Data Asset Protection Overview

Data asset protection provides data masking, data watermarking, database audit, database encryption, cloud bastion host, and API data security protection to ensure your asset security. You can purchase and use these services as required.

After purchasing DSC Professional Edition, you can use basic data masking and watermarking. For details, see Data Masking Overview and Data Watermarking Overview.
After purchasing database audit, you can use the database audit function. Database audit records user access to databases in real time, generates fine-grained audit reports, and generates alarms for risky behaviors and attacks in real time.
After purchasing database encryption, you can use the database encryption function. Database encryption provides the Transparent Data Encryption (TDE) capability for RDS or third-party relational databases. Sensitive data is encrypted and stored based on the gateway proxy encryption technology.
After purchasing CBHs, you can use the CBH functions. CBH uses a unified O&M login entry and the protocol-based forward proxy and remote access isolation technologies to centrally manage and audit cloud resources, such as servers, cloud hosts, databases, and application systems.
After purchasing API data security protection, you can use the API data security protection function. API Data Security Protection automatically sorts out application APIs to implement fine-grained access control, API exception risk detection, API sensitive data detection, masking, and watermarking.

Data Asset Protection

For details on data asset protection functions, refer to this section.

Static Data Masking

DSC can help mask a large amount of data at one time based on the configured data masking rules. Static data masking is used when sensitive data in the production environment is delivered to the development, testing, or external environment for development and testing and data sharing and research. You can create a data masking task on the DSC console to quickly mask sensitive data in database, OBS, and big data assets.

Figure 1 Static data masking flowchart

**Table 1** Data sources supported by data masking
Masking Type	Data Source Type
Data masking	SQLServer, MySQL, TDSQL, PostgreSQL, KingBase, DMDBMS, GaussDB, Oracle, and DWS
Elasticsearch masking	Elasticsearch
Hive masking	Hive
HBase masking	HBase
DLI masking	DLI
MRS masking	MRS_HIVE
OBS masking	OBS bucket files (text and images (face and license plate))

Data Watermarking

Data watermarking supports databases, documents, and images. If watermarks are added to distributed data, you can extract watermarks from leaked data to trace data flows and accurately locate the organization and person who leaked the data. In this case, the organization or person that is accountable for the leakage problem can be easily found. Adding watermarks does not affect use of the distributed data.

**Table 2** Supported database types
Database Type	Data Type
DWS	smallint, integer, bigint, float4, float8, varchar, text, and char
MRS-HIVE	smallint, int, long, float, double, and string

**Table 3** Supported file types
Type	Format
Document	pdf, pptx, docx, and xlsx
JSON data (invoking data watermark APIs)	Integer, floating point, and string.

**Table 4** Supported image watermark types
Type	Format
Images (or invoking image watermark APIs)	jpg, jpeg, png, bmp, tiff, tif, tga, and gif

Figure 2 Data watermarking process

Database Audit (DBSS)

Leveraging advanced big data analytics, DBSS offers a suite of features including database auditing, SQL injection attack detection, and identification of hazardous activities, all designed to fortify database security in the cloud environment. Table 5 describes its functions and features.

For details about the functions and usage, see DBSS Functions and DBSS User Guide.

**Table 5** Functions
Function	Description
User Behavior Detection and Audit	Associates access operations in the application layer with those in the database layer. Uses built-in or user-defined privacy data protection rules to mask private data (such as accounts and passwords) in audit logs displayed on the console.
Multi-dimensional Lead Analysis	Behavior analysis Supports quick analysis from multiple dimensions, such as audit duration, total number of statements, total number of risks, statements today, risks today, and sessions today. Session analysis Conducts analysis based on time, database user, and client. Statement analysis Provides multiple search criteria, such as time, risk severity, user, client IP address, database IP address, operation type, and rule.
Real-time Alarms for Risky Operations and SQL Injection	Risky operations Defines a risky operation in fine-grained dimensions such as operation type, operation object, and risk severity. SQL Injection Provides an SQL injection library, which facilitates alarm reporting for database exceptions based on the SQL command feature or risk severity. System resource Reports alarms when the usage of system resources (CPU, memory, and disk) reaches configured threshold.
Fine-grained Reports for Various Abnormal Behaviors	Session behavior Provides session analysis report of the client and database users. Risky operations Provides the risk distribution and analysis report. Compliance report Provides compliance reports that meet data security standards (for example, Sarbanes-Oxley).

Secure Database Encryption

Database encryption and access control is a security solution that safeguards sensitive data through encryption, utilizing gateway proxy technology.

As a proxy encryption gateway, the system is deployed between the database and client applications. Any access must pass through the gateway to implement data encryption and access control. Figure 3 shows the system networking scenario.

Figure 3 Networking

Data Encryption
The system supports data encryption and integrity verification, meeting the evaluation requirements of graded protection and sub-protection as well as the evaluation requirements of storage data integrity and confidentiality assurance in the application and security evaluation of commercial cryptographic systems.
- Encryption algorithm: AES and SM4 Chinese national cryptographic algorithm are supported.
- Integrity check algorithm: AES-GCM and SM3-HMAC are supported.
Access Control
The system has an access authorization mechanism independent of the database. Authorized users can access encrypted data, but unauthorized users cannot access encrypted data. This effectively prevents administrators from accessing the database without authorization and hackers from dragging the database.

