Financial proprietary cloud business needs
Following the industry trend, an Internet giant that builds a closed-loop business inevitably ends up establishing its own financial payment business. For example, early Taobao created Alipay to guarantee fair trading; Tencent followed suit with WeChat Pay; and JD.com, pressed by Jack Ma, launched JD Pay, JD Baitiao (IOUs) and so on. Judging from the construction paths of these pioneers, there are two forms: self-built traditional IDC rooms -> public cloud financial zone -> financial zone on a public cloud container platform; or self-built traditional IDC rooms -> financial proprietary cloud -> financial proprietary cloud based on a container platform. The original purpose of such a system is to reduce costs and increase efficiency: once the number of service systems exceeds 10000+, moving from the VM era to the container era reduces resource usage by 30%.
From the security perspective, on the one hand industry access security compliance places higher requirements on the financial proprietary cloud platform: it must pass Level 4 protection, which imposes high security requirements on the platform itself, with particularly explicit requirements in the trusted computing field. Financial data security standards also give clear guidelines, which need to be carried by products. On the other hand, in the day-to-day operation of a financial proprietary cloud, in the face of hacker intrusion, data must be strictly controlled at the data governance level.
Cloud native data security solution
Referring to the financial data security standards, there are clear plans for collection, transmission, storage, use, deletion and destruction across the life cycle of financial data, and these standards need to be realized by an automated platform.
Here we first discuss the concept of financial data classification:
Level 2: mainly contains data from partners; Level 2 data should give priority to business needs.
Level 3: mainly includes personal property information. When collecting Level 3 or above data, the authenticity of data collection devices or systems should be strengthened and verified by combining passwords, device fingerprints, device physical locations, network access modes and device risk.
Level 4: mainly includes payment passwords. Level 4 data should give priority to security requirements and carry out continuous dynamic authentication throughout the data collection process to ensure the authenticity of the data collection device or system. Operations such as blocking and secondary authentication can be carried out when necessary.
Analysis from data security platform construction level
From sensitive data identification and sensitive data desensitization to leak detection, a complete set of data security solutions is needed.
Platform side data security:
**1. Cloud platform data security, including supply chain security, physical security and trusted native workloads**
· Supply chain security. Currently, to ensure the stability of the domestic financial market, the supply chain has requirements based on ARM Kunpeng domestic servers, the Kylin operating system and domestic encryption algorithms.
· Physical security, mainly including hot spares in machine room construction and L4 machine room standards.
· Trusted native workloads, covering physical servers and Kubernetes clusters, require a domestic trusted root, or use domestic encryption cards or domestic HSMs.
**2. Cloud product data security**
· Hardware encryption infrastructure, including TPM trusted root, encryption card and HSM hardware encryption machine
· Full-link encryption, involving workloads, object storage, middleware, big data components, the OpenAPI gateway and the SaaS services provided by the upper layer
· KMS key management
Tenant data security:
1. Protection for the public cloud environment:
Network border defense: DDoS defense, Web application firewall, SSL certificates, load balancing, host security and the cloud security operations center
2. Data security of cloud applications:
Sensitive data protection products transparently encrypt persistent storage (such as cloud disks, RDS databases, object storage and ES), cloud hosts, K8S, virtual images, virtual snapshots and container images.
Product Technical Architecture:
For data security product planning, it is recommended to build a sensitive data protection product that provides: identification of sensitive data, classification and a visual map of data assets; data desensitization, including intelligent transformation, a variety of desensitization algorithms and custom templates; and leak prevention and detection, including fault detection and handling, with abnormal alarms sent to the cloud security operations center.
Business process for sensitive data protection products:
· Cloud products need data access rights: AK/SK authorization is required
· Add related assets: RDS, OSS, EBS, Elasticsearch, self-built databases, self-built file servers, self-built big data components
· Identify sensitive data: financial data specifications, PCI-DSS, custom rules; create an identification task; query/download reports
· Abnormal alarm & handling:
  unauthorized users access or download sensitive data
  legitimate users access and download sensitive data in batches
  unauthorized data access operations
  a bucket is changed to public read or public read/write
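The four alarm conditions above, run as detection logic over a constructed audit log. This is an added example and not code from the original article or from any vendor's product: the JSON log format, the `SENSITIVE_ASSET_POLICY` authorization table, the bucket and user names, and the bulk-download threshold and window are all assumptions made for the example.

```python
import json
from collections import defaultdict, deque

# Constructed sample audit log (one JSON object per line), loosely modelled on
# an object-storage access log. Every record here is made up for this example.
SAMPLE_LOG = """
{"ts": 1000, "user": "alice",   "action": "GetObject",    "bucket": "pay-records",   "key": "2024/01.csv"}
{"ts": 1001, "user": "mallory", "action": "GetObject",    "bucket": "pay-records",   "key": "2024/01.csv"}
{"ts": 1002, "user": "alice",   "action": "DeleteObject", "bucket": "pay-records",   "key": "2024/01.csv"}
{"ts": 1003, "user": "ops",     "action": "PutBucketAcl", "bucket": "pay-records",   "acl": "public-read"}
{"ts": 1004, "user": "ops",     "action": "PutBucketAcl", "bucket": "pay-records",   "acl": "private"}
{"ts": 1010, "user": "bob",     "action": "GetObject",    "bucket": "pay-records",   "key": "2024/02.csv"}
{"ts": 1011, "user": "bob",     "action": "GetObject",    "bucket": "pay-records",   "key": "2024/03.csv"}
{"ts": 1012, "user": "bob",     "action": "GetObject",    "bucket": "pay-records",   "key": "2024/04.csv"}
{"ts": 1013, "user": "bob",     "action": "GetObject",    "bucket": "pay-records",   "key": "2024/05.csv"}
{"ts": 1014, "user": "bob",     "action": "GetObject",    "bucket": "pay-records",   "key": "2024/06.csv"}
{"ts": 1015, "user": "bob",     "action": "GetObject",    "bucket": "pay-records",   "key": "2024/07.csv"}
{"ts": 2000, "user": "bob",     "action": "GetObject",    "bucket": "pay-records",   "key": "2024/08.csv"}
{"ts": 2001, "user": "alice",   "action": "GetObject",    "bucket": "public-assets", "key": "logo.png"}
"""

# Hypothetical authorization table produced by the identification step:
# only buckets listed here hold sensitive data; per user, the allowed actions.
SENSITIVE_ASSET_POLICY = {
    "pay-records": {
        "alice": {"GetObject"},
        "bob": {"GetObject", "PutObject"},
        "ops": {"PutBucketAcl"},
    },
}
PUBLIC_ACLS = {"public-read", "public-read-write"}
BULK_THRESHOLD = 5    # more than this many sensitive reads per user ...
WINDOW_SECONDS = 60   # ... inside this sliding window counts as a batch download


def parse_log(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(events, policy=SENSITIVE_ASSET_POLICY,
           bulk_threshold=BULK_THRESHOLD, window=WINDOW_SECONDS):
    """Return a list of alert dicts, one per triggered rule, in event order."""
    alerts = []
    reads = defaultdict(deque)  # (user, bucket) -> timestamps of recent reads

    for ev in events:
        bucket = ev["bucket"]
        if bucket not in policy:
            continue  # only sensitive assets are watched
        user, action, ts = ev["user"], ev["action"], ev["ts"]
        base = {"user": user, "bucket": bucket, "action": action, "ts": ts}

        allowed = policy[bucket].get(user)
        if allowed is None:
            # Rule 1: a user with no grant on a sensitive asset touched it
            alerts.append({"rule": "unauthorized_user", **base})
            continue
        if action not in allowed:
            # Rule 3: a known user performed an operation outside their grant
            alerts.append({"rule": "unauthorized_action", **base})
            continue
        if action == "PutBucketAcl" and ev.get("acl") in PUBLIC_ACLS:
            # Rule 4: bucket exposed as public read or public read/write
            alerts.append({"rule": "public_acl", "acl": ev["acl"], **base})
            continue
        if action == "GetObject":
            # Rule 2: a legitimate user reading sensitive objects in bulk
            dq = reads[(user, bucket)]
            dq.append(ts)
            while dq and ts - dq[0] > window:
                dq.popleft()
            if len(dq) == bulk_threshold + 1:  # fire once when the threshold is crossed
                alerts.append({"rule": "bulk_download", "count": len(dq), **base})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample log this yields four alerts: `mallory` (unauthorized user), `alice` deleting an object she may only read (unauthorized action), `ops` setting `public-read` (public ACL), and `bob` crossing the bulk-read threshold; the later `bob` read at ts 2000 falls outside the window and is not flagged, and reads from the non-sensitive `public-assets` bucket are ignored. A production rule set would also feed these alerts to the security operations center rather than printing them.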
· Data desensitization, with desensitization algorithms such as hash desensitization, encryption desensitization, character masking and keyword desensitization; create static desensitization tasks (MySQL, ES) or initiate dynamic desensitization
· Data watermarking: PDF, Word, Excel
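The desensitization algorithms and the static/dynamic task distinction above, worked through on a constructed table export. This is an added example, not code from the original article or from any product: the sample rows, the `COLUMN_POLICY` format, the HMAC key and the role names are assumptions, and because no cipher library is assumed, reversible tokenization through a `TokenVault` stands in for encryption desensitization (the vault mapping, like an encryption key, would live in KMS rather than in code).

```python
import hashlib
import hmac
import re
import secrets

# Hypothetical key material for the example; a real deployment fetches it from KMS.
HASH_KEY = b"example-hmac-key"


def hash_mask(value, key=HASH_KEY):
    """Hash desensitization: keyed SHA-256, irreversible but stable, so masked
    columns can still be joined or deduplicated."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def char_mask(value, keep_prefix=3, keep_suffix=4, fill="*"):
    """Character masking: keep a prefix and suffix, blank out the middle."""
    if len(value) <= keep_prefix + keep_suffix:
        return fill * len(value)  # too short to reveal anything safely
    middle = len(value) - keep_prefix - keep_suffix
    return value[:keep_prefix] + fill * middle + value[-keep_suffix:]


def keyword_mask(text, keywords=(), fill="***"):
    """Keyword desensitization: replace configured sensitive phrases in free text."""
    pattern = "|".join(re.escape(k) for k in keywords)
    return re.sub(pattern, fill, text, flags=re.IGNORECASE) if pattern else text


class TokenVault:
    """Reversible tokenization, used here in place of encryption desensitization.
    Tokens are random and carry no information about the value; the mapping held
    by the vault is the secret that must be protected."""

    def __init__(self):
        self._forward = {}
        self._reverse = {}

    def tokenize(self, value):
        if value not in self._forward:
            token = "TOK-" + secrets.token_hex(8)
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def detokenize(self, token):
        return self._reverse[token]


def static_mask(rows, column_policy, vault):
    """Static desensitization task: rewrite an export (e.g. a MySQL or ES dump)
    according to column_policy = {column: (algorithm, kwargs)}."""
    maskers = {"hash": hash_mask, "char": char_mask,
               "keyword": keyword_mask, "token": vault.tokenize}
    out = []
    for row in rows:
        masked = dict(row)
        for col, (algo, kwargs) in column_policy.items():
            if col in masked:
                masked[col] = maskers[algo](masked[col], **kwargs)
        out.append(masked)
    return out


def dynamic_mask(row, column_policy, vault, role, unmasked_roles=("dba_admin",)):
    """Dynamic desensitization: applied per query, based on who is asking.
    Privileged roles get the raw row; everyone else gets the masked view."""
    if role in unmasked_roles:
        return dict(row)
    return static_mask([row], column_policy, vault)[0]


# Constructed sample rows; the values are made up and do not belong to anyone.
SAMPLE_ROWS = [
    {"name": "Zhang San", "phone": "13800138000", "id_card": "110101199001011234",
     "card_no": "6222021234567890123", "note": "Payment password reset requested"},
    {"name": "Li Si", "phone": "13912345678", "id_card": "310101198512124321",
     "card_no": "6222021234567890123", "note": "normal top-up"},
]
COLUMN_POLICY = {
    "phone": ("char", {}),
    "id_card": ("hash", {}),
    "card_no": ("token", {}),
    "note": ("keyword", {"keywords": ["payment password"]}),
}

if __name__ == "__main__":
    vault = TokenVault()
    for masked_row in static_mask(SAMPLE_ROWS, COLUMN_POLICY, vault):
        print(masked_row)
    print(dynamic_mask(SAMPLE_ROWS[0], COLUMN_POLICY, vault, role="analyst"))
```

The design point is that each algorithm trades off differently: character masking keeps the value readable for support staff, keyed hashing preserves joinability without reversibility, tokenization (or encryption) is reversible only for holders of the vault or key, and keyword masking is the only one that works on free text. Static tasks produce a safe copy for test or analytics environments; dynamic masking leaves the source untouched and decides at query time.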
Other auxiliary solutions
Data security defense-in-depth solutions that need some assistance in specific scenarios:
During data collection, the IDaaS scheme needs to be integrated into the overall system. In the CDN scenario, the Keyless CDN solution is needed for origin-server encryption. Development and operations must be separated: when operations staff operate on data, the operation must go through the internal bastion host for audit. Data destruction requires a low-level formatting process.