2025-03-27 Update. From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
I. Overview
1. Background overview
The Department of Human Resources and Social Security of a certain province, as the leading organization for human resources management in the province, is responsible for the development planning of the human resources market and the formulation of policies for the flow of human resources in the province, as well as important work such as establishing a unified and standardized human resources market and promoting the rational flow and effective allocation of human resources.
Chapter 8, Section 3 of the Human Resources and Social Security Development Plan of a certain Province during the 13th Five-Year Plan, issued in January 2017, clearly points out: "Guided by the 'Internet + Society' action plan, we will promote the deep integration of Internet, cloud computing, big data and other technologies with human resources social security work, and achieve comprehensive coverage of all kinds of human resources social security business and its service institutions, service groups, and service functions. Improve the external data exchange platform, gradually achieve information sharing with public security, finance and other relevant departments, and improve the ability to support and guarantee the social security business of human resources in the province. We will promote the construction of information security systems, carry out disaster recovery construction of systems and data, and improve the security level of human resources social security information systems."
With the construction and improvement of the information platform for human resources-related public services, a large amount of sensitive information is stored in the social security system, including ID card, social security, salary, telephone, home address and other sensitive information. Once this information is leaked, the harm is not only the disclosure of personal privacy: the information can also be used by criminals, leading to a series of serious criminal and economic crimes, such as copying identity cards with sensitive personal information, illegally issuing credit cards, illegally swiping credit cards and so on.
In 2015, the incident reported as "Loopholes exposed in some 30 provinces and cities: tens of millions of social security records may have been leaked" caused a sensation across the country. It resulted in the disclosure of social security information of nearly 100 million users, including sensitive information such as personal identity cards, finances, salaries, housing, and so on, and involved a number of provinces. The data leakage cases from the social security system fully show that local social security and other departments have not invested enough in information security and that supervision is weak.
Yan Ming, director of the third Research Institute of the Ministry of Public Security, said in an interview with the Economic Information Daily that the social security system contains very private information, and it is also an important source of information and data for the country's macro-control. Once the system information is tampered with by lawbreakers, the consequences will be unimaginable. At the same time, a large amount of personal privacy information may be resold by some people for profit, resulting in economic losses. Yan Ming said: China now lacks an accountability mechanism for information security disclosure and a legal basis, so our country should speed up the establishment of a "chief security officer" system and implement the responsibility for information security to the responsible persons of relevant departments and enterprises.
2. Analysis of current situation.
In the years following the large-scale social security data leak in 2015, the human resources and social security department of a certain province gradually attached importance to data security and carried out some construction. Individual cities have deployed database audit, database firewall, database encryption and other products, and strengthened the management of database operation and maintenance. However, as of 2018, the problem of data security in the province's social security system had not been completely solved, and data security incidents still occurred from time to time.
At present, the human resources and social security system of a certain province consists of 19 such systems across provincial departments, prefectures, cities and counties, and the database type is mainly Oracle. The current information security situation is analyzed as follows:
1) The database contains a large amount of sensitive data, such as name, ID card number, bank account number, pension information, medical insurance information and so on. Once leaked, it will have a great impact on society and residents. Therefore, it is necessary to restrict access rights at the database, table and field level, and to desensitize sensitive fields where necessary to further increase the security of data.
2) Part of the data of the social security system of the provincial human resources and social security department has been deployed to the government cloud platform of Yunzheng Company, but sensitive information related to health insurance, pension and so on is still offline. It will be migrated gradually, which places high requirements on the confidentiality and integrity of cloud data.
3) Each social security system is composed of different databases, distinguishing between production database and exchange database, operated and maintained by different personnel, and connected to different application systems.
4) The social security system of the provincial human resources and social security department provides a variety of access methods to the client, including WeChat social security, mobile APP platform, Web and so on. The diversification of network applications can easily lead to attacks from multiple internal and external channels and in multiple forms.
II. Demand analysis
As mentioned above, the information system of the provincial human resources and social security system urgently needs a data security management system to make up for the shortcomings of the existing security system and to strengthen security on the database side, so as to ensure that the requirements of "visibility", "controllability" and "compliance" in data management are met.
III. Solutions
1. Overall thinking
This paper puts forward an effective data security solution for the social security system of a provincial department of human resources and social security, as shown in the figure above. The overall idea of this scheme is simply to put the data in a cage and make data access transparent. For a variety of application scenarios, a variety of measures are taken to solve the security problems of sensitive data throughout its whole life cycle.
IV. Value of the scheme
The above solution can effectively meet the data security management needs faced by users: it makes data security visible, controllable, and compliant. In addition to these key values, the data security management solution brings the following values to users:
1. Simplify business governance and improve data security management capabilities:
Because the database system is a complex software "black box", its degree of visibility is very low. It is difficult for a database administrator to tell, at any given moment, when data is being accessed. This brings great difficulties to business governance. In the cloud environment especially, the degree of invisibility is even more serious.
2. Improve the defense system in depth and enhance the overall security protection capability:
Establishing a defense-in-depth system is the consensus of information security construction. The section from the application system to the database is the last kilometer and the last line of defense of information security; it involves the most direct security management of sensitive data and is directly related to the security of that data.
3. Reduce core data leakage and ensure business continuity:
Data is the most valuable asset, and it is also the ultimate target that attackers seek to snoop on, tamper with, and even delete. The violation of core data may lead to business interruption, serious information disclosure and tampering, and a serious threat to national information security.
4. Meet the compliance requirements of the country and industry:
Achieve independent audit and access control, directly output compliance reports, and meet the requirements of national and social security industry regulations and standards.
5. Effectively maintain credibility and reputation.
Ensure that a certain social security system does not suffer information leakage or the spread of harmful information, and enhance its influence and reputation in society.