CN114282244A - Multi-cloud key management and BYOK-based data security management method - Google Patents
Publication number: CN114282244A (application CN202111613920.7A)
Authority: CN (China)
Prior art keywords: cloud, BYOK, encryption, key, data
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The invention discloses a multi-cloud key management and BYOK-based data security management method that protects the encrypted data of an enterprise in practice. The method comprises the following steps: obtaining an SK and AK from the KMS of each of several cloud service vendors; obtaining a bring-your-own key (BYOK); generating an encryption key EK for each vendor KMS by calling the pre-written encryption and decryption API of that KMS on the BYOK; storing the SK, AK and EK in a configuration file; and, while the software or program starts, calling the KMS API to recover the BYOK. The invention allows an organization to keep complete control over its data and encryption keys while using the key management services of different cloud vendors, so that the organization encrypts its data in the cloud service with its own key while still relying on the cloud provider's local encryption service to secure that data.
Description
Technical Field
The application relates to the technical field of cloud data security management, in particular to a data security management method using KMS key management service of a cloud manufacturer.
Background
With the introduction of the national Data Security Law and the Personal Information Protection Law (draft), which together with the Cybersecurity Law further protect the information security of domestic enterprises and individuals, the products of internet enterprises face new security challenges.
To protect data, an enterprise must encrypt sensitive data, and it must therefore handle the data key used for that encryption. Most companies and service providers store the data key in a configuration file or persist it to a database; when the software or application needs to encrypt or decrypt, it reads the key from the configuration file or database and uses it. Because the data key is stored directly in the configuration file or database, it is easily leaked whenever someone obtains the product's source code or dumps the database through a vulnerability or program backdoor, and an attacker can then decrypt the encrypted data directly. This is highly insecure, fails to protect the encrypted data, and cannot satisfy compliance and reporting requirements.
Some companies instead use the KMS key management service of a cloud vendor, hosting the key with that third party; when the software or application needs the key it calls the KMS API directly to encrypt and decrypt. This can meet compliance and reporting requirements, but the key is managed by the third party: if the third party suffers an information leak, the data key and the encrypted sensitive data leak with it, and the demand of some customers to encrypt their data with their own keys cannot be met.
Disclosure of Invention
To address these technical problems, a multi-cloud key management and BYOK-based data security management method is provided that protects the encrypted data of an enterprise in practice.
In a first aspect, a method for multi-cloud key management and data security management based on BYOK includes:
(1) obtaining an SK and AK from the KMS provided by each of several cloud service vendors;
(2) obtaining a bring-your-own key (BYOK);
(3) generating an encryption key EK for each cloud vendor KMS by calling the pre-written encryption and decryption API of that KMS on the self-provided key BYOK;
(4) storing the SK, AK and EK in a configuration file;
(5) determining which data must be stored encrypted according to the classification and grading of data in the system;
(6) during the start-up of the software or program, calling the API (application program interface) of the KMS to recover the BYOK; encrypting with the BYOK the plaintext data cached in memory that must be stored encrypted, and writing it to the database; and decrypting with the BYOK the ciphertext data stored in the database into memory.
Optionally, the encryption and decryption in step (6) are performed automatically on the basis of annotations and a Mybatis typeHandler, specifically by introducing a pre-written Starter.
Further, the pre-written Starter specifically includes:
a) a mybatis interceptor that intercepts objects whose attributes carry the @DataSecurity annotation and encrypts those attributes;
b) a mybatis typeHandler type processor that intercepts objects containing the prefix and suffix of an encrypted text and decrypts them.
Optionally, the plurality of cloud service vendors includes Huawei Cloud and AWS.
Further, writing the encryption and decryption API of the Huawei Cloud KMS includes:
obtaining authorization from Huawei Cloud with the AK, SK and keyId information by means of a getToken method;
calling the encryption API of the Huawei Cloud key management service by means of an encryptKms method;
and calling the decryption API of the Huawei Cloud key management service by means of a decryptKms method.
Further, writing the encryption and decryption API of the AWS KMS includes:
obtaining authorization from AWS with the AK, SK and keyId information by means of a getAuthorize method;
calling the encryption API of the AWS key management service by means of an encrypt method;
and calling the decryption API of the AWS key management service by means of a decrypt method.
Optionally, in step (5), the data that must be stored encrypted is determined to be data of levels C3 and C4, where C3 is customer confidential data and C4 is customer secret data.
In a second aspect, a computer device includes a memory and a processor, the memory stores a computer program, and is characterized in that the processor implements the steps of the above-mentioned multi-cloud key management and BYOK-based data security management method when executing the computer program.
In a third aspect, a computer-readable storage medium, on which a computer program is stored, is characterized in that the computer program, when executed by a processor, implements the steps of the above-described method for multi-cloud key management and data security management based on BYOK.
The invention has at least the following beneficial effects:
The invention uses BYOK (bring your own key), which helps enterprises meet compliance and reporting requirements more comprehensively, and combines it with the KMS (key management service) provided by different cloud service vendors. The organization (enterprise user) thereby keeps complete control over its data and encryption keys while using the key management services of different cloud vendors: it encrypts its data in the cloud service with its own key while still relying on the cloud provider's local encryption service to secure that data.
The enterprise user can ensure that sufficient entropy is used to generate the encryption key and that the key is protected from leakage, so that the enterprise's encrypted data is protected.
Drawings
Fig. 1 is a schematic operation flow diagram of a multi-cloud key management and BYOK-based data security management method according to an embodiment of the present invention;
fig. 2 is a schematic diagram illustrating the principle (key acquisition and usage flow) of a multi-cloud key management and BYOK-based data security management method according to an embodiment of the present invention;
fig. 3 is a sample KMS management console interface provided by an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The embodiment of the invention aims to ensure that, when an organization (in particular an enterprise user) encrypts sensitive data with its own keys, sufficient entropy is used to generate the data keys, so that the data keys are better protected, the risks of key leakage are prevented, compliance and reporting requirements are met, and the customer's requirement to use its own data keys is satisfied.
In one embodiment, as shown in fig. 1, the method for multi-cloud key management and data security management based on BYOK is applied to an enterprise user terminal, and includes the following steps:
s1: obtaining an SK and AK from the KMS provided by each of several cloud service vendors;
s2: obtaining a bring-your-own key (BYOK);
s3: generating an encryption key EK for each cloud vendor KMS by calling the pre-written encryption and decryption API of that KMS on the self-provided key BYOK;
s4: storing the SK, AK and EK in a configuration file;
s5: determining which data must be stored encrypted according to the classification and grading of data in the system;
s6: during the start-up of the software or program, calling the API (application program interface) of the KMS to recover the BYOK; encrypting with the BYOK the plaintext data cached in memory that must be stored encrypted, and writing it to the database; and decrypting with the BYOK the ciphertext data stored in the database into memory.
In an embodiment, as shown in fig. 2, the implementation of the data security management method specifically includes the following steps:
1) Create a new master key in the KMS and obtain the SK (Secret Access Key) and AK (Access Key Id):
a) log in to the KMS service console provided by a cloud service vendor such as Huawei Cloud or AWS; FIG. 3 is a sample KMS management console interface;
b) create a key;
c) save the AK, SK, keyId and related information.
2) Write the encryption and decryption APIs for the KMS of the different cloud service vendors; the method mainly interfaces with Huawei Cloud and AWS:
a) Write the KMS encryption and decryption tool class for AWS:
obtain authorization from AWS with the AK, SK, keyId and related information by means of a getAuthorize method, call the encryption API of the AWS key management service by means of an encrypt method, and call the decryption API of the AWS key management service by means of a decrypt method.
b) Write the KMS encryption and decryption tool class for Huawei Cloud:
obtain authorization from Huawei Cloud with the AK, SK, keyId and related information by means of a getToken method, call the encryption API of the Huawei Cloud key management service by means of an encryptKms method, and call the decryption API of the Huawei Cloud key management service by means of a decryptKms method.
3) Generate the data key (BYOK) using a cryptographic engine or other key generation device.
4) Obtain the EKs using the encryption and decryption APIs:
a) Call the API provided by the Huawei Cloud KMS service and generate the Huawei Cloud EK from the key (BYOK) obtained in step 3) using the encryptKms method; for example:
i. add the SDK dependency provided by Huawei Cloud to the project;
ii. write a program that calls the encryption API in the SDK;
iii. run the program, generating the Huawei Cloud EK from the data key (BYOK) obtained in step 3) using the encryptKms method.
b) Call the API provided by the AWS KMS service and generate the AWS EK from the key obtained in step 3) using the encrypt method; for example:
i. add the SDK dependency provided by AWS to the project;
ii. write a program that calls the encryption API in the SDK;
iii. run the program, generating the AWS EK from the data key (BYOK) obtained in step 3) using the encrypt method.
5) Place the SK, AK, EK and related information obtained in steps 1) and 3) in the configuration (CM).
6) Write a Starter that performs automatic encryption and decryption on the basis of annotations and a Mybatis typeHandler:
a) write a mybatis interceptor that intercepts objects whose attributes carry the @DataSecurity annotation and encrypts those attributes;
b) write a mybatis typeHandler type processor that intercepts objects containing the prefix and suffix of an encrypted text and decrypts them.
7) Classify and grade the data in the system, and store data of levels C3 and C4 encrypted:
a) C3, customer confidential data (Customer Confidential). Example: employee information in the organizational structure;
b) C4, customer secret data (Customer Secret). Example: identity card numbers and the like.
8) Introduce the Starter into each business service to protect sensitive data with encryption:
a) add the maven dependency srm-startup-security to the pom file of each service and place it at the top;
b) change the data type of each database field that needs encryption to VARCHAR, and widen it to VARCHAR(32 + 8 × character length);
c) add the @DataSecurity annotation to the fields of the entity class that need encryption;
d) an encrypted field no longer supports fuzzy search;
e) if an encrypted field is used as a query condition, the value must first be encrypted manually by calling the encryption method of DataSecurityInterceptor before it is passed to the database query;
f) an encrypted field can no longer be processed by database functions; for example, once an amount is encrypted, its precision can no longer be handled with the FORMAT() function.
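The flow of steps 1) to 6) and 8) above, as an added example that is not part of the patent or of any vendor SDK. It is written in plain Python with the standard library only, so the vendor KMS is replaced by an in-process `SimulatedKms` class whose master keys never leave it, and the cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag standing in for a real AEAD such as AES-GCM. The class, function and vendor names, the `ENC{...}` prefix and suffix markers, and all sample values are assumptions made for the example. What it demonstrates is the security-relevant property of the method: the configuration holds only AK, SK, keyId and the wrapped EK, the plaintext BYOK exists only in memory after a KMS decrypt call at start-up, and the typeHandler side only decrypts values that carry the prefix and suffix (so legacy plaintext rows pass through) while rejecting tampered ciphertext.

```python
import base64
import hashlib
import hmac
import os


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one data key (domain separation)."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream; toy stand-in for AES-GCM, not for production."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag (fresh nonce per call)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any tampering raises ValueError."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _keystream_xor(enc_key, nonce, ct)


class SimulatedKms:
    """Offline stand-in for a vendor KMS (assumed; the page interfaces Huawei Cloud and AWS).
    Master keys never leave the object; callers hold only AK/SK and a keyId, mirroring the
    getToken/getAuthorize + encryptKms/encrypt + decryptKms/decrypt calls in the text."""

    def __init__(self, vendor: str):
        self.vendor = vendor
        self._master_keys = {}
        self._credentials = {}

    def create_key(self):
        """Step 1: create a master key in the KMS and hand back AK, SK and keyId."""
        key_id = f"{self.vendor}-cmk-{os.urandom(4).hex()}"
        self._master_keys[key_id] = os.urandom(32)
        ak, sk = os.urandom(8).hex(), os.urandom(16).hex()
        self._credentials[ak] = sk
        return ak, sk, key_id

    def _authorize(self, ak: str, sk: str):
        if not hmac.compare_digest(self._credentials.get(ak, ""), sk):
            raise PermissionError(f"{self.vendor}: bad AK/SK")

    def encrypt(self, ak, sk, key_id, plaintext: bytes) -> bytes:
        self._authorize(ak, sk)
        return seal(self._master_keys[key_id], plaintext)

    def decrypt(self, ak, sk, key_id, blob: bytes) -> bytes:
        self._authorize(ak, sk)
        return unseal(self._master_keys[key_id], blob)


def provision(vendors: dict):
    """Steps 1-5: generate the BYOK locally, wrap it under every vendor's master key, and
    return the config-file content. The plaintext BYOK is never written into that config."""
    byok = os.urandom(32)  # step 3: data key from the local key generator (os.urandom here)
    config = {}
    for name, kms in vendors.items():
        ak, sk, key_id = kms.create_key()
        ek = kms.encrypt(ak, sk, key_id, byok)  # step 4: EK = KMS-wrapped BYOK
        config[name] = {"AK": ak, "SK": sk, "keyId": key_id,
                        "EK": base64.b64encode(ek).decode()}
    return byok, config


def load_data_key(vendor: str, kms: SimulatedKms, config: dict) -> bytes:
    """Step 6, at program start: ask the KMS to unwrap EK so the BYOK exists only in memory."""
    c = config[vendor]
    return kms.decrypt(c["AK"], c["SK"], c["keyId"], base64.b64decode(c["EK"]))


def key_appears_in_config(byok: bytes, config: dict) -> bool:
    """Check that neither hex nor base64 form of the plaintext BYOK is stored in the config."""
    forms = {byok.hex(), base64.b64encode(byok).decode()}
    return any(v in forms for entry in config.values() for v in entry.values())


PREFIX, SUFFIX = "ENC{", "}"  # assumed markers the typeHandler uses to recognise ciphertext


def encrypt_field(byok: bytes, value: str) -> str:
    """Interceptor side: encrypt a @DataSecurity attribute before it reaches the database."""
    return PREFIX + base64.b64encode(seal(byok, value.encode())).decode() + SUFFIX


def decrypt_field(byok: bytes, stored: str) -> str:
    """typeHandler side: decrypt only values carrying the prefix and suffix; others pass through."""
    if not (stored.startswith(PREFIX) and stored.endswith(SUFFIX)):
        return stored
    return unseal(byok, base64.b64decode(stored[len(PREFIX):-len(SUFFIX)])).decode()


def is_authentic(byok: bytes, stored: str) -> bool:
    """True if a stored value decrypts with a valid tag, False if it was altered."""
    try:
        decrypt_field(byok, stored)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    vendors = {"huawei": SimulatedKms("huawei"), "aws": SimulatedKms("aws")}
    byok, config = provision(vendors)
    print("plaintext key in config:", key_appears_in_config(byok, config))
    in_memory = load_data_key("aws", vendors["aws"], config)
    row = encrypt_field(in_memory, "Alice Zhang")  # constructed sample C3 value
    print(row, "->", decrypt_field(in_memory, row))
```

Because every EK is the same BYOK wrapped by a different vendor, the program can start against whichever KMS is reachable and still obtain the same in-memory data key; the consequence listed under 8) d) also follows directly, since each `encrypt_field` call uses a fresh nonce and so the same plaintext never produces the same ciphertext, which is exactly why fuzzy search and equality queries on raw column values cannot work without the manual encryption step.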
The embodiment of the invention uses BYOK (a self-provided key) together with the KMS key management services of different cloud service vendors, stores the EK (encryption key) produced by wrapping the BYOK with the KMS in a configuration file, and then, while the software or program starts, calls the API (application program interface) of the KMS to recover the data key (BYOK) into memory, so that the data key is never persisted to disk and the encrypted sensitive data is further secured.
The embodiment of the invention allows the organization to keep complete control over its data and encryption keys while using the Key Management Service (KMS) of different cloud service vendors, so that the organization encrypts its data in the cloud service with its own key while still relying on the cloud provider's local encryption service to secure that data. BYOK helps the enterprise meet compliance and reporting requirements more fully. Moreover, the enterprise user can ensure that the encryption key is generated with sufficient entropy and is protected from leakage, so that the enterprise's encrypted data is protected.
In one embodiment, a computer device is also provided, which may be an enterprise user terminal. The computer device comprises a memory and a processor, wherein the memory stores a computer program, and relates to all or part of the flow of the method of the embodiment.
In one embodiment, a computer-readable storage medium having a computer program stored thereon is provided, which relates to all or part of the processes of the method of the above embodiments.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.
Claims (9)
1. The multi-cloud key management and BYOK-based data security management method is characterized by comprising the following steps:
(1) obtaining an SK and AK from the KMS provided by each of several cloud service vendors;
(2) obtaining a bring-your-own key (BYOK);
(3) generating an encryption key EK for each cloud vendor KMS by calling the pre-written encryption and decryption API of that KMS on the self-provided key BYOK;
(4) storing the SK, AK and EK in a configuration file;
(5) determining which data must be stored encrypted according to the classification and grading of data in the system;
(6) during the start-up of the software or program, calling the API (application program interface) of the KMS to recover the BYOK; encrypting with the BYOK the plaintext data cached in memory that must be stored encrypted, and writing it to the database; and decrypting with the BYOK the ciphertext data stored in the database into memory.
2. The multi-cloud key management and BYOK-based data security management method of claim 1, wherein the encryption and decryption in step (6) are performed automatically on the basis of annotations and a Mybatis typeHandler by introducing a pre-written Starter.
3. The multi-cloud key management and BYOK-based data security management method of claim 2, wherein the pre-written Starter specifically comprises:
a) a mybatis interceptor that intercepts objects whose attributes carry the @DataSecurity annotation and encrypts those attributes;
b) a mybatis typeHandler type processor that intercepts objects containing the prefix and suffix of an encrypted text and decrypts them.
4. The multi-cloud key management and BYOK-based data security management method of claim 1, wherein the plurality of cloud service vendors comprises Huawei Cloud and AWS.
5. The multi-cloud key management and BYOK-based data security management method of claim 4, wherein writing the encryption and decryption API of the Huawei Cloud KMS comprises:
obtaining authorization from Huawei Cloud with the AK, SK and keyId information by means of a getToken method;
calling the encryption API of the Huawei Cloud key management service by means of an encryptKms method;
and calling the decryption API of the Huawei Cloud key management service by means of a decryptKms method.
6. The multi-cloud key management and BYOK-based data security management method of claim 4, wherein writing the encryption and decryption API of the AWS KMS comprises:
obtaining authorization from AWS with the AK, SK and keyId information by means of a getAuthorize method;
calling the encryption API of the AWS key management service by means of an encrypt method;
and calling the decryption API of the AWS key management service by means of a decrypt method.
7. The multi-cloud key management and BYOK-based data security management method of claim 1, wherein in step (5) the data that must be stored encrypted is determined to be data of levels C3 and C4, where C3 is customer confidential data and C4 is customer secret data.
8. A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor when executing the computer program implements the steps of the method for multi-cloud key management and BYOK-based data security management of any one of claims 1 to 7.
9. A computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the steps of the method for multi-cloud key management and BYOK-based data security management of any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111613920.7A CN114282244A (en) | 2021-12-27 | 2021-12-27 | Multi-cloud key management and BYOK-based data security management method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114282244A true CN114282244A (en) | 2022-04-05 |
Family
ID=80876078
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20200053065A1 (en) * | 2018-08-13 | 2020-02-13 | Salesforce.Com, Inc. | Key encryption key rotation |
Non-Patent Citations (1)
Title |
---|
王勇: "多云密钥管理与BYOK", 网络安全和信息化, 31 May 2020 (2020-05-31), pages 112 - 113 * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||