Big data is the "free" resource of the industrial society: whoever holds the data holds the initiative. With the wave of digital transformation in enterprises, data has become the core asset and the element of innovation in the financial industry.

As a key gateway for national financial activity, the securities industry accumulates a large volume of financial data. A securities company's database is its core system: it stores large amounts of sensitive and important data, and its security is tied to the safe operation of the entire trading system. This requires the industry to fully understand the importance and urgency of network data security, to give equal weight to financial security and to the development of data applications, and to respond actively to complex data security risks and challenges.

In this context, a large stock exchange (hereinafter referred to as: A) started building out its database operation and maintenance management and deployed an integrated data security management and control platform, CloudQuery Enterprise Edition (hereinafter referred to as: CQ), in order to further improve its internal database security operation and maintenance capability and to meet the requirements of standard information security compliance.

Core requirements

By deploying CQ, A aimed to strengthen its database security access control mechanism and to eliminate direct connections, which, in the absence of a unified database operations platform, left accounts and permissions hard to control and audit information hard to pinpoint. At the same time, it wanted to add a data masking (desensitization) capability: user queries are checked in real time and sensitive data in the results is masked dynamically, without altering the underlying data, which reduces the risk of leaks by personnel. The core requirements are as follows:

Database Operation Control

Eliminate direct database connections: all data access is performed through the platform, which replaces tools such as PL/SQL Developer and SQLyog without changing users' working habits.

Database Permission Control

By binding users to database accounts one to one, the practice of several users sharing one database account is eliminated. At the same time, account rights are made more fine-grained, and the auditing of privilege escalation, expiration, and revocation on user accounts is strengthened, so that users can work normally while the level of permission control is raised.

Desensitization of sensitive data

Dynamically mask the data in query results, define masking policies flexibly according to the query requirements of each account, and protect data from leakage to the greatest extent possible without affecting users' work.

Solution

Based on A's requirements, we believe that CQ in this deployment is mainly intended to solve problems such as weak database security, leakage of sensitive data, mismatch between personnel and accounts, difficulty in controlling permissions, and difficulty in locating the responsible person when data changes occur. The application scenarios therefore target departments with many staff and high turnover, such as outsourcing, research and development, and operations and maintenance, to help them with permission control and data access control. At the same time, system stability is reinforced to suit the nature of the industry, and security, scalability, and high availability are upgraded.

Platform security

Security is mainly embodied in access control, blocking of unauthorized access, and data masking, applied to both the system and the database. For outsourced personnel, login time can be restricted: logging in to the system is allowed only at specified times, or data operations on a specified resource are allowed only at specified times. Combined with data masking, routing data operations through the platform both restricts the personnel and shields sensitive data resources.

Platform scalability

CQ must connect to multiple data sources, so a modular architecture was adopted in the design. This gives high scalability and delivers fast onboarding of new data sources, comprehensive support for data source features, high coverage of database elements, and support for custom filtering.

High availability

As an access point for enterprise data, CQ has high requirements on service stability. It therefore provides an active-active (dual-active) solution for high availability. Failover can be completed within 5 seconds, ensuring system availability to a large extent.

The project design

The main functions of CQ in this design are user management, database connection management, database operation management, data masking management, and system management, along with database server monitoring and auditing.

User management

Users who need to access a database log in to CQ and access the database through the system. The built-in user system maintains user and organizational structure information and also supports importing user information from multiple sources. This realizes a one-to-one correspondence between users and accounts and solves the problem of multiple users sharing one database account.

Access controls

Platform users are divided into three roles according to their permissions: system administrator, administrator, and ordinary user. Database access permissions are broken down into operation privileges, export rights, and time limits (unlimited or limited), and access control can be enforced down to the cell level. Data operations beyond the authorized scope are blocked promptly and reported to the alarm system, which helps database administrators discover risks in a timely manner.
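The time-windowed, resource-scoped access control for outsourced staff described under "Platform security", together with the block-and-alarm behaviour described in this section, can be illustrated with a small deny-by-default policy evaluator. This is an added example, not CloudQuery's code; the policy layout, role names, the `ALARMS`/`AUDIT` sinks and the sample timestamps are all assumptions constructed for the illustration.

```python
"""
Added example (not CloudQuery's own code): a deny-by-default check for
database operations.  A user's policy carries a login window plus a list of
grants (datasource, table, allowed operations, optional time window, optional
expiry).  Anything not explicitly granted is blocked, recorded in the audit
trail and pushed to an alarm sink, as the page describes for operations
beyond the authorised scope.  All names and values here are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional


@dataclass
class TimeWindow:
    start: time
    end: time

    def contains(self, t: time) -> bool:
        return self.start <= t <= self.end


@dataclass
class Grant:
    datasource: str
    table: str                       # "*" means any table in the datasource
    operations: FrozenSet[str]       # e.g. {"select"} or {"select", "export"}
    window: Optional[TimeWindow] = None   # None = no time restriction
    expires: Optional[datetime] = None    # None = never expires


@dataclass
class Policy:
    role: str
    login_window: Optional[TimeWindow]
    grants: List[Grant]


@dataclass
class AccessRequest:
    user: str
    datasource: str
    table: str
    operation: str
    at: datetime


@dataclass
class Decision:
    allowed: bool
    reason: str


AUDIT: List[dict] = []    # every decision, allowed or not (stand-in for the audit service)
ALARMS: List[dict] = []   # blocked operations only (stand-in for the alarm system)


def evaluate(policy: Policy, req: AccessRequest) -> Decision:
    """Allow only when an explicit, unexpired, in-window grant matches."""
    if policy.login_window and not policy.login_window.contains(req.at.time()):
        return _record(req, Decision(False, "outside login window"))

    reason = "no matching grant"
    for g in policy.grants:
        if g.datasource != req.datasource or g.table not in ("*", req.table):
            continue                      # grant is for another resource
        if req.operation not in g.operations:
            reason = "operation not granted"
            continue
        if g.expires is not None and req.at > g.expires:
            reason = "grant expired"
            continue
        if g.window is not None and not g.window.contains(req.at.time()):
            reason = "outside grant window"
            continue
        return _record(req, Decision(True, f"grant on {g.datasource}.{g.table}"))
    return _record(req, Decision(False, reason))


def _record(req: AccessRequest, d: Decision) -> Decision:
    entry = {"user": req.user, "at": req.at.isoformat(), "op": req.operation,
             "resource": f"{req.datasource}.{req.table}",
             "allowed": d.allowed, "reason": d.reason}
    AUDIT.append(entry)
    if not d.allowed:
        ALARMS.append(entry)              # surface blocked operations to the DBA
    return d


# Constructed policy for an outsourced developer: office hours only, read-only
# on one table, and the grant lapses at the end of the engagement.
OUTSOURCER_POLICY = Policy(
    role="ordinary",
    login_window=TimeWindow(time(9, 0), time(18, 0)),
    grants=[Grant("trade_db", "orders", frozenset({"select"}),
                  expires=datetime(2024, 12, 31, 23, 59))],
)


if __name__ == "__main__":
    req = AccessRequest("vendor01", "trade_db", "orders", "export",
                        datetime(2024, 6, 3, 10, 30))
    print(evaluate(OUTSOURCER_POLICY, req), ALARMS[-1])
```

The evaluator mirrors the page's posture in two respects: the default is denial, so a new table or a new operation is invisible to the user until someone grants it, and every blocked attempt is an alarm rather than a silent failure, which is what lets the DBA notice an account probing beyond its scope.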

Data desensitization management

Masking applies to query results: the platform's masking function covers data queries only and never changes data. The technical implementation therefore protects the data in the database without affecting the normal operation of the business systems.
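The dynamic masking described here and under "Desensitization of sensitive data" (a per-column policy applied to query results on the way back to the user, with the SQL executed unchanged and the stored data never modified) can be shown with a small in-memory database. This is an added example, not CloudQuery's code; the table, column names, masking rules, the `system_admin` bypass role and the sample rows are constructed assumptions, and the single-table `FROM` lookup is a simplification of the SQL parsing a real proxy would do.

```python
"""
Added example (not CloudQuery's own code): dynamic masking of query results.
The query runs against the database exactly as written; only the returned
rows are rewritten, column by column, according to a masking policy keyed by
(table, column).  Rows returned to privileged roles are left untouched, and
the data on disk is never changed.  Table, columns, rules and sample rows
are constructed for this example.
"""
import re
import sqlite3
from typing import Callable, Dict, List, Tuple


def mask_phone(v: str) -> str:
    """Keep the first 3 and last 4 digits, e.g. 138****5678."""
    if len(v) <= 7:
        return "*" * len(v)
    return v[:3] + "*" * (len(v) - 7) + v[-4:]


def mask_id_card(v: str) -> str:
    """Keep the first 6 (region) and last 4 characters of an ID number."""
    if len(v) <= 10:
        return "*" * len(v)
    return v[:6] + "*" * (len(v) - 10) + v[-4:]


def mask_name(v: str) -> str:
    """Keep only the first character of a name."""
    return v[:1] + "*" * (len(v) - 1)


def mask_email(v: str) -> str:
    """Keep the first character of the local part and the full domain."""
    local, sep, domain = v.partition("@")
    if not sep:
        return "*" * len(v)
    return local[:1] + "***@" + domain


def mask_full(v: str) -> str:
    """Hide the value completely (used for balances)."""
    return "******"


# Masking policy: (table, column) -> masking function.  Constructed.
MASK_POLICY: Dict[Tuple[str, str], Callable[[str], str]] = {
    ("customers", "name"): mask_name,
    ("customers", "phone"): mask_phone,
    ("customers", "id_card"): mask_id_card,
    ("customers", "email"): mask_email,
    ("customers", "balance"): mask_full,
}

# Assumption: only the system administrator role sees raw values.
UNMASKED_ROLES = {"system_admin"}

_FROM_TABLE = re.compile(r"\bfrom\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


def run_query(conn: sqlite3.Connection, sql: str, role: str) -> List[dict]:
    """Execute sql unchanged, then mask the result rows for non-privileged roles."""
    cur = conn.execute(sql)                      # the database sees the original SQL
    cols = [d[0] for d in cur.description]
    rows = [dict(zip(cols, r)) for r in cur.fetchall()]
    if role in UNMASKED_ROLES:
        return rows

    # Simplification: single-table queries only; a production proxy would
    # parse the statement to resolve joins and column aliases.
    m = _FROM_TABLE.search(sql)
    table = m.group(1).lower() if m else ""
    for row in rows:
        for col in cols:
            fn = MASK_POLICY.get((table, col.lower()))
            if fn is not None and row[col] is not None:
                row[col] = fn(str(row[col]))      # rewrite the copy, not the table
    return rows


def sample_db() -> sqlite3.Connection:
    """In-memory table with constructed, non-real customer records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, phone TEXT, "
                 "id_card TEXT, email TEXT, balance REAL)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "Zhang San", "13812345678", "110101199001011234", "zhangsan@example.com", 105000.5),
        (2, "Li Si", "13987654321", "310101198512125678", "lisi@example.com", 2300.0),
    ])
    return conn


if __name__ == "__main__":
    db = sample_db()
    for r in run_query(db, "SELECT name, phone, id_card, email, balance FROM customers", "ordinary"):
        print(r)
```

Because the transformation happens on the result set rather than in the SQL, the business system and the DBA's queries are unaffected, and a user without the privileged role cannot obtain the raw column values through the platform no matter how the SELECT is phrased, which is the property the masking requirement is after.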

Server monitoring

Through monitoring, the platform senses server load, read/write status, and slow queries in real time. The monitoring module integrates with the existing mature systems and reports database status promptly without affecting the database's operating efficiency, making it convenient for DBAs to observe the state of the managed databases in real time.

The audit function

Every detail of a user's actions in CQ is tracked by the audit service. CQ provides audit details and analysis of audit results to identify weak points that may cause problems and to give early warning. When a problem occurs, CQ can accurately locate the account involved and highlight alarms for dangerous and failed operations. At the same time, after modeling and calculation over the audit details, the audit analysis helps database administrators observe the activity of ordinary users promptly and check how the databases are being used internally.

With the introduction of the CQ platform, A's data security and audit traceability problems have been solved. At the same time, with the platform's own high availability configuration, unified management of operation portals, flexible authorization, and platform stability have been achieved on the basis of secure database access. Before launch, A conducted in-depth security scanning of the CQ platform, and the product was put into production after it was confirmed that no problems were found, fundamentally solving the difficulty of controlling and governing data.

Official website address: cloudquery.club/