages:
Transparent to application systems and database management tools
Fine-grained control of database accounts, including DB users, client IP, client MAC address, applications or tools, etc.
Fine-grained auditing of sensitive data access
Limitations:
Must be implemented separately for each different database
Requires special ciphertext indexing technology and transparent access technology to meet performance and application transparency requirements
Not applicable to RDS, DBMS instances deployed by users on ECS
Application layer transparent encryption
Application-layer transparent encryption is divided into two implementation technologies: the JDBC [10]/ODBC [11] encryption driver and the cloud access security broker. The most important element in both is the encryption technology used to support application transparency: FPE and Tokenization.
1. JDBC/ODBC encryption driver
The application-layer JDBC/ODBC encryption driver can be realized as a wrapper around the JDBC/ODBC driver provided by the original DBMS. The encryption driver replaces the original driver at deployment time, giving the application transparent data encryption and decryption: data is encrypted before it reaches the DBMS/RDS and decrypted after it leaves the DBMS/RDS on its way to the application, so that most application systems need no modification. At the same time, independent authority control and key acquisition are implemented in the JDBC/ODBC encryption driver layer.
For sensitive data, complete access audit capabilities are realized through the JDBC/ODBC encryption driver.
JDBC/ODBC encryption driver technology
Advantages:
Encryption is performed per field, and data is encrypted before it reaches the DBMS/RDS, giving good security
Application transparency is achieved simply by replacing the JDBC driver
Fine-grained control of database accounts, including DB users, client IP, client MAC address, applications or tools, etc.
Partial control of application users, including application account, application client IP, etc.
Limitations:
Cannot be transparent to third-party data tools (such as PLSQL, TOAD, etc.), which see only ciphertext
Transparency cannot be achieved for server-side programs, such as stored procedures and automated scripts residing on the DBMS host
A corresponding JDBC/ODBC wrapper must be implemented for each different database
2. Cloud access security broker
A cloud access security broker (CASB) usually takes the form of an application gateway. Acting as a reverse proxy gateway for HTTP or HTTPS, it encrypts sensitive data in HTTP pages using protection methods such as Tokenization. By processing HTTP requests and responses, it encrypts and decrypts field-oriented data and uploaded content: encryption is performed before the data is sent to the cloud, and ciphertext is decrypted after it leaves the cloud and before it reaches the client.
The CASB gateway is typically deployed on the user's own data center side, so the user retains complete control over the encryption keys and the encryption and decryption process. Any inline proxy deployment method can be used.
The CASB gateway can provide detailed access control for application system users and groups, as well as fine-grained access auditing of application system users.
Advantages:
Encryption is performed per field and completed before the data reaches the cloud, giving the best security
With high security, it can provide decryption authority control oriented to application users, effectively countering DBA over-privilege and SQL injection attacks
Maximum compliance capability
Limitations:
True application transparency may not be achievable; some applications need to be modified
Cannot be transparent to third-party data tools (such as PLSQL, TOAD, etc.), which see only ciphertext
Transparency cannot be achieved for server-side programs, such as stored procedures and automated scripts residing on the DBMS host
File-level transparent encryption protection
File-level transparent encryption protection realizes the encryption and decryption of specific data files or volumes by deploying dedicated encryption/decryption agents on the cloud host operating system. It can control operating system accounts: only a dedicated DBMS system account can encrypt and decrypt the protected files or volumes.
Advantages:
Transparent to database systems (DBMS) and applications
Supports encryption of both structured and unstructured files
Effectively controls operating system user access, meeting the usual control requirements
Limitations:
Cannot provide fine-grained data access auditing
Requires a dedicated agent for each operating system platform
Cannot control database account access to sensitive data
Automatic data desensitization
With the widespread adoption of cloud computing and elastic computing, system development and testing show two trends:
1) System development and testing are completed in the local environment and then deployed in the cloud.
2) System development and testing are also carried out in the cloud, making full use of the cloud's elastic computing resources and convenient and simple cloud deployment capabilities.
Either way, all or part of the production data is transferred into the testing and R&D environment, and compliance and security requirements demand that the transferred data be "desensitized".
Automatic data desensitization technology can "desensitize" data in the test database, data in transit during migration, and data exported to files, while preserving the consistency of data relationships: for example, the same ID number scattered across different tables still has the same value after desensitization.
Database firewall
A database firewall is a database security protection technology based on database protocol analysis and control. Built on an active defense mechanism, it implements database access behavior control, blocking of dangerous operations, and auditing of suspicious behavior. It is a comprehensive database security protection technology integrating database IPS and IDS functions.