Dynamic data desensitization mechanism
⚫ Data privacy protection is one of the security capabilities required for database security. It can limit unauthorized users' access to private data to a certain extent and ensure the security of private data.
⚫ The dynamic data desensitization mechanism is a technology that realizes the protection of private data by customizing the desensitization strategy, which can effectively solve the problem of unauthorized users' access to sensitive information on the premise of retaining the original data.
⚫ After the administrator specifies the object to be desensitized and the customized data desensitization strategy, if the database resource queried by the user is associated with the corresponding desensitization strategy, the data desensitization will be performed according to the user identity and desensitization strategy, thereby restricting the Authorize user access to private data.
⚫ The dynamic data desensitization mechanism customizes desensitization strategies based on resource tags. Specific desensitization methods can be selected according to actual scenarios, and desensitization strategies can also be formulated for some specific users. The SQL syntax for creating a complete desensitization strategy is as follows:
CREATE RESOURCE LABEL label_for_creditcard ADD COLUMN(user1.table1.creditcard);
CREATE RESOURCE LABEL label_for_name ADD COLUMN(user1.table1.name);
CREATE MASKING POLICY msk_creditcard creditcardmasking ON LABEL(label_for_creditcard);
CREATE MASKING POLICY msk_name randommasking ON LABEL(label_for_name) FILTER ON IP(local), ROLES(dev);
⚫ Among them, label_for_creditcard and msk_name are the resource labels for desensitization planned for this round, which respectively contain two column objects; creditcardmasking and randommasking are preset desensitization functions; msk_creditcard defines what all users do when accessing the resources contained in the label_for_creditcard label. The desensitization strategy of creditcardmasking does not distinguish the access source; msk_name defines the desensitization strategy of randommasking when the local user dev accesses the resources contained in the label_for_name label; when the FILTER object is not specified, it means that it takes effect for all users, otherwise it only applies to the label The user of the scene takes effect.
Top comments (0)