It is difficult for large and medium-sized enterprises to prevent information leakage. Such enterprises often have thousands of computers, several or even dozens of large servers, an unknown number of removable hard disks and USB flash drives, and the computers of branch offices and travelling staff connected to the intranet. Information is spread across every one of these physical locations: terminal computers, servers, notebooks, removable hard disks, USB flash drives and databases all hold documents and data, and a failure at any one point leads to data leakage.
According to the current mainstream data security protection theory, experts suggest dividing the whole enterprise network and its storage devices into five security domains, each controlled and protected separately but under one consistent data leakage prevention policy. This is a practical and systematic way to manage data security.
This "security domain" approach to data leakage prevention divides all physical devices connected to the enterprise network into five areas: terminals, ports, disks, servers (including databases) and removable storage devices, and applies a matching product to each area. The emphasis can be on terminals, or on servers and databases; an enterprise should choose its protection focus according to its own information security situation.
I. Prevention of Terminal Data Leakage
When terminal security is mentioned, people think of Symantec, the US-headquartered security company whose advertising slogan is "Symantec is terminal security". Its data loss prevention (DLP) product, acquired from Vontu, has been a commercial success in most of the world, including the United States, Europe and South Asia, and has been adopted with few obstacles. Symantec has, however, made slow progress in Japan and China, two countries with the strictest information security controls. Symantec DLP's main weaknesses there are three: 1. its high price makes it an aristocratic product; 2. localization is poor, since English-speaking markets accept DLP easily because language and technology transfer smoothly, whereas in China Symantec has far more localization work to do; 3. Chinese government policy on information security products restricts the sale of foreign security products.
The DLP products of Trend Micro, Websense, McAfee and other vendors face the same situation in China.
Chinese vendors, by contrast, are strong in terminal data leakage prevention. Led by Beijing Easytong, Chinese DLP manufacturers began developing encryption software in 2001, which is sufficient to ensure that terminal data is not leaked. It is a basic fact that domestic information security vendors gained their development opportunity under government protection. With its technical sensitivity and product understanding, the company has launched transparent document encryption, rights management and outbound-control software; with transparent document encryption as the core, supplemented by rights control, outbound management and log auditing, it can secure data at the source.
Enterprises with thousands of terminals such as Yulong Communication and Zhengtai Technology, enterprises with tens or hundreds of thousands such as BYD Group, CIMC Group and China Mobile Group, and global multinationals with hundreds of thousands have all adopted Easytong's terminal data leakage prevention system.
For terminal information security, SmartSec, DRM, CDG and ODM can be used. Other Chinese encryption software exists, but its product performance is somewhat weaker.
II. Prevention of Disk Data Leakage
A disk is the physical device on which data is stored; controlling the disk prevents data leakage. The most advanced technology for preventing disk data leakage is currently full-disk encryption (FDE), which encrypts every sector of the disk so that a lost, stolen or removed disk yields nothing without the key. Note that FDE protects data at rest only: once the machine is booted and unlocked, it does nothing to stop a logged-in user or malware from copying files out, which is why it is paired with the terminal and port controls of the other domains. For FDE software, see "Secrets of full-disk encryption (FDE) software performance" and "Overview of full-disk encryption (FDE) software".
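Deploying FDE is only half the job; the other half is verifying, fleet-wide, that every data-bearing volume actually sits on an encrypted device. The following is an added example, not code from the original page or from any vendor it names: it parses the JSON tree that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints on Linux and reports any mount point whose block-device chain contains no dm-crypt (LUKS) layer. The sample JSON is constructed, the exemption list for /boot and swap is this example's assumption, and the check sees only software encryption visible to lsblk; self-encrypting drives and Windows BitLocker (`manage-bde -status`) need their own checks.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Trimmed-down view of one node in `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`.
type blockDev struct {
	Name       string     `json:"name"`
	Type       string     `json:"type"`
	FSType     string     `json:"fstype"`
	Mountpoint string     `json:"mountpoint"`
	Children   []blockDev `json:"children"`
}

type lsblkOutput struct {
	BlockDevices []blockDev `json:"blockdevices"`
}

// Mount points conventionally left in the clear on a LUKS system (assumption:
// adjust to the site's disk layout policy).
var exemptMounts = map[string]bool{"/boot": true, "/boot/efi": true, "[SWAP]": true}

// UnencryptedMounts returns every mount point whose device chain contains no
// "crypt" layer. Any hit means that data rests on disk in the clear.
func UnencryptedMounts(lsblkJSON []byte) ([]string, error) {
	var out lsblkOutput
	if err := json.Unmarshal(lsblkJSON, &out); err != nil {
		return nil, err
	}
	var bad []string
	var walk func(d blockDev, encrypted bool)
	walk = func(d blockDev, encrypted bool) {
		// A crypt node encrypts everything stacked on top of it (LVM, filesystems).
		encrypted = encrypted || d.Type == "crypt"
		if d.Mountpoint != "" && !encrypted && !exemptMounts[d.Mountpoint] {
			bad = append(bad, d.Mountpoint)
		}
		for _, c := range d.Children {
			walk(c, encrypted)
		}
	}
	for _, d := range out.BlockDevices {
		walk(d, false)
	}
	return bad, nil
}

// Constructed sample: a laptop with a LUKS-encrypted root but a second data
// disk mounted in the clear at /srv/data.
const sampleLsblk = `{"blockdevices": [
  {"name":"nvme0n1","type":"disk","fstype":null,"mountpoint":null,"children":[
    {"name":"nvme0n1p1","type":"part","fstype":"vfat","mountpoint":"/boot/efi"},
    {"name":"nvme0n1p2","type":"part","fstype":"crypto_LUKS","mountpoint":null,"children":[
      {"name":"cryptroot","type":"crypt","fstype":"ext4","mountpoint":"/"}
    ]}
  ]},
  {"name":"sdb","type":"disk","fstype":null,"mountpoint":null,"children":[
    {"name":"sdb1","type":"part","fstype":"ext4","mountpoint":"/srv/data"}
  ]}
]}`

func main() {
	bad, err := UnencryptedMounts([]byte(sampleLsblk))
	if err != nil {
		panic(err)
	}
	if len(bad) == 0 {
		fmt.Println("all data-bearing mounts sit on dm-crypt devices")
		return
	}
	for _, m := range bad {
		fmt.Printf("UNENCRYPTED: %s\n", m)
	}
}
```

In a fleet check the constant would be replaced by the live output of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` collected from each host, and a non-empty result is the finding to raise.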
Protecting data by encrypting the whole disk was introduced by the mainstream international security vendors. Foreign enterprise users typically adopt the best-known products, Pointsec and SafeBoot. Check Point spent about $580 million to acquire Pointsec, an endpoint and mobile-device data security product that was already deployed worldwide, and SafeBoot was acquired by McAfee and integrated into McAfee's data leakage prevention (DLP) suite.
Because of the Chinese government's protection of enterprise information security, Chinese enterprises cannot use foreign encryption software. Under national laws and regulations, every software product involving commercial cryptography must be produced and sold by an enterprise holding the national commercial cryptography product production and sales licences, and must additionally hold the relevant sales qualifications from the State Secrecy Bureau, the military and the Ministry of Public Security before it can be sold in China. Foreign FDE software therefore cannot be widely used in China.
Fortunately, Chinese software vendors are not behind foreign manufacturers in FDE. DiskSec, launched by Beijing Easytong in 2008, is a capable product available in standalone and enterprise editions, and in performance terms it is above comparable foreign FDE software. DiskSec is a multifunction FDE product that protects PCs, notebooks and removable storage devices and can also serve as enterprise terminal protection; Easytong has also worked with computer manufacturers to ship computers with fully encrypted hard disks, which gives it broad applicability. DiskSec has been deployed in the Chinese Air Force on 10,000 notebook terminals, and large numbers of PCs and laptops in finance, telecommunications, electric power, manufacturing and other industries run it.
III. Port Data Leakage Protection
Port control is what the public knows best, thanks to the "waterproof wall" class of software that blocks data leakage by controlling ports. Technically the waterproof wall has a low barrier to entry and is not hard to develop; many brands of port protection software have been released and are widely used, and both physical ports (USB, serial, optical drives and the like) and network ports can basically be covered. In theory, once the data itself is encrypted, peripheral port protection is unnecessary, and running encryption and port protection together looks like duplicated construction. In practice the two fail differently: encryption protects the content if a copy escapes, while port control limits how copies can be made at all, so layering both is a reasonable way for an enterprise to protect its data.
Among the many port protection products on the market, ChinaSoft's Waterproof Wall and Beijing Easytong's device security management system DeviceSec are the mainstream. DeviceSec has become mainstream because it can be combined with encryption software into an overall protection system; DeviceSec combined with encryption is more secure than a standalone port protection product such as a waterproof wall.
IV. Server (Database) Data Leakage Prevention
The most important place for data security in a large or medium-sized enterprise should be the servers and databases. At present the security of file server data is mainly ensured by identity authentication and access control, while the technical means for securing application server data are quite weak.
Database data security protection is complicated. There are three main means: 1. file-based database encryption, which encrypts the database's storage files as a whole and so protects against theft of the files or disk, but not against anyone who can authenticate to the database; 2. record-based database encryption, which encrypts individual rows or fields so that data is protected even from privileged database users; 3. subkey database encryption, which derives a separate key per record or field from a master key so that compromising one key exposes only that record. All three carry a large performance cost for the database, and the finer-grained schemes also constrain queries, since an encrypted column cannot be indexed, sorted or range-searched on its plaintext. To prevent database leakage, more advanced technical means must be adopted.
The most advanced technologies and products for servers and databases have appeared here. FileNetSec is a document security gateway system launched by Beijing Easytong at the end of 2008 and deployed in many large domestic enterprises; GF Securities, Yulong Communication, CITIC Securities and other enterprises use FileNetSec to encrypt and protect their core data.
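To make the record-based and subkey approaches concrete, here is an added example written for this article; it is not code from the page or from any of the vendors it names, and it does not reproduce their designs. Each cell is encrypted with AES-256-GCM under a key derived from a master key and the cell's coordinates (table, column, record ID), and those coordinates are also bound in as associated data, so a ciphertext copied into another row or column fails authentication instead of decrypting there. HMAC-SHA256 as the key-derivation function, the table and column names and the sample value are this example's assumptions; a production system would use HKDF and keep the master key in an HSM or KMS. The blind-index helper shows the query-side cost: equality lookups survive, range queries do not.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// subkey derives a per-record, per-column key from the master key, so the
// master key never touches row data and one leaked subkey exposes one cell.
// HMAC-SHA256 as a KDF is this example's choice; HKDF is the usual pick.
func subkey(master []byte, table, column string, recordID uint64) []byte {
	mac := hmac.New(sha256.New, master)
	fmt.Fprintf(mac, "%s\x00%s\x00%d", table, column, recordID)
	return mac.Sum(nil) // 32 bytes, i.e. an AES-256 key
}

// aad is the cell's coordinates, authenticated but not encrypted.
func aad(table, column string, recordID uint64) []byte {
	return []byte(fmt.Sprintf("%s/%s/%d", table, column, recordID))
}

// EncryptField returns nonce||ciphertext||tag for one cell.
func EncryptField(master []byte, table, column string, recordID uint64, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(subkey(master, table, column, recordID))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad(table, column, recordID)), nil
}

// DecryptField reverses EncryptField; any change to the stored bytes or to
// the coordinates makes the GCM tag check fail.
func DecryptField(master []byte, table, column string, recordID uint64, stored []byte) ([]byte, error) {
	block, err := aes.NewCipher(subkey(master, table, column, recordID))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad(table, column, recordID))
}

// BlindIndex is a deterministic token for equality lookups (WHERE idx = ?)
// over an encrypted column. It leaks equality between rows and nothing else,
// and cannot support range or LIKE queries on the plaintext.
func BlindIndex(master []byte, column string, value []byte) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("index\x00" + column + "\x00"))
	mac.Write(value)
	return mac.Sum(nil)
}

func main() {
	master := make([]byte, 32) // in production: fetched from an HSM/KMS, never a config file
	if _, err := io.ReadFull(rand.Reader, master); err != nil {
		panic(err)
	}
	// Constructed sample cell: customers.id_number for record 42.
	ct, err := EncryptField(master, "customers", "id_number", 42, []byte("ID-0001"))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptField(master, "customers", "id_number", 42, ct)
	fmt.Printf("row 42 decrypts to %q (err=%v)\n", pt, err)
	_, err = DecryptField(master, "customers", "id_number", 43, ct)
	fmt.Printf("same ciphertext presented as row 43: err=%v\n", err)
}
```

The per-cell key derivation is cheap (one HMAC) but the AES-GCM call per cell is the performance cost the text refers to, paid on every read and write of the column rather than once per file.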
V. Preventing Leaks from Removable Storage Devices
Removable storage devices include removable hard disks, USB flash drives, PC memory cards, MP3 and MP4 players, digital cameras, digital video cameras, mobile phones, CD-ROMs and floppy disks. With their widespread use, leaks through removable storage have become more and more common. There are currently two main solutions: the first controls the various ports on computers and the intranet, unifies authentication of the ports that removable devices connect through, and binds devices to hardware identities so that only registered devices can be used; the second identifies the device by a password or PIN and encrypts the data on it, so that a lost or copied device yields nothing. "Media management" usually refers to the management of removable storage devices.
There are many removable-media management systems on the market, from Beijing Easytong, Guomai, Beixinyuan, Boruiqin and others. Military-industry, government and similar departments have strict media management regulations, and provincial authorities often require subordinate units to deploy a media management system.
The typical media management system has a fatal flaw: it manages only the removable devices. Controlling the removable-storage security domain alone is not enough; an enterprise's information security requirements call for control over the different security domains so that they form an overall consistent protection system and comprehensive data leakage prevention. When choosing a media management system, therefore, integration with the enterprise's other security areas should be considered. Beijing Easytong is ahead in this respect: media management is an indispensable part of its data leakage protection (DLP) system, fully protecting removable devices and forming a complete protection system with the other security systems.
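The first solution above, and the port control described under section III, both come down to a default-deny policy keyed on hardware identity. The following added example, written for this article and not taken from the page or any vendor it names, evaluates a plugged-in USB device against an allowlist bound to the full vendor, product and serial triple, and renders the same allowlist as a policy in the rule language of USBGuard, the open-source Linux tool that enforces such policies at the USB layer. The sample vendor and product IDs and serials are constructed, and the rule text is this example's sketch to be checked against the usbguard-rules.conf manual before deployment.

```go
package main

import (
	"fmt"
	"strings"
)

// USBDevice holds the identity attributes the kernel exposes for a USB
// device (idVendor, idProduct and serial under /sys/bus/usb/devices/*/).
type USBDevice struct {
	Vendor, Product, Serial string
}

// Allowlist binds each permitted device to the full triple. Vendor and
// product IDs are shared by every unit of one model and are trivially
// spoofed by a programmable device, so the serial is part of the identity.
// A serial can be spoofed too, which is why port control is paired with
// encryption of the media itself rather than relied on alone.
type Allowlist []USBDevice

// Permits reports whether a plugged-in device matches an allowlist entry.
func (a Allowlist) Permits(d USBDevice) bool {
	for _, e := range a {
		if strings.EqualFold(e.Vendor, d.Vendor) &&
			strings.EqualFold(e.Product, d.Product) &&
			e.Serial == d.Serial {
			return true
		}
	}
	return false
}

// USBGuardPolicy renders the allowlist as a default-deny policy for mass
// storage in USBGuard's rule language: first match wins, so registered
// devices pass, any other device exposing a mass-storage interface
// (class 08) is blocked, and keyboards, mice and the like keep working.
// The rule text is this example's sketch; verify it against the
// usbguard-rules.conf manual before deploying.
func (a Allowlist) USBGuardPolicy() string {
	var b strings.Builder
	for _, e := range a {
		fmt.Fprintf(&b, "allow id %s:%s serial %q\n",
			strings.ToLower(e.Vendor), strings.ToLower(e.Product), e.Serial)
	}
	b.WriteString("block with-interface one-of { 08:*:* }\n")
	b.WriteString("allow\n")
	return b.String()
}

func main() {
	// Constructed sample: one corporate-issued encrypted USB drive is registered.
	policy := Allowlist{{Vendor: "0781", Product: "5583", Serial: "4C530001230717117252"}}
	fmt.Print(policy.USBGuardPolicy())
	for _, d := range []USBDevice{
		{"0781", "5583", "4C530001230717117252"}, // the registered unit
		{"0781", "5583", "4C530009990000000000"}, // same model, unregistered serial
		{"0951", "1666", "E0D55EA573DCF0A0E9C6"}, // a different brand
	} {
		fmt.Printf("%s:%s serial %s -> allowed=%v\n", d.Vendor, d.Product, d.Serial, policy.Permits(d))
	}
}
```

The same decision logic applies on Windows, where the enforcement point is instead a device installation restriction policy; what matters in either case is that the policy is default-deny and that the identity it checks includes the serial, not just the model.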
Summary: an old Chinese saying holds that one who does not plan for the whole cannot plan for a single domain. Although the intranet is divided into five security domains, they must be considered, designed and deployed as one so that the security of each sub-domain adds up to comprehensive protection. To achieve data leakage prevention, large and medium-sized enterprises should fully consider the characteristics and specific requirements of each security domain and arrange them carefully to achieve overall data leakage prevention (DLP).