Big Data Application Security Research Report

一、阿里云大数据安全实践阿里云数加大数据平台提供从数据采集,加工、数据分析、机器学习到最后数据应用的全链路技术和服务。
First, Ali cloud big data security practices Ali cloud data platform number increase from data acquisition, data processing, data analysis, machine learning to the final application of all link technology and services.
基于阿里云数加大数据平台,除了可以打造智能可视化透明工厂、智能交通实时预测和实时监控监测、智能医院就医接诊服务,以及大数据网络安全态势感知系统外,还可以打造成一个满足政府不同部门以及政企之间实现数据共享的数据交换平台。
Ali cloud data platform based on the number of increase, in addition to create a visual intelligent transparent factory, intelligent traffic monitoring, real-time prediction and real-time monitoring of intelligent hospital admissions service, and large data network security situation awareness system, can also be a meeting between different government departments and enterprises to realize data sharing data exchange platform to create.
为了保障数据共享和交换过程中的数据安全,数家大数据平台通过安全机制和管控措施实现不同用户之间数据的“可用不可见”,具体如图B-1所示:
In order to protect the data sharing and exchange of data security, several large data platform through security mechanisms and control measures to achieve the data between different users can not be visible, as shown in figure B-1:
为确保数据交换和共享的安全,避免数据滥用,阿里云数加平台提供了一系列安全措施
In order to ensure the safety of data exchange and sharing, to avoid misuse of data, the number of Ali cloud platform provides a series of security measures
密钥管理和鉴权。提供统一的密钥管理和访问鉴权服务,支持多因素鉴权模型;
Key management and authentication. Provide a unified key management and access authentication services, support for multi factor authentication model;
访问控制和隔离。实施多租户访问隔离措施,实施数据安全等级划分,支持基于标签的强制访问控制,提供基于ACL的数据访问授权模型,提供全局数据视图和私有数据视图,提供数据视图的访问控制;
Access control and isolation. The implementation of multi tenant access isolation measures, the implementation of data security classification, support mandatory access control based on the label, providing ACL based access authorization model, provides a global view of the data and private data view, provides views of the data access control;
数据安全和个人信息保护。提供数据脱敏和个人信息去标识化功能,提供满足国产密码算法的用户数据加密服务;
Data security and personal information protection. Provide data desensitization and personal information to identify functions, to provide users with data encryption algorithm to meet the domestic encryption algorithm;
安全审计和血缘追踪。提供数据访问审计日志,支持数据血缘追踪,跟踪数据的流向和衍生变化过程;
Security audit and tracking. Provide data access audit log, support data tracking, tracking the flow of data and derivative process;
审批和预警。支持数据导出控制,支持人工审批或系统预警;提供数据质量保障系统,对交换的数据进行数据质量评测和监控、预警;
Approval and early warning. Support data export control, support manual approval or system early warning; provide data quality assurance system, exchange data for data quality evaluation and monitoring, early warning;
生命周期管理。提供从采集、存储、使用、传输、共享、发布、到销毁等基于数据生命周期的技术和管理措施。
Life cycle management。 Provide technical and management measures based on the data lifecycle from the collection, storage, use, transmission, sharing, distribution, and destruction.
阿里云基于数据生命周期构建全面的数据安全保障体系,从数据行为、数据内容、数据环境等角度提供技术和管理措施,具体如图B-2所示:

B20政策建议报告撰写完成 倡议建立世界电子贸易平台
高考微问答031:信息安全专业很有料?

