Introduction to Database Encryption and Access Control

Database encryption and access control is a security solution that safeguards sensitive data through encryption, utilizing gateway proxy technology.

As a proxy encryption gateway, the system is deployed between the database and client applications. Any access must pass through the gateway to implement data encryption and access control. Figure 1 shows the system networking scenario.

Figure 1 Network Mode

Encrypting Data

The system supports data encryption and integrity verification, meeting the evaluation requirements of graded protection and sub-protection as well as the evaluation requirements of storage data integrity and confidentiality assurance in the application and security evaluation of commercial cryptographic systems.

Encryption algorithm: AES
Integrity check algorithm: AES-GCM

Access control

The system has an access authorization mechanism independent of the database. Authorized users can access encrypted data, but unauthorized users cannot access encrypted data. This effectively prevents administrators from accessing the database without authorization and hackers from dragging the database.

The system allows system administrators, security administrators, and audit administrators to manage separation of permissions, enhancing database security and compliance.

Application Scenarios

Database encryption and access control can meet compliance requirements as well as sensitive database data protection requirements.

Meet the compliance requirements of national assessment.

The application system processes data based on user permissions. For legacy systems (the old system cannot be upgraded or reconstructed) and personal privacy protection issues required by the Cybersecurity Law are not considered during development, it is too complex to change the code, data privacy protection depends on external technologies.

Database encryption and access control can implement database encryption and comply with various laws and regulations.

Meets the requirements for protecting sensitive database data.

Database encryption and access control can effectively prevent data leakage caused by the leakage of high-privilege accounts and passwords of database administrators, such as DBAs. In addition, the system can prevent database files from being downloaded or copied due to external APT attacks or improper internal management, meeting sensitive data protection requirements of databases.

Functions

This section describes the main functions and related sections of database encryption and access control.

**Table 1** Functions
Feature/Update	Function	Related Chapters
Asset Management	Allows users to add, delete, modify, and query database assets, test data source connectivity, and configure database read/write isolation, encryption mode, return value, and account permission detection.	Adding Data Assets
Sensitive Data Discovery	Supports sensitive data scanning, sensitive data type management, and sensitive data industry template management.	Sensitive Data Discovery
Business test	Supports service simulation tests to simulate whether encryption and decryption can be performed properly. Supports service SQL traffic analysis by accessing the network before encryption, locates SQL statements that may be executed abnormally after encryption, and generates analysis reports.	Simulated Encryption Test, Simulated Decryption Test, Service Test and Analysis
Encrypting Data	The data encryption module manages encryption and decryption tasks, authorizes client and database users to restrict user access, views and downloads encryption logs, rolls back table structures, manages encryption tables, and downloads bypass plug-ins.	Data Encryption and Decryption
Dynamic data masking	A masking algorithm can be configured for sensitive data to dynamically mask plaintext data.	Dynamic Data Masking
Key management	Supports three-level key algorithms, key source configuration, key (DSK) periodic rotation update, KMS interconnection configuration, key record query, and key search.	Initializing a Key, Key Management
Platform management	On the platform management module, you can configure basic network adapters and routes, upgrade the system, back up and restore configuration data, view application access records, and configure security passwords.	Platform Management
System management	Maintains platform users, including account management, organizational structure management, role management, and account review; and allows users to view and manage various system messages. Displays the device status, manages devices, diagnoses the usage of the system kernel, CPU, and hard disk, upgrades the system, and manages system security configurations.	System Management
Log management	Allows users to view and search for logs of all operations in the system.	Viewing System Operation Logs