Guaranteeing data security is essential, to avoid putting users' personal data at risk of leaks, and avoid damage to enterprises' business security and brand reputation.
Although data security cannot generate direct monetary returns, it has become crucial for enterprises. Regulations on data protection have been introduced all over the world, making data security of paramount importance.
From an enterprise perspective, the challenges faced in data security can be attributed to both internal and external factors.
Enterprises must speed up building their data security systems since they have a limited amount of time to comply with safety regulations.
Large enterprises and digital-first companies are typically the focus of regulators when it comes to data security regulation. Additionally, if a company has a presence in the EU for example, it must also adhere to GDPR regulations - making building a data security system of the utmost importance.
However, Rome wasn't built in a day. There are many pain points in terms of technology and standards when it comes to data security:
High business transformation costs: WMS (warehouse management systems) are diversified and large in scale, so application transformation entails high costs.
High risk during the release phase: there's a high risk when switching applications.
Switching costs: business switchover is challenging, requiring custom-made strategies.
Scattered data without unified standards: enterprise data is scattered and without unified authority control.
Data security is positively correlated with business coupling
According to regulations, data related to users' security or commercially sensitive data needs to be encrypted.
However, traditional data encryption solutions such as hard disk encryption, file encryption, database TDE encryption, database encryption gateway, and application encryption show a very close positive correlation between their data security and business coupling.
As mobile Internet takes over, business adjustments and feature launch frequency are rising, with product features and business scope expanding as well. Enterprises must react rapidly to market demands and sophisticated operating models.
As a result, traditional stovepipe architecture gradually gave way to microservice architecture - making the "more secure data leads to more coupled business" assumption obsolete.
If we pursue low business coupling, we have to sacrifice a certain degree of data security, which is unacceptable to both the internal requirements of enterprises and external industry standards.
Business scenarios associated with data encryption
Depending on specific industry requirements, DevOps teams must maintain a set of encryption and decryption systems for real-world business scenarios.
The self-maintained encryption system often needs to be rebuilt or modified when the encryption scenario changes. Additionally, for services that have already been launched, it's complicated to transparently and securely implement seamless encryption and transformation without modifying the business logic and SQL.
In terms of new services, data encryption is required. DevOps teams must achieve data encryption based on encryption requirements since everything is new. Rapid business growth, however, makes it difficult for the original encryption strategy to match the new demands. As a result, large-scale business system transformation is required, causing huge upgrading costs.
For mature services that are already online and are stored in plain text, when it comes to the the migration and encryption (data cleansing) of the old data and the related business, SQL transformation is required - which is quite complicated.
Moreover, the core business needs to be transformed without impacting the service level. The transformation involves establishing a pre-release environment and coming up with a rollback strategy, which will create significant costs.
In response to these issues, SphereEx-DBPlusEngine provides an enterprise cross-platform data security solution for heterogeneous environments requiring zero changes to the original code.
It also provides online data cleansing, custom algorithms, multiple key management (cloud management is also included), and more, to empower enterprises in coping with various data security requirements.
Following the launch of cloud key management, encryption, and online data cleansing features with November's version 1.2.0 release, SphereEx now completes its data security solution with regulation-compliant testing tools and cryptographic computing in the data flow process, establishing a streamlined enterprise-grade data security system.
1. One-Stop Security Compliance
1.1 Security compliance testing tools
Enterprises must determine which data needs to be encrypted, which comes with its own set of challenges as it is difficult to take into account all the legal and regulatory encryption requirements.
Legal and regulatory encryption requirements are fragmented to say the least, as they vary by location. Nevertheless, enterprises need a tool to quickly determine which data needs to be encrypted.
With this in mind, we introduced our security compliance testing tools. The tools can examine business data in accordance with national standards and overseas laws and regulations (such as GDPR), and automatically detect the fields in the system that need to be encrypted - reducing negative business impact.
1.2 No-code implementation
When it comes to data encryption, enterprises are most concerned about applications being changed. Code changes imply cost, stability, and security concerns as well as many unintended risks.
The open-source project ShardingSphere developed a mature no-code implementation capability for data encryption.
This feature has been enhanced by SphereEx-DBPlusEngine. Enterprises can use SphereEx-DBPlusEngine without changing any application or source code, thus avoiding the business risks caused by code modification. SphereEx-DBPlusEngine enables enterprises to quickly implement data encryption requirements to ensure rapid deployment.
1.3 Key management
As more businesses are transitioning to the cloud, business data naturally run in cloud environments. However, in a public cloud environment, if enterprises still use the original management method when using SphereEx-DBPlusEngine, hidden dangers in terms of security could manifest:
Encryption is needed for data storage and use in the cloud, as well as during data transfer.
The management term of the encryption/decryption key is the entire lifecycle of the data. If the key is lost before the data is destroyed, the data cannot be decrypted.