Ali cloud data lifecycle based on the construction of a comprehensive data security system, from the data behavior, data content, data environment, etc. to provide technical and management measures, as shown in figure B-2:
通过实施阿里云大数据安全管控体系,提供“可用不可见”的大数据交换共享平台安全环境,以保障大数据在“存储、流通、使用”过程中的安全。
Through the implementation of safety management system of Ali cloud big data, with big data available invisible exchange and sharing platform security environment, in order to protect the security of data in the storage, distribution and use in the process.
二、百度大数据安全实践数据是百度公司的重要资产。百度公司在内部构建了公司级大数据平台,收录公司各个业务领域的数据,建设数据闭环解决方案,推动全公司数据的统一管理、数据共享、数据发现和数据使用。这些聚在一起的数据资产来自多个部门和业务,对安全的要求也不同。
Two, Baidu big data security practice data is an important asset Baidu Inc. Baidu Inc established company big data platform in the internal company, included various business fields of data, a solution for building a data loop, promote the whole company unified data management, data sharing, data discovery and data use. These gathered data assets from multiple departments and businesses, the security requirements are also different.
百度非常重视大数据应用过程中的安全保障,在安全方面形成了统一的大数据安全框架,通过在数据全生命周期各环节实施安全技术和管理机制,为大数据平台和用户数据提供安全保障。
Baidu attaches great importance to the security of data in the application process, in terms of security form a unified data security framework, through the implementation of security technology and management mechanism in all aspects of the entire life cycle, to provide security for the big data platform and user data.
百度大数据平台安全架构
Baidu big data platform security architecture
百度大数据平台具备基础的系统安全、安全管理,以及以数据安全分级机制为核心的数据安全架构,如图B-3所示:
Baidu big data platform has the basis of system security, security management, as well as data security classification mechanism as the core of the data security architecture, as shown in figure B-3:
系统安全和安全管理是百度大数据平台中最基础的安全机制。数据安全架构在整个大数据安全架构中处于极为重要的位置。数据安全架构包括安全审计、安全控制和安全加密三部分,并采用安全分级机制,分为基础级和可选级。
System security and security management is the most basic security mechanism in Baidu’s big data platform. Data security architecture in the entire data security architecture in a very important position. Data security architecture includes three parts: security audit, security control and security encryption, and security classification mechanism is divided into the basic level and optional level.
安全基础级别包括安全审计和安全控制两个功能,它是所有在大数据平台的业务数据都会得到的安全基础保障,为大数据平台上的数据提供生命周期过程中的可审计性和细粒度完整控制功能。可选级别包括数据的加解密功能,支持各种强度的加解密算法。
Basic safety levels including two security control and security audit function, it is the basic safety and security of all in the big data platform of business data will be provided for the big data platform of the data life cycle in the process of audit and fine-grained complete control function. Optional levels include data encryption and decryption functions to support a variety of strength encryption and decryption algorithm.
百度大数据平台支持数据的加密存储,考虑到平台每天产生的数据量极其庞大,以及数据运算的效率要求,可以根据数据的业务特点和密级要求来选择不同强度的加密算法。
Baidu big data platform to support data encryption storage platform, taking into account the amount of data generated every day is extremely large, and the efficiency of data processing requirements, can choose different encryption algorithm according to the strength of the business characteristics and the security requirements of data.
百度大数据平台关键安全能力
Baidu big data platform key security capabilities
百度提出4A安全体系来构建大数据平台的关键安全能力,主要包括:
Baidu 4A security system to build a large data platform key security capabilities, including:
Account(账号):为每个用户创建唯一的用户账号,并对用户身份进行鉴别,确保数据访问控制和安全审计可以追溯到个人账号。同时,采用基于角色的用户分组管理,将系统管理角色、系统数据建设角色和数据查看角色进行区分。
Account (account): for each user to create a unique user account, and identify the identity of the user to ensure that data access control and security audit can be traced back to the personal account. At the same time, the role of the user management, the role of the system management roles, the role of system data construction and data to see the role of distinction.
Authentication(鉴别):百度大数据平台上的数据访问必须有统一的身份鉴别机制。百度大数据平台采用统一单点登录身份认证技术对用户进行身份鉴别管理。
Authentication (identification): Baidu data access platform for large data must have a unified identity authentication mechanism. Baidu big data platform using unified single sign on authentication technology for user identification management.
Authorization(授权):百度大数据平台需要根据数据访问主体身份,以及被访问数据的密级,实现对各类数据的访问授权。对于机密等级以上的数据,需要对接到具体的电子审批流程。此外,数据在流转过程中,大数据平台可以自动判断对应的下一个节点的安全等级和人员授权情况,进行数据流转的安全判断和维护。
Authorization (authorized): Baidu big data platform according to the requirement of data access and data access identity, classification, implementation of various data access authorization. For confidential data above the level, the need to connect to a specific electronic approval process. In addition, the data in the process of circulation, big data platform can automatically determine the corresponding security level of the next node and personnel authorization, the data flow of the security judgment and maintenance.
Audit(审计):百度大数据平台具有审计日志记录功能,实现对系统中针对用户管理、权限管理、用户登陆、数据获取/访问/修改等行为的完整日志记录。基于系统审计日志,可以实现事中的安全监控,以及事后的行为溯源和取证分析。
Audit (AUDIT): Baidu big data platform with the audit log function, the implementation of the system for user management, privilege management, user login, data access \/ access \/ modify the behavior of the complete log. Based on the system audit log, you can achieve the security monitoring of things, as well as the behavior of hindsight and forensic analysis.
三、华为大数据安全实践华为大数据分析平台FusionInsight基于开源社区软件Hadoop进行功能增强,提供企业级大数据存储、查询和分析的统一平台,帮助企业快速构建海量数据信息处理系统。
Three, HUAWEI big data security practices of HUAWEI big data analysis platform FusionInsight software Hadoop based on the open source community function enhancement, unified platform provides enterprise data storage, query and analysis, rapid construction of massive data processing system to help enterprises.
FusionInsight是完全开放的大数据分析平台,并针对金融、运营商等数据密集型行业的运行维护、应用开发等需求打造了高可靠、高安全、易使用的运行维护系统和全量数据建模中间件。华为FusionInsight大数据分析平台框架图如图B-4所示。
FusionInsight is a completely open platform for big data analysis, and for the financial, operators and other data intensive operation and maintenance, application development needs to create a high reliability, high security, easy to use operation and maintenance system and the full amount of data modeling middleware. HUAWEI FusionInsight big data analysis platform framework figure as shown in figure B-4.
大数据分析平台汇聚着大量数据,面临着更多的安全威胁和挑战,包括数据滥用和用户隐私泄露问题。华为FuisonInsight大数据分析平台提供可运营的安全体系,从网络安全、主机安全、用户安全和数据安全方面提供全方位的安全防护(如图B-5):

