Database Security Service. Service Overview. Issue 16 Date HUAWEI TECHNOLOGIES CO., LTD.

Transcription

1 Issue 16 Date HUAWEI TECHNOLOGIES CO., LTD.

2 Copyright Huawei Technologies Co., Ltd All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd. Trademarks and Permissions and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders. Notice The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied. Issue 16 ( ) Copyright Huawei Technologies Co., Ltd. i

3 Contents Contents Database Protection DBSS Instance HexaTier Functions Application Scenarios Database Audit Application Scenarios Advantages Accessing and Using DBSS Accessing DBSS Using DBSS Related Services User Permissions Issue 16 ( ) Copyright Huawei Technologies Co., Ltd. ii

4 1 1 Database Protection Database Audit (DBSS) provides functions such as database audit with a bypass disposition pattern, sensitive data masking, database audit, sensitive data discovery, data reduction, and anti-injection by recording user access to databases based on the reverse proxy and machine learning mechanism to ensure the security of databases on the cloud. Based on the reverse proxy and machine learning mechanism, database protection provides functions such as data masking, database audit, sensitive data discovery, data reduction, and anti-injection to ensure database security on the cloud. Based on security configurations of database protection instances, database protection provides protection and audit functions for the following databases on the management console: Relational Database Service (RDS) instances Databases on Elastic Cloud Servers (ECSs) Databases on Bare Metal Servers (BMSs) Database protection supports the following database types: Microsoft SQL Server MySQL PostgreSQL DWS NOTE Database protection supports Distributed Database Middleware (DDM). However, only some functions of DDM are supported currently due to the defect of the DDM mechanism. Database audit is deployed in a bypass disposition pattern. It records user access to the database in real time, generates fine-grained audit reports for compliance management, sends real-time alerts, and blocks attack behavior. In addition, database audit generates compliance reports that meet data security standards (such as Sarbanes-Oxley) to locate internal violations and improper operations, detecting and blocking external intrusions as well as ensuring data asset security. Issue 16 ( ) Copyright Huawei Technologies Co., Ltd. 1

5 1 Database audit supports the following database types: MySQL 5.0 MySQL 5.1 MySQL 5.5 MySQL 5.6 MySQL 5.7 MySQL 8.0 NOTE The database audit function is only available for databases on HUAWEI CLOUD management console. Database protection deployment architecture Figure 1-1 shows the deployment architecture of database protection. Issue 16 ( ) Copyright Huawei Technologies Co., Ltd. 2

6 1 Figure 1-1 Deployment architecture Issue 16 ( ) Copyright Huawei Technologies Co., Ltd. 3

7 2 Database Protection 2 Database Protection 2.1 DBSS Instance A DBSS instance is an independently running set of DBSS. You can purchase and manage instances on the DBSS console. 2.2 HexaTier HexaTier is the console of database protection. You need to log in to HexaTier to configure enabled DBSS instances and protect your databases. 2.3 Functions Database Security After you purchase database protection, you can log in to HexaTier to configure protection and audit functions for your database on HUAWEI CLOUD. Database firewall HexaTier supports firewall policy customization, automatically learns policies, and Intrusion Detection System/Intrusion Prevention System (IDS/IPS) policies based on exception detection. If a request is violating the security policy reaches the database firewall, HexaTier reports an alert in real-time or blocks the request as required. By machine learning, HexaTier can also establish a user access behavior baseline, generate query groups, and apply the groups in database firewall policies. Separation of duties HexaTier supports fine-grained user management and permission control based on role types, tables, views, or columns. SQL injection detection and protection HexaTier has a built-in SQL injection protection feature, context-based learning models, and rating mechanisms. It performs comprehensive diagnosis on any incoming SQL and blocks any suspicious ones in real time, protecting your databases from SQL injection attacks. Issue 16 ( ) Copyright Huawei Technologies Co., Ltd. 4

8 2 Database Protection Sensitive Data Discovery Database Data Reduction HexaTier has the built-in compliance knowledge base for Payment Card Industry (PCI), Healthcare Information Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), and General Data Protection Regulation (GDPR). You can also customize the rule knowledge base and discovery policies for sensitive data. Once sensitive data is identified, you can generate sensitive data masking and audit rules in one click. Users can set data reduction rules to detect data operation on specific database tables from unauthorized users, IP addresses, and applications. When the amount of operated data exceeds the specified threshold, HexaTier alerts administrators and records this event in a data reduction log to protect user data from leakage. Database Activity Monitoring Dynamic Data Masking HexaTier provides visualized monitoring on the database, table, and column levels. It independently monitors and analyzes database activities and provides alarms about unauthorized activities. Database activity monitoring is also called database audit. HexaTier provides database audit trails to help trace attackers. Tracing can be performed based on the following: source IP address, user identity, application, access time, databases requested for access, original SQL statement, operation, operation result, time taken, and content returned. Audit records are remotely stored to ensure compliance. Users can set masking rules for specified database tables or columns and queries from specific source IP addresses, users, and applications. A precise masking engine is used to mask sensitive data in real time without affecting application performance or changing data stored in the database. 2.4 Application Scenarios Attack Prevention This section describes the application diagrams of database protection including attack defense, data masking, and database audit. Database protection provides multiple policies to prevent database attacks and continuously protect databases on the cloud. Figure 2-1 shows the attack prevention architecture. Issue 16 ( ) Copyright Huawei Technologies Co., Ltd. 5