The system allows system administrators, security administrators, and audit administrators to manage separation of permissions, enhancing database security compliance.

Scenario

Database encryption and access control can meet compliance requirements as well as sensitive database data protection requirements.

Meeting the compliance requirements of national assessment

The application system processes data based on user permissions. For legacy systems (the old system cannot be upgraded or reconstructed) and personal privacy protection issues required by Cybersecurity Law yet are not considered during development, it is too complex to change the code, data privacy protection depends on external technologies.

Database encryption and access control can implement database encryption and comply with various laws and regulations.

Meeting the requirements for protecting sensitive data in databases

Database encryption and access control can effectively prevent data leakage caused by the leakage of high-privilege accounts and passwords of database administrators, such as DBAs. In addition, the system can prevent database files from being downloaded or copied due to external APT attacks or improper internal management, meeting sensitive data protection requirements of databases.

Table 6 describes the main functions of database encryption and access control.

**Table 6** Functions
Function	Description
Asset Management	Allows users to add, delete, modify, and query database assets, test data source connectivity, and configure database read/write isolation, encryption mode, return value, and account permission detection.
Sensitive Data Discovery	Supports sensitive data scanning, sensitive data type management, and sensitive data industry template management.
Service Test	Supports service simulation tests to simulate whether encryption and decryption can be performed properly. Supports service SQL traffic analysis by accessing the network before encryption, locates SQL statements that may be executed abnormally after encryption, and generates analysis reports.
Encrypting Data	The data encryption module manages encryption and decryption tasks, authorizes client and database users to restrict user access, views and downloads encryption logs, rolls back table structures, manages encryption tables, and downloads bypass plug-ins.
Dynamic Data Masking	A masking algorithm can be configured for sensitive data to dynamically mask plaintext data.
Key Management	Supports three-level key algorithms, key source configuration, key (DSK) periodic rotation update, KMS interconnection configuration, key record query, and key search.
Platform Management	On the platform management module, you can configure basic network adapters and routes, upgrade the system, back up and restore configuration data, view application access records, and configure security passwords.
System Management	Maintains platform users, including account management, organizational structure management, role management, and account review; and allows users to view and manage various system messages. Displays the device status, manages devices, diagnoses the usage of the system kernel, CPU, and hard disk, upgrades the system, and manages system security configurations.
Log Management	Allows users to view and search for logs of all operations in the system.

Cloud Bastion Host (CBH)

Cloud Bastion Host (CBH) is a unified security management and control platform. It provides account, authorization, authentication, and audit management services that enable you to centrally manage cloud computing resources.

CBH provides various functional modules, such as department, user, resource, policy, operation, and audit modules. It integrates functions such as single sign-on (SSO), unified asset management, multi-terminal access protocols, file transfer, and session collaboration. With the unified O&M login portal, protocol-based forward proxy, and remote access isolation technologies, CBH enables centralized, simplified, secure management and maintenance auditing for cloud resources such as servers, cloud hosts, databases, and application systems.

For details about the functions and features, see CBH Functions and Features and CBH User Guide.

Identity Authentication
CBH uses multi-factor authentication and remote authentication technologies to enhance O&M security.
- Multi-factor authentication: CBH authenticates users with SMS messages, mobile tokens, USB keys, and one-time-password (OTP) tokens, reducing account leakage risks.
- Remote authentication: CBH interconnects with third-party authentication services or platforms to perform remote account authentication, prevent credential leakage, and ensure secure O&M. Currently, Active Directory (AD), Remote Authentication Dial-In User Service (RADIUS), Lightweight Directory Access Protocol (LDAP), and Azure AD remote authentication are available. CBH allows you to synchronize users from the AD domain server without modifying the original user directory structure.

Account Management
With a CBH system, you can centrally manage system user accounts and managed resource accounts, and establish a visible, controllable, and manageable O&M system that covers the entire account lifecycle.
- User account management: Manages the entire life cycle of system user accounts. Users can use a unique account to log in to the system to solve problems such as shared accounts, temporary accounts, and permission abuse.
- Resource account management: Centralized resource account management, full lifecycle management of resource accounts, single sign-on (SSO) to resources, and seamless switchover between management and O&M.

Permissions Management
CBH supports fine-grained permission management so that you have complete control over which user can access the CBH system and which managed resources can be accessed by a specific system user, enabling you to safeguard both the CBH system and managed resources.
- System access permission: controls user login and system access permissions based on the attributes of a single user account.
- Resource access control: You can assign permissions for resources by user, user group, account, and account group.

