2025-01-17 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
Most readers are not familiar with the points covered in "What to pay attention to in cloud database encryption", so the editor has summarized them below in detail and with clear steps for reference. I hope you will get something out of it.
Cloud database encryption
First, consider whether the data needs to be encrypted at all. Every database can restrict access, and a properly configured access-control scheme is often sufficient to protect data confidentiality.
Encryption becomes necessary when the data must be hidden from privileged database users such as database administrators, when laws or regulations require it, or when the data owner cannot control access through an account (for example, when a shared account is used).
When a cloud database is used, especially a database SaaS offering, encryption reduces the database's normal functionality: unless the database can operate on ciphertext, either the database or the cloud application must be given access to the key.
Data encryption adds complexity and performance cost. Besides encryption, two other effective measures are available:
◆ Use object security. Use SQL GRANT and REVOKE statements to restrict which accounts can access the data, and control strictly which accounts are granted access so that only authorized users can reach it.
◆ Store secure hashes. Storing a hash of the value instead of the value itself lets an application prove that a holder presented the correct value without the value ever being stored.
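The following Go program is an added illustration of the hashed-storage option; it is not code from the original article. The database keeps a random salt and an HMAC-SHA256 digest instead of the value, a holder can be verified against that record, and the program also shows the caveat a practitioner needs: for a low-entropy value such as a 4-digit PIN, a plain salted hash falls to a dictionary attack on a dumped table, while a digest keyed with a "pepper" held by the application outside the database does not. The PIN "4831", the pepper string and the record layout are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Record is what the database stores instead of the value itself: a random
// per-record salt and a digest. The value can be verified but never read back.
type Record struct {
	Salt   []byte
	Digest []byte
}

// digest is HMAC-SHA256 over salt||value under pepper. The pepper is a secret
// kept by the application and never stored in the database; with an empty
// pepper this degenerates to an ordinary unkeyed salted hash.
func digest(pepper, salt []byte, value string) []byte {
	m := hmac.New(sha256.New, pepper)
	m.Write(salt)
	m.Write([]byte(value))
	return m.Sum(nil)
}

// Store builds the record to persist for a value such as a PIN or an ID number;
// the value itself is discarded after this call.
func Store(pepper []byte, value string) Record {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return Record{Salt: salt, Digest: digest(pepper, salt, value)}
}

// Verify lets a holder prove they know the value; hmac.Equal compares in constant time.
func Verify(pepper []byte, rec Record, candidate string) bool {
	return hmac.Equal(rec.Digest, digest(pepper, rec.Salt, candidate))
}

// GuessPIN models an attacker who has dumped the table (salt and digest) and
// tries every 4-digit PIN with whatever pepper they hold. It returns the PIN
// recovered, or "" if no candidate matches the digest.
func GuessPIN(pepper []byte, rec Record) string {
	for i := 0; i < 10000; i++ {
		pin := fmt.Sprintf("%04d", i)
		if hmac.Equal(rec.Digest, digest(pepper, rec.Salt, pin)) {
			return pin
		}
	}
	return ""
}

func main() {
	pepper := []byte("application-held secret, never written to the database") // constructed
	rec := Store(pepper, "4831")                                               // constructed PIN
	fmt.Println("correct PIN verifies:", Verify(pepper, rec, "4831"), "wrong PIN:", Verify(pepper, rec, "0000"))
	fmt.Printf("attacker without the pepper recovers: %q\n", GuessPIN(nil, rec))
	weak := Store(nil, "4831") // salted hash only: the salt defeats precomputation, not a 10,000-entry search
	fmt.Printf("attacker against the unkeyed hash recovers: %q\n", GuessPIN(nil, weak))
}
```

The salt only prevents one precomputed table from serving every record; it does nothing against a value space small enough to enumerate per record, which is why the key that makes the digest unguessable must live outside the database. If the pepper is stolen along with the table, the attack succeeds again, so it belongs in the same class of secret as an encryption key.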
Key management
Key management is a very difficult process in public cloud computing, and it has to be designed for the public cloud's multi-tenant model.
The simplest case is an application running in the public cloud where encrypted data flows from inside the enterprise to the cloud and the key is used only inside the enterprise. Some encryption engines can encrypt data as it leaves and decrypt it as it returns. The design becomes complicated as soon as other processes in the public cloud, such as batch jobs, need access to the key in order to decrypt the data.
Users within an enterprise should have their own keys rather than a single shared key that unlocks data across the whole enterprise. The simplest solution is an encryption engine that assigns (or manages) a key for each user or entity based on that entity's identity information; anything encrypted specifically for an entity is then held by that entity. If the entities in a group need to share data, a group-level key can be assigned to the application that manages group access and shared among the group's members. As discussed earlier in this section, the keys should be managed within the enterprise.
When data is stored in a public cloud environment and that environment is later decommissioned, it is hard to prove that all data (especially PII, SPI or regulated data) has been deleted, including from other media such as replicated disks. Keeping key management on premises makes it possible to revoke (delete or destroy) the keys in the key management system, which guarantees that any data left behind in the public cloud can no longer be decrypted.
Encrypting data is of little value if the cloud service provider and the customer lack an effective key management process. On the provider side, the concerns include: the server holding the encrypted data and the server holding the keys lacking separation of duties; the database administrator being able to access individual keys; or the database service architecture depending on a single key.
Using a key to encrypt a key (key wrapping), generating data-encryption keys in memory, and storing only the key-encryption key on the key server are effective architectural measures that control and protect the keys themselves, and they should be considered when building any solution. Client-side key management, and protecting keys on devices that are not inherently secure, such as mobile terminals, or that are not under the same level of control, are further factors to take into account.
Concrete suggestions for practice
In the practice of enterprise applications, the following suggestions are useful:
◆ Apply key management measures whenever any form of encryption or decryption product is used.
◆ Wherever possible, use off-the-shelf technology from trusted sources in order to obtain best practices.
◆ Use best key management practices, and acquire technologies and products for encryption, decryption, signing and verification from trusted sources.
◆ In particular, organizations are advised to maintain their own keys, or to use a trusted cryptographic service that already operates such a service.
◆ If an organization needs to run analytics or other processing on data stored in the cloud, it should export the data from the cloud data source to a platform such as Hadoop for that processing.
◆ Control of keys can be maintained at the individual or the collective (group) level.
◆ Collective access can be managed with off-the-shelf technologies such as DRM systems, or with other software running on desktops or laptops that encrypts hard drives, files and email messages.
◆ To maintain best practice and pass audits, enterprises should manage their own keys or use trusted services from encryption software providers.
◆ Keys used by existing encryption technologies such as DRM and disk encryption products should be centrally managed with key-storage technology; hardware security modules (HSMs) should be used to store keys and to perform cryptographic operations such as encryption, decryption, signing and verification.
◆ Enterprise users should be enabled for encryption operations and other processing within the enterprise through an enrollment step, for example access to content-aware or format-preserving encryption systems, with or without keys as required.
◆ Integrate the technology deployment with the company's identity and authentication infrastructure, so that authorization decisions made during processing are bound to the encryption operations that manage the keys used for encryption and decryption.
◆ Where possible, use an existing system such as E-DRM or data leakage prevention (DLP).
◆ Binding encryption operations and key management into the company's identity and authentication system gives the organization both flexibility and the use of technologies it already knows, has audited or has verified.
In addition, the following practical suggestions apply specifically to cloud database encryption:
◆ Use standard algorithms. Do not use proprietary, non-standard techniques: an unproven custom encryption algorithm is easy to break.
◆ Avoid old, insecure encryption standards such as the Data Encryption Standard (DES).
◆ Use object security. Even when the data is encrypted, keep basic object security (SQL GRANT and REVOKE statements) in place to restrict access to it.
◆ Do not encrypt primary keys or indexed columns. Encrypting a primary key means every foreign key that references it must be encrypted too, and if an indexed column is encrypted, queries that used to use the index on its values become very slow.
◆ Use a column-level approach to encryption (big data systems use this approach).
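The Go program below is an added example, not code from the original article or from any product it mentions. It ties together the key management section above (a key-encryption key held in the enterprise, a per-entity data-encryption key that the cloud stores only in wrapped form, and crypto-shredding by deleting the KEK once the cloud environment is decommissioned) with the last suggestions here (the primary key stays plaintext, a single sensitive column is encrypted with randomized AES-256-GCM, and a lookup on that column has to decrypt every row because no index can serve it). The KeyServer and CloudDB types, the owner "alice", the five sample rows and their "secret-N" values are constructed for the example; a real deployment would keep the KEK in an HSM or a KMS rather than in an in-memory map.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal is AES-256-GCM with a fresh random nonce prepended, so equal plaintexts give
// different ciphertexts. The constructors only fail on a bad key length; every key here is 32 bytes.
func seal(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}

// open fails on a wrong key or a tampered ciphertext.
func open(key, ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// KeyServer is the enterprise-side key management: one key-encryption key (KEK) per entity,
// never sent to the cloud. CloudDB stores the rows plus each entity's DEK, but only wrapped under its KEK.
type KeyServer struct{ KEKs map[string][]byte }
type CloudDB struct {
	Rows        map[int][]byte // plaintext primary key -> ciphertext of the sensitive column
	WrappedDEKs map[string][]byte
}

// Enroll creates an entity's KEK and a data-encryption key that the cloud stores only wrapped.
func Enroll(ks *KeyServer, db *CloudDB, owner string) {
	ks.KEKs[owner] = random(32)
	db.WrappedDEKs[owner] = seal(ks.KEKs[owner], random(32))
}

// dek unwraps the entity's DEK; once the KEK is gone this can never succeed again.
func dek(ks *KeyServer, db *CloudDB, owner string) ([]byte, error) {
	kek, ok := ks.KEKs[owner]
	if !ok {
		return nil, errors.New("no KEK for " + owner + ": data is unrecoverable")
	}
	return open(kek, db.WrappedDEKs[owner])
}
func Insert(ks *KeyServer, db *CloudDB, owner string, id int, secret string) error {
	d, err := dek(ks, db, owner)
	if err != nil {
		return err
	}
	db.Rows[id] = seal(d, []byte(secret))
	return nil
}

// FindBySecret is a query on the encrypted column: no index can serve it, so every row is
// decrypted. It returns the ID found and the decryptions spent; a fetch by plaintext ID is one map access.
func FindBySecret(ks *KeyServer, db *CloudDB, owner, secret string) (int, int, error) {
	d, err := dek(ks, db, owner)
	if err != nil {
		return 0, 0, err
	}
	work := 0
	for id, ct := range db.Rows {
		work++
		if pt, err := open(d, ct); err == nil && string(pt) == secret {
			return id, work, nil
		}
	}
	return 0, work, errors.New("not found")
}

// Shred deletes the KEK inside the enterprise; every wrapped DEK and ciphertext copy left in the cloud (replicas, backups) is now unreadable.
func Shred(ks *KeyServer, owner string) { delete(ks.KEKs, owner) }

func main() {
	ks := &KeyServer{KEKs: map[string][]byte{}}
	db := &CloudDB{Rows: map[int][]byte{}, WrappedDEKs: map[string][]byte{}}
	Enroll(ks, db, "alice")
	for i := 1; i <= 5; i++ { // constructed sample rows
		_ = Insert(ks, db, "alice", i, fmt.Sprintf("secret-%d", i))
	}
	fmt.Println(FindBySecret(ks, db, "alice", "secret-5"))
	Shred(ks, "alice")
	fmt.Println(FindBySecret(ks, db, "alice", "secret-5")) // fails: KEK is gone
}
```

Running it prints the ID found together with the number of rows that had to be decrypted to find it, then an error once the KEK has been destroyed even though every byte in the cloud is still there. Where equality lookups on the sensitive column are really needed, the usual answer is a separate keyed-hash column for matching rather than encrypting the indexed column itself.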
That concludes "What to pay attention to in cloud database encryption". I hope the content is helpful; to learn more about related topics, follow the industry information channel.