1. Definition
Data transmission security is the safe management of data transmission over the network. This is an important stage of data security and also Data security incidents, such as data leakage, theft, and tampering, occur frequently, so the importance of this stage is self-evident.
This process contains four process areas, namely: data transmission encryption and network availability management.
1.1 Data transmission encryption
The official description is to adopt appropriate encryption protection measures according to the internal and external data transmission requirements of the organization to ensure that transmission channels, transmission nodes and The security of transmitted data prevents data leakage caused by interception of data during transmission.
When data is transmitted through untrusted or low-security networks, security risks such as data theft, forgery, and tampering are prone to occur. Therefore, relevant security protection measures need to be established to ensure that data is transmitted during the transmission process. security, and encryption is a common means to ensure data security.
The DSMM standard requires the following at the fully defined level:
Organizational construction
The organization has established positions and personnel to manage data encryption and key management. , responsible for the overall encryption principles and technical work, and the technical teams of each business are responsible for implementing data transmission encryption in specific scenarios.
The requirements of DSMM are almost the same. Each process area needs to designate a dedicated person and post to be responsible for the work and be competent for the work. In actual work, all process areas may have the same one or more people in this dimension, who can be appointed individually or explained in the corresponding system chapter.
System process:
Establish data transmission security management specifications and clarify data transmission security requirements (such as transmission channel encryption, data content encryption, signature verification, identity authentication, Data transmission interface security, etc.) to determine the scenarios where data transmission encryption is required.
Establish key management security specifications and clarify the processes and requirements for key generation, distribution, access, update, backup and destruction.
Technical tools:
There are technical solutions and tools for subject identity identification and authentication at both ends of the transmission channel.
There are technical solutions and tools for encrypting transmitted data, including uniformly deploying transmission channel encryption solutions for key data transmission channels (such as using TLS/SSL), and encrypting the content of transmitted data.
There are technical solutions and tools to detect the integrity of transmitted data and perform recovery control.
There are technical solutions and tools to review and monitor changes in data transmission security policies, and technical tools have been deployed to review and monitor protection measures such as channel security configuration, password algorithm configuration, and key management.
The established key management system provides functions such as data encryption and decryption, signature verification, etc., and implements secure management of the entire life cycle of keys (generation, storage, use, distribution, update, and destruction).
Personnel capabilities:
Understand the mainstream secure channel and trusted channel establishment solutions, identity identification and authentication technologies, data encryption algorithms and nationally recommended data encryption algorithms, Choose an appropriate data transmission security management method based on specific business scenarios.
The personnel responsible for this work understand the data encryption algorithm and can choose the appropriate encryption technology based on specific business scenarios.
#The following are the specific contents that should be paid attention to during the data transmission encryption process.
1. Establish data transmission security management specifications, clarify data transmission security requirements (such as transmission channel encryption, data content encryption, signature verification, identity authentication, data transmission interface security, etc.), and determine the need for data transmission encryption scene.
2. Scenarios that require encryption should be based on national laws and regulations, industry regulatory department requirements, and the confidentiality and integrity requirements of the unit's own business data. Content combined with data classification and grading usually includes but is not limited to system management data, identification information, important business data, important personal privacy and other data with high integrity and confidentiality requirements.
3. Since the implementation of encryption technology relies on keys, it is necessary to establish key management security specifications and a key management system to clarify the key generation, distribution, access, update, backup and destruction processes. . That is, what security level of data should be used, what encryption algorithm should be used (national encryption algorithm or international algorithm, symmetric encryption algorithm, asymmetric encryption algorithm or hash algorithm) and how many bits of strength key should be used, how long is the validity period of the key, and how Backup keys, how to delete keys, etc.
4. When selecting the encryption type and key strength, you need to consider the business type and network status, and selectively implement encryption to avoid impact on the business.
5. For those responsible for encryption policy configuration and key management, there must be an audit and supervision mechanism to ensure that the configuration and changes of their encryption algorithms are authorized and recognized. At present, bastion machines are usually used for supervision and management. .
1.2 Network availability management
The official description is to achieve high availability of the network through the backup construction of basic network links and key network equipment, thereby ensuring the reliability of the data transmission process. stability.
Data relies on the availability of the network during network transmission. Once a network failure or paralysis occurs, data transmission will be affected or even interrupted.
The DSMM standard requires the following at the fully defined level:
Institutional process:
The availability construction requirements of the network should be considered in the critical business network architecture, Implement redundant construction of key network transmission links and network equipment nodes.
Technical tools:
Deploy load balancing, anti-intrusion attack and other equipment to further strengthen the prevention of network availability risks
Personnel capabilities:
The personnel responsible for this work have network security management capabilities, understand the security requirements for availability in network security, and can formulate effective availability security protection plans based on the network performance requirements of different businesses.
The following are the specific contents that should be focused on during the data collection security management stage:
1. Transmission links and network equipment of key business networks Nodes are constructed redundantly. Including: hardware redundancy (power redundancy, engine redundancy, module redundancy, device stacking, link redundancy, device redundancy, load balancing), software redundancy (link bundling technology) and routing redundancy (VRRP, dynamic routing protocol).
2. Use security devices such as load balancing and anti-intrusion attacks to reduce network availability risks.
2. Summary
The data transmission security of DSMM is actually to ensure the security of the data transmission process from the front-end collection to the business processing system. The main goal is To achieve data confidentiality, tamper resistance and high availability, network security requirements are also based on data encryption and network redundancy.
Although many systems and technical tools are described separately in the article, they may be mixed together in actual work. At the same time, many specific implementation parts are not only applied in one process area or one life cycle stage. It can even be applied throughout the entire life cycle. For example, it requires encrypted storage and transmission of important or sensitive data, which applies to all stages of the life cycle.
The above is the detailed content of Detailed introduction to data transmission security of DSMM. For more information, please follow other related articles on the PHP Chinese website!