Operation Audit
In a CBH system, each system user has a unique identifier. After a system user logs in to the CBH system, the CBH system logs their operations and monitors and audits their operations on managed resources based on the unique identifier so that any security events can be discovered and reported in real time.
- System behavior audit: All system operations are recorded, and alarms are generated for misoperations, malicious operations, and unauthorized operations.
- Resource O&M audit: Records users' O&M operations throughout the entire process and supports multiple O&M audit technologies and forms. User operations can be audited at any time to identify O&M risks and provide basis for security event tracing and analysis.

O&M Functions
CBH supports multiple architectures, tools, and methods to manage a wide range of resources.
- O&M from your web browser: By leveraging HTML5 for remote logins, O&M engineers can perform O&M, such as real-time operation monitoring and file uploading and downloading, without installing a special client.
- O&M using a third-party client: CBH enables one-click interconnection with multiple O&M tools, enabling you to perform O&M without changing client usage habits.
- Automatic O&M: Complex online operations are automatically performed, eliminating repeated work and improving work efficiency.

O&M Ticket Application
During the O&M, if a system user does not have the required permissions for a certain resource, they can submit a ticket to apply for the permissions.
- O&M engineers can:
  - Manually or automatically trigger the ticket system and submit access approval tickets, command approval tickets, and database approval tickets.
  - Submit, query, cancel, and delete tickets.
- System administrators can:
  - Customize approval processes, including multi-level approval processes.
  - Approve one or more tickets at a time, as well as reject, cancel, query, and delete tickets.

API Data Security Protection

This system automatically identifies request interfaces of web application systems and application programming interfaces (APIs) to discover sensitive data. It visually displays sensitive data assets and implements data authorization based on users, interfaces, and accounts. The system ensures fine-grained data access control for applications and APIs, dynamic data masking of application request results, digital watermarks for web page results, security protection, and full-process source tracing for data leakage. Additionally, it includes data security functions such as application access security log audit, risk identification, and situation analysis, ensuring data security for the normal use and transfer of service data in the application system.

For details about the functions, see Table 1.

**Table 7** Functions
Feature	Description
Overview	Asset overview: Collects statistics on the number of assets such as applications, APIs, accounts, and sensitive data. Access popularity: Displays access information for the last 7 or 30 days from various dimensions.
Log Center	Records alarm logs and traffic logs, supporting log queries based on multiple conditions. Alarm logs: Allow you to view details about matched blacklist, risk protection, and blocking access control rules. Retrieval logs: Allow you to view the access traffic to a specific service.
Asset Center	Application assets: Gateways can be deployed as proxies by configuring domain names or IP addresses and ports. Multiple proxy types (e.g., HTTP, HTTPS) are available to meet various security and application requirements. API assets: After the proxy is used, the system automatically scans APIs in application assets based on the access status to ensure that no API is missing. Account assets: Accounts and sessions can be identified based on account parsing rules to facilitate targeted management. Various protection rules can be configured based on identified accounts. Built-in sensitive data identification algorithms detect multiple types of sensitive data such as passwords, ID card numbers, and bank card numbers.
Security Policy	Whitelist: Allows you to configure whitelists with different effective scopes based on conditions such as client IP address, account, and sensitivity label. Access control: Allows you to configure security protection rules for applications based on different combinations of conditions. Risk prevention: Supports built-in attack identification rules and performs blocking or log audit based on the set actions. Custom attack blocking policies can also be defined for automatic attack handling. Blacklist: Allows you to configure a blacklist to block access based on any combination of client IP addresses, accounts, and sensitive labels. Masking: Provides built-in common sensitive data labels and corresponding masking algorithms and allows you to add masking templates and configure sensitive data labels and algorithms in batches. Sensitive data returned by APIs can be masked based on different conditions to prevent sensitive data leakage. Watermarking: Allows you to add different types of watermarks to application services, including web page watermarks, dot matrix watermarks, document watermarks, and traceless watermarks. In case of a data leakage incident, the leakage source can be traced based on the watermark content.
Service Configuration	Sensitive data labels: Allow you to manage sensitive data labels by specifying keys, values, and regular expressions. You can manually add exceptions and sensitive data. Client IP address parsing: By configuring client IP parsing rules, you can parse the identified content at the corresponding identification location to obtain the client IP address. Certificate management: Allows you to manage SSL certificates in the system. Classification and grading: The system provides built-in sensitive data classification and grading rules, which can be customized.
System Management	Network management: Allows you to configure the NIC, route, and DNS information via a web page, or enable bypass status by one click for system troubleshooting. Backup and restoration: Allows you to back up audit logs and configuration files, which can be restored in case of issues or misoperations. Data clearance: Service logs and system logs can be cleared periodically or manually.
User Management	Built-in system administrator, audit administrator, and security administrator are included. System administrator: Responsible for routine system operation and maintenance. Security administrator: Handles routine security management, including granting and revoking user permissions. Audit administrator: Responsible for auditing, tracing, analyzing, and supervising the actions of the system administrator and security administrator.
System O&M	System monitoring: Displays device status and system resource usage in real time to facilitate troubleshooting. System overload: Allows you to configure the system to bypass some traffic when the API data security system is overloaded to reduce pressure.