2025-02-28 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
Preface
It has been a whole week since the Weimeng deletion incident. Weimeng officially released a message last night:
"As of 8:00 p.m. on March 1, with the assistance of Tencent Cloud team, after 7-24 hours of efforts, the data has been fully recovered. The system launch exercise will be held at 2:00 a.m. on March 2, and the data will be officially launched at 9:00 a.m. on March 3. We have prepared an indemnity reserve of 150 million yuan, of which the company bears 100 million yuan and the management bears 50 million yuan."
The Weimeng team also said: the accident exposed a management loophole in the company's data security. After the accident, Weimeng strengthened the internal process control management, invited external data security experts to evaluate the data security plan, and quickly worked out a data security plan to prevent the recurrence of such accidents.
Admittedly, "the recurrence of such accidents" is a commercial disaster that no enterprise can bear. It not only means serious damage to goodwill and finances, but also has a disastrous or even fatal impact on tens of thousands of users (merchants). Putting an end to it is not easy and requires the dual guarantee of technology and management systems. This article does not intend to discuss the specifics of the Weimeng incident or who is responsible for it. Prompted by the incident, it discusses the bank data security management system from the perspective of national laws, regulations and regulatory requirements for bank data security, and focuses on the key technologies of five types of data security protection.
1. Awareness of data security
Many people's understanding of data security stays at the technical level: firewall hardware and some security software for data protection. In the whole data security system, basic hardware and software technology is only a small part. It is an auxiliary function that strengthens security, and it is the basis for realizing risk management. However, accidents at some Internet finance companies and some banks show the following characteristics:
01
Facing the pressure of high data management integration
In most banks, centralized data management has basically been achieved. For example, the data of branches and institutions is consolidated into the head office data center or a regional data center, which improves the efficiency of data processing and reduces the cost of data management. However, it also raises the requirements for data security management and increases the data security risk concentrated in the data center. As banking business continues to expand, the pressure on maintenance work grows as well.
02
Security management of rapid data growth
With the rapid development of Internet technology, the business of commercial banks continues to develop and innovate, and the data generated by business systems keeps growing. However, the level of governance and protection applied to that data varies from one business system to another, as do the media and methods used to store it. As a result, the risk of data leakage, data deletion and data corruption in the use and processing of production data is also increasing.
03
Access control of data management
The database system is responsible for data storage and business data management, and it meets general application requirements for protecting the security and confidentiality of data. Its access control, however, is generally discretionary access control, which lacks behavior management, so audit and access control security software is usually purchased to strengthen it.
2. Risk factors of data security
Before enterprises began to adopt a large number of new technologies, projects at traditional banking financial institutions focused mainly on project management and application development. The analysis, identification and control of data security risks often relied on staff from external companies that provided development support, and existing framework models were adopted for the architecture, including network architecture, physical architecture, communication processing and so on. This can meet fast-growing technical needs, but it carries the following data security risks:
01
Equipment and software operation risk
Most of the information systems used by commercial banks are developed as managed projects. There is uncertainty between the designed content and the actual requirements, and in whether the data operators can correctly use and manage the database software. There is also failure risk at the hardware layer: equipment failure and damage to the operating environment lead to data security risks.
02
Human risk
The threat from the personnel who cause bank data risk falls into two kinds: conscious and unconscious.
Conscious: individuals or organizations steal or destroy data under the temptation of profit.
Unconscious: data security risk caused by misoperation that does not comply with regulations during data operations.
Another factor that poses a risk to bank data security is technical intrusion, which uses vulnerabilities or viruses to steal and destroy data.
3. Database protection scheme
In bank data security, the database occupies the core position. Its security is tied to the security of the whole business system, and it is also the core of the bank: all production data generated by the business is stored in the database, so protecting the database is very important.
First of all, according to the "Information Technology Risk Supervision Manual of Banking Financial Institutions" issued by the banking supervision authority, database security is divided into: data independence, data integrity, data backup, data access control, standardization mechanism and so on.
01
Data independence
In early banking business, data came mainly from savings and loan business, and the amount of data was small. There was no need for data mining and analysis, the daily processing cycle for business data was short, and the quantity was small. With the development of Internet technology, the customer base has grown and the frequency of business transactions has increased. Classifying, mining and managing all kinds of data is becoming more and more important. If data is not managed through its life cycle, the loss of key core data will cause significant damage.
Large amount of data stored in the database: without life cycle management of database data, the direct result is a huge occupation of database space, which in turn causes problems for the access performance of the business system and the performance of the database.
Business tables are difficult to manage: in the logical structure of the database, data is stored in tables, so the visible result is very large tables. This puts pressure on the processing of business data and on table access performance in the database itself. Data backup and index changes take a long time and increase the risk of table locks.
Data recovery takes more time: recovering a large amount of data takes longer and is technically difficult, and the greater impact is on the continuity of the business system. A long recovery time puts great pressure on business recovery.
Oracle Database provides full data life cycle management, which supports tiered data migration, archiving, protection and so on. It also provides data life cycle management tools that are efficient, low-cost and support different access boundaries.
Figure 1, data life cycle management phases
02
Data integrity
Data integrity means ensuring the accuracy and reliability of data and information systems, and prohibiting unauthorized modification of important data and business-critical data. Incorrect and non-standard SQL operations in the database destroy data integrity, so the SQL audit system should be strengthened.
Key points of SQL audit:
Strengthen the logic of business SQL operations.
Build safe-operation awareness according to the requirements of the SQL development standards.
Enable the default audit rules as needed, together with custom rule settings.
Conduct periodic offline SQL development training to strengthen the importance of SQL audit in the development and testing process.
Provide SQL optimization skills training.
Compare SQL performance before and after optimization.
Periodically publish SQL audit data to show the quality improvement brought by SQL audit.
Fig. 2 diagram of SQL audit system
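The default-plus-custom rule idea from the SQL audit key points can be sketched as follows. This is an added example, not code from the article or from any audit product; the rule names, the rules themselves and the sample script are assumptions chosen for illustration.

```python
import re

# One left-to-right pass, so a "--" inside a string literal is not read as a comment.
_NOISE = re.compile(r"'(?:[^']|'')*'|/\*.*?\*/|--[^\n]*", re.S)

def normalize(script):
    """Blank out string literals and comments, collapse whitespace, lower-case."""
    cleaned = _NOISE.sub(lambda m: "''" if m.group().startswith("'") else " ", script)
    return re.sub(r"\s+", " ", cleaned).strip().lower()

def _has_where(stmt):
    # Lexical check only: a WHERE inside a subquery also counts.
    return re.search(r"\bwhere\b", stmt) is not None

# Assumed default rules: statement shapes that remove or rewrite whole tables.
DEFAULT_RULES = {
    "DELETE_WITHOUT_WHERE": lambda s: s.startswith("delete ") and not _has_where(s),
    "UPDATE_WITHOUT_WHERE": lambda s: s.startswith("update ") and not _has_where(s),
    "DROP_OR_TRUNCATE": lambda s: re.match(r"(drop|truncate)\b", s) is not None,
}

# Assumed custom rule: a WHERE clause that is always true still hits every row.
CUSTOM_RULES = {
    "TAUTOLOGY_WHERE": lambda s: re.search(r"\bwhere\s+1\s*=\s*1\s*$", s) is not None,
}

def audit(script, custom_rules=None):
    """Return (statement number, rule name) for every rule a statement violates."""
    rules = {**DEFAULT_RULES, **(custom_rules or {})}
    statements = [s.strip() for s in normalize(script).split(";") if s.strip()]
    return [(n, name)
            for n, stmt in enumerate(statements, 1)
            for name, violated in rules.items() if violated(stmt)]

# Constructed sample script (not from the article).
SAMPLE = """
-- nightly cleanup job
UPDATE accounts SET note = 'closed; where id = 1';
DELETE FROM orders WHERE id = 42;
DELETE FROM orders /* where id = 42 */;
delete from audit_log where 1 = 1;
TRUNCATE TABLE customers;
"""

if __name__ == "__main__":
    for n, rule in audit(SAMPLE, CUSTOM_RULES):
        print(f"statement {n}: {rule}")
```

Statements 1 and 3 show why literals and comments are stripped first: the only `where` in each sits in data or in a comment, so neither statement is actually restricted to specific rows.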
03
Data backup
"Backup is more important than anything else"; its importance needs no elaboration. Generally speaking, there are several ways to back up a bank database:
Cold backup and hot backup
Cold backup is also called "offline backup". It requires the database to be shut down to maintain data consistency, and copies the database data files, parameter files, control files, redo log files and archive files. Hot backup is also called "online backup". It backs up the database files without requiring the database to be shut down. Hot backup does not affect the normal use of the database and has the least impact on the business.
Full backup and incremental backup
A full backup backs up the whole database, regardless of how the data has changed since the last backup. An incremental backup backs up the data that has changed between the last full backup and the present, and takes less time than a full backup. Full backup and incremental backup together constitute the backup management strategy.
Data disaster recovery
In recent years, China's banking business has developed rapidly. The total capital and business handling capacity of the large banks are among the highest in the world, and their operations cover the whole country and are expanding rapidly overseas. Once business stops, it may affect the normal operation of the whole bank and even the whole financial system, and affect social stability. Therefore, after the large-scale centralization of data, the banking industry has actively promoted disaster recovery, emergency management and continuity management of IT services.
Large and joint-stock banks actively promote the construction of "two places and three centers", setting up disaster recovery centers in the same city and in a different location to deal with construction failures and regional disasters (such as earthquakes, floods, wars, etc.). Most commercial banks have basically established a disaster recovery system for the core business, to ensure the data security of the core business and its recovery when a disaster occurs.
Figure 3, "two places and three centers" disaster recovery diagram
04
Data access control
The database, as the supporting platform and running environment of banking application software, plays an important role in the banking business system. The mainstream databases Oracle, MySQL and DB2 have high security levels and provide database recovery and transaction processing, as well as role management and discretionary access control security mechanisms. Strengthen authority management and form an account responsibility system. For example, technical developers can only carry out operation, maintenance and development work on designated machines, and if an account is found to be leaked, it is corrected promptly. The end result is a unified and clear account process management system. Use the IT operation and maintenance audit system to comprehensively monitor the work of operation and maintenance staff and developers, and combine it with the database audit system to comprehensively monitor all operation and development tools. Together these form all-round operation monitoring that records every operation of each account holder in detail and accurately identifies the person through the application layer account, database account, operating system user name, client host name, client IP and client MAC.
Figure 4, database rights management diagram
Note: objects refer to database resources, such as data, tables, tablespaces, etc.; security constraint control refers to identity isolation (separation of responsibilities) for secure access and to breaking up users in whom privileges are highly concentrated.
05
Standardization mechanism
The purpose of the data standardization construction plan is to ensure the integrity, validity, consistency, standardization and sharing of business data, so as to improve the use of data and data security isolation, and to reduce the design defects and incorrect operating procedures caused by non-standardization.
Unified data standards can improve business efficiency. In business system development they increase data sharing, unify the design and definition of all kinds of data structures, and open interfaces to standardize data governance. They lead to high data quality and meet the standard data source format to reduce data non-compliance and access
Figure 5, logical architecture diagram of data standardization management
4. Data management system
The data handled by information systems (user data, system data, business data, etc.) plays a vital role in keeping the systems running normally. Once the data is destroyed, it affects the business continuity and security of banking financial institutions to varying degrees, and may even bring huge reputational risk or economic loss. Because all levels of the information system (network, host, application, etc.) transmit, store and process all kinds of data, protecting data needs the support of the physical environment, network, database, operating system, application and so on. Banking financial institutions should strictly control the collection, transmission, use, storage, backup, recovery, query and destruction of business data to ensure the confidentiality, integrity and availability of the data.
01
Basic requirements of the data management mechanism: banking financial institutions should formulate strict guidance and strictly manage the use, storage, backup, recovery, destruction and other aspects of business data.
02
Basic requirements of data management responsibilities: banking financial institutions should establish a complete post responsibility system according to the content and level of data management, as well as the process of data generation, storage, distribution, backup, recovery and destruction, and assign responsibility to individuals.
03
Basic requirements of the data recovery exercise: the recovery procedure should be carried out regularly to check and test the effectiveness of the backup media, to ensure that the backup recovery can be completed within the time specified in the recovery program.
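The full-plus-incremental strategy from the data backup section and the recovery-exercise requirement above can be checked together. The sketch below is an added example, not code from the article or from any backup product; the catalog layout, the field names and the sample timings are constructed assumptions.

```python
from datetime import datetime

# Constructed catalog (not from the article). "restore_min" is the restore time
# measured in the last recovery exercise; "verified" records whether that
# exercise could actually read the backup media.
CATALOG = [
    {"id": "F1", "kind": "full", "base": None, "done": datetime(2020, 3, 1, 1, 0),
     "restore_min": 180, "verified": True},
    {"id": "I1", "kind": "incr", "base": "F1", "done": datetime(2020, 3, 2, 1, 0),
     "restore_min": 20, "verified": True},
    {"id": "I2", "kind": "incr", "base": "F1", "done": datetime(2020, 3, 3, 1, 0),
     "restore_min": 35, "verified": True},
    {"id": "F2", "kind": "full", "base": None, "done": datetime(2020, 3, 4, 1, 0),
     "restore_min": 180, "verified": False},  # media failed the last exercise
    {"id": "I3", "kind": "incr", "base": "F2", "done": datetime(2020, 3, 5, 1, 0),
     "restore_min": 15, "verified": True},
]

def restore_plan(catalog, target, limit_min):
    """Choose the restore chain for `target` and check it against the time limit.

    An incremental holds every change since its full backup (the article's
    definition), so the chain is one full plus at most one incremental. An
    incremental is useless if its base full backup cannot be restored.
    """
    usable = [b for b in catalog if b["verified"] and b["done"] <= target]
    fulls = sorted((b for b in usable if b["kind"] == "full"), key=lambda b: b["done"])
    if not fulls:
        return None  # nothing restorable at all
    full = fulls[-1]
    incrs = sorted((b for b in usable if b["kind"] == "incr" and b["base"] == full["id"]),
                   key=lambda b: b["done"])
    chain = [full] + incrs[-1:]
    minutes = sum(b["restore_min"] for b in chain)
    return {
        "chain": [b["id"] for b in chain],
        "restore_min": minutes,
        "within_limit": minutes <= limit_min,
        # Changes made after the last backup in the chain are not recoverable from it.
        "lost_min": int((target - chain[-1]["done"]).total_seconds() // 60),
    }

if __name__ == "__main__":
    print(restore_plan(CATALOG, datetime(2020, 3, 5, 10, 0), limit_min=240))
```

With the newest full backup unreadable, the plan falls back to F1 plus I2: it still fits a 240-minute limit, but the unrecoverable window grows from 9 hours to 57 hours, which is the kind of finding a regular recovery exercise exists to surface.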
Conclusion
The Weimeng accident caused the stock price of the company to fluctuate by 1 billion yuan. For an Internet company, the only valuable asset is data, and no amount of protection for it is too much. In fact, in the era of DT, the protection of data is the most important thing for any organization.
There is nothing new under the sun. Eygle once wrote a book, "Data Security Alert Book", which collects a large number of security-related cases and analyzes the experience of handling them, to serve as a warning. It is strongly recommended that data managers in every enterprise think deeply about the warnings from real-world data security incidents and the measures that need to be taken. The following products and services are expected to effectively reduce and avoid disasters caused by inadequate data security protection.
Cloud and Enmo's ZDBM product is a database backup, disaster recovery and copy data management platform that uses copy data management (CDM) technology. As for consistency versus continuity, every operation and maintenance team is expected to set its own criteria in advance according to business characteristics, and different business systems will make different choices at different stages. ZDBM strikes a balance between the two, meeting the urgent needs of organizations in terms of data security and efficient use of backup data.
ZDBM software interface
Another product with a backup function is MyData, an all-in-one product for MySQL databases. Its backup and recovery function provides XtraBackup-based physical full backup, incremental backup, binlog backup and mydumper logical backup, which can be combined flexibly according to different backup and recovery needs, providing more choices.
MyData software interface
Service maintenance category: to provide professional technical support for the security, stability and performance of the customer core system database. Single service: data recovery (database damage, storage and other equipment failure), emergency rescue (hotline: 400,660,8755). Database security reinforcement. Training: enterprise internal training & practical training & certification course training (Enmo College: www.enmoedu.com).
References: Guidelines for Information Technology Risk Management in Commercial Banks; Information and Communications Technology Security Management (ISO/IEC TR 13335); Information Security Technology, Personal Information Security Code; Banking Financial Institutions Information Technology Risk Supervision Manual