In order to address the two issues above, SphereEx-DBPlusEngine offers a cloud-based key management approach by abstracting key management as a standard SPI for cloud vendors like AWS and Alibaba Cloud.
Take AWS as an example. When the program initializes the encryption algorithm, it connects to AWS to retrieve the relevant key stored there and then stores the key in the algorithm.
The entire data encryption process doesn't include any network communication with the cloud, preventing data flow caused by interaction and fundamentally ensuring key security.
By offering a cloud-based key management solution, SphereEx provides enterprises with incredibly high key management flexibility and improves the convenience and security of the entire encryption system.
It can also seamlessly interface with each cloud's key management features to offer the best protection. Moreover, SphereEx-DBPlusEngine supports a number of key management methods to interface with cloud-based, public, and private key management.
1.4 Encrypted data cleansing, backwashing, and rewashing
When enterprises need to migrate new services, they often need to encrypt a large amount of new business data to comply with regulations and internal compliance requirements in terms of data security. A traditional encryption method would not only increase the workload but also delay the entire migration process, affecting the business deployment process.
Currently, DBPlusEngine already provides an encryption solution. For new tables and services, we can directly configure them using encryption rules; but for existing data tables, the plaintext fields in these tables should be cleaned and converted to encrypted content.
The data cleansing job is triggered by DistSQL. Once the program receives the request, it will create a data cleansing job according to the current data cleansing rule and encryption rule.
The job is divided into two sections: the query and update tasks:
The query task is responsible for querying the user's table data and retrieving the plaintext fields that need to be encrypted and then pushing them to the channel.
The update task obtains the data from the channel, encrypts it, and updates it.
The whole task creation and execution process interacts with the governance center, allowing users to query its progress or clean up the job through DistSQL.
Furthermore, in an OLAP scenario, DevOps teams cannot analyze the encrypted data, while the business must maintain the encrypted state.
In this context, the decrypt() function can be used to obtain the plaintext data directly without having to backwash the data, allowing your teams to analyze the ciphertext data and obtain the data value.
SphereEx-DBPlusEngine also supports backwashing and rewashing in the following two scenarios:
- Backwashing for business data rollback
If some data does not need to be encrypted once the business goes online, or when data masking is performed on data that has been encrypted in large batches, it is necessary to backwash the encrypted data and uniformly convert it to plaintext again.
- Rewashing for key replacement
If the key needs to be changed on a regular basis or at a critical point to ensure long-term data security, it is necessary to backwash the encrypted data, convert it to plaintext, and re-encrypt the data using the new encryption method.
2. Compatibility & Flexibility
2.1 Flexible encryption algorithm
SphereEx-DBPlusEngine supports complete data lifecycle security management, with particular attention to the encryption capability for data storage security. It is possible to store and access encrypted data without modifying the application side by implementing data encryption on the client.
SphereEx-DBPlusEngine provides customization capabilities in terms of key management methods and support for IDEA and other encryption algorithms to meet the wide range of data encryption needs.
To further increase the efficiency of encrypted storage and computing, SphereEx-DBPlusEngine can work with security hardware for complete and high-performance encryption. It can also provide standard security equipment with integrated hardware and software, further lowering the user's threshold.
2.2 Fine-grained encryption capability
SphereEx-DBPlusEngine supports multi-dimensional and fine-grained data encryption capability, which can implement data encryption at the row and column levels, and then support data encryption at both the user and tenant levels.
According to encryption granularity, different encryption algorithms and key management can be flexibly configured to achieve accurate and adaptable data security protection.
2.3 Suitable for private, public, and hybrid cloud environments deployment
To increase data security, many enterprises distribute all their data across various environments. This is especially true for industries or application scenarios that have strict requirements for data security. They often need to take into account their diverse deployment environments and complex data security environments.
SphereEx-DBPlusEngine can be flexibly deployed in private, public, and hybrid cloud environments to meet various users' needs. Its key management, compliance detection, data cleansing, fine-grained encryption, encryption algorithm adaptation and other capabilities fully satisfy users' needs for data security in hybrid environments, while shielding the differences created by different underlying environments and ensuring a consistent user experience.
SphereEx-DBPlusEngine, a database enhancement engine, adopts a pluggable architecture with functional modularity. In addition to data storage, it also provides data sharding, distributed transactions, data security, and other database application architecture enhancement capabilities.
In November, SphereEx-DBPlusEngine's version V1.2.0 was released, adding cloud-based key management and data cleansing capabilities for data security.
It provides enterprises with comprehensive and powerful compliance testing tools, cloud-based key management, encryption and decryption, and cryptographic computing capabilities, further enhancing the data security protection capability of SphereEx-DBPlusEngine.
To find out more or request a free trial for DBPlusEngine, you can sign up on our website here.
Alternatively, if you are an AWS user, you can learn more about our offering on AWS Marketplace here.