Data encryption products are specific to their application fields, and for security reasons many industries impose restrictions on product attributes, such as requiring that the patents or encryption algorithms used by a product be Chinese-owned or pass the corresponding certification. This has, to some extent, limited the spread of data security technology and the emergence of economies of scale. Nevertheless, with the growing number of security incidents at home and abroad, data encryption products are in a stage of active development.
When deploying or applying data security policies, the common encryption technologies and their advantages and disadvantages are as follows:
1. Disk/tape-level encryption, or media-level encryption. This method is implemented on the storage array, with the data-at-rest encryption algorithm generally running on the array controller or on the controller of the disk enclosure. Its goal is to prevent data stored on hardware media from being leaked through physical theft, but all data outside the array or tape is processed, transmitted and stored in plaintext. Media-level encryption is therefore generally used only as a supplementary security measure for specific applications, such as backup data transported on physical disks or tapes.
2. Inline (embedded) encryption. This type of product is deployed between the storage array and the switching equipment, and encryption and decryption are performed by a dedicated appliance. Although performance is better, its scope is still limited to the media level, and the data is still accessed in plaintext on the application side, so in many contexts this method is regarded as another form of media encryption.
The applicability of the above two methods is limited. For an attacker who wants to steal data, physically entering the server room to remove storage media and then read it is a scene that appears mostly in films; a host or account with legitimate access already reads the data in plaintext, and neither method offers any protection against that.
3. Document security system, or file-level encryption, which belongs to file-level DLP (data leakage prevention). This method protects unstructured data and is usually embedded in the network-attached storage (NAS) layer. Because the encryption algorithm runs in the NAS head, the biggest problem of this implementation is its impact on performance. In addition, many products provide functions such as leaving no trace of data on the terminal and distributing large amounts of application data in the background. Most file-level encryption schemes therefore support horizontal scaling to provide high throughput for large user bases or large-file applications.
4. Database encryption, also known as a secure storage gateway. Similar to file-level encryption, database encryption protects structured data and is deployed in front of the database. Because database operation involves a large number of query and update statements, database encryption has a considerable impact on the whole database system: a column stored as ciphertext can no longer be indexed, sorted or range-searched by the database engine itself, so such queries must be handled by the gateway or avoided.
5. Host-based encryption, deployed on the host side. At present, most such products are integrated into backup products as a functional component to secure data backups. The encryption load is carried by the host itself, which has little effect on the network and back-end storage, but when large volumes of data must be encrypted, host performance becomes the bottleneck.
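The file-level and host-side schemes above (items 3 and 5) share one design pattern that the text only hints at with "horizontal scaling": each file is encrypted under its own random data key (DEK), and only that DEK is wrapped with a long-lived key-encryption key (KEK), so any number of stateless encryption nodes can process files in parallel as long as they hold the KEK. The following Go program is an added example written for this page, not code from any product it describes. It assumes AES-256-GCM for both the content and the key wrap, a 12-byte random nonce per operation, and uses the file name as additional authenticated data so that a ciphertext copied to a different path is rejected; the sample document and file names are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const (
	keyLen   = 32 // AES-256
	nonceLen = 12 // standard GCM nonce size
)

// newGCM returns an AES-GCM AEAD for a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce and binds aad.
// Output layout: nonce || ciphertext || GCM tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext, tag or aad fails.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < nonceLen+aead.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:nonceLen], sealed[nonceLen:], aad)
}

// EncryptFile applies envelope encryption to one file (hypothetical format):
//  1. generate a random per-file data key (DEK),
//  2. encrypt the content with the DEK, using the file name as AAD,
//  3. wrap the DEK with the key-encryption key (KEK).
// Output: [2-byte wrapped-DEK length][wrapped DEK][sealed content].
func EncryptFile(kek []byte, name string, content []byte) ([]byte, error) {
	dek := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	body, err := seal(dek, content, []byte(name))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte("dek-wrap"))
	if err != nil {
		return nil, err
	}
	out := []byte{byte(len(wrapped) >> 8), byte(len(wrapped))}
	out = append(out, wrapped...)
	return append(out, body...), nil
}

// DecryptFile unwraps the DEK with the KEK and then opens the content.
// Only the KEK is needed, so any node holding it can decrypt any file.
func DecryptFile(kek []byte, name string, blob []byte) ([]byte, error) {
	if len(blob) < 2 {
		return nil, errors.New("blob too short")
	}
	n := int(blob[0])<<8 | int(blob[1])
	if len(blob) < 2+n {
		return nil, errors.New("truncated wrapped key")
	}
	dek, err := open(kek, blob[2:2+n], []byte("dek-wrap"))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, blob[2+n:], []byte(name))
}

func main() {
	kek := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	blob, _ := EncryptFile(kek, "contracts/q3.docx", []byte("constructed sample document"))
	pt, err := DecryptFile(kek, "contracts/q3.docx", blob)
	fmt.Println(string(pt), err)
	_, err = DecryptFile(kek, "public/readme.txt", blob) // moved file: rejected
	fmt.Println("renamed copy:", err)
}
```

Rotating the KEK in this design only requires re-wrapping each file's small DEK header, not re-encrypting the file body, which is what makes the scheme practical for the "large user or large file" deployments mentioned above.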
Data encryption is only one part of enterprise information security, addressing secure access to data throughout its life cycle in the enterprise. When considering the deployment of data encryption technology, the enterprise's existing IT scale and its data security objectives should be weighed together. Different types of data call for different encryption strategies: for example, confidential documents can be served through a physically isolated document security system, while confidential structured information needs a separate database system of its own.
Information security is always a strategy-first system engineering effort, and encryption is only one tool for realizing it. When planning an information security strategy, all kinds of information need to be cataloged and classified, and different protection strategies formulated for each class. Current domestic laws and regulations and industry standards and norms, such as classified protection and graded protection, can also be used as references.