Static data masking is deployed in a bypass configuration, ensuring that the masking system is network-accessible to the source and target databases, capable of querying and extracting data from the source database, as well as inserting masked data into the target database.

Dynamic data masking is deployed through a proxy method. The application system establishes a connection with the database. To achieve data masking, the connection request from the application system is forwarded to the dynamic data masking system, which parses the request and then forwards the SQL statement to the database server. The data returned by the database server is also processed by the dynamic masking system before being returned to the application server.

The data masking system is an integrated hardware and software product, capable of software deployment, and supports cloud environments and virtualized deployment.

Ankki data anonymization equipment does not record user data. It uses non-persistent anonymization, and there is no data storage locally. The data read is temporarily stored in memory and is not written to the device's hard drive. The data in memory will be cleared afterward.

Built-in industry-specific rules: such as healthcare, finance, etc.;

Built-in grading standard rules;

Built-in classification rules for special industries: such as healthcare data classification: medical application data, medical payment data, personal attribute data, etc., and financial data classification: transactions, supervision, information disclosure, other data, etc.

Built-in sensitive type rules: such as ID card, email, IP address, name, support for customizing sensitive data types.

WAF only monitors data coming through HTTP, but the access sources of the database are diverse, such as the following database access methods:

1. Other application systems within the organization can access the database: For example, in an e-commerce system, prices and inventory may be updated regularly using some automated scripts.

2. Some internal management programs can access the system, or some interfaces, which are convenient for employees to add information or send information to customers.

3. Database DBAs, IT managers, QA, developers and other internal personnel can access the database through database management tools.

WAF is unaware of these potential database access sources, and attacks from within are even more terrifying! When the value of data becomes higher and higher and the database becomes an "attack" target, relying solely on WAF for protection seems a bit stretched.

On the one hand, the database audit system can make a complete record of data access operations, so that after an incident of violating security rules occurs, it can effectively trace the responsibility and analyze the cause, and if necessary, it can also provide necessary evidence for punishing malicious attacks.

On the other hand, after the implementation of audit standards, audit clues will indicate that specific personnel have not violated regulations and have no destructive behavior, which is a good protection for legitimate users.

From the perspective of information security, auditing is an indispensable part of a secure database system and the last important line of defense for database security.

1. When we talk about security prevention, there are several key concepts. Pre-event refers to prevention, in-event refers to the control during the process, and post-event refers to the tracing and evidence collection after the event;

2. Therefore, auditing is not just post-event, but a kind of monitoring during the event; people often have a misunderstanding that if it cannot be prevented, it is not in the event, let alone pre-event;

3. Database auditing can actually achieve the trinity of pre-event prevention, in-event monitoring, and post-event tracing. For example, by monitoring abnormal IP, process, and repeated logins to the system, we can help us prevent illegal access, brute force cracking and other problems; during the event, we monitor all kinds of access behaviors to the database, and through preset rules, we can intelligently and real-timely discover problems, and intervene in time through the alarm platform, SMS, email, etc. The control before and during the event is not blocked, just because it is not suitable to adopt this mode; after the event, we can analyze and locate the problem through the alarm slip, time platform, and log platform.

Our platform has adopted a new architecture, introducing a hierarchical design with big data components. The big data search engine enables rapid retrieval of massive amounts of data; the data analysis layer uses multi-process, efficient caching mechanisms to quickly match and analyze source data with the system's situational models, achieving real-time analysis, real-time alerts, and real-time linkage; the platform comes pre-equipped with an AI learning engine that can quickly learn and model source data, enabling the rapid location and identification of abnormal behaviors. The platform has completed adaptation applications for multiple scenarios, including Kunpeng big data platforms, Alibaba's big data platforms, and Huawei's data platforms, achieving rapid matching and docking with new scenarios and new technologies.

The data security governance platform of Ankki has the following advantages: an open system architecture that can not only connect with our own products but also with security products from other manufacturers; it has the characteristics of complete data collection, quantifiable risks, and precise risk identification; supports a variety of data interfaces for easy docking; distributed big data platform, supports components such as Tomcat, Spark, ES, Kafka, etc., ensuring the system's data analysis capabilities and system scalability.

The situational awareness of ankki database comprehensive management differs from most market products, which are primarily focused on network security situational awareness, analyzing and displaying the trends of network attack behaviors, such as viruses. In contrast, ankki data security situational awareness (data security governance platform) is centered on data security, analyzing and displaying the overall situation of data security from the dimensions of the overall situation, risk situation, health situation, vulnerability situation, and asset situation throughout the entire lifecycle of the data. It can also interact with surrounding security products to achieve joint defense, thereby establishing a systematic data security governance combat platform.

ankki data security governance platform is the only domestic representative manufacturer of data security that has entered Gartner's "2021 Data Security Technology Maturity Curve." Compared to other similar products, ankki has laid out and promoted a comprehensive data security management solution earlier, which has been implemented in industries such as government, finance, and healthcare.

Current data desensitization supports two forms of desensitization:

The first is static desensitization. The static desensitization system uses the customer configured from the customer configuration from the source database to extract data that needs to be desensitized, and then privatize the data according to the desensitization rules configured by the customer. The data is inserted into the target test library. During the desensitization process, the data will not be stored in our devices throughout the process, and the principle of data does not land. The data after desensitization is isolated from the production environment. Development, testing, training, and analysts can use the test data at will in the target test database, and perform reading and writing operations to meet the safety of the production database while the business needs.

Static desensitization is generally used in non -production environments. The sensitive data is extracted from the production environment and departure to non -production environment. It is often used for databases of non -production systems such as training, analysis, testing, and development.

The second is dynamic desensitization. The dynamic desensitization adopts an agent deployment mode to perform the application layer analysis, and the return effects are processed. The client first access the desensitization system. The desensitization system is based on the client access request. The database is visited by the user user. The Ministry of Ministry of the Regulations perform desensitization processing the return data, and then return the data after desensitization to the client, that is, real -time desensitization processing returned by the production library, and at the same time limit the number of rows returned by a query to ensure that the return data is returned to ensure the return data. Availability and security.

Doing auditing inside the application software is only auditing the access from the application server level, while directly on the database side of the operating tools, processes, etc. can not be audited, and these are the most serious threats. If the software vendors in the database server to do auditing, which is completely different from their previous technical areas, they are generally not specialized in security, the application vendors themselves belong to the object of monitoring, so it is even more important not to let them monitor their own.

1. Based on the database audit equipment hardware parameters and SQL statement processing capacity per second

2. The number of hardware interfaces of the required database audit product (related to database distribution)