This paper describes the strategy Shanghai Telecom has followed for many years in building a multi-layered (defense-in-depth) protection system for user data. The result is a set of security controls covering three stages of the operation and maintenance (O&M) process: precaution before an operation, real-time monitoring during an operation, and analysis of behaviour after an operation, together with the construction of a sensitive data centre. Building and deploying a desktop cloud raises the "precaution before operation" capability. Building and deploying an O&M security audit system (HAC) and a database auditing product implements role-based host access control, boundary monitoring, middleware monitoring and database monitoring, raising the "real-time monitoring during operation" capability. Screen recording on the bastion host and playback of database audit records raise the "analysis after operation" capability. At the core data level, sensitive data is moved out of the conventional business platforms into a "Secret Library" centre through key-field mapping, and that centre is watched by multi-angle cameras, which strengthens security management while the data is in use. Through these airtight security precautions, the level of information security protection is raised considerably at every layer.
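The key-field mapping described above, as an added example that is not part of the paper and not Shanghai Telecom's own system: sensitive columns are replaced on the business platform by opaque keyed tokens, the clear values live only in a separate "Secret Library" store, and every attempt to resolve a token is checked against a role table and written to an audit trail that can be replayed afterwards. The class and function names, the role table, the HMAC key and the customer record are all constructed for this illustration.

```python
"""Added example: key-field mapping into a separate "Secret Library" store.

Sensitive fields are replaced by opaque tokens on the business platform; only
the vault can resolve a token back, every resolution is role-checked and
written to an audit trail for after-the-fact review. All names, roles and
sample records are constructed for this illustration (hypothetical, not the
paper's implementation).
"""
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed role table: which roles may resolve tokens back to clear values.
ROLE_PERMISSIONS = {
    "dba": {"resolve"},
    "ops": set(),           # O&M staff work with tokens only
}


class SecretLibrary:
    def __init__(self, hmac_key: bytes):
        self._key = hmac_key
        self._vault = {}        # token -> clear value, kept only in this store
        self.audit_log = []     # one entry per resolve attempt, allowed or not

    def _token(self, field: str, value: str) -> str:
        # Keyed, deterministic token: equal values map to equal tokens so the
        # business platform can still join on the field, but without the key
        # a token reveals nothing about the value it stands for.
        digest = hmac.new(self._key, f"{field}\x00{value}".encode(), hashlib.sha256)
        return f"tok_{field}_{digest.hexdigest()[:32]}"

    def map_record(self, record: dict, sensitive_fields: list) -> dict:
        """Return a copy of `record` that is safe to keep on the business platform."""
        safe = dict(record)
        for field in sensitive_fields:
            if field in safe:
                tok = self._token(field, str(safe[field]))
                self._vault[tok] = safe[field]
                safe[field] = tok
        return safe

    def resolve(self, token: str, actor: str, role: str) -> str:
        """Look up the clear value; refuse (but still log) unless the role allows it."""
        allowed = "resolve" in ROLE_PERMISSIONS.get(role, set())
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "role": role,
            "token": token,
            "allowed": allowed,
        })
        if not allowed:
            raise PermissionError(f"{actor} ({role}) may not resolve {token}")
        return self._vault[token]


def demo():
    """Run the mapping, one permitted and one refused resolution; return the results."""
    lib = SecretLibrary(b"constructed-demo-key")
    # Constructed customer record as it would arrive from a business platform.
    record = {"user_id": "u-1001", "name": "Zhang San", "phone": "13800000000"}
    safe = lib.map_record(record, ["phone"])
    cleared = lib.resolve(safe["phone"], actor="alice", role="dba")
    try:
        lib.resolve(safe["phone"], actor="bob", role="ops")
        denied = False
    except PermissionError:
        denied = True
    return safe, cleared, denied, lib.audit_log


if __name__ == "__main__":
    safe, cleared, denied, log = demo()
    print("business platform copy:", safe)
    print("dba resolved:", cleared, "| ops denied:", denied)
    for entry in log:
        print(entry)
```

The audit log is what the "analysis after operation" stage consumes: a refused lookup is as interesting to a reviewer as a permitted one, so both outcomes are recorded before the permission decision is enforced.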