2025-03-29 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
I. Background
Data in a university network typically include website data, teaching resources, library resources, educational administration data, office resources and financial management data: staff information, student information, teaching and research information, asset information, book-borrowing records, consumption records of teachers and students, and Internet access records. Enrolment, employment, financial and asset data must not be leaked or tampered with. The database is the core carrier of these data; once they are leaked or tampered with through unauthorized operations by application users, program developers or database operations and maintenance staff, the losses are huge and the impact on the school and on society is severe. A database holding this much personal information therefore needs stronger security management. Beyond fixing vulnerabilities promptly, handling them effectively so that similar attacks do not recur is what matters, and the most powerful means of doing so is flexible, targeted database security protection.
II. Demand analysis
a) Policy requirements
The Cyber Security Law of November 7, 2016 covers general network data (Article 21) and information infrastructure data (Article 34), and protects user information and personal information separately (Article 42). Its requirements include:
Audit data access logs for at least six months (Article 21);
Classify data and differentiate sensitive data from ordinary data (Article 21);
Backup and disaster recovery of important data (Articles 21 and 34);
Encryption of important data (Articles 21 and 31);
Desensitization of personal information (Article 42).
Data security is one of the core elements of Level Protection 2.0 (MLPS 2.0), which sets clearer requirements for data security protection capability that match the new computing environments and business scenarios. The specific requirements for Level II and Level III are as follows:
Level II requirements:
1. Administrative users shall be granted only the minimum privileges required for their duties, so that administrative privileges are separated (7.1.4.2-Access Control (Level II));
2. A security audit function shall be enabled that covers every user and audits important user behaviour and important security events; audit records shall include the date and time of the event, the user, the event type, whether the event succeeded and other audit-related information, and they shall be protected and backed up regularly so that they cannot be unexpectedly deleted, modified or overwritten (7.1.4.2-Security Audit (Level II));
3. Only the personal information needed for the business shall be collected and stored; unauthorized access to and illegal use of users' personal information shall be prohibited (7.1.4.10 Personal Information Protection (Level II)).
Level III requirements:
The Level III security audit and personal information protection requirements are the same as for Level II; in addition, Level III adds requirements on access control and data confidentiality, as follows:
1. Access control policies shall be configured that specify the access rules of subjects to objects; the granularity of access control shall reach user or process level for subjects and file and database-table level for objects (8.1.4.2-Access Control (Level III));
2. Cryptographic techniques shall be used to ensure the confidentiality of important data in storage, including but not limited to identification data, important business data and important personal information (8.1.4.8 Data Confidentiality (Level III)).
In order to implement the national information security level protection system and standardize and guide the national education information security level protection work, the General Office of the Ministry of Education issued the Notice on Printing and Distributing the Special Inspection on the Information Security Level Protection Work of the Education System (Jiaoban Office Letter [2010] No.80). On February 20, 2017, the Office of the Leading Group for Network Security and Informatization of the Ministry of Education issued a notice on printing and distributing the minutes of the second meeting of the Leading Group for Network Security and Informatization of the Ministry of Education, which emphasized accelerating the promotion of network security level protection.
b) Operational requirements
The purpose of network security construction for an information system is to build a security system that is complete, strong in security function and excellent in performance, in accordance with the national laws and policies on information security construction, so as to guarantee the normal operation of information services and protect sensitive data in the network. The specific business requirements of colleges and universities for data security construction are as follows:
1. There are many systems, data are scattered in isolated islands, and management is inefficient;
2. Security staff are scarce and personnel management is burdensome;
3. Core information assets such as financial data and the private information of teachers and students may be destroyed or leaked;
4. Illegal tampering with university financial data causes loss of funds;
5. Third-party outsourcing staff and application developers may leak data from the development and test environments;
6. The databases of traditional university information systems are inadequately protected.
III. Solutions
To meet these business needs, and at the same time to satisfy the information protection evaluation and network security construction work of colleges and universities, database security protection must be established and improved by deploying database audit, encryption, firewall and desensitization (data masking) systems in the environment.
At present, data security in colleges and universities is mainly in one of three states:
1. Digital campus construction is complete and a one-stop platform handles campus business. A centralized data center has been built, and business is being upgraded from digital campus to smart campus. Basic database audit equipment is already deployed in the data center.
2. Digital campus construction is under way but not yet in use, and the business systems are separate. A data center is being built to extract the existing data from the legacy systems. The topology is complex and security domains have not yet been divided.
3. The original systems are still in use; the digital campus is at the project planning and budgeting stage, and application-system construction and data security construction must be carried out iteratively and in parallel.
According to the three security situations described above, three different technical means are adopted for protection.
1. Colleges and universities that have completed digital campus construction implement comprehensive data management: deploy a data security situation awareness platform, classify and grade the massive data in the school's large integrated data center, improve access control rules, and add each security node so as to realize data auditing, access control, desensitization and encryption.
2. Colleges and universities that have not yet completed their data centers adopt a step-by-step data security construction scheme. Basic data security configuration is carried out first, advanced configuration follows as the project progresses, and finally the deployment is upgraded smoothly to the data security situation awareness platform, so that comprehensive data security is achieved without replacing large amounts of equipment.
[Figures: data security situation awareness platform deployment mode; platform overview; data classification and presentation; user behaviour analysis]
a) Basic configuration
1. Deploy database audit products for all databases. Port mirroring plus probes allow online monitoring and protection of databases and their activity in several ways: illegal operations against the database are discovered on the network in time, recorded and alarmed. When a threat occurs it can be quickly determined whether it is an unauthorized operation by internal staff or an intrusion by an outsider, and responsibility can be pursued afterwards, meeting compliance requirements.
2. For systems that hold important data and are exposed to attack, especially those serving off-campus users, such as the database servers for campus cards, educational administration and financial management, a database firewall is deployed. On one hand it resists SQL injection and attacks on database vulnerabilities; on the other it restricts access by client IP and host name, effectively controlling misoperations from inside such as deleting all tables or abusing super-user privileges. Its learning function is enabled to generate a baseline whitelist automatically, so rules need no manual configuration and the difficulty of writing detailed firewall rules is avoided.
The basic configuration meets the basic audit and access-control requirements of Level Protection and the Cyber Security Law, and also meets the institution's need to keep traces of access behaviour and of internal and external illegal or unauthorized access.
Database audit records all operations on the database, including important commands and behaviours, the data the operation touched and the execution results, satisfying the Level II or Level III security audit requirements and Article 21 of the Cyber Security Law. The database firewall provides fine-grained access control down to table, field, row or statement level, so least privilege is achieved, super-administrator privileges such as those of the DBA are limited, and duties are separated; this meets the Level II and Level III access control and personal information protection requirements and the Article 21 requirement to distinguish sensitive data from ordinary data.
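As an added illustration of the learning-mode whitelist and client-host control described above (not code from the page or from any vendor product), the following Python sketch normalises SQL statements from constructed audit records into templates, learns the permitted account/template/client-IP baseline, and then flags statements in a later batch that fall outside it. Account names, IP addresses and SQL text are all constructed.

```python
import re
from collections import defaultdict

# Constructed audit records: (client IP, database account, SQL text). Not from the page.
LEARNING = [
    ("10.1.5.20", "edu_app", "SELECT name, id_no FROM student WHERE sid = 20190001"),
    ("10.1.5.20", "edu_app", "SELECT name, id_no FROM student WHERE sid = 20190002"),
    ("10.1.5.21", "fin_app", "UPDATE fee SET paid = 1 WHERE sid = 20190001 AND term = '2024A'"),
    ("10.1.9.8", "dba", "SELECT COUNT(*) FROM student"),
]
MONITORING = [
    ("10.1.5.20", "edu_app", "SELECT name, id_no FROM student WHERE sid = 20190003"),
    ("10.1.5.20", "edu_app", "SELECT name, id_no FROM student WHERE sid = 1 OR 1=1"),
    ("203.0.113.7", "fin_app", "UPDATE fee SET paid = 1 WHERE sid = 20190009 AND term = '2024A'"),
    ("10.1.9.8", "dba", "DROP TABLE student"),
]

def fingerprint(sql):
    """Replace literals with '?' and normalise whitespace and case, so statements
    that differ only in parameter values share one template."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)   # string literals ('' is an escaped quote)
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)  # numeric literals
    return " ".join(s.split()).lower()

def learn_baseline(records):
    """Learning phase: whitelist of (account, template) pairs and of client IPs per account."""
    templates, hosts = set(), defaultdict(set)
    for ip, user, sql in records:
        templates.add((user, fingerprint(sql)))
        hosts[user].add(ip)
    return templates, hosts

def check(records, templates, hosts):
    """Monitoring phase: return (reason, record) for each statement that leaves the
    learned baseline. A database firewall would block these; an audit system alarms."""
    findings = []
    for ip, user, sql in records:
        if ip not in hosts.get(user, set()):
            findings.append(("client host not in baseline", (ip, user, sql)))
        elif re.match(r"\s*(drop|truncate)\b", sql, re.I):
            findings.append(("destructive statement", (ip, user, sql)))
        elif (user, fingerprint(sql)) not in templates:
            findings.append(("statement outside whitelist", (ip, user, sql)))
    return findings

if __name__ == "__main__":
    templates, hosts = learn_baseline(LEARNING)
    for reason, rec in check(MONITORING, templates, hosts):
        print(f"ALERT {reason}: {rec}")
```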
b) Advanced configuration
1. For systems holding sensitive information, such as financial database systems with asset and finance data, a database encryption system is also deployed. Information is stored encrypted, and access to sensitive data is controlled through an independent permission control system to keep the data secure.
2. For the development zone, static database desensitization is deployed for data used in development and analysis, such as scientific research data, to provide batch masking. Quasi-real masked data are generated by sampling, substitution and similar methods, so that system developers can export from the development database without exposing real data. For the operations and maintenance environment, especially application systems still under development, dynamic database desensitization masks data in real time, preventing privileged access, misoperation and malicious operations by third-party maintenance staff from leaking private data.
The advanced configuration adds encryption and desensitization to the basic configuration. It protects the databases of multiple types of core business systems comprehensively, and gives the institution a single multi-function technical means for passing the Level Protection evaluation, fully meeting the information security construction requirements of the education industry.
Database encryption encrypts important system data by column, row or record, satisfying the Level Protection 2.0 data confidentiality requirement and Articles 21 and 31 of the Cyber Security Law on encrypting important data. Database desensitization masks personal information as it is collected, prevents unauthorized access to and illegal use of personal information, and meets the Level II and Level III personal information protection requirements of Level Protection 2.0 and the Article 42 requirement to desensitize personal information.
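An added example (not code from the page or from any product) contrasting the two desensitization modes above in Python: static masking produces deterministic substitute values for a development export, while dynamic masking rewrites a row according to the caller's role. The field names, sample records, secret key and role rules are all assumptions.

```python
import hashlib
import hmac

# Constructed sample rows (not from the page); ID numbers and phones are made up.
STUDENTS = [
    {"sid": 20190001, "name": "Zhang San", "id_no": "110101200001011234", "phone": "13800138000"},
    {"sid": 20190002, "name": "Li Si", "id_no": "310101199912125678", "phone": "13900139000"},
]
# Assumed secret for static masking; in practice it lives outside the development database.
STATIC_KEY = b"replace-with-key-from-a-secret-store"

def static_mask(record, key=STATIC_KEY):
    """Static desensitization for a development export: each sensitive field is replaced
    by a deterministic substitute keyed on the row id, so formats and joins across tables
    survive, identical inputs map to identical outputs, and the real value cannot be
    recovered without the key."""
    digest = hmac.new(key, str(record["sid"]).encode(), hashlib.sha256).digest()
    n = int.from_bytes(digest[:8], "big")
    out = dict(record)
    out["name"] = f"Student{n % 100000:05d}"
    # keep the 6-digit region prefix so the value still looks like an ID number;
    # the remaining 12 digits are synthetic and the check digit is not recomputed
    out["id_no"] = record["id_no"][:6] + f"{n % 10**12:012d}"
    out["phone"] = "1" + f"{n % 10**10:010d}"
    return out

def _partial(keep_front, keep_back):
    """Mask everything except the first keep_front and last keep_back characters."""
    return lambda v: v[:keep_front] + "*" * (len(v) - keep_front - keep_back) + v[len(v) - keep_back:]

def _full(v):
    return "*" * len(v)

# Assumed role-based rules for dynamic masking of live data: finance sees enough of the
# ID number to reconcile payments, helpdesk sees partial phones, DBA sees no personal data.
DYNAMIC_RULES = {
    "finance": {"id_no": _partial(6, 4), "phone": _partial(3, 4)},
    "helpdesk": {"id_no": _full, "phone": _partial(3, 4)},
    "dba": {"name": _partial(1, 0), "id_no": _full, "phone": _full},
}

def dynamic_mask(record, role):
    """Dynamic desensitization in the live environment: the row is rewritten on the fly
    according to the caller's role. An unknown role gets the most restrictive rule set
    rather than falling through to the real values."""
    rules = DYNAMIC_RULES.get(role, DYNAMIC_RULES["dba"])
    return {k: rules[k](v) if k in rules else v for k, v in record.items()}
```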
c) Analysis of data security products applicable to university business systems
d) Management programmes
1. Database accounts are strictly separated by business purpose, and business permissions are delimited; it is recommended to bind management terminals to fixed IP addresses;
2. Internal authority management: the Finance Department, Asset Section and Information Section each receive independent database accounts, and each business account is given the minimum database access it needs;
3. Manage database permissions, monitor and audit the core database tables comprehensively, generate user activity reports regularly, block IP addresses and database users that attempt unauthorized access, and ensure that legitimate users' normal access is not disrupted.
IV. Advantages
Zonvis technical solutions effectively solve the data security problems now faced by university financial systems and improve database security, confidentiality, stability and availability. They provide maximum assurance against information leakage, tampering and deletion caused by external and internal attacks and by intentional or unintentional dangerous operations, and meet the requirements of information security Level Protection, the Cyber Security Law and university information security.
1. Solve data security problems from the core
Prevention and control are carried out at the level of the SQL statements that access the database and of the fields that are viewed, so that tampering with, deleting and stealing data are prevented at the root.
2. Prevent unrelated business personnel from accessing core data
Establish a permission system for personnel who access core data, so that core data flow only among a small number of authorized staff; completely block access by unrelated personnel and unrelated business systems, open access only to the operations and maintenance and finance departments, and audit and protect centrally.
3. Defense-oriented, audit-assisted
Alongside active defence, all access behaviour is still audited and monitored, so that the time, place and person involved in any incident can be analysed at any time and the defence strategy refined accordingly. Illegal access and behaviour are blocked on the basis of a whitelist, and user operations are audited comprehensively and accurately.