
Ming Dynasty Wanda: Database encryption to build a key line of defense for data security

Author: Ming Dynasty Wanda

With the rise and prosperity of Internet technology, information security, and database security in particular, has become a shared concern of many enterprises. Laws and standards such as the Cybersecurity Law and the Classified Protection of Information Security set out clear provisions on data security protection and specific requirements for encrypted storage. For example, systems rated at protection level 3 or above must store authentication information (such as usernames and passwords) and core business data in encrypted form.

Under the concept of "dynamic data security and data life cycle control", protection must be established at every important stage of the data life cycle, forming a multi-layer joint protection system. Database encryption is the core layer of that system. Based on an active defense mechanism, storing data in encrypted form effectively prevents the leakage that occurs when insiders illegally download or copy database files and parse the data files directly. It also counters external database-dump ("drag library") attacks: sensitive information that has been encrypted is not exposed even if the database is dumped without authorization. Enhanced access control can further prevent DBAs and other high-privilege accounts from accessing sensitive data in plaintext.

PART 1


Database encryption must satisfy both compliance requirements and the business needs of its users.

1. Compliance requirements

▷ Sensitive data is stored encrypted.

▷ Keys are stored and managed separately from the data.

▷ National (SM-series) cryptographic algorithms are supported.

▷ Enhanced access control: no access to plaintext data without authorization.

2. Business needs

▷ Little or no modification of the business system.

▷ Encryption of data that already exists in the database.

▷ Guarantee that encrypted data is not lost.

PART 2

Database encryption can in theory be implemented in a variety of ways. The two methods widely adopted in the industry today are database-native encryption and application retrofit encryption, and Ming Dynasty Wanda's database encryption supports both.

1. Database-native TDE encryption

The database's own TDE (transparent data encryption) function is used, so the database stays transparent to the outside after encryption: query, insert, update and delete operations, SQL statement access, stored procedures, triggers, user-defined functions, primary keys, foreign keys and all kinds of constraints continue to work, and indexes on encrypted data are supported. Database O&M tools, common SQL statements, stored procedures and development interfaces are fully transparent and require no modification.


The native TDE encryption of Ming Dynasty Wanda Database supports three encryption granularities:


▷ Database-level encryption: The entire database is the encryption unit, using a single encryption algorithm and data encryption key.

▷ Tablespace-level encryption: A single table is the encryption unit, or several tables are grouped into a tablespace group that forms one unit; each table (or tablespace group) has its own data encryption key and encryption algorithm.

▷ Column-level encryption: Each column has its own data encryption key and encryption algorithm.

One effect of database-native TDE encryption is that the data storage files are encrypted. Before encryption, anyone who opens a data storage file directly can read the plaintext, so sensitive information leaks easily; after encryption, the file no longer reveals plaintext, so even if the file itself is leaked, the sensitive data in it is not.

Another effect of database-native TDE encryption is that it is transparent to the application: the original business system accesses the database directly and cannot tell whether the data is encrypted. For the same reason, any account that can query the database receives plaintext, so an enhanced access control mechanism is needed to prevent unauthorized access to sensitive data. The native TDE encryption of Ming Dynasty Wanda Database implements this enhanced access control through a dynamic data-masking proxy service.

2. Application retrofit encryption

Application retrofit encryption requires modifying the application system, which then calls the encryption engine interface itself to encrypt and decrypt data.


Ming Dynasty Wanda Database Encryption encrypts the sensitive data already present in the database by setting up a data encryption task, which runs as a one-time job.

▷ Data encryption: The business system first calls the encryption system interface to encrypt the plaintext data, then stores the resulting ciphertext in the database.

▷ Data decryption: The business system reads the ciphertext from the database, then calls the encryption system interface to obtain the plaintext.

Ming Dynasty Wanda database encryption supports format-preserving ("fidelity") encryption, which lets some query functions of the business system remain unmodified. It can be integrated with third-party encryption cards to implement hardware cryptographic algorithms such as the SM1 national algorithm, meeting the requirements of cryptographic application assessment. At the same time, database O&M personnel who access the database directly see only ciphertext, which prevents sensitive data from leaking.

Ming Dynasty Wanda application retrofit encryption exposes its encryption and decryption capabilities externally through a task subscription model.


Different engine tasks can be subscribed to according to different encryption and decryption requirements. Each engine task has an independent HTTP REST interface and provides a separate SDK integration package for download. The business application system can call either the engine task's REST interface or the integrated SDK interface to perform data encryption and decryption. The system can also mount a hardware encryption card or encryption machine to integrate hardware algorithms such as the SM1 national cryptographic algorithm.

The data structure of the encryption engine interface can be configured to mirror the tables and fields of the business system's database. The business system then only needs to insert a call to the encryption engine interface at the point where it calls the database JDBC interface to encrypt or decrypt data; the business logic of the original application functions is left unchanged, so the modification of the application system is kept to a minimum.
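The two methods described above, TDE encrypting the data file under an engine-held key and decrypting transparently for every session, and application retrofit encryption calling an engine keyed per table column at the JDBC call site so that the database stores only ciphertext, can be modelled side by side. The Go program below is an added illustration written for this article, not Ming Dynasty Wanda's code, and the product's real interfaces are not shown on this page. The `customer` table, its sample rows, and the names `tdeWriteFile`, `tdeQuery` and `colEngine` are constructed for the example; AES-256-GCM stands in for whatever algorithms (SM-series included) a real deployment would use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// newKey returns a random AES-256 key; in a deployment it would come from the
// separately managed key store the article calls for, never from the database host.
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// gcm builds AES-256-GCM for key; a missing or wrong-length key fails here.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and prepends the random nonce; the AAD binds the ciphertext to
// its context (file name or "table.column") so it cannot be replayed elsewhere.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; tampered, truncated or mis-bound ciphertext is rejected.
func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil || len(sealed) < g.NonceSize() {
		return nil, errors.New("bad key or ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Row is one record of a constructed "customer" table; Phone is the sensitive column.
type Row struct {
	ID    int    `json:"id"`
	Name  string `json:"name"`
	Phone string `json:"phone"`
}

// Constructed sample data, not real records.
var sampleRows = []Row{{1, "Zhang San", "13800000001"}, {2, "Li Si", "13800000002"}}

// tdeWriteFile models database-native TDE: the engine encrypts the whole data
// file under a key only it holds, so the bytes that reach disk carry no plaintext.
func tdeWriteFile(key []byte, rows []Row) ([]byte, error) {
	plain, err := json.Marshal(rows)
	if err != nil {
		return nil, err
	}
	return seal(key, plain, []byte("customer.dbf"))
}

// tdeQuery is transparent decryption: any authenticated session, a DBA's included,
// receives plaintext, which is why TDE alone needs the masking proxy the article describes.
func tdeQuery(key, file []byte) ([]Row, error) {
	plain, err := open(key, file, []byte("customer.dbf"))
	if err != nil {
		return nil, err
	}
	var rows []Row
	return rows, json.Unmarshal(plain, &rows)
}

// colEngine models the encryption engine the application calls at its JDBC call
// site, keyed by "table.column" to mirror the schema; the database holds no key.
type colEngine map[string][]byte

// Encrypt returns the base64 text the application inserts in place of the value;
// this call is the only change on the insert path, and a DBA sees only its output.
func (e colEngine) Encrypt(column, value string) (string, error) {
	ct, err := seal(e[column], []byte(value), []byte(column))
	return base64.StdEncoding.EncodeToString(ct), err
}

// Decrypt is called after the application reads the stored ciphertext back.
func (e colEngine) Decrypt(column, stored string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	pt, err := open(e[column], ct, []byte(column))
	return string(pt), err
}
```

The contrast the two models make is the one the article draws: with TDE the data file leaks nothing and a file copied away without the key is useless, but `tdeQuery` hands plaintext to whoever can connect; with column-level application encryption the database and its administrators hold only ciphertext, and because the column name is bound into the ciphertext as AAD, a value moved into another column will not decrypt there either.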
