Database Encryption Introduction
Database Encryption is a security protection product based on gateway proxy encryption technology, specifically designed to implement strategies such as encrypted storage and data masking for sensitive information.
In addition, the system features the following capabilities:
Transparent data encryption and decryption: The system supports transparent data encryption and decryption, meaning applications need not be aware of the encryption logic, the system automatically handles both encryption and decryption.
Data Anonymization: The system supports dynamic anonymization of sensitive data. Based on configured anonymization rules, it anonymizes plaintext data during display, ensuring data security during transmission and storage.
Key Management: The system supports multiple encryption algorithms, allowing flexible selection based on user requirements, and can integrate with external Key Management Services (KMS) to meet diverse security needs.
Through these features, database encryption, decryption, and data masking effectively protect sensitive information, meet compliance requirements, and provide robust security safeguards for the database.
The system serves as an agent encryption gateway deployed between the database and client applications. All access requests must pass through this gateway to achieve data encryption and access control functions. The system networking configuration is illustrated in Figure 1.
Data Encryption
The system supports data encryption and integrity verification, meeting the evaluation requirements of national security protection standards such as the Equal Protection Standard and Sub-protection Standard, as well as the assessment criteria for ensuring data integrity and confidentiality in commercial cryptographic system applications and security evaluations.
- Encryption algorithm: Supports AES and SM4 national cryptographic algorithms.
- Integrity verification algorithm: Supports the SM3-HMAC algorithm.
Usage Scenario
- Data encryption, decryption, and anonymization systems are widely used in various sectors including finance, healthcare, e-commerce, government services, and enterprise internal data management. In these scenarios, the systems encrypt sensitive data during storage and transmission, ensuring it is stored in ciphertext format within databases. Additionally, they anonymize the data during external display, analysis, or sharing with third parties to prevent data breaches.
- Compliant with national regulatory requirements: The system supports multiple encryption algorithms and strictly adheres to laws and regulations such as the Cybersecurity Law, Data Security Law, and Personal Information Protection Law. For example, the Cybersecurity Law explicitly prohibits network operators from disclosing, altering, or destroying the personal information they collect, except when the information has been processed to the extent that it cannot identify specific individuals and cannot be restored. Through data encryption and desensitization technologies, the system effectively protects personal information and critical data, ensuring compliance in data processing activities.
- Support for legacy system migration: The system employs a transparent proxy approach, requiring minimal modifications to existing databases and applications. It integrates seamlessly into legacy systems while providing robust data security protection without necessitating extensive architectural restructuring.
- Through these features, the data encryption, decryption, and anonymization system not only effectively safeguards sensitive data but also meets the stringent data security and compliance requirements of various industries.
Function Introduction
This section introduces the primary functions of database encryption/decryption and data masking, along with the relevant chapters.
| Function Name | Description | Section |
|---|---|---|
| Asset Management | Through the Data Source Asset Library module, users can efficiently manage various data source assets, ensuring data availability and security while providing a foundation for subsequent data encryption and anonymization operations. | |
| Device Status | Real-time monitoring of the operational status of various devices, including servers, network equipment, and storage devices. The system allows users to view device performance metrics, runtime data, and fault information, enabling timely detection of anomalies, early warnings, and proactive maintenance. This ensures stable device operation and safeguards the overall performance and reliability of the system. | |
| Role Management | Provide flexible user role management capabilities, allowing administrators to create and configure various user roles based on different business requirements and security policies. Each role can be assigned distinct permissions, such as access to specific data or execution of particular operations, enabling granular user permission management to ensure system security and data confidentiality. | |
| Key Management | The system supports multiple encryption algorithms and enables centralized key management. Users can easily create, store, update, and delete keys while ensuring their security and availability. Additionally, the system supports integration with Key Management Services (KMS), meeting diverse key management requirements across different users. | |
| Data Discovery and Analysis | The dynamic scanning and identification system manages sensitive data, including personal identification information, financial data, and trade secrets. Using predefined rules and algorithms, the system rapidly identifies the storage locations and usage patterns of sensitive data, providing a basis for subsequent operations such as data encryption and desensitization, thereby assisting users in better managing and protecting sensitive information. | |
| Data Field Management | Classify and manage data by domain based on different business requirements and security levels. Users can categorize data into distinct data domains according to factors such as data type, importance, and usage scenarios, and assign corresponding security policies and access permissions to each domain to achieve refined data management and security protection. | |
| Dynamic Desensitization | During data transmission, presentation, and sharing, sensitive data undergoes real-time desensitization according to predefined rules. The desensitized data retains the original format and certain characteristics but cannot be restored to its original state, thereby effectively protecting data privacy and security without disrupting normal business operations. | |
| Application Management | The system provides application management functionality to control which applications can access data encryption, decryption, and anonymization services. Through explicit authorization, it ensures that only approved applications can access and manipulate sensitive data, enabling refined data access management and safeguarding data security and compliance. | |
| Log Audit | The system meticulously records all user operations, data access history, system operation logs, and other relevant information. Through the log auditing feature, administrators can monitor the system's operational status in real time, trace data usage and modification processes, promptly identify abnormal activities and potential security threats, thereby providing robust support for system security management and incident investigation. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