从一份信息安全管控需求问卷谈起

Big data analysis platform brings together a large number of data, facing more security threats and challenges, including data abuse and user privacy issues. HUAWEI FuisonInsight big data analytics platform to provide operational security system, from the network security, host security, user security and data security to provide a full range of security protection (Figure B-5):
网络安全
network security
FusionInsight集群支持通过网络平面隔离的方式保证网络安全。
FusionInsight cluster supports network security by way of network plane isolation.
主机安全
Host security
通过对FusionInsight集群内节点的操作系统安全加固等手段保证节点正常运行,包括更新最新补丁、操作系统内核安全加固、操作系统权限控制、端口管理、部署防病毒软件等。
Guaranteed by the operating system security reinforcement technology of FusionInsight cluster node’s normal operation, including the latest update patch, reinforcement, security operating system kernel operating system access control, port management, deployment of anti-virus software.
用户安全
User security
通过提供身份认证、权限控制、审计控制等安全措施防止用户假冒、越权、恶意操作等安全威胁:
Through the provision of identity authentication, access control, audit control and other security measures to prevent users from counterfeiting, ultra vires, malicious operations and other security threats:
身份认证。FusionInsight使用LDAP作为帐户管理系统,并通过Kerberos对帐户信息进行安全认证;统一了Manager系统用户和组件用户的管理及认证,提供单点登录。
Identity authentication. FusionInsight uses LDAP as the account management system, and carries on the security authentication through the Kerberos to the account information; unifies the Manager system user and the user management and authentication, provides the single sign on.
权限控制。基于用户和角色的认证统一体系,遵从帐户/角色RBAC(基于角色的访问控制)模型,实现通过角色进行权限管理,对用户进行批量授权管理,降低集群的管理难度;通过角色创建访问组件资源的权限,可以细粒度管理资源(例如文件、目录、表、数据库、列族等访问权限);将角色授予用户/用户组,简化用户/用户组的权限配置。
Authority control. Users and roles of the unified certification system based on compliance account \/ role RBAC (role-based access control) model, realize the management of user permissions through roles, batch authorization management, reduce the cluster management difficulty; create access component resources through roles permission can fine-grained management of resources (such as files, directories, table the database, etc.); column family access will be granted to a user role \/ user group permissions configuration simplifies the user \/ user group.
审计日志。FusionInsight审计日志中记录了用户操作信息,可以快速定位系统是否遭受恶意的操作和攻击,并避免审计日志中记录用户敏感信息:确保每一项用户的破坏性业务操作被记录审计,保证用户业务操作可回溯;为系统提供审计日志的查询、导出功能,可为用户提供安全事件的事后追溯、定位问题原因及划分事故责任的重要手段。
社交网络多点安全少点道歉
Audit log. FusionInsight audit log records the user operation information, whether the system can quickly locate malicious operations and attacks, and avoid the user sensitive information recorded in the audit log: ensure that every user of the destructive operation was recorded audit, to ensure that the user operation back; with the audit log query and export functions for the system. To provide security for the user after the event and the division of responsibility for the accident causes, the localization of important means.
数据安全
data security
从集群容灾、备份、数据完整性、数据保密性等方面保证用户数据的安全。
To ensure the security of user data from the aspects of disaster recovery, backup, data integrity and data confidentiality.
文件系统加密:Hive、HBase可以对表、字段加密,集群内部用户信息禁止明文存储;
File system encryption: Hive, HBase can table, field encryption, cluster internal user information to prohibit plaintext storage;
加密灵活:加密算法插件化,可进行扩充,亦可自行开发。非敏感数据可不加密,不影响性能;
Flexible encryption: encryption algorithm plug-in, can be extended, can also develop their own. Non sensitive data can be encrypted, does not affect performance;
业务透明:上层业务只需指定敏感数据(Hive和HBase表级、列级加密),加解密过程业务完全不感知。
Business transparency: the upper layer of the business only need to specify sensitive data (Hive and HBase table level, column level encryption), encryption and decryption process business completely unaware.
数据容灾
Data disaster tolerance
FusionInsight集群容灾为集群内部保存的用户数据提供实时的异地数据容灾功能;它对外提供了基础的运维工具,包含主备集群关系维护,数据重建,数据校验,数据同步进展查看等功能。
