Database security capability building: construction and practice of a security access control matrix model
Release time: 2019.08.05 | Source: Palladium

As the business scale of enterprises keeps expanding, information systems and network security work grow more complex and the remit of the security department grows wider, so the security assurance of the enterprise must keep pace with the development of the business.

Drawn by the high value of corporate data, increasingly weaponized attack methods make attack reconnaissance easier and attacks harder to detect. Faced with more and more threats, traditional endpoint security and network security are stretched thin and cannot protect what really matters to the enterprise: its data and applications.

Clearly, to ensure business continuity and data security and to preserve the core competitiveness of an enterprise, a higher-level, more comprehensive and more mature database security capability is needed (see the DSMM data security capability maturity model). That capability rests on the database system software that carries the core data of the enterprise; the database has become the infrastructure for both business operation and data protection, and so it has moved to the top of the security department's list of data security capability building work.


1. How to build database security capabilities?

Protecting corporate databases and applications, meeting data compliance requirements, and effectively managing databases against data theft are what Palladium has been focusing on. This article introduces the construction and practice of a database security access control matrix model from the perspective of database security management and control, to offer reference ideas for building enterprise data security capabilities.

As enterprise informatization progresses, the digitization of business systems has accelerated markedly, and data is widely used for internal support, cooperative operations and product development. Data sharing does promote productivity, but it also blurs the boundaries of data and makes data flows frequent. The circulation of shared data therefore raises the bar for enterprise security access control.


2. What are the limitations of traditional identity authentication and access control?

Traditional identity authentication and access control operate at the network layer: they separate data network zones from operation and maintenance zones, take IP resources (protocol ports) as their objects, and apply relatively coarse controls, so they can only enforce requirements at the network transport layer. Access control within a business system is usually designed around system functions, and authorization is achieved by controlling which functional interfaces a user may reach. When part of the data is shared, the system usually allows it to be saved as a file or image and adds a watermark to the file so that a leak can be traced afterwards. But if a high-privileged person disseminates a single, freely movable piece of data from the database, the system usually cannot control it effectively. Faced with data-center-scale resource pools, these methods cannot support the finer-grained access control that data transmission, data exchange and data processing within the enterprise require.

As a leading provider of overall database security solutions, Palladium has successively released patented technologies for database access control based on login parameters and for database access control based on high-volume traffic. Its database security products contain a full protocol decoding module that identifies and parses database transmission protocols, decodes the application-layer protocol and extracts the SQL statements. Using stream session technology, the protocol stream is reassembled and every parsed statement is tagged with a unique identifier. On this basis, a security access control matrix model has been distilled for the access control aspect of database security.

Traditional network operation and maintenance pays no attention to the security of data flows; its focus stays at the level of network construction. Database access policies use the source and destination IP, destination port and transport protocol (TCP/UDP) of the network connection as their elements.

3. What other elements can database access control be based on?

To control database access, the problem that must be solved first is the analysis of the database protocol. Database access traffic must be extracted from network traffic and the database protocol identified, for example Oracle's transfer protocol TNS or SQL Server's transfer protocol TDS.

Then full protocol analysis is performed on the database protocol packets. This necessarily involves decrypting encrypted database information (for example the TDS protocol of SQL Server, where an encryption certificate must be obtained to analyze the encrypted login parameters) and identifying the unique parameters that can be used for control.


From the brief access request to the Oracle database shown above, we can see that in addition to the access IP, port and protocol, the parameter information that can be collected includes the client application name (navicat.exe), the client host name (DESKTOP-VCK0MFC), the client host user name (J), and the database account name (system) and instance service name (xe) used. These are referred to as admission control factors.

Many types of database software are used in mainstream applications, and their protocol types and encryption methods differ, so the parameter information obtained from the database application protocol through protocol analysis also differs. Some examples are as follows:


The new security admission control model adds the admission factors identified through database traffic analysis and decryption to form a more complete set of optional control factors.



By adding the admission control factors above, the security admission control model achieves finer-grained access control, and the admission control policy becomes more flexible.


4. How to implement the matrix model?

Many different admission factors are in play when the database is accessed within an enterprise: the interaction between business middleware and database clusters, database access from the back-end maintenance of business applications, and operations on database tables by the DBA tools of operation and maintenance staff. Evaluating all "need to know" access rights by hand is very difficult and costly, so automated and smarter methods are needed.

The security access control model builds on full decoding of high-volume database protocol traffic and uses machine learning to self-learn the security access admission factors from database traffic across the entire network (including the north-south traffic requested by business systems and the east-west traffic between operation and maintenance hosts and servers inside the data center). This rapidly refines the database access policy and forms an admission control matrix.


5. How is the technology put into practice?

The access control matrix is refined through a visual interface into a whitelist-style security rule configuration. Every database access must pass through the access control matrix for combined matching of its factors, and only accesses that satisfy the composite whitelist rules are allowed, while anomalous attack behavior that keeps changing attack scripts, accounts and target devices is accurately identified and blocked in time. Whether the access is an external request from a business system or east-west interactive access within a server cluster, illegal behavior can be eliminated entirely.
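To make the matrix concrete, here is a small added model (not Palladium's code; the factor names, sample sessions and the learn/admit split are my own assumptions) that takes the admission control factors listed above as they would come out of a protocol decoder, builds whitelist rows from observed sessions in a learning phase, and then admits a new session only when every factor matches some row:

```python
from fnmatch import fnmatchcase

# Admission control factors: the traditional network triple plus the
# parameters the page says protocol decoding recovers from the login.
FACTORS = ("src_ip", "dst_port", "protocol", "client_app",
           "client_host", "os_user", "db_account", "service_name")


class AccessMatrix:
    """Whitelist matrix: each row is one tuple of per-factor patterns.

    A session is admitted only if some row matches ALL factors.
    A '*' pattern leaves that factor unconstrained for the row."""

    def __init__(self):
        self.rows = []

    def learn(self, sessions):
        """Learning mode: every distinct observed factor tuple becomes a row.
        Returns the number of rows after learning."""
        for s in sessions:
            row = tuple(str(s[f]) for f in FACTORS)
            if row not in self.rows:
                self.rows.append(row)
        return len(self.rows)

    def admit(self, session):
        """Enforcement mode: combined matching of all factors per row."""
        for row in self.rows:
            if all(fnmatchcase(str(session[f]), pat)
                   for f, pat in zip(FACTORS, row)):
                return True
        return False


# Constructed sample sessions, shaped like decoded Oracle TNS logins
# (the second one uses the factor values quoted in the article).
LEARNED = [
    dict(src_ip="10.0.5.21", dst_port=1521, protocol="TNS", client_app="java",
         client_host="app-srv-01", os_user="tomcat", db_account="app_rw",
         service_name="xe"),
    dict(src_ip="10.0.9.40", dst_port=1521, protocol="TNS",
         client_app="navicat.exe", client_host="DESKTOP-VCK0MFC", os_user="J",
         db_account="system", service_name="xe"),
]


def build_matrix():
    """Learn a matrix from the constructed sample traffic."""
    m = AccessMatrix()
    m.learn(LEARNED)
    return m


def check(session):
    """True if the session is whitelisted by the learned matrix."""
    return build_matrix().admit(session)
```

A session that keeps the IP, port, account and service but changes any single factor (a different client tool, host or OS user) no longer matches a row and is denied.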

In summary, the database security access control matrix model is built on full protocol decoding technology: it identifies multiple access control factors and forms an access control matrix through self-learning of the access content. Database access is thereby controlled, irrational and abnormal behavior is accurately blocked, and enterprise database security capabilities are put into effect.

The database security access control matrix model is one part of an enterprise's database security capability building, and it is the best practice for achieving a flexible, adaptive and highly fine-grained access control matrix. For enterprises facing numerous threats aimed at obtaining sensitive data and information, and in the coming data-centric economy, integrating the inputs of people, processes and technology makes it possible to build and improve enterprise data security capabilities effectively, so that they can respond quickly and confidently when threats arrive.

Copyright © 2019 All Rights Reserved. Hangzhou pldsec Network Technology Co.