With a little more than 20 days left before the Cryptography Law of the People's Republic of China (hereinafter the "Cryptography Law") takes effect on January 1, 2020, what does the law actually say, how does it concern us as individuals and as businesses, and how should we prepare before it comes into force? Today we talk about cryptography.

The four biggest questions about the Cryptography Law

What does "cryptography" mean in the Cryptography Law?

When we hear the word "password" we think of bank passwords, phone passwords, payment passwords, account passwords and so on. The Chinese word in the law's title covers both meanings, but the "cryptography" of the Cryptography Law is not that kind of password.

In the law, cryptography means technologies, products and services that apply specific transformations to information in order to encrypt it or to authenticate it. Hardware security modules, server cryptographic machines, digital certificate authentication systems and other products whose core function is encryption protection or security authentication are therefore cryptographic products.

Cryptography is classified into core cryptography, ordinary cryptography and commercial cryptography. Core and ordinary cryptography protect state secret information; commercial cryptography protects information that is not a state secret, and it is the kind most widely used on the Internet and in other industries.

So the key question: whom does the Cryptography Law concern?

All enterprises and organizations that use encryption protection or security authentication technologies, products and services, and in particular those whose systems affect the national economy, people's livelihood, the public interest and social order, should use cryptography properly to ensure data security.

Enterprises and organizations that use commercial cryptography must also assess its security. The Classified Protection of Cybersecurity 2.0 scheme (MLPS 2.0), officially in force since December 1, 2019, sets clear cryptographic application security assessment requirements for protected objects at level three and above. Operators of critical information infrastructure that could affect national security must additionally undergo review in accordance with regulatory requirements.

What does a "Cryptographic Application Security Assessment" involve?

A cryptographic application security assessment sets cryptographic protection requirements for the data that a network object collects, transmits and stores, and for the data in its surrounding protected environment, according to the importance of the data and the kind of protection it needs (confidentiality, authenticity, integrity and non-repudiation). It then checks that cryptographic protection and security management are applied comprehensively across the whole data life cycle.

In plain terms, cryptography must not only be applied at the collection, storage, transmission and other nodes of the data flow; it must also be effective, and a mere formality does not count.

What are the consequences of violating the Cryptography Law?

Where cryptography is not used as required, the competent department orders the offending unit to correct the situation and issues a warning; the unit can be fined hundreds of thousands of dollars, and the person in charge is also penalized and fined. Where a crime is committed, criminal liability is pursued in accordance with the law.

Alibaba Cloud's advanced data encryption capabilities help you prepare

For users with differing data security levels, Alibaba Cloud provides a complete set of advanced data encryption capabilities together with a Key Management Service (KMS), which corresponds to the key management service contemplated by the Cryptography Law, so that users can keep their "codebook" safe on the cloud and meet different data encryption requirements.

Encryption, entry level: visible "default encryption"

To let users protect lower-sensitivity data with encryption without paying extra key management overhead, Alibaba Cloud KMS offers automatically managed keys. The user only needs to select the "service key" option in KMS and data is then encrypted automatically through KMS, with no further user action required; every invocation of the key remains visible to the user in the operation audit product (ActionTrail).

Encryption, advanced: visible and controllable fully managed encryption

Users with higher data encryption requirements can, instead of the service key that KMS generates automatically, manage the full life cycle of their keys in KMS (creating, deleting, disabling and enabling them) and manage the keys' authorization rules themselves in Resource Access Management (RAM). That key is the only way to decrypt the data: without the user's authorization on the key nobody can read it, and if the key is deleted nobody, the user included, can decrypt the data.

Encryption, further advanced: visible and controllable semi-managed encryption

Beyond fully managed encryption, the next level of security comes from a widely accepted industry technique, BYOK (Bring Your Own Key). Put simply, users generate their own key material and import it into the hardware cryptographic machine (HSM) that KMS hosts on the cloud. The process is one-way: the key can be imported but never exported, and no third party other than the user can learn the contents of the hosted HSM. Users can also destroy the key on the cloud at any time while keeping full key life cycle control. For example, a user can import a key, encrypt data with it and then delete the key, and later re-import the same key material when the data needs to be decrypted, which gives the user greater independent control.

Encryption, expert level: write your own code to call KMS

Whereas the previous three levels are all "encryption integrated into cloud products", from this level onward users write their own code against the KMS API. This suits users with higher requirements for sensitive data protection, or who must satisfy GDPR and similar laws and regulations, and lets them actively apply encryption to specific data. Users can define different key management policies based on their own business scenarios and business logic and embed encryption into the business itself, so that security and compliance requirements are tightly integrated with the business system and the attack surface of sensitive data shrinks further. For example, TDE (transparent data encryption) does not effectively stop database users or DBAs from reading sensitive data in the database; if the business system instead encrypts a particular sensitive column itself, a database user or DBA would additionally need access to the key in order to view that data.

A custom encryption application can also make better use of the built-in automatic key rotation of KMS to implement its key management security policies.
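The fully managed, BYOK and custom-code levels above come together in code as envelope encryption: the application encrypts each sensitive value with its own data key and stores that data key wrapped by the KMS master key. The Go program below is an added example, not Alibaba Cloud's SDK or code from this article; FakeKMS is an in-memory stand-in whose ImportKeyMaterial, Rotate and Delete methods are illustrative names, and EncryptColumn/DecryptColumn show that rotation keeps old rows readable, deleting the master key makes them unreadable, and re-importing the same BYOK material restores access.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

// AES-256-GCM helpers; seal prepends the 12-byte random nonce to the ciphertext.
func aead(key []byte) cipher.AEAD {
	b, _ := aes.NewCipher(key) // every key in this example is 32 bytes
	g, _ := cipher.NewGCM(b)
	return g
}
func seal(key, pt []byte) []byte {
	n := randBytes(12)
	return aead(key).Seal(n, n, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return aead(key).Open(nil, ct[:12], ct[12:], nil)
}

// FakeKMS stands in for a cloud KMS (not the Alibaba Cloud SDK): one customer master key
// (CMK) as versions; ImportKeyMaterial models BYOK, Rotate adds a version, Delete wipes all.
type FakeKMS struct{ versions [][]byte }
func (k *FakeKMS) ImportKeyMaterial(m []byte) { k.versions = append(k.versions, m) }
func (k *FakeKMS) Rotate()                    { k.ImportKeyMaterial(randBytes(32)) }
func (k *FakeKMS) Delete()                    { k.versions = nil }

// EncryptColumn: envelope encryption of one sensitive column value with a fresh data key,
// returned wrapped under the newest CMK version (index in byte 0) to store beside the row.
func EncryptColumn(k *FakeKMS, value []byte) (wrappedKey, ct []byte) {
	dk, v := randBytes(32), len(k.versions)-1 // requires at least one CMK version
	return append([]byte{byte(v)}, seal(k.versions[v], dk)...), seal(dk, value)
}

// DecryptColumn unwraps the data key through the KMS, then opens the value. Rows
// written before a Rotate still decrypt; after Delete they cannot be read.
func DecryptColumn(k *FakeKMS, wrappedKey, ct []byte) ([]byte, error) {
	if len(wrappedKey) == 0 || int(wrappedKey[0]) >= len(k.versions) {
		return nil, errors.New("CMK version unavailable (key deleted?)")
	}
	dk, err := open(k.versions[wrappedKey[0]], wrappedKey[1:])
	if err != nil {
		return nil, err
	}
	return open(dk, ct)
}
```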

Encryption, highest level: manage an HSM cluster and write the code yourself

Besides the Key Management Service (KMS), Alibaba Cloud also offers cloud HSM (cryptographic machine) instances. Users decide how many HSM instances to run and handle key synchronization, backup and load balancing across them themselves. The cloud provider takes no part in any key management work: the user has complete control not only over key management but over the hardware cryptographic machines, which is the highest encryption mode.

As the above shows, Alibaba Cloud's cryptographic system helps users not only with data encryption, digital signature generation and verification, and functions such as automatic key rotation, making applications and solutions easier to build; cryptography on the cloud can also be applied widely to data security, identity authentication, blockchain and DevSecOps scenarios.

Figure: Cryptographic capabilities map on the cloud

The promulgation of the Cryptography Law is only the first step; data security is systems engineering. Under the guidance of the Cryptography Law, enterprises can strengthen their own security systems with Alibaba Cloud's technical tools and security products, enjoy the technology dividend in full, and promote sustainable and stable business development on the premise that data is kept secure.


This article is original content of the Yunqi Community and may not be reproduced without permission.