The FusionInsight cluster provides remote disaster recovery data disaster recovery function real time for user data stored within the cluster; it provides a basic operation tools, including the main producing cluster relationship maintenance, data reconstruction, data validation, data synchronization progress check function.
四、京东大数据安全实践数据资源已经成为一种基础战略资源,数据的共享和流通会产生巨大价值。然而,数据资源在流通过程中却面临着诸多瓶颈和制约,尤其是当数据一种特殊的数字内容产品时,其权益保护难度远大于传统的大数据,一旦发生侵权问题,举证和追责过程都十分困难。
Four, Jingdong big data security practice data resources has become a basic strategic resources, data sharing and circulation will have great value. However, the data resources in the process of circulation is facing many bottlenecks and constraints, especially when the data is a special kind of digital content products, the protection of rights and interests is more difficult than that of the traditional big data, once the infringement problems are very difficult to proof and accountable process.
为了解决这些问题,京东万象数据服务平台(如图B-6所示)利用区块链技术对流通的数据进行确权溯源,数据买家在数据服务平台上购买的每一笔交易信息都会在区块链中存储起来,数据买家通过获得交易凭证可以看到该笔交易的数字证书以及该笔交易信息在区块链中的存储地址,待买家需要进行数据确权时,登录用户中心进入查询平台,输入交易凭证中的相关信息,查询到存储在区块链中的该笔交易信息,从而完成交易数据的溯源确权。
In order to solve these problems, the Jingdong Vientiane data service platform (Fig. B-6) using the block chain technical data on the circulation of right data source, data service platform buyers in the purchase of each transaction information will be stored in the block chain, the data obtained by buyers can see the digital certificate of the transaction documents the transaction and the transaction information in the block in the chain store address, the buyers need data right, login user center into the search platform, enter the relevant information in the transaction documents, queries stored in the block in the chain of the transaction information, thus completing the traceability of ownership transaction data.
请点击此处输入图片描述
Please click here to enter the picture description
在安全保障方面,为了防止数据流通过程中的个人身份冒用问题,京东万象数据服务平台通过使用公安部提供的个人身份认证服务对用户身份进行识别和保护。京东万象数据服务平台结合公安部eID技术,该技术密码技术为基础、以智能安全芯片为载体、由“公安部公民网络身份识别系统”签发给公民的网络身份标识,能够在不泄露身份信息的前提下在线远程识别用户身份。
In terms of security, in order to prevent the flow of data in the process of personal identity theft, Jingdong Vientiane data service platform for identification and protection of user identity through personal identity authentication service provided by the Ministry of public security. According to the Ministry of public security technology Jingdong eID Vientiane data service platform, the cryptography technology based on intelligent security chip as the carrier, by the Ministry of public security of citizen network identification system issued to the network identity of citizens can, without disclosing the identity information of the remote user identity identification in line.
京东万象数据服务平台通过区块链溯源和eID技术,有效解决了合法用户基于互联网开展大数据安全交易的数字产品版权保护问题,保障了数据拥有者在数据交易中的合法权益。
Jingdong Vientiane data service platform through block chain tracing and eID technology, can effectively solve the legitimate users based on digital copyright protection of Internet to carry out large data security transaction problems, protect the owner of the data in the data exchange of the legitimate rights and interests.
五、奇虎360大数据安全实践奇虎360在面对日益严峻的安全挑战时,不断更新技术思路,实现了及时响应最新的网络安全威胁。为应对千变万化的网络安全威胁,奇虎360通过部署的数万台大数据服务器,对当前网络安全事件进行实时监测与分析,采用大数据技术对网络安全威胁进行跟踪和防范。
Five, the Qihoo 360 big data security practices of Qihoo 360 in the face of increasingly serious security challenges, constantly updated technology ideas, to achieve the timely response to the latest network security threats. For the network security threats to the Qihoo 360 through the deployment of the myriads of changes, tens of thousands of big data server, real-time monitoring and analysis of current network security incidents, the threat of network security tracking and prevent the use of big data technology.
在互联网上坏家伙们在偷窃,而好人们一定要携起手来,确保我们能走在他们的前面。

公司应该为信息系统安全确定责任主体。公司法定代表人或主要负责人为信息系统安全的第一责任人。

猜您喜欢

全员安全意识培训搞不好,二级三级再多级也没用
信息安全复杂行为管理的闹剧
安全生产、职业卫生、环境保护
第一千金伊万卡W20峰会热聊默克尔气场全开
IKOI-CAFE BESTSPORTSBETTING
安卓智能机劫持飞机案件引发航空恐慌