With the continued development of cloud computing, big data, AI and other technologies, large volumes of core data are stored in the various systems of an enterprise; this data has become an important production resource and the lifeblood of the business. Data security has therefore become the central and most prominent problem for enterprises.

Against the background of the formal implementation of the national Data Security Law, the iQiyi security team, following GB/T 22239-2019 (Information Security Technology: Basic Requirements for Classified Protection of Cybersecurity) and the relevant standards and requirements of the Cryptography Law of the People's Republic of China, launched the Cloud KMS key management platform, which focuses on data storage encryption and key management.

Because member-sensitive data varies in classification level and usage scenario, having each system integrate with KMS one by one would incur high development cost and make the systems harder to maintain. The membership department therefore built a secondary wrapper on top of the existing Cloud KMS, combining data encryption and key management with business operations and effectively improving the security of member data.

Let's first take a look at the Cloud KMS platform itself.

Introduction to Cloud KMS

Cloud Key Management System (KMS) is a one-stop key management and data encryption service platform built on HSM hardware and virtualization technology to store, manage and update keys securely. Its core is the secure storage of service keys: it supports dedicated storage devices to protect stored keys, uses a secure hash algorithm to derive user keys, and uses an identity authentication mechanism to control access to keys.

Main functions

Key lifecycle management

● Cloud KMS provides centralized escrow and control of keys. A key escrowed on KMS is called a service master key (CMK). Business teams can create a user master key (CMK) themselves and easily manage access to it through the authentication mechanism.

● KMS supports importing external keys. Currently 128-bit and 256-bit symmetric keys can be imported, which makes it easier for services to migrate onto KMS.

Data encryption

At the same time, KMS adopts a two-site, three-center deployment mode to ensure high availability of the service, and provides simple, efficient APIs for data key creation and for data encryption and decryption.

Interface authentication

KMS authenticates requests with an AccessKey, and supports services creating and managing their own AK/SK key pairs.

Cloud KMS architecture

Usage scenarios

Envelope encryption: use KMS to create a master key, use the master key to generate a data key, and then use the data key to encrypt and decrypt data locally. This scenario applies to the encryption and decryption of large data objects, such as files and videos.

• If the content to be encrypted is large and mostly unstructured, such as files and videos, envelope encryption is the suitable scenario.

The encryption process

Decryption process

Online encryption: use KMS to create a master key and use it to encrypt and decrypt data directly. This scenario applies to the encryption and decryption of small data objects.

• If the content to be encrypted is small, such as certificates, online encryption is the suitable scenario.
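The two scenarios side by side, as an added Go example that is not iQiyi's Cloud KMS code. `SimKMS` is a stand-in for the KMS service: it keeps a generated 256-bit CMK in memory and exposes only operations on it, the way a real KMS keeps the CMK inside an HSM. The method names `GenerateDataKey`, `UnwrapDataKey`, `Encrypt` and `Decrypt` are chosen for this example, not the platform's real API; AES-GCM is assumed for both key wrapping and local data encryption, and the AAD labels are an assumption added to keep wrapped data keys and ordinary data apart.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SimKMS stands in for the KMS service. It holds the customer master key (CMK)
// and exposes only operations on it; a real KMS keeps the CMK inside an HSM.
type SimKMS struct{ cmk cipher.AEAD }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewSimKMS generates a 256-bit CMK for the demo (constructed, never persisted).
func NewSimKMS() (*SimKMS, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	aead, err := newGCM(raw)
	return &SimKMS{cmk: aead}, err
}

// seal prepends a random nonce to the AES-GCM output; open reverses it.
func seal(aead cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

func open(aead cipher.AEAD, blob, aad []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// Online encryption: the data itself goes to KMS and is protected directly under
// the CMK. The AAD label keeps wrapped data keys and ordinary data apart.
func (k *SimKMS) Encrypt(plaintext []byte) ([]byte, error) { return seal(k.cmk, plaintext, []byte("data")) }
func (k *SimKMS) Decrypt(blob []byte) ([]byte, error)      { return open(k.cmk, blob, []byte("data")) }

// GenerateDataKey returns a fresh data key in plaintext (for immediate local use)
// and wrapped under the CMK (for storage beside the data).
func (k *SimKMS) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(k.cmk, plain, []byte("datakey"))
	return plain, wrapped, err
}

// UnwrapDataKey is the only KMS round trip needed when reading an envelope.
func (k *SimKMS) UnwrapDataKey(wrapped []byte) ([]byte, error) {
	return open(k.cmk, wrapped, []byte("datakey"))
}

// Envelope is what gets persisted for a large object; the plaintext data key is
// discarded after use and never stored.
type Envelope struct{ WrappedKey, Ciphertext []byte }

func EnvelopeEncrypt(k *SimKMS, data []byte) (*Envelope, error) {
	plain, wrapped, err := k.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(plain)
	if err != nil {
		return nil, err
	}
	ct, err := seal(aead, data, nil) // local work: the bulk data never leaves the host
	return &Envelope{WrappedKey: wrapped, Ciphertext: ct}, err
}

func EnvelopeDecrypt(k *SimKMS, env *Envelope) ([]byte, error) {
	plain, err := k.UnwrapDataKey(env.WrappedKey) // the only KMS call on read
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(plain)
	if err != nil {
		return nil, err
	}
	return open(aead, env.Ciphertext, nil) // GCM rejects any tampered ciphertext
}

func main() {
	kms, _ := NewSimKMS()
	env, _ := EnvelopeEncrypt(kms, []byte("large video payload, constructed for the demo"))
	back, _ := EnvelopeDecrypt(kms, env)
	fmt.Printf("envelope: %d-byte wrapped key, %d-byte ciphertext -> %q\n", len(env.WrappedKey), len(env.Ciphertext), back)
}
```

The point to notice is the call pattern: envelope encryption touches KMS once per object (to obtain or unwrap the data key) regardless of how large the object is, while online encryption sends every byte through KMS, which is why the page reserves it for small objects such as certificates.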

Business practice

Membership business practice

Background

The sensitive data of iQiyi's membership business is concentrated mainly in member keys, activation codes and similar scenarios, characterized by small individual records, very large data volumes and high call frequency. Because the business is sensitive to abnormal data, online encryption is preferred, on the basis of a secondary encapsulation.

In practice, business adaptation features were added on top of the basic Cloud KMS functions, including caching, retry policies and periodic refresh of ciphertext, and the details of interaction with the underlying service are hidden to reduce the integration and learning cost for business users. Starters for Spring Boot, MyBatis, the configuration center and other components are provided to keep intrusion into business code low.

Framework architecture

At present, some internal membership systems have been connected to KMS, and all data stored externally and internally is encrypted. Encryption and decryption use hardware-chip-based algorithms approved by the State Administration of State Secrets. The overall architecture is as follows:

Adaptation features

1. Business parties can keep ciphertext data in memory for a short period; the retention time and storage mode are configurable according to actual conditions.

2. The cache eviction policy is customizable and configured according to the actual situation. Full refresh and FIFO eviction are currently supported, and more algorithms will be supported in the future.

3. Pluggable retry policy. A default retry policy is built in, and services can customize their own through the exposed interface.

Processing flow

The main processing flow consists of permission verification, configuration parsing, custom logic processing, retry policies, cache updates and so on. The service platform issues a master key to the business party; the business party places the master key configuration in the configuration center and the sensitive information in a local file. After introducing the KMS kit, the encryption function can be enabled through configuration alone.

**Permission check:** verifies the identity of the access party based on the AK/SK configured by the user

**Configuration parsing:** parses the configuration file and data from the configuration center

**Custom logic processing:** the user implements the extension interface to supply custom processing logic

**Retry policy:** if the Cloud KMS invocation fails, retry according to the configuration

**Cache update:** caches ciphertext data in the business system for a certain period to avoid heavy load on the downstream service
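The adaptation features (cache, eviction policy, pluggable retry) and the processing flow above, as an added Go example that is not the membership team's starter code. `Wrapper` performs the AK/SK permission check (assumed here to be an HMAC-SHA256 signature of the request payload under the secret key, since the page does not specify the scheme), serves repeated requests from a TTL-bounded in-memory cache with FIFO eviction, and invokes the downstream call through a pluggable `RetryPolicy` with a fixed-count default. The downstream KMS decrypt is injected as a function, so the flow runs offline against a constructed stub; the cache is keyed by ciphertext, an assumption about which direction the page's "cache ciphertext data" refers to.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// RetryPolicy is the pluggable hook: a default is built in, a business party may substitute its own.
type RetryPolicy interface {
	ShouldRetry(attempt int, err error) bool
}

// FixedRetry is the default policy: retry up to Max more times on any error.
type FixedRetry struct{ Max int }

func (f FixedRetry) ShouldRetry(attempt int, err error) bool {
	return err != nil && attempt < f.Max
}

// Credentials is the AK/SK pair configured by the business party.
type Credentials struct{ AccessKey, SecretKey string }

// Sign is the request signature a caller attaches: hex HMAC-SHA256 of the payload under SK (assumed scheme).
func Sign(sk string, payload []byte) string {
	mac := hmac.New(sha256.New, []byte(sk))
	mac.Write(payload)
	return hex.EncodeToString(mac.Sum(nil))
}

type entry struct {
	val  []byte
	when time.Time
}

// Wrapper sits between business code and the raw KMS decrypt call, which is injected.
type Wrapper struct {
	creds   Credentials
	ttl     time.Duration // how long a result may be served from memory
	maxSize int           // cache capacity; the oldest insertion is evicted first
	cache   map[string]entry
	order   []string // FIFO insertion order
	retry   RetryPolicy
	decrypt func(ciphertext []byte) ([]byte, error)
	now     func() time.Time
	Calls   int // downstream invocations, exposed to observe cache hits
}

func NewWrapper(creds Credentials, ttl time.Duration, maxSize int,
	decrypt func([]byte) ([]byte, error)) *Wrapper {
	return &Wrapper{creds: creds, ttl: ttl, maxSize: maxSize, cache: map[string]entry{},
		retry: FixedRetry{Max: 2}, decrypt: decrypt, now: time.Now}
}

// Decrypt runs the flow: permission check, cache lookup, retried downstream call, cache update.
func (w *Wrapper) Decrypt(ak, sig string, ciphertext []byte) ([]byte, error) {
	want := Sign(w.creds.SecretKey, ciphertext)
	if ak != w.creds.AccessKey || !hmac.Equal([]byte(sig), []byte(want)) {
		return nil, errors.New("permission denied")
	}
	key := string(ciphertext)
	if e, ok := w.cache[key]; ok && w.now().Sub(e.when) < w.ttl {
		return e.val, nil // served from memory, no downstream pressure
	}
	var out []byte
	var err error
	for attempt := 0; ; attempt++ {
		w.Calls++
		if out, err = w.decrypt(ciphertext); err == nil || !w.retry.ShouldRetry(attempt, err) {
			break
		}
	}
	if err != nil {
		return nil, fmt.Errorf("kms decrypt failed: %w", err)
	}
	w.put(key, out)
	return out, nil
}

// put stores a result, evicting the oldest entry when the cache is full.
func (w *Wrapper) put(key string, val []byte) {
	if _, exists := w.cache[key]; !exists {
		if len(w.order) >= w.maxSize {
			delete(w.cache, w.order[0])
			w.order = w.order[1:]
		}
		w.order = append(w.order, key)
	}
	w.cache[key] = entry{val: val, when: w.now()}
}

func main() {
	stub := func(ct []byte) ([]byte, error) { return []byte("plaintext-of-" + string(ct)), nil } // constructed KMS stand-in
	creds := Credentials{AccessKey: "ak-demo", SecretKey: "sk-demo"}
	w := NewWrapper(creds, time.Minute, 2, stub)
	ct := []byte("ciphertext-1")
	out, err := w.Decrypt(creds.AccessKey, Sign(creds.SecretKey, ct), ct)
	fmt.Printf("result=%q err=%v downstream calls=%d\n", out, err, w.Calls)
}
```

Two design points worth keeping when adapting this: the signature comparison uses `hmac.Equal` rather than `==` so it runs in constant time, and the retry loop counts every downstream invocation in `Calls`, which is the number an operator needs to see to confirm the cache is actually shielding KMS under high read frequency.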

Business value

After integrating KMS encryption, business code no longer needs to handle the data conversion involved in encryption, or even to care about the form of the data, which greatly reduces development cost; at the same time, upstream and downstream interaction and data flow no longer need redundant adaptation code, making business logic more concise and clear. Its further value is reflected at the data level and the system level:

Data level

1. Ensures that the encryption and decryption of every piece of sensitive data goes through KMS, so that every record meets the basic requirements of classified security protection

2. Improves the sharing of ciphertext data across multiple systems, reduces system coupling, cuts repeated development by about 80%, reduces the influence of non-business factors and makes business logic clearer

3. More unified and standardized management of sensitive data, reducing the data operation and maintenance workload by 50%

System level

1. Reduces integration frequency and system complexity, unifies circuit breaking, rate limiting and similar operations, and reduces operation and maintenance costs by 30% (for encryption and decryption only)

2. Avoids reinventing the wheel; highly reusable and easy to upgrade and iterate

Future plans

At present, the secondary wrapper of Cloud KMS is still being rolled out within a small scope. Although it suits most scenarios, many areas still need adjustment. The tool is positioned as a basic component, with some capabilities for traffic splitting, disaster recovery and data backup.

● Expand the business side's autonomy to customize the encryption process

● Add support for more algorithms, giving more choices

● Integrate with existing DDD templates for zero intrusion