9 2 Database Protection Figure 2-1 Attack defense architecture Sensitive Data Masking Database protection identifies and dynamically masks sensitive data in users' databases. Figure 2-2 shows the sensitive data masking architecture. Issue 16 ( ) Copyright Huawei Technologies Co., Ltd. 6

10 2 Database Protection Figure 2-2 Sensitive data masking architecture Database Audit Database protection supports audits of cloud-based databases. This function meets users' requirements on database audit and log retention. Figure 2-3 shows the database auditing architecture. Issue 16 ( ) Copyright Huawei Technologies Co., Ltd. 7

11 2 Database Protection Figure 2-3 Database audit architecture Issue 16 ( ) Copyright Huawei Technologies Co., Ltd. 8

12 3 Database Audit 3 Database Audit 3.1 Application Scenarios Database audit applies to enterprises or organizations that have high security requirements on data security. Issue 16 ( ) Copyright Huawei Technologies Co., Ltd. 9

13 4 Advantages 4 Advantages Deployed as a reverse proxy between an application server and a database, DBSS provides you with database protection functions such as database firewall, database auditing, and dynamic data masking. Various functions DBSS provides three major functions: database audit, database firewall, and data leakage protection. With these functions, it solves the following problems altogether: poor auditing effect, difficult security defense, and regulation compliance requirements. Low misreporting rate Thanks to an SQL injection feature library used by the industry, a machine learning model, and a scoring mechanism, DBSS's misreporting rate is far lower than the industry average. Real-time protection The reverse proxy architecture can truly block malicious requests in real time. Fine-grained permission control The weak coupling mechanism of DBSS helps achieve fine-grained permission control without modifying users' rights. Powerful dynamic data masking Sensitive data is protected in real time without affecting databases and applications. Compliance with various regulations Thanks to an SQL injection feature library used by the industry, a machine learning model, and a scoring mechanism, DBSS's misreporting rate is far lower than the industry average. A built-in knowledge base about regulation compliance helps users comply with laws and regulations. Issue 16 ( ) Copyright Huawei Technologies Co., Ltd. 10

14 5 Accessing and Using DBSS 5 Accessing and Using DBSS 5.1 Accessing DBSS 5.2 Using DBSS You can use the management console to access DBSS. If you have registered with HUAWEI CLOUD, you can log in to the management console and access your DBSS. On the top of the console, click Service List and choose Security > Database Security Service. After purchasing database protection, you can log in to HexaTier to configure the database protection instances to protect your database. After you apply for the database audit, the database audit function is provided in a bypass disposition pattern to protect data assets. 5.3 Related Services This section describes the relationship between DBSS and other cloud services. ECS DBSS instances are created on Elastic Cloud Servers (ECSs). You can use the DBSS instances to protect and audit databases already running on the ECSs. RDS DBSS can protect and audit Relational Database Service (RDS) instances. BMS DBSS can protect and audit databases already running on Bare Metal Servers (BMSs). Issue 16 ( ) Copyright Huawei Technologies Co., Ltd. 11

15 5 Accessing and Using DBSS CTS Cloud Trace Service (CTS) provides you with a history of DBSS operations. After enabling CTS, you can view all generated traces to review and audit performed DBSS operations. For details, see the Cloud Trace Service User Guide. IAM Identity and Access Management (IAM) provides you with permission management for DBSS. Only users who have the DBSS System Administrator permissions can use DBSS. To obtain the permissions, contact users who have the Security Administrator permissions. For details, see the Identity and Access Management User Guide. 5.4 User Permissions Two permission policies are provided by default: default policies and custom policies. Default policies are pre-defined by IAM and cannot be modified. If default policies do not meet your requirements, you can create custom policies for fine-grained permission control. Configure permission policies for a user group and add users to the group so that these users can obtain operation permissions defined in the policies. For details about DBSS user permissions, see Permission Description. Issue 16 ( ) Copyright Huawei Technologies Co., Ltd. 12